Hi!
(please Cc: me in reply, since I'm not subscribed to debian-lts)
Privoxy upstream just released version 3.0.32, which fixes five new
CVEs, which are also reported at security-tracker.
I prepared a package that fixes CVE-2021-20272, CVE-2021-20273,
CVE-2021-20275, and CVE-2021-20276.
CVE-2021-20274 is missing, since this affects code that was
introduced in 3.0.29, so the stretch package is not affected, since we
shipped 3.0.26 in stretch. I requested on IRC #debian-security to
tag stretch and buster as not affected for this CVE.
Since all other CVEs are tagged "minor issue" on security-tracker, I'm
not sure whether it's worth doing a LTS upload for this.
If you think so, feel free to use it or tell me what I have to do to
upload it...
A patch against 3.0.26-3+deb9u1 is attached.
Salsa pipeline was successful with this:
https://salsa.debian.org/debian/privoxy/-/pipelines/237014 including
the testsuite.
Greetings
Roland
diff -Nru privoxy-3.0.26/debian/changelog privoxy-3.0.26/debian/changelog
--- privoxy-3.0.26/debian/changelog 2021-02-06 21:42:01.0 +0100
+++ privoxy-3.0.26/debian/changelog 2021-03-08 14:11:04.0 +0100
@@ -1,3 +1,17 @@
+privoxy (3.0.26-3+deb9u2) stretch-security; urgency=medium
+
+ * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be
+triggered with a crafted CGI request (CVE-2021-20272).
+ * 50_CVE-2021-20273: cgi_send_banner(): Overrule invalid image types.
+Prevents a crash with a crafted CGI request if Privoxy is toggled off
+(CVE-2021-20273).
+ * 51_CVE-2021-20275: chunked_body_is_complete(): Prevent invalid read of
+size two (CVE-2021-20275).
+ * 52_CVE-2021-20276: Obsolete pcre: Prevent invalid memory accesses
+(CVE-2021-20276).
+
+ -- Roland Rosenfeld Mon, 08 Mar 2021 14:11:04 +0100
+
privoxy (3.0.26-3+deb9u1) stretch-security; urgency=medium
* 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
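Review bot: the new changelog entry lists the four backported fixes but says nothing about CVE-2021-20274, which the cover mail explains is not applicable because the affected code only appeared in 3.0.29 while stretch ships 3.0.26; a one-line remark in this entry (e.g. "CVE-2021-20274 does not affect 3.0.26, vulnerable code introduced in 3.0.29") would document the decision next to the fixes and match the not-affected tagging requested for the tracker. The entry descriptions otherwise mirror the upstream subject lines of the 49_ to 52_ patches, which makes cross-checking easy.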
diff -Nru privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch
--- privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch 1970-01-01 01:00:00.0 +0100
+++ privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch 2021-03-08 14:11:04.0 +0100
@@ -0,0 +1,32 @@
+commit 2256d7b4d67dd9c364386877d5af59943433458b
+Author: Fabian Keil
+Date: Wed Feb 3 19:08:20 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=2256d7b4d67
+Subject: ssplit(): Remove an assertion that could be triggered with a crafted
+ CGI request (CVE-2021-20272).
+
+This reverts dc4e311bcf.
+
+OVE-20210203-0001.
+
+Reported by: Joshua Rogers (Opera)
+
+--- a/ssplit.c
b/ssplit.c
+@@ -37,7 +37,6 @@ const char ssplit_rcs[] = "$Id: ssplit.c
+
+ #include
+ #include
+-#include
+
+ #include "ssplit.h"
+ #include "miscutil.h"
+@@ -153,8 +152,6 @@ int ssplit(char *str, const char *delim,
+ }
+}
+/* null terminate the substring */
+- /* XXX: this shouldn't be necessary, so assert that it isn't. */
+- assert(*str == '\0');
+*str = '\0';
+
+return(vec_count);
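Review bot: as rendered here, the `b/ssplit.c` file header has lost its `+++` prefix and the three `#include` lines of the `@@ -37,7 +37,6 @@` hunk have lost their header names, so this copy of the patch would not apply as shown; if that is only mail or archive mangling, it is still worth confirming that the attached file applies cleanly with `quilt push -a` and that the removed include is the one only the deleted `assert(*str == '\0')` needed, which the passing Salsa pipeline (including the test suite) suggests. The change itself is a straight revert of dc4e311bcf, leaving only `*str = '\0';` in place of the assertion, which is what the upstream commit describes.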
diff -Nru privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch
--- privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch 1970-01-01 01:00:00.0 +0100
+++ privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch 2021-03-08 14:11:04.0 +0100
@@ -0,0 +1,28 @@
+commit e711c505c4830ab271938d61af90a2075523f058
+Author: Fabian Keil
+Date: Sat Feb 6 20:43:06 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=e711c505c48
+Subject: cgi_send_banner(): Overrule invalid image types. Prevents a crash with
+ a crafted CGI request if Privoxy is toggled off.(CVE-2021-20273).
+
+OVE-20210206-0001.
+
+Reported by: Joshua Rogers (Opera)
+
+--- a/cgisimple.c
b/cgisimple.c
+@@ -468,6 +468,14 @@ jb_err cgi_send_banner(struct client_sta
+ {
+char imagetype = lookup(parameters, "type")[0];
+
++ if (imagetype != 'a' && imagetype != 'b' &&
++ imagetype != 'p' && imagetype != 't')
++ {
++ log_error(LOG_LEVEL_ERROR, "Overruling invalid image type '%c'.",
++ imagetype);
++ imagetype = 'p';
++ }
++
+/*
+ * If type is auto, then determine the right thing
+ * to do from the set-image-blocker action
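Review bot: the new check accepts only 'a', 'b', 'p' and 't' and downgrades anything else to 'p' after a LOG_LEVEL_ERROR entry, so a request with no `type` parameter at all is worth checking too: if `lookup()` yields an empty string for a missing key, `imagetype` is '\0' and now takes this path, which is fine as a crash guard but means every such request writes an error-level log line; confirm that is what upstream e711c505c48 intends so the LTS backport matches. Nit: the Subject line reads "toggled off.(CVE-2021-20273)" and is missing the space before the parenthesis.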
diff -Nru privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch
--- privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch 1970-01-01 01:00:00.0 +0100
+++ privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch 2021-03-08 14:11:04.0 +0100
@@ -0,0 +1,26 @@
+commit a912ba7bc9ce5855a810d09332e9d94566ce1521
+Author: Fabian Keil
+Date: Fri Feb 5 05:06:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=a912ba7bc9c
+Subject: chunked_body_is_complete(): Prevent invalid read of size two
+
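Review bot: the Subject line in this patch header omits the CVE id, whereas 49_CVE-2021-20272.patch and 50_CVE-2021-20273.patch end their subjects with "(CVE-2021-20272)" and "(CVE-2021-20273)"; appending "(CVE-2021-20275)" keeps the DEP-3 headers consistent and greppable. The remainder of this file and 52_CVE-2021-20276.patch are not included in this message, so their hunks cannot be reviewed from here.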