From: "Lee Chee Yang" <chee.yang.lee@intel.com>
To: Steve Sakoman <steve@sakoman.com>
Cc: Patches and discussions about the oe-core layer
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH 1/4] libproxy: fix CVE-2020-26154
Date: Thu, 19 Nov 2020 00:28:44 +0000 [thread overview]
Message-ID: <MWHPR11MB2000EDB067ED3BB37B7AB8CBB9E00@MWHPR11MB2000.namprd11.prod.outlook.com> (raw)
In-Reply-To: <CAOSpxdYf+5fTzRjrpjteD1t2ntuFLSgw-4X_zcsQ37aGkZLGkQ@mail.gmail.com>
Yes, will send separate patch series for dunfell and gatesgarth.
>-----Original Message-----
>From: openembedded-core@lists.openembedded.org <openembedded-
>core@lists.openembedded.org> On Behalf Of Steve Sakoman
>Sent: Wednesday, 18 November, 2020 10:44 PM
>To: Lee, Chee Yang <chee.yang.lee@intel.com>
>Cc: Patches and discussions about the oe-core layer <openembedded-
>core@lists.openembedded.org>
>Subject: Re: [OE-core] [PATCH 1/4] libproxy: fix CVE-2020-26154
>
>Thanks for helping with CVE fixes!
>
>This first patch is also appropriate for dunfell, so I will cherry-pick it when it hits
>master.
>
>Do you plan to do dunfell versions of the other 3 patches?
>
>Steve
>
>On Wed, Nov 18, 2020 at 3:22 AM Lee Chee Yang <chee.yang.lee@intel.com>
>wrote:
>>
>> From: Lee Chee Yang <chee.yang.lee@intel.com>
>>
>> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
>> ---
>> .../libproxy/libproxy/CVE-2020-26154.patch | 98 +++++++++++++++++++
>> .../libproxy/libproxy_0.4.15.bb | 1 +
>> 2 files changed, 99 insertions(+)
>> create mode 100644
>> meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
>>
>> diff --git
>> a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
>> b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
>> new file mode 100644
>> index 0000000000..0ccb99da81
>> --- /dev/null
>> +++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
>> @@ -0,0 +1,98 @@
>> +From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00
>> +2001
>> +From: Fei Li <lifeibiren@gmail.com>
>> +Date: Fri, 17 Jul 2020 02:18:37 +0800
>> +Subject: [PATCH] Fix buffer overflow when PAC is enabled
>> +
>> +The bug was found on Windows 10 (MINGW64) when PAC is enabled. It
>> +turned out to be the large PAC file (more than 102400 bytes) returned
>> +by a local proxy program with no content-length present.
>> +
>> +Upstream-Status: Backport
>> +[https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952
>> +e2be271b5742c5f8]
>> +CVE: CVE-2020-26154
>> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
>> +
>> +---
>> + libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
>> + 1 file changed, 31 insertions(+), 13 deletions(-)
>> +
>> +diff --git a/libproxy/url.cpp b/libproxy/url.cpp index
>> +ee776b2..8684086 100644
>> +--- a/libproxy/url.cpp
>> ++++ b/libproxy/url.cpp
>> +@@ -54,7 +54,7 @@ using namespace std; #define PAC_MIME_TYPE_FB
>> +"text/plain"
>> +
>> + // This is the maximum pac size (to avoid memory attacks) -#define
>> +PAC_MAX_SIZE 102400
>> ++#define PAC_MAX_SIZE 0x800000
>> + // This is the default block size to use when receiving via HTTP
>> + #define PAC_HTTP_BLOCK_SIZE 512
>> +
>> +@@ -478,15 +478,13 @@ char* url::get_pac() {
>> + }
>> +
>> + // Get content
>> +- unsigned int recvd = 0;
>> +- buffer = new char[PAC_MAX_SIZE];
>> +- memset(buffer, 0, PAC_MAX_SIZE);
>> ++ std::vector<char> dynamic_buffer;
>> + do {
>> + unsigned int chunk_length;
>> +
>> + if (chunked) {
