Bug#981664: buster-pu: package privoxy/3.0.28-2
Hi Moritz!

On Thu, 04 Feb 2021, Moritz Mühlenhoff wrote:

> On Tue, Feb 02, 2021 at 07:15:37PM +0100, Roland Rosenfeld wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> > 
> > This fixes CVE-2021-20216 and CVE-2021-20217.
> > Since both are tagged "<no-dsa> (Minor issue)" in security tracker, I
> > tend to send this into the next point release of buster.

> Yesterday upstream assigned a few additional CVE IDs (also no-dsa):
> https://www.openwall.com/lists/oss-security/2021/02/03/3, maybe you
> also want to fold these in?

You're right, I just did so and updated the buster package to
incorporate all additional patches.

An updated patch is attached.

Greetings
Roland

diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog
--- privoxy-3.0.28/debian/changelog	2019-01-06 13:07:14.000000000 +0100
+++ privoxy-3.0.28/debian/changelog	2021-02-04 20:38:58.000000000 +0100
@@ -1,3 +1,30 @@
+privoxy (3.0.28-2+deb10u1) buster; urgency=medium
+
+  * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
+    (CVE-2021-20217).
+  * 39_decompress_iob: Fix detection of insufficient data.
+  * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216).
+  * 41_CVE-2020-35502: Fixed memory leaks when a response is buffered and
+    the buffer limit is reached or Privoxy is running out of memory
+    (CVE-2020-35502).
+  * 42_CVE-2021-20209: Fixed a memory leak in the show-status CGI handler
+    when no action files are configured (CVE-2021-20209).
+  * 43_CVE-2021-20210: Fixed a memory leak in the show-status CGI handler
+    when no filter files are configured (CVE-2021-20210).
+  * 44_CVE-2021-20211: Fixes a memory leak when client tags are active
+    (CVE-2021-20211).
+  * 45_CVE-2021-20212: Fixed a memory leak if multiple filters are
+    executed and the last one is skipped due to a pcre error (CVE-2021-20212).
+  * 46_CVE-2021-20213: Prevent an unlikely dereference of a NULL-pointer
+    that could result in a crash if accept-intercepted-requests was
+    enabled, Privoxy failed to get the request destination from the Host
+    header and a memory allocation failed (CVE-2021-20213).
+  * 47_CVE-2021-20214: Fixed memory leaks in the client-tags CGI handler
+    when client tags are configured and memory allocations fail
+    (CVE-2021-20214).
+
+ -- Roland Rosenfeld <roland@debian.org>  Thu, 04 Feb 2021 20:38:58 +0100
+
 privoxy (3.0.28-2) unstable; urgency=medium
 
   * d/tests/privoxy-regression-test: Remove tmpdir on exit.
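Review bot: the new changelog entries mix verb forms ("Prevent", "Fix", "Fixed", "Fixes"), and the 39_decompress_iob entry gives the release team no reason why a change without a CVE belongs in a point release; suggest one consistent form throughout and a short justification for 39 (the embedded upstream message says Privoxy could otherwise work on uninitialized data in decompress_iob(), the same function touched by 40_CVE-2021-20216). The replacement of debian/gitlab-ci.yml by debian/salsa-ci.yml further down in this diff is not mentioned in the entry at all.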
diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml privoxy-3.0.28/debian/gitlab-ci.yml
--- privoxy-3.0.28/debian/gitlab-ci.yml	2019-01-06 13:07:14.000000000 +0100
+++ privoxy-3.0.28/debian/gitlab-ci.yml	1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-    extends: .build-unstable
-
-reprotest:
-    extends: .test-reprotest
-
-lintian:
-    extends: .test-lintian
-
-autopkgtest:
-    extends: .test-autopkgtest
-
-piuparts:
-    extends: .test-piuparts
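Review bot: deleting debian/gitlab-ci.yml (with debian/salsa-ci.yml added later in this diff) is unrelated to the CVE fixes and undocumented in the changelog; for a stable update either leave the CI files untouched or add a changelog line, since every change in a pu diff is expected to be explained, even one that does not affect the built binaries.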
diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch
--- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch	2021-02-04 20:38:58.000000000 +0100
@@ -0,0 +1,34 @@
+commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Sat Jan 30 15:04:17 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b
+Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217)
+
+    parse_cgi_parameters(): Make sure the maximum number of segments is large enough
+    
+    ... for ssplit() to succeed.
+    
+    Prevents an assertion from getting triggered. OVE-20210130-0001.
+    
+    Reported by: Joshua Rogers (Opera)
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters(
+     *      The same hack is used in get_last_url() so it looks like
+     *      a real solution is needed.
+     */
+-   size_t max_segments = strlen(argstring) / 2;
+-   if (max_segments == 0)
+-   {
+-      /*
+-       * XXX: If the argstring is empty, there's really
+-       *      no point in creating a param list, but currently
+-       *      other parts of Privoxy depend on the list's existence.
+-       */
+-      max_segments = 1;
+-   }
++   size_t max_segments = strlen(argstring) / 2 + 1;
+    vector = malloc_or_die(max_segments * sizeof(char *));
+ 
+    cgi_params = new_map();
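Review bot: `strlen(argstring) / 2 + 1` always yields at least one slot and also covers odd-length strings, so the sizing for ssplit() is now safe; the surviving comment right above it, however, says "The same hack is used in get_last_url()", so check whether get_last_url() in 3.0.28 carries the same segment-count calculation and needs the same treatment.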
diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch privoxy-3.0.28/debian/patches/39_decompress_iob.patch
--- privoxy-3.0.28/debian/patches/39_decompress_iob.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/39_decompress_iob.patch	2021-02-04 20:38:58.000000000 +0100
@@ -0,0 +1,22 @@
+commit f5c1a886b7ae20da7eafb77926252eb521260728
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Thu Jan 28 16:26:45 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f5c1a
+Subject: decompress_iob(): Fix detection of insufficient data
+    
+    Instead of checking the size of the iob we have to
+    check the size of the actual data.
+    
+    Previously Privoxy could try to work on uninitialized data.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -433,7 +433,7 @@ jb_err decompress_iob(struct client_stat
+ 
+    cur = csp->iob->cur;
+ 
+-   if (bufsize < (size_t)10)
++   if (old_size < (size_t)10)
+    {
+       /*
+        * This is to protect the parsing of gzipped data,
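Review bot: the hunk switches the check from `bufsize` to `old_size`, but neither variable's definition is inside the context; confirm that `old_size` (the content size before decompression) is already computed at this point in the 3.0.28 decompress_iob() and was not introduced by a later upstream commit, otherwise the patch will not compile against the buster source.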
diff -Nru privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch
--- privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch	2021-02-04 20:38:58.000000000 +0100
@@ -0,0 +1,21 @@
+commit f431d61740cc03c1c5f6b7f9c7a4a8d0bedd70dd
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Thu Jan 28 18:02:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f431d
+Subject: Fix a memory leak (CVE-2021-20216)
+ decompress_iob(): Fix a memory leak
+    
+    ... when decompression fails "unexpectedly".
+    
+    OVE-20210128-0001.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -701,6 +701,7 @@ jb_err decompress_iob(struct client_stat
+       log_error(LOG_LEVEL_ERROR,
+          "Unexpected error while decompressing to the buffer (iob): %s",
+          zstr.msg);
++      freez(buf);
+       return JB_ERR_COMPRESS;
+    }
+ 
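Review bot: the sibling error returns in this function gain `inflateEnd(&zstr);` in the 41_CVE-2020-35502 patch below, while this path only adds `freez(buf);` before `return JB_ERR_COMPRESS;`; check whether the zlib stream set up by inflateInit() is released on this path as well, otherwise zlib's internal state still leaks here. Header nit: the line ` decompress_iob(): Fix a memory leak` directly under `Subject:` starts with a space, so DEP-3 parsers read it as a continuation of the subject; separate it with a blank line.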
diff -Nru privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch
--- privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch	2021-02-04 20:38:58.000000000 +0100
@@ -0,0 +1,25 @@
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Mon Mar 2 18:14:29 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=4490d451f9b, https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=bbd53f1010b
+Subject: Fixed memory leaks when a response is buffered and the buffer limit
+ is reached or Privoxy is running out of memory (CVE-2020-35502)
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -633,6 +633,8 @@ jb_err decompress_iob(struct client_stat
+       if (bufsize >= csp->config->buffer_limit)
+       {
+          log_error(LOG_LEVEL_ERROR, "Buffer limit reached while decompressing iob");
++         freez(buf);
++         inflateEnd(&zstr);
+          return JB_ERR_MEMORY;
+       }
+ 
+@@ -651,6 +653,7 @@ jb_err decompress_iob(struct client_stat
+       {
+          log_error(LOG_LEVEL_ERROR, "Out of memory decompressing iob");
+          freez(buf);
++         inflateEnd(&zstr);
+          return JB_ERR_MEMORY;
+       }
+       else
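Review bot: two upstream commits (4490d451f9b and bbd53f1010b) are folded into one patch file with no `commit` lines, so the release team cannot match each hunk to its upstream change; keep one upstream commit per patch file or state in the header which hunk comes from which commit. The hunks themselves are consistent: both error paths now release `buf` and call `inflateEnd(&zstr)` before returning JB_ERR_MEMORY.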
diff -Nru privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch
--- privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch	2021-02-04 20:38:58.000000000 +0100
@@ -0,0 +1,17 @@
+commit c62254a686dcd40e3b6e5753d0c7c0308209a7b6
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Sun Aug 30 09:25:47 2020 +0200
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=c62254a686
+Subject: Fixed a memory leak in the show-status CGI handler when
+ no action files are configured. CVE-2021-20209.
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -1190,6 +1190,7 @@ jb_err cgi_show_status(struct client_sta
+    else
+    {
+       if (!err) err = map(exports, "actions-filenames", 1, "<tr><td>None specified</td></tr>", 1);
++      freez(s);
+    }
+ 
+    /*
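Review bot: `freez(s);` is added to the `else` branch only, and the allocation of `s` and the other branch are outside the visible context; confirm that the `if` branch either frees `s` or hands it over to the map, since the upstream description limits the leak to the "no action files" case and the hunk alone does not show why the other branch is safe.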
diff -Nru privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch
--- privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch	2021-02-04 20:38:58.000000000 +0100
@@ -0,0 +1,20 @@
+commit 1b1370f7a8a9cc5434d3e0e54dd620df1e70c873
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Sun Aug 30 09:24:48 2020 +0200
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=1b1370f7a8a
+Subject: Fixed a memory leak in the show-status CGI handler when no filter
+ files are configured (CVE-2021-20210).
+    cgi_show_status: Don't leak memory when no filter files are specified
+    
+    Sponsored by: Robert Klemme
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -1218,6 +1218,7 @@ jb_err cgi_show_status(struct client_sta
+    {
+       if (!err) err = map(exports, "re-filter-filenames", 1, "<tr><td>None specified</td></tr>", 1);
+       if (!err) err = map_block_killer(exports, "have-filterfile");
++      freez(s);
+    }
+ 
+ #ifdef FEATURE_TRUST
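Review bot: same pattern as 42_CVE-2021-20209 and fine as far as the context shows. Header nit: the upstream summary line `cgi_show_status: Don't leak memory when no filter files are specified` follows the `Subject:` continuation without a blank line, so DEP-3 tools will fold it into the subject.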
diff -Nru privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch
--- privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch	2021-02-04 20:38:58.000000000 +0100
@@ -0,0 +1,24 @@
+commit 245e1cf325bc957df6226c745b7ac3f67a97ea07
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Mon Mar 2 13:05:13 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=245e1cf32
+Subject: Fixes a memory leak when client tags are active (CVE-2021-20211).
+
+    free_csp_resources(): Destroy csp->client_tags
+    
+    Fixes a memory leak when client tags are active.
+    
+    Sponsored by: Robert Klemme
+
+--- a/loaders.c
++++ b/loaders.c
+@@ -113,6 +113,9 @@ void free_csp_resources(struct client_st
+ 
+    destroy_list(csp->headers);
+    destroy_list(csp->tags);
++#ifdef FEATURE_CLIENT_TAGS
++   destroy_list(csp->client_tags);
++#endif
+ 
+    free_current_action(csp->action);
+ }
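Review bot: the new `destroy_list(csp->client_tags);` is wrapped in `#ifdef FEATURE_CLIENT_TAGS`, so the fix is a no-op unless the Debian build enables that feature; the changelog should say whether buster's privoxy is built with client tags. Also check that `csp->client_tags` is initialised for every client_state that reaches free_csp_resources(), including requests that never set a tag, so destroy_list() never sees an uninitialised list.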
diff -Nru privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch
--- privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch	2021-02-04 20:38:58.000000000 +0100
@@ -0,0 +1,26 @@
+commit 5cfb7bc8feecc82eb161450faa572abf9be19cbb
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Thu Sep 24 10:44:00 2020 +0200
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5cfb7bc8fe
+Subject: Fixed a memory leak if multiple filters are executed and the last
+ one is skipped due to a pcre error (CVE-2021-20212)
+    pcrs_filter_response(): Free the old data if there are no hits
+    
+    ... and it's different from the data in iob and the new data.
+    
+    Fixes a memory leak if multiple filters are executed
+    and the last one is skipped due to a pcre error.
+
+--- a/filters.c
++++ b/filters.c
+@@ -1664,6 +1664,10 @@ static char *pcrs_filter_response(struct
+     */
+    if (!hits)
+    {
++      if (old != csp->iob->cur && old != new)
++      {
++         freez(old);
++      }
+       freez(new);
+       return(NULL);
+    }
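Review bot: the condition `old != csp->iob->cur && old != new` encodes an ownership rule (only free `old` when it is neither the original iob content nor the current result) that is not obvious from the code; a one-line comment above the new `if` would stop the next reader from "simplifying" it into an unconditional `freez(old);`. Header nit: as in 40 and 43, the upstream summary line runs into the `Subject:` field.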
diff -Nru privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch
--- privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch	2021-02-04 20:38:58.000000000 +0100
@@ -0,0 +1,45 @@
+commit 75301323495579ff27bdaaea67e31e2df83475fc
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Tue Nov 10 13:50:59 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=7530132349
+Subject: Prevent an unlikely dereference of a NULL-pointer that could result
+ in a crash if accept-intercepted-requests was enabled, Privoxy failed to get
+ the request destination from the Host header and a memory allocation failed.
+ (CVE-2021-20213).
+
+    get_request_destination_elsewhere(): Prevent unlikely dereference of a NULL-pointer
+    
+    ... if getting the destination fails and list_to_text() fails
+    as well.
+    
+    CID 267165
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -548,8 +548,6 @@ static int client_has_unsupported_expect
+  *********************************************************************/
+ static jb_err get_request_destination_elsewhere(struct client_state *csp, struct list *headers)
+ {
+-   char *req;
+-
+    if (!(csp->config->feature_flags & RUNTIME_FEATURE_ACCEPT_INTERCEPTED_REQUESTS))
+    {
+       log_error(LOG_LEVEL_ERROR, "%s's request: \'%s\' is invalid."
+@@ -578,15 +576,12 @@ static jb_err get_request_destination_el
+    {
+       /* We can't work without destination. Go spread the news.*/
+ 
+-      req = list_to_text(headers);
+-      chomp(req);
+       /* XXX: Use correct size */
+       log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 400 0",
+          csp->ip_addr_str, csp->http->cmd);
+       log_error(LOG_LEVEL_ERROR,
+-         "Privoxy was unable to get the destination for %s's request:\n%s\n%s",
+-         csp->ip_addr_str, csp->http->cmd, req);
+-      freez(req);
++         "Privoxy was unable to get the destination for %s's request: %s",
++         csp->ip_addr_str, csp->http->cmd);
+ 
+       write_socket_delayed(csp->cfd, MISSING_DESTINATION_RESPONSE,
+          strlen(MISSING_DESTINATION_RESPONSE), get_write_delay(csp));
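Review bot: the NULL dereference (chomp(req) after a failed list_to_text()) is avoided by dropping the header dump from the error message altogether, so the log output changes from three lines (request plus headers) to one; that is a visible behaviour change for anyone parsing these logs and deserves a mention in the changelog. If the header detail matters for diagnostics, the alternative is to keep list_to_text() and check its result for NULL before chomp().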
diff -Nru privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch
--- privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch	2021-02-04 20:38:58.000000000 +0100
@@ -0,0 +1,29 @@
+commit cf5640eb2a57197717758e225ad6e11cbaab1d6c
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Tue Nov 10 12:33:53 2020 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=cf5640eb2a
+Subject: Fixed memory leaks in the client-tags CGI handler when client tags
+ are configured and memory allocations fail (CVE-2021-20214).
+
+    cgi_show_client_tags(): Plug memory leaks
+    
+    CID 267168
+
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -404,6 +404,7 @@ jb_err cgi_show_client_tags(struct clien
+       snprintf(buf, sizeof(buf), "%d", csp->config->client_tag_lifetime);
+       if (map(exports, "refresh-delay", 1, buf, 1))
+       {
++         freez(client_tag_status);
+          free_map(exports);
+          return JB_ERR_MEMORY;
+       }
+@@ -413,6 +414,7 @@ jb_err cgi_show_client_tags(struct clien
+       err = map_block_killer(exports, "tags-expire");
+       if (err != JB_ERR_OK)
+       {
++         freez(client_tag_status);
+          return err;
+       }
+    }
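Review bot: the two new `freez(client_tag_status);` calls are consistent, but the surrounding paths are not: the first hunk calls `free_map(exports);` before `return JB_ERR_MEMORY;`, while the second returns `err` from map_block_killer() without freeing `exports`; unless the caller owns `exports` on that path, that looks like a remaining leak worth comparing against upstream's current cgi_show_client_tags().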
diff -Nru privoxy-3.0.28/debian/patches/series privoxy-3.0.28/debian/patches/series
--- privoxy-3.0.28/debian/patches/series	2019-01-06 13:07:14.000000000 +0100
+++ privoxy-3.0.28/debian/patches/series	2021-02-04 20:38:58.000000000 +0100
@@ -10,3 +10,13 @@
 35_man-spelling.patch
 36_trusted-cgi-referer-example.patch
 37_ppedit-tests403.patch
+38_CVE-2021-20217.patch
+39_decompress_iob.patch
+40_CVE-2021-20216.patch
+41_CVE-2020-35502.patch
+42_CVE-2021-20209.patch
+43_CVE-2021-20210.patch
+44_CVE-2021-20211.patch
+45_CVE-2021-20212.patch
+46_CVE-2021-20213.patch
+47_CVE-2021-20214.patch
diff -Nru privoxy-3.0.28/debian/salsa-ci.yml privoxy-3.0.28/debian/salsa-ci.yml
--- privoxy-3.0.28/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/salsa-ci.yml	2021-02-04 20:38:58.000000000 +0100
@@ -0,0 +1,6 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'buster'
