Apply a fix for tinyproxy to resolve CVE-2023-49606.

Also remove an unnecessary patch as the LINE_MAX issue was fixed
a number of years ago.


Index: Makefile
===================================================================
RCS file: /cvs/ports/www/tinyproxy/Makefile,v
retrieving revision 1.38
diff -u -p -u -p -r1.38 Makefile
--- Makefile    27 Sep 2023 19:13:06 -0000      1.38
+++ Makefile    8 May 2024 00:59:12 -0000
@@ -3,7 +3,7 @@ COMMENT =               lightweight HTTP/SSL proxy
 V =                    1.11.1
 DISTNAME =             tinyproxy-$V
 CATEGORIES =           www net
-REVISION =             0
+REVISION =             1
 
 HOMEPAGE =             https://tinyproxy.github.io/
 
Index: patches/patch-etc_tinyproxy_conf_in
===================================================================
RCS file: /cvs/ports/www/tinyproxy/patches/patch-etc_tinyproxy_conf_in,v
retrieving revision 1.4
diff -u -p -u -p -r1.4 patch-etc_tinyproxy_conf_in
--- patches/patch-etc_tinyproxy_conf_in 11 Mar 2022 20:11:03 -0000      1.4
+++ patches/patch-etc_tinyproxy_conf_in 8 May 2024 00:59:12 -0000
@@ -1,5 +1,6 @@
---- etc/tinyproxy.conf.in.orig Wed Mar  3 09:37:24 2010
-+++ etc/tinyproxy.conf.in      Tue Apr  9 05:48:57 2013
+Index: etc/tinyproxy.conf.in
+--- etc/tinyproxy.conf.in.orig
++++ etc/tinyproxy.conf.in
 @@ -12,8 +12,8 @@
  # as the root user. Either the user or group name or the UID or GID
  # number may be used.
Index: patches/patch-src_conf_c
===================================================================
RCS file: patches/patch-src_conf_c
diff -N patches/patch-src_conf_c
--- patches/patch-src_conf_c    11 Mar 2022 20:11:03 -0000      1.2
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-for LINE_MAX
-
-Index: src/conf.c
---- src/conf.c.orig
-+++ src/conf.c
-@@ -23,6 +23,8 @@
-  * add new directives to.  Who knows if I'm right though.
-  */
- 
-+#include <limits.h>
-+
- #include "common.h"
- #include <regex.h>
- #include "conf.h"
Index: patches/patch-src_reqs_c
===================================================================
RCS file: patches/patch-src_reqs_c
diff -N patches/patch-src_reqs_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_reqs_c    8 May 2024 00:59:12 -0000
@@ -0,0 +1,29 @@
+fix potential UAF in header handling (CVE-2023-49606)
+12a8484265f7b00591293da492bb3c9987001956
+
+Index: src/reqs.c
+--- src/reqs.c.orig
++++ src/reqs.c
+@@ -775,7 +775,7 @@ static int remove_connection_headers (orderedmap hasho
+         char *data;
+         char *ptr;
+         ssize_t len;
+-        int i;
++        int i,j,df;
+ 
+         for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
+                 /* Look for the connection header.  If it's not found, 
return. */
+@@ -800,7 +800,12 @@ static int remove_connection_headers (orderedmap hasho
+                  */
+                 ptr = data;
+                 while (ptr < data + len) {
+-                        orderedmap_remove (hashofheaders, ptr);
++                        df = 0;
++                        /* check that ptr isn't one of headers to prevent
++                           double-free (CVE-2023-49606) */
++                        for (j = 0; j != (sizeof (headers) / sizeof (char 
*)); ++j)
++                                if(!strcasecmp(ptr, headers[j])) df = 1;
++                        if (!df) orderedmap_remove (hashofheaders, ptr);
+ 
+                         /* Advance ptr to the next token */
+                         ptr += strlen (ptr) + 1;
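Review bot: The inner loop added at `for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)` keeps scanning after a match and relies on an unbraced one-line body to set the `df` flag; breaking out on the first hit is clearer and avoids the redundant compares: `if (!strcasecmp (ptr, headers[j])) { df = 1; break; }`. The comment says "double-free" while the patch title says UAF; since `ptr` walks inside `data` (presumably the Connection header value, given the "Look for the connection header" comment in the first hunk) and `orderedmap_remove` appears to free what it removes, a more precise comment would be `/* ptr points into data; removing a token that names one of headers[] would free data while it is still being walked (CVE-2023-49606) */`. `strcasecmp` needs `<strings.h>`, and the include list is outside the hunk, so confirm reqs.c already pulls it in. Comparing `int j` against the `size_t` element count mirrors the existing outer loop but warns under -Wsign-compare. remove_connection_headers continues past the hunk, so the later removal of the Connection header itself is not visible here.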
