Hello community, here is the log from the commit of package libproxy for openSUSE:Factory checked in at 2020-10-08 13:10:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libproxy (Old) and /work/SRC/openSUSE:Factory/.libproxy.new.4249 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libproxy" Thu Oct 8 13:10:35 2020 rev:78 rq:839601 version:0.4.15 Changes: -------- --- /work/SRC/openSUSE:Factory/libproxy/libproxy.changes 2020-09-25 16:27:54.591697747 +0200 +++ /work/SRC/openSUSE:Factory/.libproxy.new.4249/libproxy.changes 2020-10-08 13:11:35.283140050 +0200 @@ -1,0 +2,8 @@ +Wed Sep 30 18:50:44 UTC 2020 - Michael Gorse <[email protected]> + +- Add libproxy-CVE-2020-25219.patch: Rewrite url::recvline to be + nonrecursive (boo#1176410 CVE-2020-25219). +- Add libproxy-fix-pac-buffer-overflow.patch: fix buffer overflow + when PAC is enabled (boo#1177143 CVE-2020-26154). + +------------------------------------------------------------------- New: ---- libproxy-CVE-2020-25219.patch libproxy-fix-pac-buffer-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libproxy.spec ++++++ --- /var/tmp/diff_new_pack.jjXiLy/_old 2020-10-08 13:11:35.911140619 +0200 +++ /var/tmp/diff_new_pack.jjXiLy/_new 2020-10-08 13:11:35.915140622 +0200 @@ -51,6 +51,10 @@ Patch0: libproxy-python3.7.patch # PATCH-FIX-UPSTREAM libproxy-pxgsettings.patch [email protected] -- pxgsettings: use the correct syntax to connect to the changed signal Patch1: libproxy-pxgsettings.patch +# PATCH-FIX-UPSTREAM libproxy-CVE-2020-25219.patch boo#1176410 [email protected] -- Rewrite url::recvline to be nonrecursive. +Patch2: libproxy-CVE-2020-25219.patch +# PATCH-FIX-UPSTREAM libproxy-fix-pac-buffer-overflow.patch boo#1177143 [email protected] -- fix buffer overflow when PAC is enabled. +Patch3: libproxy-fix-pac-buffer-overflow.patch BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: libmodman-devel @@ -276,6 +280,8 @@ %setup -q -n %{_sourcename} %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 mkdir build %build ++++++ libproxy-CVE-2020-25219.patch ++++++ >From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001 From: Michael Catanzaro <[email protected]> Date: Wed, 9 Sep 2020 11:12:02 -0500 Subject: [PATCH] Rewrite url::recvline to be nonrecursive This function processes network input. It's semi-trusted, because the PAC ought to be trusted. But we still shouldn't allow it to control how far we recurse. A malicious PAC can cause us to overflow the stack by sending a sufficiently-long line without any '\n' character. Also, this function failed to properly handle EINTR, so let's fix that too, for good measure. Fixes #134 --- libproxy/url.cpp | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/libproxy/url.cpp b/libproxy/url.cpp index ee776b2..68d69cd 100644 --- a/libproxy/url.cpp +++ b/libproxy/url.cpp @@ -388,16 +388,24 @@ string url::to_string() const { return m_orig; } -static inline string recvline(int fd) { - // Read a character. - // If we don't get a character, return empty string. - // If we are at the end of the line, return empty string. - char c = '\0'; - - if (recv(fd, &c, 1, 0) != 1 || c == '\n') - return ""; - - return string(1, c) + recvline(fd); +static string recvline(int fd) { + string line; + int ret; + + // Reserve arbitrary amount of space to avoid small memory reallocations. + line.reserve(128); + + do { + char c; + ret = recv(fd, &c, 1, 0); + if (ret == 1) { + if (c == '\n') + return line; + line += c; + } + } while (ret == 1 || (ret == -1 && errno == EINTR)); + + return line; } char* url::get_pac() { -- 2.28.0 ++++++ libproxy-fix-pac-buffer-overflow.patch ++++++ >From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001 From: Fei Li <[email protected]> Date: Fri, 17 Jul 2020 02:18:37 +0800 Subject: [PATCH] Fix buffer overflow when PAC is enabled The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned out to be the large PAC file (more than 102400 bytes) returned by a local proxy program with no content-length present. --- libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 13 deletions(-) diff --git a/libproxy/url.cpp b/libproxy/url.cpp index ee776b2..8684086 100644 --- a/libproxy/url.cpp +++ b/libproxy/url.cpp @@ -54,7 +54,7 @@ using namespace std; #define PAC_MIME_TYPE_FB "text/plain" // This is the maximum pac size (to avoid memory attacks) -#define PAC_MAX_SIZE 102400 +#define PAC_MAX_SIZE 0x800000 // This is the default block size to use when receiving via HTTP #define PAC_HTTP_BLOCK_SIZE 512 @@ -478,15 +478,13 @@ char* url::get_pac() { } // Get content - unsigned int recvd = 0; - buffer = new char[PAC_MAX_SIZE]; - memset(buffer, 0, PAC_MAX_SIZE); + std::vector<char> dynamic_buffer; do { unsigned int chunk_length; if (chunked) { // Discard the empty line if we received a previous chunk - if (recvd > 0) recvline(sock); + if (!dynamic_buffer.empty()) recvline(sock); // Get the chunk-length line as an integer if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break; @@ -498,21 +496,41 @@ char* url::get_pac() { if (content_length >= PAC_MAX_SIZE) break; - while (content_length == 0 || recvd != content_length) { - int r = recv(sock, buffer + recvd, - content_length == 0 ? PAC_HTTP_BLOCK_SIZE - : content_length - recvd, 0); + while (content_length == 0 || dynamic_buffer.size() != content_length) { + // Calculate length to recv + unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE; + if (content_length > 0) + length_to_read = content_length - dynamic_buffer.size(); + + // Prepare buffer + dynamic_buffer.resize(dynamic_buffer.size() + length_to_read); + + int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0); + + // Shrink buffer to fit + if (r >= 0) + dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r); + + // PAC size too large, discard + if (dynamic_buffer.size() >= PAC_MAX_SIZE) { + chunked = false; + dynamic_buffer.clear(); + break; + } + if (r <= 0) { chunked = false; break; } - recvd += r; } } while (chunked); - if (content_length != 0 && string(buffer).size() != content_length) { - delete[] buffer; - buffer = NULL; + if (content_length == 0 || content_length == dynamic_buffer.size()) { + buffer = new char[dynamic_buffer.size() + 1]; + if (!dynamic_buffer.empty()) { + memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size()); + } + buffer[dynamic_buffer.size()] = '\0'; } }
