Accepting request 838838 from GNOME:Next

- Add libproxy-CVE-2020-25219.patch: Rewrite url::recvline to be nonrecursive (boo#1176410 CVE-2020-25219). - Add libproxy-fix-pac-buffer-overflow.patch: fix buffer overflow when PAC is enabled (boo#1177143 CVE-2020-26154). OBS-URL: https://build.opensuse.org/request/show/838838 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/libproxy?expand=0&rev=152
2020-10-05 15:07:11 +00:00 · 2020-10-05 15:07:11 +00:00 · 2189c07bf4
commit 2189c07bf4
parent 00581a6407
4 changed files with 167 additions and 0 deletions
--- a/libproxy-CVE-2020-25219.patch
+++ b/libproxy-CVE-2020-25219.patch
@ -0,0 +1,60 @@
+From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Wed, 9 Sep 2020 11:12:02 -0500
+Subject: [PATCH] Rewrite url::recvline to be nonrecursive
+
+This function processes network input. It's semi-trusted, because the
+PAC ought to be trusted. But we still shouldn't allow it to control how
+far we recurse. A malicious PAC can cause us to overflow the stack by
+sending a sufficiently-long line without any '\n' character.
+
+Also, this function failed to properly handle EINTR, so let's fix that
+too, for good measure.
+
+Fixes #134
+---
+ libproxy/url.cpp | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..68d69cd 100644
+--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
+@@ -388,16 +388,24 @@ string url::to_string() const {
+ 	return m_orig;
+ }
+ 
+-static inline string recvline(int fd) {
+-	// Read a character.
+-	// If we don't get a character, return empty string.
+-	// If we are at the end of the line, return empty string.
+-	char c = '\0';
+-	
+-	if (recv(fd, &c, 1, 0) != 1 || c == '\n')
+-		return "";
+-
+-	return string(1, c) + recvline(fd);
+static string recvline(int fd) {
+	string line;
+	int ret;
+
+	// Reserve arbitrary amount of space to avoid small memory reallocations.
+	line.reserve(128);
+
+	do {
+		char c;
+		ret = recv(fd, &c, 1, 0);
+		if (ret == 1) {
+			if (c == '\n')
+				return line;
+			line += c;
+		}
+	} while (ret == 1 || (ret == -1 && errno == EINTR));
+
+	return line;
+ }
+ 
+ char* url::get_pac() {
+-- 
+2.28.0
+
--- a/libproxy-fix-pac-buffer-overflow.patch
+++ b/libproxy-fix-pac-buffer-overflow.patch
@ -0,0 +1,93 @@
+From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
+From: Fei Li <lifeibiren@gmail.com>
+Date: Fri, 17 Jul 2020 02:18:37 +0800
+Subject: [PATCH] Fix buffer overflow when PAC is enabled
+
+The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
+out to be the large PAC file (more than 102400 bytes) returned by a
+local proxy program with no content-length present.
+---
+ libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 31 insertions(+), 13 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..8684086 100644
+--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
+@@ -54,7 +54,7 @@ using namespace std;
+ #define PAC_MIME_TYPE_FB "text/plain"
+ 
+ // This is the maximum pac size (to avoid memory attacks)
+-#define PAC_MAX_SIZE 102400
+#define PAC_MAX_SIZE 0x800000
+ // This is the default block size to use when receiving via HTTP
+ #define PAC_HTTP_BLOCK_SIZE 512
+ 
+@@ -478,15 +478,13 @@ char* url::get_pac() {
+ 		}
+ 
+ 		// Get content
+-		unsigned int recvd = 0;
+-		buffer = new char[PAC_MAX_SIZE];
+-		memset(buffer, 0, PAC_MAX_SIZE);
+		std::vector<char> dynamic_buffer;
+ 		do {
+ 			unsigned int chunk_length;
+ 
+ 			if (chunked) {
+ 				// Discard the empty line if we received a previous chunk
+-				if (recvd > 0) recvline(sock);
+				if (!dynamic_buffer.empty()) recvline(sock);
+ 
+ 				// Get the chunk-length line as an integer
+ 				if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
+@@ -498,21 +496,41 @@ char* url::get_pac() {
+ 
+ 			if (content_length >= PAC_MAX_SIZE) break;
+ 
+-			while (content_length == 0 || recvd != content_length) {
+-				int r = recv(sock, buffer + recvd,
+-				             content_length == 0 ? PAC_HTTP_BLOCK_SIZE
+-				                                 : content_length - recvd, 0);
+			while (content_length == 0 || dynamic_buffer.size() != content_length) {
+				// Calculate length to recv
+				unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
+				if (content_length > 0)
+					length_to_read = content_length - dynamic_buffer.size();
+
+				// Prepare buffer
+				dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
+
+				int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
+
+				// Shrink buffer to fit
+				if (r >= 0)
+					dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
+
+				// PAC size too large, discard
+				if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
+					chunked = false;
+					dynamic_buffer.clear();
+					break;
+				}
+
+ 				if (r <= 0) {
+ 					chunked = false;
+ 					break;
+ 				}
+-				recvd += r;
+ 			}
+ 		} while (chunked);
+ 
+-		if (content_length != 0 && string(buffer).size() != content_length) {
+-			delete[] buffer;
+-			buffer = NULL;
+		if (content_length == 0 || content_length == dynamic_buffer.size()) {
+			buffer = new char[dynamic_buffer.size() + 1];
+			if (!dynamic_buffer.empty()) {
+				memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
+			}
+			buffer[dynamic_buffer.size()] = '\0';
+ 		}
+ 	}
+ 
--- a/libproxy.changes
+++ b/libproxy.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Sep 30 18:50:44 UTC 2020 - Michael Gorse <mgorse@suse.com>
+
+- Add libproxy-CVE-2020-25219.patch: Rewrite url::recvline to be
+  nonrecursive (boo#1176410 CVE-2020-25219).
+- Add libproxy-fix-pac-buffer-overflow.patch: fix buffer overflow
+  when PAC is enabled (boo#1177143 CVE-2020-26154).
+
 -------------------------------------------------------------------
 Fri Sep 14 02:58:52 UTC 2020 - Yifan Jiang <yfjiang@suse.com>

--- a/libproxy.spec
+++ b/libproxy.spec
@ -51,6 +51,10 @@ Source99:       baselibs.conf
 Patch0:         libproxy-python3.7.patch
 # PATCH-FIX-UPSTREAM libproxy-pxgsettings.patch dimstar@opensuse.org -- pxgsettings: use the correct syntax to connect to the changed signal
 Patch1:         libproxy-pxgsettings.patch
+# PATCH-FIX-UPSTREAM libproxy-CVE-2020-25219.patch boo#1176410 mgorse@suse.com -- Rewrite url::recvline to be nonrecursive.
+Patch2:         libproxy-CVE-2020-25219.patch
+# PATCH-FIX-UPSTREAM libproxy-fix-pac-buffer-overflow.patch boo#1177143 mgorse@suse.com -- fix buffer overflow when PAC is enabled.
+Patch3:         libproxy-fix-pac-buffer-overflow.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 BuildRequires:  libmodman-devel
@ -276,6 +280,8 @@ This package contains the Mono/.NET for libproxy.
 %setup -q -n %{_sourcename}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 mkdir build

 %build