
Bug#981664: marked as done (buster-pu: package privoxy/3.0.28-2)



Your message dated Sat, 27 Mar 2021 10:26:45 +0000
with message-id <702e3cb8159c9986264e966af79023672688a8a4.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.9 point release
has caused the Debian Bug report #981664,
regarding buster-pu: package privoxy/3.0.28-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
981664: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981664
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

This fixes CVE-2021-20216 and CVE-2021-20217.
Since both are tagged "<no-dsa> (Minor issue)" in security tracker, I
tend to send this into the next point release of buster.

Salsa-CI passed: https://salsa.debian.org/debian/privoxy/-/pipelines/226257

Attached you'll find a diff against 3.0.28-2.

Greetings
Roland
diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog
--- privoxy-3.0.28/debian/changelog	2019-01-06 13:07:14.000000000 +0100
+++ privoxy-3.0.28/debian/changelog	2021-02-02 18:03:02.000000000 +0100
@@ -1,3 +1,12 @@
+privoxy (3.0.28-2+deb10u1) buster; urgency=medium
+
+  * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
+    (CVE-2021-20217).
+  * 39_decompress_iob: Fix detection of insufficient data.
+  * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216).
+
+ -- Roland Rosenfeld <roland@debian.org>  Tue, 02 Feb 2021 18:03:02 +0100
+
 privoxy (3.0.28-2) unstable; urgency=medium
 
   * d/tests/privoxy-regression-test: Remove tmpdir on exit.
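Review bot: the new 3.0.28-2+deb10u1 entry lists only the three patches, but the same diff also deletes debian/gitlab-ci.yml and adds debian/salsa-ci.yml; add a changelog line for the CI change so the upload is fully described. The `39_decompress_iob` line could also repeat the patch header's reason ("Previously Privoxy could try to work on uninitialized data"), since it is the only one of the three without a CVE id to justify its place in a stable update.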
diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml privoxy-3.0.28/debian/gitlab-ci.yml
--- privoxy-3.0.28/debian/gitlab-ci.yml	2019-01-06 13:07:14.000000000 +0100
+++ privoxy-3.0.28/debian/gitlab-ci.yml	1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-    extends: .build-unstable
-
-reprotest:
-    extends: .test-reprotest
-
-lintian:
-    extends: .test-lintian
-
-autopkgtest:
-    extends: .test-autopkgtest
-
-piuparts:
-    extends: .test-piuparts
diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch
--- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch	2021-02-02 18:03:02.000000000 +0100
@@ -0,0 +1,34 @@
+commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Sat Jan 30 15:04:17 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b
+Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217)
+
+    parse_cgi_parameters(): Make sure the maximum number of segments is large enough
+    
+    ... for ssplit() to succeed.
+    
+    Prevents an assertion from getting triggered. OVE-20210130-0001.
+    
+    Reported by: Joshua Rogers (Opera)
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters(
+     *      The same hack is used in get_last_url() so it looks like
+     *      a real solution is needed.
+     */
+-   size_t max_segments = strlen(argstring) / 2;
+-   if (max_segments == 0)
+-   {
+-      /*
+-       * XXX: If the argstring is empty, there's really
+-       *      no point in creating a param list, but currently
+-       *      other parts of Privoxy depend on the list's existence.
+-       */
+-      max_segments = 1;
+-   }
++   size_t max_segments = strlen(argstring) / 2 + 1;
+    vector = malloc_or_die(max_segments * sizeof(char *));
+ 
+    cgi_params = new_map();
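Review bot: the context comment above `size_t max_segments = strlen(argstring) / 2 + 1;` says the same sizing hack is used in get_last_url(), but this patch changes only parse_cgi_parameters(); check whether get_last_url() needs the same `+ 1` so that its ssplit() call cannot fail the same way. The removed XXX comment about the empty argstring is not replaced either. A short comment stating why `/ 2 + 1` is always enough segments, and that it still yields 1 for an empty string, would keep that reasoning in the code.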
diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch privoxy-3.0.28/debian/patches/39_decompress_iob.patch
--- privoxy-3.0.28/debian/patches/39_decompress_iob.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/39_decompress_iob.patch	2021-02-02 18:03:02.000000000 +0100
@@ -0,0 +1,22 @@
+commit f5c1a886b7ae20da7eafb77926252eb521260728
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Thu Jan 28 16:26:45 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f5c1a
+Subject: decompress_iob(): Fix detection of insufficient data
+    
+    Instead of checking the size of the iob we have to
+    check the size of the actual data.
+    
+    Previously Privoxy could try to work on uninitialized data.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -433,7 +433,7 @@ jb_err decompress_iob(struct client_stat
+ 
+    cur = csp->iob->cur;
+ 
+-   if (bufsize < (size_t)10)
++   if (old_size < (size_t)10)
+    {
+       /*
+        * This is to protect the parsing of gzipped data,
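Review bot: at `if (old_size < (size_t)10)` the definition of `old_size` lies outside the visible context, so this hunk alone does not show that it is the length of the buffered data rather than the allocation; confirm that in parsers.c before accepting the one-word change. The `Applied-Upstream:` URL also uses a truncated hash (`h=f5c1a`) although the full commit id is on the first header line; using the full id there avoids ambiguity, and the same applies to the other two patch headers.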
diff -Nru privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch
--- privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch	2021-02-02 18:03:02.000000000 +0100
@@ -0,0 +1,21 @@
+commit f431d61740cc03c1c5f6b7f9c7a4a8d0bedd70dd
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Thu Jan 28 18:02:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f431d
+Subject: Fix a memory leak (CVE-2021-20216)
+ decompress_iob(): Fix a memory leak
+    
+    ... when decompression fails "unexpectedly".
+    
+    OVE-20210128-0001.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -701,6 +701,7 @@ jb_err decompress_iob(struct client_stat
+       log_error(LOG_LEVEL_ERROR,
+          "Unexpected error while decompressing to the buffer (iob): %s",
+          zstr.msg);
++      freez(buf);
+       return JB_ERR_COMPRESS;
+    }
+ 
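Review bot: `freez(buf);` is added only on the "Unexpected error while decompressing to the buffer (iob)" return; any other return paths in decompress_iob() after `buf` is allocated are outside this hunk and should be checked for the same leak. In the header, the line ` decompress_iob(): Fix a memory leak` starts with a single space directly under `Subject:`, so it reads as a continuation of the Subject field; put a blank line before it so it becomes the start of the description.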
diff -Nru privoxy-3.0.28/debian/patches/series privoxy-3.0.28/debian/patches/series
--- privoxy-3.0.28/debian/patches/series	2019-01-06 13:07:14.000000000 +0100
+++ privoxy-3.0.28/debian/patches/series	2021-02-02 18:03:02.000000000 +0100
@@ -10,3 +10,6 @@
 35_man-spelling.patch
 36_trusted-cgi-referer-example.patch
 37_ppedit-tests403.patch
+38_CVE-2021-20217.patch
+39_decompress_iob.patch
+40_CVE-2021-20216.patch
diff -Nru privoxy-3.0.28/debian/salsa-ci.yml privoxy-3.0.28/debian/salsa-ci.yml
--- privoxy-3.0.28/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/salsa-ci.yml	2021-02-02 18:03:02.000000000 +0100
@@ -0,0 +1,6 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'buster'
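Review bot: both `include:` URLs point at `raw/master/` of the salsa-ci-team pipeline, so the jobs run for this buster branch can change whenever that repository changes; note this in the changelog or pin the include if the stable branch should keep a fixed pipeline. The explicit job list from the removed debian/gitlab-ci.yml (build, reprotest, lintian, autopkgtest, piuparts) is replaced by whatever pipeline-jobs.yml defines, so confirm that the linked pipeline run still covers autopkgtest for the three new patches.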

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.9

Hi,

Each of the updates referenced in these bugs was included in the 10.9
point release today.

Regards,

Adam

--- End Message ---
