Your message dated Wed, 14 Jan 2015 20:41:42 +0100
with message-id <[email protected]>
and subject line Re: Bug#775366: unblock: privoxy/3.0.21-5
has caused the Debian Bug report #775366,
regarding unblock: privoxy/3.0.21-5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
775366: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775366
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package privoxy/3.0.21-5
I just uploaded privoxy version 3.0.21-5, which should fix
CVE-2015-1030 and CVE-2015-1031, which are reported in #775167.
A debdiff between 3.0.21-4 and 3.0.21-5 is attached.
It contains 3 quilt patches, which are extracted from upstream 3.0.22
source.
Greetings
Roland
diff -Nru privoxy-3.0.21/debian/changelog privoxy-3.0.21/debian/changelog
--- privoxy-3.0.21/debian/changelog 2014-05-10 14:19:22.000000000 +0200
+++ privoxy-3.0.21/debian/changelog 2015-01-12 08:44:24.000000000 +0100
@@ -1,3 +1,15 @@
+privoxy (3.0.21-5) unstable; urgency=low
+
+ * 34_CVE-2015-1030: Fix memory leak in rfc2553_connect_to(). CID 66382
+ * 35_CVE-2015-1031-CID66394: unmap(): Prevent use-after-free if the map
+ only consists of one item. CID 66394.
+ * 36_CVE-2015-1031-CID66376: pcrs_execute(): Consistently set *result to
+ NULL in case of errors. Should make use-after-free in the caller less
+ likely. CID 66391, CID 66376.
+ * These 3 patches Closes: #775167.
+
+ -- Roland Rosenfeld <[email protected]> Mon, 12 Jan 2015 08:44:23 +0100
+
privoxy (3.0.21-4) unstable; urgency=low
* Enable hardening=+all
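Review bot: urgency=low on the new 3.0.21-5 header line does not match the content of the upload, whose three entries are all fixes for CVE-2015-1030 and CVE-2015-1031. Consider urgency=medium or high so that the migration delay reflects a security fix. The closing line would also read better as "These 3 patches close the CVEs reported in the bug. Closes: #775167".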
diff -Nru privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch
--- privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch 2015-01-12 08:32:18.000000000 +0100
@@ -0,0 +1,16 @@
+Author: Fabian Keil <[email protected]>
+Description: Fix memory leak in rfc2553_connect_to()
+ CID 66382.
+Bug-Debian: http://bugs.debian.org/775167
+Origin: upstream, http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/jbsockets.c?r1=1.130&r2=1.131
+
+--- a/jbsockets.c
++++ b/jbsockets.c
+@@ -285,6 +285,7 @@
+ "Server socket number too high to use select(): %d >= %d",
+ fd, FD_SETSIZE);
+ close_socket(fd);
++ freeaddrinfo(result);
+ return JB_INVALID_SOCKET;
+ }
+ #endif
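Review bot: the added freeaddrinfo(result) covers only the FD_SETSIZE early return shown in this hunk. Any other return in rfc2553_connect_to() that is reached once result has been populated needs the same release, and those paths are not visible here, so they are worth checking before this is called a complete fix for the leak. A single cleanup path that calls close_socket(fd) and freeaddrinfo(result) before returning JB_INVALID_SOCKET would keep later early exits from reintroducing it.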
diff -Nru privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch
--- privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch 2015-01-12 08:36:24.000000000 +0100
@@ -0,0 +1,31 @@
+Author: Fabian Keil <[email protected]>
+Description: unmap(): Prevent use-after-free if the map only consists of one
+ item
+ CID 66394.
+Bug-Debian: http://bugs.debian.org/775167
+Origin: upstream, http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/list.c?r1=1.31&r2=1.32
+
+--- a/list.c
++++ b/list.c
+@@ -1055,7 +1055,7 @@
+ assert(the_map);
+ assert(name);
+
+- last_entry = the_map->first;
++ last_entry = NULL;
+
+ for (cur_entry = the_map->first; cur_entry != NULL; cur_entry = cur_entry->next)
+ {
+@@ -1087,7 +1087,11 @@
+ freez(cur_entry->name);
+ freez(cur_entry->value);
+ freez(cur_entry);
+-
++ if (last_entry == NULL)
++ {
++ /* The map only had a single entry which has just been removed. */
++ break;
++ }
+ cur_entry = last_entry;
+ }
+ else
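Review bot: in the second list.c hunk, the test "if (last_entry == NULL)" is broader than its comment claims. With last_entry now initialised to NULL, it is still NULL whenever the entry just freed had no recorded predecessor, which as far as these lines show includes removing the head of a map that has further entries, not only the single-entry case. The break fixes the use-after-free (cur_entry = last_entry followed by cur_entry->next in the for header), but in that head-of-list case it also ends the scan, so any later entries with the same name would be left in place. Either reword the comment to say "the removed entry was the first one" and document that remaining duplicates are not visited, or restart the scan from the_map->first instead of breaking.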
diff -Nru privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch
--- privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch 2015-01-12 08:39:52.000000000 +0100
@@ -0,0 +1,47 @@
+Author: Fabian Keil <[email protected]>
+Description: pcrs_execute(): Consistently set *result to NULL in case of errors
+ Should make use-after-free in the caller less likely.
+ CID 66391, CID 66376.
+Bug-Debian: http://bugs.debian.org/775167
+Origin: upstream, http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/pcrs.c?r1=1.45&r2=1.46
+
+--- a/pcrs.c
++++ b/pcrs.c
+@@ -725,7 +725,7 @@
+ * 1 : job = the pcrs_job to be executed
+ * 2 : subject = the subject (== original) string
+ * 3 : subject_length = the subject's length
+- * 4 : result = char** for returning the result
++ * 4 : result = char** for returning the result (NULL on error)
+ * 5 : result_length = size_t* for returning the result's length
+ *
+ * Returns : On success, the number of substitutions that were made.
+@@ -747,19 +747,18 @@
+ char *result_offset;
+
+ offset = i = 0;
++ *result = NULL;
+
+ /*
+ * Sanity check & memory allocation
+ */
+ if (job == NULL || job->pattern == NULL || job->substitute == NULL || NULL == subject)
+ {
+- *result = NULL;
+ return(PCRS_ERR_BADJOB);
+ }
+
+ if (NULL == (matches = (pcrs_match *)malloc((size_t)max_matches * sizeof(pcrs_match))))
+ {
+- *result = NULL;
+ return(PCRS_ERR_NOMEM);
+ }
+ memset(matches, '\0', (size_t)max_matches * sizeof(pcrs_match));
+@@ -806,7 +805,6 @@
+ if (NULL == (dummy = (pcrs_match *)realloc(matches, (size_t)max_matches * sizeof(pcrs_match))))
+ {
+ free(matches);
+- *result = NULL;
+ return(PCRS_ERR_NOMEM);
+ }
+ matches = dummy;
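Review bot: in the second pcrs.c hunk, "*result = NULL;" is now executed unconditionally before the sanity check, and that check covers job, job->pattern, job->substitute and subject but not result itself, so a caller passing a NULL result pointer gets a NULL dereference rather than PCRS_ERR_BADJOB. Adding result == NULL to the sanity check, ahead of the assignment, would make the function robust against that. The updated header comment documents "(NULL on error)" for result only; the visible error paths leave *result_length untouched, so it would help to either say so in the comment for parameter 5 or zero it alongside *result.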
diff -Nru privoxy-3.0.21/debian/patches/series privoxy-3.0.21/debian/patches/series
--- privoxy-3.0.21/debian/patches/series 2013-01-24 17:41:35.000000000 +0100
+++ privoxy-3.0.21/debian/patches/series 2015-01-12 08:41:43.000000000 +0100
@@ -8,3 +8,6 @@
28_listen_localhost.patch
32_bind_fixup.patch
33_manpage_hyphen.patch
+34_CVE-2015-1030.patch
+35_CVE-2015-1031-CID66394.patch
+36_CVE-2015-1031-CID66376.patch
--- End Message ---
--- Begin Message ---
Hi,
On Wed, Jan 14, 2015 at 07:31:07PM +0100, Roland Rosenfeld wrote:
> Please unblock package privoxy/3.0.21-5
Unblocked.
Cheers,
Ivo
--- End Message ---