packages/libproxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!10 CVE-2020-25219代码回合

Browse Source 
From: @bitcoffee
Reviewed-by: @zengwefeng
Signed-off-by: @zengwefeng
This commit is contained in:
openeuler-ci-bot 2020-10-29 14:05:38 +08:00 committed by Gitee
commit b5c58e693f
2 changed files with 69 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
libproxy-0.4.15-fix-CVE-2020-25219.patch Normal file
View File

@ -0,0 +1,58 @@
From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@gnome.org>
Date: Wed, 9 Sep 2020 11:12:02 -0500
Subject: [PATCH] Rewrite url::recvline to be nonrecursive
This function processes network input. It's semi-trusted, because the
PAC ought to be trusted. But we still shouldn't allow it to control how
far we recurse. A malicious PAC can cause us to overflow the stack by
sending a sufficiently-long line without any '\n' character.
Also, this function failed to properly handle EINTR, so let's fix that
too, for good measure.
Fixes #134
---
libproxy/url.cpp | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
index ee776b2..68d69cd 100644
--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
@@ -386,16 +386,24 @@ string url::to_string() const {
return m_orig;
}
-static inline string recvline(int fd) {
- // Read a character.
- // If we don't get a character, return empty string.
- // If we are at the end of the line, return empty string.
- char c = '\0';
-
- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
- return "";
-
- return string(1, c) + recvline(fd);
+static string recvline(int fd) {
+ string line;
+ int ret;
+
+ // Reserve arbitrary amount of space to avoid small memory reallocations.
+ line.reserve(128);
+
+ do {
+ char c;
+ ret = recv(fd, &c, 1, 0);
+ if (ret == 1) {
+ if (c == '\n')
+ return line;
+ line += c;
+ }
+ } while (ret == 1 || (ret == -1 && errno == EINTR));
+
+ return line;
}
char* url::get_pac() {

9
libproxy.spec
View File

@ -1,6 +1,6 @@
Name: libproxy Name: libproxy
Version: 0.4.15 Version: 0.4.15
Release: 16 Release: 17
Summary: Libproxy is a library that provides automatic proxy configuration management Summary: Libproxy is a library that provides automatic proxy configuration management
License: LGPLv2+ License: LGPLv2+
@ -18,6 +18,7 @@ Patch4: Fix-buffer-overflow-when-PAC-is-enabled.patch
Patch5: libproxy-0.4.15-mozjs60.patch Patch5: libproxy-0.4.15-mozjs60.patch
Patch6: libproxy-0.4.15-mozjs68.patch Patch6: libproxy-0.4.15-mozjs68.patch
Patch7: libproxy-0.4.15-mozjs-use-after-free.patch Patch7: libproxy-0.4.15-mozjs-use-after-free.patch
Patch8: libproxy-0.4.15-fix-CVE-2020-25219.patch
BuildRequires: cmake >= 2.6.0 gcc-c++ BuildRequires: cmake >= 2.6.0 gcc-c++
@ -127,6 +128,12 @@ make test
%{_mandir}/man1/proxy.1* %{_mandir}/man1/proxy.1*
%changelog %changelog
* Thu Oct 29 liuxin <liuxin264@huawei.com> - 0.4.15-17
- Type:cves
- Id:NA
- SUG:NA
- DESC:Disable mozjs backend by default and fix CVE-2020-25219
* Tue Oct 27 orange-snn <songnannan2@huawei.com> - 0.4.15-16 * Tue Oct 27 orange-snn <songnannan2@huawei.com> - 0.4.15-16
- change the mozjs52 to mozjs68 in buildRequires - change the mozjs52 to mozjs68 in buildRequires