Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

This fixes CVE-2021-20216 and CVE-2021-20217. Since both are tagged "<no-dsa> (Minor issue)" in security tracker, I tend to send this into the next point release of stretch.

Salsa-CI passed: https://salsa.debian.org/debian/privoxy/-/pipelines/226263

Attached you'll find a diff against 3.0.26-3.

Greetings
Roland

diff -Nru privoxy-3.0.26/debian/changelog privoxy-3.0.26/debian/changelog --- privoxy-3.0.26/debian/changelog 2017-01-11 22:24:55.000000000 +0100 +++ privoxy-3.0.26/debian/changelog 2021-02-02 18:52:00.000000000 +0100 @@ -1,3 +1,12 @@ +privoxy (3.0.26-3+deb9u1) stretch; urgency=medium + + * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request + (CVE-2021-20217). + * 39_decompress_iob: Fix detection of insufficient data. + * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216). + + -- Roland Rosenfeld <rol...@debian.org> Tue, 02 Feb 2021 18:52:00 +0100 + privoxy (3.0.26-3) unstable; urgency=medium * Add da debconf translation. Thanks to Joe Dalton (Closes: #850876). diff -Nru privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch --- privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch 2021-02-02 18:52:00.000000000 +0100 
@@ -0,0 +1,34 @@ +commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a +Author: Fabian Keil <f...@fabiankeil.de> +Date: Sat Jan 30 15:04:17 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b +Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217) + + parse_cgi_parameters(): Make sure the maximum number of segments is large enough + + ... for ssplit() to succeed. + + Prevents an assertion from getting triggered. OVE-20210130-0001. + + Reported by: Joshua Rogers (Opera) + +--- a/cgi.c ++++ b/cgi.c +@@ -628,16 +628,7 @@ static struct map *parse_cgi_parameters( + * The same hack is used in get_last_url() so it looks like + * a real solution is needed. + */ +- size_t max_segments = strlen(argstring) / 2; +- if (max_segments == 0) +- { +- /* +- * XXX: If the argstring is empty, there's really +- * no point in creating a param list, but currently +- * other parts of Privoxy depend on the list's existence. +- */ +- max_segments = 1; +- } ++ size_t max_segments = strlen(argstring) / 2 + 1; + vector = malloc_or_die(max_segments * sizeof(char *)); + + cgi_params = new_map(); diff -Nru privoxy-3.0.26/debian/patches/39_decompress_iob.patch privoxy-3.0.26/debian/patches/39_decompress_iob.patch --- privoxy-3.0.26/debian/patches/39_decompress_iob.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.26/debian/patches/39_decompress_iob.patch 2021-02-02 18:52:00.000000000 +0100 
@@ -0,0 +1,22 @@ +commit f5c1a886b7ae20da7eafb77926252eb521260728 +Author: Fabian Keil <f...@fabiankeil.de> +Date: Thu Jan 28 16:26:45 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f5c1a +Subject: decompress_iob(): Fix detection of insufficient data + + Instead of checking the size of the iob we have to + check the size of the actual data. + + Previously Privoxy could try to work on uninitialized data. + +--- a/parsers.c ++++ b/parsers.c +@@ -430,7 +430,7 @@ jb_err decompress_iob(struct client_stat + + cur = csp->iob->cur; + +- if (bufsize < (size_t)10) ++ if (old_size < (size_t)10) + { + /* + * This is to protect the parsing of gzipped data, diff -Nru privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch --- privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch 2021-02-02 18:52:00.000000000 +0100 @@ -0,0 +1,21 @@ +commit f431d61740cc03c1c5f6b7f9c7a4a8d0bedd70dd +Author: Fabian Keil <f...@fabiankeil.de> +Date: Thu Jan 28 18:02:56 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f431d +Subject: Fix a memory leak (CVE-2021-20216) + decompress_iob(): Fix a memory leak + + ... when decompression fails "unexpectedly". + + OVE-20210128-0001. + +--- a/parsers.c ++++ b/parsers.c +@@ -698,6 +698,7 @@ jb_err decompress_iob(struct client_stat + log_error(LOG_LEVEL_ERROR, + "Unexpected error while decompressing to the buffer (iob): %s", + zstr.msg); ++ freez(buf); + return JB_ERR_COMPRESS; + } + diff -Nru privoxy-3.0.26/debian/patches/series privoxy-3.0.26/debian/patches/series --- privoxy-3.0.26/debian/patches/series 2017-01-11 22:24:55.000000000 +0100 +++ privoxy-3.0.26/debian/patches/series 2021-02-02 18:52:00.000000000 +0100 
@@ -11,3 +11,6 @@ 35_man-spelling.patch 36_openspopenjade.patch 37_adventofcode.patch +38_CVE-2021-20217.patch +39_decompress_iob.patch +40_CVE-2021-20216.patch diff -Nru privoxy-3.0.26/debian/salsa-ci.yml privoxy-3.0.26/debian/salsa-ci.yml --- privoxy-3.0.26/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.26/debian/salsa-ci.yml 2021-02-02 18:52:00.000000000 +0100 @@ -0,0 +1,6 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'stretch'
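
Review bot: In the cgi.c hunk of 38_CVE-2021-20217.patch, the new `size_t max_segments = strlen(argstring) / 2 + 1;` carries no comment explaining the `+ 1`, and the removed XXX block was the only place that documented the empty-argstring case. Please add a short comment at that line: `strlen(argstring) / 2` rounds down for odd lengths, which looks like the case the commit message means by "large enough for ssplit() to succeed", and the `+ 1` also keeps the vector non-empty for an empty argstring, which the removed comment says other parts of Privoxy depend on.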
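
Review bot: In the parsers.c hunk of 39_decompress_iob.patch, the check becomes `if (old_size < (size_t)10)` but the definition of `old_size` is outside the three context lines, so the hunk alone does not show that it is the amount of data actually present rather than the buffer size. A one-line comment at the check stating what `old_size` and `bufsize` each measure would make the distinction the commit message draws ("the size of the actual data") visible in the code and make it harder to swap the two back. The changelog entry for this patch could also mention the effect the commit message names, that Privoxy "could try to work on uninitialized data".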
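
Review bot: In the parsers.c hunk of 40_CVE-2021-20216.patch, `freez(buf);` is added only on the "Unexpected error while decompressing to the buffer (iob)" path before `return JB_ERR_COMPRESS;`, and the hunk does not show whether other early returns in decompress_iob() that run after `buf` is allocated also release it. Worth confirming against the full function that this is the only exit that leaked, or routing the error exits through a single cleanup point so a later return cannot reintroduce the leak.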
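
Review bot: The new debian/salsa-ci.yml is not mentioned in the 3.0.26-3+deb9u1 changelog entry, which lists only the three patches; a point-release diff should account for every changed file, so add a line such as "Add debian/salsa-ci.yml with RELEASE: 'stretch'". Note also that both `include:` URLs point at `raw/master` of the salsa-ci-team pipeline, so the CI definition used for this stretch upload follows upstream master rather than a fixed revision, and the pipeline result linked in the request may not be reproducible later.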