tinyproxy: add patch for CVE-2023-49606 (#20051)

tinyproxy/tinyproxy@12a8484
2024-06-19 07:37:06 +00:00 · 2024-05-08 13:38:19 +00:00 · 2024-05-08 13:38:19 +00:00 · 60306fe4d1
commit 60306fe4d1
parent b8cc78ee8d
2 changed files with 55 additions and 1 deletions
--- a/packages/tinyproxy/CVE-2023-49606.patch
+++ b/packages/tinyproxy/CVE-2023-49606.patch
@ -0,0 +1,54 @@
+From 12a8484265f7b00591293da492bb3c9987001956 Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Sun, 5 May 2024 10:37:29 +0000
+Subject: [PATCH] fix potential UAF in header handling (CVE-2023-49606)
+
+https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
+
+this bug was brought to my attention today by the debian tinyproxy
+package maintainer. the above link states that the issue was known
+since last year and that maintainers have been contacted, but if
+that is even true then it probably was done via a private email
+to a potentially outdated email address of one of the maintainers,
+not through the channels described clearly on the tinyproxy homepage:
+
+> Feel free to report a new bug or suggest features via github issues.
+> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.
+
+no github issue was filed, and nobody mentioned a vulnerability on
+the mentioned IRC chat. if the issue had been reported on github or
+IRC, the bug would have been fixed within a day.
+---
+ src/reqs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index 58c97a8..a65ed54 100644
+--- a/src/reqs.c
+++ b/src/reqs.c
+@@ -779,7 +779,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
+         char *data;
+         char *ptr;
+         ssize_t len;
+-        int i;
+        int i,j,df;
+ 
+         for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
+                 /* Look for the connection header.  If it's not found, return. */
+@@ -804,7 +804,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
+                  */
+                 ptr = data;
+                 while (ptr < data + len) {
+-                        orderedmap_remove (hashofheaders, ptr);
+                        df = 0;
+                        /* check that ptr isn't one of headers to prevent
+                           double-free (CVE-2023-49606) */
+                        for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
+                                if(!strcasecmp(ptr, headers[j])) df = 1;
+                        if (!df) orderedmap_remove (hashofheaders, ptr);
+ 
+                         /* Advance ptr to the next token */
+                         ptr += strlen (ptr) + 1;
+-- 
+2.45.0
+
--- a/packages/tinyproxy/build.sh
+++ b/packages/tinyproxy/build.sh
@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="Light-weight HTTP proxy daemon for POSIX operating syste
 TERMUX_PKG_LICENSE="GPL-2.0"
 TERMUX_PKG_MAINTAINER="@termux"
 TERMUX_PKG_VERSION=1.11.1
-TERMUX_PKG_REVISION=1
+TERMUX_PKG_REVISION=2
 TERMUX_PKG_SRCURL=https://github.com/tinyproxy/tinyproxy/releases/download/${TERMUX_PKG_VERSION}/tinyproxy-${TERMUX_PKG_VERSION}.tar.xz
 TERMUX_PKG_SHA256=d66388448215d0aeb90d0afdd58ed00386fb81abc23ebac9d80e194fceb40f7c
 TERMUX_PKG_AUTO_UPDATE=true