
privoxy stretch package prepared



Hi!

(please Cc: me in reply, since I'm not subscribed to debian-lts)

As the maintainer of the privoxy package, I just checked all new CVEs on
https://security-tracker.debian.org/tracker/source-package/privoxy and
prepared a stretch package with the patches fixing all CVEs.

Only the patch for CVE-2021-20214 was not included, since this CVE
doesn't affect 3.0.26 (the fixed tags "refresh-delay" and
"tags-expire" were introduced with 3.0.27); this should be changed in
the security-tracker.

Since all other CVEs are tagged "minor issue" on security-tracker, I'm
not sure whether it's worth doing a LTS upload for this.

If you think so, feel free to use it or tell me what I have to do to
upload it.

A patch against 3.0.26-3 is attached.

The Salsa pipeline was successful with this:
https://salsa.debian.org/debian/privoxy/-/pipelines/227800 including
the testsuite.

Greetings
Roland
diff -Nru privoxy-3.0.26/debian/changelog privoxy-3.0.26/debian/changelog
--- privoxy-3.0.26/debian/changelog	2017-01-11 22:24:55.000000000 +0100
+++ privoxy-3.0.26/debian/changelog	2021-02-06 11:10:50.000000000 +0100
@@ -1,3 +1,27 @@
+privoxy (3.0.26-3+deb9u1) stretch; urgency=medium
+
+  * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
+    (CVE-2021-20217).
+  * 39_decompress_iob: Fix detection of insufficient data.
+  * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216).
+  * 41_CVE-2020-35502: Fixed memory leaks when a response is buffered and
+    the buffer limit is reached or Privoxy is running out of memory
+    (CVE-2020-35502).
+  * 42_CVE-2021-20209: Fixed a memory leak in the show-status CGI handler
+    when no action files are configured (CVE-2021-20209).
+  * 43_CVE-2021-20210: Fixed a memory leak in the show-status CGI handler
+    when no filter files are configured (CVE-2021-20210).
+  * 44_CVE-2021-20211: Fixes a memory leak when client tags are active
+    (CVE-2021-20211).
+  * 45_CVE-2021-20212: Fixed a memory leak if multiple filters are
+    executed and the last one is skipped due to a pcre error (CVE-2021-20212).
+  * 46_CVE-2021-20213: Prevent an unlikely dereference of a NULL-pointer
+    that could result in a crash if accept-intercepted-requests was
+    enabled, Privoxy failed to get the request destination from the Host
+    header and a memory allocation failed (CVE-2021-20213).
+
+ -- Roland Rosenfeld <roland@debian.org>  Sat, 06 Feb 2021 11:10:50 +0100
+
 privoxy (3.0.26-3) unstable; urgency=medium
 
   * Add da debconf translation.  Thanks to Joe Dalton (Closes: #850876).
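Review bot: the changelog entry does not record that CVE-2021-20214 was assessed and found not to affect 3.0.26 (the refresh-delay and tags-expire tags only exist from 3.0.27, per the cover mail); a short "not affected" line here, in addition to the requested security-tracker update, saves the next person from re-investigating. Likewise 39_decompress_iob carries no CVE but is the precondition fix that the CVE-2021-20216 hunk in the same function relies on; saying so in its bullet makes the dependency explicit.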
diff -Nru privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch
--- privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch	2021-02-06 11:10:50.000000000 +0100
@@ -0,0 +1,34 @@
+commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Sat Jan 30 15:04:17 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b
+Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217)
+
+    parse_cgi_parameters(): Make sure the maximum number of segments is large enough
+    
+    ... for ssplit() to succeed.
+    
+    Prevents an assertion from getting triggered. OVE-20210130-0001.
+    
+    Reported by: Joshua Rogers (Opera)
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -628,16 +628,7 @@ static struct map *parse_cgi_parameters(
+     *      The same hack is used in get_last_url() so it looks like
+     *      a real solution is needed.
+     */
+-   size_t max_segments = strlen(argstring) / 2;
+-   if (max_segments == 0)
+-   {
+-      /*
+-       * XXX: If the argstring is empty, there's really
+-       *      no point in creating a param list, but currently
+-       *      other parts of Privoxy depend on the list's existence.
+-       */
+-      max_segments = 1;
+-   }
++   size_t max_segments = strlen(argstring) / 2 + 1;
+    vector = malloc_or_die(max_segments * sizeof(char *));
+ 
+    cgi_params = new_map();
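Review bot: the retained context comment at the top of the hunk says the same strlen/2 hack is used in get_last_url(), but this backport only touches parse_cgi_parameters(); check whether 3.0.26's get_last_url() sizes its vector the same way and, if upstream left it alone, say so in the patch header so the omission reads as deliberate. Dropping the max_segments == 0 special case is safe, since strlen(argstring) / 2 + 1 is never zero.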
diff -Nru privoxy-3.0.26/debian/patches/39_decompress_iob.patch privoxy-3.0.26/debian/patches/39_decompress_iob.patch
--- privoxy-3.0.26/debian/patches/39_decompress_iob.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/39_decompress_iob.patch	2021-02-06 11:10:50.000000000 +0100
@@ -0,0 +1,22 @@
+commit f5c1a886b7ae20da7eafb77926252eb521260728
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Thu Jan 28 16:26:45 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f5c1a
+Subject: decompress_iob(): Fix detection of insufficient data
+    
+    Instead of checking the size of the iob we have to
+    check the size of the actual data.
+    
+    Previously Privoxy could try to work on uninitialized data.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -430,7 +430,7 @@ jb_err decompress_iob(struct client_stat
+ 
+    cur = csp->iob->cur;
+ 
+-   if (bufsize < (size_t)10)
++   if (old_size < (size_t)10)
+    {
+       /*
+        * This is to protect the parsing of gzipped data,
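Review bot: the check is switched from bufsize to old_size, but the hunk shows neither variable's definition; confirm that in the 3.0.26 decompress_iob() old_size is already assigned from the length of the data in the iob before this line, otherwise the backport compares against an uninitialized or differently scoped value. The patch header should also state why a non-CVE change is in the series: it fixes the insufficient-data check that the CVE-2021-20216 hunk below depends on.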
diff -Nru privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch
--- privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch	2021-02-06 11:10:50.000000000 +0100
@@ -0,0 +1,21 @@
+commit f431d61740cc03c1c5f6b7f9c7a4a8d0bedd70dd
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Thu Jan 28 18:02:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f431d
+Subject: Fix a memory leak (CVE-2021-20216)
+ decompress_iob(): Fix a memory leak
+    
+    ... when decompression fails "unexpectedly".
+    
+    OVE-20210128-0001.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -698,6 +698,7 @@ jb_err decompress_iob(struct client_stat
+       log_error(LOG_LEVEL_ERROR,
+          "Unexpected error while decompressing to the buffer (iob): %s",
+          zstr.msg);
++      freez(buf);
+       return JB_ERR_COMPRESS;
+    }
+ 
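Review bot: the added freez(buf) on the "Unexpected error" exit does not release the zlib stream, whereas the two other error exits of the same function patched in 41_CVE-2020-35502 pair freez(buf) with inflateEnd(&zstr); unless inflateEnd is called for this path somewhere not visible here, the inflate state set up by inflateInit still leaks on this return, so consider adding inflateEnd(&zstr) before the return for consistency with the other two paths.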
diff -Nru privoxy-3.0.26/debian/patches/41_CVE-2020-35502.patch privoxy-3.0.26/debian/patches/41_CVE-2020-35502.patch
--- privoxy-3.0.26/debian/patches/41_CVE-2020-35502.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/41_CVE-2020-35502.patch	2021-02-06 11:10:50.000000000 +0100
@@ -0,0 +1,25 @@
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Mon Mar 2 18:14:29 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=4490d451f9b, https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=bbd53f1010b
+Subject: Fixed memory leaks when a response is buffered and the buffer limit
+ is reached or Privoxy is running out of memory (CVE-2020-35502)
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -630,6 +630,8 @@ jb_err decompress_iob(struct client_stat
+       if (bufsize >= csp->config->buffer_limit)
+       {
+          log_error(LOG_LEVEL_ERROR, "Buffer limit reached while decompressing iob");
++         freez(buf);
++         inflateEnd(&zstr);
+          return JB_ERR_MEMORY;
+       }
+ 
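Review bot: this is the only patch in the series without a commit line even though Applied-Upstream names two upstream commits (4490d451f9b and bbd53f1010b); record in the DEP-3 header which of the two hunks comes from which commit so a later reviewer can diff the backport against upstream. The hunk itself is fine: both buf and the inflate state are now released before returning JB_ERR_MEMORY on the buffer-limit path.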
+@@ -648,6 +650,7 @@ jb_err decompress_iob(struct client_stat
+       {
+          log_error(LOG_LEVEL_ERROR, "Out of memory decompressing iob");
+          freez(buf);
++         inflateEnd(&zstr);
+          return JB_ERR_MEMORY;
+       }
+       else
diff -Nru privoxy-3.0.26/debian/patches/42_CVE-2021-20209.patch privoxy-3.0.26/debian/patches/42_CVE-2021-20209.patch
--- privoxy-3.0.26/debian/patches/42_CVE-2021-20209.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/42_CVE-2021-20209.patch	2021-02-06 11:10:50.000000000 +0100
@@ -0,0 +1,17 @@
+commit c62254a686dcd40e3b6e5753d0c7c0308209a7b6
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Sun Aug 30 09:25:47 2020 +0200
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=c62254a686
+Subject: Fixed a memory leak in the show-status CGI handler when
+ no action files are configured. CVE-2021-20209.
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -1167,6 +1167,7 @@ jb_err cgi_show_status(struct client_sta
+    else
+    {
+       if (!err) err = map(exports, "actions-filenames", 1, "<tr><td>None specified</td></tr>", 1);
++      freez(s);
+    }
+ 
+    /*
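Review bot: freez(s) is added only to the "None specified" branch; the if branch is not shown, so confirm in 3.0.26 that s is allocated before this if/else, is not referenced after it, and that the if branch's map() call takes ownership of s (last argument 0) rather than copying it, otherwise that branch leaks the same buffer.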
diff -Nru privoxy-3.0.26/debian/patches/43_CVE-2021-20210.patch privoxy-3.0.26/debian/patches/43_CVE-2021-20210.patch
--- privoxy-3.0.26/debian/patches/43_CVE-2021-20210.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/43_CVE-2021-20210.patch	2021-02-06 11:10:50.000000000 +0100
@@ -0,0 +1,20 @@
+commit 1b1370f7a8a9cc5434d3e0e54dd620df1e70c873
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Sun Aug 30 09:24:48 2020 +0200
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=1b1370f7a8a
+Subject: Fixed a memory leak in the show-status CGI handler when no filter
+ files are configured (CVE-2021-20210).
+    cgi_show_status: Don't leak memory when no filter files are specified
+    
+    Sponsored by: Robert Klemme
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -1195,6 +1195,7 @@ jb_err cgi_show_status(struct client_sta
+    {
+       if (!err) err = map(exports, "re-filter-filenames", 1, "<tr><td>None specified</td></tr>", 1);
+       if (!err) err = map_block_killer(exports, "have-filterfile");
++      freez(s);
+    }
+ 
+ #ifdef FEATURE_TRUST
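Review bot: same fix as 42_CVE-2021-20209, a few lines further down in cgi_show_status(); confirm that s is re-allocated between the actions-filenames block and this re-filter-filenames block in 3.0.26, so this freez(s) releases a fresh buffer rather than the pointer already released above. Placing freez(s) after the map_block_killer() call is correct, since it runs regardless of err.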
diff -Nru privoxy-3.0.26/debian/patches/44_CVE-2021-20211.patch privoxy-3.0.26/debian/patches/44_CVE-2021-20211.patch
--- privoxy-3.0.26/debian/patches/44_CVE-2021-20211.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/44_CVE-2021-20211.patch	2021-02-06 11:10:50.000000000 +0100
@@ -0,0 +1,24 @@
+commit 245e1cf325bc957df6226c745b7ac3f67a97ea07
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Mon Mar 2 13:05:13 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=245e1cf32
+Subject: Fixes a memory leak when client tags are active (CVE-2021-20211).
+
+    free_csp_resources(): Destroy csp->client_tags
+    
+    Fixes a memory leak when client tags are active.
+    
+    Sponsored by: Robert Klemme
+
+--- a/loaders.c
++++ b/loaders.c
+@@ -199,6 +199,9 @@ unsigned int sweep(void)
+ 
+          destroy_list(csp->headers);
+          destroy_list(csp->tags);
++#ifdef FEATURE_CLIENT_TAGS
++			destroy_list(csp->client_tags);
++#endif
+ 
+          free_current_action(csp->action);
+ 
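Review bot: the commit message names free_csp_resources() but the hunk lands in sweep() in loaders.c; add a sentence to the patch header saying the hunk was relocated because 3.0.26 has no free_csp_resources(), so the next backporter knows the move was deliberate. Minor: the added destroy_list(csp->client_tags) line is indented with a tab while the surrounding sweep() body uses spaces.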
diff -Nru privoxy-3.0.26/debian/patches/45_CVE-2021-20212.patch privoxy-3.0.26/debian/patches/45_CVE-2021-20212.patch
--- privoxy-3.0.26/debian/patches/45_CVE-2021-20212.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/45_CVE-2021-20212.patch	2021-02-06 11:10:50.000000000 +0100
@@ -0,0 +1,26 @@
+commit 5cfb7bc8feecc82eb161450faa572abf9be19cbb
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Thu Sep 24 10:44:00 2020 +0200
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5cfb7bc8fe
+Subject: Fixed a memory leak if multiple filters are executed and the last
+ one is skipped due to a pcre error (CVE-2021-20212)
+    pcrs_filter_response(): Free the old data if there are no hits
+    
+    ... and it's different from the data in iob and the new data.
+    
+    Fixes a memory leak if multiple filters are executed
+    and the last one is skipped due to a pcre error.
+
+--- a/filters.c
++++ b/filters.c
+@@ -1702,6 +1702,10 @@ static char *pcrs_filter_response(struct
+     */
+    if (!hits)
+    {
++      if (old != csp->iob->cur && old != new)
++      {
++         freez(old);
++      }
+       freez(new);
+       return(NULL);
+    }
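Review bot: the guard old != csp->iob->cur && old != new is the whole correctness argument and deserves a comment in the code: old may alias the iob buffer (first filter in the chain) or the output buffer (pcrs returned its input unchanged), and freeing either would turn a leak fix into a use-after-free. Order matters too: freez(old) must come before freez(new), as written, because when old == new the existing freez(new) is the one that releases it.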
diff -Nru privoxy-3.0.26/debian/patches/46_CVE-2021-20213.patch privoxy-3.0.26/debian/patches/46_CVE-2021-20213.patch
--- privoxy-3.0.26/debian/patches/46_CVE-2021-20213.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/46_CVE-2021-20213.patch	2021-02-06 11:10:50.000000000 +0100
@@ -0,0 +1,45 @@
+commit 75301323495579ff27bdaaea67e31e2df83475fc
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Tue Nov 10 13:50:59 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=7530132349
+Subject: Prevent an unlikely dereference of a NULL-pointer that could result
+ in a crash if accept-intercepted-requests was enabled, Privoxy failed to get
+ the request destination from the Host header and a memory allocation failed.
+ (CVE-2021-20213).
+
+    get_request_destination_elsewhere(): Prevent unlikely dereference of a NULL-pointer
+    
+    ... if getting the destination fails and list_to_text() fails
+    as well.
+    
+    CID 267165
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -504,8 +504,6 @@ static int client_has_unsupported_expect
+  *********************************************************************/
+ static jb_err get_request_destination_elsewhere(struct client_state *csp, struct list *headers)
+ {
+-   char *req;
+-
+    if (!(csp->config->feature_flags & RUNTIME_FEATURE_ACCEPT_INTERCEPTED_REQUESTS))
+    {
+       log_error(LOG_LEVEL_ERROR, "%s's request: \'%s\' is invalid."
+@@ -533,15 +531,12 @@ static jb_err get_request_destination_el
+    {
+       /* We can't work without destination. Go spread the news.*/
+ 
+-      req = list_to_text(headers);
+-      chomp(req);
+       /* XXX: Use correct size */
+       log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 400 0",
+          csp->ip_addr_str, csp->http->cmd);
+       log_error(LOG_LEVEL_ERROR,
+-         "Privoxy was unable to get the destination for %s's request:\n%s\n%s",
+-         csp->ip_addr_str, csp->http->cmd, req);
+-      freez(req);
++         "Privoxy was unable to get the destination for %s's request: %s",
++         csp->ip_addr_str, csp->http->cmd);
+ 
+       write_socket(csp->cfd, MISSING_DESTINATION_RESPONSE, strlen(MISSING_DESTINATION_RESPONSE));
+       destroy_list(headers);
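Review bot: the fix removes the header dump from the error message instead of null-checking list_to_text(), so operators no longer see the request headers when an intercepted request without a usable Host header is answered with 400; that is a visible logging change and should be mentioned in the changelog entry. The trade-off is reasonable: client-controlled header text is no longer written verbatim to the error log, and csp->http->cmd remains for triage.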
diff -Nru privoxy-3.0.26/debian/patches/series privoxy-3.0.26/debian/patches/series
--- privoxy-3.0.26/debian/patches/series	2017-01-11 22:24:55.000000000 +0100
+++ privoxy-3.0.26/debian/patches/series	2021-02-06 11:10:50.000000000 +0100
@@ -11,3 +11,12 @@
 35_man-spelling.patch
 36_openspopenjade.patch
 37_adventofcode.patch
+38_CVE-2021-20217.patch
+39_decompress_iob.patch
+40_CVE-2021-20216.patch
+41_CVE-2020-35502.patch
+42_CVE-2021-20209.patch
+43_CVE-2021-20210.patch
+44_CVE-2021-20211.patch
+45_CVE-2021-20212.patch
+46_CVE-2021-20213.patch
diff -Nru privoxy-3.0.26/debian/salsa-ci.yml privoxy-3.0.26/debian/salsa-ci.yml
--- privoxy-3.0.26/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/salsa-ci.yml	2021-02-06 11:10:50.000000000 +0100
@@ -0,0 +1,6 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'stretch'
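Review bot: both includes point at the master branch of the salsa-ci-team pipeline repository rather than a fixed revision, so the successful run cited in the cover mail (pipeline 227800) is not reproducible and the build definition changes whenever that repository does; if this file stays in the package, pin the includes to a fixed revision of that repository.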

Attachment: signature.asc
Description: PGP signature