Bug#981664: buster-pu: package privoxy/3.0.28-2

2021-03-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2021-03-08 at 14:08 +0100, Roland Rosenfeld wrote:
> Hi release team!
> 
> In the meantime privoxy 3.0.32 was released, which contains five more
> CVEs. I applied four of them to 3.0.28-2+deb10u1.patch-v4 now, while
> CVE-2021-20274 applies to code that was introduced in 3.0.29, so it
> doesn't affect buster.
> 
> An updated version of my patch is attached.
> 

Please go ahead; thanks.

Regards,

Adam



Bug#981664: buster-pu: package privoxy/3.0.28-2

2021-03-08 Thread Roland Rosenfeld
Hi release team!

In the meantime privoxy 3.0.32 was released, which contains five more
CVEs. I applied four of them to 3.0.28-2+deb10u1.patch-v4 now, while
CVE-2021-20274 applies to code that was introduced in 3.0.29, so it
doesn't affect buster.

An updated version of my patch is attached.

Greetings
Roland
diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog
--- privoxy-3.0.28/debian/changelog 2019-01-06 13:07:14.0 +0100
+++ privoxy-3.0.28/debian/changelog 2021-03-08 13:57:15.0 +0100
@@ -1,3 +1,41 @@
+privoxy (3.0.28-2+deb10u1) buster; urgency=medium
+
+  * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
+(CVE-2021-20217).
+  * 39_decompress_iob: Fix detection of insufficient data.
+  * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216).
+  * 41_CVE-2020-35502: Fixed memory leaks when a response is buffered and
+the buffer limit is reached or Privoxy is running out of memory
+(CVE-2020-35502).
+  * 42_CVE-2021-20209: Fixed a memory leak in the show-status CGI handler
+when no action files are configured (CVE-2021-20209).
+  * 43_CVE-2021-20210: Fixed a memory leak in the show-status CGI handler
+when no filter files are configured (CVE-2021-20210).
+  * 44_CVE-2021-20211: Fixes a memory leak when client tags are active
+(CVE-2021-20211).
+  * 45_CVE-2021-20212: Fixed a memory leak if multiple filters are
+executed and the last one is skipped due to a pcre error (CVE-2021-20212).
+  * 46_CVE-2021-20213: Prevent an unlikely dereference of a NULL-pointer
+that could result in a crash if accept-intercepted-requests was
+enabled, Privoxy failed to get the request destination from the Host
+header and a memory allocation failed (CVE-2021-20213).
+  * 47_CVE-2021-20214: Fixed memory leaks in the client-tags CGI handler
+when client tags are configured and memory allocations fail
+(CVE-2021-20214).
+  * 48_CVE-2021-20215: Fixed memory leaks in the show-status CGI handler
+when memory allocations fail (CVE-2021-20215).
+  * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be
+triggered with a crafted CGI request (CVE-2021-20272).
+  * 50_CVE-2021-20273: cgi_send_banner(): Overrule invalid image types.
+Prevents a crash with a crafted CGI request if Privoxy is toggled off
+(CVE-2021-20273).
+  * 51_CVE-2021-20275: chunked_body_is_complete(): Prevent invalid read of
+size two (CVE-2021-20275).
+  * 52_CVE-2021-20276: Obsolete pcre: Prevent invalid memory accesses
+(CVE-2021-20276).
+
+ -- Roland Rosenfeld   Mon, 08 Mar 2021 13:57:15 +0100
+
 privoxy (3.0.28-2) unstable; urgency=medium
 
   * d/tests/privoxy-regression-test: Remove tmpdir on exit.
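
Review bot: the new changelog entries mix three verb forms: 44_CVE-2021-20211 says "Fixes a memory leak", entries 41 to 43, 45, 47 and 48 say "Fixed", and 38 to 40, 46 and 49 to 52 use the imperative ("Prevent", "Fix", "Remove"). Pick one form, for example the imperative that the upstream commit subjects quoted in the patch headers use, so the entry reads consistently.
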
diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml 
privoxy-3.0.28/debian/gitlab-ci.yml
--- privoxy-3.0.28/debian/gitlab-ci.yml 2019-01-06 13:07:14.0 +0100
+++ privoxy-3.0.28/debian/gitlab-ci.yml 1970-01-01 01:00:00.0 +0100
@@ -1,16 +0,0 @@
-include: 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-extends: .build-unstable
-
-reprotest:
-extends: .test-reprotest
-
-lintian:
-extends: .test-lintian
-
-autopkgtest:
-extends: .test-autopkgtest
-
-piuparts:
-extends: .test-piuparts
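
Review bot: the removal of debian/gitlab-ci.yml has no entry in the debian/changelog hunk above, which lists only patches 38 to 52. Either add a changelog line for it or leave the file out of this diff, so that the update contains only the changes it documents.
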
diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 
privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch
--- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch   1970-01-01 
01:00:00.0 +0100
+++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch   2021-03-08 
13:57:15.0 +0100
@@ -0,0 +1,34 @@
+commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a
+Author: Fabian Keil 
+Date:   Sat Jan 30 15:04:17 2021 +0100
+Applied-Upstream: 
https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b
+Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217)
+
+parse_cgi_parameters(): Make sure the maximum number of segments is large 
enough
+
+... for ssplit() to succeed.
+
+Prevents an assertion from getting triggered. OVE-20210130-0001.
+
+Reported by: Joshua Rogers (Opera)
+
+--- a/cgi.c
 b/cgi.c
+@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters(
+ *  The same hack is used in get_last_url() so it looks like
+ *  a real solution is needed.
+ */
+-   size_t max_segments = strlen(argstring) / 2;
+-   if (max_segments == 0)
+-   {
+-  /*
+-   * XXX: If the argstring is empty, there's really
+-   *  no point in creating a param list, but currently
+-   *  other parts of Privoxy depend on the list's existence.
+-   */
+-  max_segments = 1;
+-   }
++   size_t max_segments = strlen(argstring) / 2 + 1;
+vector = malloc_or_die(max_segments * sizeof(char *));
+ 
+cgi_params = new_map();
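
Review bot: the context comment kept at the top of this hunk says "The same hack is used in get_last_url()", but the patch only changes the sizing in parse_cgi_parameters(). Please check whether get_last_url() computes its segment limit the same way and needs the same "/ 2 + 1", or state in the patch description that it was checked. The removed XXX comment also recorded why an empty argstring still gets a limit of 1; a one-line comment next to the new max_segments line, saying that the "+ 1" covers both the empty string and the rounding down of odd lengths, would keep that reasoning in the code.
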
diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch 
privoxy-3.0.28/debian/patches/39_decompress_iob.patch
--- 

Bug#981664: buster-pu: package privoxy/3.0.28-2

2021-02-06 Thread Roland Rosenfeld
Hi!

> > yesterday upstream assigned a few additional CVE IDs (also no-dsa):
> > https://www.openwall.com/lists/oss-security/2021/02/03/3, maybe you
> > also want to fold these in?
> 
> You're right, I just did so and updated the buster package to
> incorporate all additional patches.
> 
> An updated patch is attached.

Seems that I overlooked CVE-2021-20215.
I now added a patch for it.

An updated diff against 3.0.28-2 is attached.

Greetings
Roland
diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog
--- privoxy-3.0.28/debian/changelog 2019-01-06 13:07:14.0 +0100
+++ privoxy-3.0.28/debian/changelog 2021-02-06 20:33:25.0 +0100
@@ -1,3 +1,32 @@
+privoxy (3.0.28-2+deb10u1) buster; urgency=medium
+
+  * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
+(CVE-2021-20217).
+  * 39_decompress_iob: Fix detection of insufficient data.
+  * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216).
+  * 41_CVE-2020-35502: Fixed memory leaks when a response is buffered and
+the buffer limit is reached or Privoxy is running out of memory
+(CVE-2020-35502).
+  * 42_CVE-2021-20209: Fixed a memory leak in the show-status CGI handler
+when no action files are configured (CVE-2021-20209).
+  * 43_CVE-2021-20210: Fixed a memory leak in the show-status CGI handler
+when no filter files are configured (CVE-2021-20210).
+  * 44_CVE-2021-20211: Fixes a memory leak when client tags are active
+(CVE-2021-20211).
+  * 45_CVE-2021-20212: Fixed a memory leak if multiple filters are
+executed and the last one is skipped due to a pcre error (CVE-2021-20212).
+  * 46_CVE-2021-20213: Prevent an unlikely dereference of a NULL-pointer
+that could result in a crash if accept-intercepted-requests was
+enabled, Privoxy failed to get the request destination from the Host
+header and a memory allocation failed (CVE-2021-20213).
+  * 47_CVE-2021-20214: Fixed memory leaks in the client-tags CGI handler
+when client tags are configured and memory allocations fail
+(CVE-2021-20214).
+  * 48_CVE-2021-20215: Fixed memory leaks in the show-status CGI handler
+when memory allocations fail (CVE-2021-20215).
+
+ -- Roland Rosenfeld   Sat, 06 Feb 2021 20:33:25 +0100
+
 privoxy (3.0.28-2) unstable; urgency=medium
 
   * d/tests/privoxy-regression-test: Remove tmpdir on exit.
diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml 
privoxy-3.0.28/debian/gitlab-ci.yml
--- privoxy-3.0.28/debian/gitlab-ci.yml 2019-01-06 13:07:14.0 +0100
+++ privoxy-3.0.28/debian/gitlab-ci.yml 1970-01-01 01:00:00.0 +0100
@@ -1,16 +0,0 @@
-include: 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-extends: .build-unstable
-
-reprotest:
-extends: .test-reprotest
-
-lintian:
-extends: .test-lintian
-
-autopkgtest:
-extends: .test-autopkgtest
-
-piuparts:
-extends: .test-piuparts
diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 
privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch
--- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch   1970-01-01 
01:00:00.0 +0100
+++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch   2021-02-06 
20:33:25.0 +0100
@@ -0,0 +1,34 @@
+commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a
+Author: Fabian Keil 
+Date:   Sat Jan 30 15:04:17 2021 +0100
+Applied-Upstream: 
https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b
+Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217)
+
+parse_cgi_parameters(): Make sure the maximum number of segments is large 
enough
+
+... for ssplit() to succeed.
+
+Prevents an assertion from getting triggered. OVE-20210130-0001.
+
+Reported by: Joshua Rogers (Opera)
+
+--- a/cgi.c
 b/cgi.c
+@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters(
+ *  The same hack is used in get_last_url() so it looks like
+ *  a real solution is needed.
+ */
+-   size_t max_segments = strlen(argstring) / 2;
+-   if (max_segments == 0)
+-   {
+-  /*
+-   * XXX: If the argstring is empty, there's really
+-   *  no point in creating a param list, but currently
+-   *  other parts of Privoxy depend on the list's existence.
+-   */
+-  max_segments = 1;
+-   }
++   size_t max_segments = strlen(argstring) / 2 + 1;
+vector = malloc_or_die(max_segments * sizeof(char *));
+ 
+cgi_params = new_map();
diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch 
privoxy-3.0.28/debian/patches/39_decompress_iob.patch
--- privoxy-3.0.28/debian/patches/39_decompress_iob.patch   1970-01-01 
01:00:00.0 +0100
+++ privoxy-3.0.28/debian/patches/39_decompress_iob.patch   2021-02-06 
20:33:25.0 +0100
@@ -0,0 +1,22 @@
+commit f5c1a886b7ae20da7eafb77926252eb521260728
+Author: Fabian Keil 
+Date:   Thu Jan 28 16:26:45 2021 +0100
+Applied-Upstream: 

Bug#981664: buster-pu: package privoxy/3.0.28-2

2021-02-04 Thread Roland Rosenfeld
Hi Moritz!

On Thu, 04 Feb 2021, Moritz Mühlenhoff wrote:

> On Tue, Feb 02, 2021 at 07:15:37PM +0100, Roland Rosenfeld wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > This fixes CVE-2021-20216 and CVE-2021-20217.
> > Since both are tagged " (Minor issue)" in security tracker, I
> > tend to send this into the next point release of buster.

> yesterday upstream assigned a few additional CVE IDs (also no-dsa):
> https://www.openwall.com/lists/oss-security/2021/02/03/3, maybe you
> also want to fold these in?

You're right, I just did so and updated the buster package to
incorporate all additional patches.

An updated patch is attached.

Greetings
Roland
diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog
--- privoxy-3.0.28/debian/changelog 2019-01-06 13:07:14.0 +0100
+++ privoxy-3.0.28/debian/changelog 2021-02-04 20:38:58.0 +0100
@@ -1,3 +1,30 @@
+privoxy (3.0.28-2+deb10u1) buster; urgency=medium
+
+  * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
+(CVE-2021-20217).
+  * 39_decompress_iob: Fix detection of insufficient data.
+  * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216).
+  * 41_CVE-2020-35502: Fixed memory leaks when a response is buffered and
+the buffer limit is reached or Privoxy is running out of memory
+(CVE-2020-35502).
+  * 42_CVE-2021-20209: Fixed a memory leak in the show-status CGI handler
+when no action files are configured (CVE-2021-20209).
+  * 43_CVE-2021-20210: Fixed a memory leak in the show-status CGI handler
+when no filter files are configured (CVE-2021-20210).
+  * 44_CVE-2021-20211: Fixes a memory leak when client tags are active
+(CVE-2021-20211).
+  * 45_CVE-2021-20212: Fixed a memory leak if multiple filters are
+executed and the last one is skipped due to a pcre error (CVE-2021-20212).
+  * 46_CVE-2021-20213: Prevent an unlikely dereference of a NULL-pointer
+that could result in a crash if accept-intercepted-requests was
+enabled, Privoxy failed to get the request destination from the Host
+header and a memory allocation failed (CVE-2021-20213).
+  * 47_CVE-2021-20214: Fixed memory leaks in the client-tags CGI handler
+when client tags are configured and memory allocations fail
+(CVE-2021-20214).
+
+ -- Roland Rosenfeld   Thu, 04 Feb 2021 20:38:58 +0100
+
 privoxy (3.0.28-2) unstable; urgency=medium
 
   * d/tests/privoxy-regression-test: Remove tmpdir on exit.
diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml 
privoxy-3.0.28/debian/gitlab-ci.yml
--- privoxy-3.0.28/debian/gitlab-ci.yml 2019-01-06 13:07:14.0 +0100
+++ privoxy-3.0.28/debian/gitlab-ci.yml 1970-01-01 01:00:00.0 +0100
@@ -1,16 +0,0 @@
-include: 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-extends: .build-unstable
-
-reprotest:
-extends: .test-reprotest
-
-lintian:
-extends: .test-lintian
-
-autopkgtest:
-extends: .test-autopkgtest
-
-piuparts:
-extends: .test-piuparts
diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 
privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch
--- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch   1970-01-01 
01:00:00.0 +0100
+++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch   2021-02-04 
20:38:58.0 +0100
@@ -0,0 +1,34 @@
+commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a
+Author: Fabian Keil 
+Date:   Sat Jan 30 15:04:17 2021 +0100
+Applied-Upstream: 
https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b
+Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217)
+
+parse_cgi_parameters(): Make sure the maximum number of segments is large 
enough
+
+... for ssplit() to succeed.
+
+Prevents an assertion from getting triggered. OVE-20210130-0001.
+
+Reported by: Joshua Rogers (Opera)
+
+--- a/cgi.c
 b/cgi.c
+@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters(
+ *  The same hack is used in get_last_url() so it looks like
+ *  a real solution is needed.
+ */
+-   size_t max_segments = strlen(argstring) / 2;
+-   if (max_segments == 0)
+-   {
+-  /*
+-   * XXX: If the argstring is empty, there's really
+-   *  no point in creating a param list, but currently
+-   *  other parts of Privoxy depend on the list's existence.
+-   */
+-  max_segments = 1;
+-   }
++   size_t max_segments = strlen(argstring) / 2 + 1;
+vector = malloc_or_die(max_segments * sizeof(char *));
+ 
+cgi_params = new_map();
diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch 
privoxy-3.0.28/debian/patches/39_decompress_iob.patch
--- privoxy-3.0.28/debian/patches/39_decompress_iob.patch   1970-01-01 
01:00:00.0 +0100
+++ privoxy-3.0.28/debian/patches/39_decompress_iob.patch   2021-02-04 
20:38:58.0 +0100
@@ -0,0 +1,22 @@

Bug#981664: buster-pu: package privoxy/3.0.28-2

2021-02-04 Thread Moritz Mühlenhoff
On Tue, Feb 02, 2021 at 07:15:37PM +0100, Roland Rosenfeld wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> This fixes CVE-2021-20216 and CVE-2021-20217.
> Since both are tagged " (Minor issue)" in security tracker, I
> tend to send this into the next point release of buster.

Hi Roland,
yesterday upstream assigned a few additional CVE IDs (also no-dsa):
https://www.openwall.com/lists/oss-security/2021/02/03/3, maybe you
also want to fold these in?

Cheers,
Moritz



Bug#981664: buster-pu: package privoxy/3.0.28-2

2021-02-02 Thread Roland Rosenfeld
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

This fixes CVE-2021-20216 and CVE-2021-20217.
Since both are tagged " (Minor issue)" in security tracker, I
tend to send this into the next point release of buster.

Salsa-CI passed: https://salsa.debian.org/debian/privoxy/-/pipelines/226257

Attached you'll find a diff against 3.0.28-2.

Greetings
Roland
diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog
--- privoxy-3.0.28/debian/changelog	2019-01-06 13:07:14.0 +0100
+++ privoxy-3.0.28/debian/changelog	2021-02-02 18:03:02.0 +0100
@@ -1,3 +1,12 @@
+privoxy (3.0.28-2+deb10u1) buster; urgency=medium
+
+  * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
+(CVE-2021-20217).
+  * 39_decompress_iob: Fix detection of insufficient data.
+  * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216).
+
+ -- Roland Rosenfeld   Tue, 02 Feb 2021 18:03:02 +0100
+
 privoxy (3.0.28-2) unstable; urgency=medium
 
   * d/tests/privoxy-regression-test: Remove tmpdir on exit.
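
Review bot: the entry "39_decompress_iob: Fix detection of insufficient data." states no impact, while the patch description further down says "Previously Privoxy could try to work on uninitialized data". Add that sentence to the changelog entry so a reader can see why a fix without a CVE ID is part of this update.
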
diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml privoxy-3.0.28/debian/gitlab-ci.yml
--- privoxy-3.0.28/debian/gitlab-ci.yml	2019-01-06 13:07:14.0 +0100
+++ privoxy-3.0.28/debian/gitlab-ci.yml	1970-01-01 01:00:00.0 +0100
@@ -1,16 +0,0 @@
-include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-extends: .build-unstable
-
-reprotest:
-extends: .test-reprotest
-
-lintian:
-extends: .test-lintian
-
-autopkgtest:
-extends: .test-autopkgtest
-
-piuparts:
-extends: .test-piuparts
diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch
--- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch	1970-01-01 01:00:00.0 +0100
+++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch	2021-02-02 18:03:02.0 +0100
@@ -0,0 +1,34 @@
+commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a
+Author: Fabian Keil 
+Date:   Sat Jan 30 15:04:17 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b
+Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217)
+
+parse_cgi_parameters(): Make sure the maximum number of segments is large enough
+
+... for ssplit() to succeed.
+
+Prevents an assertion from getting triggered. OVE-20210130-0001.
+
+Reported by: Joshua Rogers (Opera)
+
+--- a/cgi.c
 b/cgi.c
+@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters(
+ *  The same hack is used in get_last_url() so it looks like
+ *  a real solution is needed.
+ */
+-   size_t max_segments = strlen(argstring) / 2;
+-   if (max_segments == 0)
+-   {
+-  /*
+-   * XXX: If the argstring is empty, there's really
+-   *  no point in creating a param list, but currently
+-   *  other parts of Privoxy depend on the list's existence.
+-   */
+-  max_segments = 1;
+-   }
++   size_t max_segments = strlen(argstring) / 2 + 1;
+vector = malloc_or_die(max_segments * sizeof(char *));
+ 
+cgi_params = new_map();
diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch privoxy-3.0.28/debian/patches/39_decompress_iob.patch
--- privoxy-3.0.28/debian/patches/39_decompress_iob.patch	1970-01-01 01:00:00.0 +0100
+++ privoxy-3.0.28/debian/patches/39_decompress_iob.patch	2021-02-02 18:03:02.0 +0100
@@ -0,0 +1,22 @@
+commit f5c1a886b7ae20da7eafb77926252eb521260728
+Author: Fabian Keil 
+Date:   Thu Jan 28 16:26:45 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f5c1a
+Subject: decompress_iob(): Fix detection of insufficient data
+
+Instead of checking the size of the iob we have to
+check the size of the actual data.
+
+Previously Privoxy could try to work on uninitialized data.
+
+--- a/parsers.c
 b/parsers.c
+@@ -433,7 +433,7 @@ jb_err decompress_iob(struct client_stat
+ 
+cur = csp->iob->cur;
+ 
+-   if (bufsize < (size_t)10)
++   if (old_size < (size_t)10)
+{
+   /*
+* This is to protect the parsing of gzipped data,
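
Review bot: the size check now tests old_size instead of bufsize, but neither variable is defined inside the hunk context, so these lines do not show that old_size is already set when "if (old_size < (size_t)10)" runs. Please confirm that old_size is computed from the data actually held in the iob before this point. The description says "we have to check the size of the actual data"; naming the variable that holds that size there would make the backport easier to verify against 3.0.28.
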
diff -Nru privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch
--- privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch	1970-01-01 01:00:00.0 +0100
+++ privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch	2021-02-02 18:03:02.0 +0100
@@ -0,0 +1,21 @@
+commit f431d61740cc03c1c5f6b7f9c7a4a8d0bedd70dd
+Author: Fabian Keil 
+Date:   Thu Jan 28 18:02:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f431d
+Subject: Fix a memory leak (CVE-2021-20216)
+ decompress_iob(): Fix a memory leak
+
+... when decompression fails "unexpectedly".
+
+OVE-20210128-0001.
+
+--- a/parsers.c
 b/parsers.c
+@@ -701,6 +701,7 @@ jb_err decompress_iob(struct client_stat
+
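
Review bot: the Applied-Upstream link in this header ends in the five-character abbreviation "h=f431d", 39_decompress_iob uses "h=f5c1a", and 38_CVE-2021-20217 uses six characters ("h=5bba5b"), while each header already carries the full hash on its commit line. Use the full commit hash in the URL in all three patch headers so the reference stays unambiguous.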