[rpms/tinyproxy] epel8: Backport upstream CVE fixes

public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed

* [rpms/tinyproxy] epel8: Backport upstream CVE fixes
@ 2026-06-18 21:54 Carl George
  0 siblings, 0 replies; only message in thread
From: Carl George @ 2026-06-18 21:54 UTC (permalink / raw)
  To: git-commits

            A new commit has been pushed.

            Repo   : rpms/tinyproxy
            Branch : epel8
            Commit : 13ff057cb3f8e5c72b415e42ef1350ff48baaf8d
            Author : Carl George <carlwgeorge@gmail.com>
            Date   : 2026-06-18T15:51:12-05:00
            Stats  : +74/-1 in 3 file(s)
            URL    : https://src.fedoraproject.org/rpms/tinyproxy/c/13ff057cb3f8e5c72b415e42ef1350ff48baaf8d?branch=epel8

            Log:
            Backport upstream CVE fixes

- Fixes CVE-2026-54387
- Fixes CVE-2026-54388

---
diff --git a/0004-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch b/0004-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
new file mode 100644
index 0000000..f39cc54
--- /dev/null
+++ b/0004-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
@@ -0,0 +1,33 @@
+From 0b56663461181937edd09c2a26dc5c6a83a5c2f1 Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Thu, 7 May 2026 16:33:11 +0000
+Subject: [PATCH] reqs: prevent request smuggling via both content-length and
+ chunked
+
+addressing point 1 of #609
+fixes CVE-2026-54387
+
+(cherry picked from commit 623bfc093df009296f0b85d40bc677ef9d5c09bb)
+---
+ src/reqs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index 6d2e94d..2704042 100644
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -948,8 +948,13 @@ process_client_headers (struct conn_s *connptr, orderedmap hashofheaders)
+         connptr->content_length.client = get_content_length (hashofheaders);
+ 
+         /* Check whether client sends chunked data. */
+-        if (connptr->content_length.client == -1 && is_chunked_transfer (hashofheaders))
++        if (is_chunked_transfer (hashofheaders)) {
++                if (connptr->content_length.client != -1)
++                        /* request smuggling, see GH issue #609 */
++                        orderedmap_remove (hashofheaders, "content-length");
++
+                 connptr->content_length.client = -2;
++        }
+ 
+         /*
+          * See if there is a "Connection" header.  If so, we need to do a bit

diff --git a/0005-reqs-prevent-multiple-content-lengths-getting-emitted.patch b/0005-reqs-prevent-multiple-content-lengths-getting-emitted.patch
new file mode 100644
index 0000000..fb07b1b
--- /dev/null
+++ b/0005-reqs-prevent-multiple-content-lengths-getting-emitted.patch
@@ -0,0 +1,29 @@
+From 6f4faeeaf88c6d5cd1f999f1ddb009322ec118b3 Mon Sep 17 00:00:00 2001
+From: rofl0r <rofl0r@users.noreply.github.com>
+Date: Thu, 7 May 2026 16:39:48 +0000
+Subject: [PATCH] reqs: prevent multiple content-lengths getting emitted
+
+addressing point 2 of #609
+fixes CVE-2026-54388
+
+(cherry picked from commit 364cdb67e0ea00a8e4a7037e2693e0711e816adb)
+---
+ src/reqs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index 2704042..9c57895 100644
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -668,6 +668,11 @@ add_header_to_connection (orderedmap hashofheaders, char *header, size_t len)
+         /* Calculate the new length of just the data */
+         len -= sep - header - 1;
+ 
++        /* prevent multiple content-length headers from being inserted */
++        if (!strcasecmp(header, "content-length") &&
++            orderedmap_find (hashofheaders, "content-length"))
++                return 0;
++
+         return orderedmap_append (hashofheaders, header, sep);
+ }
+ 

diff --git a/tinyproxy.spec b/tinyproxy.spec
index 9cfac95..f38d107 100644
--- a/tinyproxy.spec
+++ b/tinyproxy.spec
@@ -6,7 +6,7 @@
 
 Name:           tinyproxy
 Version:        1.11.2
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        A small, efficient HTTP/SSL proxy daemon
 License:        GPL-2.0-or-later
 URL:            https://tinyproxy.github.io/
@@ -22,6 +22,12 @@ Patch1:         0002-reqs-check-negative-length-values-and-prevent-potential-int
 # CVE-2026-31842
 # https://github.com/tinyproxy/tinyproxy/commit/879bf844abffa0bf5fae6aff0c73179024dd9f98
 Patch2:         0003-reqs-fix-case-sensitive-matching-of-chunked-605.patch
+# CVE-2026-54387
+# https://github.com/tinyproxy/tinyproxy/commit/623bfc093df009296f0b85d40bc677ef9d5c09bb
+Patch3:         0004-reqs-prevent-request-smuggling-via-both-content-length-and-chunked.patch
+# CVE-2026-54388
+# https://github.com/tinyproxy/tinyproxy/commit/364cdb67e0ea00a8e4a7037e2693e0711e816adb
+Patch4:         0005-reqs-prevent-multiple-content-lengths-getting-emitted.patch
 
 BuildRequires:  make
 BuildRequires:  gcc
@@ -93,6 +99,11 @@ exit 0
 
 
 %changelog
+* Thu Jun 18 2026 Carl George <carlwgeorge@gmail.com> - 1.11.2-8
+- Backport upstream CVE fixes
+- Fixes CVE-2026-54387
+- Fixes CVE-2026-54388
+
 * Sat Apr 11 2026 Carl George <carlwgeorge@fedoraproject.org> - 1.11.2-7
 - Backport upstream CVE fixes
 - Fixes CVE-2026-3945

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2026-06-18 21:54 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-18 21:54 [rpms/tinyproxy] epel8: Backport upstream CVE fixes Carl George

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox