From c0e0a6876f8377096223c39d035924f77c9dcff1 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sat, 28 Nov 2020 21:52:23 +0100
Subject: [PATCH] libproxy: fix CVE-2020-25219, CVE-2020-26154

CVE-2020-25219: url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion.

CVE-2020-26154: url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header.

Fixes: CVE-2020-25219, CVE-2020-26154
---
 pkgs/development/libraries/libproxy/default.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pkgs/development/libraries/libproxy/default.nix b/pkgs/development/libraries/libproxy/default.nix
index 61c25e183bd0..7fcc8c58c1ce 100644
--- a/pkgs/development/libraries/libproxy/default.nix
+++ b/pkgs/development/libraries/libproxy/default.nix
@@ -71,6 +71,17 @@ stdenv.mkDerivation rec {
       url = "https://github.com/libproxy/libproxy/pull/95.patch";
       sha256 = "18vyr6wlis9zfwml86606jpgb9mss01l9aj31iiciml8p857aixi";
     })
+    (fetchpatch {
+      name = "CVE-2020-25219.patch";
+      url = "https://github.com/libproxy/libproxy/commit/a83dae404feac517695c23ff43ce1e116e2bfbe0.patch";
+      sha256 = "0wdh9qjq99aw0jnf2840237i3hagqzy42s09hz9chfgrw8pyr72k";
+    })
+    (fetchpatch {
+      name = "CVE-2020-26154.patch";
+      url = "https://github.com/libproxy/libproxy/commit/4411b523545b22022b4be7d0cac25aa170ae1d3e.patch";
+      sha256 = "0pdy9sw49lxpaiwq073cisk0npir5bkch70nimdmpszxwp3fv1d8";
+    })
+
   ] ++ stdenv.lib.optionals stdenv.isDarwin [
     (fetchpatch {
       url = "https://github.com/libproxy/libproxy/commit/44158f03f8522116758d335688ed840dfcb50ac8.patch";
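Review bot: The two new fetchpatch entries carry only a `name`, so the next maintainer has to go back to the upstream commits to learn what each one guards and when it can be dropped; a one-line comment above each would save that round trip, e.g. `# CVE-2020-25219: unbounded recursion in url::recvline on a newline-less response` and `# CVE-2020-26154: buffer overflow on a large PAC file sent without Content-length`, both presumably droppable once the package moves to a release after 0.4.15. The added empty `+` line before `] ++ stdenv.lib.optionals stdenv.isDarwin [` leaves a blank line inside the patches list, which the surrounding entries do not do; drop it. The patches list this hunk extends begins before the hunk.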