mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

libproxy: fix CVE-2020-25219

Browse Source 
(From OE-Core rev: 3b1701a8e6bbeb51d2415a7a361efdadaae29b0b)

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Lee Chee Yang
2020-10-14 17:22:09 +08:00
committed by Richard Purdie
parent d4ecc90268
commit 458b7e9369
2 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch Normal file
View File

@@ -0,0 +1,61 @@
From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@gnome.org>
Date: Wed, 9 Sep 2020 11:12:02 -0500
Subject: [PATCH] Rewrite url::recvline to be nonrecursive
This function processes network input. It's semi-trusted, because the
PAC ought to be trusted. But we still shouldn't allow it to control how
far we recurse. A malicious PAC can cause us to overflow the stack by
sending a sufficiently-long line without any '\n' character.
Also, this function failed to properly handle EINTR, so let's fix that
too, for good measure.
Fixes #134
Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa]
CVE: CVE-2020-25219
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
libproxy/url.cpp | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
index ee776b2..68d69cd 100644
--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
@@ -388,16 +388,24 @@ string url::to_string() const {
return m_orig;
}
-static inline string recvline(int fd) {
- // Read a character.
- // If we don't get a character, return empty string.
- // If we are at the end of the line, return empty string.
- char c = '\0';
-
- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
- return "";
-
- return string(1, c) + recvline(fd);
+static string recvline(int fd) {
+ string line;
+ int ret;
+
+ // Reserve arbitrary amount of space to avoid small memory reallocations.
+ line.reserve(128);
+
+ do {
+ char c;
+ ret = recv(fd, &c, 1, 0);
+ if (ret == 1) {
+ if (c == '\n')
+ return line;
+ line += c;
+ }
+ } while (ret == 1 || (ret == -1 && errno == EINTR));
+
+ return line;
}
char* url::get_pac() {

1
meta/recipes-support/libproxy/libproxy_0.4.15.bb
View File

@@ -10,6 +10,7 @@ DEPENDS = "glib-2.0"
SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
file://CVE-2020-25219.patch \
"
SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"