Hi release team!

In the meantime privoxy 3.0.32 was released, which contains five more CVEs. I applied four of them to 3.0.28-2+deb10u1.patch-v4 now, while CVE-2021-20274 applies to code that was introduced in 3.0.29, so it doesn't affect buster.

An updated version of my patch is attached.

Greetings
Roland
diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog
--- privoxy-3.0.28/debian/changelog 2019-01-06 13:07:14.000000000 +0100
+++ privoxy-3.0.28/debian/changelog 2021-03-08 13:57:15.000000000 +0100
@@ -1,3 +1,41 @@
+privoxy (3.0.28-2+deb10u1) buster; urgency=medium
+
+ * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
+ (CVE-2021-20217).
+ * 39_decompress_iob: Fix detection of insufficient data.
+ * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216).
+ * 41_CVE-2020-35502: Fixed memory leaks when a response is buffered and
+ the buffer limit is reached or Privoxy is running out of memory
+ (CVE-2020-35502).
+ * 42_CVE-2021-20209: Fixed a memory leak in the show-status CGI handler
+ when no action files are configured (CVE-2021-20209).
+ * 43_CVE-2021-20210: Fixed a memory leak in the show-status CGI handler
+ when no filter files are configured (CVE-2021-20210).
+ * 44_CVE-2021-20211: Fixes a memory leak when client tags are active
+ (CVE-2021-20211).
+ * 45_CVE-2021-20212: Fixed a memory leak if multiple filters are
+ executed and the last one is skipped due to a pcre error (CVE-2021-20212).
+ * 46_CVE-2021-20213: Prevent an unlikely dereference of a NULL-pointer
+ that could result in a crash if accept-intercepted-requests was
+ enabled, Privoxy failed to get the request destination from the Host
+ header and a memory allocation failed (CVE-2021-20213).
+ * 47_CVE-2021-20214: Fixed memory leaks in the client-tags CGI handler
+ when client tags are configured and memory allocations fail
+ (CVE-2021-20214).
+ * 48_CVE-2021-20215: Fixed memory leaks in the show-status CGI handler
+ when memory allocations fail (CVE-2021-20215).
+ * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be
+ triggered with a crafted CGI request (CVE-2021-20272).
+ * 50_CVE-2021-20273: cgi_send_banner(): Overrule invalid image types.
+ Prevents a crash with a crafted CGI request if Privoxy is toggled off
+ (CVE-2021-20273).
+ * 51_CVE-2021-20275: chunked_body_is_complete(): Prevent invalid read of
+ size two (CVE-2021-20275).
+ * 52_CVE-2021-20276: Obsolete pcre: Prevent invalid memory accesses
+ (CVE-2021-20276).
+
+ -- Roland Rosenfeld <roland@debian.org> Mon, 08 Mar 2021 13:57:15 +0100
+
privoxy (3.0.28-2) unstable; urgency=medium
* d/tests/privoxy-regression-test: Remove tmpdir on exit.
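Review bot: The new changelog entry lists only the 15 quilt patches, but this debdiff also deletes debian/gitlab-ci.yml and adds debian/salsa-ci.yml with RELEASE: 'buster'; add a line for that packaging change, or drop it from the upload, so the entry matches the diff. The item for 44_CVE-2021-20211 says "Fixes" where the other items say "Fixed".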
diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml privoxy-3.0.28/debian/gitlab-ci.yml
--- privoxy-3.0.28/debian/gitlab-ci.yml 2019-01-06 13:07:14.000000000 +0100
+++ privoxy-3.0.28/debian/gitlab-ci.yml 1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
- extends: .build-unstable
-
-reprotest:
- extends: .test-reprotest
-
-lintian:
- extends: .test-lintian
-
-autopkgtest:
- extends: .test-autopkgtest
-
-piuparts:
- extends: .test-piuparts
diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch
--- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,34 @@
+commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Sat Jan 30 15:04:17 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b
+Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217)
+
+ parse_cgi_parameters(): Make sure the maximum number of segments is large enough
+
+ ... for ssplit() to succeed.
+
+ Prevents an assertion from getting triggered. OVE-20210130-0001.
+
+ Reported by: Joshua Rogers (Opera)
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters(
+ * The same hack is used in get_last_url() so it looks like
+ * a real solution is needed.
+ */
+- size_t max_segments = strlen(argstring) / 2;
+- if (max_segments == 0)
+- {
+- /*
+- * XXX: If the argstring is empty, there's really
+- * no point in creating a param list, but currently
+- * other parts of Privoxy depend on the list's existence.
+- */
+- max_segments = 1;
+- }
++ size_t max_segments = strlen(argstring) / 2 + 1;
+ vector = malloc_or_die(max_segments * sizeof(char *));
+
+ cgi_params = new_map();
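Review bot: The context comment kept above the changed line in parse_cgi_parameters() says "The same hack is used in get_last_url()", yet only cgi.c is touched. Please confirm that the max_segments computation in get_last_url() in 3.0.28 cannot come out too small for ssplit() in the same way, or say in the patch header why it is not affected.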
diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch privoxy-3.0.28/debian/patches/39_decompress_iob.patch
--- privoxy-3.0.28/debian/patches/39_decompress_iob.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/39_decompress_iob.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,22 @@
+commit f5c1a886b7ae20da7eafb77926252eb521260728
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Thu Jan 28 16:26:45 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f5c1a
+Subject: decompress_iob(): Fix detection of insufficient data
+
+ Instead of checking the size of the iob we have to
+ check the size of the actual data.
+
+ Previously Privoxy could try to work on uninitialized data.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -433,7 +433,7 @@ jb_err decompress_iob(struct client_stat
+
+ cur = csp->iob->cur;
+
+- if (bufsize < (size_t)10)
++ if (old_size < (size_t)10)
+ {
+ /*
+ * This is to protect the parsing of gzipped data,
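Review bot: The assignment of old_size is not visible in the context of the parsers.c hunk at line 433, and the upstream commit was made against a newer tree. Please confirm that in 3.0.28 old_size already holds the size of the actual data before this check is reached. The header says Privoxy "could try to work on uninitialized data", which the changelog item for this patch does not mention; carrying that sentence over would help whoever triages the update.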
diff -Nru privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch
--- privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,21 @@
+commit f431d61740cc03c1c5f6b7f9c7a4a8d0bedd70dd
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Thu Jan 28 18:02:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f431d
+Subject: Fix a memory leak (CVE-2021-20216)
+ decompress_iob(): Fix a memory leak
+
+ ... when decompression fails "unexpectedly".
+
+ OVE-20210128-0001.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -701,6 +701,7 @@ jb_err decompress_iob(struct client_stat
+ log_error(LOG_LEVEL_ERROR,
+ "Unexpected error while decompressing to the buffer (iob): %s",
+ zstr.msg);
++ freez(buf);
+ return JB_ERR_COMPRESS;
+ }
+
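Review bot: On the "Unexpected error while decompressing" return in decompress_iob() there is now a freez(buf) but no inflateEnd(&zstr), while 41_CVE-2020-35502 adds inflateEnd(&zstr) to two other early returns of the same function. The three context lines do not show whether the zlib stream has already been ended at this point; if it has not, this return still leaks the inflate state. Separately, the upstream title "decompress_iob(): Fix a memory leak" follows the Subject: line without a blank line, so it reads as part of the subject.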
diff -Nru privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch
--- privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,25 @@
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Mon Mar 2 18:14:29 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=4490d451f9b, https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=bbd53f1010b
+Subject: Fixed memory leaks when a response is buffered and the buffer limit
+ is reached or Privoxy is running out of memory (CVE-2020-35502)
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -633,6 +633,8 @@ jb_err decompress_iob(struct client_stat
+ if (bufsize >= csp->config->buffer_limit)
+ {
+ log_error(LOG_LEVEL_ERROR, "Buffer limit reached while decompressing iob");
++ freez(buf);
++ inflateEnd(&zstr);
+ return JB_ERR_MEMORY;
+ }
+
+@@ -651,6 +653,7 @@ jb_err decompress_iob(struct client_stat
+ {
+ log_error(LOG_LEVEL_ERROR, "Out of memory decompressing iob");
+ freez(buf);
++ inflateEnd(&zstr);
+ return JB_ERR_MEMORY;
+ }
+ else
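Review bot: The header of this patch has no commit line and a single Author/Date, although Applied-Upstream names two upstream commits (4490d451f9b and bbd53f1010b). Say which of the two parsers.c hunks comes from which commit, so the backport can be checked against upstream hunk by hunk.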
diff -Nru privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch
--- privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,17 @@
+commit c62254a686dcd40e3b6e5753d0c7c0308209a7b6
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Sun Aug 30 09:25:47 2020 +0200
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=c62254a686
+Subject: Fixed a memory leak in the show-status CGI handler when
+ no action files are configured. CVE-2021-20209.
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -1190,6 +1190,7 @@ jb_err cgi_show_status(struct client_sta
+ else
+ {
+ if (!err) err = map(exports, "actions-filenames", 1, "<tr><td>None specified</td></tr>", 1);
++ freez(s);
+ }
+
+ /*
diff -Nru privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch
--- privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,20 @@
+commit 1b1370f7a8a9cc5434d3e0e54dd620df1e70c873
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Sun Aug 30 09:24:48 2020 +0200
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=1b1370f7a8a
+Subject: Fixed a memory leak in the show-status CGI handler when no filter
+ files are configured (CVE-2021-20210).
+ cgi_show_status: Don't leak memory when no filter files are specified
+
+ Sponsored by: Robert Klemme
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -1218,6 +1218,7 @@ jb_err cgi_show_status(struct client_sta
+ {
+ if (!err) err = map(exports, "re-filter-filenames", 1, "<tr><td>None specified</td></tr>", 1);
+ if (!err) err = map_block_killer(exports, "have-filterfile");
++ freez(s);
+ }
+
+ #ifdef FEATURE_TRUST
diff -Nru privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch
--- privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,24 @@
+commit 245e1cf325bc957df6226c745b7ac3f67a97ea07
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Mon Mar 2 13:05:13 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=245e1cf32
+Subject: Fixes a memory leak when client tags are active (CVE-2021-20211).
+
+ free_csp_resources(): Destroy csp->client_tags
+
+ Fixes a memory leak when client tags are active.
+
+ Sponsored by: Robert Klemme
+
+--- a/loaders.c
++++ b/loaders.c
+@@ -113,6 +113,9 @@ void free_csp_resources(struct client_st
+
+ destroy_list(csp->headers);
+ destroy_list(csp->tags);
++#ifdef FEATURE_CLIENT_TAGS
++ destroy_list(csp->client_tags);
++#endif
+
+ free_current_action(csp->action);
+ }
diff -Nru privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch
--- privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,26 @@
+commit 5cfb7bc8feecc82eb161450faa572abf9be19cbb
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Thu Sep 24 10:44:00 2020 +0200
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5cfb7bc8fe
+Subject: Fixed a memory leak if multiple filters are executed and the last
+ one is skipped due to a pcre error (CVE-2021-20212)
+ pcrs_filter_response(): Free the old data if there are no hits
+
+ ... and it's different from the data in iob and the new data.
+
+ Fixes a memory leak if multiple filters are executed
+ and the last one is skipped due to a pcre error.
+
+--- a/filters.c
++++ b/filters.c
+@@ -1664,6 +1664,10 @@ static char *pcrs_filter_response(struct
+ */
+ if (!hits)
+ {
++ if (old != csp->iob->cur && old != new)
++ {
++ freez(old);
++ }
+ freez(new);
+ return(NULL);
+ }
diff -Nru privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch
--- privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,45 @@
+commit 75301323495579ff27bdaaea67e31e2df83475fc
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Tue Nov 10 13:50:59 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=7530132349
+Subject: Prevent an unlikely dereference of a NULL-pointer that could result
+ in a crash if accept-intercepted-requests was enabled, Privoxy failed to get
+ the request destination from the Host header and a memory allocation failed.
+ (CVE-2021-20213).
+
+ get_request_destination_elsewhere(): Prevent unlikely dereference of a NULL-pointer
+
+ ... if getting the destination fails and list_to_text() fails
+ as well.
+
+ CID 267165
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -548,8 +548,6 @@ static int client_has_unsupported_expect
+ *********************************************************************/
+ static jb_err get_request_destination_elsewhere(struct client_state *csp, struct list *headers)
+ {
+- char *req;
+-
+ if (!(csp->config->feature_flags & RUNTIME_FEATURE_ACCEPT_INTERCEPTED_REQUESTS))
+ {
+ log_error(LOG_LEVEL_ERROR, "%s's request: \'%s\' is invalid."
+@@ -578,15 +576,12 @@ static jb_err get_request_destination_el
+ {
+ /* We can't work without destination. Go spread the news.*/
+
+- req = list_to_text(headers);
+- chomp(req);
+ /* XXX: Use correct size */
+ log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 400 0",
+ csp->ip_addr_str, csp->http->cmd);
+ log_error(LOG_LEVEL_ERROR,
+- "Privoxy was unable to get the destination for %s's request:\n%s\n%s",
+- csp->ip_addr_str, csp->http->cmd, req);
+- freez(req);
++ "Privoxy was unable to get the destination for %s's request: %s",
++ csp->ip_addr_str, csp->http->cmd);
+
+ write_socket_delayed(csp->cfd, MISSING_DESTINATION_RESPONSE,
+ strlen(MISSING_DESTINATION_RESPONSE), get_write_delay(csp));
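Review bot: With req removed in get_request_destination_elsewhere(), the LOG_LEVEL_ERROR message no longer contains the request headers, only csp->ip_addr_str and csp->http->cmd. That is a visible logging change for anyone who triages "unable to get the destination" errors from the log, and neither the Subject nor the changelog item mentions it; add a sentence saying so. The "XXX: Use correct size" comment above the CLF line is left as it was.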
diff -Nru privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch
--- privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,29 @@
+commit cf5640eb2a57197717758e225ad6e11cbaab1d6c
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Tue Nov 10 12:33:53 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=cf5640eb2a
+Subject: Fixed memory leaks in the client-tags CGI handler when client tags
+ are configured and memory allocations fail (CVE-2021-20214).
+
+ cgi_show_client_tags(): Plug memory leaks
+
+ CID 267168
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -404,6 +404,7 @@ jb_err cgi_show_client_tags(struct clien
+ snprintf(buf, sizeof(buf), "%d", csp->config->client_tag_lifetime);
+ if (map(exports, "refresh-delay", 1, buf, 1))
+ {
++ freez(client_tag_status);
+ free_map(exports);
+ return JB_ERR_MEMORY;
+ }
+@@ -413,6 +414,7 @@ jb_err cgi_show_client_tags(struct clien
+ err = map_block_killer(exports, "tags-expire");
+ if (err != JB_ERR_OK)
+ {
++ freez(client_tag_status);
+ return err;
+ }
+ }
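Review bot: In the second cgisimple.c hunk (line 413) the error return after map_block_killer(exports, "tags-expire") frees client_tag_status but returns without free_map(exports), whereas the error return in the first hunk calls both. If map_block_killer() does not release exports itself when it fails, this path still leaks the map; please check against upstream and note the result in the patch header.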
diff -Nru privoxy-3.0.28/debian/patches/48_CVE-2021-20215.patch privoxy-3.0.28/debian/patches/48_CVE-2021-20215.patch
--- privoxy-3.0.28/debian/patches/48_CVE-2021-20215.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/48_CVE-2021-20215.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,38 @@
+commit fdee85c0bf3e2dbd7722ddc45e9ed912f02a2136
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Tue Nov 10 11:47:18 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=064eac5fd0
+ https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=fdee85c0bf3
+Subject: Fixed memory leaks in the show-status CGI handler when memory
+ allocations fail (CVE-2021-20215).
+
+ Plug memory leak in cgi_show_status()
+
+ CID 305233
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -1185,9 +1185,9 @@ jb_err cgi_show_status(struct client_sta
+ if (!err) err = string_append(&s, "</td></tr>\n");
+ }
+ }
+- if (*s != '\0')
++ if (!err && *s != '\0')
+ {
+- if (!err) err = map(exports, "actions-filenames", 1, s, 0);
++ err = map(exports, "actions-filenames", 1, s, 0);
+ }
+ else
+ {
+@@ -1212,9 +1212,9 @@ jb_err cgi_show_status(struct client_sta
+ if (!err) err = string_append(&s, "</td></tr>\n");
+ }
+ }
+- if (*s != '\0')
++ if (!err && *s != '\0')
+ {
+- if (!err) err = map(exports, "re-filter-filenames", 1, s, 0);
++ err = map(exports, "re-filter-filenames", 1, s, 0);
+ }
+ else
+ {
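Review bot: The new condition "if (!err && *s != '\0')" in both cgi_show_status() hunks sends the error case into the else branch, where s is only released by the freez(s) lines that 42_CVE-2021-20209 and 43_CVE-2021-20210 add. This patch therefore plugs the leak only when applied after those two; the series order is right, but the header should state the dependency. The commit line names fdee85c0bf3 while Applied-Upstream also lists 064eac5fd0; say which hunk comes from which commit.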
diff -Nru privoxy-3.0.28/debian/patches/49_CVE-2021-20272.patch privoxy-3.0.28/debian/patches/49_CVE-2021-20272.patch
--- privoxy-3.0.28/debian/patches/49_CVE-2021-20272.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/49_CVE-2021-20272.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,32 @@
+commit 2256d7b4d67dd9c364386877d5af59943433458b
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Wed Feb 3 19:08:20 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=2256d7b4d67
+Subject: ssplit(): Remove an assertion that could be triggered with a crafted
+ CGI request (CVE-2021-20272).
+
+ This reverts dc4e311bcf.
+
+ OVE-20210203-0001.
+
+ Reported by: Joshua Rogers (Opera)
+
+--- a/ssplit.c
++++ b/ssplit.c
+@@ -36,7 +36,6 @@
+
+ #include <string.h>
+ #include <stdlib.h>
+-#include <assert.h>
+
+ #include "ssplit.h"
+ #include "miscutil.h"
+@@ -150,8 +149,6 @@ int ssplit(char *str, const char *delim,
+ }
+ }
+ /* null terminate the substring */
+- /* XXX: this shouldn't be necessary, so assert that it isn't. */
+- assert(*str == '\0');
+ *str = '\0';
+
+ return(vec_count);
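Review bot: The first ssplit.c hunk drops #include <assert.h>, so the file only builds if the assert removed in the second hunk was the last one in ssplit.c. The header says this reverts dc4e311bcf; please confirm that 3.0.28 contains exactly that commit's changes to ssplit.c and that no further assert() call remains in the file.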
diff -Nru privoxy-3.0.28/debian/patches/50_CVE-2021-20273.patch privoxy-3.0.28/debian/patches/50_CVE-2021-20273.patch
--- privoxy-3.0.28/debian/patches/50_CVE-2021-20273.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/50_CVE-2021-20273.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,28 @@
+commit e711c505c4830ab271938d61af90a2075523f058
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Sat Feb 6 20:43:06 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=e711c505c48
+Subject: cgi_send_banner(): Overrule invalid image types. Prevents a crash with
+ a crafted CGI request if Privoxy is toggled off.(CVE-2021-20273).
+
+ OVE-20210206-0001.
+
+ Reported by: Joshua Rogers (Opera)
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -536,6 +536,14 @@ jb_err cgi_send_banner(struct client_sta
+ {
+ char imagetype = lookup(parameters, "type")[0];
+
++ if (imagetype != 'a' && imagetype != 'b' &&
++ imagetype != 'p' && imagetype != 't')
++ {
++ log_error(LOG_LEVEL_ERROR, "Overruling invalid image type '%c'.",
++ imagetype);
++ imagetype = 'p';
++ }
++
+ /*
+ * If type is auto, then determine the right thing
+ * to do from the set-image-blocker action
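Review bot: The new log_error() call in cgi_send_banner() prints the rejected imagetype with '%c', and that byte is taken directly from the request's type parameter, so it can be NUL (empty parameter) or a control character such as a newline. Unless log_error() escapes it, logging the value as a number (for example with %d) would keep the log line intact. The accepted set 'a', 'b', 'p', 't' is spelled out only in the condition; a short comment naming what each letter stands for would help.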
diff -Nru privoxy-3.0.28/debian/patches/51_CVE-2021-20275.patch privoxy-3.0.28/debian/patches/51_CVE-2021-20275.patch
--- privoxy-3.0.28/debian/patches/51_CVE-2021-20275.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/51_CVE-2021-20275.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,26 @@
+commit a912ba7bc9ce5855a810d09332e9d94566ce1521
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Fri Feb 5 05:06:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=a912ba7bc9c
+Subject: chunked_body_is_complete(): Prevent invalid read of size two
+ (CVE-2021-20275).
+
+ OVE-20210205-0001.
+
+ Reported by: Joshua Rogers (Opera)
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -1435,6 +1435,12 @@ static enum chunk_status chunked_body_is
+ /* Move beyond the chunkdata. */
+ p += 2 + chunksize;
+
++ /* Make sure we're still within the buffer and have two bytes left */
++ if (p + 2 > iob->eod)
++ {
++ return CHUNK_STATUS_MISSING_DATA;
++ }
++
+ /* There should be another "\r\n" to skip */
+ if (memcmp(p, "\r\n", 2))
+ {
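Review bot: The added bounds check in chunked_body_is_complete() runs after "p += 2 + chunksize", so p may already point far beyond iob->eod when it is compared, and on a platform where that addition wraps, the test "p + 2 > iob->eod" can pass. Unless chunksize is bounded earlier in the function (not visible in this context), compare chunksize with the number of bytes left up to iob->eod before advancing p.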
diff -Nru privoxy-3.0.28/debian/patches/52_CVE-2021-20276.patch privoxy-3.0.28/debian/patches/52_CVE-2021-20276.patch
--- privoxy-3.0.28/debian/patches/52_CVE-2021-20276.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/52_CVE-2021-20276.patch 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,79 @@
+commit 28512e5b62457f0ff6f2d72e3e5c9226b9e0203d
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Mon Feb 22 09:17:30 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=28512e5b624
+Subject: Obsolete pcre: Prevent invalid memory accesses (CVE-2021-20276)
+
+ ... with an invalid pattern passed to pcre_compile().
+
+ ==22377== Invalid write of size 1
+ ==22377== at 0x466E37: compile_branch (pcre.c:2001)
+ ==22377== by 0x45FA64: compile_regex (pcre.c:2164)
+ ==22377== by 0x45EE77: pcre_compile (pcre.c:3077)
+ ==22377== by 0x467B6D: regcomp (pcreposix.c:206)
+ ==22377== by 0x456FFF: compile_pattern (urlmatch.c:667)
+ ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+ ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+ ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+ ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+ ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+ ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
+ ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
+ ==22377== Address 0x7177469 is 4 bytes after a block of size 1,125 alloc'd
+ ==22377== at 0x4C26A44: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
+ ==22377== by 0x45ED5C: pcre_compile (pcre.c:3054)
+ ==22377== by 0x467B6D: regcomp (pcreposix.c:206)
+ ==22377== by 0x456FFF: compile_pattern (urlmatch.c:667)
+ ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+ ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+ ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+ ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+ ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+ ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
+ ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
+ ==22377== by 0x43ADDB: chat (jcc.c:4241)
+
+ ==22377== Invalid read of size 1
+ ==22377== at 0x466FCC: compile_branch (pcre.c:2053)
+ ==22377== by 0x45FA64: compile_regex (pcre.c:2164)
+ ==22377== by 0x45EE77: pcre_compile (pcre.c:3077)
+ ==22377== by 0x467B6D: regcomp (pcreposix.c:206)
+ ==22377== by 0x456FFF: compile_pattern (urlmatch.c:667)
+ ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+ ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+ ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+ ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+ ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+ ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
+ ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
+ ==22377== Address 0x7176fb1 is 0 bytes after a block of size 1,057 alloc'd
+ ==22377== at 0x4C26A44: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
+ ==22377== by 0x44C3F0: malloc_or_die (miscutil.c:194)
+ ==22377== by 0x456FBB: compile_pattern (urlmatch.c:662)
+ ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+ ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+ ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+ ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+ ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+ ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
+ ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
+ ==22377== by 0x43ADDB: chat (jcc.c:4241)
+ ==22377== by 0x439DA5: serve (jcc.c:4778)
+
+ OVE-20210222-0001.
+
+ pcre 8.44 does not seem to be affected.
+
+ Reported by: Joshua Rogers (Opera)
+
+--- a/pcre/pcre.c
++++ b/pcre/pcre.c
+@@ -2050,7 +2050,7 @@ for (;; ptr++)
+
+ /* This "while" is the end of the "do" above. */
+
+- while (length < MAXLIT && (cd->ctypes[c = *(++ptr)] & ctype_meta) == 0);
++ while (*ptr && length < MAXLIT && (cd->ctypes[c = *(++ptr)] & ctype_meta) == 0);
+
+ /* Update the last character and the count of literals */
+
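Review bot: In the new loop condition in pcre/pcre.c the NUL test is on *ptr before the ++ptr, so the byte that is then read into c is not itself checked; a short comment saying why that read stays inside the pattern would help the next reader. Since the change is to the bundled copy that the Subject calls "Obsolete pcre", and the header says pcre 8.44 does not seem to be affected, the changelog item should say whether the buster build uses the bundled code at all.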
diff -Nru privoxy-3.0.28/debian/patches/series privoxy-3.0.28/debian/patches/series
--- privoxy-3.0.28/debian/patches/series 2019-01-06 13:07:14.000000000 +0100
+++ privoxy-3.0.28/debian/patches/series 2021-03-08 13:57:15.000000000 +0100
@@ -10,3 +10,18 @@
35_man-spelling.patch
36_trusted-cgi-referer-example.patch
37_ppedit-tests403.patch
+38_CVE-2021-20217.patch
+39_decompress_iob.patch
+40_CVE-2021-20216.patch
+41_CVE-2020-35502.patch
+42_CVE-2021-20209.patch
+43_CVE-2021-20210.patch
+44_CVE-2021-20211.patch
+45_CVE-2021-20212.patch
+46_CVE-2021-20213.patch
+47_CVE-2021-20214.patch
+48_CVE-2021-20215.patch
+49_CVE-2021-20272.patch
+50_CVE-2021-20273.patch
+51_CVE-2021-20275.patch
+52_CVE-2021-20276.patch
diff -Nru privoxy-3.0.28/debian/salsa-ci.yml privoxy-3.0.28/debian/salsa-ci.yml
--- privoxy-3.0.28/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/salsa-ci.yml 2021-03-08 13:57:15.000000000 +0100
@@ -0,0 +1,6 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'buster'