Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

I prepared a patch against privoxy 3.0.19-2+deb7u3 that fixes
CVE-2013-2503, see
https://security-tracker.debian.org/tracker/CVE-2013-2503
The patch is attached.

The security team asked me to place it here, since it's a minor issue
and no DSA is required.

Please tell me, if I'm allowed to upload 

Tschoeeee

        Roland
diff -Nru privoxy-3.0.19/debian/changelog privoxy-3.0.19/debian/changelog
--- privoxy-3.0.19/debian/changelog	2016-01-22 17:51:41.000000000 +0100
+++ privoxy-3.0.19/debian/changelog	2016-03-09 14:56:58.000000000 +0100
@@ -1,3 +1,12 @@
+privoxy (3.0.19-2+deb7u4) stable; urgency=high
+
+  * 42_CVE-2013-2503: Proxy authentication headers are removed unless the
+    new directive enable-proxy-authentication-forwarding is used.
+    Forwarding the headers potentionally allows malicious sites to trick
+    the user into providing it with login information (Closes: #702896).
+
+ -- Roland Rosenfeld <rol...@debian.org>  Tue, 08 Mar 2016 08:52:26 +0100
+
 privoxy (3.0.19-2+deb7u3) wheezy-security; urgency=high
 
   * 40_CVE-2016-1982: Prevent invalid reads in case of corrupt
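Review bot: The new entry targets `stable`, while the request is tagged `wheezy` and the previous entry for this package line uses `wheezy-security`; if wheezy is not the stable suite at upload time, the archive would treat this as an upload to the wrong release. Naming the suite explicitly, `privoxy (3.0.19-2+deb7u4) wheezy; urgency=high`, avoids depending on what `stable` resolves to. The entry also spells "potentially" as `potentionally`, and the same typo is in the Description header of the new patch file.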
diff -Nru privoxy-3.0.19/debian/patches/42_CVE-2013-2503.patch privoxy-3.0.19/debian/patches/42_CVE-2013-2503.patch
--- privoxy-3.0.19/debian/patches/42_CVE-2013-2503.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.19/debian/patches/42_CVE-2013-2503.patch	2016-03-09 14:56:58.000000000 +0100
@@ -0,0 +1,238 @@
+Author: Fabian Keil <f...@fabiankeil.de>
+Description: CVE-2013-2503: Proxy authentication headers are removed
+ unless the new directive enable-proxy-authentication-forwarding is
+ used. Forwarding the headers potentionally allows malicious sites to
+ trick the user into providing it with login information.
+Origin: upstream, picked from CVS
+--- a/config
++++ b/config
+@@ -1125,6 +1125,46 @@ enforce-blocks 0
+ #
+ buffer-limit 4096
+ #
++#  4.9. enable-proxy-authentication-forwarding
++#  ============================================
++#
++#  Specifies:
++#
++#      Whether or not proxy authentication through Privoxy should
++#      work.
++#
++#  Type of value:
++#
++#      0 or 1
++#
++#  Default value:
++#
++#      0
++#
++#  Effect if unset:
++#
++#      Proxy authentication headers are removed.
++#
++#  Notes:
++#
++#      Privoxy itself does not support proxy authentication, but can
++#      allow clients to authenticate against Privoxy's parent proxy.
++#
++#      By default Privoxy (3.0.21 and later) don't do that and remove
++#      Proxy-Authorization headers in requests and Proxy-Authenticate
++#      headers in responses to make it harder for malicious sites to
++#      trick inexperienced users into providing login information.
++#
++#      If this option is enabled the headers are forwarded.
++#
++#      Enabling this option is not recommended if there is no parent
++#      proxy that requires authentication or if the local network
++#      between Privoxy and the parent proxy isn't trustworthy. If
++#      proxy authentication is only required for some requests, it is
++#      recommended to use a client header filter to remove the
++#      authentication headers for requests where they aren't needed.
++#
++enable-proxy-authentication-forwarding 0
+ #
+ #  5. FORWARDING
+ #  ==============
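Review bot: The Notes paragraph says `By default Privoxy (3.0.21 and later) don't do that`, but this hunk is applied to 3.0.19, so an administrator reading the shipped config could conclude that the header removal does not apply to the installed version. For the backport the version qualifier should be dropped or adjusted, for example `By default Privoxy doesn't do that and removes`; the same sentence appears in the doc/source/p-config.sgml hunk. Because the default of 0 changes behaviour for existing setups that authenticate against a parent proxy, it is worth stating that in the package's upgrade notes as well.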
+--- a/doc/source/p-config.sgml
++++ b/doc/source/p-config.sgml
+@@ -1888,6 +1888,67 @@ ACLs: permit-access and deny-access</tit
+ <![%config-file;[<literallayout>@@buffer-limit 4096</literallayout>]]>
+ </sect3>
+ 
++<!--   ~~~~~       New section      ~~~~~     -->
++<sect3 renderas="sect4" id="enable-proxy-authentication-forwarding"><title>enable-proxy-authentication-forwarding</title>
++<variablelist>
++ <varlistentry>
++  <term>Specifies:</term>
++  <listitem>
++   <para>
++    Whether or not proxy authentication through &my-app; should work.
++   </para>
++  </listitem>
++ </varlistentry>
++ <varlistentry>
++  <term>Type of value:</term>
++  <listitem>
++   <para>0 or 1</para>
++  </listitem>
++ </varlistentry>
++ <varlistentry>
++  <term>Default value:</term>
++  <listitem>
++   <para>0</para>
++  </listitem>
++ </varlistentry>
++ <varlistentry>
++  <term>Effect if unset:</term>
++  <listitem>
++   <para>
++    Proxy authentication headers are removed.
++   </para>
++  </listitem>
++ </varlistentry>
++ <varlistentry>
++  <term>Notes:</term>
++  <listitem>
++   <para>
++    Privoxy itself does not support proxy authentication, but can
++    allow clients to authenticate against Privoxy's parent proxy.
++   </para>
++   <para>
++    By default Privoxy (3.0.21 and later) don't do that and remove
++    Proxy-Authorization headers in requests and Proxy-Authenticate
++    headers in responses to make it harder for malicious sites to
++    trick inexperienced users into providing login information.
++   </para>
++   <para>
++    If this option is enabled the headers are forwarded.
++   </para>
++   <para>
++    Enabling this option is <emphasis>not recommended</emphasis> if there is
++    no parent proxy that requires authentication or if the local network between
++    Privoxy and the parent proxy isn't trustworthy. If proxy authentication is
++    only required for some requests, it is recommended to use a client header filter
++    to remove the authentication headers for requests where they aren't needed.
++   </para>
++  </listitem>
++ </varlistentry>
++</variablelist>
++
++<![%config-file;[<literallayout>@@enable-proxy-authentication-forwarding 0</literallayout>]]>
++</sect3>
++
+ </sect2>
+ 
+ <!--  ~  End section  ~  -->
+--- a/loadcfg.c
++++ b/loadcfg.c
+@@ -141,6 +141,7 @@ static struct file_list *current_configf
+ #define hash_deny_access                 1227333715ul /* "deny-access" */
+ #define hash_enable_edit_actions         2517097536ul /* "enable-edit-actions" */
+ #define hash_enable_compression          3943696946ul /* "enable-compression" */
++#define hash_enable_proxy_authentication_forwarding 4040610791ul /* enable-proxy-authentication-forwarding */
+ #define hash_enable_remote_toggle        2979744683ul /* "enable-remote-toggle" */
+ #define hash_enable_remote_http_toggle    110543988ul /* "enable-remote-http-toggle" */
+ #define hash_enforce_blocks              1862427469ul /* "enforce-blocks" */
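Review bot: The comment on the new `hash_enable_proxy_authentication_forwarding` line omits the quotes that every neighbouring define puts around the directive name; `/* "enable-proxy-authentication-forwarding" */` would keep the table uniform and easy to search. The constant itself cannot be checked from this hunk. Presumably it has to equal what the config parser's hash function yields for the directive string, otherwise the `case` added further down in load_config would never be reached and the directive would be handled as unknown.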
+@@ -414,6 +415,7 @@ struct configuration_spec * load_config(
+    config->feature_flags            &= ~RUNTIME_FEATURE_SPLIT_LARGE_FORMS;
+    config->feature_flags            &= ~RUNTIME_FEATURE_ACCEPT_INTERCEPTED_REQUESTS;
+    config->feature_flags            &= ~RUNTIME_FEATURE_EMPTY_DOC_RETURNS_OK;
++   config->feature_flags            &= ~RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS;
+ #ifdef FEATURE_COMPRESSION
+    config->feature_flags            &= ~RUNTIME_FEATURE_COMPRESSION;
+    /*
+@@ -742,6 +744,19 @@ struct configuration_spec * load_config(
+             break;
+ #endif /* def FEATURE_COMPRESSION */
+ 
++/* *************************************************************************
++ * enable-proxy-authentication-forwarding 0|1
++ * *************************************************************************/
++         case hash_enable_proxy_authentication_forwarding:
++            if (parse_toggle_state(cmd, arg) == 1)
++            {
++               config->feature_flags |= RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS;
++            }
++            else
++            {
++               config->feature_flags &= ~RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS;
++            }
++            break;
+ 
+ /* *************************************************************************
+  * enable-remote-toggle 0|1
+--- a/parsers.c
++++ b/parsers.c
+@@ -173,6 +173,7 @@ static jb_err server_connection_adder(st
+ #ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ static jb_err server_proxy_connection_adder(struct client_state *csp);
+ #endif /* def FEATURE_CONNECTION_KEEP_ALIVE */
++static jb_err proxy_authentication(struct client_state *csp, char **header);
+ 
+ static jb_err create_forged_referrer(char **header, const char *hostport);
+ static jb_err create_fake_referrer(char **header, const char *fake_referrer);
+@@ -222,6 +223,7 @@ static const struct parsers client_patte
+    { "Request-Range:",           14,   client_range },
+    { "If-Range:",                 9,   client_range },
+    { "X-Filter:",                 9,   client_x_filter },
++   { "Proxy-Authorization:",     20,   proxy_authentication },
+    { "*",                         0,   crunch_client_header },
+    { "*",                         0,   filter_header },
+    { NULL,                        0,   NULL }
+@@ -244,6 +246,7 @@ static const struct parsers server_patte
+    { "Transfer-Encoding:",       18, server_transfer_coding },
+    { "content-disposition:",     20, server_content_disposition },
+    { "Last-Modified:",           14, server_last_modified },
++   { "Proxy-Authenticate:",      19, proxy_authentication },
+    { "*",                         0, crunch_server_header },
+    { "*",                         0, filter_header },
+    { NULL,                        0, NULL }
+@@ -1688,6 +1691,36 @@ static jb_err server_proxy_connection(st
+    return JB_ERR_OK;
+ }
+ 
++
++/*********************************************************************
++ *
++ * Function    :  proxy_authentication
++ *
++ * Description :  Removes headers that are relevant for proxy
++ *                authentication unless forwarding them has
++ *                been explicitly requested.
++ *
++ * Parameters  :
++ *          1  :  csp = Current client state (buffers, headers, etc...)
++ *          2  :  header = On input, pointer to header to modify.
++ *                On output, pointer to the modified header, or NULL
++ *                to remove the header.  This function frees the
++ *                original string if necessary.
++ *
++ * Returns     :  JB_ERR_OK.
++ *
++ *********************************************************************/
++static jb_err proxy_authentication(struct client_state *csp, char **header)
++{
++   if ((csp->config->feature_flags &
++      RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS) == 0) {
++      log_error(LOG_LEVEL_HEADER,
++         "Forwarding proxy authentication headers is disabled. Crunching: %s", *header);
++      freez(*header);
++   }
++   return JB_ERR_OK;
++}
++
+ 
+ /*********************************************************************
+  *
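Review bot: The `log_error` call in `proxy_authentication` prints `*header` in full, and for `Proxy-Authorization:` that value is the client's credential for the parent proxy, so it lands in the log file whenever header logging is enabled. Recording only the fact is enough for debugging, e.g. `log_error(LOG_LEVEL_HEADER, "Forwarding proxy authentication headers is disabled. Crunching proxy authentication header.");`, or the header name without its value. The opening brace after `== 0)` also sits on the `if` line, whereas the loadcfg.c part of this patch puts braces on their own line.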
+--- a/project.h
++++ b/project.h
+@@ -1199,6 +1199,9 @@ struct access_control_list
+ /** configuration_spec::feature_flags: Buffered content is sent compressed if the client supports it. */
+ #define RUNTIME_FEATURE_COMPRESSION               1024U
+ 
++/** configuration_spec::feature_flags: Proxy authentication headers are forwarded instead of removed. */
++#define RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS      4096U
++
+ /**
+  * Data loaded from the configuration file.
+  *
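Review bot: `RUNTIME_FEATURE_FORWARD_PROXY_AUTHENTICATION_HEADERS` is defined as `4096U` directly after `RUNTIME_FEATURE_COMPRESSION` at `1024U`, so within this hunk `2048U` looks skipped. If that is deliberate, presumably to keep the value identical to upstream, a comment such as `/* 2048U is intentionally left unused in this backport */` would keep a later patch from treating the gap as free or as a mistake. If another flag outside the hunk already uses 2048U, no change is needed.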
diff -Nru privoxy-3.0.19/debian/patches/series privoxy-3.0.19/debian/patches/series
--- privoxy-3.0.19/debian/patches/series	2016-01-22 17:50:51.000000000 +0100
+++ privoxy-3.0.19/debian/patches/series	2016-03-09 14:56:58.000000000 +0100
@@ -14,3 +14,4 @@
 39_CVE-2015-1382.patch
 40_CVE-2016-1982.patch
 41_CVE-2016-1983.patch
+42_CVE-2013-2503.patch
