diff --git a/libproxy-CVE-2020-25219.patch b/libproxy-CVE-2020-25219.patch new file mode 100644 index 0000000..1ac6ce5 --- /dev/null +++ b/libproxy-CVE-2020-25219.patch @@ -0,0 +1,60 @@ +From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Wed, 9 Sep 2020 11:12:02 -0500 +Subject: [PATCH] Rewrite url::recvline to be nonrecursive + +This function processes network input. It's semi-trusted, because the +PAC ought to be trusted. But we still shouldn't allow it to control how +far we recurse. A malicious PAC can cause us to overflow the stack by +sending a sufficiently-long line without any '\n' character. + +Also, this function failed to properly handle EINTR, so let's fix that +too, for good measure. + +Fixes #134 +--- + libproxy/url.cpp | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/libproxy/url.cpp b/libproxy/url.cpp +index ee776b2..68d69cd 100644 +--- a/libproxy/url.cpp ++++ b/libproxy/url.cpp +@@ -388,16 +388,24 @@ string url::to_string() const { + return m_orig; + } + +-static inline string recvline(int fd) { +- // Read a character. +- // If we don't get a character, return empty string. +- // If we are at the end of the line, return empty string. +- char c = '\0'; +- +- if (recv(fd, &c, 1, 0) != 1 || c == '\n') +- return ""; +- +- return string(1, c) + recvline(fd); ++static string recvline(int fd) { ++ string line; ++ int ret; ++ ++ // Reserve arbitrary amount of space to avoid small memory reallocations. ++ line.reserve(128); ++ ++ do { ++ char c; ++ ret = recv(fd, &c, 1, 0); ++ if (ret == 1) { ++ if (c == '\n') ++ return line; ++ line += c; ++ } ++ } while (ret == 1 || (ret == -1 && errno == EINTR)); ++ ++ return line; + } + + char* url::get_pac() { +-- +2.28.0 + diff --git a/libproxy-fix-pac-buffer-overflow.patch b/libproxy-fix-pac-buffer-overflow.patch new file mode 100644 index 0000000..aeaa75e --- /dev/null +++ b/libproxy-fix-pac-buffer-overflow.patch @@ -0,0 +1,93 @@ +From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001 +From: Fei Li +Date: Fri, 17 Jul 2020 02:18:37 +0800 +Subject: [PATCH] Fix buffer overflow when PAC is enabled + +The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned +out to be the large PAC file (more than 102400 bytes) returned by a +local proxy program with no content-length present. +--- + libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++------------- + 1 file changed, 31 insertions(+), 13 deletions(-) + +diff --git a/libproxy/url.cpp b/libproxy/url.cpp +index ee776b2..8684086 100644 +--- a/libproxy/url.cpp ++++ b/libproxy/url.cpp +@@ -54,7 +54,7 @@ using namespace std; + #define PAC_MIME_TYPE_FB "text/plain" + + // This is the maximum pac size (to avoid memory attacks) +-#define PAC_MAX_SIZE 102400 ++#define PAC_MAX_SIZE 0x800000 + // This is the default block size to use when receiving via HTTP + #define PAC_HTTP_BLOCK_SIZE 512 + +@@ -478,15 +478,13 @@ char* url::get_pac() { + } + + // Get content +- unsigned int recvd = 0; +- buffer = new char[PAC_MAX_SIZE]; +- memset(buffer, 0, PAC_MAX_SIZE); ++ std::vector dynamic_buffer; + do { + unsigned int chunk_length; + + if (chunked) { + // Discard the empty line if we received a previous chunk +- if (recvd > 0) recvline(sock); ++ if (!dynamic_buffer.empty()) recvline(sock); + + // Get the chunk-length line as an integer + if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break; +@@ -498,21 +496,41 @@ char* url::get_pac() { + + if (content_length >= PAC_MAX_SIZE) break; + +- while (content_length == 0 || recvd != content_length) { +- int r = recv(sock, buffer + recvd, +- content_length == 0 ? PAC_HTTP_BLOCK_SIZE +- : content_length - recvd, 0); ++ while (content_length == 0 || dynamic_buffer.size() != content_length) { ++ // Calculate length to recv ++ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE; ++ if (content_length > 0) ++ length_to_read = content_length - dynamic_buffer.size(); ++ ++ // Prepare buffer ++ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read); ++ ++ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0); ++ ++ // Shrink buffer to fit ++ if (r >= 0) ++ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r); ++ ++ // PAC size too large, discard ++ if (dynamic_buffer.size() >= PAC_MAX_SIZE) { ++ chunked = false; ++ dynamic_buffer.clear(); ++ break; ++ } ++ + if (r <= 0) { + chunked = false; + break; + } +- recvd += r; + } + } while (chunked); + +- if (content_length != 0 && string(buffer).size() != content_length) { +- delete[] buffer; +- buffer = NULL; ++ if (content_length == 0 || content_length == dynamic_buffer.size()) { ++ buffer = new char[dynamic_buffer.size() + 1]; ++ if (!dynamic_buffer.empty()) { ++ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size()); ++ } ++ buffer[dynamic_buffer.size()] = '\0'; + } + } + diff --git a/libproxy.changes b/libproxy.changes index dc389a1..65df76d 100644 --- a/libproxy.changes +++ b/libproxy.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Sep 30 18:50:44 UTC 2020 - Michael Gorse + +- Add libproxy-CVE-2020-25219.patch: Rewrite url::recvline to be + nonrecursive (boo#1176410 CVE-2020-25219). +- Add libproxy-fix-pac-buffer-overflow.patch: fix buffer overflow + when PAC is enabled (boo#1177143 CVE-2020-26154). + ------------------------------------------------------------------- Fri Sep 14 02:58:52 UTC 2020 - Yifan Jiang diff --git a/libproxy.spec b/libproxy.spec index aeab473..a035432 100644 --- a/libproxy.spec +++ b/libproxy.spec @@ -51,6 +51,10 @@ Source99: baselibs.conf Patch0: libproxy-python3.7.patch # PATCH-FIX-UPSTREAM libproxy-pxgsettings.patch dimstar@opensuse.org -- pxgsettings: use the correct syntax to connect to the changed signal Patch1: libproxy-pxgsettings.patch +# PATCH-FIX-UPSTREAM libproxy-CVE-2020-25219.patch boo#1176410 mgorse@suse.com -- Rewrite url::recvline to be nonrecursive. +Patch2: libproxy-CVE-2020-25219.patch +# PATCH-FIX-UPSTREAM libproxy-fix-pac-buffer-overflow.patch boo#1177143 mgorse@suse.com -- fix buffer overflow when PAC is enabled. +Patch3: libproxy-fix-pac-buffer-overflow.patch BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: libmodman-devel @@ -276,6 +280,8 @@ This package contains the Mono/.NET for libproxy. %setup -q -n %{_sourcename} %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 mkdir build %build