Bug#981665: stretch-pu: package privoxy/3.0.26-3
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
This fixes CVE-2021-20216 and CVE-2021-20217.
Since both are tagged "<no-dsa> (Minor issue)" in security tracker, I
tend to send this into the next point release of stretch.
Salsa-CI passed: https://salsa.debian.org/debian/privoxy/-/pipelines/226263
Attached you'll find a diff against 3.0.26-3.
Greetings
Roland
diff -Nru privoxy-3.0.26/debian/changelog privoxy-3.0.26/debian/changelog
--- privoxy-3.0.26/debian/changelog 2017-01-11 22:24:55.000000000 +0100
+++ privoxy-3.0.26/debian/changelog 2021-02-02 18:52:00.000000000 +0100
@@ -1,3 +1,12 @@
+privoxy (3.0.26-3+deb9u1) stretch; urgency=medium
+
+ * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
+ (CVE-2021-20217).
+ * 39_decompress_iob: Fix detection of insufficient data.
+ * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216).
+
+ -- Roland Rosenfeld <roland@debian.org> Tue, 02 Feb 2021 18:52:00 +0100
+
privoxy (3.0.26-3) unstable; urgency=medium
* Add da debconf translation. Thanks to Joe Dalton (Closes: #850876).
diff -Nru privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch
--- privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch 2021-02-02 18:52:00.000000000 +0100
@@ -0,0 +1,34 @@
+commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Sat Jan 30 15:04:17 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b
+Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217)
+
+ parse_cgi_parameters(): Make sure the maximum number of segments is large enough
+
+ ... for ssplit() to succeed.
+
+ Prevents an assertion from getting triggered. OVE-20210130-0001.
+
+ Reported by: Joshua Rogers (Opera)
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -628,16 +628,7 @@ static struct map *parse_cgi_parameters(
+ * The same hack is used in get_last_url() so it looks like
+ * a real solution is needed.
+ */
+- size_t max_segments = strlen(argstring) / 2;
+- if (max_segments == 0)
+- {
+- /*
+- * XXX: If the argstring is empty, there's really
+- * no point in creating a param list, but currently
+- * other parts of Privoxy depend on the list's existence.
+- */
+- max_segments = 1;
+- }
++ size_t max_segments = strlen(argstring) / 2 + 1;
+ vector = malloc_or_die(max_segments * sizeof(char *));
+
+ cgi_params = new_map();
diff -Nru privoxy-3.0.26/debian/patches/39_decompress_iob.patch privoxy-3.0.26/debian/patches/39_decompress_iob.patch
--- privoxy-3.0.26/debian/patches/39_decompress_iob.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/39_decompress_iob.patch 2021-02-02 18:52:00.000000000 +0100
@@ -0,0 +1,22 @@
+commit f5c1a886b7ae20da7eafb77926252eb521260728
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Thu Jan 28 16:26:45 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f5c1a
+Subject: decompress_iob(): Fix detection of insufficient data
+
+ Instead of checking the size of the iob we have to
+ check the size of the actual data.
+
+ Previously Privoxy could try to work on uninitialized data.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -430,7 +430,7 @@ jb_err decompress_iob(struct client_stat
+
+ cur = csp->iob->cur;
+
+- if (bufsize < (size_t)10)
++ if (old_size < (size_t)10)
+ {
+ /*
+ * This is to protect the parsing of gzipped data,
diff -Nru privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch
--- privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch 2021-02-02 18:52:00.000000000 +0100
@@ -0,0 +1,21 @@
+commit f431d61740cc03c1c5f6b7f9c7a4a8d0bedd70dd
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Thu Jan 28 18:02:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f431d
+Subject: Fix a memory leak (CVE-2021-20216)
+ decompress_iob(): Fix a memory leak
+
+ ... when decompression fails "unexpectedly".
+
+ OVE-20210128-0001.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -698,6 +698,7 @@ jb_err decompress_iob(struct client_stat
+ log_error(LOG_LEVEL_ERROR,
+ "Unexpected error while decompressing to the buffer (iob): %s",
+ zstr.msg);
++ freez(buf);
+ return JB_ERR_COMPRESS;
+ }
+
diff -Nru privoxy-3.0.26/debian/patches/series privoxy-3.0.26/debian/patches/series
--- privoxy-3.0.26/debian/patches/series 2017-01-11 22:24:55.000000000 +0100
+++ privoxy-3.0.26/debian/patches/series 2021-02-02 18:52:00.000000000 +0100
@@ -11,3 +11,6 @@
35_man-spelling.patch
36_openspopenjade.patch
37_adventofcode.patch
+38_CVE-2021-20217.patch
+39_decompress_iob.patch
+40_CVE-2021-20216.patch
diff -Nru privoxy-3.0.26/debian/salsa-ci.yml privoxy-3.0.26/debian/salsa-ci.yml
--- privoxy-3.0.26/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/salsa-ci.yml 2021-02-02 18:52:00.000000000 +0100
@@ -0,0 +1,6 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'stretch'
Reply to: