* [PATCH 1/4] libproxy: fix CVE-2020-26154
@ 2020-11-18 13:22 Lee Chee Yang
2020-11-18 13:22 ` [PATCH 2/4] python3: fix CVE-2020-27619 Lee Chee Yang
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Lee Chee Yang @ 2020-11-18 13:22 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
.../libproxy/libproxy/CVE-2020-26154.patch | 98 +++++++++++++++++++
.../libproxy/libproxy_0.4.15.bb | 1 +
2 files changed, 99 insertions(+)
create mode 100644 meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
new file mode 100644
index 0000000000..0ccb99da81
--- /dev/null
+++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
@@ -0,0 +1,98 @@
+From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
+From: Fei Li <lifeibiren@gmail.com>
+Date: Fri, 17 Jul 2020 02:18:37 +0800
+Subject: [PATCH] Fix buffer overflow when PAC is enabled
+
+The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
+out to be the large PAC file (more than 102400 bytes) returned by a
+local proxy program with no content-length present.
+
+Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8]
+CVE: CVE-2020-26154
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 31 insertions(+), 13 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..8684086 100644
+--- a/libproxy/url.cpp
++++ b/libproxy/url.cpp
+@@ -54,7 +54,7 @@ using namespace std;
+ #define PAC_MIME_TYPE_FB "text/plain"
+
+ // This is the maximum pac size (to avoid memory attacks)
+-#define PAC_MAX_SIZE 102400
++#define PAC_MAX_SIZE 0x800000
+ // This is the default block size to use when receiving via HTTP
+ #define PAC_HTTP_BLOCK_SIZE 512
+
+@@ -478,15 +478,13 @@ char* url::get_pac() {
+ }
+
+ // Get content
+- unsigned int recvd = 0;
+- buffer = new char[PAC_MAX_SIZE];
+- memset(buffer, 0, PAC_MAX_SIZE);
++ std::vector<char> dynamic_buffer;
+ do {
+ unsigned int chunk_length;
+
+ if (chunked) {
+ // Discard the empty line if we received a previous chunk
+- if (recvd > 0) recvline(sock);
++ if (!dynamic_buffer.empty()) recvline(sock);
+
+ // Get the chunk-length line as an integer
+ if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
+@@ -498,21 +496,41 @@ char* url::get_pac() {
+
+ if (content_length >= PAC_MAX_SIZE) break;
+
+- while (content_length == 0 || recvd != content_length) {
+- int r = recv(sock, buffer + recvd,
+- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
+- : content_length - recvd, 0);
++ while (content_length == 0 || dynamic_buffer.size() != content_length) {
++ // Calculate length to recv
++ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
++ if (content_length > 0)
++ length_to_read = content_length - dynamic_buffer.size();
++
++ // Prepare buffer
++ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
++
++ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
++
++ // Shrink buffer to fit
++ if (r >= 0)
++ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
++
++ // PAC size too large, discard
++ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
++ chunked = false;
++ dynamic_buffer.clear();
++ break;
++ }
++
+ if (r <= 0) {
+ chunked = false;
+ break;
+ }
+- recvd += r;
+ }
+ } while (chunked);
+
+- if (content_length != 0 && string(buffer).size() != content_length) {
+- delete[] buffer;
+- buffer = NULL;
++ if (content_length == 0 || content_length == dynamic_buffer.size()) {
++ buffer = new char[dynamic_buffer.size() + 1];
++ if (!dynamic_buffer.empty()) {
++ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
++ }
++ buffer[dynamic_buffer.size()] = '\0';
+ }
+ }
+
diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
index a14c358cc2..6f704d7a91 100644
--- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -11,6 +11,7 @@ DEPENDS = "glib-2.0"
SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
file://CVE-2020-25219.patch \
+ file://CVE-2020-26154.patch \
"
SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"
--
2.17.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/4] python3: fix CVE-2020-27619
2020-11-18 13:22 [PATCH 1/4] libproxy: fix CVE-2020-26154 Lee Chee Yang
@ 2020-11-18 13:22 ` Lee Chee Yang
