Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
This fixes CVE-2021-44540, CVE-2021-44541, CVE-2021-44542, and CVE-2021-44543. Since all are tagged "minor issue" in the security-tracker, I am inclined to send this into the next point release of bullseye. Salsa-CI passed: https://salsa.debian.org/debian/privoxy/-/pipelines/325715 Attached you'll find a diff against 3.0.32-2. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Greetings Roland
diff -Nru privoxy-3.0.32/debian/changelog privoxy-3.0.32/debian/changelog
--- privoxy-3.0.32/debian/changelog 2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/changelog 2021-12-07 19:59:33.000000000 +0100
@@ -1,3 +1,16 @@
+privoxy (3.0.32-2+deb11u1) bullseye; urgency=medium
+
+ * 53_CVE-2021-44540: get_url_spec_param(): Free memory of compiled
+ pattern spec before bailing (CVE-2021-44540).
+ * 54_CVE-2021-44541: process_encrypted_request_headers(): Free header
+ memory when failing to get the request destination (CVE-2021-44541).
+ * 55_CVE-2021-44542: send_http_request(): Prevent memory leaks when
+ handling errors (CVE-2021-44542).
+ * 56_CVE-2021-44543: cgi_error_no_template(): Encode the template name
+ to prevent XSS (CVE-2021-44543).
+
+ -- Roland Rosenfeld <rol...@debian.org> Tue, 07 Dec 2021 19:59:33 +0100
+
 privoxy (3.0.32-2) unstable; urgency=medium

 * Work around apparmor failure in testsuite (Closes: #986258).
diff -Nru privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch
--- privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/53_CVE-2021-44540.patch 2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,39 @@
+From 652b4b7cb07592c0912cf938a50fcd009fa29a0a Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrog...@opera.com>
+Date: Fri, 19 Nov 2021 17:32:23 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=652b4b7c
+Subject: get_url_spec_param(): Free memory of compiled pattern spec before
+ bailing
+
+OVE-20211201-0003. CVE-2021-44540.
+
+--- a/cgiedit.c
++++ b/cgiedit.c
+@@ -1869,12 +1869,12 @@ static jb_err get_url_spec_param(struct
+ }
+ err = create_pattern_spec(compiled, s);
+ free(s);
++ free_pattern_spec(compiled);
+ if (err)
+ {
+ free(param);
+ return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+ }
+- free_pattern_spec(compiled);
+
+ if (param[strlen(param) - 1] == '\\')
+ {
+@@ -1905,12 +1905,12 @@ static jb_err get_url_spec_param(struct
+ }
+ err = create_pattern_spec(compiled, s);
+ free(s);
++ free_pattern_spec(compiled);
+ if (err)
+ {
+ free(param);
+ return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+ }
+- free_pattern_spec(compiled);
+ }
+
+ *pvalue = param;
diff -Nru privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch
--- privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/54_CVE-2021-44541.patch 2021-12-07 19:59:33.000000000 +0100
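Review bot: In both inner hunks of cgiedit.c (`@@ -1869` and `@@ -1905`) `free_pattern_spec(compiled);` now also runs when `create_pattern_spec()` has returned an error, so the fix is only sound if a failed `create_pattern_spec()` leaves `compiled` in a state that `free_pattern_spec()` can release; that contract is not visible in this hunk and should be confirmed or stated. A one-line comment above the call would record it, for example `/* compiled is only needed for validation; release it whether or not compilation succeeded */`. The same create/free/check sequence is duplicated at both sites, so a small static helper would keep the two error paths from drifting apart again. get_url_spec_param() starts and ends outside the hunk.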
@@ -0,0 +1,20 @@
+From 0509c58045b26463844188e07c5e87c74ea21044 Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrog...@opera.com>
+Date: Fri, 19 Nov 2021 18:31:59 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0509c580
+Subject: process_encrypted_request_headers(): Free header memory when
+ failing to get the request destination.
+
+OVE-20211201-0002. CVE-2021-44541.
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -2775,6 +2775,8 @@ static jb_err process_encrypted_request(
+ "Failed to get the encrypted request destination");
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
+ (const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp));
++ destroy_list(headers);
++
+ return JB_ERR_PARSE;
+ }
+
diff -Nru privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch
--- privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/55_CVE-2021-44542.patch 2021-12-07 19:59:33.000000000 +0100
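Review bot: `destroy_list(headers);` is added at this one `return JB_ERR_PARSE;` only, and the function continues outside the hunk, so whether its other error exits release `headers` cannot be checked from here. Since the leak came from a return that skipped the cleanup, I would route the error exits through a single cleanup point, or at least leave a marker such as `/* every error return in this function must destroy_list(headers) */` next to the declaration. The return value of `ssl_send_data_delayed()` in the context lines is ignored; that may be deliberate on an error path, but a short comment saying so would stop it being read as an oversight.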
@@ -0,0 +1,29 @@
+From c48d1d6d08996116cbcea55cd3fc6c2a558e499a Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrog...@opera.com>
+Date: Fri, 19 Nov 2021 18:57:26 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=c48d1d6d0
+Subject: send_http_request(): Prevent memory leaks when handling errors
+
+OVE-20211201-0001. CVE-2021-44542.
+
+--- a/jcc.c
++++ b/jcc.c
+@@ -2182,6 +2182,7 @@ static int send_http_request(struct clie
+ update_client_headers(csp, to_send_len))
+ {
+ log_error(LOG_LEVEL_HEADER, "Error updating client headers");
++ freez(to_send);
+ return 1;
+ }
+ csp->expected_client_content_length = 0;
+@@ -2206,6 +2207,10 @@ static int send_http_request(struct clie
+ {
+ log_error(LOG_LEVEL_CONNECT, "Failed sending request headers to: %s: %E",
+ csp->http->hostport);
++ if (filter_client_body)
++ {
++ freez(to_send);
++ }
+ return 1;
+ }
+
diff -Nru privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch
--- privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.32/debian/patches/56_CVE-2021-44543.patch 2021-12-07 19:59:33.000000000 +0100
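Review bot: The two added frees use different guards and nothing in the hunk says why: at `@@ -2182` `freez(to_send);` is unconditional, while at `@@ -2206` it is wrapped in `if (filter_client_body)`. Presumably `to_send` is heap-allocated only when the client body was filtered and otherwise points into a buffer owned elsewhere; if so, an unguarded free on the second path would be an invalid free, so the ownership rule deserves a comment at the declaration, e.g. `/* to_send is owned here (and must be freed) only when filter_client_body is set */`. send_http_request() continues past the hunk, so any later error return needs the same guarded free, which cannot be verified from these lines.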
@@ -0,0 +1,41 @@
+From 0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 Mon Sep 17 00:00:00 2001
+From: Fabian Keil <f...@fabiankeil.de>
+Date: Tue, 2 Nov 2021 12:11:37 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0e668e94
+Subject: cgi_error_no_template(): Encode the template name to prevent XSS
+
+OVE-20211102-0001. CVE-2021-44543.
+
+Reported by: Artem Ivanov
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -1196,7 +1196,8 @@ jb_err cgi_error_no_template(const struc
+ ").</p>\n"
+ "</body>\n"
+ "</html>\n";
+- const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1;
++ size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1;
++ const char *encoded_template_name;
+
+ assert(csp);
+ assert(rsp);
+@@ -1210,9 +1211,17 @@ jb_err cgi_error_no_template(const struc
+ rsp->head_length = 0;
+ rsp->is_static = 0;
+
++ encoded_template_name = html_encode(template_name);
++ if (encoded_template_name == NULL)
++ {
++ return JB_ERR_MEMORY;
++ }
++
++ body_size += strlen(encoded_template_name);
+ rsp->body = malloc_or_die(body_size);
+ strlcpy(rsp->body, body_prefix, body_size);
+- strlcat(rsp->body, template_name, body_size);
++ strlcat(rsp->body, encoded_template_name, body_size);
++ freez(encoded_template_name);
+ strlcat(rsp->body, body_suffix, body_size);
+
+ rsp->status = strdup(status);
diff -Nru privoxy-3.0.32/debian/patches/series privoxy-3.0.32/debian/patches/series
--- privoxy-3.0.32/debian/patches/series 2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/patches/series 2021-12-07 19:59:33.000000000 +0100
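Review bot: The new `return JB_ERR_MEMORY;` is taken after `rsp->head_length` and `rsp->is_static` have already been reset, so a failed `html_encode()` leaves `rsp` partly modified, and it is the only allocation in this stretch that reports an error while the very next one uses `malloc_or_die()`. Calling `html_encode(template_name)` and checking for NULL before the first write to `rsp` would keep the failure path free of side effects; the lines above `rsp->head_length = 0;` are outside the hunk, so check what has already been released there before moving it. `encoded_template_name` is declared `const char *` yet handed to `freez()`; `char *encoded_template_name;` would match the fact that this function owns and frees the buffer.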
@@ -5,3 +5,7 @@
 32_bind_fixup.patch
 33_manpage_hyphen.patch
 34_system-docbook2man.patch
+53_CVE-2021-44540.patch
+54_CVE-2021-44541.patch
+55_CVE-2021-44542.patch
+56_CVE-2021-44543.patch
diff -Nru privoxy-3.0.32/debian/salsa-ci.yml privoxy-3.0.32/debian/salsa-ci.yml
--- privoxy-3.0.32/debian/salsa-ci.yml 2021-04-03 11:17:39.000000000 +0200
+++ privoxy-3.0.32/debian/salsa-ci.yml 2021-12-07 19:59:33.000000000 +0100
@@ -1,3 +1,6 @@
 include:
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bullseye'