Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

This fixes CVE-2021-44540, CVE-2021-44541, CVE-2021-44542, and CVE-2021-44543.
Since all are tagged "minor issue" in the security-tracker, I tend to send this into the next point release of bullseye.

Salsa-CI passed: https://salsa.debian.org/debian/privoxy/-/pipelines/325715

Attached you'll find a diff against 3.0.32-2.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Greetings
Roland

diff -Nru privoxy-3.0.32/debian/changelog privoxy-3.0.32/debian/changelog
--- privoxy-3.0.32/debian/changelog 2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/changelog 2021-12-07 19:59:33.000000000 +0100
@@ -1,3 +1,16 @@
+privoxy (3.0.32-2+deb11u1) bullseye; urgency=medium
+
+ * 53_CVE-2021-44540: get_url_spec_param(): Free memory of compiled
+ pattern spec before bailing (CVE-2021-44540).
+ * 54_CVE-2021-44541: process_encrypted_request_headers(): Free header
+ memory when failing to get the request destination (CVE-2021-44541).
+ * 55_CVE-2021-44542: send_http_request(): Prevent memory leaks when
+ handling errors (CVE-2021-44542).
+ * 56_CVE-2021-44543: cgi_error_no_template(): Encode the template name
+ to prevent XSS (CVE-2021-44543).
+
+ -- Roland Rosenfeld <roland@debian.org> Tue, 07 Dec 2021 19:59:33 +0100
+
privoxy (3.0.32-2) unstable; urgency=medium
* Work around apparmor failure in testsuite (Closes: #986258).
diff -Nru privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch
--- privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch 2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,39 @@
+From 652b4b7cb07592c0912cf938a50fcd009fa29a0a Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrogers@opera.com>
+Date: Fri, 19 Nov 2021 17:32:23 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=652b4b7c
+Subject: get_url_spec_param(): Free memory of compiled pattern spec before
+ bailing
+
+OVE-20211201-0003. CVE-2021-44540.
+
+--- a/cgiedit.c
++++ b/cgiedit.c
+@@ -1869,12 +1869,12 @@ static jb_err get_url_spec_param(struct
+ }
+ err = create_pattern_spec(compiled, s);
+ free(s);
++ free_pattern_spec(compiled);
+ if (err)
+ {
+ free(param);
+ return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+ }
+- free_pattern_spec(compiled);
+
+ if (param[strlen(param) - 1] == '\\')
+ {
+@@ -1905,12 +1905,12 @@ static jb_err get_url_spec_param(struct
+ }
+ err = create_pattern_spec(compiled, s);
+ free(s);
++ free_pattern_spec(compiled);
+ if (err)
+ {
+ free(param);
+ return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+ }
+- free_pattern_spec(compiled);
+ }
+
+ *pvalue = param;
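Review bot: in both cgiedit.c hunks, free_pattern_spec(compiled) now runs before the `if (err)` check, so it is also called when create_pattern_spec() has just failed, and nothing in these lines shows that free_pattern_spec() is safe on a spec that was only partly built. Confirm that and note it in a short comment above the call. The same create/free/check sequence is patched twice inside get_url_spec_param(), so a small helper would keep the two copies from drifting apart again.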
diff -Nru privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch
--- privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch 2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,20 @@
+From 0509c58045b26463844188e07c5e87c74ea21044 Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrogers@opera.com>
+Date: Fri, 19 Nov 2021 18:31:59 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0509c580
+Subject: process_encrypted_request_headers(): Free header memory when
+ failing to get the request destination.
+
+OVE-20211201-0002. CVE-2021-44541.
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -2775,6 +2775,8 @@ static jb_err process_encrypted_request(
+ "Failed to get the encrypted request destination");
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
+ (const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp));
++ destroy_list(headers);
++
+ return JB_ERR_PARSE;
+ }
+
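Review bot: destroy_list(headers) is added only on the "Failed to get the encrypted request destination" return in jcc.c, and the hunk does not show whether other early returns in this function are reached after headers has been filled. Check those exits as well, or route all of them through one cleanup point so the list is released in a single place.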
diff -Nru privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch
--- privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch 2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,29 @@
+From c48d1d6d08996116cbcea55cd3fc6c2a558e499a Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrogers@opera.com>
+Date: Fri, 19 Nov 2021 18:57:26 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=c48d1d6d0
+Subject: send_http_request(): Prevent memory leaks when handling errors
+
+OVE-20211201-0001. CVE-2021-44542.
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -2182,6 +2182,7 @@ static int send_http_request(struct clie
+ update_client_headers(csp, to_send_len))
+ {
+ log_error(LOG_LEVEL_HEADER, "Error updating client headers");
++ freez(to_send);
+ return 1;
+ }
+ csp->expected_client_content_length = 0;
+@@ -2206,6 +2207,10 @@ static int send_http_request(struct clie
+ {
+ log_error(LOG_LEVEL_CONNECT, "Failed sending request headers to: %s: %E",
+ csp->http->hostport);
++ if (filter_client_body)
++ {
++ freez(to_send);
++ }
+ return 1;
+ }
+
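Review bot: the two error paths in send_http_request() treat to_send differently. The "Error updating client headers" return calls freez(to_send) unconditionally, while the "Failed sending request headers" return frees it only under `if (filter_client_body)`. The visible context does not show why ownership differs, so either confirm the first return sits inside a filter_client_body branch or add a comment stating when to_send is owned by this function; a reader cannot tell from these lines whether the first free can hit a buffer that must not be freed.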
diff -Nru privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch
--- privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch 2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,41 @@
+From 0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 Mon Sep 17 00:00:00 2001
+From: Fabian Keil <fk@fabiankeil.de>
+Date: Tue, 2 Nov 2021 12:11:37 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0e668e94
+Subject: cgi_error_no_template(): Encode the template name to prevent XSS
+
+OVE-20211102-0001. CVE-2021-44543.
+
+Reported by: Artem Ivanov
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -1196,7 +1196,8 @@ jb_err cgi_error_no_template(const struc
+ ").</p>\n"
+ "</body>\n"
+ "</html>\n";
+- const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1;
++ size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1;
++ const char *encoded_template_name;
+
+ assert(csp);
+ assert(rsp);
+@@ -1210,9 +1211,17 @@ jb_err cgi_error_no_template(const struc
+ rsp->head_length = 0;
+ rsp->is_static = 0;
+
++ encoded_template_name = html_encode(template_name);
++ if (encoded_template_name == NULL)
++ {
++ return JB_ERR_MEMORY;
++ }
++
++ body_size += strlen(encoded_template_name);
+ rsp->body = malloc_or_die(body_size);
+ strlcpy(rsp->body, body_prefix, body_size);
+- strlcat(rsp->body, template_name, body_size);
++ strlcat(rsp->body, encoded_template_name, body_size);
++ freez(encoded_template_name);
+ strlcat(rsp->body, body_suffix, body_size);
+
+ rsp->status = strdup(status);
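Review bot: in cgi_error_no_template(), encoded_template_name is declared `const char *` but holds the result of html_encode() that this function owns and later passes to freez(). Declaring it as plain `char *` would make the ownership clear and avoid freeing through a const-qualified pointer. The NULL check on html_encode() and the recomputed body_size (prefix + suffix + 1, plus the encoded length) look consistent with the strlcpy/strlcat calls that follow.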
diff -Nru privoxy-3.0.32/debian/patches/series privoxy-3.0.32/debian/patches/series
--- privoxy-3.0.32/debian/patches/series 2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/patches/series 2021-12-07 19:59:33.000000000 +0100
@@ -5,3 +5,7 @@
32_bind_fixup.patch
33_manpage_hyphen.patch
34_system-docbook2man.patch
+53_CVE-2021-44540.patch
+54_CVE-2021-44541.patch
+55_CVE-2021-44542.patch
+56_CVE-2021-44543.patch
diff -Nru privoxy-3.0.32/debian/salsa-ci.yml privoxy-3.0.32/debian/salsa-ci.yml
--- privoxy-3.0.32/debian/salsa-ci.yml 2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/salsa-ci.yml 2021-12-07 19:59:33.000000000 +0100
@@ -1,3 +1,6 @@
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bullseye'
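Review bot: the `RELEASE: 'bullseye'` variable added to debian/salsa-ci.yml has no matching entry in the debian/changelog hunk, which lists only the four CVE patches. Add a changelog line for the CI change so the upload's changelog covers everything in the debdiff.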