tinyproxy: patch CVE-2023-49606

Details https://nvd.nist.gov/vuln/detail/CVE-2023-49606 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2025-12-31 13:38:06 +00:00 · 2025-10-10 17:24:18 +13:00 · 2025-10-10 17:24:18 +13:00 · 7f8516d8db
commit 7f8516d8db
parent 95f680e0df
2 changed files with 60 additions and 0 deletions
--- a/meta-networking/recipes-support/tinyproxy/tinyproxy/0001-CVE-2023-49606.patch
+++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/0001-CVE-2023-49606.patch
@ -0,0 +1,59 @@
+From 982a46347c5939e08ad659858b1ac32361d7ffb8 Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Sun, 5 May 2024 10:37:29 +0000
+Subject: [PATCH] CVE-2023-49606
+
+fix potential UAF in header handling
+
+https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
+
+this bug was brought to my attention today by the debian tinyproxy
+package maintainer. the above link states that the issue was known
+since last year and that maintainers have been contacted, but if
+that is even true then it probably was done via a private email
+to a potentially outdated email address of one of the maintainers,
+not through the channels described clearly on the tinyproxy homepage:
+
+> Feel free to report a new bug or suggest features via github issues.
+> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.
+
+no github issue was filed, and nobody mentioned a vulnerability on
+the mentioned IRC chat. if the issue had been reported on github or
+IRC, the bug would have been fixed within a day.
+
+CVE: CVE-2023-49606
+Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/12a8484265f7b00591293da492bb3c9987001956]
+
+(cherry picked from commit 12a8484265f7b00591293da492bb3c9987001956)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/reqs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index b865190..705ce11 100644
+--- a/src/reqs.c
+++ b/src/reqs.c
+@@ -779,7 +779,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
+         char *data;
+         char *ptr;
+         ssize_t len;
+-        int i;
+        int i,j,df;
+ 
+         for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
+                 /* Look for the connection header.  If it's not found, return. */
+@@ -804,7 +804,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
+                  */
+                 ptr = data;
+                 while (ptr < data + len) {
+-                        orderedmap_remove (hashofheaders, ptr);
+                        df = 0;
+                        /* check that ptr isn't one of headers to prevent
+                           double-free (CVE-2023-49606) */
+                        for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
+                                if(!strcasecmp(ptr, headers[j])) df = 1;
+                        if (!df) orderedmap_remove (hashofheaders, ptr);
+ 
+                         /* Advance ptr to the next token */
+                         ptr += strlen (ptr) + 1;
--- a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb
+++ b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb
@ -8,6 +8,7 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.gz
           file://tinyproxy.service \
           file://tinyproxy.conf \
           file://CVE-2022-40468.patch \
+           file://0001-CVE-2023-49606.patch \
           "

 SRC_URI[sha256sum] = "1574acf7ba83c703a89e98bb2758a4ed9fda456f092624b33cfcf0ce2d3b2047"