From 40a94c9dc21e260744a0bfc92a39270c276dbb18 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine
Date: Sat, 24 Sep 2022 19:34:14 +0200
Subject: [PATCH] package/tinyproxy: fix CVE-2022-40468

Tinyproxy commit 84f203f and earlier does not process HTTP request lines in the process_request() function and is using uninitialized buffers. This vulnerability allows attackers to access sensitive information at system runtime.

Signed-off-by: Fabrice Fontaine
Signed-off-by: Thomas Petazzoni
(cherry picked from commit eedd93f010ef7d385290805a6d040e7cfdf88d6b)
Signed-off-by: Peter Korsgaard
---
 ...up-in-error-page-in-invalid-requests.patch | 32 +++++++++++++++++++
 package/tinyproxy/tinyproxy.mk | 3 ++
 2 files changed, 35 insertions(+)
 create mode 100644 package/tinyproxy/0001-prevent-junk-from-showing-up-in-error-page-in-invalid-requests.patch

diff --git a/package/tinyproxy/0001-prevent-junk-from-showing-up-in-error-page-in-invalid-requests.patch b/package/tinyproxy/0001-prevent-junk-from-showing-up-in-error-page-in-invalid-requests.patch
new file mode 100644
index 0000000000..da9c21a41a
--- /dev/null
+++ b/package/tinyproxy/0001-prevent-junk-from-showing-up-in-error-page-in-invalid-requests.patch
@@ -0,0 +1,32 @@
+From 3764b8551463b900b5b4e3ec0cd9bb9182191cb7 Mon Sep 17 00:00:00 2001
+From: rofl0r
+Date: Thu, 8 Sep 2022 15:18:04 +0000
+Subject: [PATCH] prevent junk from showing up in error page in invalid
+ requests
+
+fixes #457
+
+[Retrieved from:
+https://github.com/tinyproxy/tinyproxy/commit/3764b8551463b900b5b4e3ec0cd9bb9182191cb7]
+Signed-off-by: Fabrice Fontaine
+---
+ src/reqs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index bce69819..45db118d 100644
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -343,8 +343,12 @@ static struct request_s *process_request (struct conn_s *connptr,
+ goto fail;
+ }
+ 
++ /* zero-terminate the strings so they don't contain junk in error page */
++ request->method[0] = url[0] = request->protocol[0] = 0;
++
+ ret = sscanf (connptr->request_line, "%[^ ] %[^ ] %[^ ]",
+ request->method, url, request->protocol);
++
+ if (ret == 2 && !strcasecmp (request->method, "GET")) {
+ request->protocol[0] = 0;
+ 
diff --git a/package/tinyproxy/tinyproxy.mk b/package/tinyproxy/tinyproxy.mk
index 6b5a3f9625..e91a886888 100644
--- a/package/tinyproxy/tinyproxy.mk
+++ b/package/tinyproxy/tinyproxy.mk
@@ -11,4 +11,7 @@ TINYPROXY_LICENSE = GPL-2.0+
 TINYPROXY_LICENSE_FILES = COPYING
 TINYPROXY_CPE_ID_VENDOR = tinyproxy_project
 
+# 0001-prevent-junk-from-showing-up-in-error-page-in-invalid-requests.patch
+TINYPROXY_IGNORE_CVES += CVE-2022-40468
+
 $(eval $(autotools-package))
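Review bot: In the `src/reqs.c` hunk carried by the 0001 patch, the `sscanf` that the new initialisers guard still uses three `%[^ ]` conversions with no field width, so it stays in bounds only if `request->method`, `url` and `request->protocol` are each at least as large as `connptr->request_line`. Those allocations are above the hunk (`process_request` starts and ends outside it), so this cannot be confirmed from here and deserves a check or a comment next to the call, for example `/* destinations must be sized from the request line: %[^ ] is unbounded */`. The added comment could also state the cause rather than the symptom, e.g. `/* sscanf leaves unmatched fields unwritten; start them empty so the error page never prints uninitialised bytes */`.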