UPDATE: tinyproxy - CVE-2023-49606
Apply a fix for tinyproxy to resolve CVE-2023-49606.
Also remove the now-unnecessary patch-src_conf_c (it only added an
#include <limits.h> for LINE_MAX), as that issue was fixed upstream
a number of years ago.
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/tinyproxy/Makefile,v
retrieving revision 1.38
diff -u -p -u -p -r1.38 Makefile
--- Makefile 27 Sep 2023 19:13:06 -0000 1.38
+++ Makefile 8 May 2024 00:59:12 -0000
@@ -3,7 +3,7 @@ COMMENT = lightweight HTTP/SSL proxy
V = 1.11.1
DISTNAME = tinyproxy-$V
CATEGORIES = www net
-REVISION = 0
+REVISION = 1
HOMEPAGE = https://tinyproxy.github.io/
Index: patches/patch-etc_tinyproxy_conf_in
===================================================================
RCS file: /cvs/ports/www/tinyproxy/patches/patch-etc_tinyproxy_conf_in,v
retrieving revision 1.4
diff -u -p -u -p -r1.4 patch-etc_tinyproxy_conf_in
--- patches/patch-etc_tinyproxy_conf_in 11 Mar 2022 20:11:03 -0000 1.4
+++ patches/patch-etc_tinyproxy_conf_in 8 May 2024 00:59:12 -0000
@@ -1,5 +1,6 @@
---- etc/tinyproxy.conf.in.orig Wed Mar 3 09:37:24 2010
-+++ etc/tinyproxy.conf.in Tue Apr 9 05:48:57 2013
+Index: etc/tinyproxy.conf.in
+--- etc/tinyproxy.conf.in.orig
++++ etc/tinyproxy.conf.in
@@ -12,8 +12,8 @@
# as the root user. Either the user or group name or the UID or GID
# number may be used.
Index: patches/patch-src_conf_c
===================================================================
RCS file: patches/patch-src_conf_c
diff -N patches/patch-src_conf_c
--- patches/patch-src_conf_c 11 Mar 2022 20:11:03 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-for LINE_MAX
-
-Index: src/conf.c
---- src/conf.c.orig
-+++ src/conf.c
-@@ -23,6 +23,8 @@
- * add new directives to. Who knows if I'm right though.
- */
-
-+#include <limits.h>
-+
- #include "common.h"
- #include <regex.h>
- #include "conf.h"
Index: patches/patch-src_reqs_c
===================================================================
RCS file: patches/patch-src_reqs_c
diff -N patches/patch-src_reqs_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_reqs_c 8 May 2024 00:59:12 -0000
@@ -0,0 +1,29 @@
+fix potential UAF in header handling (CVE-2023-49606)
+12a8484265f7b00591293da492bb3c9987001956
+
+Index: src/reqs.c
+--- src/reqs.c.orig
++++ src/reqs.c
+@@ -775,7 +775,7 @@ static int remove_connection_headers (orderedmap hasho
+ char *data;
+ char *ptr;
+ ssize_t len;
+- int i;
++ int i,j,df;
+
+ for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
+ /* Look for the connection header. If it's not found, return. */
+@@ -800,7 +800,12 @@ static int remove_connection_headers (orderedmap hasho
+ */
+ ptr = data;
+ while (ptr < data + len) {
+- orderedmap_remove (hashofheaders, ptr);
++ df = 0;
++ /* check that ptr isn't one of headers to prevent
++ double-free (CVE-2023-49606) */
++ for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
++ if(!strcasecmp(ptr, headers[j])) df = 1;
++ if (!df) orderedmap_remove (hashofheaders, ptr);
+
+ /* Advance ptr to the next token */
+ ptr += strlen (ptr) + 1;
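Review bot: The comment on the new guard calls the hazard a double-free, but the first thing the check prevents is a use-after-free of `data`: the token buffer walked by `while (ptr < data + len)` appears to be the value found for headers[i] (the lookup sits above this hunk), so a token naming that header would free the buffer the loop keeps reading, and the removal of headers[i] that presumably follows the loop, outside the hunk, is where the double-free would come after. I would reword it as `/* never remove a headers[] entry here: data is that entry's value, so removing it frees the buffer we are walking (UAF) and the final removal below would double-free it (CVE-2023-49606) */`. The inner scan can also stop at the first hit, `if (!strcasecmp (ptr, headers[j])) { df = 1; break; }`, and since the guard relies on `strcasecmp`, it is worth confirming `<strings.h>` is already reachable in reqs.c so the port does not build with an implicit declaration; the bare upstream hash in the patch header would be easier to audit as a full URL to that tinyproxy commit. remove_connection_headers continues outside the hunk.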