Hi,

In response to #627503, I had prepared a stable-security upload of tinyproxy to address this issue. After discussing with jmm, we're discarding doing a DSA for this issue as an exploit can't happen if an attacker doesn't control the configuration file. He thinks the patch would be fine for s-p-u though, so I'm attaching the following patch so the upload can be considered.

-- 
Jordi Mallach Pérez -- Debian developer http://www.debian.org/
jordi@sindominio.net jordi@debian.org http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/

Index: squeeze/debian/changelog =================================================================== --- squeeze/debian/changelog (revision 18458) +++ squeeze/debian/changelog (revision 19756) @@ -1,3 +1,13 @@ +tinyproxy (1.8.2-1squeeze2) stable; urgency=low + + * Add validate_port_number.patch: validate port number specified in Port + directive, to avoid possible buffer overflows that could allow for + access restriction bypasses [CVE-2011-1843] (closes: #627503). + As the configuration file is under the control of the admin, this is + not considered a security issue. + + -- Jordi Mallach <jordi@debian.org> Mon, 02 Jan 2012 15:05:27 +0100 + tinyproxy (1.8.2-1squeeze1) stable-security; urgency=low * Add netmask_generation.patch: fix bug in ACL netmask generation, Index: squeeze/debian/patches/validate_port_number.patch =================================================================== --- squeeze/debian/patches/validate_port_number.patch (revision 0) +++ squeeze/debian/patches/validate_port_number.patch (revision 19756) 
@@ -0,0 +1,29 @@ +From: Mukund Sivaraman <muks@banu.com> +Subject: Validate port number specified in Port directive +Origin: https://banu.com/cgit/tinyproxy/commit/?h=1.8&id=95a6f8259c0e19d980f8dfe54c33c21d4ab9fe86 +Forwarded: not-needed +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627503 +--- +diff --git a/src/conf.c b/src/conf.c +index b16b8e9..59630a2 100644 +--- a/src/conf.c ++++ b/src/conf.c +@@ -779,7 +779,15 @@ static HANDLE_FUNC (handle_bindsame) + + static HANDLE_FUNC (handle_port) + { +- return set_int_arg (&conf->port, line, &match[2]); ++ set_int_arg (&conf->port, line, &match[2]); ++ ++ if (conf->port > 65535) { ++ fprintf (stderr, "Bad port number (%d) supplied for Port.\n", ++ conf->port); ++ return 1; ++ } ++ ++ return 0; + } + + static HANDLE_FUNC (handle_maxclients) +-- +cgit Index: squeeze/debian/patches/series =================================================================== --- squeeze/debian/patches/series (revision 18458) +++ squeeze/debian/patches/series (revision 19756) @@ -1,3 +1,4 @@ # Series of quilt patches. upstream_matching_fix.patch netmask_generation.patch +validate_port_number.patch
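
Review bot: In handle_port in src/conf.c the return value of set_int_arg is now dropped, where the removed line returned it, so a failure reported by set_int_arg no longer reaches the caller and the range check then runs on whatever conf->port already holds. Suggest storing the result, returning it when it is non-zero, and only then testing the range. The check is also upper-bound only (`conf->port > 65535`); whether zero or negative values can reach it depends on the type of conf->port and on the pattern used for the Port directive, neither of which is visible in this hunk, so that is worth confirming and, if such values can get through, adding a lower bound to the same condition.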