!43 【轻量级 PR】：Specification changelog date

From: @XWwalker 
Reviewed-by: @zengwefeng 
Signed-off-by: @zengwefeng

CVE-2020-25219-Rewrite-url-recvline-to-be-nonrecursive.patch

@@ -0,0 +1,60 @@
+From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Wed, 9 Sep 2020 11:12:02 -0500
+Subject: [PATCH] Rewrite url::recvline to be nonrecursive
+
+This function processes network input. It's semi-trusted, because the
+PAC ought to be trusted. But we still shouldn't allow it to control how
+far we recurse. A malicious PAC can cause us to overflow the stack by
+sending a sufficiently-long line without any '\n' character.
+
+Also, this function failed to properly handle EINTR, so let's fix that
+too, for good measure.
+
+Fixes #134
+---
+ libproxy/url.cpp | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..68d69cd 100644
+--- a/libproxy/url.cpp
++++ b/libproxy/url.cpp
+@@ -388,16 +388,24 @@ string url::to_string() const {
+ 	return m_orig;
+ }
+ 
+-static inline string recvline(int fd) {
+-	// Read a character.
+-	// If we don't get a character, return empty string.
+-	// If we are at the end of the line, return empty string.
+-	char c = '\0';
+-	
+-	if (recv(fd, &c, 1, 0) != 1 || c == '\n')
+-		return "";
+-
+-	return string(1, c) + recvline(fd);
++static string recvline(int fd) {
++	string line;
++	int ret;
++
++	// Reserve arbitrary amount of space to avoid small memory reallocations.
++	line.reserve(128);
++
++	do {
++		char c;
++		ret = recv(fd, &c, 1, 0);
++		if (ret == 1) {
++			if (c == '\n')
++				return line;
++			line += c;
++		}
++	} while (ret == 1 || (ret == -1 && errno == EINTR));
++
++	return line;
+ }
+ 
+ char* url::get_pac() {
+-- 
+1.8.3.1
+

backport-Fix-mismatched-new-delete-in-proxy.cpp.patch

@@ -0,0 +1,56 @@
+From 83cee994952ceb2ff4c818de78f7758c75549e3d Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Thu, 10 Sep 2020 14:57:37 -0500
+Subject: [PATCH] Fix mismatched new[]/delete[] in proxy.cpp
+
+Using the wrong delete operator is undefined behavior.
+
+All this manual new/delete really ought to be replaced by
+std::unique_ptr, but this will suffice for now.
+---
+ libproxy/proxy.cpp | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libproxy/proxy.cpp b/libproxy/proxy.cpp
+index 2d01d53..72d0039 100644
+--- a/libproxy/proxy.cpp
++++ b/libproxy/proxy.cpp
+@@ -244,7 +244,7 @@ void proxy_factory::check_network_topology() {
+ 			vector<wpad_extension*> wpads = this->mm.get_extensions<wpad_extension>();
+ 			for (vector<wpad_extension*>::iterator j=wpads.begin() ; j != wpads.end() ; j++)
+ 				(*j)->rewind();
+-			if (this->pac) delete this->pac;
++			if (this->pac) delete[] this->pac;
+ 			this->pac = NULL;
+ 			break;
+ 		}
+@@ -313,7 +313,7 @@ bool proxy_factory::expand_wpad(const url &confurl)
+ 		rtv = true;
+ 		/* If the config has just changed from PAC to WPAD, clear the PAC */
+ 		if (!this->wpad) {
+-			if (this->pac)    delete this->pac;
++			if (this->pac)    delete[] this->pac;
+ 			if (this->pacurl) delete this->pacurl;
+ 			this->pac    = NULL;
+ 			this->pacurl = NULL;
+@@ -381,7 +381,7 @@ bool proxy_factory::expand_pac(url &confurl)
+ 		if (this->pac) {
+ 			if (this->pacurl->to_string() != confurl.to_string()) {
+ 				delete this->pacurl;
+-				delete this->pac;
++				delete[] this->pac;
+ 				this->pacurl = NULL;
+ 				this->pac    = NULL;
+ 			}
+@@ -424,7 +424,7 @@ void proxy_factory::run_pac(url &realurl, const url &confurl, vector<string> &re
+ 
+ void proxy_factory::clear_cache() {
+ 	this->wpad = false;
+-	if (this->pac)    { delete this->pac;    this->pac = NULL; }
++	if (this->pac)    { delete[] this->pac;  this->pac = NULL; }
+ 	if (this->pacurl) { delete this->pacurl; this->pacurl = NULL; }
+ }
+ 
+-- 
+1.8.3.1
+

