From ac1d47851349b0d788c38ed83e0e6477c5d4f96a Mon Sep 17 00:00:00 2001
From: David King <amigadave@amigadave.com>
Date: Sep 18 2020 12:15:26 +0000
Subject: Fix CVE-2020-25219 (#1880350)


---

diff --git a/libproxy-0.4.15-fix-CVE-2020-25219.patch b/libproxy-0.4.15-fix-CVE-2020-25219.patch
new file mode 100644
index 0000000..03cfbc0
--- /dev/null
+++ b/libproxy-0.4.15-fix-CVE-2020-25219.patch
@@ -0,0 +1,57 @@
+From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Wed, 9 Sep 2020 11:12:02 -0500
+Subject: [PATCH] Rewrite url::recvline to be nonrecursive
+
+This function processes network input. It's semi-trusted, because the
+PAC ought to be trusted. But we still shouldn't allow it to control how
+far we recurse. A malicious PAC can cause us to overflow the stack by
+sending a sufficiently-long line without any '\n' character.
+
+Also, this function failed to properly handle EINTR, so let's fix that
+too, for good measure.
+
+Fixes #134
+---
+ libproxy/url.cpp | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..68d69cd 100644
+--- a/libproxy/url.cpp
++++ b/libproxy/url.cpp
+@@ -388,16 +388,24 @@ string url::to_string() const {
+ 	return m_orig;
+ }
+ 
+-static inline string recvline(int fd) {
+-	// Read a character.
+-	// If we don't get a character, return empty string.
+-	// If we are at the end of the line, return empty string.
+-	char c = '\0';
+-	
+-	if (recv(fd, &c, 1, 0) != 1 || c == '\n')
+-		return "";
+-
+-	return string(1, c) + recvline(fd);
++static string recvline(int fd) {
++	string line;
++	int ret;
++
++	// Reserve arbitrary amount of space to avoid small memory reallocations.
++	line.reserve(128);
++
++	do {
++		char c;
++		ret = recv(fd, &c, 1, 0);
++		if (ret == 1) {
++			if (c == '\n')
++				return line;
++			line += c;
++		}
++	} while (ret == 1 || (ret == -1 && errno == EINTR));
++
++	return line;
+ }
+ 
+ char* url::get_pac() {
diff --git a/libproxy.spec b/libproxy.spec
index d01c8e4..b88198c 100644
--- a/libproxy.spec
+++ b/libproxy.spec
@@ -4,7 +4,7 @@
 
 Name:           libproxy
 Version:        0.4.15
-Release:        24%{?dist}
+Release:        25%{?dist}
 Summary:        A library handling all the details of proxy configuration
 
 License:        LGPLv2+
@@ -27,6 +27,8 @@ Patch5:         libproxy-0.4.15-python39.patch
 Patch6:         libproxy-0.4.15-mozjs68.patch
 # https://github.com/libproxy/libproxy/pull/118
 Patch7:         libproxy-0.4.15-mozjs-use-after-free.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1880350
+Patch8:         libproxy-0.4.15-fix-CVE-2020-25219.patch
 
 BuildRequires:  cmake >= 2.6.0
 BuildRequires:  gcc-c++
@@ -231,6 +233,9 @@ install -Dpm 0644 %{SOURCE1} %{buildroot}/%{_mandir}/man1/proxy.1
 
 
 %changelog
+* Fri Sep 18 2020 David King <amigadave@amigadave.com> - 0.4.15-25
+- Fix CVE-2020-25219 (#1880350)
+
 * Tue Aug 18 2020 Jeff Law <law@redhat.com> - 0.4.15-24
 - Force C++14 as this code is not C++17 ready