2020-11-18 13:22 ` [PATCH 3/4] python3: whitelist CVE-2020-15523 Lee Chee Yang
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Lee Chee Yang @ 2020-11-18 13:22 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
.../python/python3/CVE-2020-27619.patch | 69 +++++++++++++++++++
meta/recipes-devtools/python/python3_3.9.0.bb | 1 +
2 files changed, 70 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2020-27619.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch b/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
new file mode 100644
index 0000000000..b2053e7a47
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
@@ -0,0 +1,69 @@
+From b664a1df4ee71d3760ab937653b10997081b1794 Mon Sep 17 00:00:00 2001
+From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com>
+Date: Tue, 6 Oct 2020 05:37:36 -0700
+Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP
+ in the CJK codec tests (GH-22566)
+
+(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/b664a1df4ee71d3760ab937653b10997081b1794]
+CVE: CVE-2020-27619
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ Lib/test/multibytecodec_support.py | 22 +++++++------------
+ .../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst | 1 +
+ 2 files changed, 9 insertions(+), 14 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
+
+diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py
+index cca8af67d6d1d..f76c0153f5ecf 100644
+--- a/Lib/test/multibytecodec_support.py
++++ b/Lib/test/multibytecodec_support.py
+@@ -305,29 +305,23 @@ def test_mapping_file(self):
+ self._test_mapping_file_plain()
+
+ def _test_mapping_file_plain(self):
+- unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+'))))
++ def unichrs(s):
++ return ''.join(chr(int(x, 16)) for x in s.split('+'))
++
+ urt_wa = {}
+
+ with self.open_mapping_file() as f:
+ for line in f:
+ if not line:
+ break
+- data = line.split('#')[0].strip().split()
++ data = line.split('#')[0].split()
+ if len(data) != 2:
+ continue
+
+- csetval = eval(data[0])
+- if csetval <= 0x7F:
+- csetch = bytes([csetval & 0xff])
+- elif csetval >= 0x1000000:
+- csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff),
+- ((csetval >> 8) & 0xff), (csetval & 0xff)])
+- elif csetval >= 0x10000:
+- csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff),
+- (csetval & 0xff)])
+- elif csetval >= 0x100:
+- csetch = bytes([(csetval >> 8), (csetval & 0xff)])
+- else:
++ if data[0][:2] != '0x':
++ self.fail(f"Invalid line: {line!r}")
++ csetch = bytes.fromhex(data[0][2:])
++ if len(csetch) == 1 and 0x80 <= csetch[0]:
+ continue
+
+ unich = unichrs(data[1])
+diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
+new file mode 100644
+index 0000000000000..4f9782f1c85af
+--- /dev/null
++++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
+@@ -0,0 +1 @@
++Tests for CJK codecs no longer call ``eval()`` on content received via HTTP.
diff --git a/meta/recipes-devtools/python/python3_3.9.0.bb b/meta/recipes-devtools/python/python3_3.9.0.bb
index 8fe60ea016..ae9a974f04 100644
--- a/meta/recipes-devtools/python/python3_3.9.0.bb
+++ b/meta/recipes-devtools/python/python3_3.9.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Makefile-do-not-compile-.pyc-in-parallel.patch \
file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
file://0001-Lib-sysconfig.py-use-libdir-values-from-configuratio.patch \
+ file://CVE-2020-27619.patch \
"
SRC_URI_append_class-native = " \
--
2.17.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/4] python3: whitelist CVE-2020-15523
2020-11-18 13:22 [PATCH 1/4] libproxy: fix CVE-2020-26154 Lee Chee Yang
2020-11-18 13:22 ` [PATCH 2/4] python3: fix CVE-2020-27619 Lee Chee Yang
@ 2020-11-18 13:22 ` Lee Chee Yang
2020-11-18 13:22 ` [PATCH 4/4] qemu: fix CVE-2020-24352 Lee Chee Yang
2020-11-18 14:44 ` [OE-core] [PATCH 1/4] libproxy: fix CVE-2020-26154 Steve Sakoman
3 siblings, 0 replies; 6+ messages in thread
From: Lee Chee Yang @ 2020-11-18 13:22 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
This CVE is issue on _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath.