libproxy-0.4.15-mozjs52.patch

@@ -1,101 +0,0 @@
-From f594720280b2e40d81fa6e286a0ef8868687ef7e Mon Sep 17 00:00:00 2001
-From: Pierre Lejeune <superheron@gmail.com>
-Date: Sat, 30 Jun 2018 21:10:06 +0200
-Subject: [PATCH] Build with mozjs-52
-
-Fixes #71
----
- libproxy/cmake/modules/pacrunner_mozjs.cmk |  2 +-
- libproxy/modules/pacrunner_mozjs.cpp       | 19 +++++++------------
- 2 files changed, 8 insertions(+), 13 deletions(-)
-
-diff --git a/libproxy/cmake/modules/pacrunner_mozjs.cmk b/libproxy/cmake/modules/pacrunner_mozjs.cmk
-index c2ae3db..20857fb 100644
---- a/libproxy/cmake/modules/pacrunner_mozjs.cmk
-+++ b/libproxy/cmake/modules/pacrunner_mozjs.cmk
-@@ -9,7 +9,7 @@ if(WIN32)
- elseif(NOT APPLE)
-   option(WITH_MOZJS "Search for MOZJS package" ON)
-   if (WITH_MOZJS)
--    pkg_search_module(MOZJS mozjs-38)
-+    pkg_search_module(MOZJS mozjs-52)
-     if(MOZJS_FOUND)
-       include_directories(${MOZJS_INCLUDE_DIRS})
-       link_directories(${MOZJS_LIBRARY_DIRS})
-diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp
-index a70b2e9..ed07c69 100644
---- a/libproxy/modules/pacrunner_mozjs.cpp
-+++ b/libproxy/modules/pacrunner_mozjs.cpp
-@@ -35,6 +35,7 @@ using namespace libproxy;
- #pragma GCC diagnostic ignored "-Winvalid-offsetof"
- #include <jsapi.h>
- #pragma GCC diagnostic error "-Winvalid-offsetof"
-+#include <js/Initialization.h>
- #include <js/CallArgs.h>
- 
- #include "pacutils.h"
-@@ -111,17 +112,14 @@ class mozjs_pacrunner : public pacrunner {
- 	mozjs_pacrunner(string pac, const url& pacurl) throw (bad_alloc) : pacrunner(pac, pacurl) {
- 
- 		// Set defaults
--		this->jsrun = nullptr;
- 		this->jsctx = nullptr;
- 		JS_Init();
- 
--		// Initialize Javascript runtime environment
--		if (!(this->jsrun = JS_NewRuntime(1024 * 1024)))                  goto error;
--		if (!(this->jsctx = JS_NewContext(this->jsrun, 1024 * 1024)))     goto error;
-+		// Initialize Javascript context
-+		if (!(this->jsctx = JS_NewContext(1024 * 1024)))     goto error;
- 		{
- 			JS::RootedValue  rval(this->jsctx);
- 			JS::CompartmentOptions compart_opts;
--			compart_opts.setVersion(JSVERSION_LATEST);
- 
- 			this->jsglb = new JS::Heap<JSObject*>(JS_NewGlobalObject(
- 								  this->jsctx, &cls,
-@@ -139,16 +137,15 @@ class mozjs_pacrunner : public pacrunner {
- 			JS::CompileOptions options(this->jsctx);
- 			options.setUTF8(true);
- 
--			JS::Evaluate(this->jsctx, global, options, JAVASCRIPT_ROUTINES,
--				     strlen(JAVASCRIPT_ROUTINES), &rval);
-+			JS::Evaluate(this->jsctx, options, JAVASCRIPT_ROUTINES,
-+				     strlen(JAVASCRIPT_ROUTINES), JS::MutableHandleValue(&rval));
- 
- 			// Add PAC to the environment
--			JS::Evaluate(this->jsctx, global, options, pac.c_str(), pac.length(), &rval);
-+			JS::Evaluate(this->jsctx, options, pac.c_str(), pac.length(), JS::MutableHandleValue(&rval));
- 			return;
- 		}
- 		error:
- 			if (this->jsctx) JS_DestroyContext(this->jsctx);
--			if (this->jsrun) JS_DestroyRuntime(this->jsrun);
- 			throw bad_alloc();
- 	}
- 
-@@ -156,7 +153,6 @@ class mozjs_pacrunner : public pacrunner {
- 		if (this->jsac) delete this->jsac;
- 		if (this->jsglb) delete this->jsglb;
- 		if (this->jsctx) JS_DestroyContext(this->jsctx);
--		if (this->jsrun) JS_DestroyRuntime(this->jsrun);
- 		JS_ShutDown();
- 	}
- 
-@@ -178,7 +174,7 @@ class mozjs_pacrunner : public pacrunner {
- 		JS::RootedObject global(this->jsctx,this->jsglb->get());
- 		bool result = JS_CallFunctionName(this->jsctx, global, "FindProxyForURL", args, &rval);
- 		if (!result) return "";
--		
-+
- 		char * tmpanswer = JS_EncodeString(this->jsctx, rval.toString());
- 		string answer = string(tmpanswer);
- 		JS_free(this->jsctx, tmpanswer);
-@@ -188,7 +184,6 @@ class mozjs_pacrunner : public pacrunner {
- 	}
- 
- private:
--	JSRuntime *jsrun;
- 	JSContext *jsctx;
- 	JS::Heap<JSObject*> *jsglb;
- 	JSAutoCompartment *jsac;

