Bug#981664: buster-pu: package privoxy/3.0.28-2
Control: tags -1 + confirmed

On Mon, 2021-03-08 at 14:08 +0100, Roland Rosenfeld wrote:
> Hi release team!
>
> In the meantime privoxy 3.0.32 was released, which contains five more
> CVEs, I applied four of them to 3.0.28-2+deb10u1.patch-v4 now, while
> CVE-2021-20274 applies to code, that was introduced in 3.0.29, so
> doesn't affect buster.
>
> An updated version of my patch is attached.
>

Please go ahead; thanks.

Regards,

Adam
Bug#981664: buster-pu: package privoxy/3.0.28-2
Hi release team!

In the meantime privoxy 3.0.32 was released, which contains five more CVEs, I applied four of them to 3.0.28-2+deb10u1.patch-v4 now, while CVE-2021-20274 applies to code, that was introduced in 3.0.29, so doesn't affect buster.

An updated version of my patch is attached.

Greetings
Roland

diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog --- privoxy-3.0.28/debian/changelog 2019-01-06 13:07:14.0 +0100 +++ privoxy-3.0.28/debian/changelog 2021-03-08 13:57:15.0 +0100 
@@ -1,3 +1,41 @@ +privoxy (3.0.28-2+deb10u1) buster; urgency=medium + + * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request +(CVE-2021-20217). + * 39_decompress_iob: Fix detection of insufficient data. + * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216). + * 41_CVE-2020-35502: Fixed memory leaks when a response is buffered and +the buffer limit is reached or Privoxy is running out of memory +(CVE-2020-35502). + * 42_CVE-2021-20209: Fixed a memory leak in the show-status CGI handler +when no action files are configured (CVE-2021-20209). + * 43_CVE-2021-20210: Fixed a memory leak in the show-status CGI handler +when no filter files are configured (CVE-2021-20210). + * 44_CVE-2021-20211: Fixes a memory leak when client tags are active +(CVE-2021-20211). + * 45_CVE-2021-20212: Fixed a memory leak if multiple filters are +executed and the last one is skipped due to a pcre error (CVE-2021-20212). + * 46_CVE-2021-20213: Prevent an unlikely dereference of a NULL-pointer +that could result in a crash if accept-intercepted-requests was +enabled, Privoxy failed to get the request destination from the Host +header and a memory allocation failed (CVE-2021-20213). + * 47_CVE-2021-20214: Fixed memory leaks in the client-tags CGI handler +when client tags are configured and memory allocations fail +(CVE-2021-20214). + * 48_CVE-2021-20215: Fixed memory leaks in the show-status CGI handler +when memory allocations fail (CVE-2021-20215). + * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be +triggered with a crafted CGI request (CVE-2021-20272). + * 50_CVE-2021-20273: cgi_send_banner(): Overrule invalid image types. +Prevents a crash with a crafted CGI request if Privoxy is toggled off +(CVE-2021-20273). + * 51_CVE-2021-20275: chunked_body_is_complete(): Prevent invalid read of +size two (CVE-2021-20275). + * 52_CVE-2021-20276: Obsolete pcre: Prevent invalid memory accesses +(CVE-2021-20276). 
+ + -- Roland Rosenfeld Mon, 08 Mar 2021 13:57:15 +0100 + privoxy (3.0.28-2) unstable; urgency=medium * d/tests/privoxy-regression-test: Remove tmpdir on exit. diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml privoxy-3.0.28/debian/gitlab-ci.yml --- privoxy-3.0.28/debian/gitlab-ci.yml 2019-01-06 13:07:14.0 +0100 +++ privoxy-3.0.28/debian/gitlab-ci.yml 1970-01-01 01:00:00.0 +0100 @@ -1,16 +0,0 @@ -include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - -build: -extends: .build-unstable - -reprotest: -extends: .test-reprotest - -lintian: -extends: .test-lintian - -autopkgtest: -extends: .test-autopkgtest - -piuparts: -extends: .test-piuparts diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch --- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 1970-01-01 01:00:00.0 +0100 +++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 2021-03-08 13:57:15.0 +0100 
@@ -0,0 +1,34 @@ +commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a +Author: Fabian Keil +Date: Sat Jan 30 15:04:17 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b +Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217) + +parse_cgi_parameters(): Make sure the maximum number of segments is large enough + +... for ssplit() to succeed. + +Prevents an assertion from getting triggered. OVE-20210130-0001. + +Reported by: Joshua Rogers (Opera) + +--- a/cgi.c b/cgi.c +@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters( + * The same hack is used in get_last_url() so it looks like + * a real solution is needed. + */ +- size_t max_segments = strlen(argstring) / 2; +- if (max_segments == 0) +- { +- /* +- * XXX: If the argstring is empty, there's really +- * no point in creating a param list, but currently +- * other parts of Privoxy depend on the list's existence. +- */ +- max_segments = 1; +- } ++ size_t max_segments = strlen(argstring) / 2 + 1; +vector = malloc_or_die(max_segments * sizeof(char *)); + +cgi_params = new_map(); diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch privoxy-3.0.28/debian/patches/39_decompress_iob.patch ---
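Review bot: In the debian/changelog hunk, the entry for 44_CVE-2021-20211 reads "Fixes a memory leak" while the other memory-leak entries use "Fixed"; pick one tense for the whole 3.0.28-2+deb10u1 stanza. 39_decompress_iob is also the only entry without an identifier, and "Fix detection of insufficient data" does not say what went wrong before the fix, so a short clause on the effect would help someone reading the point-release notes.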
Bug#981664: buster-pu: package privoxy/3.0.28-2
Hi!

> > yesterday upstream assigned a few additional CVE IDs (also no-dsa):
> > https://www.openwall.com/lists/oss-security/2021/02/03/3, maybe you
> > also want to fold these in?
>
> You're right, I just did so and updated the buster package to
> incorporate all additional patches.
>
> An updated patch is attached.

Seems that I overlooked CVE-2021-20215. I now added a patch for it.

An updated diff against 3.0.28-2 is attached.

Greetings
Roland

diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog --- privoxy-3.0.28/debian/changelog 2019-01-06 13:07:14.0 +0100 +++ privoxy-3.0.28/debian/changelog 2021-02-06 20:33:25.0 +0100 
@@ -1,3 +1,32 @@ +privoxy (3.0.28-2+deb10u1) buster; urgency=medium + + * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request +(CVE-2021-20217). + * 39_decompress_iob: Fix detection of insufficient data. + * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216). + * 41_CVE-2020-35502: Fixed memory leaks when a response is buffered and +the buffer limit is reached or Privoxy is running out of memory +(CVE-2020-35502). + * 42_CVE-2021-20209: Fixed a memory leak in the show-status CGI handler +when no action files are configured (CVE-2021-20209). + * 43_CVE-2021-20210: Fixed a memory leak in the show-status CGI handler +when no filter files are configured (CVE-2021-20210). + * 44_CVE-2021-20211: Fixes a memory leak when client tags are active +(CVE-2021-20211). + * 45_CVE-2021-20212: Fixed a memory leak if multiple filters are +executed and the last one is skipped due to a pcre error (CVE-2021-20212). + * 46_CVE-2021-20213: Prevent an unlikely dereference of a NULL-pointer +that could result in a crash if accept-intercepted-requests was +enabled, Privoxy failed to get the request destination from the Host +header and a memory allocation failed (CVE-2021-20213). + * 47_CVE-2021-20214: Fixed memory leaks in the client-tags CGI handler +when client tags are configured and memory allocations fail +(CVE-2021-20214). + * 48_CVE-2021-20215: Fixed memory leaks in the show-status CGI handler +when memory allocations fail (CVE-2021-20215). + + -- Roland Rosenfeld Sat, 06 Feb 2021 20:33:25 +0100 + privoxy (3.0.28-2) unstable; urgency=medium * d/tests/privoxy-regression-test: Remove tmpdir on exit. diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml privoxy-3.0.28/debian/gitlab-ci.yml --- privoxy-3.0.28/debian/gitlab-ci.yml 2019-01-06 13:07:14.0 +0100 +++ privoxy-3.0.28/debian/gitlab-ci.yml 1970-01-01 01:00:00.0 +0100 
@@ -1,16 +0,0 @@ -include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - -build: -extends: .build-unstable - -reprotest: -extends: .test-reprotest - -lintian: -extends: .test-lintian - -autopkgtest: -extends: .test-autopkgtest - -piuparts: -extends: .test-piuparts diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch --- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 1970-01-01 01:00:00.0 +0100 +++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 2021-02-06 20:33:25.0 +0100 @@ -0,0 +1,34 @@ +commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a +Author: Fabian Keil +Date: Sat Jan 30 15:04:17 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b +Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217) + +parse_cgi_parameters(): Make sure the maximum number of segments is large enough + +... for ssplit() to succeed. + +Prevents an assertion from getting triggered. OVE-20210130-0001. + +Reported by: Joshua Rogers (Opera) + +--- a/cgi.c b/cgi.c +@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters( + * The same hack is used in get_last_url() so it looks like + * a real solution is needed. + */ +- size_t max_segments = strlen(argstring) / 2; +- if (max_segments == 0) +- { +- /* +- * XXX: If the argstring is empty, there's really +- * no point in creating a param list, but currently +- * other parts of Privoxy depend on the list's existence. +- */ +- max_segments = 1; +- } ++ size_t max_segments = strlen(argstring) / 2 + 1; +vector = malloc_or_die(max_segments * sizeof(char *)); + +cgi_params = new_map(); diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch privoxy-3.0.28/debian/patches/39_decompress_iob.patch --- privoxy-3.0.28/debian/patches/39_decompress_iob.patch 1970-01-01 01:00:00.0 +0100 +++ privoxy-3.0.28/debian/patches/39_decompress_iob.patch 2021-02-06 20:33:25.0 +0100 
@@ -0,0 +1,22 @@ +commit f5c1a886b7ae20da7eafb77926252eb521260728 +Author: Fabian Keil +Date: Thu Jan 28 16:26:45 2021 +0100 +Applied-Upstream:
Bug#981664: buster-pu: package privoxy/3.0.28-2
Hi Moritz!

On Thu, 04 Feb 2021, Moritz Mühlenhoff wrote:
> On Tue, Feb 02, 2021 at 07:15:37PM +0100, Roland Rosenfeld wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> >
> > This fixes CVE-2021-20216 and CVE-2021-20217.
> > Since both are tagged " (Minor issue)" in security tracker, I
> > tend to send this into the next point release of buster.

> yesterday upstream assigned a few additional CVE IDs (also no-dsa):
> https://www.openwall.com/lists/oss-security/2021/02/03/3, maybe you
> also want to fold these in?

You're right, I just did so and updated the buster package to incorporate all additional patches.

An updated patch is attached.

Greetings
Roland

diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog --- privoxy-3.0.28/debian/changelog 2019-01-06 13:07:14.0 +0100 +++ privoxy-3.0.28/debian/changelog 2021-02-04 20:38:58.0 +0100 
@@ -1,3 +1,30 @@ +privoxy (3.0.28-2+deb10u1) buster; urgency=medium + + * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request +(CVE-2021-20217). + * 39_decompress_iob: Fix detection of insufficient data. + * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216). + * 41_CVE-2020-35502: Fixed memory leaks when a response is buffered and +the buffer limit is reached or Privoxy is running out of memory +(CVE-2020-35502). + * 42_CVE-2021-20209: Fixed a memory leak in the show-status CGI handler +when no action files are configured (CVE-2021-20209). + * 43_CVE-2021-20210: Fixed a memory leak in the show-status CGI handler +when no filter files are configured (CVE-2021-20210). + * 44_CVE-2021-20211: Fixes a memory leak when client tags are active +(CVE-2021-20211). + * 45_CVE-2021-20212: Fixed a memory leak if multiple filters are +executed and the last one is skipped due to a pcre error (CVE-2021-20212). + * 46_CVE-2021-20213: Prevent an unlikely dereference of a NULL-pointer +that could result in a crash if accept-intercepted-requests was +enabled, Privoxy failed to get the request destination from the Host +header and a memory allocation failed (CVE-2021-20213). + * 47_CVE-2021-20214: Fixed memory leaks in the client-tags CGI handler +when client tags are configured and memory allocations fail +(CVE-2021-20214). + + -- Roland Rosenfeld Thu, 04 Feb 2021 20:38:58 +0100 + privoxy (3.0.28-2) unstable; urgency=medium * d/tests/privoxy-regression-test: Remove tmpdir on exit. diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml privoxy-3.0.28/debian/gitlab-ci.yml --- privoxy-3.0.28/debian/gitlab-ci.yml 2019-01-06 13:07:14.0 +0100 +++ privoxy-3.0.28/debian/gitlab-ci.yml 1970-01-01 01:00:00.0 +0100 
@@ -1,16 +0,0 @@ -include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - -build: -extends: .build-unstable - -reprotest: -extends: .test-reprotest - -lintian: -extends: .test-lintian - -autopkgtest: -extends: .test-autopkgtest - -piuparts: -extends: .test-piuparts diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch --- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 1970-01-01 01:00:00.0 +0100 +++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 2021-02-04 20:38:58.0 +0100 @@ -0,0 +1,34 @@ +commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a +Author: Fabian Keil +Date: Sat Jan 30 15:04:17 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b +Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217) + +parse_cgi_parameters(): Make sure the maximum number of segments is large enough + +... for ssplit() to succeed. + +Prevents an assertion from getting triggered. OVE-20210130-0001. + +Reported by: Joshua Rogers (Opera) + +--- a/cgi.c b/cgi.c +@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters( + * The same hack is used in get_last_url() so it looks like + * a real solution is needed. + */ +- size_t max_segments = strlen(argstring) / 2; +- if (max_segments == 0) +- { +- /* +- * XXX: If the argstring is empty, there's really +- * no point in creating a param list, but currently +- * other parts of Privoxy depend on the list's existence. +- */ +- max_segments = 1; +- } ++ size_t max_segments = strlen(argstring) / 2 + 1; +vector = malloc_or_die(max_segments * sizeof(char *)); + +cgi_params = new_map(); diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch privoxy-3.0.28/debian/patches/39_decompress_iob.patch --- privoxy-3.0.28/debian/patches/39_decompress_iob.patch 1970-01-01 01:00:00.0 +0100 +++ privoxy-3.0.28/debian/patches/39_decompress_iob.patch 2021-02-04 20:38:58.0 +0100 @@ -0,0 +1,22 @@
Bug#981664: buster-pu: package privoxy/3.0.28-2
On Tue, Feb 02, 2021 at 07:15:37PM +0100, Roland Rosenfeld wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> This fixes CVE-2021-20216 and CVE-2021-20217.
> Since both are tagged " (Minor issue)" in security tracker, I
> tend to send this into the next point release of buster.

Hi Roland,

yesterday upstream assigned a few additional CVE IDs (also no-dsa):
https://www.openwall.com/lists/oss-security/2021/02/03/3, maybe you
also want to fold these in?

Cheers,
Moritz
Bug#981664: buster-pu: package privoxy/3.0.28-2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

This fixes CVE-2021-20216 and CVE-2021-20217.
Since both are tagged " (Minor issue)" in security tracker, I tend to send this into the next point release of buster.

Salsa-CI passed: https://salsa.debian.org/debian/privoxy/-/pipelines/226257

Attached you'll find a diff against 3.0.28-2.

Greetings
Roland

diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog --- privoxy-3.0.28/debian/changelog 2019-01-06 13:07:14.0 +0100 +++ privoxy-3.0.28/debian/changelog 2021-02-02 18:03:02.0 +0100 @@ -1,3 +1,12 @@ +privoxy (3.0.28-2+deb10u1) buster; urgency=medium + + * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request +(CVE-2021-20217). + * 39_decompress_iob: Fix detection of insufficient data. + * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216). + + -- Roland Rosenfeld Tue, 02 Feb 2021 18:03:02 +0100 + privoxy (3.0.28-2) unstable; urgency=medium * d/tests/privoxy-regression-test: Remove tmpdir on exit. diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml privoxy-3.0.28/debian/gitlab-ci.yml --- privoxy-3.0.28/debian/gitlab-ci.yml 2019-01-06 13:07:14.0 +0100 +++ privoxy-3.0.28/debian/gitlab-ci.yml 1970-01-01 01:00:00.0 +0100 @@ -1,16 +0,0 @@ -include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - -build: -extends: .build-unstable - -reprotest: -extends: .test-reprotest - -lintian: -extends: .test-lintian - -autopkgtest: -extends: .test-autopkgtest - -piuparts: -extends: .test-piuparts diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch --- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 1970-01-01 01:00:00.0 +0100 +++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 2021-02-02 18:03:02.0 +0100 
@@ -0,0 +1,34 @@ +commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a +Author: Fabian Keil +Date: Sat Jan 30 15:04:17 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b +Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217) + +parse_cgi_parameters(): Make sure the maximum number of segments is large enough + +... for ssplit() to succeed. + +Prevents an assertion from getting triggered. OVE-20210130-0001. + +Reported by: Joshua Rogers (Opera) + +--- a/cgi.c b/cgi.c +@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters( + * The same hack is used in get_last_url() so it looks like + * a real solution is needed. + */ +- size_t max_segments = strlen(argstring) / 2; +- if (max_segments == 0) +- { +- /* +- * XXX: If the argstring is empty, there's really +- * no point in creating a param list, but currently +- * other parts of Privoxy depend on the list's existence. +- */ +- max_segments = 1; +- } ++ size_t max_segments = strlen(argstring) / 2 + 1; +vector = malloc_or_die(max_segments * sizeof(char *)); + +cgi_params = new_map(); diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch privoxy-3.0.28/debian/patches/39_decompress_iob.patch --- privoxy-3.0.28/debian/patches/39_decompress_iob.patch 1970-01-01 01:00:00.0 +0100 +++ privoxy-3.0.28/debian/patches/39_decompress_iob.patch 2021-02-02 18:03:02.0 +0100 
@@ -0,0 +1,22 @@ +commit f5c1a886b7ae20da7eafb77926252eb521260728 +Author: Fabian Keil +Date: Thu Jan 28 16:26:45 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f5c1a +Subject: decompress_iob(): Fix detection of insufficient data + +Instead of checking the size of the iob we have to +check the size of the actual data. + +Previously Privoxy could try to work on uninitialized data. + +--- a/parsers.c b/parsers.c +@@ -433,7 +433,7 @@ jb_err decompress_iob(struct client_stat + +cur = csp->iob->cur; + +- if (bufsize < (size_t)10) ++ if (old_size < (size_t)10) +{ + /* +* This is to protect the parsing of gzipped data, diff -Nru privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch --- privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch 1970-01-01 01:00:00.0 +0100 +++ privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch 2021-02-02 18:03:02.0 +0100 @@ -0,0 +1,21 @@ +commit f431d61740cc03c1c5f6b7f9c7a4a8d0bedd70dd +Author: Fabian Keil +Date: Thu Jan 28 18:02:56 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f431d +Subject: Fix a memory leak (CVE-2021-20216) + decompress_iob(): Fix a memory leak + +... when decompression fails "unexpectedly". + +OVE-20210128-0001. + +--- a/parsers.c b/parsers.c +@@ -701,6 +701,7 @@ jb_err decompress_iob(struct client_stat +
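Review bot: The debian/gitlab-ci.yml hunk (@@ -1,16 +0,0 @@) deletes the Salsa CI configuration, but the 3.0.28-2+deb10u1 changelog stanza lists only the patches. For a stable point-release upload, either drop this deletion from the diff or add a changelog line for it, so that what the release team reviews matches what is documented.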
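Review bot: In the cgi.c hunk of 38_CVE-2021-20217.patch, the context comment kept above the changed line still says "The same hack is used in get_last_url()", yet only parse_cgi_parameters() is adjusted here; please confirm whether get_last_url() needs the same `+ 1` sizing before this goes into a point release. The replacement `strlen(argstring) / 2 + 1` also removes the XXX comment that explained why an empty argstring must still produce a list, so a one-line comment noting that the `+ 1` covers the empty-string case would keep that rationale in the source.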
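Review bot: In the parsers.c hunk of 39_decompress_iob.patch (@@ -433,7 +433,7 @@), the guard now tests `old_size`, but its assignment lies outside the context lines, so the patch alone does not show that it holds the amount of buffered data at this point; worth checking against the 3.0.28 source that `old_size` is set before this check. The commit message states that Privoxy "could try to work on uninitialized data", which is more than the changelog line "Fix detection of insufficient data" conveys; consider stating that effect in debian/changelog.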