

No commits in common. "caa4e5066d885383545c873905ccb0b69a3f636f" and "0e6f65637c9a494c044f14debeecf75e8e893830" have entirely different histories.

4 changed files with 109 additions and 144 deletions


@ -1,60 +0,0 @@
From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@gnome.org>
Date: Wed, 9 Sep 2020 11:12:02 -0500
Subject: [PATCH] Rewrite url::recvline to be nonrecursive
This function processes network input. It's semi-trusted, because the
PAC ought to be trusted. But we still shouldn't allow it to control how
far we recurse. A malicious PAC can cause us to overflow the stack by
sending a sufficiently-long line without any '\n' character.
Also, this function failed to properly handle EINTR, so let's fix that
too, for good measure.
Fixes #134
---
libproxy/url.cpp | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
index ee776b2..68d69cd 100644
--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
@@ -388,16 +388,24 @@ string url::to_string() const {
return m_orig;
}
-static inline string recvline(int fd) {
- // Read a character.
- // If we don't get a character, return empty string.
- // If we are at the end of the line, return empty string.
- char c = '\0';
-
- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
- return "";
-
- return string(1, c) + recvline(fd);
+static string recvline(int fd) {
+ string line;
+ int ret;
+
+ // Reserve arbitrary amount of space to avoid small memory reallocations.
+ line.reserve(128);
+
+ do {
+ char c;
+ ret = recv(fd, &c, 1, 0);
+ if (ret == 1) {
+ if (c == '\n')
+ return line;
+ line += c;
+ }
+ } while (ret == 1 || (ret == -1 && errno == EINTR));
+
+ return line;
}
char* url::get_pac() {
--
1.8.3.1


@ -1,56 +0,0 @@
From 83cee994952ceb2ff4c818de78f7758c75549e3d Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@gnome.org>
Date: Thu, 10 Sep 2020 14:57:37 -0500
Subject: [PATCH] Fix mismatched new[]/delete[] in proxy.cpp
Using the wrong delete operator is undefined behavior.
All this manual new/delete really ought to be replaced by
std::unique_ptr, but this will suffice for now.
---
libproxy/proxy.cpp | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libproxy/proxy.cpp b/libproxy/proxy.cpp
index 2d01d53..72d0039 100644
--- a/libproxy/proxy.cpp
+++ b/libproxy/proxy.cpp
@@ -244,7 +244,7 @@ void proxy_factory::check_network_topology() {
vector<wpad_extension*> wpads = this->mm.get_extensions<wpad_extension>();
for (vector<wpad_extension*>::iterator j=wpads.begin() ; j != wpads.end() ; j++)
(*j)->rewind();
- if (this->pac) delete this->pac;
+ if (this->pac) delete[] this->pac;
this->pac = NULL;
break;
}
@@ -313,7 +313,7 @@ bool proxy_factory::expand_wpad(const url &confurl)
rtv = true;
/* If the config has just changed from PAC to WPAD, clear the PAC */
if (!this->wpad) {
- if (this->pac) delete this->pac;
+ if (this->pac) delete[] this->pac;
if (this->pacurl) delete this->pacurl;
this->pac = NULL;
this->pacurl = NULL;
@@ -381,7 +381,7 @@ bool proxy_factory::expand_pac(url &confurl)
if (this->pac) {
if (this->pacurl->to_string() != confurl.to_string()) {
delete this->pacurl;
- delete this->pac;
+ delete[] this->pac;
this->pacurl = NULL;
this->pac = NULL;
}
@@ -424,7 +424,7 @@ void proxy_factory::run_pac(url &realurl, const url &confurl, vector<string> &re
void proxy_factory::clear_cache() {
this->wpad = false;
- if (this->pac) { delete this->pac; this->pac = NULL; }
+ if (this->pac) { delete[] this->pac; this->pac = NULL; }
if (this->pacurl) { delete this->pacurl; this->pacurl = NULL; }
}
--
1.8.3.1


@ -0,0 +1,101 @@
From f594720280b2e40d81fa6e286a0ef8868687ef7e Mon Sep 17 00:00:00 2001
From: Pierre Lejeune <superheron@gmail.com>
Date: Sat, 30 Jun 2018 21:10:06 +0200
Subject: [PATCH] Build with mozjs-52
Fixes #71
---
libproxy/cmake/modules/pacrunner_mozjs.cmk | 2 +-
libproxy/modules/pacrunner_mozjs.cpp | 19 +++++++------------
2 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/libproxy/cmake/modules/pacrunner_mozjs.cmk b/libproxy/cmake/modules/pacrunner_mozjs.cmk
index c2ae3db..20857fb 100644
--- a/libproxy/cmake/modules/pacrunner_mozjs.cmk
+++ b/libproxy/cmake/modules/pacrunner_mozjs.cmk
@@ -9,7 +9,7 @@ if(WIN32)
elseif(NOT APPLE)
option(WITH_MOZJS "Search for MOZJS package" ON)
if (WITH_MOZJS)
- pkg_search_module(MOZJS mozjs-38)
+ pkg_search_module(MOZJS mozjs-52)
if(MOZJS_FOUND)
include_directories(${MOZJS_INCLUDE_DIRS})
link_directories(${MOZJS_LIBRARY_DIRS})
diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp
index a70b2e9..ed07c69 100644
--- a/libproxy/modules/pacrunner_mozjs.cpp
+++ b/libproxy/modules/pacrunner_mozjs.cpp
@@ -35,6 +35,7 @@ using namespace libproxy;
#pragma GCC diagnostic ignored "-Winvalid-offsetof"
#include <jsapi.h>
#pragma GCC diagnostic error "-Winvalid-offsetof"
+#include <js/Initialization.h>
#include <js/CallArgs.h>
#include "pacutils.h"
@@ -111,17 +112,14 @@ class mozjs_pacrunner : public pacrunner {
mozjs_pacrunner(string pac, const url& pacurl) throw (bad_alloc) : pacrunner(pac, pacurl) {
// Set defaults
- this->jsrun = nullptr;
this->jsctx = nullptr;
JS_Init();
- // Initialize Javascript runtime environment
- if (!(this->jsrun = JS_NewRuntime(1024 * 1024))) goto error;
- if (!(this->jsctx = JS_NewContext(this->jsrun, 1024 * 1024))) goto error;
+ // Initialize Javascript context
+ if (!(this->jsctx = JS_NewContext(1024 * 1024))) goto error;
{
JS::RootedValue rval(this->jsctx);
JS::CompartmentOptions compart_opts;
- compart_opts.setVersion(JSVERSION_LATEST);
this->jsglb = new JS::Heap<JSObject*>(JS_NewGlobalObject(
this->jsctx, &cls,
@@ -139,16 +137,15 @@ class mozjs_pacrunner : public pacrunner {
JS::CompileOptions options(this->jsctx);
options.setUTF8(true);
- JS::Evaluate(this->jsctx, global, options, JAVASCRIPT_ROUTINES,
- strlen(JAVASCRIPT_ROUTINES), &rval);
+ JS::Evaluate(this->jsctx, options, JAVASCRIPT_ROUTINES,
+ strlen(JAVASCRIPT_ROUTINES), JS::MutableHandleValue(&rval));
// Add PAC to the environment
- JS::Evaluate(this->jsctx, global, options, pac.c_str(), pac.length(), &rval);
+ JS::Evaluate(this->jsctx, options, pac.c_str(), pac.length(), JS::MutableHandleValue(&rval));
return;
}
error:
if (this->jsctx) JS_DestroyContext(this->jsctx);
- if (this->jsrun) JS_DestroyRuntime(this->jsrun);
throw bad_alloc();
}
@@ -156,7 +153,6 @@ class mozjs_pacrunner : public pacrunner {
if (this->jsac) delete this->jsac;
if (this->jsglb) delete this->jsglb;
if (this->jsctx) JS_DestroyContext(this->jsctx);
- if (this->jsrun) JS_DestroyRuntime(this->jsrun);
JS_ShutDown();
}
@@ -178,7 +174,7 @@ class mozjs_pacrunner : public pacrunner {
JS::RootedObject global(this->jsctx,this->jsglb->get());
bool result = JS_CallFunctionName(this->jsctx, global, "FindProxyForURL", args, &rval);
if (!result) return "";
-
+
char * tmpanswer = JS_EncodeString(this->jsctx, rval.toString());
string answer = string(tmpanswer);
JS_free(this->jsctx, tmpanswer);
@@ -188,7 +184,6 @@ class mozjs_pacrunner : public pacrunner {
}
private:
- JSRuntime *jsrun;
JSContext *jsctx;
JS::Heap<JSObject*> *jsglb;
JSAutoCompartment *jsac;
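Review bot: The rewritten `JS::Evaluate` calls in the embedded `@@ -139,16 +137,15 @@` hunk still discard the bool result, so a PAC script that fails to parse or throws while being evaluated leaves the constructor succeeding with a global that has no usable `FindProxyForURL`; the failure only surfaces later when `JS_CallFunctionName` returns false and the caller gets an empty string. Since the constructor already has an `error:` label, the PAC evaluation could become `if (!JS::Evaluate(this->jsctx, options, pac.c_str(), pac.length(), JS::MutableHandleValue(&rval))) goto error;`, although that path throws `bad_alloc`, which misdescribes a script error, so a more specific exception would read better. Both calls were equally unchecked before this patch, so the gap is inherited rather than introduced, but these lines are rewritten here anyway. The constructor body is only partly visible because the embedded hunks cut through it.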


@ -1,6 +1,6 @@
Name: libproxy
Version: 0.4.15
Release: 18
Release: 15
Summary: Libproxy is a library that provides automatic proxy configuration management
License: LGPLv2+
@ -13,15 +13,14 @@ Patch0: 0001-Add-config-module-for-querying-PacRunner-d-mon.patch
Patch1: libproxy-0.4.11-crash.patch
# Patch 2 and 3 are backported from upstream commuity
Patch2: libproxy-0.4.15-python3738.patch
Patch3: Fix-buffer-overflow-when-PAC-is-enabled.patch
Patch4: backport-Fix-mismatched-new-delete-in-proxy.cpp.patch
Patch5: CVE-2020-25219-Rewrite-url-recvline-to-be-nonrecursive.patch
Patch3: libproxy-0.4.15-mozjs52.patch
Patch4: Fix-buffer-overflow-when-PAC-is-enabled.patch
BuildRequires: cmake >= 2.6.0 gcc-c++
BuildRequires: pkgconfig(gio-2.0) >= 2.26 pkgconfig(libnm) python2-devel python3-devel
BuildRequires: pkgconfig(gio-2.0) >= 2.26 pkgconfig(mozjs-52) pkgconfig(libnm) python2-devel python3-devel
BuildRequires: pkgconfig(dbus-1) pkgconfig(javascriptcoregtk-4.0)
Provides: %{name}-bin %{name}-gnome %{name}-kde %{name}-networkmanager %{name}-pacrunner
Provides: %{name}-bin %{name}-gnome %{name}-kde %{name}-mozjs %{name}-networkmanager %{name}-pacrunner
Obsoletes: %{name}-bin %{name}-gnome %{name}-kde %{name}-mozjs %{name}-networkmanager %{name}-pacrunner
%description
@ -74,9 +73,8 @@ This package contains libraries and header files for developing applications.
%build
%{cmake} \
-DMODULE_INSTALL_DIR=%{_libdir}/%{name}/%{version}/modules \
-DBIPR=OFF \
-DWITH_PERL=OFF -DWITH_GNOME3=ON -DWITH_PYTHON2=ON -DPYTHON2_EXECUTABLE=%{__python2} \
-DWITH_PYTHON3=ON -DWITH_WEBKIT3=ON -DWITH_MOZJS=OFF .
-DWITH_PYTHON3=ON -DWITH_WEBKIT3=ON -DWITH_MOZJS=ON .
%make_build
%install
@ -125,31 +123,13 @@ make test
%{_mandir}/man1/proxy.1*
%changelog
* Thu Jul 14 2022 zhouyihang <zhouyihang3@h-partners.com> - 0.4.15-18
- Type:cves
- CVE:CVE-2020-25219
- SUG:NA
- DESC:fix CVE-2020-25219
* Tue May 25 2021 xinghe <xinghe2@huawei.com> - 0.4.15-17
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:delete mozjs-52 dependency
* Mon Mar 29 2021 yuboyun <yuboyun@huawei.com> - 0.4.15-16
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:Fix mismatched new[]/delete[] in proxy.cpp
* Mon Nov 09 2020 gaihuiying <gaihuiying1@huawei.com> - 0.4.15-15
* Mon Nov 9 gaihuiying <gaihuiying1@huawei.com> - 0.4.15-15
- Type:bugfix
- Id:NA
- SUG:NA
- DESC:drop dependency of libmodman
* Tue Oct 20 2020 hanzhijun <hanzhijun1@huawei.com> - 0.4.15-14
* Tue Oct 20 hanzhijun <hanzhijun1@huawei.com> - 0.4.15-14
- Type:cves
- Id:NA
- SUG:NA