2 files changed, 60 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy/0001-CVE-2023-49606.patch b/meta-networking/recipes-support/tinyproxy/tinyproxy/0001-CVE-2023-49606.patch
new file mode 100644
index 0000000000..dd10d2cd33
--- /dev/null
+++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/0001-CVE-2023-49606.patch
@@ -0,0 +1,59 @@
+From 982a46347c5939e08ad659858b1ac32361d7ffb8 Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Sun, 5 May 2024 10:37:29 +0000
+Subject: [PATCH] CVE-2023-49606
+fix potential UAF in header handling
+https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
+this bug was brought to my attention today by the debian tinyproxy
+package maintainer. the above link states that the issue was known
+since last year and that maintainers have been contacted, but if
+that is even true then it probably was done via a private email
+to a potentially outdated email address of one of the maintainers,
+not through the channels described clearly on the tinyproxy homepage:
+> Feel free to report a new bug or suggest features via github issues.
+> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.
+no github issue was filed, and nobody mentioned a vulnerability on
+the mentioned IRC chat. if the issue had been reported on github or
+IRC, the bug would have been fixed within a day.
+CVE: CVE-2023-49606
+Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/12a8484265f7b00591293da492bb3c9987001956]
+(cherry picked from commit 12a8484265f7b00591293da492bb3c9987001956)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/reqs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+diff --git a/src/reqs.c b/src/reqs.c
+index b865190..705ce11 100644
+--- a/src/reqs.c
+++ b/src/reqs.c
+@@ -779,7 +779,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
+         char *data;
+         char *ptr;
+         ssize_t len;
+-        int i;
+        int i,j,df;
+ 
+         for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
+                 /* Look for the connection header.  If it's not found, return. */
+@@ -804,7 +804,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
+                  */
+                 ptr = data;
+                 while (ptr < data + len) {
+-                        orderedmap_remove (hashofheaders, ptr);
+                        df = 0;
+                        /* check that ptr isn't one of headers to prevent
+                           double-free (CVE-2023-49606) */
+                        for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
+                                if(!strcasecmp(ptr, headers[j])) df = 1;
+                        if (!df) orderedmap_remove (hashofheaders, ptr);
+ 
+                         /* Advance ptr to the next token */
+                         ptr += strlen (ptr) + 1;
diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb
index 999deff4de..8aff50fac8 100644
--- a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb
+++ b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb
@@ -8,6 +8,7 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.gz
           file://tinyproxy.service \
           file://tinyproxy.conf \
           file://CVE-2022-40468.patch \
+           file://0001-CVE-2023-49606.patch \
           "
 SRC_URI[sha256sum] = "1574acf7ba83c703a89e98bb2758a4ed9fda456f092624b33cfcf0ce2d3b2047"

diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy/0001-CVE-2023-49606.patch b/meta-networking/recipes-support/tinyproxy/tinyproxy/0001-CVE-2023-49606.patch new file mode 100644 index 0000000000..dd10d2cd33 --- /dev/null +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/0001-CVE-2023-49606.patch
@@ -0,0 +1,59 @@
		1	From 982a46347c5939e08ad659858b1ac32361d7ffb8 Mon Sep 17 00:00:00 2001
		2	From: rofl0r <rofl0r@users.noreply.github.com>
		3	Date: Sun, 5 May 2024 10:37:29 +0000
		4	Subject: [PATCH] CVE-2023-49606
		5
		6	fix potential UAF in header handling
		7
		8	https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
		9
		10	this bug was brought to my attention today by the debian tinyproxy
		11	package maintainer. the above link states that the issue was known
		12	since last year and that maintainers have been contacted, but if
		13	that is even true then it probably was done via a private email
		14	to a potentially outdated email address of one of the maintainers,
		15	not through the channels described clearly on the tinyproxy homepage:
		16
		17	> Feel free to report a new bug or suggest features via github issues.
		18	> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.
		19
		20	no github issue was filed, and nobody mentioned a vulnerability on
		21	the mentioned IRC chat. if the issue had been reported on github or
		22	IRC, the bug would have been fixed within a day.
		23
		24	CVE: CVE-2023-49606
		25	Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/12a8484265f7b00591293da492bb3c9987001956]
		26
		27	(cherry picked from commit 12a8484265f7b00591293da492bb3c9987001956)
		28	Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
		29	---
		30	src/reqs.c \| 9 +++++++--
		31	1 file changed, 7 insertions(+), 2 deletions(-)
		32
		33	diff --git a/src/reqs.c b/src/reqs.c
		34	index b865190..705ce11 100644
		35	--- a/src/reqs.c
		36	+++ b/src/reqs.c
		37	@@ -779,7 +779,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
		38	char *data;
		39	char *ptr;
		40	ssize_t len;
		41	- int i;
		42	+ int i,j,df;
		43
		44	for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
		45	/* Look for the connection header. If it's not found, return. */
		46	@@ -804,7 +804,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
		47	*/
		48	ptr = data;
		49	while (ptr < data + len) {
		50	- orderedmap_remove (hashofheaders, ptr);
		51	+ df = 0;
		52	+ /* check that ptr isn't one of headers to prevent
		53	+ double-free (CVE-2023-49606) */
		54	+ for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
		55	+ if(!strcasecmp(ptr, headers[j])) df = 1;
		56	+ if (!df) orderedmap_remove (hashofheaders, ptr);
		57
		58	/* Advance ptr to the next token */
		59	ptr += strlen (ptr) + 1;


diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb index 999deff4de..8aff50fac8 100644 --- a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb
@@ -8,6 +8,7 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.gz
8	file://tinyproxy.service \	8	file://tinyproxy.service \
9	file://tinyproxy.conf \	9	file://tinyproxy.conf \
10	file://CVE-2022-40468.patch \	10	file://CVE-2022-40468.patch \
		11	file://0001-CVE-2023-49606.patch \
11	"	12	"
12		13
13	SRC_URI[sha256sum] = "1574acf7ba83c703a89e98bb2758a4ed9fda456f092624b33cfcf0ce2d3b2047"	14	SRC_URI[sha256sum] = "1574acf7ba83c703a89e98bb2758a4ed9fda456f092624b33cfcf0ce2d3b2047"