fix CVE-2020-25219
(cherry picked from commit 1b26a18af7c31a81c7197d5a9d7431fd327676bf)
This commit is contained in:
sherlock2010
openeuler-sync-bot
parent
7caed36273
commit
4567bfeb53
60
CVE-2020-25219-Rewrite-url-recvline-to-be-nonrecursive.patch
Normal file
60
CVE-2020-25219-Rewrite-url-recvline-to-be-nonrecursive.patch
Normal file
@ -0,0 +1,60 @@
|
||||
From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Catanzaro <mcatanzaro@gnome.org>
|
||||
Date: Wed, 9 Sep 2020 11:12:02 -0500
|
||||
Subject: [PATCH] Rewrite url::recvline to be nonrecursive
|
||||
|
||||
This function processes network input. It's semi-trusted, because the
|
||||
PAC ought to be trusted. But we still shouldn't allow it to control how
|
||||
far we recurse. A malicious PAC can cause us to overflow the stack by
|
||||
sending a sufficiently-long line without any '\n' character.
|
||||
|
||||
Also, this function failed to properly handle EINTR, so let's fix that
|
||||
too, for good measure.
|
||||
|
||||
Fixes #134
|
||||
---
|
||||
libproxy/url.cpp | 28 ++++++++++++++++++----------
|
||||
1 file changed, 18 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
|
||||
index ee776b2..68d69cd 100644
|
||||
--- a/libproxy/url.cpp
|
||||
+++ b/libproxy/url.cpp
|
||||
@@ -388,16 +388,24 @@ string url::to_string() const {
|
||||
return m_orig;
|
||||
}
|
||||
|
||||
-static inline string recvline(int fd) {
|
||||
- // Read a character.
|
||||
- // If we don't get a character, return empty string.
|
||||
- // If we are at the end of the line, return empty string.
|
||||
- char c = '\0';
|
||||
-
|
||||
- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
|
||||
- return "";
|
||||
-
|
||||
- return string(1, c) + recvline(fd);
|
||||
+static string recvline(int fd) {
|
||||
+ string line;
|
||||
+ int ret;
|
||||
+
|
||||
+ // Reserve arbitrary amount of space to avoid small memory reallocations.
|
||||
+ line.reserve(128);
|
||||
+
|
||||
+ do {
|
||||
+ char c;
|
||||
+ ret = recv(fd, &c, 1, 0);
|
||||
+ if (ret == 1) {
|
||||
+ if (c == '\n')
|
||||
+ return line;
|
||||
+ line += c;
|
||||
+ }
|
||||
+ } while (ret == 1 || (ret == -1 && errno == EINTR));
|
||||
+
|
||||
+ return line;
|
||||
}
|
||||
|
||||
char* url::get_pac() {
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: libproxy
|
||||
Version: 0.4.15
|
||||
Release: 17
|
||||
Release: 18
|
||||
Summary: Libproxy is a library that provides automatic proxy configuration management
|
||||
|
||||
License: LGPLv2+
|
||||
@ -15,6 +15,7 @@ Patch1: libproxy-0.4.11-crash.patch
|
||||
Patch2: libproxy-0.4.15-python3738.patch
|
||||
Patch3: Fix-buffer-overflow-when-PAC-is-enabled.patch
|
||||
Patch4: backport-Fix-mismatched-new-delete-in-proxy.cpp.patch
|
||||
Patch5: CVE-2020-25219-Rewrite-url-recvline-to-be-nonrecursive.patch
|
||||
|
||||
BuildRequires: cmake >= 2.6.0 gcc-c++
|
||||
BuildRequires: pkgconfig(gio-2.0) >= 2.26 pkgconfig(libnm) python2-devel python3-devel
|
||||
@ -124,6 +125,12 @@ make test
|
||||
%{_mandir}/man1/proxy.1*
|
||||
|
||||
%changelog
|
||||
* Thu Jul 14 2022 zhouyihang <zhouyihang3@h-partners.com> - 0.4.15-18
|
||||
- Type:cves
|
||||
- CVE:CVE-2020-25219
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2020-25219
|
||||
|
||||
* Tue May 25 xinghe <xinghe2@huawei.com> - 0.4.15-17
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user