Hi!

(please Cc: me in reply, since I'm not subscribed to debian-lts)

Privoxy upstream just released version 3.0.32, which fixes five new
CVEs, which are also reported at security-tracker.

I prepared a package that fixes CVE-2021-20272, CVE-2021-20273,
CVE-2021-20275, and CVE-2021-20276.

CVE-2021-20274 is missing, since this affects code that was
introduced in 3.0.29, so the stretch package is not affected, since we
shipped 3.0.26 in stretch.  I requested on IRC #debian-security to
tag stretch and buster as not affected for this CVE.

Since all other CVEs are tagged "minor issue" on security-tracker, I'm
not sure whether it's worth doing a LTS upload for this.

If you think so, feel free to use it or tell me what I have to do to
upload it...

A patch against 3.0.26-3+deb9u1 is attached.

The Salsa pipeline, including the testsuite, was successful with this:
https://salsa.debian.org/debian/privoxy/-/pipelines/237014

Greetings
Roland
diff -Nru privoxy-3.0.26/debian/changelog privoxy-3.0.26/debian/changelog
--- privoxy-3.0.26/debian/changelog	2021-02-06 21:42:01.000000000 +0100
+++ privoxy-3.0.26/debian/changelog	2021-03-08 14:11:04.000000000 +0100
@@ -1,3 +1,17 @@
+privoxy (3.0.26-3+deb9u2) stretch-security; urgency=medium
+
+  * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be
+    triggered with a crafted CGI request (CVE-2021-20272).
+  * 50_CVE-2021-20273: cgi_send_banner(): Overrule invalid image types.
+    Prevents a crash with a crafted CGI request if Privoxy is toggled off
+    (CVE-2021-20273).
+  * 51_CVE-2021-20275: chunked_body_is_complete(): Prevent invalid read of
+    size two (CVE-2021-20275).
+  * 52_CVE-2021-20276: Obsolete pcre: Prevent invalid memory accesses
+    (CVE-2021-20276).
+
+ -- Roland Rosenfeld <rol...@debian.org>  Mon, 08 Mar 2021 14:11:04 +0100
+
 privoxy (3.0.26-3+deb9u1) stretch-security; urgency=medium
 
   * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
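Review bot: the changelog entry does not record the CVE-2021-20274 decision; since the cover mail explains that this CVE only affects code introduced in 3.0.29 and stretch ships 3.0.26, consider adding a line such as `  * CVE-2021-20274: not affected, the vulnerable code was introduced in 3.0.29.` so the reasoning survives in the package history rather than only on IRC and the tracker.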
diff -Nru privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch
--- privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch	2021-03-08 14:11:04.000000000 +0100
@@ -0,0 +1,32 @@
+commit 2256d7b4d67dd9c364386877d5af59943433458b
+Author: Fabian Keil <f...@fabiankeil.de>
+Date:   Wed Feb 3 19:08:20 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=2256d7b4d67
+Subject: ssplit(): Remove an assertion that could be triggered with a crafted
+ CGI request (CVE-2021-20272).
+    
+    This reverts dc4e311bcf.
+    
+    OVE-20210203-0001.
+    
+    Reported by: Joshua Rogers (Opera)
+
+--- a/ssplit.c
++++ b/ssplit.c
+@@ -37,7 +37,6 @@ const char ssplit_rcs[] = "$Id: ssplit.c
+ 
+ #include <string.h>
+ #include <stdlib.h>
+-#include <assert.h>
+ 
+ #include "ssplit.h"
+ #include "miscutil.h"
+@@ -153,8 +152,6 @@ int ssplit(char *str, const char *delim,
+       }
+    }
+    /* null terminate the substring */
+-   /* XXX: this shouldn't be necessary, so assert that it isn't. */
+-   assert(*str == '\0');
+    *str = '\0';
+ 
+    return(vec_count);
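Review bot: the fix removes the `assert(*str == '\0');` but keeps the unconditional `*str = '\0';` write, so a request that previously tripped the assertion now silently overwrites whatever byte `str` points at; please confirm that `str` is still guaranteed to lie inside the input buffer at that point, because the removed XXX comment says the write "shouldn't be necessary" and the assertion firing shows the tokenizer can stop somewhere other than the terminator. Note also that `assert()` is compiled out under NDEBUG, so this patch only changes behaviour for builds with assertions enabled; it is worth checking which kind the stretch package ships so the severity in the changelog matches reality.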
diff -Nru privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch
--- privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch	2021-03-08 14:11:04.000000000 +0100
@@ -0,0 +1,28 @@
+commit e711c505c4830ab271938d61af90a2075523f058
+Author: Fabian Keil <f...@fabiankeil.de>
+Date:   Sat Feb 6 20:43:06 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=e711c505c48
+Subject: cgi_send_banner(): Overrule invalid image types.  Prevents a crash with
+ a crafted CGI request if Privoxy is toggled off.(CVE-2021-20273).
+    
+    OVE-20210206-0001.
+    
+    Reported by: Joshua Rogers (Opera)
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -468,6 +468,14 @@ jb_err cgi_send_banner(struct client_sta
+ {
+    char imagetype = lookup(parameters, "type")[0];
+ 
++   if (imagetype != 'a' && imagetype != 'b' &&
++       imagetype != 'p' && imagetype != 't')
++   {
++      log_error(LOG_LEVEL_ERROR, "Overruling invalid image type '%c'.",
++         imagetype);
++      imagetype = 'p';
++   }
++
+    /*
+     * If type is auto, then determine the right thing
+     * to do from the set-image-blocker action
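Review bot: the new guard rewrites any `imagetype` outside `a`, `b`, `p`, `t` to `p`, including the `'\0'` from a missing or empty `type` parameter, which is the right defensive default; the `log_error(LOG_LEVEL_ERROR, ...)` line is also a useful detection signal for probing of the CGI interface, but it prints the offending byte with `%c`, so a non-printable byte goes into the log verbatim; consider `%d` or a hex format if log hygiene matters. Minor: the DEP-3 Subject line is missing a space in `toggled off.(CVE-2021-20273)`.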
diff -Nru privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch
--- privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch	2021-03-08 14:11:04.000000000 +0100
@@ -0,0 +1,26 @@
+commit a912ba7bc9ce5855a810d09332e9d94566ce1521
+Author: Fabian Keil <f...@fabiankeil.de>
+Date:   Fri Feb 5 05:06:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=a912ba7bc9c
+Subject: chunked_body_is_complete(): Prevent invalid read of size two
+ (CVE-2021-20275).
+    
+    OVE-20210205-0001.
+    
+    Reported by: Joshua Rogers (Opera)
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -1383,6 +1383,12 @@ static enum chunk_status chunked_body_is
+       /* Move beyond the chunkdata. */
+       p += 2 + chunksize;
+ 
++      /* Make sure we're still within the buffer and have two bytes left */
++      if (p + 2 > iob->eod)
++      {
++         return CHUNK_STATUS_MISSING_DATA;
++      }
++
+       /* There should be another "\r\n" to skip */
+       if (memcmp(p, "\r\n", 2))
+       {
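Review bot: the bounds check `if (p + 2 > iob->eod)` sits after `p += 2 + chunksize;`, so for a large `chunksize` the pointer has already been advanced beyond the buffer and `p + 2` is formed from an out-of-bounds pointer, which is undefined behaviour in C even though it yields the intended comparison on the platforms Debian builds for. Unless an earlier check outside this hunk already bounds `chunksize` against `iob->eod - p`, it would be cleaner to compare the remaining length before advancing, e.g. `if ((size_t)(iob->eod - p) < chunksize + 4) return CHUNK_STATUS_MISSING_DATA;` (guarding that addition against overflow as well), and only then do the `p += 2 + chunksize;`.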
diff -Nru privoxy-3.0.26/debian/patches/52_CVE-2021-20276.patch privoxy-3.0.26/debian/patches/52_CVE-2021-20276.patch
--- privoxy-3.0.26/debian/patches/52_CVE-2021-20276.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/52_CVE-2021-20276.patch	2021-03-08 14:11:04.000000000 +0100
@@ -0,0 +1,79 @@
+commit 28512e5b62457f0ff6f2d72e3e5c9226b9e0203d
+Author: Fabian Keil <f...@fabiankeil.de>
+Date:   Mon Feb 22 09:17:30 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=28512e5b624
+Subject: Obsolete pcre: Prevent invalid memory accesses (CVE-2021-20276)
+    
+    ... with an invalid pattern passed to pcre_compile().
+    
+       ==22377== Invalid write of size 1
+       ==22377==    at 0x466E37: compile_branch (pcre.c:2001)
+       ==22377==    by 0x45FA64: compile_regex (pcre.c:2164)
+       ==22377==    by 0x45EE77: pcre_compile (pcre.c:3077)
+       ==22377==    by 0x467B6D: regcomp (pcreposix.c:206)
+       ==22377==    by 0x456FFF: compile_pattern (urlmatch.c:667)
+       ==22377==    by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+       ==22377==    by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+       ==22377==    by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+       ==22377==    by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+       ==22377==    by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+       ==22377==    by 0x40FA7A: dispatch_cgi (cgi.c:383)
+       ==22377==    by 0x43C511: crunch_response_triggered (jcc.c:920)
+       ==22377==  Address 0x7177469 is 4 bytes after a block of size 1,125 alloc'd
+       ==22377==    at 0x4C26A44: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
+       ==22377==    by 0x45ED5C: pcre_compile (pcre.c:3054)
+       ==22377==    by 0x467B6D: regcomp (pcreposix.c:206)
+       ==22377==    by 0x456FFF: compile_pattern (urlmatch.c:667)
+       ==22377==    by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+       ==22377==    by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+       ==22377==    by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+       ==22377==    by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+       ==22377==    by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+       ==22377==    by 0x40FA7A: dispatch_cgi (cgi.c:383)
+       ==22377==    by 0x43C511: crunch_response_triggered (jcc.c:920)
+       ==22377==    by 0x43ADDB: chat (jcc.c:4241)
+    
+       ==22377== Invalid read of size 1
+       ==22377==    at 0x466FCC: compile_branch (pcre.c:2053)
+       ==22377==    by 0x45FA64: compile_regex (pcre.c:2164)
+       ==22377==    by 0x45EE77: pcre_compile (pcre.c:3077)
+       ==22377==    by 0x467B6D: regcomp (pcreposix.c:206)
+       ==22377==    by 0x456FFF: compile_pattern (urlmatch.c:667)
+       ==22377==    by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+       ==22377==    by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+       ==22377==    by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+       ==22377==    by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+       ==22377==    by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+       ==22377==    by 0x40FA7A: dispatch_cgi (cgi.c:383)
+       ==22377==    by 0x43C511: crunch_response_triggered (jcc.c:920)
+       ==22377==  Address 0x7176fb1 is 0 bytes after a block of size 1,057 alloc'd
+       ==22377==    at 0x4C26A44: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
+       ==22377==    by 0x44C3F0: malloc_or_die (miscutil.c:194)
+       ==22377==    by 0x456FBB: compile_pattern (urlmatch.c:662)
+       ==22377==    by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+       ==22377==    by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+       ==22377==    by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+       ==22377==    by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+       ==22377==    by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+       ==22377==    by 0x40FA7A: dispatch_cgi (cgi.c:383)
+       ==22377==    by 0x43C511: crunch_response_triggered (jcc.c:920)
+       ==22377==    by 0x43ADDB: chat (jcc.c:4241)
+       ==22377==    by 0x439DA5: serve (jcc.c:4778)
+    
+    OVE-20210222-0001.
+    
+    pcre 8.44 does not seem to be affected.
+    
+    Reported by: Joshua Rogers (Opera)
+
+--- a/pcre/pcre.c
++++ b/pcre/pcre.c
+@@ -2050,7 +2050,7 @@ for (;; ptr++)
+ 
+     /* This "while" is the end of the "do" above. */
+ 
+-    while (length < MAXLIT && (cd->ctypes[c = *(++ptr)] & ctype_meta) == 0);
++    while (*ptr && length < MAXLIT && (cd->ctypes[c = *(++ptr)] & ctype_meta) == 0);
+ 
+     /* Update the last character and the count of literals */
+ 
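Review bot: this hunk patches the bundled copy in `pcre/pcre.c`, and the commit message states that pcre 8.44 is not affected, so the change only matters if the stretch build actually compiles the embedded pcre rather than linking against the system libpcre3; please confirm which one the package uses, since with the system library the patch is harmless but the changelog entry would overstate what changed. The added `*ptr &&` test is evaluated before `*(++ptr)`, so the loop can no longer step past the terminating NUL, which matches the "Invalid read of size 1" at pcre.c:2053 in the valgrind trace; the "Invalid write of size 1" at pcre.c:2001 from the first trace is not touched by this hunk, so check whether it is a downstream consequence of the same over-read or whether upstream fixed it in a separate commit that should be included here.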
diff -Nru privoxy-3.0.26/debian/patches/series privoxy-3.0.26/debian/patches/series
--- privoxy-3.0.26/debian/patches/series	2021-02-06 21:42:01.000000000 +0100
+++ privoxy-3.0.26/debian/patches/series	2021-03-08 14:11:04.000000000 +0100
@@ -21,3 +21,7 @@
 45_CVE-2021-20212.patch
 46_CVE-2021-20213.patch
 48_CVE-2021-20215.patch
+49_CVE-2021-20272.patch
+50_CVE-2021-20273.patch
+51_CVE-2021-20275.patch
+52_CVE-2021-20276.patch
