
Bug#775366: marked as done (unblock: privoxy/3.0.21-5)



Your message dated Wed, 14 Jan 2015 20:41:42 +0100
with message-id <20150114194141.GG10245@ugent.be>
and subject line Re: Bug#775366: unblock: privoxy/3.0.21-5
has caused the Debian Bug report #775366,
regarding unblock: privoxy/3.0.21-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
775366: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775366
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package privoxy/3.0.21-5

I just uploaded privoxy version 3.0.21-5, which should fix
CVE-2015-1030 and CVE-2015-1031, which are reported in #775167.

A debdiff between 3.0.21-4 and 3.0.21-5 is attached.

It contains 3 quilt patches, which are extracted from upstream 3.0.22
source.

Greetings

        Roland
diff -Nru privoxy-3.0.21/debian/changelog privoxy-3.0.21/debian/changelog
--- privoxy-3.0.21/debian/changelog	2014-05-10 14:19:22.000000000 +0200
+++ privoxy-3.0.21/debian/changelog	2015-01-12 08:44:24.000000000 +0100
@@ -1,3 +1,15 @@
+privoxy (3.0.21-5) unstable; urgency=low
+
+  * 34_CVE-2015-1030: Fix memory leak in rfc2553_connect_to().  CID 66382
+  * 35_CVE-2015-1031-CID66394: unmap(): Prevent use-after-free if the map 
+    only consists of one item.  CID 66394.
+  * 36_CVE-2015-1031-CID66376: pcrs_execute(): Consistently set *result to
+    NULL in case of errors.  Should make use-after-free in the caller less
+    likely.  CID 66391, CID 66376.
+  * These 3 patches Closes: #775167.
+  
+ -- Roland Rosenfeld <roland@debian.org>  Mon, 12 Jan 2015 08:44:23 +0100
+
 privoxy (3.0.21-4) unstable; urgency=low
 
   * Enable hardening=+all
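Review bot: The new 3.0.21-5 entry is uploaded with urgency=low although all three of its items are fixes filed under CVE-2015-1030 and CVE-2015-1031. A security upload would normally carry urgency=medium or high so the changelog reflects why it needs to migrate. Minor: the "35_CVE-2015-1031-CID66394" line and the otherwise blank line before the signature have trailing whitespace, and "These 3 patches Closes:" would read better as a plain "Closes: #775167" on the entries themselves.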
diff -Nru privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch
--- privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.21/debian/patches/34_CVE-2015-1030.patch	2015-01-12 08:32:18.000000000 +0100
@@ -0,0 +1,16 @@
+Author: Fabian Keil <fk@fabiankeil.de>
+Description: Fix memory leak in rfc2553_connect_to()
+ CID 66382.
+Bug-Debian: http://bugs.debian.org/775167
+Origin: upstream, http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/jbsockets.c?r1=1.130&r2=1.131
+
+--- a/jbsockets.c
++++ b/jbsockets.c
+@@ -285,6 +285,7 @@
+             "Server socket number too high to use select(): %d >= %d",
+             fd, FD_SETSIZE);
+          close_socket(fd);
++         freeaddrinfo(result);
+          return JB_INVALID_SOCKET;
+       }
+ #endif
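Review bot: The added freeaddrinfo(result) in jbsockets.c releases the address list only on the FD_SETSIZE early return shown here, and nothing in the patch header says whether the other exits of rfc2553_connect_to() were checked. Please confirm that every return reached after the lookup succeeds frees result, or route the error exits through one cleanup point so a later early return cannot reintroduce the leak.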
diff -Nru privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch
--- privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.21/debian/patches/35_CVE-2015-1031-CID66394.patch	2015-01-12 08:36:24.000000000 +0100
@@ -0,0 +1,31 @@
+Author: Fabian Keil <fk@fabiankeil.de>
+Description: unmap(): Prevent use-after-free if the map only consists of one
+ item
+ CID 66394.
+Bug-Debian: http://bugs.debian.org/775167
+Origin: upstream, http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/list.c?r1=1.31&r2=1.32
+
+--- a/list.c
++++ b/list.c
+@@ -1055,7 +1055,7 @@
+    assert(the_map);
+    assert(name);
+ 
+-   last_entry = the_map->first;
++   last_entry = NULL;
+ 
+    for (cur_entry = the_map->first; cur_entry != NULL; cur_entry = cur_entry->next)
+    {
+@@ -1087,7 +1087,11 @@
+          freez(cur_entry->name);
+          freez(cur_entry->value);
+          freez(cur_entry);
+-
++         if (last_entry == NULL)
++         {
++            /* The map only had a single entry which has just been removed. */
++            break;
++         }
+          cur_entry = last_entry;
+       }
+       else
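Review bot: In the second list.c hunk, the new "if (last_entry == NULL) break;" fires whenever the removed entry is the first one visited, not only when the map had a single entry, because last_entry is now initialised to NULL and is still NULL at that point. For a map with several entries where the first one matches, the loop stops early and any later entries with the same name stay in the map, so the comment does not describe the condition actually tested. Saving cur_entry->next before the freez() calls and continuing from that pointer would avoid both the use-after-free and the early exit.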
diff -Nru privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch
--- privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.21/debian/patches/36_CVE-2015-1031-CID66376.patch	2015-01-12 08:39:52.000000000 +0100
@@ -0,0 +1,47 @@
+Author: Fabian Keil <fk@fabiankeil.de>
+Description: pcrs_execute(): Consistently set *result to NULL in case of errors
+ Should make use-after-free in the caller less likely.
+ CID 66391, CID 66376.
+Bug-Debian: http://bugs.debian.org/775167
+Origin: upstream, http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/pcrs.c?r1=1.45&r2=1.46
+
+--- a/pcrs.c
++++ b/pcrs.c
+@@ -725,7 +725,7 @@
+  *          1  :  job = the pcrs_job to be executed
+  *          2  :  subject = the subject (== original) string
+  *          3  :  subject_length = the subject's length
+- *          4  :  result = char** for returning  the result
++ *          4  :  result = char** for returning the result (NULL on error)
+  *          5  :  result_length = size_t* for returning the result's length
+  *
+  * Returns     :  On success, the number of substitutions that were made.
+@@ -747,19 +747,18 @@
+    char *result_offset;
+ 
+    offset = i = 0;
++   *result = NULL;
+ 
+    /*
+     * Sanity check & memory allocation
+     */
+    if (job == NULL || job->pattern == NULL || job->substitute == NULL || NULL == subject)
+    {
+-      *result = NULL;
+       return(PCRS_ERR_BADJOB);
+    }
+ 
+    if (NULL == (matches = (pcrs_match *)malloc((size_t)max_matches * sizeof(pcrs_match))))
+    {
+-      *result = NULL;
+       return(PCRS_ERR_NOMEM);
+    }
+    memset(matches, '\0', (size_t)max_matches * sizeof(pcrs_match));
+@@ -806,7 +805,6 @@
+          if (NULL == (dummy = (pcrs_match *)realloc(matches, (size_t)max_matches * sizeof(pcrs_match))))
+          {
+             free(matches);
+-            *result = NULL;
+             return(PCRS_ERR_NOMEM);
+          }
+          matches = dummy;
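Review bot: The hoisted "*result = NULL;" in pcrs_execute() now dereferences result before the sanity check, and that check tests job, job->pattern, job->substitute and subject but never result itself. Either add "result == NULL" to the check and move the assignment after it, or state in the parameter comment that result must be non-NULL. The Description already says this only makes use-after-free in the caller "less likely", so it is worth noting in the header which callers still need to check the return value before touching their result pointer.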
diff -Nru privoxy-3.0.21/debian/patches/series privoxy-3.0.21/debian/patches/series
--- privoxy-3.0.21/debian/patches/series	2013-01-24 17:41:35.000000000 +0100
+++ privoxy-3.0.21/debian/patches/series	2015-01-12 08:41:43.000000000 +0100
@@ -8,3 +8,6 @@
 28_listen_localhost.patch
 32_bind_fixup.patch
 33_manpage_hyphen.patch
+34_CVE-2015-1030.patch
+35_CVE-2015-1031-CID66394.patch
+36_CVE-2015-1031-CID66376.patch

--- End Message ---
--- Begin Message ---
Hi,

On Wed, Jan 14, 2015 at 07:31:07PM +0100, Roland Rosenfeld wrote:
> Please unblock package privoxy/3.0.21-5

Unblocked.

Cheers,

Ivo

--- End Message ---