Since it is .dll issue (on windows only), hence whitelist it.
https://bugs.python.org/issue29778
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
meta/recipes-devtools/python/python3_3.9.0.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-devtools/python/python3_3.9.0.bb b/meta/recipes-devtools/python/python3_3.9.0.bb
index ae9a974f04..d29a779a81 100644
--- a/meta/recipes-devtools/python/python3_3.9.0.bb
+++ b/meta/recipes-devtools/python/python3_3.9.0.bb
@@ -49,6 +49,9 @@ CVE_PRODUCT = "python"
# This is not exploitable when glibc has CVE-2016-10739 fixed.
CVE_CHECK_WHITELIST += "CVE-2019-18348"
+# This is windows only issue.
+CVE_CHECK_WHITELIST += "CVE-2020-15523"
+
PYTHON_MAJMIN = "3.9"
S = "${WORKDIR}/Python-${PV}"
--
2.17.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 4/4] qemu: fix CVE-2020-24352
2020-11-18 13:22 [PATCH 1/4] libproxy: fix CVE-2020-26154 Lee Chee Yang
2020-11-18 13:22 ` [PATCH 2/4] python3: fix CVE-2020-27619 Lee Chee Yang
2020-11-18 13:22 ` [PATCH 3/4] python3: whitelist CVE-2020-15523 Lee Chee Yang
@ 2020-11-18 13:22 ` Lee Chee Yang
2020-11-18 14:44 ` [OE-core] [PATCH 1/4] libproxy: fix CVE-2020-26154 Steve Sakoman
3 siblings, 0 replies; 6+ messages in thread
From: Lee Chee Yang @ 2020-11-18 13:22 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2020-24352.patch | 52 +++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 84f600cec0..11be545cb5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -32,6 +32,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://find_datadir.patch \
file://usb-fix-setup_len-init.patch \
file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
+ file://CVE-2020-24352.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
new file mode 100644
index 0000000000..861ff6c3b0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24352.patch
@@ -0,0 +1,52 @@
+From ca1f9cbfdce4d63b10d57de80fef89a89d92a540 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 21 Oct 2020 16:08:18 +0530
+Subject: [PATCH 1/1] ati: check x y display parameter values
+
+The source and destination x,y display parameters in ati_2d_blt()
+may run off the vga limits if either of s->regs.[src|dst]_[xy] is
+zero. Check the parameter values to avoid potential crash.
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20201021103818.1704030-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ca1f9cbfdce4d63b10d57de80fef89a89d92a540;hp=2ddafce7f797082ad216657c830afd4546f16e37 ]
+CVE: CVE-2020-24352
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/ati_2d.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 23a8ae0..4dc10ea 100644
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s)
+ dst_stride *= bpp;
+ }
+ uint8_t *end = s->vga.vram_ptr + s->vga.vram_size;
+- if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) *
+- dst_stride >= end) {
++ if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end
++ || dst_bits + dst_x
++ + (dst_y + s->regs.dst_height) * dst_stride >= end) {
+ qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+ return;
+ }
+@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s)
+ src_bits += s->regs.crtc_offset & 0x07ffffff;
+ src_stride *= bpp;
+ }
+- if (src_bits >= end || src_bits + src_x +
+- (src_y + s->regs.dst_height) * src_stride >= end) {
++ if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end
++ || src_bits + src_x
++ + (src_y + s->regs.dst_height) * src_stride >= end) {
+ qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
+ return;
+ }
+--
+1.8.3.1
+
--
2.17.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [OE-core] [PATCH 1/4] libproxy: fix CVE-2020-26154
2020-11-18 13:22 [PATCH 1/4] libproxy: fix CVE-2020-26154 Lee Chee Yang
` (2 preceding siblings ...)
