2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
new file mode 100644
index 0000000000..3ef7f85451
--- /dev/null
+++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
@@ -0,0 +1,61 @@
+From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Wed, 9 Sep 2020 11:12:02 -0500
+Subject: [PATCH] Rewrite url::recvline to be nonrecursive
+This function processes network input. It's semi-trusted, because the
+PAC ought to be trusted. But we still shouldn't allow it to control how
+far we recurse. A malicious PAC can cause us to overflow the stack by
+sending a sufficiently-long line without any '\n' character.
+Also, this function failed to properly handle EINTR, so let's fix that
+too, for good measure.
+Fixes #134
+Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa]
+CVE: CVE-2020-25219
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ libproxy/url.cpp | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..68d69cd 100644
+--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
+@@ -388,16 +388,24 @@ string url::to_string() const {
+        return m_orig;
+ }
+ 
+-static inline string recvline(int fd) {
+-       // Read a character.
+-       // If we don't get a character, return empty string.
+-       // If we are at the end of the line, return empty string.
+-       char c = '\0';
+-       
+-       if (recv(fd, &c, 1, 0) != 1 || c == '\n')
+-               return "";
+-
+-       return string(1, c) + recvline(fd);
+static string recvline(int fd) {
+       string line;
+       int ret;
+
+       // Reserve arbitrary amount of space to avoid small memory reallocations.
+       line.reserve(128);
+
+       do {
+               char c;
+               ret = recv(fd, &c, 1, 0);
+               if (ret == 1) {
+                       if (c == '\n')
+                               return line;
+                       line += c;
+               }
+       } while (ret == 1 || (ret == -1 && errno == EINTR));
+
+       return line;
+ }
+ 
+ char* url::get_pac() {
diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
index 19dddebd44..a14c358cc2 100644
--- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -10,6 +10,7 @@ DEPENDS = "glib-2.0"
 SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
           file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
+           file://CVE-2020-25219.patch \
          "
 SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
 SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"

diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch new file mode 100644 index 0000000000..3ef7f85451 --- /dev/null +++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
@@ -0,0 +1,61 @@
		1	From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
		2	From: Michael Catanzaro <mcatanzaro@gnome.org>
		3	Date: Wed, 9 Sep 2020 11:12:02 -0500
		4	Subject: [PATCH] Rewrite url::recvline to be nonrecursive
		5
		6	This function processes network input. It's semi-trusted, because the
		7	PAC ought to be trusted. But we still shouldn't allow it to control how
		8	far we recurse. A malicious PAC can cause us to overflow the stack by
		9	sending a sufficiently-long line without any '\n' character.
		10
		11	Also, this function failed to properly handle EINTR, so let's fix that
		12	too, for good measure.
		13
		14	Fixes #134
		15
		16	Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa]
		17	CVE: CVE-2020-25219
		18	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		19	---
		20	libproxy/url.cpp \| 28 ++++++++++++++++++----------
		21	1 file changed, 18 insertions(+), 10 deletions(-)
		22
		23	diff --git a/libproxy/url.cpp b/libproxy/url.cpp
		24	index ee776b2..68d69cd 100644
		25	--- a/libproxy/url.cpp
		26	+++ b/libproxy/url.cpp
		27	@@ -388,16 +388,24 @@ string url::to_string() const {
		28	return m_orig;
		29	}
		30
		31	-static inline string recvline(int fd) {
		32	- // Read a character.
		33	- // If we don't get a character, return empty string.
		34	- // If we are at the end of the line, return empty string.
		35	- char c = '\0';
		36	-
		37	- if (recv(fd, &c, 1, 0) != 1 \|\| c == '\n')
		38	- return "";
		39	-
		40	- return string(1, c) + recvline(fd);
		41	+static string recvline(int fd) {
		42	+ string line;
		43	+ int ret;
		44	+
		45	+ // Reserve arbitrary amount of space to avoid small memory reallocations.
		46	+ line.reserve(128);
		47	+
		48	+ do {
		49	+ char c;
		50	+ ret = recv(fd, &c, 1, 0);
		51	+ if (ret == 1) {
		52	+ if (c == '\n')
		53	+ return line;
		54	+ line += c;
		55	+ }
		56	+ } while (ret == 1 \|\| (ret == -1 && errno == EINTR));
		57	+
		58	+ return line;
		59	}
		60
		61	char* url::get_pac() {


diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb index 19dddebd44..a14c358cc2 100644 --- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb +++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -10,6 +10,7 @@ DEPENDS = "glib-2.0"
10		10
11	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \	11	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
12	file://0001-get-pac-test-Fix-build-with-clang-libc.patch \	12	file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
		13	file://CVE-2020-25219.patch \
13	"	14	"
14	SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"	15	SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
15	SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"	16	SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"