>> + // Discard the empty line if we received a previous chunk
>> +- if (recvd > 0) recvline(sock);
>> ++ if (!dynamic_buffer.empty())
>> ++ recvline(sock);
>> +
>> + // Get the chunk-length line as an integer
>> + if (sscanf(recvline(sock).c_str(),
>> +"%x", &chunk_length) != 1 || chunk_length == 0) break; @@ -498,21
>> ++496,41 @@ char* url::get_pac() {
>> +
>> + if (content_length >= PAC_MAX_SIZE) break;
>> +
>> +- while (content_length == 0 || recvd != content_length) {
>> +- int r = recv(sock, buffer + recvd,
>> +- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
>> +- : content_length - recvd, 0);
>> ++ while (content_length == 0 || dynamic_buffer.size() !=
>content_length) {
>> ++ // Calculate length to recv
>> ++ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
>> ++ if (content_length > 0)
>> ++ length_to_read =
>> ++ content_length - dynamic_buffer.size();
>> ++
>> ++ // Prepare buffer
>> ++
>> ++ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
>> ++
>> ++ int r = recv(sock,
>> ++ dynamic_buffer.data() + dynamic_buffer.size() - length_to_read,
>> ++ length_to_read, 0);
>> ++
>> ++ // Shrink buffer to fit
>> ++ if (r >= 0)
>> ++
>> ++ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
>> ++
>> ++ // PAC size too large, discard
>> ++ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
>> ++ chunked = false;
>> ++ dynamic_buffer.clear();
>> ++ break;
>> ++ }
>> ++
>> + if (r <= 0) {
>> + chunked = false;
>> + break;
>> + }
>> +- recvd += r;
>> + }
>> + } while (chunked);
>> +
>> +- if (content_length != 0 && string(buffer).size() != content_length) {
>> +- delete[] buffer;
>> +- buffer = NULL;
>> ++ if (content_length == 0 || content_length == dynamic_buffer.size()) {
>> ++ buffer = new char[dynamic_buffer.size() + 1];
>> ++ if (!dynamic_buffer.empty()) {
>> ++ memcpy(buffer, dynamic_buffer.data(),
>dynamic_buffer.size());
>> ++ }
>> ++ buffer[dynamic_buffer.size()] = '\0';
>> + }
>> + }
>> +
>> diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
>> b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
>> index a14c358cc2..6f704d7a91 100644
>> --- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
>> +++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
>> @@ -11,6 +11,7 @@ DEPENDS = "glib-2.0"
>> SRC_URI =
>"https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
>> file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
>> file://CVE-2020-25219.patch \
>> + file://CVE-2020-26154.patch \
>> "
>> SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
>> SRC_URI[sha256sum] =
>"654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"
>> --
>> 2.17.1
>>
>>
>>
>>
prev parent reply other threads:[~2020-11-19 0:28 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-18 13:22 [PATCH 1/4] libproxy: fix CVE-2020-26154 Lee Chee Yang
2020-11-18 13:22 ` [PATCH 2/4] python3: fix CVE-2020-27619 Lee Chee Yang
2020-11-18 13:22 ` [PATCH 3/4] python3: whitelist CVE-2020-15523 Lee Chee Yang
2020-11-18 13:22 ` [PATCH 4/4] qemu: fix CVE-2020-24352 Lee Chee Yang
2020-11-18 14:44 ` [OE-core] [PATCH 1/4] libproxy: fix CVE-2020-26154 Steve Sakoman
2020-11-19 0:28 ` Lee Chee Yang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MWHPR11MB2000EDB067ED3BB37B7AB8CBB9E00@MWHPR11MB2000.namprd11.prod.outlook.com \
--to=chee.yang.lee@intel.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=steve@sakoman.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.