Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

This fixes CVE-2021-44540, CVE-2021-44541, CVE-2021-44542, and
CVE-2021-44543.
Since all are tagged "minor issue" in the security-tracker, I intend to
send this into the next point release of bullseye.

Salsa-CI passed:
https://salsa.debian.org/debian/privoxy/-/pipelines/325715

Attached you'll find a diff against 3.0.32-2.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Greetings
Roland
diff -Nru privoxy-3.0.32/debian/changelog privoxy-3.0.32/debian/changelog
--- privoxy-3.0.32/debian/changelog	2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/changelog	2021-12-07 19:59:33.000000000 +0100
@@ -1,3 +1,16 @@
+privoxy (3.0.32-2+deb11u1) bullseye; urgency=medium
+
+  * 53_CVE-2021-44540: get_url_spec_param(): Free memory of compiled
+    pattern spec before bailing (CVE-2021-44540).
+  * 54_CVE-2021-44541: process_encrypted_request_headers(): Free header
+    memory when failing to get the request destination (CVE-2021-44541).
+  * 55_CVE-2021-44542: send_http_request(): Prevent memory leaks when
+    handling errors (CVE-2021-44542).
+  * 56_CVE-2021-44543: cgi_error_no_template(): Encode the template name
+    to prevent XSS (CVE-2021-44543).
+
+ -- Roland Rosenfeld <rol...@debian.org>  Tue, 07 Dec 2021 19:59:33 +0100
+
 privoxy (3.0.32-2) unstable; urgency=medium
 
   * Work around apparmor failure in testsuite (Closes: #986258).
diff -Nru privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch
--- privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch	2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,39 @@
+From 652b4b7cb07592c0912cf938a50fcd009fa29a0a Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrog...@opera.com>
+Date: Fri, 19 Nov 2021 17:32:23 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=652b4b7c
+Subject: get_url_spec_param(): Free memory of compiled pattern spec before
+ bailing
+
+OVE-20211201-0003. CVE-2021-44540.
+
+--- a/cgiedit.c
++++ b/cgiedit.c
+@@ -1869,12 +1869,12 @@ static jb_err get_url_spec_param(struct
+    }
+    err = create_pattern_spec(compiled, s);
+    free(s);
++   free_pattern_spec(compiled);
+    if (err)
+    {
+       free(param);
+       return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+    }
+-   free_pattern_spec(compiled);
+ 
+    if (param[strlen(param) - 1] == '\\')
+    {
+@@ -1905,12 +1905,12 @@ static jb_err get_url_spec_param(struct
+       }
+       err = create_pattern_spec(compiled, s);
+       free(s);
++      free_pattern_spec(compiled);
+       if (err)
+       {
+          free(param);
+          return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+       }
+-      free_pattern_spec(compiled);
+    }
+ 
+    *pvalue = param;
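Review bot: Moving `free_pattern_spec(compiled)` above the `if (err)` check, in both hunks of cgiedit.c, means it now runs on a spec that `create_pattern_spec()` may have left only partially initialized; that is only safe if create_pattern_spec() clears the spec before any failure point and free_pattern_spec() tolerates NULL members, which these hunks do not show. A one-line comment at the new call site, `/* safe on failure: create_pattern_spec() resets the spec before it can fail */`, added after confirming that holds, would record the dependency. get_url_spec_param() starts before the first hunk and continues after the second.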
diff -Nru privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch
--- privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch	2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,20 @@
+From 0509c58045b26463844188e07c5e87c74ea21044 Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrog...@opera.com>
+Date: Fri, 19 Nov 2021 18:31:59 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0509c580
+Subject: process_encrypted_request_headers(): Free header memory when
+ failing to get the request destination.
+
+OVE-20211201-0002. CVE-2021-44541.
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -2775,6 +2775,8 @@ static jb_err process_encrypted_request(
+          "Failed to get the encrypted request destination");
+       ssl_send_data_delayed(&(csp->ssl_client_attr),
+          (const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp));
++      destroy_list(headers);
++
+       return JB_ERR_PARSE;
+    }
+ 
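Review bot: The added `destroy_list(headers);` is followed by an empty added line before `return JB_ERR_PARSE;`, which separates the cleanup from the return it belongs to; dropping that blank line keeps the error path compact and matches the cleanup-then-return shape used in the sibling patches. process_encrypted_request_headers() starts before and continues after the hunk, so whether other early returns in the same function also release `headers` cannot be checked here.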
diff -Nru privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch
--- privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch	2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,29 @@
+From c48d1d6d08996116cbcea55cd3fc6c2a558e499a Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrog...@opera.com>
+Date: Fri, 19 Nov 2021 18:57:26 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=c48d1d6d0
+Subject: send_http_request(): Prevent memory leaks when handling errors
+
+OVE-20211201-0001. CVE-2021-44542.
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -2182,6 +2182,7 @@ static int send_http_request(struct clie
+          update_client_headers(csp, to_send_len))
+       {
+          log_error(LOG_LEVEL_HEADER, "Error updating client headers");
++         freez(to_send);
+          return 1;
+       }
+       csp->expected_client_content_length = 0;
+@@ -2206,6 +2207,10 @@ static int send_http_request(struct clie
+    {
+       log_error(LOG_LEVEL_CONNECT, "Failed sending request headers to: %s: %E",
+          csp->http->hostport);
++      if (filter_client_body)
++      {
++         freez(to_send);
++      }
+       return 1;
+    }
+ 
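Review bot: The second hunk frees `to_send` only when `filter_client_body` is set, while the first hunk frees it unconditionally; the asymmetry presumably reflects that `to_send` is heap-owned by this function only on the filtering path (the first hunk's context line `csp->expected_client_content_length = 0;` suggests it sits inside that branch), but nothing in either hunk states the ownership rule. A comment on the conditional free, `/* to_send is only owned here on the filtering path */`, would record what the fix relies on; verify it against the declaration of to_send above the hunk. send_http_request() starts before the first hunk and continues after the second.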
diff -Nru privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch
--- privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch	2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,41 @@
+From 0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 Mon Sep 17 00:00:00 2001
+From: Fabian Keil <f...@fabiankeil.de>
+Date: Tue, 2 Nov 2021 12:11:37 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0e668e94
+Subject: cgi_error_no_template(): Encode the template name to prevent XSS
+
+OVE-20211102-0001. CVE-2021-44543.
+
+Reported by: Artem Ivanov
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -1196,7 +1196,8 @@ jb_err cgi_error_no_template(const struc
+       ").</p>\n"
+       "</body>\n"
+       "</html>\n";
+-   const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1;
++   size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1;
++   const char *encoded_template_name;
+ 
+    assert(csp);
+    assert(rsp);
+@@ -1210,9 +1211,17 @@ jb_err cgi_error_no_template(const struc
+    rsp->head_length = 0;
+    rsp->is_static = 0;
+ 
++   encoded_template_name = html_encode(template_name);
++   if (encoded_template_name == NULL)
++   {
++      return JB_ERR_MEMORY;
++   }
++
++   body_size += strlen(encoded_template_name);
+    rsp->body = malloc_or_die(body_size);
+    strlcpy(rsp->body, body_prefix, body_size);
+-   strlcat(rsp->body, template_name, body_size);
++   strlcat(rsp->body, encoded_template_name, body_size);
++   freez(encoded_template_name);
+    strlcat(rsp->body, body_suffix, body_size);
+ 
+    rsp->status = strdup(status);
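Review bot: The rationale for the new `html_encode(template_name)` call lives only in the patch subject; at the call site nothing says that template_name is reflected into the HTML body, so a later cleanup could drop the encoding without noticing. A comment above the call, `/* template_name is reflected into the response body; encode it so it cannot inject markup */`, would keep that in the code. The early `return JB_ERR_MEMORY` leaves `rsp->head_length` and `rsp->is_static` already written with `rsp->body` unset, which is presumably fine if the caller discards rsp on error, as the other JB_ERR_MEMORY paths in this diff assume. cgi_error_no_template() starts before the first hunk and continues after the second.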
diff -Nru privoxy-3.0.32/debian/patches/series privoxy-3.0.32/debian/patches/series
--- privoxy-3.0.32/debian/patches/series	2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/patches/series	2021-12-07 19:59:33.000000000 +0100
@@ -5,3 +5,7 @@
 32_bind_fixup.patch
 33_manpage_hyphen.patch
 34_system-docbook2man.patch
+53_CVE-2021-44540.patch
+54_CVE-2021-44541.patch
+55_CVE-2021-44542.patch
+56_CVE-2021-44543.patch
diff -Nru privoxy-3.0.32/debian/salsa-ci.yml privoxy-3.0.32/debian/salsa-ci.yml
--- privoxy-3.0.32/debian/salsa-ci.yml	2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/salsa-ci.yml	2021-12-07 19:59:33.000000000 +0100
@@ -1,3 +1,6 @@
 include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bullseye'
