diff -Nru tinyproxy-1.8.3/debian/changelog tinyproxy-1.8.3/debian/changelog
--- tinyproxy-1.8.3/debian/changelog 2012-01-02 20:55:48.000000000 +0700
+++ tinyproxy-1.8.3/debian/changelog 2013-03-13 16:48:22.000000000 +0700
@@ -1,3 +1,14 @@
+tinyproxy (1.8.3-1ubuntu0.1) precise-security; urgency=low
+
+ * SECURITY UPDATE: Fix for denial of service vulnerability where remote
+ attackers send crafted request headers. (LP: #1154502)
+ - debian/patches/001-CVE-2012-3505.patch: Limit the number of headers to
+ prevent DoS attacks. Randomize hashmaps in order to avoid fake headers
+ getting included in the same bucket, allowing for DoS attacks.
+ - CVE-2012-3505
+
+ -- Christian Kuersteiner Wed, 13 Mar 2013 16:42:14 +0700
+
 tinyproxy (1.8.3-1) unstable; urgency=low
 
 * New upstream release.
diff -Nru tinyproxy-1.8.3/debian/control tinyproxy-1.8.3/debian/control
--- tinyproxy-1.8.3/debian/control 2012-01-02 20:34:46.000000000 +0700
+++ tinyproxy-1.8.3/debian/control 2013-03-13 16:49:12.000000000 +0700
@@ -1,7 +1,8 @@
 Source: tinyproxy
 Section: web
 Priority: optional
-Maintainer: Ed Boraas
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Ed Boraas
 Uploaders: Jordi Mallach
 Standards-Version: 3.9.2
 Build-Depends: debhelper (>= 8),
diff -Nru tinyproxy-1.8.3/debian/patches/001-CVE-2012-3505.patch tinyproxy-1.8.3/debian/patches/001-CVE-2012-3505.patch
--- tinyproxy-1.8.3/debian/patches/001-CVE-2012-3505.patch 1970-01-01 07:00:00.000000000 +0700
+++ tinyproxy-1.8.3/debian/patches/001-CVE-2012-3505.patch 2013-03-13 17:08:52.000000000 +0700
@@ -0,0 +1,153 @@
+Description: Limit the number of headers to prevent DoS attacks, randomize
+hashmaps in order to avoid fake headers getting included in the same bucket
+allowing for DoS attacks.
+origin: backport, https://banu.com/bugzilla/attachment.cgi?id=59,
+https://banu.com/bugzilla/attachment.cgi?id=60
+Author: ckuerste@gmx.ch
+Bug: https://banu.com/bugzilla/show_bug.cgi?id=110#c2
+Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1154502
+--- a/src/child.c
++++ b/src/child.c
+@@ -20,6 +20,9 @@
+ * processing incoming connections.
+ */
+
++#include
++#include
++
+ #include "main.h"
+
+ #include "child.h"
+@@ -196,6 +199,7 @@
+ }
+
+ ptr->connects = 0;
++ srand(time(NULL));
+
+ while (!config.quit) {
+ ptr->status = T_WAITING;
+--- a/src/hashmap.c
++++ b/src/hashmap.c
+@@ -25,6 +25,8 @@
+ * don't try to free the data, or realloc the memory. :)
+ */
+
++#include
++
+ #include "main.h"
+
+ #include "hashmap.h"
+@@ -50,6 +52,7 @@
+ };
+
+ struct hashmap_s {
++ uint32_t seed;
+ unsigned int size;
+ hashmap_iter end_iterator;
+
+@@ -65,7 +68,7 @@
+ *
+ * If any of the arguments are invalid a negative number is returned.
+ */
+-static int hashfunc (const char *key, unsigned int size)
++static int hashfunc (const char *key, unsigned int size, uint32_t seed)
+ {
+ uint32_t hash;
+
+@@ -74,7 +77,7 @@
+ if (size == 0)
+ return -ERANGE;
+
+- for (hash = tolower (*key++); *key != '\0'; key++) {
++ for (hash = seed; *key != '\0'; key++) {
+ uint32_t bit = (hash & 1) ? (1 << (sizeof (uint32_t) - 1)) : 0;
+
+ hash >>= 1;
+@@ -104,6 +107,7 @@
+ if (!ptr)
+ return NULL;
+
++ ptr->seed = (uint32_t)rand();
+ ptr->size = nbuckets;
+ ptr->buckets = (struct hashbucket_s *) safecalloc (nbuckets,
+ sizeof (struct
+@@ -201,7 +205,7 @@
+ if (!data || len < 1)
+ return -ERANGE;
+
+- hash = hashfunc (key, map->size);
++ hash = hashfunc (key, map->size, map->seed);
+ if (hash < 0)
+ return hash;
+
+@@ -382,7 +386,7 @@
+ if (map == NULL || key == NULL)
+ return -EINVAL;
+
+- hash = hashfunc (key, map->size);
++ hash = hashfunc (key, map->size, map->seed);
+ if (hash < 0)
+ return hash;
+
+@@ -416,7 +420,7 @@
+ if (!map || !key || !data)
+ return -EINVAL;
+
+- hash = hashfunc (key, map->size);
++ hash = hashfunc (key, map->size, map->seed);
+ if (hash < 0)
+ return hash;
+
+@@ -451,7 +455,7 @@
+ if (map == NULL || key == NULL)
+ return -EINVAL;
+
+- hash = hashfunc (key, map->size);
++ hash = hashfunc (key, map->size, map->seed);
+ if (hash < 0)
+ return hash;
+
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -611,12 +611,19 @@
+ }
+
+ /*
++ * define max numbers of headers. big enough to handle legitimate cases,
++ * but limited to avoid DoS
++ */
++#define MAX_HEADERS 10000
++
++/*
+ * Read all the headers from the stream
+ */
+ static int get_all_headers (int fd, hashmap_t hashofheaders)
+ {
+ char *line = NULL;
+ char *header = NULL;
++ int count;
+ char *tmp;
+ ssize_t linelen;
+ ssize_t len = 0;
+@@ -625,7 +632,7 @@
+ assert (fd >= 0);
+ assert (hashofheaders != NULL);
+
+- for (;;) {
++ for (count = 0; count < MAX_HEADERS; count++) {
+ if ((linelen = readline (fd, &line)) <= 0) {
+ safefree (header);
+ safefree (line);
+@@ -691,6 +698,12 @@
+
+ safefree (line);
+ }
++
++ /* if we get there, this is we reached MAX_HEADERS count.
++ bail out with error */
++ safefree (header);
++ safefree (line);
++ return -1;
+ }
+
+ /*
diff -Nru tinyproxy-1.8.3/debian/patches/series tinyproxy-1.8.3/debian/patches/series
--- tinyproxy-1.8.3/debian/patches/series 2012-01-02 20:25:19.000000000 +0700
+++ tinyproxy-1.8.3/debian/patches/series 2013-03-13 15:49:21.000000000 +0700
@@ -1 +1,2 @@
 # Series of quilt patches.
+001-CVE-2012-3505.patch
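Review bot: `srand(time(NULL))` in the child.c hunk seeds the generator that `hashmap_create` later draws `ptr->seed = (uint32_t)rand();` from with a one-second-granularity value, so every child started in the same second gets the same bucket layout and the seed is easy to narrow down from when the process started; mixing in the process id or reading the seed from `/dev/urandom` where available would make the per-process hash layout genuinely unpredictable, e.g. `srand((unsigned)time(NULL) ^ (unsigned)getpid());`. Any hashmap created before the child loop reaches that `srand` call (the enclosing function starts outside the hunk) still takes its seed from the unseeded default `rand()` stream, which is worth confirming does not apply to any map holding client-supplied keys. In reqs.c the new bail-out path frees `header` and `line` and returns -1 like the existing early exits, but `#define MAX_HEADERS 10000` deserves a one-line rationale for the figure, e.g. `/* far above any legitimate header count; caps per-request hashmap work (CVE-2012-3505) */`; `get_all_headers` spans three hunks, so its middle is not visible here. The `#include` lines added in child.c and hashmap.c show no header name in this rendering, presumably angle-bracketed standard headers lost to markup stripping, so the applied patch should be checked against the original file.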