From f2be7dada46f4745a8ea6eb1b16c4e58bdb19622 Mon Sep 17 00:00:00 2001
From: termux-pacman-bot
Date: Wed, 8 May 2024 14:08:42 +0000
Subject: [PATCH] tinyproxy: add patch for CVE-2023-49606 (#20051)

tinyproxy/tinyproxy@12a8484
---
 packages/tinyproxy/CVE-2023-49606.patch | 54 +++++++++++++++++++++++++
 packages/tinyproxy/build.sh | 2 +-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 packages/tinyproxy/CVE-2023-49606.patch

diff --git a/packages/tinyproxy/CVE-2023-49606.patch b/packages/tinyproxy/CVE-2023-49606.patch
new file mode 100644
index 0000000000..07465534cf
--- /dev/null
+++ b/packages/tinyproxy/CVE-2023-49606.patch
@@ -0,0 +1,54 @@
+From 12a8484265f7b00591293da492bb3c9987001956 Mon Sep 17 00:00:00 2001
+From: rofl0r
+Date: Sun, 5 May 2024 10:37:29 +0000
+Subject: [PATCH] fix potential UAF in header handling (CVE-2023-49606)
+
+https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
+
+this bug was brought to my attention today by the debian tinyproxy
+package maintainer. the above link states that the issue was known
+since last year and that maintainers have been contacted, but if
+that is even true then it probably was done via a private email
+to a potentially outdated email address of one of the maintainers,
+not through the channels described clearly on the tinyproxy homepage:
+
+> Feel free to report a new bug or suggest features via github issues.
+> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.
+
+no github issue was filed, and nobody mentioned a vulnerability on
+the mentioned IRC chat. if the issue had been reported on github or
+IRC, the bug would have been fixed within a day.
+---
+ src/reqs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index 58c97a8..a65ed54 100644
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -779,7 +779,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
+ char *data;
+ char *ptr;
+ ssize_t len;
+- int i;
++ int i,j,df;
+ 
+ for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
+ /* Look for the connection header. If it's not found, return.
 */
+@@ -804,7 +804,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
+ */
+ ptr = data;
+ while (ptr < data + len) {
+- orderedmap_remove (hashofheaders, ptr);
++ df = 0;
++ /* check that ptr isn't one of headers to prevent
++ double-free (CVE-2023-49606) */
++ for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
++ if(!strcasecmp(ptr, headers[j])) df = 1;
++ if (!df) orderedmap_remove (hashofheaders, ptr);
+ 
+ /* Advance ptr to the next token */
+ ptr += strlen (ptr) + 1;
+--
+2.45.0
+
diff --git a/packages/tinyproxy/build.sh b/packages/tinyproxy/build.sh
index 779d8b178e..02bda214cd 100644
--- a/packages/tinyproxy/build.sh
+++ b/packages/tinyproxy/build.sh
@@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="Light-weight HTTP proxy daemon for POSIX operating syste
 TERMUX_PKG_LICENSE="GPL-2.0"
 TERMUX_PKG_MAINTAINER="@termux"
 TERMUX_PKG_VERSION=1.11.1
-TERMUX_PKG_REVISION=1
+TERMUX_PKG_REVISION=2
 TERMUX_PKG_SRCURL=https://github.com/tinyproxy/tinyproxy/releases/download/${TERMUX_PKG_VERSION}/tinyproxy-${TERMUX_PKG_VERSION}.tar.xz
 TERMUX_PKG_SHA256=d66388448215d0aeb90d0afdd58ed00386fb81abc23ebac9d80e194fceb40f7c
 TERMUX_PKG_AUTO_UPDATE=true
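Review bot: The guard at `++ if (!df) orderedmap_remove (hashofheaders, ptr);` only prevents freeing the entry that `data` and `ptr` point into; the loop still calls `orderedmap_remove` for every other token of the client-supplied `Connection:` value while it keeps reading through `data`, so the backport is sound only if `orderedmap_remove` never relocates or frees other entries' value buffers, which this hunk cannot show and is worth confirming in orderedmap.c before shipping. Since the file is a verbatim copy of upstream 12a8484 I would not restyle it here (a `break` after `df = 1;` would be the only cosmetic change, and it belongs upstream). With `TERMUX_PKG_AUTO_UPDATE=true` left in build.sh, the patch will presumably stop applying once a release that already contains this commit is picked up, so a header line such as `# Backport of tinyproxy/tinyproxy@12a8484 (CVE-2023-49606); drop when upgrading past 1.11.1` above the `From` line would spare the next bump (patch(1) skips leading text before the first file header). `remove_connection_headers` starts and ends outside both of the inner hunks.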