Hi Thijs and Jordi On Sun, Aug 19, 2012 at 01:23:38PM +0200, Jordi Mallach wrote: > On Sun, Aug 19, 2012 at 11:42:57AM +0200, Thijs Kinkhorst wrote: > > A Denial of Service attack has been reported against tinyproxy: > > https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985 > > https://banu.com/bugzilla/show_bug.cgi?id=110#c2 > > > > Can you please see to it that this gets addressed in unstable > > (and by extension wheezy)? > > > > Please use CVE-2012-3505 to refer to this issue. > > Will try to get something done ASAP. > > Should I do something about stable too? The codebase should be really > similar.
I looked at the current prepared version for unstable in the tinyproxy subversion repository; attached is the debdiff against the current version in unstable. Are you fine with me uploading this as it is to unstable? @SecurityTeam: I'm not the maintainer of the package, but tinyproxy appeared on the radar for RC bugs for wheezy, so I noticed this one. Regards, Salvatore
diff -Nru tinyproxy-1.8.3/debian/changelog tinyproxy-1.8.3/debian/changelog
--- tinyproxy-1.8.3/debian/changelog 2012-01-23 12:10:36.000000000 +0100
+++ tinyproxy-1.8.3/debian/changelog 2012-09-29 13:49:33.000000000 +0200
@@ -1,3 +1,15 @@
+tinyproxy (1.8.3-3) unstable; urgency=high
+
+ * Add patches for CVE-2012-3505 (closes: #685281):
+ - CVE-2012-3505-tinyproxy-limit-headers.patch: Limit the number of
+ headers to prevent DoS attacks.
+ - CVE-2012-3505-tinyproxy-randomized-hashmaps.patch: Randomize hashmaps
+ in order to avoid fake headers getting included in the same bucket,
+ allowing for DoS attacks.
+ Bug reported and patches contributed by gpernot.
+
+ -- Jordi Mallach <jo...@debian.org> Mon, 24 Sep 2012 21:05:41 +0200
+
 tinyproxy (1.8.3-2) unstable; urgency=low
 
 * Update Homepage again: webpage is served over https.
@@ -5,7 +17,7 @@
 LDFLAGS. Enable dh_autoreconf support.
 * Switch to debhelper v9 to take advantage of automatic dpkg-buildflags
 setting and enable hardened build flags (closes: #655870).
- * Bump Build-Deps to debhelper (>= 8.9.4)
+ * Bump Build-Deps to debhelper (>= 8.9.4).
 
 -- Jordi Mallach <jo...@debian.org> Mon, 23 Jan 2012 12:10:34 +0100
 
diff -Nru tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch
--- tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch 1970-01-01 01:00:00.000000000 +0100
+++ tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch 2012-09-29 13:49:33.000000000 +0200
@@ -0,0 +1,101 @@
+--- a/src/child.c
++++ a/src/child.c
+@@ -20,6 +20,9 @@
+ * processing incoming connections.
+ */
+
++#include <stdlib.h>
++#include <time.h>
++
+ #include "main.h"
+
+ #include "child.h"
+@@ -196,6 +200,7 @@ static void child_main (struct child_s *ptr)
+ }
+
+ ptr->connects = 0;
++ srand(time(NULL));
+
+ while (!config.quit) {
+ ptr->status = T_WAITING;
+--- a/src/hashmap.c
++++ a/src/hashmap.c
+@@ -25,6 +25,8 @@
+ * don't try to free the data, or realloc the memory. :)
+ */
+
++#include <stdlib.h>
++
+ #include "main.h"
+
+ #include "hashmap.h"
+@@ -50,6 +52,7 @@ struct hashbucket_s {
+ };
+
+ struct hashmap_s {
++ uint32_t seed;
+ unsigned int size;
+ hashmap_iter end_iterator;
+
+@@ -65,7 +68,7 @@ struct hashmap_s {
+ *
+ * If any of the arguments are invalid a negative number is returned.
+ */
+-static int hashfunc (const char *key, unsigned int size)
++static int hashfunc (const char *key, unsigned int size, uint32_t seed)
+ {
+ uint32_t hash;
+
+@@ -74,7 +77,7 @@ static int hashfunc (const char *key, unsigned int size)
+ if (size == 0)
+ return -ERANGE;
+
+- for (hash = tolower (*key++); *key != '\0'; key++) {
++ for (hash = seed; *key != '\0'; key++) {
+ uint32_t bit = (hash & 1) ? (1 << (sizeof (uint32_t) - 1)) : 0;
+
+ hash >>= 1;
+@@ -104,6 +107,7 @@ hashmap_t hashmap_create (unsigned int nbuckets)
+ if (!ptr)
+ return NULL;
+
++ ptr->seed = (uint32_t)rand();
+ ptr->size = nbuckets;
+ ptr->buckets = (struct hashbucket_s *) safecalloc (nbuckets,
+ sizeof (struct
+@@ -201,7 +205,7 @@ hashmap_insert (hashmap_t map, const char *key, const void *data, size_t len)
+ if (!data || len < 1)
+ return -ERANGE;
+
+- hash = hashfunc (key, map->size);
++ hash = hashfunc (key, map->size, map->seed);
+ if (hash < 0)
+ return hash;
+
+@@ -382,7 +386,7 @@ ssize_t hashmap_search (hashmap_t map, const char *key)
+ if (map == NULL || key == NULL)
+ return -EINVAL;
+
+- hash = hashfunc (key, map->size);
++ hash = hashfunc (key, map->size, map->seed);
+ if (hash < 0)
+ return hash;
+
+@@ -416,7 +420,7 @@ ssize_t hashmap_entry_by_key (hashmap_t map, const char *key, void **data)
+ if (!map || !key || !data)
+ return -EINVAL;
+
+- hash = hashfunc (key, map->size);
++ hash = hashfunc (key, map->size, map->seed);
+ if (hash < 0)
+ return hash;
+
+@@ -451,7 +455,7 @@ ssize_t hashmap_remove (hashmap_t map, const char *key)
+ if (map == NULL || key == NULL)
+ return -EINVAL;
+
+- hash = hashfunc (key, map->size);
++ hash = hashfunc (key, map->size, map->seed);
+ if (hash < 0)
+ return hash;
+
diff -Nru tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tinyproxy-limit-headers.patch tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tinyproxy-limit-headers.patch
--- tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tinyproxy-limit-headers.patch 1970-01-01 01:00:00.000000000 +0100
+++ tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tinyproxy-limit-headers.patch 2012-09-29 13:49:33.000000000 +0200
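Review bot: The seed source in the child.c hunk, `srand(time(NULL))` in child_main paired with `ptr->seed = (uint32_t)rand();` in hashmap_create, gives each per-map seed only about one second of entropy plus the position in a libc rand() stream, so children forked within the same second share the sequence and the seed remains guessable by anyone who can estimate when the child started; the bucket-collision problem is made harder, not removed. A defender-side fix reads the seed from the kernel CSPRNG and keeps time(NULL) only as a fallback, with the weakness documented at the call site; that needs `<fcntl.h>` and `<unistd.h>` added next to the new `<time.h>` include, which the hunk already touches. How often hashmap_create runs (per process or per request) is outside the hunk, so the seed's lifetime is inferred. Separately, the new patch file and the series entry are named `CVE-2012-3505-tiniproxy-randomized-hashmaps.patch` while the changelog entry names it `CVE-2012-3505-tinyproxy-randomized-hashmaps.patch`; the spelling should agree before upload.
```c
static void child_main (struct child_s *ptr)
/* … unchanged: child_main prologue … */
        ptr->connects = 0;
        /* Seed from the kernel CSPRNG; time(NULL) ^ pid is only a fallback,
         * because a one-second-resolution seed is guessable. */
        unsigned int seed = (unsigned int) time (NULL) ^ (unsigned int) getpid ();
        int rfd = open ("/dev/urandom", O_RDONLY);
        if (rfd >= 0) {
                unsigned int tmp;
                if (read (rfd, &tmp, sizeof tmp) == (ssize_t) sizeof tmp)
                        seed = tmp;
                close (rfd);
        }
        srand (seed);
/* … unchanged: accept loop … */
```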
@@ -0,0 +1,44 @@
+--- a/src/reqs.c
++++ a/src/reqs.c
+@@ -641,6 +641,11 @@ add_header_to_connection (hashmap_t hashofheaders, char *header, size_t len)
+ return hashmap_insert (hashofheaders, header, sep, len);
+ }
+
++/* define max number of headers. big enough to handle legitimate cases,
++ * but limited to avoid DoS
++ */
++#define MAX_HEADERS 10000
++
+ /*
+ * Read all the headers from the stream
+ */
+@@ -648,6 +653,7 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
+ {
+ char *line = NULL;
+ char *header = NULL;
++ int count;
+ char *tmp;
+ ssize_t linelen;
+ ssize_t len = 0;
+@@ -656,7 +662,7 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
+ assert (fd >= 0);
+ assert (hashofheaders != NULL);
+
+- for (;;) {
++ for (count = 0; count < MAX_HEADERS; count++) {
+ if ((linelen = readline (fd, &line)) <= 0) {
+ safefree (header);
+ safefree (line);
+@@ -722,6 +728,12 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
+
+ safefree (line);
+ }
++
++ /* if we get there, this is we reached MAX_HEADERS count.
++ bail out with error */
++ safefree (header);
++ safefree (line);
++ return -1;
+ }
+
+ /*
diff -Nru tinyproxy-1.8.3/debian/patches/series tinyproxy-1.8.3/debian/patches/series
--- tinyproxy-1.8.3/debian/patches/series 2012-01-23 12:09:02.000000000 +0100
+++ tinyproxy-1.8.3/debian/patches/series 2012-09-29 13:49:33.000000000 +0200
@@ -1,2 +1,4 @@
 # Series of quilt patches.
 prepend_ldflags.patch
+CVE-2012-3505-tiniproxy-randomized-hashmaps.patch
+CVE-2012-3505-tinyproxy-limit-headers.patch
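Review bot: The cap in get_all_headers rejects a request only after up to MAX_HEADERS lines have been read and inserted, so a request whose header names all land in one bucket still costs up to 10000 insertions, each a walk of that bucket, before -1 is returned; the limit bounds the worst case rather than removing it, and the MAX_HEADERS comment should say that it relies on the seeded hashmap for the rest, e.g. `/* Upper bound on header lines per request; together with the seeded hashmap this keeps worst-case insertion cost bounded. */`. The trailing `safefree (line);` after the loop is a double free on the limit path unless safefree resets the pointer to NULL after the free at the end of each iteration, which is not visible in the hunk; that property is worth confirming in heap.h before upload. The new comment at the return reads awkwardly; `/* MAX_HEADERS lines read without reaching the end of the headers: bail out with an error. */` states the same thing. How the caller treats the -1 return (a 4xx reply versus a dropped connection) is outside the hunk.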