diff options
-rw-r--r-- | www/tinyproxy/Makefile | 3 | ||||
-rw-r--r-- | www/tinyproxy/distinfo | 5 | ||||
-rw-r--r-- | www/tinyproxy/patches/patch-src_child.c | 24 | ||||
-rw-r--r-- | www/tinyproxy/patches/patch-src_hashmap.c | 85 | ||||
-rw-r--r-- | www/tinyproxy/patches/patch-src_reqs.c | 48 |
5 files changed, 163 insertions, 2 deletions
diff --git a/www/tinyproxy/Makefile b/www/tinyproxy/Makefile index 987397539ba..4231c3d4f50 100644 --- a/www/tinyproxy/Makefile +++ b/www/tinyproxy/Makefile @@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.29 2012/12/12 13:01:23 wiz Exp $ +# $NetBSD: Makefile,v 1.30 2012/12/13 09:01:26 wiz Exp $ # DISTNAME= tinyproxy-1.8.3 +PKGREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=tinyproxy/} diff --git a/www/tinyproxy/distinfo b/www/tinyproxy/distinfo index 815f863fa9b..5aa2c22902c 100644 --- a/www/tinyproxy/distinfo +++ b/www/tinyproxy/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.7 2012/12/12 13:01:23 wiz Exp $ +$NetBSD: distinfo,v 1.8 2012/12/13 09:01:26 wiz Exp $ SHA1 (tinyproxy-1.8.3.tar.gz) = ebf4bda60ff2d0fdf1846467f07b3bbd9ef90faf RMD160 (tinyproxy-1.8.3.tar.gz) = 41cae4c8fcc99650a76d7bed52a379a9dd0faef0 @@ -6,3 +6,6 @@ Size (tinyproxy-1.8.3.tar.gz) = 266744 bytes SHA1 (patch-docs_man5_tinyproxy.conf.txt.in) = 1641f7c44ce84f2ebac6e945760af3ba77976f31 SHA1 (patch-docs_man8_tinyproxy.txt.in) = 12c43d0f874a8794cbe8da7c702e406e8b10a99b SHA1 (patch-etc_Makefile.in) = 34ab3402bf11be5d2c1521f8ca0254ecbf19fc3c +SHA1 (patch-src_child.c) = 2263f1aa7edbc31a7b31343487afa4be4fb30405 +SHA1 (patch-src_hashmap.c) = 92234430d31cd97620038a268ffd813344b262ba +SHA1 (patch-src_reqs.c) = 9a1186ab9ebe71009384ec12aa56aff86f3a1007 diff --git a/www/tinyproxy/patches/patch-src_child.c b/www/tinyproxy/patches/patch-src_child.c new file mode 100644 index 00000000000..f1ed2d06fd4 --- /dev/null +++ b/www/tinyproxy/patches/patch-src_child.c @@ -0,0 +1,24 @@ +$NetBSD: patch-src_child.c,v 1.1 2012/12/13 09:01:26 wiz Exp $ + +Fix CVE-2012-3505 using Debian patch. + +--- src/child.c.orig 2010-01-10 22:52:04.000000000 +0000 ++++ src/child.c +@@ -20,6 +20,9 @@ + * processing incoming connections. + */ + ++#include <stdlib.h> ++#include <time.h> ++ + #include "main.h" + + #include "child.h" +@@ -196,6 +199,7 @@ static void child_main (struct child_s * + } + + ptr->connects = 0; ++ srand(time(NULL)); + + while (!config.quit) { + ptr->status = T_WAITING; diff --git a/www/tinyproxy/patches/patch-src_hashmap.c b/www/tinyproxy/patches/patch-src_hashmap.c new file mode 100644 index 00000000000..6c6ca62ac67 --- /dev/null +++ b/www/tinyproxy/patches/patch-src_hashmap.c @@ -0,0 +1,85 @@ +$NetBSD: patch-src_hashmap.c,v 1.1 2012/12/13 09:01:26 wiz Exp $ + +Fix CVE-2012-3505 using Debian patch. + +--- src/hashmap.c.orig 2010-01-25 18:24:01.000000000 +0000 ++++ src/hashmap.c +@@ -25,6 +25,8 @@ + * don't try to free the data, or realloc the memory. :) + */ + ++#include <stdlib.h> ++ + #include "main.h" + + #include "hashmap.h" +@@ -50,6 +52,7 @@ struct hashbucket_s { + }; + + struct hashmap_s { ++ uint32_t seed; + unsigned int size; + hashmap_iter