libproxy: fix CVE-2020-25219, CVE-2020-26154

CVE-2020-25219:
url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a
remote HTTP server to trigger uncontrolled recursion via a response
composed of an infinite stream that lacks a newline character. This
leads to stack exhaustion.

CVE-2020-26154:
url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when
PAC is enabled, as demonstrated by a large PAC file that is delivered
without a Content-length header.

Fixes: CVE-2020-25219, CVE-2020-26154
This commit is contained in:
Martin Weinelt 2020-11-28 21:52:23 +01:00
parent ebe455a410
commit c0e0a6876f
No known key found for this signature in database
GPG key ID: 87C1E9888F856759

View file

@ -71,6 +71,17 @@ stdenv.mkDerivation rec {
url = "https://github.com/libproxy/libproxy/pull/95.patch";
sha256 = "18vyr6wlis9zfwml86606jpgb9mss01l9aj31iiciml8p857aixi";
})
(fetchpatch {
name = "CVE-2020-25219.patch";
url = "https://github.com/libproxy/libproxy/commit/a83dae404feac517695c23ff43ce1e116e2bfbe0.patch";
sha256 = "0wdh9qjq99aw0jnf2840237i3hagqzy42s09hz9chfgrw8pyr72k";
})
(fetchpatch {
name = "CVE-2020-26154.patch";
url = "https://github.com/libproxy/libproxy/commit/4411b523545b22022b4be7d0cac25aa170ae1d3e.patch";
sha256 = "0pdy9sw49lxpaiwq073cisk0npir5bkch70nimdmpszxwp3fv1d8";
})
] ++ stdenv.lib.optionals stdenv.isDarwin [
(fetchpatch {
url = "https://github.com/libproxy/libproxy/commit/44158f03f8522116758d335688ed840dfcb50ac8.patch";