public inbox for git-commits@fedoraproject.org
From: Carl George <carlwgeorge@gmail.com>
To: git-commits@fedoraproject.org
Subject: [rpms/tinyproxy] f44: Backport upstream CVE fixes
Date: Thu, 18 Jun 2026 21:32:32 GMT
Message-ID: <178181835295.1.1358145075402426626.rpms-tinyproxy-13ff057cb3f8@fedoraproject.org>
A new commit has been pushed.
Repo : rpms/tinyproxy
Branch : f44
Commit : 13ff057cb3f8e5c72b415e42ef1350ff48baaf8d
Author : Carl George <carlwgeorge@gmail.com>
Date : 2026-06-18T15:51:12-05:00
Stats : +74/-1 in 3 file(s)
URL : https://src.fedoraproject.org/rpms/tinyproxy/c/13ff057cb3f8e5c72b415e42ef1350ff48baaf8d?branch=f44
Log:
Backport upstream CVE fixes
- Fixes CVE-2026-54387
- Fixes CVE-2026-54388
---
diff --git a/0004-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch b/0004-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
new file mode 100644
index 0000000..f39cc54
--- /dev/null
+++ b/0004-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
@@ -0,0 +1,33 @@
+From 0b56663461181937edd09c2a26dc5c6a83a5c2f1 Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Thu, 7 May 2026 16:33:11 +0000
+Subject: [PATCH] reqs: prevent request smuggling via both content-length and
+ chunked
+
+addressing point 1 of #609
+fixes CVE-2026-54387
+
+(cherry picked from commit 623bfc093df009296f0b85d40bc677ef9d5c09bb)
+---
+ src/reqs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index 6d2e94d..2704042 100644
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -948,8 +948,13 @@ process_client_headers (struct conn_s *connptr, orderedmap hashofheaders)
+ connptr->content_length.client = get_content_length (hashofheaders);
+
+ /* Check whether client sends chunked data. */
+- if (connptr->content_length.client == -1 && is_chunked_transfer (hashofheaders))
++ if (is_chunked_transfer (hashofheaders)) {
++ if (connptr->content_length.client != -1)
++ /* request smuggling, see GH issue #609 */
++ orderedmap_remove (hashofheaders, "content-length");
++
+ connptr->content_length.client = -2;
++ }
+
+ /*
+ * See if there is a "Connection" header. If so, we need to do a bit
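Review bot: the removal at `orderedmap_remove (hashofheaders, "content-length")` uses a fixed lowercase key, so it only closes the gap if header names are normalised to lowercase when inserted into hashofheaders (or if orderedmap lookups are case-insensitive); given that the preceding backport 0003 had to fix case-sensitive matching of `chunked`, please confirm which of those holds, otherwise a Content-Length header stored with its original case would still be forwarded next to Transfer-Encoding: chunked. Dropping Content-Length when Transfer-Encoding is present is the behaviour RFC 7230 section 3.3.3 requires of an intermediary, and a comment citing that section next to the `/* request smuggling, see GH issue #609 */` line would make the intent clearer than the issue reference alone.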
diff --git a/0005-reqs-prevent-multiple-content-lengths-getting-emitted.patch b/0005-reqs-prevent-multiple-content-lengths-getting-emitted.patch
new file mode 100644
index 0000000..fb07b1b
--- /dev/null
+++ b/0005-reqs-prevent-multiple-content-lengths-getting-emitted.patch
@@ -0,0 +1,29 @@
+From 6f4faeeaf88c6d5cd1f999f1ddb009322ec118b3 Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Thu, 7 May 2026 16:39:48 +0000
+Subject: [PATCH] reqs: prevent multiple content-lengths getting emitted
+
+addressing point 2 of #609
+fixes CVE-2026-54388
+
+(cherry picked from commit 364cdb67e0ea00a8e4a7037e2693e0711e816adb)
+---
+ src/reqs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index 2704042..9c57895 100644
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -668,6 +668,11 @@ add_header_to_connection (orderedmap hashofheaders, char *header, size_t len)
+ /* Calculate the new length of just the data */
+ len -= sep - header - 1;
+
++ /* prevent multiple content-length headers from being inserted */
++ if (!strcasecmp(header, "content-length") &&
++ orderedmap_find (hashofheaders, "content-length"))
++ return 0;
++
+ return orderedmap_append (hashofheaders, header, sep);
+ }
+
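Review bot: the new check keeps the first Content-Length and silently discards any later one, and `return 0` reports that to the caller as success; RFC 7230 section 3.3.3 instead says a message with multiple differing Content-Length values should be rejected (400 Bad Request), so consider rejecting when the duplicate value differs, or at minimum logging the dropped header, so the proxy never forwards a request it has quietly reinterpreted. The same case question as in patch 0004 applies here: `strcasecmp(header, "content-length")` is case-insensitive, but `orderedmap_find (hashofheaders, "content-length")` looks up a fixed-case key, so this only works if stored keys are lowercased.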
diff --git a/tinyproxy.spec b/tinyproxy.spec
index 9cfac95..f38d107 100644
--- a/tinyproxy.spec
+++ b/tinyproxy.spec
@@ -6,7 +6,7 @@
Name: tinyproxy
Version: 1.11.2
-Release: 7%{?dist}
+Release: 8%{?dist}
Summary: A small, efficient HTTP/SSL proxy daemon
License: GPL-2.0-or-later
URL: https://tinyproxy.github.io/
@@ -22,6 +22,12 @@ Patch1: 0002-reqs-check-negative-length-values-and-prevent-potential-int
# CVE-2026-31842
# https://github.com/tinyproxy/tinyproxy/commit/879bf844abffa0bf5fae6aff0c73179024dd9f98
Patch2: 0003-reqs-fix-case-sensitive-matching-of-chunked-605.patch
+# CVE-2026-54387
+# https://github.com/tinyproxy/tinyproxy/commit/623bfc093df009296f0b85d40bc677ef9d5c09bb
+Patch3: 0004-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
+# CVE-2026-54388
+# https://github.com/tinyproxy/tinyproxy/commit/364cdb67e0ea00a8e4a7037e2693e0711e816adb
+Patch4: 0005-reqs-prevent-multiple-content-lengths-getting-emitted.patch
BuildRequires: make
BuildRequires: gcc
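Review bot: Patch3 and Patch4 are declared here, but the diff does not show the %prep section; if the spec applies patches with explicit %patch lines rather than %autosetup, matching lines are needed or the new patches are silently ignored at build time, so please confirm the build log shows both patches being applied. The CVE and upstream-commit comments above each Patch line follow the existing convention, which is good.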
@@ -93,6 +99,11 @@ exit 0
%changelog
+* Thu Jun 18 2026 Carl George <carlwgeorge@gmail.com> - 1.11.2-8
+- Backport upstream CVE fixes
+- Fixes CVE-2026-54387
+- Fixes CVE-2026-54388
+
* Sat Apr 11 2026 Carl George <carlwgeorge@fedoraproject.org> - 1.11.2-7
- Backport upstream CVE fixes
- Fixes CVE-2026-3945