2020-11-18 13:22 ` [PATCH 4/4] qemu: fix CVE-2020-24352 Lee Chee Yang
@ 2020-11-18 14:44 ` Steve Sakoman
2020-11-19 0:28 ` Lee Chee Yang
3 siblings, 1 reply; 6+ messages in thread
From: Steve Sakoman @ 2020-11-18 14:44 UTC (permalink / raw)
To: Lee Chee Yang; +Cc: Patches and discussions about the oe-core layer
Thanks for helping with CVE fixes!
This first patch is also appropriate for dunfell, so I will
cherry-pick it when it hits master.
Do you plan to do dunfell versions of the other 3 patches?
Steve
On Wed, Nov 18, 2020 at 3:22 AM Lee Chee Yang <chee.yang.lee@intel.com> wrote:
>
> From: Lee Chee Yang <chee.yang.lee@intel.com>
>
> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
> ---
> .../libproxy/libproxy/CVE-2020-26154.patch | 98 +++++++++++++++++++
> .../libproxy/libproxy_0.4.15.bb | 1 +
> 2 files changed, 99 insertions(+)
> create mode 100644 meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
>
> diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
> new file mode 100644
> index 0000000000..0ccb99da81
> --- /dev/null
> +++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
> @@ -0,0 +1,98 @@
> +From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
> +From: Fei Li <lifeibiren@gmail.com>
> +Date: Fri, 17 Jul 2020 02:18:37 +0800
> +Subject: [PATCH] Fix buffer overflow when PAC is enabled
> +
> +The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
> +out to be the large PAC file (more than 102400 bytes) returned by a
> +local proxy program with no content-length present.
> +
> +Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8]
> +CVE: CVE-2020-26154
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +
> +---
> + libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
> + 1 file changed, 31 insertions(+), 13 deletions(-)
> +
> +diff --git a/libproxy/url.cpp b/libproxy/url.cpp
> +index ee776b2..8684086 100644
> +--- a/libproxy/url.cpp
> ++++ b/libproxy/url.cpp
> +@@ -54,7 +54,7 @@ using namespace std;
> + #define PAC_MIME_TYPE_FB "text/plain"
> +
> + // This is the maximum pac size (to avoid memory attacks)
> +-#define PAC_MAX_SIZE 102400
> ++#define PAC_MAX_SIZE 0x800000
> + // This is the default block size to use when receiving via HTTP
> + #define PAC_HTTP_BLOCK_SIZE 512
> +
> +@@ -478,15 +478,13 @@ char* url::get_pac() {
> + }
> +
> + // Get content
> +- unsigned int recvd = 0;
> +- buffer = new char[PAC_MAX_SIZE];
> +- memset(buffer, 0, PAC_MAX_SIZE);
> ++ std::vector<char> dynamic_buffer;
> + do {
> + unsigned int chunk_length;
> +
> + if (chunked) {
> + // Discard the empty line if we received a previous chunk
> +- if (recvd > 0) recvline(sock);
> ++ if (!dynamic_buffer.empty()) recvline(sock);
> +
> + // Get the chunk-length line as an integer
> + if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
> +@@ -498,21 +496,41 @@ char* url::get_pac() {
> +
> + if (content_length >= PAC_MAX_SIZE) break;
> +
> +- while (content_length == 0 || recvd != content_length) {
> +- int r = recv(sock, buffer + recvd,
> +- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
> +- : content_length - recvd, 0);
> ++ while (content_length == 0 || dynamic_buffer.size() != content_length) {
> ++ // Calculate length to recv
> ++ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
> ++ if (content_length > 0)
> ++ length_to_read = content_length - dynamic_buffer.size();
> ++
> ++ // Prepare buffer
> ++ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
> ++
> ++ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
> ++
> ++ // Shrink buffer to fit
> ++ if (r >= 0)
> ++ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
> ++
> ++ // PAC size too large, discard
> ++ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
> ++ chunked = false;
> ++ dynamic_buffer.clear();
> ++ break;
> ++ }
> ++
> + if (r <= 0) {
> + chunked = false;
> + break;
> + }
> +- recvd += r;
> + }
> + } while (chunked);
> +
> +- if (content_length != 0 && string(buffer).size() != content_length) {
> +- delete[] buffer;
> +- buffer = NULL;
> ++ if (content_length == 0 || content_length == dynamic_buffer.size()) {
> ++ buffer = new char[dynamic_buffer.size() + 1];
> ++ if (!dynamic_buffer.empty()) {
> ++ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
> ++ }
> ++ buffer[dynamic_buffer.size()] = '\0';
> + }
> + }
> +
> diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
> index a14c358cc2..6f704d7a91 100644
> --- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
> +++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
> @@ -11,6 +11,7 @@ DEPENDS = "glib-2.0"
> SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
> file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
> file://CVE-2020-25219.patch \
> + file://CVE-2020-26154.patch \
> "
> SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
> SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"
> --
> 2.17.1
>
>
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [PATCH 1/4] libproxy: fix CVE-2020-26154
2020-11-18 14:44 ` [OE-core] [PATCH 1/4] libproxy: fix CVE-2020-26154 Steve Sakoman
@ 2020-11-19 0:28 ` Lee Chee Yang
0 siblings, 0 replies; 6+ messages in thread
From: Lee Chee Yang @ 2020-11-19 0:28 UTC (permalink / raw)
To: Steve Sakoman; +Cc: Patches and discussions about the oe-core layer
Yes, will send separate patch series for dunfell and gatesgarth.
>-----Original Message-----
>From: openembedded-core@lists.openembedded.org <openembedded-
>core@lists.openembedded.org> On Behalf Of Steve Sakoman
>Sent: Wednesday, 18 November, 2020 10:44 PM
>To: Lee, Chee Yang <chee.yang.lee@intel.com>
>Cc: Patches and discussions about the oe-core layer <openembedded-
>core@lists.openembedded.org>
>Subject: Re: [OE-core] [PATCH 1/4] libproxy: fix CVE-2020-26154
>
>Thanks for helping with CVE fixes!
>
>This first patch is also appropriate for dunfell, so I will cherry-pick it when it hits
>master.
>
>Do you plan to do dunfell versions of the other 3 patches?
>
>Steve
>
>On Wed, Nov 18, 2020 at 3:22 AM Lee Chee Yang <chee.yang.lee@intel.com>
>wrote:
>>
>> From: Lee Chee Yang <chee.yang.lee@intel.com>
>>
>> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
>> ---
>> .../libproxy/libproxy/CVE-2020-26154.patch | 98 +++++++++++++++++++
>> .../libproxy/libproxy_0.4.15.bb | 1 +
>> 2 files changed, 99 insertions(+)
>> create mode 100644
>> meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
>>
>> diff --git
>> a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
>> b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
>> new file mode 100644
>> index 0000000000..0ccb99da81
>> --- /dev/null
>> +++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
>> @@ -0,0 +1,98 @@
>> +From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00
>> +2001
>> +From: Fei Li <lifeibiren@gmail.com>
>> +Date: Fri, 17 Jul 2020 02:18:37 +0800
>> +Subject: [PATCH] Fix buffer overflow when PAC is enabled
>> +
>> +The bug was found on Windows 10 (MINGW64) when PAC is enabled. It
>> +turned out to be the large PAC file (more than 102400 bytes) returned
>> +by a local proxy program with no content-length present.
>> +
>> +Upstream-Status: Backport
>> +[https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952
>> +e2be271b5742c5f8]
>> +CVE: CVE-2020-26154
>> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
>> +
>> +---
>> + libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
>> + 1 file changed, 31 insertions(+), 13 deletions(-)
>> +
>> +diff --git a/libproxy/url.cpp b/libproxy/url.cpp index
>> +ee776b2..8684086 100644
>> +--- a/libproxy/url.cpp
>> ++++ b/libproxy/url.cpp
>> +@@ -54,7 +54,7 @@ using namespace std; #define PAC_MIME_TYPE_FB
>> +"text/plain"
>> +
>> + // This is the maximum pac size (to avoid memory attacks) -#define
>> +PAC_MAX_SIZE 102400
>> ++#define PAC_MAX_SIZE 0x800000
>> + // This is the default block size to use when receiving via HTTP
>> + #define PAC_HTTP_BLOCK_SIZE 512
>> +
>> +@@ -478,15 +478,13 @@ char* url::get_pac() {
>> + }
>> +
>> + // Get content
>> +- unsigned int recvd = 0;
>> +- buffer = new char[PAC_MAX_SIZE];
>> +- memset(buffer, 0, PAC_MAX_SIZE);
>> ++ std::vector<char> dynamic_buffer;
>> + do {
>> + unsigned int chunk_length;
>> +
>> + if (chunked) {
>> + // Discard the empty line if we received a previous chunk
>> +- if (recvd > 0) recvline(sock);
>> ++ if (!dynamic_buffer.empty())
>> ++ recvline(sock);
>> +
>> + // Get the chunk-length line as an integer
>> + if (sscanf(recvline(sock).c_str(),
>> +"%x", &chunk_length) != 1 || chunk_length == 0) break; @@ -498,21
>> ++496,41 @@ char* url::get_pac() {
>> +
>> + if (content_length >= PAC_MAX_SIZE) break;
>> +
>> +- while (content_length == 0 || recvd != content_length) {
>> +- int r = recv(sock, buffer + recvd,
>> +- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
>> +- : content_length - recvd, 0);
>> ++ while (content_length == 0 || dynamic_buffer.size() !=
>content_length) {
>> ++ // Calculate length to recv
>> ++ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
>> ++ if (content_length > 0)
>> ++ length_to_read =
>> ++ content_length - dynamic_buffer.size();
>> ++
>> ++ // Prepare buffer
>> ++
>> ++ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
>> ++
>> ++ int r = recv(sock,
>> ++ dynamic_buffer.data() + dynamic_buffer.size() - length_to_read,
>> ++ length_to_read, 0);
>> ++
>> ++ // Shrink buffer to fit
>> ++ if (r >= 0)
>> ++
>> ++ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
>> ++
>> ++ // PAC size too large, discard
>> ++ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
>> ++ chunked = false;
>> ++ dynamic_buffer.clear();
>> ++ break;
>> ++ }
>> ++
>> + if (r <= 0) {
>> + chunked = false;
>> + break;
>> + }
>> +- recvd += r;
>> + }
>> + } while (chunked);
>> +
>> +- if (content_length != 0 && string(buffer).size() != content_length) {
>> +- delete[] buffer;
>> +- buffer = NULL;
>> ++ if (content_length == 0 || content_length == dynamic_buffer.size()) {
>> ++ buffer = new char[dynamic_buffer.size() + 1];
>> ++ if (!dynamic_buffer.empty()) {
>> ++ memcpy(buffer, dynamic_buffer.data(),
>dynamic_buffer.size());
>> ++ }
>> ++ buffer[dynamic_buffer.size()] = '\0';
>> + }
>> + }
>> +
>> diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
>> b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
>> index a14c358cc2..6f704d7a91 100644
>> --- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
>> +++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
>> @@ -11,6 +11,7 @@ DEPENDS = "glib-2.0"
>> SRC_URI =
>"https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
>> file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
>> file://CVE-2020-25219.patch \
>> + file://CVE-2020-26154.patch \
>> "
>> SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
>> SRC_URI[sha256sum] =
>"654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"
>> --
>> 2.17.1
>>
>>
>>
>>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-11-19 0:28 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-18 13:22 [PATCH 1/4] libproxy: fix CVE-2020-26154 Lee Chee Yang
2020-11-18 13:22 ` [PATCH 2/4] python3: fix CVE-2020-27619 Lee Chee Yang
2020-11-18 13:22 ` [PATCH 3/4] python3: whitelist CVE-2020-15523 Lee Chee Yang
2020-11-18 13:22 ` [PATCH 4/4] qemu: fix CVE-2020-24352 Lee Chee Yang
2020-11-18 14:44 ` [OE-core] [PATCH 1/4] libproxy: fix CVE-2020-26154 Steve Sakoman
2020-11-19 0:28 ` Lee Chee Yang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.