- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package privoxy/3.0.28-2+deb10u1
- From: Roland Rosenfeld <roland@debian.org>
- Date: Fri, 10 Dec 2021 13:00:46 +0100
- Message-id: <YbNBbt18BYz5dpXX@dinghy.sail.spinnaker.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
This fixes CVE-2021-44540 and CVE-2021-44543.
Since all are tagged "minor issue" in the security-tracker, I tend to
send this into the next point release of buster.
Salsa-CI passed:
https://salsa.debian.org/debian/privoxy/-/pipelines/325726
Attached you'll find a diff against 3.0.28-2+deb10u1.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Greetings
Roland
diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog
--- privoxy-3.0.28/debian/changelog 2021-03-08 13:57:15.000000000 +0100
+++ privoxy-3.0.28/debian/changelog 2021-12-07 19:59:33.000000000 +0100
@@ -1,3 +1,12 @@
+privoxy (3.0.28-2+deb10u2) buster; urgency=medium
+
+ * 53_CVE-2021-44540: get_url_spec_param(): Free memory of compiled
+ pattern spec before bailing (CVE-2021-44540).
+ * 56_CVE-2021-44543: cgi_error_no_template(): Encode the template name
+ to prevent XSS (CVE-2021-44543).
+
+ -- Roland Rosenfeld <roland@debian.org> Tue, 07 Dec 2021 19:59:33 +0100
+
privoxy (3.0.28-2+deb10u1) buster; urgency=medium
* 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
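Review bot: the new changelog entry introduces 3.0.28-2+deb10u2, but the bug subject names 3.0.28-2+deb10u1, which is the version the debdiff is taken against; the subject should carry the version being proposed so the release team can match it to the upload. The two bullet points otherwise follow the same pattern as the deb10u1 entry (patch file name, one-line summary, CVE id), which is fine.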
diff -Nru privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch
--- privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch 2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,39 @@
+From 652b4b7cb07592c0912cf938a50fcd009fa29a0a Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrogers@opera.com>
+Date: Fri, 19 Nov 2021 17:32:23 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=652b4b7c
+Subject: get_url_spec_param(): Free memory of compiled pattern spec before
+ bailing
+
+OVE-20211201-0003. CVE-2021-44540.
+
+--- a/cgiedit.c
++++ b/cgiedit.c
+@@ -1853,12 +1853,12 @@ static jb_err get_url_spec_param(struct
+ }
+ err = create_pattern_spec(compiled, s);
+ free(s);
++ free_pattern_spec(compiled);
+ if (err)
+ {
+ free(param);
+ return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+ }
+- free_pattern_spec(compiled);
+
+ if (param[strlen(param) - 1] == '\\')
+ {
+@@ -1889,12 +1889,12 @@ static jb_err get_url_spec_param(struct
+ }
+ err = create_pattern_spec(compiled, s);
+ free(s);
++ free_pattern_spec(compiled);
+ if (err)
+ {
+ free(param);
+ return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+ }
+- free_pattern_spec(compiled);
+ }
+
+ *pvalue = param;
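Review bot: both inner hunks move `free_pattern_spec(compiled);` ahead of the `if (err)` branch, so the compiled spec is now released on the error path that previously only freed `param` and returned. That is the right placement as long as `create_pattern_spec()` leaves `compiled` in a state that `free_pattern_spec()` can handle after a failure, which the hunk does not show; worth confirming in cgiedit.c before uploading. The DEP-3 header has `Applied-Upstream:` but no `Bug:` field for the upstream report, and no `Bug-Debian:` field; adding them would make the patch's provenance easier to trace from the package alone.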
diff -Nru privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch
--- privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch 2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,41 @@
+From 0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 Mon Sep 17 00:00:00 2001
+From: Fabian Keil <fk@fabiankeil.de>
+Date: Tue, 2 Nov 2021 12:11:37 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0e668e94
+Subject: cgi_error_no_template(): Encode the template name to prevent XSS
+
+OVE-20211102-0001. CVE-2021-44543.
+
+Reported by: Artem Ivanov
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -1175,7 +1175,8 @@ jb_err cgi_error_no_template(const struc
+ ").</p>\n"
+ "</body>\n"
+ "</html>\n";
+- const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1;
++ size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1;
++ const char *encoded_template_name;
+
+ assert(csp);
+ assert(rsp);
+@@ -1189,9 +1190,17 @@ jb_err cgi_error_no_template(const struc
+ rsp->head_length = 0;
+ rsp->is_static = 0;
+
++ encoded_template_name = html_encode(template_name);
++ if (encoded_template_name == NULL)
++ {
++ return JB_ERR_MEMORY;
++ }
++
++ body_size += strlen(encoded_template_name);
+ rsp->body = malloc_or_die(body_size);
+ strlcpy(rsp->body, body_prefix, body_size);
+- strlcat(rsp->body, template_name, body_size);
++ strlcat(rsp->body, encoded_template_name, body_size);
++ freez(encoded_template_name);
+ strlcat(rsp->body, body_suffix, body_size);
+
+ rsp->status = strdup(status);
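Review bot: `encoded_template_name` is declared `const char *` although it owns heap memory returned by `html_encode()` and is released with `freez()`; declaring it `char *` would make the ownership explicit. The early `return JB_ERR_MEMORY;` after `html_encode()` fails happens after `rsp->head_length` and `rsp->is_static` have already been assigned but before `rsp->body` is allocated, so callers must cope with a partially populated response on that path. The size bookkeeping is sound: `body_size` no longer counts the raw `template_name`, the encoded length is added before `malloc_or_die(body_size)`, and the `strlcpy`/`strlcat` calls all use the same bound.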
diff -Nru privoxy-3.0.28/debian/patches/series privoxy-3.0.28/debian/patches/series
--- privoxy-3.0.28/debian/patches/series 2021-03-08 13:57:15.000000000 +0100
+++ privoxy-3.0.28/debian/patches/series 2021-12-07 19:59:33.000000000 +0100
@@ -25,3 +25,5 @@
50_CVE-2021-20273.patch
51_CVE-2021-20275.patch
52_CVE-2021-20276.patch
+53_CVE-2021-44540.patch
+56_CVE-2021-44543.patch
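Review bot: the series numbering jumps from 53_CVE-2021-44540.patch to 56_CVE-2021-44543.patch, leaving 54 and 55 unused; if the gap is intentional (for example to keep numbering aligned with the unstable package), a short note in the changelog or patch headers would stop the next maintainer from wondering whether two patches went missing.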