libproxy.spec

@@ -1,6 +1,6 @@
 Name:           libproxy
 Version:        0.4.15
-Release:        15
+Release:        18
 Summary:        Libproxy is a library that provides automatic proxy configuration management
 
 License:        LGPLv2+
@@ -13,14 +13,15 @@ Patch0:         0001-Add-config-module-for-querying-PacRunner-d-mon.patch
 Patch1:         libproxy-0.4.11-crash.patch
 # Patch 2 and 3 are backported from upstream commuity
 Patch2:         libproxy-0.4.15-python3738.patch
-Patch3:         libproxy-0.4.15-mozjs52.patch
+Patch3:         Fix-buffer-overflow-when-PAC-is-enabled.patch 
-Patch4:         Fix-buffer-overflow-when-PAC-is-enabled.patch 
+Patch4:		backport-Fix-mismatched-new-delete-in-proxy.cpp.patch
+Patch5:		CVE-2020-25219-Rewrite-url-recvline-to-be-nonrecursive.patch
 
 BuildRequires:  cmake >= 2.6.0 gcc-c++
-BuildRequires:  pkgconfig(gio-2.0) >= 2.26 pkgconfig(mozjs-52) pkgconfig(libnm) python2-devel python3-devel
+BuildRequires:  pkgconfig(gio-2.0) >= 2.26 pkgconfig(libnm) python2-devel python3-devel
 BuildRequires:  pkgconfig(dbus-1) pkgconfig(javascriptcoregtk-4.0) 
 
-Provides:       %{name}-bin %{name}-gnome %{name}-kde %{name}-mozjs %{name}-networkmanager %{name}-pacrunner 
+Provides:       %{name}-bin %{name}-gnome %{name}-kde %{name}-networkmanager %{name}-pacrunner 
 Obsoletes:      %{name}-bin %{name}-gnome %{name}-kde %{name}-mozjs %{name}-networkmanager %{name}-pacrunner 
 
 %description
@@ -73,8 +74,9 @@ This package contains libraries and header files for developing applications.
 %build
 %{cmake} \
   -DMODULE_INSTALL_DIR=%{_libdir}/%{name}/%{version}/modules \
+  -DBIPR=OFF \
   -DWITH_PERL=OFF -DWITH_GNOME3=ON -DWITH_PYTHON2=ON -DPYTHON2_EXECUTABLE=%{__python2} \
-  -DWITH_PYTHON3=ON -DWITH_WEBKIT3=ON -DWITH_MOZJS=ON .
+  -DWITH_PYTHON3=ON -DWITH_WEBKIT3=ON -DWITH_MOZJS=OFF .
 %make_build
 
 %install
@@ -123,13 +125,31 @@ make test
 %{_mandir}/man1/proxy.1*
 
 %changelog
-* Mon Nov 9 gaihuiying <gaihuiying1@huawei.com> - 0.4.15-15
+* Thu Jul 14 2022 zhouyihang <zhouyihang3@h-partners.com> - 0.4.15-18
+- Type:cves
+- CVE:CVE-2020-25219
+- SUG:NA
+- DESC:fix CVE-2020-25219
+
+* Tue May 25 2021 xinghe <xinghe2@huawei.com> - 0.4.15-17
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:delete mozjs-52 dependency 
+
+* Mon Mar 29 2021 yuboyun <yuboyun@huawei.com> - 0.4.15-16
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Fix mismatched new[]/delete[] in proxy.cpp
+
+* Mon Nov 09 2020 gaihuiying <gaihuiying1@huawei.com> - 0.4.15-15
 - Type:bugfix
 - Id:NA
 - SUG:NA
 - DESC:drop dependency of libmodman
 
-* Tue Oct 20 hanzhijun <hanzhijun1@huawei.com> - 0.4.15-14
+* Tue Oct 20 2020 hanzhijun <hanzhijun1@huawei.com> - 0.4.15-14
 - Type:cves
 - Id:NA
 - SUG:NA