
Bug#1001398: marked as done (bullseye-pu: package privoxy/3.0.32-2)



Your message dated Sat, 18 Dec 2021 20:57:56 +0000
with message-id <7c5e58422d4fd1d02cfae36eca731d5d90ba0743.camel@adam-barratt.org.uk>
and subject line Closing bugs for p-u requests included in 11.2 (part the deux)
has caused the Debian Bug report #1001398,
regarding bullseye-pu: package privoxy/3.0.32-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1001398: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001398
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

This fixes CVE-2021-44540, CVE-2021-44541, CVE-2021-44542, and
CVE-2021-44543.
Since all are tagged "minor issue" in the security-tracker, I tend to
send this into the next point release of bullseye.

Salsa-CI passed:
https://salsa.debian.org/debian/privoxy/-/pipelines/325715

Attached you'll find a diff against 3.0.32-2.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Greetings
Roland
diff -Nru privoxy-3.0.32/debian/changelog privoxy-3.0.32/debian/changelog
--- privoxy-3.0.32/debian/changelog	2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/changelog	2021-12-07 19:59:33.000000000 +0100
@@ -1,3 +1,16 @@
+privoxy (3.0.32-2+deb11u1) bullseye; urgency=medium
+
+  * 53_CVE-2021-44540: get_url_spec_param(): Free memory of compiled
+    pattern spec before bailing (CVE-2021-44540).
+  * 54_CVE-2021-44541: process_encrypted_request_headers(): Free header
+    memory when failing to get the request destination (CVE-2021-44541).
+  * 55_CVE-2021-44542: send_http_request(): Prevent memory leaks when
+    handling errors (CVE-2021-44542).
+  * 56_CVE-2021-44543: cgi_error_no_template(): Encode the template name
+    to prevent XSS (CVE-2021-44543).
+
+ -- Roland Rosenfeld <roland@debian.org>  Tue, 07 Dec 2021 19:59:33 +0100
+
 privoxy (3.0.32-2) unstable; urgency=medium
 
   * Work around apparmor failure in testsuite (Closes: #986258).
diff -Nru privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch
--- privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch	2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,39 @@
+From 652b4b7cb07592c0912cf938a50fcd009fa29a0a Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrogers@opera.com>
+Date: Fri, 19 Nov 2021 17:32:23 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=652b4b7c
+Subject: get_url_spec_param(): Free memory of compiled pattern spec before
+ bailing
+
+OVE-20211201-0003. CVE-2021-44540.
+
+--- a/cgiedit.c
++++ b/cgiedit.c
+@@ -1869,12 +1869,12 @@ static jb_err get_url_spec_param(struct
+    }
+    err = create_pattern_spec(compiled, s);
+    free(s);
++   free_pattern_spec(compiled);
+    if (err)
+    {
+       free(param);
+       return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+    }
+-   free_pattern_spec(compiled);
+ 
+    if (param[strlen(param) - 1] == '\\')
+    {
+@@ -1905,12 +1905,12 @@ static jb_err get_url_spec_param(struct
+       }
+       err = create_pattern_spec(compiled, s);
+       free(s);
++      free_pattern_spec(compiled);
+       if (err)
+       {
+          free(param);
+          return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+       }
+-      free_pattern_spec(compiled);
+    }
+ 
+    *pvalue = param;
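
Review bot: In both hunks of 53_CVE-2021-44540.patch, free_pattern_spec(compiled) now runs before the if (err) check, so it is also called right after create_pattern_spec() has failed. That is only safe if free_pattern_spec() tolerates a partially built spec and create_pattern_spec() does not already release it on its own error path, and neither is visible here; please say so in the patch description or in a comment at the call. The same compile, free, check sequence now appears at both sites, so a small helper that returns err would keep the two paths from drifting apart again.
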
diff -Nru privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch
--- privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch	2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,20 @@
+From 0509c58045b26463844188e07c5e87c74ea21044 Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrogers@opera.com>
+Date: Fri, 19 Nov 2021 18:31:59 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0509c580
+Subject: process_encrypted_request_headers(): Free header memory when
+ failing to get the request destination.
+
+OVE-20211201-0002. CVE-2021-44541.
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -2775,6 +2775,8 @@ static jb_err process_encrypted_request(
+          "Failed to get the encrypted request destination");
+       ssl_send_data_delayed(&(csp->ssl_client_attr),
+          (const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp));
++      destroy_list(headers);
++
+       return JB_ERR_PARSE;
+    }
+ 
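
Review bot: destroy_list(headers) is added only to the one return JB_ERR_PARSE shown in this hunk, so any other exit reached after headers has been filled still needs the same call. The hunk does not show those exits; please confirm they were checked, or route the error returns through a single cleanup block that calls destroy_list(headers) so that a later early return cannot reintroduce the leak.
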
diff -Nru privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch
--- privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch	2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,29 @@
+From c48d1d6d08996116cbcea55cd3fc6c2a558e499a Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrogers@opera.com>
+Date: Fri, 19 Nov 2021 18:57:26 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=c48d1d6d0
+Subject: send_http_request(): Prevent memory leaks when handling errors
+
+OVE-20211201-0001. CVE-2021-44542.
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -2182,6 +2182,7 @@ static int send_http_request(struct clie
+          update_client_headers(csp, to_send_len))
+       {
+          log_error(LOG_LEVEL_HEADER, "Error updating client headers");
++         freez(to_send);
+          return 1;
+       }
+       csp->expected_client_content_length = 0;
+@@ -2206,6 +2207,10 @@ static int send_http_request(struct clie
+    {
+       log_error(LOG_LEVEL_CONNECT, "Failed sending request headers to: %s: %E",
+          csp->http->hostport);
++      if (filter_client_body)
++      {
++         freez(to_send);
++      }
+       return 1;
+    }
+ 
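
Review bot: The two error paths in send_http_request() free to_send under different conditions: the first hunk calls freez(to_send) unconditionally, the second only inside if (filter_client_body). If to_send is heap-allocated only when filter_client_body is set, the first site should carry the same guard or a comment stating that it is reachable only in that case, because freeing a buffer owned elsewhere would turn the leak fix into an invalid free. A short comment at the declaration of to_send saying who owns it in each mode would settle this for both sites.
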
diff -Nru privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch
--- privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch	2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,41 @@
+From 0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 Mon Sep 17 00:00:00 2001
+From: Fabian Keil <fk@fabiankeil.de>
+Date: Tue, 2 Nov 2021 12:11:37 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0e668e94
+Subject: cgi_error_no_template(): Encode the template name to prevent XSS
+
+OVE-20211102-0001. CVE-2021-44543.
+
+Reported by: Artem Ivanov
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -1196,7 +1196,8 @@ jb_err cgi_error_no_template(const struc
+       ").</p>\n"
+       "</body>\n"
+       "</html>\n";
+-   const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1;
++   size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1;
++   const char *encoded_template_name;
+ 
+    assert(csp);
+    assert(rsp);
+@@ -1210,9 +1211,17 @@ jb_err cgi_error_no_template(const struc
+    rsp->head_length = 0;
+    rsp->is_static = 0;
+ 
++   encoded_template_name = html_encode(template_name);
++   if (encoded_template_name == NULL)
++   {
++      return JB_ERR_MEMORY;
++   }
++
++   body_size += strlen(encoded_template_name);
+    rsp->body = malloc_or_die(body_size);
+    strlcpy(rsp->body, body_prefix, body_size);
+-   strlcat(rsp->body, template_name, body_size);
++   strlcat(rsp->body, encoded_template_name, body_size);
++   freez(encoded_template_name);
+    strlcat(rsp->body, body_suffix, body_size);
+ 
+    rsp->status = strdup(status);
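
Review bot: encoded_template_name is declared const char * in the first hunk but holds a buffer this function owns and hands to freez() in the second; declaring it char * makes the ownership visible and avoids discarding the qualifier on free. Separately, the new NULL check returns JB_ERR_MEMORY while the allocation directly below it uses malloc_or_die(), and that return comes after rsp->head_length and rsp->is_static have already been reset. Calling html_encode() before those assignments would leave rsp untouched on failure, and the description should say which out-of-memory policy is intended here.
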
diff -Nru privoxy-3.0.32/debian/patches/series privoxy-3.0.32/debian/patches/series
--- privoxy-3.0.32/debian/patches/series	2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/patches/series	2021-12-07 19:59:33.000000000 +0100
@@ -5,3 +5,7 @@
 32_bind_fixup.patch
 33_manpage_hyphen.patch
 34_system-docbook2man.patch
+53_CVE-2021-44540.patch
+54_CVE-2021-44541.patch
+55_CVE-2021-44542.patch
+56_CVE-2021-44543.patch
diff -Nru privoxy-3.0.32/debian/salsa-ci.yml privoxy-3.0.32/debian/salsa-ci.yml
--- privoxy-3.0.32/debian/salsa-ci.yml	2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/salsa-ci.yml	2021-12-07 19:59:33.000000000 +0100
@@ -1,3 +1,6 @@
 include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bullseye'
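
Review bot: The added variables: block with RELEASE: 'bullseye' has no entry in the 3.0.32-2+deb11u1 changelog stanza of this debdiff, which lists only the four CVE patches. Add a line such as "d/salsa-ci.yml: Set RELEASE to bullseye" so that the changelog covers every change in the upload.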



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.2

Hi,

Each of the updates referenced by these requests was included in
today's bullseye point release, but my original closure mail failed to
correctly handle 7-digit bug numbers. Fixing that omission now.

Regards,

Adam

--- End Message ---
