authorNathan <ndowens@artixlinux.org>2020-10-26 22:16:00 +0000
committerNathan <ndowens@artixlinux.org>2020-10-26 22:16:00 +0000
commitd594526178c13672b3d94f393416c652816a7de9 (patch)
treeb21ac0939a4e18c867f5249cee6738fa2fcff54b /user/libproxy/CVE-2020-25219.patch
parentf7628676c6a915f3ab24cfae976b973e1d041245 (diff)
user/libproxy: Add CVE-2020-26154 and CVE-2020-25219 patch
Diffstat (limited to 'user/libproxy/CVE-2020-25219.patch')
-rw-r--r--user/libproxy/CVE-2020-25219.patch57
1 files changed, 57 insertions, 0 deletions
diff --git a/user/libproxy/CVE-2020-25219.patch b/user/libproxy/CVE-2020-25219.patch
new file mode 100644
index 000000000..03cfbc00e
--- /dev/null
+++ b/user/libproxy/CVE-2020-25219.patch
@@ -0,0 +1,57 @@
+From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Wed, 9 Sep 2020 11:12:02 -0500
+Subject: [PATCH] Rewrite url::recvline to be nonrecursive
+
+This function processes network input. It's semi-trusted, because the
+PAC ought to be trusted. But we still shouldn't allow it to control how
+far we recurse. A malicious PAC can cause us to overflow the stack by
+sending a sufficiently-long line without any '\n' character.
+
+Also, this function failed to properly handle EINTR, so let's fix that
+too, for good measure.
+
+Fixes #134
+---
+ libproxy/url.cpp | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..68d69cd 100644
+--- a/libproxy/url.cpp
++++ b/libproxy/url.cpp
+@@ -388,16 +388,24 @@ string url::to_string() const {
+ return m_orig;
+ }
+
+-static inline string recvline(int fd) {
+- // Read a character.
+- // If we don't get a character, return empty string.
+- // If we are at the end of the line, return empty string.
+- char c = '\0';
+-
+- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
+- return "";
+-
+- return string(1, c) + recvline(fd);
++static string recvline(int fd) {
++ string line;
++ int ret;
++
++ // Reserve arbitrary amount of space to avoid small memory reallocations.
++ line.reserve(128);
++
++ do {
++ char c;
++ ret = recv(fd, &c, 1, 0);
++ if (ret == 1) {
++ if (c == '\n')
++ return line;
++ line += c;
++ }
++ } while (ret == 1 || (ret == -1 && errno == EINTR));
++
++ return line;
+ }
+
+ char* url::get_pac() {
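Review bot: The rewritten `recvline` loop still places no upper bound on the line length, so a peer that never sends '\n' no longer exhausts the stack but makes `line` grow on the heap until allocation fails. A cap checked before `line += c;` would close that, for example `if (line.size() >= kMaxLineLen) return line;`, where `kMaxLineLen` is a placeholder name for a limit the project would choose. The function also returns the partial line on EOF or on a non-EINTR error, exactly as it does for a complete line, so a caller cannot tell a truncated header from a terminated one; a comment such as `// Returns what was read so far on EOF or error; callers must not assume a trailing '\n' was seen.` would make that contract explicit. The hunk uses `errno` and `EINTR`, and whether `<cerrno>` is already included in url.cpp is not visible here, so that should be confirmed.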