end_iterator; + +@@ -65,7 +68,7 @@ struct hashmap_s { + * + * If any of the arguments are invalid a negative number is returned. + */ +-static int hashfunc (const char *key, unsigned int size) ++static int hashfunc (const char *key, unsigned int size, uint32_t seed) + { + uint32_t hash; + +@@ -74,7 +77,7 @@ static int hashfunc (const char *key, un + if (size == 0) + return -ERANGE; + +- for (hash = tolower (*key++); *key != '\0'; key++) { ++ for (hash = seed; *key != '\0'; key++) { + uint32_t bit = (hash & 1) ? (1 << (sizeof (uint32_t) - 1)) : 0; + + hash >>= 1; +@@ -104,6 +107,7 @@ hashmap_t hashmap_create (unsigned int n + if (!ptr) + return NULL; + ++ ptr->seed = (uint32_t)rand(); + ptr->size = nbuckets; + ptr->buckets = (struct hashbucket_s *) safecalloc (nbuckets, + sizeof (struct +@@ -201,7 +205,7 @@ hashmap_insert (hashmap_t map, const cha + if (!data || len < 1) + return -ERANGE; + +- hash = hashfunc (key, map->size); ++ hash = hashfunc (key, map->size, map->seed); + if (hash < 0) + return hash; + +@@ -382,7 +386,7 @@ ssize_t hashmap_search (hashmap_t map, c + if (map == NULL || key == NULL) + return -EINVAL; + +- hash = hashfunc (key, map->size); ++ hash = hashfunc (key, map->size, map->seed); + if (hash < 0) + return hash; + +@@ -416,7 +420,7 @@ ssize_t hashmap_entry_by_key (hashmap_t + if (!map || !key || !data) + return -EINVAL; + +- hash = hashfunc (key, map->size); ++ hash = hashfunc (key, map->size, map->seed); + if (hash < 0) + return hash; + +@@ -451,7 +455,7 @@ ssize_t hashmap_remove (hashmap_t map, c + if (map == NULL || key == NULL) + return -EINVAL; + +- hash = hashfunc (key, map->size); ++ hash = hashfunc (key, map->size, map->seed); + if (hash < 0) + return hash; + diff --git a/www/tinyproxy/patches/patch-src_reqs.c b/www/tinyproxy/patches/patch-src_reqs.c new file mode 100644 index 00000000000..34a8215176e --- /dev/null +++ b/www/tinyproxy/patches/patch-src_reqs.c @@ -0,0 +1,48 @@ +$NetBSD: patch-src_reqs.c,v 1.1 2012/12/13 09:01:27 wiz Exp $ + +Fix CVE-2012-3505 using Debian patch. + +--- src/reqs.c.orig 2011-02-07 12:31:03.000000000 +0000 ++++ src/reqs.c +@@ -610,6 +610,11 @@ add_header_to_connection (hashmap_t hash + return hashmap_insert (hashofheaders, header, sep, len); + } + ++/* define max number of headers. big enough to handle legitimate cases, ++ * but limited to avoid DoS ++ */ ++#define MAX_HEADERS 10000 ++ + /* + * Read all the headers from the stream + */ +@@ -617,6 +622,7 @@ static int get_all_headers (int fd, hash + { + char *line = NULL; + char *header = NULL; ++ int count; + char *tmp; + ssize_t linelen; + ssize_t len = 0; +@@ -625,7 +631,7 @@ static int get_all_headers (int fd, hash + assert (fd >= 0); + assert (hashofheaders != NULL); + +- for (;;) { ++ for (count = 0; count < MAX_HEADERS; count++) { + if ((linelen = readline (fd, &line)) <= 0) { + safefree (header); + safefree (line); +@@ -691,6 +697,12 @@ static int get_all_headers (int fd, hash + + safefree (line); + } ++ ++ /* if we get there, this is we reached MAX_HEADERS count. ++ bail out with error */ ++ safefree (header); ++ safefree (line); ++ return -1; + } + + /* |