
Bug#817258: marked as done (wheezy-pu: package privoxy/3.0.19-2+deb7u4)



Your message dated Thu, 5 May 2016 16:45:06 +0200
with message-id <20160505144506.GA2718@betterave.cristau.org>
and subject line Re: Bug#817258: wheezy-pu: package privoxy/3.0.19-2+deb7u4
has caused the Debian Bug report #817258,
regarding wheezy-pu: package privoxy/3.0.19-2+deb7u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
817258: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817258
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

I prepared a patch against privoxy 3.0.19-2+deb7u3, which closes the
CVE-2013-2503, see
https://security-tracker.debian.org/tracker/CVE-2013-2503
The patch is attached.

The security team asked me to place it here, since it's a minor issue
and no DSA is required.

Please tell me if I'm allowed to upload.

Tschoeeee

        Roland
diff -Nru privoxy-3.0.19/debian/changelog privoxy-3.0.19/debian/changelog
--- privoxy-3.0.19/debian/changelog	2016-01-22 17:51:41.000000000 +0100
+++ privoxy-3.0.19/debian/changelog	2016-03-09 14:56:58.000000000 +0100
@@ -1,3 +1,12 @@
+privoxy (3.0.19-2+deb7u4) stable; urgency=high
+
+  * 42_CVE-2013-2503: Proxy authentication headers are removed unless the
+    new directive enable-proxy-authentication-forwarding is used.
+    Forwarding the headers potentionally allows malicious sites to trick
+    the user into providing it with login information (Closes: #702896).
+
+ -- Roland Rosenfeld <roland@debian.org>  Tue, 08 Mar 2016 08:52:26 +0100
+
 privoxy (3.0.19-2+deb7u3) wheezy-security; urgency=high
 
   * 40_CVE-2016-1982: Prevent invalid reads in case of corrupt
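Review bot: the changelog entry carries a typo and an ambiguous pronoun in the wording copied from the upstream patch description ("potentionally" should be "potentially", and "providing it with login information" leaves unclear what "it" refers to); suggest "Forwarding the headers potentially allows malicious sites to trick the user into providing the site with login information". The entry otherwise matches the patch name (42_CVE-2013-2503) and the closed bug number.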
diff -Nru privoxy-3.0.19/debian/patches/42_CVE-2013-2503.patch privoxy-3.0.19/debian/patches/42_CVE-2013-2503.patch
--- privoxy-3.0.19/debian/patches/42_CVE-2013-2503.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.19/debian/patches/42_CVE-2013-2503.patch	2016-03-09 14:56:58.000000000 +0100
@@ -0,0 +1,238 @@
+Author: Fabian Keil <fk@fabiankeil.de>
+Description: CVE-2013-2503: Proxy authentication headers are removed
+ unless the new directive enable-proxy-authentication-forwarding is
+ used. Forwarding the headers potentionally allows malicious sites to
+ trick the user into providing it with login information.
+Origin: upstream, picked from CVS
+--- a/config
++++ b/config
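Review bot: the DEP-3 header block is missing the fields that make a backport traceable: "Origin: upstream, picked from CVS" names no revision or URL, and there is no Bug-Debian: line for #702896 even though the changelog closes it. Suggest pointing Origin at the specific upstream commit and adding "Bug-Debian: https://bugs.debian.org/702896" so the next maintainer can diff the backport against upstream. The Description line inherits the same "potentionally"/"providing it with" wording as the changelog.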
+@@ -1125,6 +1125,46 @@ enforce-blocks 0
+ #
+ buffer-limit 4096
+ #
++#  4.9. enable-proxy-authentication-forwarding
++#  ============================================
++#
++#  Specifies:
++#
++#      Whether or not proxy authentication through Privoxy should
++#      work.
++#
++#  Type of value:
++#
++#      0 or 1
++#
++#  Default value:
++#
++#      0
++#
++#  Effect if unset:
++#
++#      Proxy authentication headers are removed.
++#
++#  Notes:
++#
++#      Privoxy itself does not support proxy authentication, but can
++#      allow clients to authenticate against Privoxy's parent proxy.
++#
++#      By default Privoxy (3.0.21 and later) don't do that and remove
++#      Proxy-Authorization headers in requests and Proxy-Authenticate
++#      headers in responses to make it harder for malicious sites to
++#      trick inexperienced users into providing login information.
++#
++#      If this option is enabled the headers are forwarded.
++#
++#      Enabling this option is not recommended if there is no parent
++#      proxy that requires authentication or if the local network
++#      between Privoxy and the parent proxy isn't trustworthy. If
++#      proxy authentication is only required for some requests, it is
++#      recommended to use a client header filter to remove the
++#      authentication headers for requests where they aren't needed.
++#
++enable-proxy-authentication-forwarding 0
+ #
+ #  5. FORWARDING
+ #  ==============
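Review bot: the Notes text in the config documentation is misleading for this package: it says "By default Privoxy (3.0.21 and later) don't do that", but this patch applies the behaviour to the 3.0.19 package in wheezy, and the subject/verb disagree ("Privoxy ... don't"). Suggest either dropping the version qualifier for the backport or rewording along the lines of "By default Privoxy does not do that and removes ..."; the same paragraph is duplicated in doc/source/p-config.sgml and should be fixed in both places so the generated config stays in sync.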
+--- a/doc/source/p-config.sgml
++++ b/doc/source/p-config.sgml
+@@ -1888,6 +1888,67 @@ ACLs: permit-access and deny-access</tit
+ <![%config-file;[<literallayout>@@buffer-limit 4096</literallayout>]]>
+ </sect3>
+ 
++<!--   ~~~~~       New section      ~~~~~     -->
++<sect3 renderas="sect4" id="enable-proxy-authentication-forwarding"><title>enable-proxy-authentication-forwarding</title>
++<variablelist>
++ <varlistentry>
++  <term>Specifies:</term>
++  <listitem>
++   <para>
++    Whether or not proxy authentication through &my-app; should work.
++   </para>
++  </listitem>
++ </varlistentry>
++ <varlistentry>
++  <term>Type of value:</term>
++  <listitem>
++   <para>0 or 1</para>
++  </listitem>
++ </varlistentry>
++ <varlistentry>
++  <term>Default value:</term>
++  <listitem>
++   <para>0</para>
++  </listitem>
++ </varlistentry>
++ <varlistentry>
++  <term>Effect if unset:</term>
++  <listitem>
++   <para>
++    Proxy authentication headers are removed.
++   </para>
++  </listitem>
++ </varlistentry>
++ <varlistentry>
++  <term>Notes:</term>
++  <listitem>
++   <para>
++    Privoxy itself does not support proxy authentication, but can
++    allow clients to authenticate against Privoxy's parent proxy.
++   </para>
++   <para>
++    By default Privoxy (3.0.21 and later) don't do that and remove
++    Proxy-Authorization headers in requests and Proxy-Authenticate
++    headers in responses to make it harder for malicious sites to
++    trick inexperienced users into providing login information.
++   </para>
++   <para>
++    If this option is enabled the headers are forwarded.
++   </para>
++   <para>
++    Enabling this option is <emphasis>not recommended</emphasis> if there is
++    no parent proxy that requires authentication or if the local network between
++    Privoxy and the parent proxy isn't trustworthy. If proxy authentication is
++    only required for some requests, it is recommended to use a client header filter
++    to remove the authentication headers for requests where they aren't needed.
++   </para>
++  </listitem>
++ </varlistentry>
++</variablelist>
++
++<![%config-file;[<literallayout>@@enable-proxy-authentication-forwarding 0</literallayout>]]>
++</sect3>
++
+ </sect2>
+ 
+ <!--  ~  End section  ~  -->
+--- a/loadcfg.c
++++ b/loadcfg.c
+@@ -141,6 +141,7 @@ static struct file_list *current_configf
+ #define hash_deny_access                 1227333715ul /* "deny-access" */
+ #define hash_enable_edit_actions         2517097536ul /* "enable-edit-actions" */
+ #define hash_enable_compression          3943696946ul /* "enable-compression" */
++#define hash_enable_proxy_authentication_forwarding 4040610791ul /* enable-proxy-authentication-forwarding */
+ #define hash_enable_remote_toggle        2979744683ul /* "enable-remote-toggle" */
+ #define hash_enable_remote_http_toggle    110543988ul /* "enable-remote-http-toggle" */
+ #define hash_enforce_blocks              1862427469ul /* "enforce-blocks" */
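Review bot: the comment on the new hash define breaks the convention of the surrounding lines, which quote the directive name (`/* "deny-access" */`, `/* "enable-compression" */`); suggest `/* "enable-proxy-authentication-forwarding" */` for consistency. Since the hash constant 4040610791ul is hand-copied from upstream rather than derived here, it is worth confirming against the hash routine loadcfg.c uses for directive names, as a wrong value would make the directive silently unrecognised.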
+@@ -414,6 +415,7 @@ struct configuration_spec * load_config(
+    config->feature_flags            &= ~RUNTIME_FEATURE_SPLIT_LARGE_FORMS;
+    config->feature_flags            &= ~RUNTIME_FEATURE_ACCEPT_INTERCEPTED_REQUESTS;
+    config->feature_flags            &= ~RUNTIME_FEATURE_EMPTY_DOC_RETURNS_OK;
++   config->feature_flags            &= ~RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS;
+ #ifdef FEATURE_COMPRESSION
+    config->feature_flags            &= ~RUNTIME_FEATURE_COMPRESSION;
+    /*
+@@ -742,6 +744,19 @@ struct configuration_spec * load_config(
+             break;
+ #endif /* def FEATURE_COMPRESSION */
+ 
++/* *************************************************************************
++ * enable-proxy-authentication-forwarding 0|1
++ * *************************************************************************/
++         case hash_enable_proxy_authentication_forwarding:
++            if (parse_toggle_state(cmd, arg) == 1)
++            {
++               config->feature_flags |= RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS;
++            }
++            else
++            {
++               config->feature_flags &= ~RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS;
++            }
++            break;
+ 
+ /* *************************************************************************
+  * enable-remote-toggle 0|1
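Review bot: the `else` branch in the new `case hash_enable_proxy_authentication_forwarding:` re-clears a flag that the defaults block already clears, so it is redundant for a single occurrence of the directive; it is nonetheless worth keeping because it gives last-occurrence-wins semantics when the directive appears twice in a config file, which matches how the neighbouring toggle directives behave. No change needed, but a one-line comment saying so would save the next reader the question.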
+--- a/parsers.c
++++ b/parsers.c
+@@ -173,6 +173,7 @@ static jb_err server_connection_adder(st
+ #ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ static jb_err server_proxy_connection_adder(struct client_state *csp);
+ #endif /* def FEATURE_CONNECTION_KEEP_ALIVE */
++static jb_err proxy_authentication(struct client_state *csp, char **header);
+ 
+ static jb_err create_forged_referrer(char **header, const char *hostport);
+ static jb_err create_fake_referrer(char **header, const char *fake_referrer);
+@@ -222,6 +223,7 @@ static const struct parsers client_patte
+    { "Request-Range:",           14,   client_range },
+    { "If-Range:",                 9,   client_range },
+    { "X-Filter:",                 9,   client_x_filter },
++   { "Proxy-Authorization:",     20,   proxy_authentication },
+    { "*",                         0,   crunch_client_header },
+    { "*",                         0,   filter_header },
+    { NULL,                        0,   NULL }
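Review bot: the new `{ "Proxy-Authorization:", 20, proxy_authentication }` entry has the correct prefix length (19 characters plus the colon) and is correctly placed before the two `"*"` catch-all rows, which matters because the table is walked in order and `crunch_client_header`/`filter_header` would otherwise see the header first. Please confirm the table comparison is case-insensitive (the server table mixes `content-disposition:` with capitalised names, which suggests it is), since a client sending `proxy-authorization:` must be treated the same way.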
+@@ -244,6 +246,7 @@ static const struct parsers server_patte
+    { "Transfer-Encoding:",       18, server_transfer_coding },
+    { "content-disposition:",     20, server_content_disposition },
+    { "Last-Modified:",           14, server_last_modified },
++   { "Proxy-Authenticate:",      19, proxy_authentication },
+    { "*",                         0, crunch_server_header },
+    { "*",                         0, filter_header },
+    { NULL,                        0, NULL }
+@@ -1688,6 +1691,36 @@ static jb_err server_proxy_connection(st
+    return JB_ERR_OK;
+ }
+ 
++
++/*********************************************************************
++ *
++ * Function    :  proxy_authentication
++ *
++ * Description :  Removes headers that are relevant for proxy
++ *                authentication unless forwarding them has
++ *                been explicitly requested.
++ *
++ * Parameters  :
++ *          1  :  csp = Current client state (buffers, headers, etc...)
++ *          2  :  header = On input, pointer to header to modify.
++ *                On output, pointer to the modified header, or NULL
++ *                to remove the header.  This function frees the
++ *                original string if necessary.
++ *
++ * Returns     :  JB_ERR_OK.
++ *
++ *********************************************************************/
++static jb_err proxy_authentication(struct client_state *csp, char **header)
++{
++   if ((csp->config->feature_flags &
++      RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS) == 0) {
++      log_error(LOG_LEVEL_HEADER,
++         "Forwarding proxy authentication headers is disabled. Crunching: %s", *header);
++      freez(*header);
++   }
++   return JB_ERR_OK;
++}
++
+ 
+ /*********************************************************************
+  *
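Review bot: the `log_error(LOG_LEVEL_HEADER, "... Crunching: %s", *header)` call in `proxy_authentication` writes the full header value to the log, and for `Proxy-Authorization` that value is the client's credentials (for Basic auth, base64 of user:password). Logging the header name only, e.g. `"Forwarding proxy authentication headers is disabled. Crunching: %s", "Proxy-Authorization"` or a value truncated at the first space, avoids leaving credentials in the header-level log. Minor style point: the opening brace of the `if` sits on the condition line, while the rest of the file (see the `case` block in loadcfg.c) puts braces on their own line.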
+--- a/project.h
++++ b/project.h
+@@ -1199,6 +1199,9 @@ struct access_control_list
+ /** configuration_spec::feature_flags: Buffered content is sent compressed if the client supports it. */
+ #define RUNTIME_FEATURE_COMPRESSION               1024U
+ 
++/** configuration_spec::feature_flags: Proxy authentication headers are forwarded instead of removed. */
++#define RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS      4096U
++
+ /**
+  * Data loaded from the configuration file.
+  *
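Review bot: `RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS` is assigned 4096U directly after `RUNTIME_FEATURE_COMPRESSION` at 1024U, skipping 2048U; the hunk does not show whether 2048U is already used in 3.0.19's project.h or only in the newer upstream tree this was picked from. Please verify the bit is unused in this version so the flag cannot alias another feature, and add a short comment if the gap is intentional.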
diff -Nru privoxy-3.0.19/debian/patches/series privoxy-3.0.19/debian/patches/series
--- privoxy-3.0.19/debian/patches/series	2016-01-22 17:50:51.000000000 +0100
+++ privoxy-3.0.19/debian/patches/series	2016-03-09 14:56:58.000000000 +0100
@@ -14,3 +14,4 @@
 39_CVE-2015-1382.patch
 40_CVE-2016-1982.patch
 41_CVE-2016-1983.patch
+42_CVE-2013-2503.patch

--- End Message ---
--- Begin Message ---
On Wed, Mar  9, 2016 at 15:08:40 +0100, Roland Rosenfeld wrote:

> Package: release.debian.org
> Severity: normal
> Tags: wheezy
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> I prepared a patch against privoxy 3.0.19-2+deb7u3, which closes the
> CVE-2013-2503, see
> https://security-tracker.debian.org/tracker/CVE-2013-2503
> The patch is attached.
> 
> The security team asked me to place it here, since it's a minor issue
> and no DSA is required.
> 
> Please tell me if I'm allowed to upload.
> 
Hi,

sorry we didn't get to this before wheezy was EOLed.  At this point,
further updates should go through the LTS process instead of
wheezy-proposed-updates.

Thanks,
Julien



--- End Message ---
