From: "Steve Sakoman" <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 09/14] libproxy: fix CVE-2020-25219
Date: Thu, 22 Oct 2020 05:51:42 -1000 [thread overview]
Message-ID: <f2e07dcf2c8ced2efcb6b67db45b9c5dc5ca5309.1603381705.git.steve@sakoman.com> (raw)
In-Reply-To: <cover.1603381704.git.steve@sakoman.com>
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libproxy/libproxy/CVE-2020-25219.patch | 61 +++++++++++++++++++
.../libproxy/libproxy_0.4.15.bb | 1 +
2 files changed, 62 insertions(+)
create mode 100644 meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
new file mode 100644
index 0000000000..3ef7f85451
--- /dev/null
+++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
@@ -0,0 +1,61 @@
+From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Wed, 9 Sep 2020 11:12:02 -0500
+Subject: [PATCH] Rewrite url::recvline to be nonrecursive
+
+This function processes network input. It's semi-trusted, because the
+PAC ought to be trusted. But we still shouldn't allow it to control how
+far we recurse. A malicious PAC can cause us to overflow the stack by
+sending a sufficiently-long line without any '\n' character.
+
+Also, this function failed to properly handle EINTR, so let's fix that
+too, for good measure.
+
+Fixes #134
+
+Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa]
+CVE: CVE-2020-25219
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ libproxy/url.cpp | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..68d69cd 100644
+--- a/libproxy/url.cpp
++++ b/libproxy/url.cpp
+@@ -388,16 +388,24 @@ string url::to_string() const {
+ return m_orig;
+ }
+
+-static inline string recvline(int fd) {
+- // Read a character.
+- // If we don't get a character, return empty string.
+- // If we are at the end of the line, return empty string.
+- char c = '\0';
+-
+- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
+- return "";
+-
+- return string(1, c) + recvline(fd);
++static string recvline(int fd) {
++ string line;
++ int ret;
++
++ // Reserve arbitrary amount of space to avoid small memory reallocations.
++ line.reserve(128);
++
++ do {
++ char c;
++ ret = recv(fd, &c, 1, 0);
++ if (ret == 1) {
++ if (c == '\n')
++ return line;
++ line += c;
++ }
++ } while (ret == 1 || (ret == -1 && errno == EINTR));
++
++ return line;
+ }
+
+ char* url::get_pac() {
diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
index 19dddebd44..a14c358cc2 100644
--- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -10,6 +10,7 @@ DEPENDS = "glib-2.0"
SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
+ file://CVE-2020-25219.patch \
"
SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"
--
2.17.1
next prev parent reply other threads:[~2020-10-22 15:53 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-22 15:51 [OE-core][dunfell 00/14] Patch review Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 01/14] arch-armv7a.inc: fix typo Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 02/14] arch-mips.inc: remove duplicated mips64el-o32 from PACKAGE_EXTRA_ARCHS_tune-mips64el-o32 Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 03/14] tune-mips64r6.inc: fix typo in mipsisa64r6-nf Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 04/14] tune-ep9312.inc: add t suffix for thumb to PACKAGE_EXTRA_ARCHS_tune-ep9312 Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 05/14] tune-riscv.inc: use nf suffix also for TUNE_PKGARCH Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 06/14] toolchain-shar-extract.sh: don't print useless info Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 07/14] siteinfo: Recognize 32bit PPC LE Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 08/14] siteinfo: Recognize bigendian sh3be and sh4be Steve Sakoman
2020-10-22 15:51 ` Steve Sakoman [this message]
2020-10-22 15:51 ` [OE-core][dunfell 10/14] python3: fix CVE-2020-26116 Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 11/14] grub2: fix CVE-2020-10713 Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 12/14] selftest/virgl: drop the custom 30 sec timeout Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 13/14] packagegroup-core-tools-debug: Disable for rv32/glibc as well Steve Sakoman
2020-10-22 15:51 ` [OE-core][dunfell 14/14] qemu: change TLBs number to 64 in 34Kf mips cpu model Steve Sakoman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f2e07dcf2c8ced2efcb6b67db45b9c5dc5ca5309.1603381705.git.steve@sakoman.com \
--to=steve@sakoman.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox