Hi release team! In the meantime privoxy 3.0.32 was released, which contains five more CVEs. I applied four of them to 3.0.28-2+deb10u1.patch-v4 now, while CVE-2021-20274 applies to code that was introduced in 3.0.29, so it doesn't affect buster.
An updated version of my patch is attached. Greetings Roland
diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog --- privoxy-3.0.28/debian/changelog 2019-01-06 13:07:14.000000000 +0100 +++ privoxy-3.0.28/debian/changelog 2021-03-08 13:57:15.000000000 +0100 
@@ -1,3 +1,41 @@ +privoxy (3.0.28-2+deb10u1) buster; urgency=medium + + * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request + (CVE-2021-20217). + * 39_decompress_iob: Fix detection of insufficient data. + * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216). + * 41_CVE-2020-35502: Fixed memory leaks when a response is buffered and + the buffer limit is reached or Privoxy is running out of memory + (CVE-2020-35502). + * 42_CVE-2021-20209: Fixed a memory leak in the show-status CGI handler + when no action files are configured (CVE-2021-20209). + * 43_CVE-2021-20210: Fixed a memory leak in the show-status CGI handler + when no filter files are configured (CVE-2021-20210). + * 44_CVE-2021-20211: Fixes a memory leak when client tags are active + (CVE-2021-20211). + * 45_CVE-2021-20212: Fixed a memory leak if multiple filters are + executed and the last one is skipped due to a pcre error (CVE-2021-20212). + * 46_CVE-2021-20213: Prevent an unlikely dereference of a NULL-pointer + that could result in a crash if accept-intercepted-requests was + enabled, Privoxy failed to get the request destination from the Host + header and a memory allocation failed (CVE-2021-20213). + * 47_CVE-2021-20214: Fixed memory leaks in the client-tags CGI handler + when client tags are configured and memory allocations fail + (CVE-2021-20214). + * 48_CVE-2021-20215: Fixed memory leaks in the show-status CGI handler + when memory allocations fail (CVE-2021-20215). + * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be + triggered with a crafted CGI request (CVE-2021-20272). + * 50_CVE-2021-20273: cgi_send_banner(): Overrule invalid image types. + Prevents a crash with a crafted CGI request if Privoxy is toggled off + (CVE-2021-20273). + * 51_CVE-2021-20275: chunked_body_is_complete(): Prevent invalid read of + size two (CVE-2021-20275). + * 52_CVE-2021-20276: Obsolete pcre: Prevent invalid memory accesses + (CVE-2021-20276). 
+ + -- Roland Rosenfeld <rol...@debian.org> Mon, 08 Mar 2021 13:57:15 +0100 + privoxy (3.0.28-2) unstable; urgency=medium * d/tests/privoxy-regression-test: Remove tmpdir on exit. diff -Nru privoxy-3.0.28/debian/gitlab-ci.yml privoxy-3.0.28/debian/gitlab-ci.yml --- privoxy-3.0.28/debian/gitlab-ci.yml 2019-01-06 13:07:14.000000000 +0100 +++ privoxy-3.0.28/debian/gitlab-ci.yml 1970-01-01 01:00:00.000000000 +0100 @@ -1,16 +0,0 @@ -include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - -build: - extends: .build-unstable - -reprotest: - extends: .test-reprotest - -lintian: - extends: .test-lintian - -autopkgtest: - extends: .test-autopkgtest - -piuparts: - extends: .test-piuparts diff -Nru privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch --- privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/38_CVE-2021-20217.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,34 @@ +commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a +Author: Fabian Keil <f...@fabiankeil.de> +Date: Sat Jan 30 15:04:17 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b +Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217) + + parse_cgi_parameters(): Make sure the maximum number of segments is large enough + + ... for ssplit() to succeed. + + Prevents an assertion from getting triggered. OVE-20210130-0001. + + Reported by: Joshua Rogers (Opera) + +--- a/cgi.c ++++ b/cgi.c +@@ -645,16 +645,7 @@ static struct map *parse_cgi_parameters( + * The same hack is used in get_last_url() so it looks like + * a real solution is needed. + */ +- size_t max_segments = strlen(argstring) / 2; +- if (max_segments == 0) +- { +- /* +- * XXX: If the argstring is empty, there's really +- * no point in creating a param list, but currently +- * other parts of Privoxy depend on the list's existence. +- */ +- max_segments = 1; +- } ++ size_t max_segments = strlen(argstring) / 2 + 1; + vector = malloc_or_die(max_segments * sizeof(char *)); + + cgi_params = new_map(); diff -Nru privoxy-3.0.28/debian/patches/39_decompress_iob.patch privoxy-3.0.28/debian/patches/39_decompress_iob.patch --- privoxy-3.0.28/debian/patches/39_decompress_iob.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/39_decompress_iob.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,22 @@ +commit f5c1a886b7ae20da7eafb77926252eb521260728 +Author: Fabian Keil <f...@fabiankeil.de> +Date: Thu Jan 28 16:26:45 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f5c1a +Subject: decompress_iob(): Fix detection of insufficient data + + Instead of checking the size of the iob we have to + check the size of the actual data. + + Previously Privoxy could try to work on uninitialized data. + +--- a/parsers.c ++++ b/parsers.c +@@ -433,7 +433,7 @@ jb_err decompress_iob(struct client_stat + + cur = csp->iob->cur; + +- if (bufsize < (size_t)10) ++ if (old_size < (size_t)10) + { + /* + * This is to protect the parsing of gzipped data, diff -Nru privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch --- privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/40_CVE-2021-20216.patch 2021-03-08 13:57:15.000000000 +0100 @@ -0,0 +1,21 @@ +commit f431d61740cc03c1c5f6b7f9c7a4a8d0bedd70dd +Author: Fabian Keil <f...@fabiankeil.de> +Date: Thu Jan 28 18:02:56 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f431d +Subject: Fix a memory leak (CVE-2021-20216) + decompress_iob(): Fix a memory leak + + ... when decompression fails "unexpectedly". + + OVE-20210128-0001. + +--- a/parsers.c ++++ b/parsers.c +@@ -701,6 +701,7 @@ jb_err decompress_iob(struct client_stat + log_error(LOG_LEVEL_ERROR, + "Unexpected error while decompressing to the buffer (iob): %s", + zstr.msg); ++ freez(buf); + return JB_ERR_COMPRESS; + } + diff -Nru privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch --- privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/41_CVE-2020-35502.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,25 @@ +Author: Fabian Keil <f...@fabiankeil.de> +Date: Mon Mar 2 18:14:29 2020 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=4490d451f9b, https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=bbd53f1010b +Subject: Fixed memory leaks when a response is buffered and the buffer limit + is reached or Privoxy is running out of memory (CVE-2020-35502) + +--- a/parsers.c ++++ b/parsers.c +@@ -633,6 +633,8 @@ jb_err decompress_iob(struct client_stat + if (bufsize >= csp->config->buffer_limit) + { + log_error(LOG_LEVEL_ERROR, "Buffer limit reached while decompressing iob"); ++ freez(buf); ++ inflateEnd(&zstr); + return JB_ERR_MEMORY; + } + +@@ -651,6 +653,7 @@ jb_err decompress_iob(struct client_stat + { + log_error(LOG_LEVEL_ERROR, "Out of memory decompressing iob"); + freez(buf); ++ inflateEnd(&zstr); + return JB_ERR_MEMORY; + } + else diff -Nru privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch --- privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/42_CVE-2021-20209.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,17 @@ +commit c62254a686dcd40e3b6e5753d0c7c0308209a7b6 +Author: Fabian Keil <f...@fabiankeil.de> +Date: Sun Aug 30 09:25:47 2020 +0200 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=c62254a686 +Subject: Fixed a memory leak in the show-status CGI handler when + no action files are configured. CVE-2021-20209. + +--- a/cgisimple.c ++++ b/cgisimple.c +@@ -1190,6 +1190,7 @@ jb_err cgi_show_status(struct client_sta + else + { + if (!err) err = map(exports, "actions-filenames", 1, "<tr><td>None specified</td></tr>", 1); ++ freez(s); + } + + /* diff -Nru privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch --- privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/43_CVE-2021-20210.patch 2021-03-08 13:57:15.000000000 +0100 @@ -0,0 +1,20 @@ +commit 1b1370f7a8a9cc5434d3e0e54dd620df1e70c873 +Author: Fabian Keil <f...@fabiankeil.de> +Date: Sun Aug 30 09:24:48 2020 +0200 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=1b1370f7a8a +Subject: Fixed a memory leak in the show-status CGI handler when no filter + files are configured (CVE-2021-20210). + cgi_show_status: Don't leak memory when no filter files are specified + + Sponsored by: Robert Klemme + +--- a/cgisimple.c ++++ b/cgisimple.c +@@ -1218,6 +1218,7 @@ jb_err cgi_show_status(struct client_sta + { + if (!err) err = map(exports, "re-filter-filenames", 1, "<tr><td>None specified</td></tr>", 1); + if (!err) err = map_block_killer(exports, "have-filterfile"); ++ freez(s); + } + + #ifdef FEATURE_TRUST diff -Nru privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch --- privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/44_CVE-2021-20211.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,24 @@ +commit 245e1cf325bc957df6226c745b7ac3f67a97ea07 +Author: Fabian Keil <f...@fabiankeil.de> +Date: Mon Mar 2 13:05:13 2020 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=245e1cf32 +Subject: Fixes a memory leak when client tags are active (CVE-2021-20211). + + free_csp_resources(): Destroy csp->client_tags + + Fixes a memory leak when client tags are active. + + Sponsored by: Robert Klemme + +--- a/loaders.c ++++ b/loaders.c +@@ -113,6 +113,9 @@ void free_csp_resources(struct client_st + + destroy_list(csp->headers); + destroy_list(csp->tags); ++#ifdef FEATURE_CLIENT_TAGS ++ destroy_list(csp->client_tags); ++#endif + + free_current_action(csp->action); + } diff -Nru privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch --- privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/45_CVE-2021-20212.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,26 @@ +commit 5cfb7bc8feecc82eb161450faa572abf9be19cbb +Author: Fabian Keil <f...@fabiankeil.de> +Date: Thu Sep 24 10:44:00 2020 +0200 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5cfb7bc8fe +Subject: Fixed a memory leak if multiple filters are executed and the last + one is skipped due to a pcre error (CVE-2021-20212) + pcrs_filter_response(): Free the old data if there are no hits + + ... and it's different from the data in iob and the new data. + + Fixes a memory leak if multiple filters are executed + and the last one is skipped due to a pcre error. + +--- a/filters.c ++++ b/filters.c +@@ -1664,6 +1664,10 @@ static char *pcrs_filter_response(struct + */ + if (!hits) + { ++ if (old != csp->iob->cur && old != new) ++ { ++ freez(old); ++ } + freez(new); + return(NULL); + } diff -Nru privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch --- privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/46_CVE-2021-20213.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,45 @@ +commit 75301323495579ff27bdaaea67e31e2df83475fc +Author: Fabian Keil <f...@fabiankeil.de> +Date: Tue Nov 10 13:50:59 2020 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=7530132349 +Subject: Prevent an unlikely dereference of a NULL-pointer that could result + in a crash if accept-intercepted-requests was enabled, Privoxy failed to get + the request destination from the Host header and a memory allocation failed. + (CVE-2021-20213). + + get_request_destination_elsewhere(): Prevent unlikely dereference of a NULL-pointer + + ... if getting the destination fails and list_to_text() fails + as well. + + CID 267165 + +--- a/jcc.c ++++ b/jcc.c +@@ -548,8 +548,6 @@ static int client_has_unsupported_expect + *********************************************************************/ + static jb_err get_request_destination_elsewhere(struct client_state *csp, struct list *headers) + { +- char *req; +- + if (!(csp->config->feature_flags & RUNTIME_FEATURE_ACCEPT_INTERCEPTED_REQUESTS)) + { + log_error(LOG_LEVEL_ERROR, "%s's request: \'%s\' is invalid." +@@ -578,15 +576,12 @@ static jb_err get_request_destination_el + { + /* We can't work without destination. 
Go spread the news.*/ + +- req = list_to_text(headers); +- chomp(req); + /* XXX: Use correct size */ + log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 400 0", + csp->ip_addr_str, csp->http->cmd); + log_error(LOG_LEVEL_ERROR, +- "Privoxy was unable to get the destination for %s's request:\n%s\n%s", +- csp->ip_addr_str, csp->http->cmd, req); +- freez(req); ++ "Privoxy was unable to get the destination for %s's request: %s", ++ csp->ip_addr_str, csp->http->cmd); + + write_socket_delayed(csp->cfd, MISSING_DESTINATION_RESPONSE, + strlen(MISSING_DESTINATION_RESPONSE), get_write_delay(csp)); diff -Nru privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch --- privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/47_CVE-2021-20214.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,29 @@ +commit cf5640eb2a57197717758e225ad6e11cbaab1d6c +Author: Fabian Keil <f...@fabiankeil.de> +Date: Tue Nov 10 12:33:53 2020 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=cf5640eb2a +Subject: Fixed memory leaks in the client-tags CGI handler when client tags + are configured and memory allocations fail (CVE-2021-20214). + + cgi_show_client_tags(): Plug memory leaks + + CID 267168 + +--- a/cgisimple.c ++++ b/cgisimple.c +@@ -404,6 +404,7 @@ jb_err cgi_show_client_tags(struct clien + snprintf(buf, sizeof(buf), "%d", csp->config->client_tag_lifetime); + if (map(exports, "refresh-delay", 1, buf, 1)) + { ++ freez(client_tag_status); + free_map(exports); + return JB_ERR_MEMORY; + } +@@ -413,6 +414,7 @@ jb_err cgi_show_client_tags(struct clien + err = map_block_killer(exports, "tags-expire"); + if (err != JB_ERR_OK) + { ++ freez(client_tag_status); + return err; + } + } diff -Nru privoxy-3.0.28/debian/patches/48_CVE-2021-20215.patch privoxy-3.0.28/debian/patches/48_CVE-2021-20215.patch --- privoxy-3.0.28/debian/patches/48_CVE-2021-20215.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/48_CVE-2021-20215.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,38 @@ +commit fdee85c0bf3e2dbd7722ddc45e9ed912f02a2136 +Author: Fabian Keil <f...@fabiankeil.de> +Date: Tue Nov 10 11:47:18 2020 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=064eac5fd0 + https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=fdee85c0bf3 +Subject: Fixed memory leaks in the show-status CGI handler when memory + allocations fail (CVE-2021-20215). + + Plug memory leak in cgi_show_status() + + CID 305233 + +--- a/cgisimple.c ++++ b/cgisimple.c +@@ -1185,9 +1185,9 @@ jb_err cgi_show_status(struct client_sta + if (!err) err = string_append(&s, "</td></tr>\n"); + } + } +- if (*s != '\0') ++ if (!err && *s != '\0') + { +- if (!err) err = map(exports, "actions-filenames", 1, s, 0); ++ err = map(exports, "actions-filenames", 1, s, 0); + } + else + { +@@ -1212,9 +1212,9 @@ jb_err cgi_show_status(struct client_sta + if (!err) err = string_append(&s, "</td></tr>\n"); + } + } +- if (*s != '\0') ++ if (!err && *s != '\0') + { +- if (!err) err = map(exports, "re-filter-filenames", 1, s, 0); ++ err = map(exports, "re-filter-filenames", 1, s, 0); + } + else + { diff -Nru privoxy-3.0.28/debian/patches/49_CVE-2021-20272.patch privoxy-3.0.28/debian/patches/49_CVE-2021-20272.patch --- privoxy-3.0.28/debian/patches/49_CVE-2021-20272.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/49_CVE-2021-20272.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,32 @@ +commit 2256d7b4d67dd9c364386877d5af59943433458b +Author: Fabian Keil <f...@fabiankeil.de> +Date: Wed Feb 3 19:08:20 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=2256d7b4d67 +Subject: ssplit(): Remove an assertion that could be triggered with a crafted + CGI request (CVE-2021-20272). + + This reverts dc4e311bcf. + + OVE-20210203-0001. + + Reported by: Joshua Rogers (Opera) + +--- a/ssplit.c ++++ b/ssplit.c +@@ -36,7 +36,6 @@ + + #include <string.h> + #include <stdlib.h> +-#include <assert.h> + + #include "ssplit.h" + #include "miscutil.h" +@@ -150,8 +149,6 @@ int ssplit(char *str, const char *delim, + } + } + /* null terminate the substring */ +- /* XXX: this shouldn't be necessary, so assert that it isn't. */ +- assert(*str == '\0'); + *str = '\0'; + + return(vec_count); diff -Nru privoxy-3.0.28/debian/patches/50_CVE-2021-20273.patch privoxy-3.0.28/debian/patches/50_CVE-2021-20273.patch --- privoxy-3.0.28/debian/patches/50_CVE-2021-20273.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/50_CVE-2021-20273.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,28 @@ +commit e711c505c4830ab271938d61af90a2075523f058 +Author: Fabian Keil <f...@fabiankeil.de> +Date: Sat Feb 6 20:43:06 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=e711c505c48 +Subject: cgi_send_banner(): Overrule invalid image types. Prevents a crash with + a crafted CGI request if Privoxy is toggled off.