Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

This fixes CVE-2021-20216 and CVE-2021-20217.

Since both are tagged "<no-dsa> (Minor issue)" in security tracker, I tend to send this into the next point release of buster.

Salsa-CI passed: https://salsa.debian.org/debian/privoxy/-/pipelines/226257

Attached you'll find a diff against 3.0.28-2.

Greetings
Roland

diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog --- privoxy-3.0.28/debian/changelog 2019-01-06 13:07:14.000000000 +0100 +++ privoxy-3.0.28/debian/changelog 2021-02-02 18:03:02.000000000 +0100 @@ -1,3 +1,12 @@ +privoxy (3.0.28-2+deb10u1) buster; urgency=medium + + * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request + (CVE-2021-20217). + * 39_decompress_iob: Fix detection of insufficient data. + * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216). + + -- Roland Rosenfeld <rol...@debian.org> Tue, 02 Feb 2021 18:03:02 +0100 + privoxy (3.0.28-2) unstable; urgency=medium * d/tests/privoxy-regression-test: Remove tmpdir on exit. diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml privoxy-3.0.28/debian/gitlab-ci.yml --- privoxy-3.0.28/debian/gitlab-ci.yml 2019-01-06 13:07:14.000000000 +0100 +++ privoxy-3.0.28/debian/gitlab-ci.yml 1970-01-01 01:00:00.000000000 +0100 @@ -1,16 +0,0 @@ -include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - -build: - extends: .build-unstable - -reprotest: - extends: .test-reprotest - -lintian: - extends: .test-lintian - -autopkgtest: - extends: .test-autopkgtest - -piuparts: - extends: .test-piuparts diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch --- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 2021-02-02 18:03:02.000000000 +0100 
@@ -0,0 +1,34 @@ +commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a +Author: Fabian Keil <f...@fabiankeil.de> +Date: Sat Jan 30 15:04:17 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b +Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217) + + parse_cgi_parameters(): Make sure the maximum number of segments is large enough + + ... for ssplit() to succeed. + + Prevents an assertion from getting triggered. OVE-20210130-0001. + + Reported by: Joshua Rogers (Opera) + +--- a/cgi.c ++++ b/cgi.c +@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters( + * The same hack is used in get_last_url() so it looks like + * a real solution is needed. + */ +- size_t max_segments = strlen(argstring) / 2; +- if (max_segments == 0) +- { +- /* +- * XXX: If the argstring is empty, there's really +- * no point in creating a param list, but currently +- * other parts of Privoxy depend on the list's existence. +- */ +- max_segments = 1; +- } ++ size_t max_segments = strlen(argstring) / 2 + 1; + vector = malloc_or_die(max_segments * sizeof(char *)); + + cgi_params = new_map(); diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch privoxy-3.0.28/debian/patches/39_decompress_iob.patch --- privoxy-3.0.28/debian/patches/39_decompress_iob.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/39_decompress_iob.patch 2021-02-02 18:03:02.000000000 +0100 
@@ -0,0 +1,22 @@ +commit f5c1a886b7ae20da7eafb77926252eb521260728 +Author: Fabian Keil <f...@fabiankeil.de> +Date: Thu Jan 28 16:26:45 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f5c1a +Subject: decompress_iob(): Fix detection of insufficient data + + Instead of checking the size of the iob we have to + check the size of the actual data. + + Previously Privoxy could try to work on uninitialized data. + +--- a/parsers.c ++++ b/parsers.c +@@ -433,7 +433,7 @@ jb_err decompress_iob(struct client_stat + + cur = csp->iob->cur; + +- if (bufsize < (size_t)10) ++ if (old_size < (size_t)10) + { + /* + * This is to protect the parsing of gzipped data, diff -Nru privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch --- privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch 2021-02-02 18:03:02.000000000 +0100 @@ -0,0 +1,21 @@ +commit f431d61740cc03c1c5f6b7f9c7a4a8d0bedd70dd +Author: Fabian Keil <f...@fabiankeil.de> +Date: Thu Jan 28 18:02:56 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f431d +Subject: Fix a memory leak (CVE-2021-20216) + decompress_iob(): Fix a memory leak + + ... when decompression fails "unexpectedly". + + OVE-20210128-0001. + +--- a/parsers.c ++++ b/parsers.c +@@ -701,6 +701,7 @@ jb_err decompress_iob(struct client_stat + log_error(LOG_LEVEL_ERROR, + "Unexpected error while decompressing to the buffer (iob): %s", + zstr.msg); ++ freez(buf); + return JB_ERR_COMPRESS; + } + diff -Nru privoxy-3.0.28/debian/patches/series privoxy-3.0.28/debian/patches/series --- privoxy-3.0.28/debian/patches/series 2019-01-06 13:07:14.000000000 +0100 +++ privoxy-3.0.28/debian/patches/series 2021-02-02 18:03:02.000000000 +0100 
@@ -10,3 +10,6 @@ 35_man-spelling.patch 36_trusted-cgi-referer-example.patch 37_ppedit-tests403.patch +38_CVE-2021-20217.patch +39_decompress_iob.patch +40_CVE-2021-20216.patch diff -Nru privoxy-3.0.28/debian/salsa-ci.yml privoxy-3.0.28/debian/salsa-ci.yml --- privoxy-3.0.28/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/salsa-ci.yml 2021-02-02 18:03:02.000000000 +0100 @@ -0,0 +1,6 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'buster'
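
Review bot: In the debian/changelog hunk, the new 3.0.28-2+deb10u1 entry lists only the three patches, but the same diff also deletes debian/gitlab-ci.yml and adds debian/salsa-ci.yml with RELEASE: 'buster'. Add a changelog line for the CI configuration change so the entry accounts for everything in the upload.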
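
Review bot: In 38_CVE-2021-20217.patch, the cgi.c hunk deletes the XXX comment together with the max_segments == 0 special case, and the replacement line "size_t max_segments = strlen(argstring) / 2 + 1;" carries no explanation. The + 1 still yields 1 for an empty argstring, so the behaviour the old comment described is preserved, but nothing says so any more. A one-line comment stating that the + 1 covers both the empty string and the rounding-down of the division would keep a later cleanup from removing it. The retained context comment still calls this a hack that needs a real solution, which remains true after this change.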
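
Review bot: In 39_decompress_iob.patch, the check becomes "if (old_size < (size_t)10)", but the hunk context shows only "cur = csp->iob->cur;" and not where old_size is assigned. Since the commit message says the previous check could let Privoxy work on uninitialized data, confirm that old_size is computed from the data actually present before this check is reached, and consider a short comment at the check saying which quantity it measures.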
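
Review bot: In 40_CVE-2021-20216.patch, "freez(buf);" is added on one error return only, the JB_ERR_COMPRESS path after the "Unexpected error while decompressing to the buffer (iob)" log line. The hunk does not show the other exits of decompress_iob(), so check that every return taken after buf is allocated releases it, and that the zstr stream whose msg is logged here is also cleaned up on this path.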