Bug#775366: unblock: privoxy/3.0.21-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package privoxy/3.0.21-5
I just uploaded privoxy version 3.0.21-5, which should fix
CVE-2015-1030 and CVE-2015-1031, both reported in #775167.
A debdiff between 3.0.21-4 and 3.0.21-5 is attached.
It contains 3 quilt patches, which are extracted from upstream 3.0.22
source.
Greetings
Roland
diff -Nru privoxy-3.0.21/debian/changelog privoxy-3.0.21/debian/changelog
--- privoxy-3.0.21/debian/changelog 2014-05-10 14:19:22.000000000 +0200
+++ privoxy-3.0.21/debian/changelog 2015-01-12 08:44:24.000000000 +0100
@@ -1,3 +1,15 @@
+privoxy (3.0.21-5) unstable; urgency=low
+
+ * 34_CVE-2015-1030: Fix memory leak in rfc2553_connect_to(). CID 66382
+ * 35_CVE-2015-1031-CID66394: unmap(): Prevent use-after-free if the map
+ only consists of one item. CID 66394.
+ * 36_CVE-2015-1031-CID66376: pcrs_execute(): Consistently set *result to
+ NULL in case of errors. Should make use-after-free in the caller less
+ likely. CID 66391, CID 66376.
+ * These 3 patches Closes: #775167.
+
+ -- Roland Rosenfeld <roland@debian.org> Mon, 12 Jan 2015 08:44:23 +0100
+
privoxy (3.0.21-4) unstable; urgency=low
* Enable hardening=+all
diff -Nru privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch
--- privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch 2015-01-12 08:32:18.000000000 +0100
@@ -0,0 +1,16 @@
+Author: Fabian Keil <fk@fabiankeil.de>
+Description: Fix memory leak in rfc2553_connect_to()
+ CID 66382.
+Bug-Debian: http://bugs.debian.org/775167
+Origin: upstream, http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/jbsockets.c?r1=1.130&r2=1.131
+
+--- a/jbsockets.c
++++ b/jbsockets.c
+@@ -285,6 +285,7 @@
+ "Server socket number too high to use select(): %d >= %d",
+ fd, FD_SETSIZE);
+ close_socket(fd);
++ freeaddrinfo(result);
+ return JB_INVALID_SOCKET;
+ }
+ #endif
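Review bot: The DEP-3 header of 34_CVE-2015-1030.patch records the Coverity id (CID 66382) and the Debian bug but not the CVE identifier the patch is named after; adding it to the Description line, `Description: Fix memory leak in rfc2553_connect_to() (CVE-2015-1030)`, lets tools and readers match the patch to the advisory without relying on the filename. The same applies to the headers of 35_CVE-2015-1031-CID66394.patch and 36_CVE-2015-1031-CID66376.patch. On the code side, the added `freeaddrinfo(result);` covers only the FD_SETSIZE rejection branch visible here; the rest of rfc2553_connect_to() and its other early returns lie outside this hunk, so whether they release `result` cannot be confirmed from the debdiff.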
diff -Nru privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch
--- privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch 2015-01-12 08:36:24.000000000 +0100
@@ -0,0 +1,31 @@
+Author: Fabian Keil <fk@fabiankeil.de>
+Description: unmap(): Prevent use-after-free if the map only consists of one
+ item
+ CID 66394.
+Bug-Debian: http://bugs.debian.org/775167
+Origin: upstream, http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/list.c?r1=1.31&r2=1.32
+
+--- a/list.c
++++ b/list.c
+@@ -1055,7 +1055,7 @@
+ assert(the_map);
+ assert(name);
+
+- last_entry = the_map->first;
++ last_entry = NULL;
+
+ for (cur_entry = the_map->first; cur_entry != NULL; cur_entry = cur_entry->next)
+ {
+@@ -1087,7 +1087,11 @@
+ freez(cur_entry->name);
+ freez(cur_entry->value);
+ freez(cur_entry);
+-
++ if (last_entry == NULL)
++ {
++ /* The map only had a single entry which has just been removed. */
++ break;
++ }
+ cur_entry = last_entry;
+ }
+ else
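Review bot: The comment added before the `break`, `/* The map only had a single entry which has just been removed. */`, describes a narrower case than the condition it sits under: `last_entry == NULL` only says the freed entry had no predecessor, i.e. it was the head of the map, which may still have further entries behind it. For a map whose head matched, the loop now stops after that one removal and any later entries with the same name stay in place; the previous code instead assigned the freed head back to `cur_entry` (`last_entry` still held `the_map->first`), which is the use-after-free being fixed, so no prior behaviour is preserved here either way. If unmap() is meant to remove every entry called `name`, the loop would need to restart from the new `the_map->first` rather than break; if removing only the head in that case is acceptable for this stable update, the comment should state that, e.g. `/* The removed entry was the head of the map; stop rather than walk on from the freed pointer. */`. The chain-update code between the two hunks and the remainder of unmap() are outside this debdiff.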
diff -Nru privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch
--- privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch 2015-01-12 08:39:52.000000000 +0100
@@ -0,0 +1,47 @@
+Author: Fabian Keil <fk@fabiankeil.de>
+Description: pcrs_execute(): Consistently set *result to NULL in case of errors
+ Should make use-after-free in the caller less likely.
+ CID 66391, CID 66376.
+Bug-Debian: http://bugs.debian.org/775167
+Origin: upstream, http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/pcrs.c?r1=1.45&r2=1.46
+
+--- a/pcrs.c
++++ b/pcrs.c
+@@ -725,7 +725,7 @@
+ * 1 : job = the pcrs_job to be executed
+ * 2 : subject = the subject (== original) string
+ * 3 : subject_length = the subject's length
+- * 4 : result = char** for returning the result
++ * 4 : result = char** for returning the result (NULL on error)
+ * 5 : result_length = size_t* for returning the result's length
+ *
+ * Returns : On success, the number of substitutions that were made.
+@@ -747,19 +747,18 @@
+ char *result_offset;
+
+ offset = i = 0;
++ *result = NULL;
+
+ /*
+ * Sanity check & memory allocation
+ */
+ if (job == NULL || job->pattern == NULL || job->substitute == NULL || NULL == subject)
+ {
+- *result = NULL;
+ return(PCRS_ERR_BADJOB);
+ }
+
+ if (NULL == (matches = (pcrs_match *)malloc((size_t)max_matches * sizeof(pcrs_match))))
+ {
+- *result = NULL;
+ return(PCRS_ERR_NOMEM);
+ }
+ memset(matches, '\0', (size_t)max_matches * sizeof(pcrs_match));
+@@ -806,7 +805,6 @@
+ if (NULL == (dummy = (pcrs_match *)realloc(matches, (size_t)max_matches * sizeof(pcrs_match))))
+ {
+ free(matches);
+- *result = NULL;
+ return(PCRS_ERR_NOMEM);
+ }
+ matches = dummy;
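Review bot: The hoisted `*result = NULL;` now writes through `result` before the sanity check on the following lines, and that check validates job, job->pattern, job->substitute and subject but not `result` itself, so a NULL out-pointer faults on the first statement instead of being reported as PCRS_ERR_BADJOB. Whether any caller can pass NULL here is not visible in the debdiff, and the success path presumably wrote `*result` before this change as well, so this is a consistency point rather than a regression; if the parameter is meant to be mandatory, a guard ahead of the write, `if (NULL == result) return(PCRS_ERR_BADJOB);`, keeps the error reporting in line with the "(NULL on error)" contract added to the header comment in the first hunk. The remaining error returns of pcrs_execute() and its success path are outside the hunk.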
diff -Nru privoxy-3.0.21/debian/patches/series privoxy-3.0.21/debian/patches/series
--- privoxy-3.0.21/debian/patches/series 2013-01-24 17:41:35.000000000 +0100
+++ privoxy-3.0.21/debian/patches/series 2015-01-12 08:41:43.000000000 +0100
@@ -8,3 +8,6 @@
28_listen_localhost.patch
32_bind_fixup.patch
33_manpage_hyphen.patch
+34_CVE-2015-1030.patch
+35_CVE-2015-1031-CID66394.patch
+36_CVE-2015-1031-CID66376.patch