mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
tinyproxy: patch CVE-2023-49606
Details https://nvd.nist.gov/vuln/detail/CVE-2023-49606 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
committed by
Gyorgy Sarvari
parent
95f680e0df
commit
7f8516d8db
@@ -0,0 +1,59 @@
|
|||||||
|
From 982a46347c5939e08ad659858b1ac32361d7ffb8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: rofl0r <rofl0r@users.noreply.github.com>
|
||||||
|
Date: Sun, 5 May 2024 10:37:29 +0000
|
||||||
|
Subject: [PATCH] CVE-2023-49606
|
||||||
|
|
||||||
|
fix potential UAF in header handling
|
||||||
|
|
||||||
|
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
|
||||||
|
|
||||||
|
this bug was brought to my attention today by the debian tinyproxy
|
||||||
|
package maintainer. the above link states that the issue was known
|
||||||
|
since last year and that maintainers have been contacted, but if
|
||||||
|
that is even true then it probably was done via a private email
|
||||||
|
to a potentially outdated email address of one of the maintainers,
|
||||||
|
not through the channels described clearly on the tinyproxy homepage:
|
||||||
|
|
||||||
|
> Feel free to report a new bug or suggest features via github issues.
|
||||||
|
> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.
|
||||||
|
|
||||||
|
no github issue was filed, and nobody mentioned a vulnerability on
|
||||||
|
the mentioned IRC chat. if the issue had been reported on github or
|
||||||
|
IRC, the bug would have been fixed within a day.
|
||||||
|
|
||||||
|
CVE: CVE-2023-49606
|
||||||
|
Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/12a8484265f7b00591293da492bb3c9987001956]
|
||||||
|
|
||||||
|
(cherry picked from commit 12a8484265f7b00591293da492bb3c9987001956)
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
src/reqs.c | 9 +++++++--
|
||||||
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/reqs.c b/src/reqs.c
|
||||||
|
index b865190..705ce11 100644
|
||||||
|
--- a/src/reqs.c
|
||||||
|
+++ b/src/reqs.c
|
||||||
|
@@ -779,7 +779,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
|
||||||
|
char *data;
|
||||||
|
char *ptr;
|
||||||
|
ssize_t len;
|
||||||
|
- int i;
|
||||||
|
+ int i,j,df;
|
||||||
|
|
||||||
|
for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
|
||||||
|
/* Look for the connection header. If it's not found, return. */
|
||||||
|
@@ -804,7 +804,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
|
||||||
|
*/
|
||||||
|
ptr = data;
|
||||||
|
while (ptr < data + len) {
|
||||||
|
- orderedmap_remove (hashofheaders, ptr);
|
||||||
|
+ df = 0;
|
||||||
|
+ /* check that ptr isn't one of headers to prevent
|
||||||
|
+ double-free (CVE-2023-49606) */
|
||||||
|
+ for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
|
||||||
|
+ if(!strcasecmp(ptr, headers[j])) df = 1;
|
||||||
|
+ if (!df) orderedmap_remove (hashofheaders, ptr);
|
||||||
|
|
||||||
|
/* Advance ptr to the next token */
|
||||||
|
ptr += strlen (ptr) + 1;
|
||||||
@@ -8,6 +8,7 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.gz
|
|||||||
file://tinyproxy.service \
|
file://tinyproxy.service \
|
||||||
file://tinyproxy.conf \
|
file://tinyproxy.conf \
|
||||||
file://CVE-2022-40468.patch \
|
file://CVE-2022-40468.patch \
|
||||||
|
file://0001-CVE-2023-49606.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "1574acf7ba83c703a89e98bb2758a4ed9fda456f092624b33cfcf0ce2d3b2047"
|
SRC_URI[sha256sum] = "1574acf7ba83c703a89e98bb2758a4ed9fda456f092624b33cfcf0ce2d3b2047"
|
||||||
|
|||||||
Reference in New Issue
Block a user