Patchwork [oe] libproxy: Fix for CVE-2012-4504

login
register
mail settings
Submitter yanjun.zhu
Date Nov. 28, 2012, 10:13 a.m.
Message ID <1354097622-27424-1-git-send-email-yanjun.zhu@windriver.com>
Download mbox | patch
Permalink /patch/39777/
State New
Headers show

Comments

yanjun.zhu - Nov. 28, 2012, 10:13 a.m.
From: "yanjun.zhu" <yanjun.zhu@windriver.com>

Reference:https://code.google.com/p/libproxy/source/detail?r=853

Stack-based buffer overflow in the url::get_pac function in url.cpp
in libproxy 0.4.x before 0.4.9 allows remote servers to have an
unspecified impact via a large proxy.pac file.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4504

Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
---
 .../libproxy/libproxy/libproxy-0.4.7-CVE-2012-4504.patch  | 15 +++++++++++++++
 meta/recipes-support/libproxy/libproxy_0.4.7.bb           |  1 +
 2 files changed, 16 insertions(+)
 create mode 100644 meta/recipes-support/libproxy/libproxy/libproxy-0.4.7-CVE-2012-4504.patch
Saul Wold - Nov. 29, 2012, 5:45 p.m.
On 11/28/2012 02:13 AM, yanjun.zhu wrote:
> From: "yanjun.zhu" <yanjun.zhu@windriver.com>
>
> Reference:https://code.google.com/p/libproxy/source/detail?r=853
>
> Stack-based buffer overflow in the url::get_pac function in url.cpp
> in libproxy 0.4.x before 0.4.9 allows remote servers to have an
> unspecified impact via a large proxy.pac file.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4504
>
> Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
> ---
>   .../libproxy/libproxy/libproxy-0.4.7-CVE-2012-4504.patch  | 15 +++++++++++++++
>   meta/recipes-support/libproxy/libproxy_0.4.7.bb           |  1 +
>   2 files changed, 16 insertions(+)
>   create mode 100644 meta/recipes-support/libproxy/libproxy/libproxy-0.4.7-CVE-2012-4504.patch
>
> diff --git a/meta/recipes-support/libproxy/libproxy/libproxy-0.4.7-CVE-2012-4504.patch b/meta/recipes-support/libproxy/libproxy/libproxy-0.4.7-CVE-2012-4504.patch
> new file mode 100644
> index 0000000..323a571
> --- /dev/null
> +++ b/meta/recipes-support/libproxy/libproxy/libproxy-0.4.7-CVE-2012-4504.patch

This is missing a patch header with Signed-off-by and Upstream-Status, 
please add them.

Thanks
	Sau!

> @@ -0,0 +1,15 @@
> +diff -urpN a/libproxy/url.cpp b/libproxy/url.cpp
> +--- a/libproxy/url.cpp	2012-11-26 10:08:47.000000000 +0800
> ++++ b/libproxy/url.cpp	2012-11-26 10:05:54.000000000 +0800
> +@@ -472,9 +472,10 @@ char* url::get_pac() {
> + 				// Add this chunk to our content length,
> + 				// ensuring that we aren't over our max size
> + 				content_length += chunk_length;
> +-				if (content_length >= PAC_MAX_SIZE) break;
> + 			}
> +
> ++			if (content_length >= PAC_MAX_SIZE) break;
> ++
> + 			while (recvd != content_length) {
> + 				int r = recv(sock, buffer + recvd, content_length - recvd, 0);
> + 				if (r < 0) break;
> diff --git a/meta/recipes-support/libproxy/libproxy_0.4.7.bb b/meta/recipes-support/libproxy/libproxy_0.4.7.bb
> index e3721a8..fc32f57 100644
> --- a/meta/recipes-support/libproxy/libproxy_0.4.7.bb
> +++ b/meta/recipes-support/libproxy/libproxy_0.4.7.bb
> @@ -13,6 +13,7 @@ PR = "r4"
>   SRC_URI = "http://libproxy.googlecode.com/files/libproxy-${PV}.tar.gz \
>              file://g++-namepace.patch \
>              file://libproxy_fix_for_gcc4.7.patch \
> +           file://libproxy-0.4.7-CVE-2012-4504.patch \
>             "
>
>   SRC_URI[md5sum] = "509e03a488a61cd62bfbaf3ab6a2a7a5"
>

Patch

diff --git a/meta/recipes-support/libproxy/libproxy/libproxy-0.4.7-CVE-2012-4504.patch b/meta/recipes-support/libproxy/libproxy/libproxy-0.4.7-CVE-2012-4504.patch
new file mode 100644
index 0000000..323a571
--- /dev/null
+++ b/meta/recipes-support/libproxy/libproxy/libproxy-0.4.7-CVE-2012-4504.patch
@@ -0,0 +1,15 @@ 
+diff -urpN a/libproxy/url.cpp b/libproxy/url.cpp
+--- a/libproxy/url.cpp	2012-11-26 10:08:47.000000000 +0800
++++ b/libproxy/url.cpp	2012-11-26 10:05:54.000000000 +0800
+@@ -472,9 +472,10 @@ char* url::get_pac() {
+ 				// Add this chunk to our content length,
+ 				// ensuring that we aren't over our max size
+ 				content_length += chunk_length;
+-				if (content_length >= PAC_MAX_SIZE) break;
+ 			}
+ 
++			if (content_length >= PAC_MAX_SIZE) break;
++
+ 			while (recvd != content_length) {
+ 				int r = recv(sock, buffer + recvd, content_length - recvd, 0);
+ 				if (r < 0) break;
diff --git a/meta/recipes-support/libproxy/libproxy_0.4.7.bb b/meta/recipes-support/libproxy/libproxy_0.4.7.bb
index e3721a8..fc32f57 100644
--- a/meta/recipes-support/libproxy/libproxy_0.4.7.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.7.bb
@@ -13,6 +13,7 @@  PR = "r4"
 SRC_URI = "http://libproxy.googlecode.com/files/libproxy-${PV}.tar.gz \
            file://g++-namepace.patch \
            file://libproxy_fix_for_gcc4.7.patch \
+           file://libproxy-0.4.7-CVE-2012-4504.patch \
           "
 
 SRC_URI[md5sum] = "509e03a488a61cd62bfbaf3ab6a2a7a5"