Hi!

(Please Cc: me in reply, since I'm not subscribed to debian-lts.)

Privoxy upstream just released version 3.0.32, which fixes five new CVEs, which are also reported at security-tracker.

I prepared a package that fixes CVE-2021-20272, CVE-2021-20273, CVE-2021-20275, and CVE-2021-20276. CVE-2021-20274 is missing, since this affects code that was introduced in 3.0.29, so the stretch package is not affected, since we shipped 3.0.26 in stretch. I requested on IRC #debian-security to tag stretch and buster as not affected for this CVE.

Since all other CVEs are tagged "minor issue" on security-tracker, I'm not sure whether it's worth doing an LTS upload for this. If you think so, feel free to use it or tell me what I have to do to upload it...

A patch against 3.0.26-3+deb9u1 is attached. Salsa pipeline was successful with this: https://salsa.debian.org/debian/privoxy/-/pipelines/237014 including the testsuite.

Greetings
Roland
diff -Nru privoxy-3.0.26/debian/changelog privoxy-3.0.26/debian/changelog
--- privoxy-3.0.26/debian/changelog 2021-02-06 21:42:01.000000000 +0100
+++ privoxy-3.0.26/debian/changelog 2021-03-08 14:11:04.000000000 +0100
@@ -1,3 +1,17 @@
+privoxy (3.0.26-3+deb9u2) stretch-security; urgency=medium
+
+ * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be
+ triggered with a crafted CGI request (CVE-2021-20272).
+ * 50_CVE-2021-20273: cgi_send_banner(): Overrule invalid image types.
+ Prevents a crash with a crafted CGI request if Privoxy is toggled off
+ (CVE-2021-20273).
+ * 51_CVE-2021-20275: chunked_body_is_complete(): Prevent invalid read of
+ size two (CVE-2021-20275).
+ * 52_CVE-2021-20276: Obsolete pcre: Prevent invalid memory accesses
+ (CVE-2021-20276).
+
+ -- Roland Rosenfeld <roland@debian.org> Mon, 08 Mar 2021 14:11:04 +0100
+
privoxy (3.0.26-3+deb9u1) stretch-security; urgency=medium
* 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
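Review bot: the new changelog entry lists the four patched CVEs but says nothing about CVE-2021-20274, which the cover mail explains is not applicable because the affected code only appeared in 3.0.29 while stretch ships 3.0.26; a one-line entry such as "CVE-2021-20274 does not affect 3.0.26 (code introduced in 3.0.29)" would record that decision where the DLA text and the tracker entry are derived from, instead of leaving it only in the mail and on IRC.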
diff -Nru privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch
--- privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch 2021-03-08 14:11:04.000000000 +0100
@@ -0,0 +1,32 @@
+commit 2256d7b4d67dd9c364386877d5af59943433458b
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Wed Feb 3 19:08:20 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=2256d7b4d67
+Subject: ssplit(): Remove an assertion that could be triggered with a crafted
+ CGI request (CVE-2021-20272).
+
+ This reverts dc4e311bcf.
+
+ OVE-20210203-0001.
+
+ Reported by: Joshua Rogers (Opera)
+
+--- a/ssplit.c
++++ b/ssplit.c
+@@ -37,7 +37,6 @@ const char ssplit_rcs[] = "$Id: ssplit.c
+
+ #include <string.h>
+ #include <stdlib.h>
+-#include <assert.h>
+
+ #include "ssplit.h"
+ #include "miscutil.h"
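Review bot: dropping `#include <assert.h>` here is only safe if the assert() removed in the next hunk was the sole use in ssplit.c; the hunk context does not show the rest of the file, so confirm with a quick grep before relying on the Salsa build alone, since a remaining assert() would only fail at compile time on builds that do not define NDEBUG.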
+@@ -153,8 +152,6 @@ int ssplit(char *str, const char *delim,
+ }
+ }
+ /* null terminate the substring */
+- /* XXX: this shouldn't be necessary, so assert that it isn't. */
+- assert(*str == '\0');
+ *str = '\0';
+
+ return(vec_count);
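Review bot: with the assertion gone, the function still unconditionally writes `*str = '\0';` at the position the assertion was checking, so the fix changes an abort on a crafted CGI request into a silent null termination; as the header notes, this is a straight revert of dc4e311bcf rather than new hardening. Worth phrasing the DLA accordingly (the pre-dc4e311bcf behaviour is restored) so the advisory does not overstate what the patch does.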
diff -Nru privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch
--- privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch 2021-03-08 14:11:04.000000000 +0100
@@ -0,0 +1,28 @@
+commit e711c505c4830ab271938d61af90a2075523f058
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Sat Feb 6 20:43:06 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=e711c505c48
+Subject: cgi_send_banner(): Overrule invalid image types. Prevents a crash with
+ a crafted CGI request if Privoxy is toggled off.(CVE-2021-20273).
+
+ OVE-20210206-0001.
+
+ Reported by: Joshua Rogers (Opera)
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -468,6 +468,14 @@ jb_err cgi_send_banner(struct client_sta
+ {
+ char imagetype = lookup(parameters, "type")[0];
+
++ if (imagetype != 'a' && imagetype != 'b' &&
++ imagetype != 'p' && imagetype != 't')
++ {
++ log_error(LOG_LEVEL_ERROR, "Overruling invalid image type '%c'.",
++ imagetype);
++ imagetype = 'p';
++ }
++
+ /*
+ * If type is auto, then determine the right thing
+ * to do from the set-image-blocker action
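Review bot: the new check also covers the case where the "type" parameter is missing or empty, since `lookup(parameters, "type")[0]` then yields '\0', and in that case log_error is asked to print a NUL byte through `%c`; consider logging the value numerically (`%d`) so the line stays readable and an absent parameter can be told apart from a bogus one. The fallback to 'p' is consistent with the surrounding code, where 'a' is handled as the auto case by the set-image-blocker logic below the hunk.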
diff -Nru privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch
--- privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch 2021-03-08 14:11:04.000000000 +0100
@@ -0,0 +1,26 @@
+commit a912ba7bc9ce5855a810d09332e9d94566ce1521
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Fri Feb 5 05:06:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=a912ba7bc9c
+Subject: chunked_body_is_complete(): Prevent invalid read of size two
+ (CVE-2021-20275).
+
+ OVE-20210205-0001.
+
+ Reported by: Joshua Rogers (Opera)
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -1383,6 +1383,12 @@ static enum chunk_status chunked_body_is
+ /* Move beyond the chunkdata. */
+ p += 2 + chunksize;
+
++ /* Make sure we're still within the buffer and have two bytes left */
++ if (p + 2 > iob->eod)
++ {
++ return CHUNK_STATUS_MISSING_DATA;
++ }
++
+ /* There should be another "\r\n" to skip */
+ if (memcmp(p, "\r\n", 2))
+ {
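Review bot: the new bounds check evaluates `p + 2 > iob->eod` only after `p += 2 + chunksize;` has already advanced the pointer, so for a large chunksize the comparison is performed on a pointer that may already lie outside the buffer, which is undefined behaviour in C even though it works in practice on flat address spaces. A safer form checks the remaining length before advancing, for example `if (iob->eod - p < 2 + chunksize) return CHUNK_STATUS_MISSING_DATA;` placed before the `p += 2 + chunksize;` line (mind the signed/unsigned types of the operands). The early return itself is correct: reporting missing data is the right outcome instead of letting memcmp() read two bytes past the end.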
diff -Nru privoxy-3.0.26/debian/patches/52_CVE-2021-20276.patch privoxy-3.0.26/debian/patches/52_CVE-2021-20276.patch
--- privoxy-3.0.26/debian/patches/52_CVE-2021-20276.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/52_CVE-2021-20276.patch 2021-03-08 14:11:04.000000000 +0100
@@ -0,0 +1,79 @@
+commit 28512e5b62457f0ff6f2d72e3e5c9226b9e0203d
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Mon Feb 22 09:17:30 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=28512e5b624
+Subject: Obsolete pcre: Prevent invalid memory accesses (CVE-2021-20276)
+
+ ... with an invalid pattern passed to pcre_compile().
+
+ ==22377== Invalid write of size 1
+ ==22377== at 0x466E37: compile_branch (pcre.c:2001)
+ ==22377== by 0x45FA64: compile_regex (pcre.c:2164)
+ ==22377== by 0x45EE77: pcre_compile (pcre.c:3077)
+ ==22377== by 0x467B6D: regcomp (pcreposix.c:206)
+ ==22377== by 0x456FFF: compile_pattern (urlmatch.c:667)
+ ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+ ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+ ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+ ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+ ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+ ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
+ ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
+ ==22377== Address 0x7177469 is 4 bytes after a block of size 1,125 alloc'd
+ ==22377== at 0x4C26A44: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
+ ==22377== by 0x45ED5C: pcre_compile (pcre.c:3054)
+ ==22377== by 0x467B6D: regcomp (pcreposix.c:206)
+ ==22377== by 0x456FFF: compile_pattern (urlmatch.c:667)
+ ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+ ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+ ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+ ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+ ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+ ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
+ ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
+ ==22377== by 0x43ADDB: chat (jcc.c:4241)
+
+ ==22377== Invalid read of size 1
+ ==22377== at 0x466FCC: compile_branch (pcre.c:2053)
+ ==22377== by 0x45FA64: compile_regex (pcre.c:2164)
+ ==22377== by 0x45EE77: pcre_compile (pcre.c:3077)
+ ==22377== by 0x467B6D: regcomp (pcreposix.c:206)
+ ==22377== by 0x456FFF: compile_pattern (urlmatch.c:667)
+ ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+ ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+ ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+ ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+ ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+ ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
+ ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
+ ==22377== Address 0x7176fb1 is 0 bytes after a block of size 1,057 alloc'd
+ ==22377== at 0x4C26A44: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
+ ==22377== by 0x44C3F0: malloc_or_die (miscutil.c:194)
+ ==22377== by 0x456FBB: compile_pattern (urlmatch.c:662)
+ ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
+ ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
+ ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
+ ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
+ ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
+ ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
+ ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
+ ==22377== by 0x43ADDB: chat (jcc.c:4241)
+ ==22377== by 0x439DA5: serve (jcc.c:4778)
+
+ OVE-20210222-0001.
+
+ pcre 8.44 does not seem to be affected.
+
+ Reported by: Joshua Rogers (Opera)
+
+--- a/pcre/pcre.c
++++ b/pcre/pcre.c
+@@ -2050,7 +2050,7 @@ for (;; ptr++)
+
+ /* This "while" is the end of the "do" above. */
+
+- while (length < MAXLIT && (cd->ctypes[c = *(++ptr)] & ctype_meta) == 0);
++ while (*ptr && length < MAXLIT && (cd->ctypes[c = *(++ptr)] & ctype_meta) == 0);
+
+ /* Update the last character and the count of literals */
+
diff -Nru privoxy-3.0.26/debian/patches/series privoxy-3.0.26/debian/patches/series
--- privoxy-3.0.26/debian/patches/series 2021-02-06 21:42:01.000000000 +0100
+++ privoxy-3.0.26/debian/patches/series 2021-03-08 14:11:04.000000000 +0100
@@ -21,3 +21,7 @@
45_CVE-2021-20212.patch
46_CVE-2021-20213.patch
48_CVE-2021-20215.patch
+49_CVE-2021-20272.patch
+50_CVE-2021-20273.patch
+51_CVE-2021-20275.patch
+52_CVE-2021-20276.patch
Attachment:
signature.asc
Description: PGP signature