[rpms/tinyproxy] rawhide: Backport upstream CVE fixes

public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed

From: Carl George <carlwgeorge@gmail.com>
To: git-commits@fedoraproject.org
Subject: [rpms/tinyproxy] rawhide: Backport upstream CVE fixes
Date: Thu, 18 Jun 2026 21:32:24 GMT	[thread overview]
Message-ID: <178181834413.1.14857620099189119669.rpms-tinyproxy-c672b8adfa1d@fedoraproject.org> (raw)

            A new commit has been pushed.

            Repo   : rpms/tinyproxy
            Branch : rawhide
            Commit : c672b8adfa1d7cfb04d14056c6f738ae28287c8a
            Author : Carl George <carlwgeorge@gmail.com>
            Date   : 2026-06-18T15:49:44-05:00
            Stats  : +68/-0 in 3 file(s)
            URL    : https://src.fedoraproject.org/rpms/tinyproxy/c/c672b8adfa1d7cfb04d14056c6f738ae28287c8a?branch=rawhide

            Log:
            Backport upstream CVE fixes

- Fixes CVE-2026-54387
- Fixes CVE-2026-54388

---
diff --git a/0003-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch b/0003-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
new file mode 100644
index 0000000..ee52e18
--- /dev/null
+++ b/0003-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
@@ -0,0 +1,33 @@
+From 11a1611c6b29400c1ddcc7c7e96767c7ed0a4921 Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Thu, 7 May 2026 16:33:11 +0000
+Subject: [PATCH] reqs: prevent request smuggling via both content-length and
+ chunked
+
+addressing point 1 of #609
+fixes CVE-2026-54387
+
+(cherry picked from commit 623bfc093df009296f0b85d40bc677ef9d5c09bb)
+---
+ src/reqs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index 8b68538..e3cfe76 100644
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -942,8 +942,13 @@ process_client_headers (struct conn_s *connptr, pseudomap *hashofheaders)
+         connptr->content_length.client = get_content_length (hashofheaders);
+ 
+         /* Check whether client sends chunked data. */
+-        if (connptr->content_length.client == -1 && is_chunked_transfer (hashofheaders))
++        if (is_chunked_transfer (hashofheaders)) {
++                if (connptr->content_length.client != -1)
++                        /* request smuggling, see GH issue #609 */
++                        pseudomap_remove (hashofheaders, "content-length");
++
+                 connptr->content_length.client = -2;
++        }
+ 
+         /*
+          * See if there is a "Connection" header.  If so, we need to do a bit

diff --git a/0004-reqs-prevent-multiple-content-lengths-getting-emitted.patch b/0004-reqs-prevent-multiple-content-lengths-getting-emitted.patch
new file mode 100644
index 0000000..cca9a2a
--- /dev/null
+++ b/0004-reqs-prevent-multiple-content-lengths-getting-emitted.patch
@@ -0,0 +1,29 @@
+From 954ab2a8bc7961f3c3030155d7068a11eacd9d8d Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Thu, 7 May 2026 16:39:48 +0000
+Subject: [PATCH] reqs: prevent multiple content-lengths getting emitted
+
+addressing point 2 of #609
+fixes CVE-2026-54388
+
+(cherry picked from commit 364cdb67e0ea00a8e4a7037e2693e0711e816adb)
+---
+ src/reqs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index e3cfe76..0c4d791 100644
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -668,6 +668,11 @@ add_header_to_connection (pseudomap *hashofheaders, char *header, size_t len)
+         /* Calculate the new length of just the data */
+         len -= sep - header - 1;
+ 
++        /* prevent multiple content-length headers from being inserted */
++        if (!strcasecmp(header, "content-length") &&
++            pseudomap_find (hashofheaders, "content-length"))
++                return 0;
++
+         return pseudomap_append (hashofheaders, header, sep);
+ }
+ 

diff --git a/tinyproxy.spec b/tinyproxy.spec
index de616ce..baba076 100644
--- a/tinyproxy.spec
+++ b/tinyproxy.spec
@@ -15,6 +15,12 @@ Patch:          0001-reqs-check-negative-length-values-and-prevent-potential-int
 # CVE-2026-31842
 # https://github.com/tinyproxy/tinyproxy/commit/879bf844abffa0bf5fae6aff0c73179024dd9f98
 Patch:          0002-reqs-fix-case-sensitive-matching-of-chunked-605.patch
+# CVE-2026-54387
+# https://github.com/tinyproxy/tinyproxy/commit/623bfc093df009296f0b85d40bc677ef9d5c09bb
+Patch:          0003-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
+# CVE-2026-54388
+# https://github.com/tinyproxy/tinyproxy/commit/364cdb67e0ea00a8e4a7037e2693e0711e816adb
+Patch:          0004-reqs-prevent-multiple-content-lengths-getting-emitted.patch
 
 BuildRequires:  make
 BuildRequires:  gcc

                 reply	other threads:[~2026-06-18 21:32 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=178181834413.1.14857620099189119669.rpms-tinyproxy-c672b8adfa1d@fedoraproject.org \
    --to=carlwgeorge@gmail.com \
    --cc=git-commits@fedoraproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox