privoxy stretch package 3.0.26-3+deb9u3 prepared



Hi!

(please Cc: me in reply, since I'm not subscribed to debian-lts)

Privoxy upstream just released version 3.0.33, which fixes four new
CVEs, which are also reported at security-tracker.

I prepared a package that fixes CVE-2021-44540 and CVE-2021-44543.

CVE-2021-44541 and CVE-2021-44542 are missing, since these affect code
that was introduced in 3.0.29 or later, so the stretch package is not
affected, since we shipped 3.0.26 in stretch.

Since the two CVEs are tagged "minor issue" on security-tracker, I'm
not sure whether it's worth doing a LTS upload for this.

If you think so, feel free to use it or tell me what I have to do to
upload it...

A patch against 3.0.26-3+deb9u2 is attached.

Salsa pipeline was successful with this:
https://salsa.debian.org/debian/privoxy/-/pipelines/325721 including
the testsuite.

Greetings
Roland
diff -Nru privoxy-3.0.26/debian/changelog privoxy-3.0.26/debian/changelog
--- privoxy-3.0.26/debian/changelog	2021-03-08 14:11:04.000000000 +0100
+++ privoxy-3.0.26/debian/changelog	2021-12-07 19:59:33.000000000 +0100
@@ -1,3 +1,12 @@
+privoxy (3.0.26-3+deb9u3) stretch-security; urgency=medium
+
+  * 53_CVE-2021-44540: get_url_spec_param(): Free memory of compiled
+    pattern spec before bailing (CVE-2021-44540).
+  * 56_CVE-2021-44543: cgi_error_no_template(): Encode the template name
+    to prevent XSS (CVE-2021-44543).
+
+ -- Roland Rosenfeld <roland@debian.org>  Tue, 07 Dec 2021 19:59:33 +0100
+
 privoxy (3.0.26-3+deb9u2) stretch-security; urgency=medium
 
   * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be
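Review bot: the changelog entry records only the two fixed CVEs; since the cover letter states that CVE-2021-44541 and CVE-2021-44542 do not apply to 3.0.26, a one-line "not affected" note for them in this entry would let the security tracker be updated from the upload itself rather than from the list discussion.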
diff -Nru privoxy-3.0.26/debian/patches/53_CVE-2021-44540.patch privoxy-3.0.26/debian/patches/53_CVE-2021-44540.patch
--- privoxy-3.0.26/debian/patches/53_CVE-2021-44540.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/53_CVE-2021-44540.patch	2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,39 @@
+From 652b4b7cb07592c0912cf938a50fcd009fa29a0a Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrogers@opera.com>
+Date: Fri, 19 Nov 2021 17:32:23 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=652b4b7c
+Subject: get_url_spec_param(): Free memory of compiled pattern spec before
+ bailing
+
+OVE-20211201-0003. CVE-2021-44540.
+
+--- a/cgiedit.c
++++ b/cgiedit.c
+@@ -1856,12 +1856,12 @@ static jb_err get_url_spec_param(struct
+    }
+    err = create_pattern_spec(compiled, s);
+    free(s);
++   free_pattern_spec(compiled);
+    if (err)
+    {
+       free(param);
+       return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+    }
+-   free_pattern_spec(compiled);
+ 
+    if (param[strlen(param) - 1] == '\\')
+    {
+@@ -1892,12 +1892,12 @@ static jb_err get_url_spec_param(struct
+       }
+       err = create_pattern_spec(compiled, s);
+       free(s);
++      free_pattern_spec(compiled);
+       if (err)
+       {
+          free(param);
+          return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+       }
+-      free_pattern_spec(compiled);
+    }
+ 
+    *pvalue = param;
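Review bot: in both hunks of the embedded patch `free_pattern_spec(compiled);` is moved above `if (err)`, so the compiled spec is now released on the error path as well, which is the leak the subject line describes. The cost is that free_pattern_spec() now runs on a spec that create_pattern_spec() may have left only partially initialised; because this is a backport into 3.0.26 rather than the tree the commit was written against, confirm that the 3.0.26 free_pattern_spec() tolerates such a partially built spec (e.g. NULL sub-pointers) before accepting.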
diff -Nru privoxy-3.0.26/debian/patches/56_CVE-2021-44543.patch privoxy-3.0.26/debian/patches/56_CVE-2021-44543.patch
--- privoxy-3.0.26/debian/patches/56_CVE-2021-44543.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/56_CVE-2021-44543.patch	2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,41 @@
+From 0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 Mon Sep 17 00:00:00 2001
+From: Fabian Keil <fk@fabiankeil.de>
+Date: Tue, 2 Nov 2021 12:11:37 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0e668e94
+Subject: cgi_error_no_template(): Encode the template name to prevent XSS
+
+OVE-20211102-0001. CVE-2021-44543.
+
+Reported by: Artem Ivanov
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -1156,7 +1156,8 @@ jb_err cgi_error_no_template(const struc
+       ").</p>\n"
+       "</body>\n"
+       "</html>\n";
+-   const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1;
++   size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1;
++   const char *encoded_template_name;
+ 
+    assert(csp);
+    assert(rsp);
+@@ -1170,9 +1171,17 @@ jb_err cgi_error_no_template(const struc
+    rsp->head_length = 0;
+    rsp->is_static = 0;
+ 
++   encoded_template_name = html_encode(template_name);
++   if (encoded_template_name == NULL)
++   {
++      return JB_ERR_MEMORY;
++   }
++
++   body_size += strlen(encoded_template_name);
+    rsp->body = malloc_or_die(body_size);
+    strlcpy(rsp->body, body_prefix, body_size);
+-   strlcat(rsp->body, template_name, body_size);
++   strlcat(rsp->body, encoded_template_name, body_size);
++   freez(encoded_template_name);
+    strlcat(rsp->body, body_suffix, body_size);
+ 
+    rsp->status = strdup(status);
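Review bot: the new early `return JB_ERR_MEMORY;` taken when html_encode() returns NULL sits after `rsp->head_length = 0;` and `rsp->is_static = 0;` but before `rsp->body` is assigned, so the caller gets an error with a partly reset response object; check that the caller's JB_ERR_MEMORY handling never reads rsp->body in that state. Dropping the `const` from body_size is required, since the encoded length is only known and added after the allocation size is first computed, and freeing the encoded copy with `freez(encoded_template_name);` right after the strlcat() that consumes it keeps the lifetime tight, so both of those are fine.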
diff -Nru privoxy-3.0.26/debian/patches/series privoxy-3.0.26/debian/patches/series
--- privoxy-3.0.26/debian/patches/series	2021-03-08 14:11:04.000000000 +0100
+++ privoxy-3.0.26/debian/patches/series	2021-12-07 19:59:33.000000000 +0100
@@ -25,3 +25,5 @@
 50_CVE-2021-20273.patch
 51_CVE-2021-20275.patch
 52_CVE-2021-20276.patch
+53_CVE-2021-44540.patch
+56_CVE-2021-44543.patch
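Review bot: the series gains 53 and 56 while 54 and 55 stay unused; if those numbers are deliberately reserved for CVE-2021-44541 and CVE-2021-44542 (which the cover letter says do not apply to 3.0.26), a short note in the changelog would save the next maintainer from hunting for two missing patch files.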