Commit d5945261 authored by Nathan Owens's avatar Nathan Owens
Browse files

user/libproxy: Add CVE-2020-26154 and CVE-2020-25219 patch

parent f7628676
......@@ -2,7 +2,7 @@
# Maintainer:
pkgname=libproxy
pkgver=0.4.15
pkgrel=2
pkgrel=3
pkgdesc="Library providing automatic proxy configuration management"
url="http://libproxy.github.io/libproxy/"
arch="all"
......@@ -14,8 +14,16 @@ subpackages="$pkgname-dev $pkgname-bin py3-$pkgname:py"
source="$pkgname-$pkgver.tar.gz::https://github.com/libproxy/libproxy/archive/$pkgver.tar.gz
libproxy-0.4.7-unistd.patch
fix-includes.patch
CVE-2020-25219.patch
CVE-2020-26154.patch
"
#secfixes:
# 0.4.15-r3:
# - CVE-2020-25219
# - CVE-2020-26154
build() {
cmake \
-DCMAKE_INSTALL_PREFIX=/usr \
......@@ -55,4 +63,6 @@ py() {
sha512sums="8f68bd56e44aeb3f553f4657bef82a5d14302780508dafa32454d6f724b724c884ceed6042f8df53a081d26ea0b05598cf35eab44823257c47c5ef8afb36442b libproxy-0.4.15.tar.gz
9929c308195bc59c1b9a7ddaaf708fb831da83c5d86d7ce122cb9774c9b9b16aef3c17fb721356e33a865de1af27db493f29a99d292e1e258cd0135218cacd32 libproxy-0.4.7-unistd.patch
e35b4f806e5f60e9b184d64dceae62e6e343c367ee96d7e461388f2665fe2ab62170d41848c9da5322bb1719eff3bfaecb273e40a97ce940a5e88d29d03bd8d9 fix-includes.patch"
e35b4f806e5f60e9b184d64dceae62e6e343c367ee96d7e461388f2665fe2ab62170d41848c9da5322bb1719eff3bfaecb273e40a97ce940a5e88d29d03bd8d9 fix-includes.patch
908fbf49bec18764a8c2ab81ef5d5e6e1fc2423cf9a6608cc7d3a6d5ac44676e171646b0f95b39b7ade108afd62cc2ede8f7b57d6ba0d67025f30b18e5084292 CVE-2020-25219.patch
01c784a8016bb2a2bf5058b6af7fac29250542bfd4e0679a91fa223c821336d651f8f4a968763072edb86a78a743618c312a2daeb2963c8e5207109f2d26a18f CVE-2020-26154.patch"
From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@gnome.org>
Date: Wed, 9 Sep 2020 11:12:02 -0500
Subject: [PATCH] Rewrite url::recvline to be nonrecursive
This function processes network input. It's semi-trusted, because the
PAC ought to be trusted. But we still shouldn't allow it to control how
far we recurse. A malicious PAC can cause us to overflow the stack by
sending a sufficiently-long line without any '\n' character.
Also, this function failed to properly handle EINTR, so let's fix that
too, for good measure.
Fixes #134
---
libproxy/url.cpp | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
index ee776b2..68d69cd 100644
--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
@@ -388,16 +388,24 @@ string url::to_string() const {
return m_orig;
}
-static inline string recvline(int fd) {
- // Read a character.
- // If we don't get a character, return empty string.
- // If we are at the end of the line, return empty string.
- char c = '\0';
-
- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
- return "";
-
- return string(1, c) + recvline(fd);
+static string recvline(int fd) {
+ string line;
+ int ret;
+
+ // Reserve arbitrary amount of space to avoid small memory reallocations.
+ line.reserve(128);
+
+ do {
+ char c;
+ ret = recv(fd, &c, 1, 0);
+ if (ret == 1) {
+ if (c == '\n')
+ return line;
+ line += c;
+ }
+ } while (ret == 1 || (ret == -1 && errno == EINTR));
+
+ return line;
}
char* url::get_pac() {
From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
From: Fei Li <lifeibiren@gmail.com>
Date: Fri, 17 Jul 2020 02:18:37 +0800
Subject: [PATCH] Fix buffer overflow when PAC is enabled
The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
out to be the large PAC file (more than 102400 bytes) returned by a
local proxy program with no content-length present.
---
libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
1 file changed, 31 insertions(+), 13 deletions(-)
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
index ee776b2..8684086 100644
--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
@@ -54,7 +54,7 @@ using namespace std;
#define PAC_MIME_TYPE_FB "text/plain"
// This is the maximum pac size (to avoid memory attacks)
-#define PAC_MAX_SIZE 102400
+#define PAC_MAX_SIZE 0x800000
// This is the default block size to use when receiving via HTTP
#define PAC_HTTP_BLOCK_SIZE 512
@@ -478,15 +478,13 @@ char* url::get_pac() {
}
// Get content
- unsigned int recvd = 0;
- buffer = new char[PAC_MAX_SIZE];
- memset(buffer, 0, PAC_MAX_SIZE);
+ std::vector<char> dynamic_buffer;
do {
unsigned int chunk_length;
if (chunked) {
// Discard the empty line if we received a previous chunk
- if (recvd > 0) recvline(sock);
+ if (!dynamic_buffer.empty()) recvline(sock);
// Get the chunk-length line as an integer
if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
@@ -498,21 +496,41 @@ char* url::get_pac() {
if (content_length >= PAC_MAX_SIZE) break;
- while (content_length == 0 || recvd != content_length) {
- int r = recv(sock, buffer + recvd,
- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
- : content_length - recvd, 0);
+ while (content_length == 0 || dynamic_buffer.size() != content_length) {
+ // Calculate length to recv
+ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
+ if (content_length > 0)
+ length_to_read = content_length - dynamic_buffer.size();
+
+ // Prepare buffer
+ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
+
+ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
+
+ // Shrink buffer to fit
+ if (r >= 0)
+ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
+
+ // PAC size too large, discard
+ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
+ chunked = false;
+ dynamic_buffer.clear();
+ break;
+ }
+
if (r <= 0) {
chunked = false;
break;
}
- recvd += r;
}
} while (chunked);
- if (content_length != 0 && string(buffer).size() != content_length) {
- delete[] buffer;
- buffer = NULL;
+ if (content_length == 0 || content_length == dynamic_buffer.size()) {
+ buffer = new char[dynamic_buffer.size() + 1];
+ if (!dynamic_buffer.empty()) {
+ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
+ }
+ buffer[dynamic_buffer.size()] = '\0';
}
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment