summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--user/libproxy/APKBUILD14
-rw-r--r--user/libproxy/CVE-2020-25219.patch57
-rw-r--r--user/libproxy/CVE-2020-26154.patch93
3 files changed, 162 insertions, 2 deletions
diff --git a/user/libproxy/APKBUILD b/user/libproxy/APKBUILD
index 1cdb0c9b5..dec45d3a1 100644
--- a/user/libproxy/APKBUILD
+++ b/user/libproxy/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer:
pkgname=libproxy
pkgver=0.4.15
-pkgrel=2
+pkgrel=3
pkgdesc="Library providing automatic proxy configuration management"
url="http://libproxy.github.io/libproxy/"
arch="all"
@@ -14,8 +14,16 @@ subpackages="$pkgname-dev $pkgname-bin py3-$pkgname:py"
source="$pkgname-$pkgver.tar.gz::https://github.com/libproxy/libproxy/archive/$pkgver.tar.gz
libproxy-0.4.7-unistd.patch
fix-includes.patch
+ CVE-2020-25219.patch
+ CVE-2020-26154.patch
"
+#secfixes:
+# 0.4.15-r3:
+# - CVE-2020-25219
+# - CVE-2020-26154
+
+
build() {
cmake \
-DCMAKE_INSTALL_PREFIX=/usr \
@@ -55,4 +63,6 @@ py() {
sha512sums="8f68bd56e44aeb3f553f4657bef82a5d14302780508dafa32454d6f724b724c884ceed6042f8df53a081d26ea0b05598cf35eab44823257c47c5ef8afb36442b libproxy-0.4.15.tar.gz
9929c308195bc59c1b9a7ddaaf708fb831da83c5d86d7ce122cb9774c9b9b16aef3c17fb721356e33a865de1af27db493f29a99d292e1e258cd0135218cacd32 libproxy-0.4.7-unistd.patch
-e35b4f806e5f60e9b184d64dceae62e6e343c367ee96d7e461388f2665fe2ab62170d41848c9da5322bb1719eff3bfaecb273e40a97ce940a5e88d29d03bd8d9 fix-includes.patch"
+e35b4f806e5f60e9b184d64dceae62e6e343c367ee96d7e461388f2665fe2ab62170d41848c9da5322bb1719eff3bfaecb273e40a97ce940a5e88d29d03bd8d9 fix-includes.patch
+908fbf49bec18764a8c2ab81ef5d5e6e1fc2423cf9a6608cc7d3a6d5ac44676e171646b0f95b39b7ade108afd62cc2ede8f7b57d6ba0d67025f30b18e5084292 CVE-2020-25219.patch
+01c784a8016bb2a2bf5058b6af7fac29250542bfd4e0679a91fa223c821336d651f8f4a968763072edb86a78a743618c312a2daeb2963c8e5207109f2d26a18f CVE-2020-26154.patch"
diff --git a/user/libproxy/CVE-2020-25219.patch b/user/libproxy/CVE-2020-25219.patch
new file mode 100644
index 000000000..03cfbc00e
--- /dev/null
+++ b/user/libproxy/CVE-2020-25219.patch
@@ -0,0 +1,57 @@
+From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Wed, 9 Sep 2020 11:12:02 -0500
+Subject: [PATCH] Rewrite url::recvline to be nonrecursive
+
+This function processes network input. It's semi-trusted, because the
+PAC ought to be trusted. But we still shouldn't allow it to control how
+far we recurse. A malicious PAC can cause us to overflow the stack by
+sending a sufficiently-long line without any '\n' character.
+
+Also, this function failed to properly handle EINTR, so let's fix that
+too, for good measure.
+
+Fixes #134
+---
+ libproxy/url.cpp | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..68d69cd 100644
+--- a/libproxy/url.cpp
++++ b/libproxy/url.cpp
+@@ -388,16 +388,24 @@ string url::to_string() const {
+ return m_orig;
+ }
+
+-static inline string recvline(int fd) {
+- // Read a character.
+- // If we don't get a character, return empty string.
+- // If we are at the end of the line, return empty string.
+- char c = '\0';
+-
+- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
+- return "";
+-
+- return string(1, c) + recvline(fd);
++static string recvline(int fd) {
++ string line;
++ int ret;
++
++ // Reserve arbitrary amount of space to avoid small memory reallocations.
++ line.reserve(128);
++
++ do {
++ char c;
++ ret = recv(fd, &c, 1, 0);
++ if (ret == 1) {
++ if (c == '\n')
++ return line;
++ line += c;
++ }
++ } while (ret == 1 || (ret == -1 && errno == EINTR));
++
++ return line;
+ }
+
+ char* url::get_pac() {
diff --git a/user/libproxy/CVE-2020-26154.patch b/user/libproxy/CVE-2020-26154.patch
new file mode 100644
index 000000000..929083327
--- /dev/null
+++ b/user/libproxy/CVE-2020-26154.patch
@@ -0,0 +1,93 @@
+From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
+From: Fei Li <lifeibiren@gmail.com>
+Date: Fri, 17 Jul 2020 02:18:37 +0800
+Subject: [PATCH] Fix buffer overflow when PAC is enabled
+
+The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
+out to be the large PAC file (more than 102400 bytes) returned by a
+local proxy program with no content-length present.
+---
+ libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 31 insertions(+), 13 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..8684086 100644
+--- a/libproxy/url.cpp
++++ b/libproxy/url.cpp
+@@ -54,7 +54,7 @@ using namespace std;
+ #define PAC_MIME_TYPE_FB "text/plain"
+
+ // This is the maximum pac size (to avoid memory attacks)
+-#define PAC_MAX_SIZE 102400
++#define PAC_MAX_SIZE 0x800000
+ // This is the default block size to use when receiving via HTTP
+ #define PAC_HTTP_BLOCK_SIZE 512
+
+@@ -478,15 +478,13 @@ char* url::get_pac() {
+ }
+
+ // Get content
+- unsigned int recvd = 0;
+- buffer = new char[PAC_MAX_SIZE];
+- memset(buffer, 0, PAC_MAX_SIZE);
++ std::vector<char> dynamic_buffer;
+ do {
+ unsigned int chunk_length;
+
+ if (chunked) {
+ // Discard the empty line if we received a previous chunk
+- if (recvd > 0) recvline(sock);
++ if (!dynamic_buffer.empty()) recvline(sock);
+
+ // Get the chunk-length line as an integer
+ if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
+@@ -498,21 +496,41 @@ char* url::get_pac() {
+
+ if (content_length >= PAC_MAX_SIZE) break;
+
+- while (content_length == 0 || recvd != content_length) {
+- int r = recv(sock, buffer + recvd,
+- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
+- : content_length - recvd, 0);
++ while (content_length == 0 || dynamic_buffer.size() != content_length) {
++ // Calculate length to recv
++ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
++ if (content_length > 0)
++ length_to_read = content_length - dynamic_buffer.size();
++
++ // Prepare buffer
++ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
++
++ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
++
++ // Shrink buffer to fit
++ if (r >= 0)
++ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
++
++ // PAC size too large, discard
++ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
++ chunked = false;
++ dynamic_buffer.clear();
++ break;
++ }
++
+ if (r <= 0) {
+ chunked = false;
+ break;
+ }
+- recvd += r;
+ }
+ } while (chunked);
+
+- if (content_length != 0 && string(buffer).size() != content_length) {
+- delete[] buffer;
+- buffer = NULL;
++ if (content_length == 0 || content_length == dynamic_buffer.size()) {
++ buffer = new char[dynamic_buffer.size() + 1];
++ if (!dynamic_buffer.empty()) {
++ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
++ }
++ buffer[dynamic_buffer.size()] = '\0';
+ }
+ }
+