diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2020-10-19 20:59:55 +0800 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2020-10-20 06:58:44 -1000 |
commit | f2e07dcf2c8ced2efcb6b67db45b9c5dc5ca5309 (patch) | |
tree | b65a2f64f1c62d0ab3b39be16c2807b428a93e50 /meta | |
parent | 197b405dd098f6b214837d224f40d33b018b7c16 (diff) | |
download | openembedded-core-contrib-f2e07dcf2c8ced2efcb6b67db45b9c5dc5ca5309.tar.gz |
libproxy: fix CVE-2020-25219
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch | 61 | ||||
-rw-r--r-- | meta/recipes-support/libproxy/libproxy_0.4.15.bb | 1 |
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch new file mode 100644 index 0000000000..3ef7f85451 --- /dev/null +++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch @@ -0,0 +1,61 @@ +From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro <mcatanzaro@gnome.org> +Date: Wed, 9 Sep 2020 11:12:02 -0500 +Subject: [PATCH] Rewrite url::recvline to be nonrecursive + +This function processes network input. It's semi-trusted, because the +PAC ought to be trusted. But we still shouldn't allow it to control how +far we recurse. A malicious PAC can cause us to overflow the stack by +sending a sufficiently-long line without any '\n' character. + +Also, this function failed to properly handle EINTR, so let's fix that +too, for good measure. + +Fixes #134 + +Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa] +CVE: CVE-2020-25219 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + libproxy/url.cpp | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/libproxy/url.cpp b/libproxy/url.cpp +index ee776b2..68d69cd 100644 +--- a/libproxy/url.cpp ++++ b/libproxy/url.cpp +@@ -388,16 +388,24 @@ string url::to_string() const { + return m_orig; + } + +-static inline string recvline(int fd) { +- // Read a character. +- // If we don't get a character, return empty string. +- // If we are at the end of the line, return empty string. +- char c = '\0'; +- +- if (recv(fd, &c, 1, 0) != 1 || c == '\n') +- return ""; +- +- return string(1, c) + recvline(fd); ++static string recvline(int fd) { ++ string line; ++ int ret; ++ ++ // Reserve arbitrary amount of space to avoid small memory reallocations. ++ line.reserve(128); ++ ++ do { ++ char c; ++ ret = recv(fd, &c, 1, 0); ++ if (ret == 1) { ++ if (c == '\n') ++ return line; ++ line += c; ++ } ++ } while (ret == 1 || (ret == -1 && errno == EINTR)); ++ ++ return line; + } + + char* url::get_pac() { diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb index 19dddebd44..a14c358cc2 100644 --- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb +++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb @@ -10,6 +10,7 @@ DEPENDS = "glib-2.0" SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \ file://0001-get-pac-test-Fix-build-with-clang-libc.patch \ + file://CVE-2020-25219.patch \ " SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152" SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f" |