tinyproxy: patch CVE-2026-3945

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3945 Backport the patches which are references by the NVD avisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-05-07 05:10:20 +00:00 · 2026-04-06 17:50:43 +02:00
parent d8c66c4428
commit c789281ecf
3 changed files with 62 additions and 0 deletions
--- a/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-1.patch
+++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-1.patch
@@ -0,0 +1,29 @@
+From 245946bb789c8fc0e4758c344f735a5d53827dce Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Thu, 12 Mar 2026 14:26:24 +0000
+Subject: [PATCH] reqs: check negative length values when reading chunked data
+
+this could lead to a DoS when a legitimate client reads from an
+attacker-controlled web server.
+
+closes #597
+
+CVE: CVE-2026-3945
+Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/969852ccdb1d19d7ed302f0e1d324661be641e0a]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/reqs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index a562c68..94ce767 100644
+--- a/src/reqs.c
+++ b/src/reqs.c
+@@ -613,6 +613,7 @@ static int pull_client_data_chunked (struct conn_s *connptr) {
+                 }
+ 
+                 chunklen = strtol (buffer, (char**)0, 16);
+                if (chunklen < 0) goto ERROR_EXIT;
+ 
+                 if (pull_client_data (connptr, chunklen+2, 0) < 0)
+                         goto ERROR_EXIT;
--- a/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-2.patch
+++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-2.patch
@@ -0,0 +1,31 @@
+From 8f12872b8e50fe22be0a65ead260ebbedde905cd Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Sun, 29 Mar 2026 16:48:54 +0200
+Subject: [PATCH] reqs: prevent potential int overflow when parsing chunked
+ data (#603)
+
+follow-up to 969852ccdb1d19d7ed302f0e1d324661be641e0a
+
+closes #602
+
+CVE: CVE-2026-3945
+Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/bb7edc4778041b3bc8ad7fca448b67d98039cc7d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/reqs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index 94ce767..7aacfd3 100644
+--- a/src/reqs.c
+++ b/src/reqs.c
+@@ -613,7 +613,8 @@ static int pull_client_data_chunked (struct conn_s *connptr) {
+                 }
+ 
+                 chunklen = strtol (buffer, (char**)0, 16);
+-                if (chunklen < 0) goto ERROR_EXIT;
+                /* prevent negative or huge values causing overflow */
+                if (chunklen < 0 || chunklen > 0x0fffffff) goto ERROR_EXIT;
+ 
+                 if (pull_client_data (connptr, chunklen+2, 0) < 0)
+                         goto ERROR_EXIT;
--- a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb
+++ b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb
@@ -7,6 +7,8 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.gz
           file://tinyproxy.service \
           file://tinyproxy.conf \
           file://run-ptest \
+           file://CVE-2026-3945-1.patch \
+           file://CVE-2026-3945-2.patch \
           "

 SRC_URI[sha256sum] = "9bcf46db1a2375ff3e3d27a41982f1efec4706cce8899ff9f33323a8218f7592"