| Message ID | 20260406155044.3662500-1-skandigraun@gmail.com |
|---|---|
| State | New |
| Series | [meta-networking,1/2] tinyproxy: patch CVE-2026-3945 |
On Mon, Apr 6, 2026 at 8:50 AM Gyorgy Sarvari via lists.openembedded.org <skandigraun=gmail.com@lists.openembedded.org> wrote: > Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3945 > > Backport the patches which are references by the NVD avisory. > > Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> > --- > .../tinyproxy/tinyproxy/CVE-2026-3945-1.patch | 29 +++++++++++++++++ > .../tinyproxy/tinyproxy/CVE-2026-3945-2.patch | 31 +++++++++++++++++++ > .../tinyproxy/tinyproxy_1.11.3.bb | 2 ++ > 3 files changed, 62 insertions(+) > create mode 100644 > meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-1.patch > create mode 100644 > meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-2.patch > > diff --git > a/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-1.patch > b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-1.patch > new file mode 100644 > index 0000000000..99c4ea705d > --- /dev/null > +++ > b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-1.patch 
> @@ -0,0 +1,29 @@ > +From 245946bb789c8fc0e4758c344f735a5d53827dce Mon Sep 17 00:00:00 2001 > +From: rofl0r <rofl0r@users.noreply.github.com> > +Date: Thu, 12 Mar 2026 14:26:24 +0000 > +Subject: [PATCH] reqs: check negative length values when reading chunked > data > + > +this could lead to a DoS when a legitimate client reads from an > +attacker-controlled web server. > + > +closes #597 > + > +CVE: CVE-2026-3945 > +Upstream-Status: Backport [ > https://github.com/tinyproxy/tinyproxy/commit/969852ccdb1d19d7ed302f0e1d324661be641e0a > ] > +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> > +--- > + src/reqs.c | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/src/reqs.c b/src/reqs.c > +index a562c68..94ce767 100644 > +--- a/src/reqs.c > ++++ b/src/reqs.c > +@@ -613,6 +613,7 @@ static int pull_client_data_chunked (struct conn_s > *connptr) { > + } > + > + chunklen = strtol (buffer, (char**)0, 16); > ++ if (chunklen < 0) goto ERROR_EXIT; > + > + if (pull_client_data (connptr, chunklen+2, 0) < 0) > + goto ERROR_EXIT; > diff --git > a/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-2.patch > b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-2.patch > new file mode 100644 > index 0000000000..3da30b54eb > --- /dev/null > +++ > b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-2.patch 
> @@ -0,0 +1,31 @@ > +From 8f12872b8e50fe22be0a65ead260ebbedde905cd Mon Sep 17 00:00:00 2001 > +From: rofl0r <rofl0r@users.noreply.github.com> > +Date: Sun, 29 Mar 2026 16:48:54 +0200 > +Subject: [PATCH] reqs: prevent potential int overflow when parsing chunked > + data (#603) > + > +follow-up to 969852ccdb1d19d7ed302f0e1d324661be641e0a > + > +closes #602 > + > +CVE: CVE-2026-3945 > +Upstream-Status: Backport [ > https://github.com/tinyproxy/tinyproxy/commit/bb7edc4778041b3bc8ad7fca448b67d98039cc7d > ] > +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> > +--- > + src/reqs.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/src/reqs.c b/src/reqs.c > +index 94ce767..7aacfd3 100644 > +--- a/src/reqs.c > ++++ b/src/reqs.c > +@@ -613,7 +613,8 @@ static int pull_client_data_chunked (struct conn_s > *connptr) { > + } > + > + chunklen = strtol (buffer, (char**)0, 16); > +- if (chunklen < 0) goto ERROR_EXIT; > ++ /* prevent negative or huge values causing overflow */ > ++ if (chunklen < 0 || chunklen > 0x0fffffff) goto > ERROR_EXIT; > + > + if (pull_client_data (connptr, chunklen+2, 0) < 0) > + goto ERROR_EXIT; > diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb > b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb > index 745c55bc0d..56e3296066 100644 > --- a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb > +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb We have 1.11.2 in master branch, we should do the upgrade to 1.11.3 before applying this patch. 
> > @@ -7,6 +7,8 @@ SRC_URI = " > https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.gz > file://tinyproxy.service \ > file://tinyproxy.conf \ > file://run-ptest \ > + file://CVE-2026-3945-1.patch \ > + file://CVE-2026-3945-2.patch \ > " > > SRC_URI[sha256sum] = > "9bcf46db1a2375ff3e3d27a41982f1efec4706cce8899ff9f33323a8218f7592" > >
On 4/6/26 18:45, Khem Raj wrote: > > > On Mon, Apr 6, 2026 at 8:50 AM Gyorgy Sarvari via lists.openembedded.org > <http://lists.openembedded.org> > <skandigraun=gmail.com@lists.openembedded.org > <mailto:gmail.com@lists.openembedded.org>> wrote: > > Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3945 <https:// > nvd.nist.gov/vuln/detail/CVE-2026-3945> > > Backport the patches which are references by the NVD avisory. > > Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com > <mailto:skandigraun@gmail.com>> > --- > .../tinyproxy/tinyproxy/CVE-2026-3945-1.patch | 29 +++++++++++++++++ > .../tinyproxy/tinyproxy/CVE-2026-3945-2.patch | 31 +++++++++++++++++++ > .../tinyproxy/tinyproxy_1.11.3.bb <http://tinyproxy_1.11.3.bb> > | 2 ++ > 3 files changed, 62 insertions(+) > create mode 100644 meta-networking/recipes-support/tinyproxy/ > tinyproxy/CVE-2026-3945-1.patch > create mode 100644 meta-networking/recipes-support/tinyproxy/ > tinyproxy/CVE-2026-3945-2.patch > > diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy/ > CVE-2026-3945-1.patch b/meta-networking/recipes-support/tinyproxy/ > tinyproxy/CVE-2026-3945-1.patch > new file mode 100644 > index 0000000000..99c4ea705d > --- /dev/null > +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/ > CVE-2026-3945-1.patch 
> @@ -0,0 +1,29 @@ > +From 245946bb789c8fc0e4758c344f735a5d53827dce Mon Sep 17 00:00:00 2001 > +From: rofl0r <rofl0r@users.noreply.github.com > <mailto:rofl0r@users.noreply.github.com>> > +Date: Thu, 12 Mar 2026 14:26:24 +0000 > +Subject: [PATCH] reqs: check negative length values when reading > chunked data > + > +this could lead to a DoS when a legitimate client reads from an > +attacker-controlled web server. > + > +closes #597 > + > +CVE: CVE-2026-3945 > +Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/ > commit/969852ccdb1d19d7ed302f0e1d324661be641e0a <https://github.com/ > tinyproxy/tinyproxy/commit/969852ccdb1d19d7ed302f0e1d324661be641e0a>] > +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com > <mailto:skandigraun@gmail.com>> > +--- > + src/reqs.c | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/src/reqs.c b/src/reqs.c > +index a562c68..94ce767 100644 > +--- a/src/reqs.c > ++++ b/src/reqs.c > +@@ -613,6 +613,7 @@ static int pull_client_data_chunked (struct > conn_s *connptr) { > + } > + > + chunklen = strtol (buffer, (char**)0, 16); > ++ if (chunklen < 0) goto ERROR_EXIT; > + > + if (pull_client_data (connptr, chunklen+2, 0) < 0) > + goto ERROR_EXIT; > diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy/ > CVE-2026-3945-2.patch b/meta-networking/recipes-support/tinyproxy/ > tinyproxy/CVE-2026-3945-2.patch > new file mode 100644 > index 0000000000..3da30b54eb > --- /dev/null > +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/ > CVE-2026-3945-2.patch 
> @@ -0,0 +1,31 @@ > +From 8f12872b8e50fe22be0a65ead260ebbedde905cd Mon Sep 17 00:00:00 2001 > +From: rofl0r <rofl0r@users.noreply.github.com > <mailto:rofl0r@users.noreply.github.com>> > +Date: Sun, 29 Mar 2026 16:48:54 +0200 > +Subject: [PATCH] reqs: prevent potential int overflow when parsing > chunked > + data (#603) > + > +follow-up to 969852ccdb1d19d7ed302f0e1d324661be641e0a > + > +closes #602 > + > +CVE: CVE-2026-3945 > +Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/ > commit/bb7edc4778041b3bc8ad7fca448b67d98039cc7d <https://github.com/ > tinyproxy/tinyproxy/commit/bb7edc4778041b3bc8ad7fca448b67d98039cc7d>] > +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com > <mailto:skandigraun@gmail.com>> > +--- > + src/reqs.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/src/reqs.c b/src/reqs.c > +index 94ce767..7aacfd3 100644 > +--- a/src/reqs.c > ++++ b/src/reqs.c > +@@ -613,7 +613,8 @@ static int pull_client_data_chunked (struct > conn_s *connptr) { > + } > + > + chunklen = strtol (buffer, (char**)0, 16); > +- if (chunklen < 0) goto ERROR_EXIT; > ++ /* prevent negative or huge values causing overflow */ > ++ if (chunklen < 0 || chunklen > 0x0fffffff) goto > ERROR_EXIT; > + > + if (pull_client_data (connptr, chunklen+2, 0) < 0) > + goto ERROR_EXIT; > diff --git a/meta-networking/recipes-support/tinyproxy/ > tinyproxy_1.11.3.bb <http://tinyproxy_1.11.3.bb> b/meta-networking/ > recipes-support/tinyproxy/tinyproxy_1.11.3.bb <http:// > tinyproxy_1.11.3.bb> > index 745c55bc0d..56e3296066 100644 > --- a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb > <http://tinyproxy_1.11.3.bb> 
> +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb > > > We have 1.11.2 in master branch, we should do the upgrade to 1.11.3 > before applying this patch. Yeah, *somebody* forgot to submit it along with this patch, even though it was prepared... Sorry for that, it should be floating around the ML now.
diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-1.patch b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-1.patch new file mode 100644 index 0000000000..99c4ea705d --- /dev/null +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-1.patch @@ -0,0 +1,29 @@ +From 245946bb789c8fc0e4758c344f735a5d53827dce Mon Sep 17 00:00:00 2001 +From: rofl0r <rofl0r@users.noreply.github.com> +Date: Thu, 12 Mar 2026 14:26:24 +0000 +Subject: [PATCH] reqs: check negative length values when reading chunked data + +this could lead to a DoS when a legitimate client reads from an +attacker-controlled web server. + +closes #597 + +CVE: CVE-2026-3945 +Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/969852ccdb1d19d7ed302f0e1d324661be641e0a] +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> +--- + src/reqs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/reqs.c b/src/reqs.c +index a562c68..94ce767 100644 +--- a/src/reqs.c ++++ b/src/reqs.c +@@ -613,6 +613,7 @@ static int pull_client_data_chunked (struct conn_s *connptr) { + } + + chunklen = strtol (buffer, (char**)0, 16); ++ if (chunklen < 0) goto ERROR_EXIT; + + if (pull_client_data (connptr, chunklen+2, 0) < 0) + goto ERROR_EXIT; diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-2.patch b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-2.patch new file mode 100644 index 0000000000..3da30b54eb --- /dev/null +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-2.patch 
@@ -0,0 +1,31 @@ +From 8f12872b8e50fe22be0a65ead260ebbedde905cd Mon Sep 17 00:00:00 2001 +From: rofl0r <rofl0r@users.noreply.github.com> +Date: Sun, 29 Mar 2026 16:48:54 +0200 +Subject: [PATCH] reqs: prevent potential int overflow when parsing chunked + data (#603) + +follow-up to 969852ccdb1d19d7ed302f0e1d324661be641e0a + +closes #602 + +CVE: CVE-2026-3945 +Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/bb7edc4778041b3bc8ad7fca448b67d98039cc7d] +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> +--- + src/reqs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/reqs.c b/src/reqs.c +index 94ce767..7aacfd3 100644 +--- a/src/reqs.c ++++ b/src/reqs.c +@@ -613,7 +613,8 @@ static int pull_client_data_chunked (struct conn_s *connptr) { + } + + chunklen = strtol (buffer, (char**)0, 16); +- if (chunklen < 0) goto ERROR_EXIT; ++ /* prevent negative or huge values causing overflow */ ++ if (chunklen < 0 || chunklen > 0x0fffffff) goto ERROR_EXIT; + + if (pull_client_data (connptr, chunklen+2, 0) < 0) + goto ERROR_EXIT; diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb index 745c55bc0d..56e3296066 100644 --- a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.3.bb @@ -7,6 +7,8 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.gz file://tinyproxy.service \ file://tinyproxy.conf \ file://run-ptest \ + file://CVE-2026-3945-1.patch \ + file://CVE-2026-3945-2.patch \ " SRC_URI[sha256sum] = "9bcf46db1a2375ff3e3d27a41982f1efec4706cce8899ff9f33323a8218f7592"
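Review bot: in CVE-2026-3945-1.patch the `From 245946bb789c8fc0e4758c344f735a5d53827dce` header does not match the commit cited in `Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/969852ccdb1d19d7ed302f0e1d324661be641e0a]`; the second patch's own "follow-up to 969852ccdb1d19d7ed302f0e1d324661be641e0a" confirms 969852cc is the upstream id, so the From line is a local re-commit and the file would be cleaner regenerated with `git format-patch -1 969852cc` from the upstream tree. On the hunk itself, `if (chunklen < 0) goto ERROR_EXIT;` alone does not cover the other bad input: `strtol (buffer, (char**)0, 16)` clamps an over-long hex string to LONG_MAX with no errno check, which is non-negative, passes this test and still overflows in `chunklen+2`. That is exactly the gap the second patch closes, so the two must land together and the recipe should never ship with only this one.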
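Review bot: CVE-2026-3945-2.patch has the same header mismatch (`From 8f12872b8e50fe22be0a65ead260ebbedde905cd` versus `Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/bb7edc4778041b3bc8ad7fca448b67d98039cc7d]`), worth fixing for the same reason. On the hunk, `if (chunklen < 0 || chunklen > 0x0fffffff) goto ERROR_EXIT;` bounds the value, but the parse on the line above still passes `(char**)0` as the end pointer, so a chunk-size line with no hex digits at all parses as 0 and sails through both checks instead of being rejected as malformed; capturing the end pointer and failing when it equals `buffer` would close that. The bare `0x0fffffff` would also read better as a named constant with a one-line note on why that bound leaves enough headroom for `chunklen+2`.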
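Review bot: the SRC_URI hunk edits `tinyproxy_1.11.3.bb`, but as Khem Raj points out in the thread, master currently carries 1.11.2, so this change cannot apply on its own; the version bump needs to be posted ahead of it in the same series so that the `SRC_URI[sha256sum]` context line shown here actually exists in the tree when the two `file://CVE-2026-3945-*.patch` entries are added.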
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3945 Backport the patches which are referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../tinyproxy/tinyproxy/CVE-2026-3945-1.patch | 29 +++++++++++++++++ .../tinyproxy/tinyproxy/CVE-2026-3945-2.patch | 31 +++++++++++++++++++ .../tinyproxy/tinyproxy_1.11.3.bb | 2 ++ 3 files changed, 62 insertions(+) create mode 100644 meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-1.patch create mode 100644 meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2026-3945-2.patch
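The two upstream commit messages describe the input classes the fixes reject: a negative chunk size, and a hex value large enough that `chunklen+2` overflows. As an added example that is not tinyproxy's code, here is a stand-alone chunk-size line parser in C showing the pre-patch `strtol(buffer, NULL, 16)` behaviour beside a hardened version. The function names, the `CHUNK_MAX` constant (chosen to match the `0x0fffffff` cap in the second patch), the end-pointer and errno checks, and the sample lines are this example's own assumptions, not anything in the tinyproxy source.

```c
/* Added example, not tinyproxy's code: HTTP/1.1 chunk-size line parsing,
 * the unchecked form beside a hardened one. Function names, CHUNK_MAX and
 * the sample lines below are this example's own choices. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Same cap as the second patch (0x0fffffff): keeps chunklen + 2 (the
 * chunk's trailing CRLF) well inside the range of a long. */
#define CHUNK_MAX 0x0fffffffL

/* Before the fix: mirrors `chunklen = strtol (buffer, (char**)0, 16);`.
 * "-1" comes back negative, an over-long hex string is clamped to LONG_MAX
 * (errno never looked at), and non-hex garbage such as "zz" parses as 0. */
long chunk_size_unchecked(const char *line)
{
    return strtol(line, NULL, 16);
}

/* After: returns 0 with the size in *out, or -1 for anything malformed,
 * negative or larger than CHUNK_MAX. Tolerates the optional ";ext" chunk
 * extension and the trailing CR/LF that real chunk-size lines carry. */
int chunk_size_checked(const char *line, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(line, &end, 16);
    if (end == line)                /* no hex digits at all (e.g. "zz") */
        return -1;
    if (errno == ERANGE)            /* did not fit in a long: strtol clamped */
        return -1;
    if (v < 0 || v > CHUNK_MAX)     /* "-1", or big enough to overflow v + 2 */
        return -1;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return -1;                  /* trailing junk after the digits */
    *out = v;
    return 0;
}

/* Convenience wrapper: the accepted size, or -1 when the line is rejected. */
long chunk_size_or_minus1(const char *line)
{
    long v;
    return chunk_size_checked(line, &v) == 0 ? v : -1;
}

int main(void)
{
    /* Constructed sample chunk-size lines, including the two attack shapes
     * named in the commit messages: a negative size and an oversized one. */
    const char *samples[] = {
        "1a", "1a;name=val", "0", "-1", "ffffffffffffffffffff", "10000000", "zz"
    };
    size_t i;

    /* checked=-1 means the hardened parser rejected the line. */
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s unchecked=%ld checked=%ld\n", samples[i],
               chunk_size_unchecked(samples[i]),
               chunk_size_or_minus1(samples[i]));
    return 0;
}
```

Run it and compare the two columns: the unchecked parser hands `-1`, `LONG_MAX` and `0` onward for the last four lines, which is what the original `pull_client_data (connptr, chunklen+2, 0)` call would then have consumed; the checked parser refuses all of them and only accepts the well-formed sizes.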