[rpms/tinyproxy] rawhide: Backport upstream CVE fixes

public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed

* [rpms/tinyproxy] rawhide: Backport upstream CVE fixes
@ 2026-06-18 21:32 Carl George
  0 siblings, 0 replies; only message in thread
From: Carl George @ 2026-06-18 21:32 UTC (permalink / raw)
  To: git-commits

            A new commit has been pushed.

            Repo   : rpms/tinyproxy
            Branch : rawhide
            Commit : c672b8adfa1d7cfb04d14056c6f738ae28287c8a
            Author : Carl George <carlwgeorge@gmail.com>
            Date   : 2026-06-18T15:49:44-05:00
            Stats  : +68/-0 in 3 file(s)
            URL    : https://src.fedoraproject.org/rpms/tinyproxy/c/c672b8adfa1d7cfb04d14056c6f738ae28287c8a?branch=rawhide

            Log:
            Backport upstream CVE fixes

- Fixes CVE-2026-54387
- Fixes CVE-2026-54388

---
diff --git a/0003-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch b/0003-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
new file mode 100644
index 0000000..ee52e18
--- /dev/null
+++ b/0003-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
@@ -0,0 +1,33 @@
+From 11a1611c6b29400c1ddcc7c7e96767c7ed0a4921 Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Thu, 7 May 2026 16:33:11 +0000
+Subject: [PATCH] reqs: prevent request smuggling via both content-length and
+ chunked
+
+addressing point 1 of #609
+fixes CVE-2026-54387
+
+(cherry picked from commit 623bfc093df009296f0b85d40bc677ef9d5c09bb)
+---
+ src/reqs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index 8b68538..e3cfe76 100644
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -942,8 +942,13 @@ process_client_headers (struct conn_s *connptr, pseudomap *hashofheaders)
+         connptr->content_length.client = get_content_length (hashofheaders);
+ 
+         /* Check whether client sends chunked data. */
+-        if (connptr->content_length.client == -1 && is_chunked_transfer (hashofheaders))
++        if (is_chunked_transfer (hashofheaders)) {
++                if (connptr->content_length.client != -1)
++                        /* request smuggling, see GH issue #609 */
++                        pseudomap_remove (hashofheaders, "content-length");
++
+                 connptr->content_length.client = -2;
++        }
+ 
+         /*
+          * See if there is a "Connection" header.  If so, we need to do a bit

diff --git a/0004-reqs-prevent-multiple-content-lengths-getting-emitted.patch b/0004-reqs-prevent-multiple-content-lengths-getting-emitted.patch
new file mode 100644
index 0000000..cca9a2a
--- /dev/null
+++ b/0004-reqs-prevent-multiple-content-lengths-getting-emitted.patch
@@ -0,0 +1,29 @@
+From 954ab2a8bc7961f3c3030155d7068a11eacd9d8d Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Thu, 7 May 2026 16:39:48 +0000
+Subject: [PATCH] reqs: prevent multiple content-lengths getting emitted
+
+addressing point 2 of #609
+fixes CVE-2026-54388
+
+(cherry picked from commit 364cdb67e0ea00a8e4a7037e2693e0711e816adb)
+---
+ src/reqs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index e3cfe76..0c4d791 100644
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -668,6 +668,11 @@ add_header_to_connection (pseudomap *hashofheaders, char *header, size_t len)
+         /* Calculate the new length of just the data */
+         len -= sep - header - 1;
+ 
++        /* prevent multiple content-length headers from being inserted */
++        if (!strcasecmp(header, "content-length") &&
++            pseudomap_find (hashofheaders, "content-length"))
++                return 0;
++
+         return pseudomap_append (hashofheaders, header, sep);
+ }
+ 

diff --git a/tinyproxy.spec b/tinyproxy.spec
index de616ce..baba076 100644
--- a/tinyproxy.spec
+++ b/tinyproxy.spec
@@ -15,6 +15,12 @@ Patch:          0001-reqs-check-negative-length-values-and-prevent-potential-int
 # CVE-2026-31842
 # https://github.com/tinyproxy/tinyproxy/commit/879bf844abffa0bf5fae6aff0c73179024dd9f98
 Patch:          0002-reqs-fix-case-sensitive-matching-of-chunked-605.patch
+# CVE-2026-54387
+# https://github.com/tinyproxy/tinyproxy/commit/623bfc093df009296f0b85d40bc677ef9d5c09bb
+Patch:          0003-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
+# CVE-2026-54388
+# https://github.com/tinyproxy/tinyproxy/commit/364cdb67e0ea00a8e4a7037e2693e0711e816adb
+Patch:          0004-reqs-prevent-multiple-content-lengths-getting-emitted.patch
 
 BuildRequires:  make
 BuildRequires:  gcc

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2026-06-18 21:32 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-18 21:32 [rpms/tinyproxy] rawhide: Backport upstream CVE fixes Carl George

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox