Your message dated Sat, 18 Dec 2021 20:57:56 +0000 with message-id <7c5e58422d4fd1d02cfae36eca731d5d90ba0743.camel@adam-barratt.org.uk> and subject line Closing bugs for p-u requests included in 11.2 (part the deux) has caused the Debian Bug report #1001398, regarding bullseye-pu: package privoxy/3.0.32-2 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1001398: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001398
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package privoxy/3.0.32-2
- From: Roland Rosenfeld <roland@debian.org>
- Date: Thu, 9 Dec 2021 16:11:18 +0100
- Message-id: <YbIcloyf0uKv80J6@dinghy.sail.spinnaker.de>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

This fixes CVE-2021-44540, CVE-2021-44541, CVE-2021-44542, and CVE-2021-44543.

Since all are tagged "minor issue" in the security-tracker, I tend to send this into the next point release of bullseye.

Salsa-CI passed: https://salsa.debian.org/debian/privoxy/-/pipelines/325715

Attached you'll find a diff against 3.0.32-2.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Greetings
Roland

diff -Nru privoxy-3.0.32/debian/changelog privoxy-3.0.32/debian/changelog --- privoxy-3.0.32/debian/changelog 2021-04-03 11:17:39.000000000 +0200 +++ privoxy-3.0.32/debian/changelog 2021-12-07 19:59:33.000000000 +0100 @@ -1,3 +1,16 @@ +privoxy (3.0.32-2+deb11u1) bullseye; urgency=medium + + * 53_CVE-2021-44540: get_url_spec_param(): Free memory of compiled + pattern spec before bailing (CVE-2021-44540). + * 54_CVE-2021-44541: process_encrypted_request_headers(): Free header + memory when failing to get the request destination (CVE-2021-44541). + * 55_CVE-2021-44542: send_http_request(): Prevent memory leaks when + handling errors (CVE-2021-44542). + * 56_CVE-2021-44543: cgi_error_no_template(): Encode the template name + to prevent XSS (CVE-2021-44543). + + -- Roland Rosenfeld <roland@debian.org> Tue, 07 Dec 2021 19:59:33 +0100 + privoxy (3.0.32-2) unstable; urgency=medium * Work around apparmor failure in testsuite (Closes: #986258). diff -Nru privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch --- privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch 2021-12-07 19:59:33.000000000 +0100 
@@ -0,0 +1,39 @@ +From 652b4b7cb07592c0912cf938a50fcd009fa29a0a Mon Sep 17 00:00:00 2001 +From: Joshua Rogers <jrogers@opera.com> +Date: Fri, 19 Nov 2021 17:32:23 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=652b4b7c +Subject: get_url_spec_param(): Free memory of compiled pattern spec before + bailing + +OVE-20211201-0003. CVE-2021-44540. + +--- a/cgiedit.c ++++ b/cgiedit.c +@@ -1869,12 +1869,12 @@ static jb_err get_url_spec_param(struct + } + err = create_pattern_spec(compiled, s); + free(s); ++ free_pattern_spec(compiled); + if (err) + { + free(param); + return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS; + } +- free_pattern_spec(compiled); + + if (param[strlen(param) - 1] == '\\') + { +@@ -1905,12 +1905,12 @@ static jb_err get_url_spec_param(struct + } + err = create_pattern_spec(compiled, s); + free(s); ++ free_pattern_spec(compiled); + if (err) + { + free(param); + return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS; + } +- free_pattern_spec(compiled); + } + + *pvalue = param; diff -Nru privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch --- privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch 2021-12-07 19:59:33.000000000 +0100 
@@ -0,0 +1,20 @@ +From 0509c58045b26463844188e07c5e87c74ea21044 Mon Sep 17 00:00:00 2001 +From: Joshua Rogers <jrogers@opera.com> +Date: Fri, 19 Nov 2021 18:31:59 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0509c580 +Subject: process_encrypted_request_headers(): Free header memory when + failing to get the request destination. + +OVE-20211201-0002. CVE-2021-44541. + +--- a/jcc.c ++++ b/jcc.c +@@ -2775,6 +2775,8 @@ static jb_err process_encrypted_request( + "Failed to get the encrypted request destination"); + ssl_send_data_delayed(&(csp->ssl_client_attr), + (const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp)); ++ destroy_list(headers); ++ + return JB_ERR_PARSE; + } + diff -Nru privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch --- privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch 2021-12-07 19:59:33.000000000 +0100 
@@ -0,0 +1,29 @@ +From c48d1d6d08996116cbcea55cd3fc6c2a558e499a Mon Sep 17 00:00:00 2001 +From: Joshua Rogers <jrogers@opera.com> +Date: Fri, 19 Nov 2021 18:57:26 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=c48d1d6d0 +Subject: send_http_request(): Prevent memory leaks when handling errors + +OVE-20211201-0001. CVE-2021-44542. + +--- a/jcc.c ++++ b/jcc.c +@@ -2182,6 +2182,7 @@ static int send_http_request(struct clie + update_client_headers(csp, to_send_len)) + { + log_error(LOG_LEVEL_HEADER, "Error updating client headers"); ++ freez(to_send); + return 1; + } + csp->expected_client_content_length = 0; +@@ -2206,6 +2207,10 @@ static int send_http_request(struct clie + { + log_error(LOG_LEVEL_CONNECT, "Failed sending request headers to: %s: %E", + csp->http->hostport); ++ if (filter_client_body) ++ { ++ freez(to_send); ++ } + return 1; + } + diff -Nru privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch --- privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch 2021-12-07 19:59:33.000000000 +0100 
@@ -0,0 +1,41 @@ +From 0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 Mon Sep 17 00:00:00 2001 +From: Fabian Keil <fk@fabiankeil.de> +Date: Tue, 2 Nov 2021 12:11:37 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0e668e94 +Subject: cgi_error_no_template(): Encode the template name to prevent XSS + +OVE-20211102-0001. CVE-2021-44543. + +Reported by: Artem Ivanov + +--- a/cgi.c ++++ b/cgi.c +@@ -1196,7 +1196,8 @@ jb_err cgi_error_no_template(const struc + ").</p>\n" + "</body>\n" + "</html>\n"; +- const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1; ++ size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1; ++ const char *encoded_template_name; + + assert(csp); + assert(rsp); +@@ -1210,9 +1211,17 @@ jb_err cgi_error_no_template(const struc + rsp->head_length = 0; + rsp->is_static = 0; + ++ encoded_template_name = html_encode(template_name); ++ if (encoded_template_name == NULL) ++ { ++ return JB_ERR_MEMORY; ++ } ++ ++ body_size += strlen(encoded_template_name); + rsp->body = malloc_or_die(body_size); + strlcpy(rsp->body, body_prefix, body_size); +- strlcat(rsp->body, template_name, body_size); ++ strlcat(rsp->body, encoded_template_name, body_size); ++ freez(encoded_template_name); + strlcat(rsp->body, body_suffix, body_size); + + rsp->status = strdup(status); diff -Nru privoxy-3.0.32/debian/patches/series privoxy-3.0.32/debian/patches/series --- privoxy-3.0.32/debian/patches/series 2021-04-03 11:17:39.000000000 +0200 +++ privoxy-3.0.32/debian/patches/series 2021-12-07 19:59:33.000000000 +0100 
@@ -5,3 +5,7 @@ 32_bind_fixup.patch 33_manpage_hyphen.patch 34_system-docbook2man.patch +53_CVE-2021-44540.patch +54_CVE-2021-44541.patch +55_CVE-2021-44542.patch +56_CVE-2021-44543.patch diff -Nru privoxy-3.0.32/debian/salsa-ci.yml privoxy-3.0.32/debian/salsa-ci.yml --- privoxy-3.0.32/debian/salsa-ci.yml 2021-04-03 11:17:39.000000000 +0200 +++ privoxy-3.0.32/debian/salsa-ci.yml 2021-12-07 19:59:33.000000000 +0100 @@ -1,3 +1,6 @@ include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'bullseye'Attachment: signature.asc
Description: PGP signature
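
Review bot: In both cgiedit.c hunks of 53_CVE-2021-44540.patch, free_pattern_spec(compiled) now runs before the "if (err)" check, so it is also called on a spec that create_pattern_spec() has just failed to build. That is only safe if free_pattern_spec() tolerates a partially initialised structure, which these lines do not show; a one-line comment stating that assumption would help the next reader. The same create/free/check sequence appears twice in get_url_spec_param(), and factoring it into a small helper would keep the two cleanup paths from diverging again.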
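
Review bot: In the jcc.c hunk of 54_CVE-2021-44541.patch, destroy_list(headers) is added to this one error return only, and the hunk shows nothing about the other exits of process_encrypted_request_headers(). Every return taken after headers has been populated should be checked for the same leak, or routed through a single cleanup label so that a later early return cannot reintroduce it. The result of ssl_send_data_delayed() just above the added line is also discarded; a (void) cast or a short comment would make that explicit on a path that already returns JB_ERR_PARSE.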
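
Review bot: The two jcc.c hunks of 55_CVE-2021-44542.patch release to_send under different conditions: unconditionally after the update_client_headers() failure, but only under "if (filter_client_body)" after the failed header send. That implies to_send is heap-owned only when filter_client_body is set, so the first freez(to_send) is correct only if that branch is reached solely in the filtering case, which the context lines do not show. A short comment on who owns to_send, or the same guard in both places, would let a reader verify the rule from the code itself.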
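
Review bot: In the cgi.c hunks of 56_CVE-2021-44543.patch, encoded_template_name is declared "const char *" and then passed to freez(), so freeing it means discarding the qualifier; declaring it "char *" would state the ownership plainly. The new "return JB_ERR_MEMORY" also sits after rsp->head_length and rsp->is_static have been reset and directly before a malloc_or_die() call, so allocation failure is handled in two different ways within a few lines; calling html_encode() before touching rsp would keep the early return free of side effects. A regression test that requests a template name containing markup characters would document what the encoding is meant to stop.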
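
Review bot: The "RELEASE: 'bullseye'" variable added in the debian/salsa-ci.yml hunk is not recorded in the new debian/changelog entry, which lists only the four CVE patches, although the checklist states that all changes are documented in d/changelog. A changelog line for the CI change would bring the debdiff and the changelog into agreement.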
--- End Message ---
--- Begin Message ---
- To: 1000377-done@bugs.debian.org, 1000448-done@bugs.debian.org, 1000454-done@bugs.debian.org, 1000458-done@bugs.debian.org, 1000472-done@bugs.debian.org, 1000477-done@bugs.debian.org, 1000485-done@bugs.debian.org, 1000511-done@bugs.debian.org, 1000607-done@bugs.debian.org, 1000707-done@bugs.debian.org, 1000785-done@bugs.debian.org, 1000811-done@bugs.debian.org, 1000973-done@bugs.debian.org, 1001100-done@bugs.debian.org, 1001115-done@bugs.debian.org, 1001148-done@bugs.debian.org, 1001180-done@bugs.debian.org, 1001279-done@bugs.debian.org, 1001285-done@bugs.debian.org, 1001388-done@bugs.debian.org, 1001389-done@bugs.debian.org, 1001398-done@bugs.debian.org, 1001474-done@bugs.debian.org
- Subject: Closing bugs for p-u requests included in 11.2 (part the deux)
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 18 Dec 2021 20:57:56 +0000
- Message-id: <7c5e58422d4fd1d02cfae36eca731d5d90ba0743.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.2

Hi,

Each of the updates referenced by these requests was included in today's bullseye point release, but my original closure mail failed to correctly handle 7-digit bug numbers. Fixing that omission now.

Regards,

Adam
--- End Message ---