(CVE-2021-20273). + + OVE-20210206-0001. + + Reported by: Joshua Rogers (Opera) + +--- a/cgisimple.c ++++ b/cgisimple.c +@@ -536,6 +536,14 @@ jb_err cgi_send_banner(struct client_sta + { + char imagetype = lookup(parameters, "type")[0]; + ++ if (imagetype != 'a' && imagetype != 'b' && ++ imagetype != 'p' && imagetype != 't') ++ { ++ log_error(LOG_LEVEL_ERROR, "Overruling invalid image type '%c'.", ++ imagetype); ++ imagetype = 'p'; ++ } ++ + /* + * If type is auto, then determine the right thing + * to do from the set-image-blocker action diff -Nru privoxy-3.0.28/debian/patches/51_CVE-2021-20275.patch privoxy-3.0.28/debian/patches/51_CVE-2021-20275.patch --- privoxy-3.0.28/debian/patches/51_CVE-2021-20275.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/51_CVE-2021-20275.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,26 @@ +commit a912ba7bc9ce5855a810d09332e9d94566ce1521 +Author: Fabian Keil <f...@fabiankeil.de> +Date: Fri Feb 5 05:06:56 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=a912ba7bc9c +Subject: chunked_body_is_complete(): Prevent invalid read of size two + (CVE-2021-20275). + + OVE-20210205-0001. + + Reported by: Joshua Rogers (Opera) + +--- a/jcc.c ++++ b/jcc.c +@@ -1435,6 +1435,12 @@ static enum chunk_status chunked_body_is + /* Move beyond the chunkdata. */ + p += 2 + chunksize; + ++ /* Make sure we're still within the buffer and have two bytes left */ ++ if (p + 2 > iob->eod) ++ { ++ return CHUNK_STATUS_MISSING_DATA; ++ } ++ + /* There should be another "\r\n" to skip */ + if (memcmp(p, "\r\n", 2)) + { diff -Nru privoxy-3.0.28/debian/patches/52_CVE-2021-20276.patch privoxy-3.0.28/debian/patches/52_CVE-2021-20276.patch --- privoxy-3.0.28/debian/patches/52_CVE-2021-20276.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/52_CVE-2021-20276.patch 2021-03-08 13:57:15.000000000 +0100 
@@ -0,0 +1,79 @@ +commit 28512e5b62457f0ff6f2d72e3e5c9226b9e0203d +Author: Fabian Keil <f...@fabiankeil.de> +Date: Mon Feb 22 09:17:30 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=28512e5b624 +Subject: Obsolete pcre: Prevent invalid memory accesses (CVE-2021-20276) + + ... with an invalid pattern passed to pcre_compile(). + + ==22377== Invalid write of size 1 + ==22377== at 0x466E37: compile_branch (pcre.c:2001) + ==22377== by 0x45FA64: compile_regex (pcre.c:2164) + ==22377== by 0x45EE77: pcre_compile (pcre.c:3077) + ==22377== by 0x467B6D: regcomp (pcreposix.c:206) + ==22377== by 0x456FFF: compile_pattern (urlmatch.c:667) + ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752) + ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243) + ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870) + ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587) + ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588) + ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383) + ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920) + ==22377== Address 0x7177469 is 4 bytes after a block of size 1,125 alloc'd + ==22377== at 0x4C26A44: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) + ==22377== by 0x45ED5C: pcre_compile (pcre.c:3054) + ==22377== by 0x467B6D: regcomp (pcreposix.c:206) + ==22377== by 0x456FFF: compile_pattern (urlmatch.c:667) + ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752) + ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243) + ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870) + ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587) + ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588) + ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383) + ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920) + ==22377== by 0x43ADDB: chat (jcc.c:4241) + + ==22377== Invalid read of size 1 + ==22377== at 0x466FCC: compile_branch (pcre.c:2053) + 
==22377== by 0x45FA64: compile_regex (pcre.c:2164) + ==22377== by 0x45EE77: pcre_compile (pcre.c:3077) + ==22377== by 0x467B6D: regcomp (pcreposix.c:206) + ==22377== by 0x456FFF: compile_pattern (urlmatch.c:667) + ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752) + ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243) + ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870) + ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587) + ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588) + ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383) + ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920) + ==22377== Address 0x7176fb1 is 0 bytes after a block of size 1,057 alloc'd + ==22377== at 0x4C26A44: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) + ==22377== by 0x44C3F0: malloc_or_die (miscutil.c:194) + ==22377== by 0x456FBB: compile_pattern (urlmatch.c:662) + ==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752) + ==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243) + ==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870) + ==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587) + ==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588) + ==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383) + ==22377== by 0x43C511: crunch_response_triggered (jcc.c:920) + ==22377== by 0x43ADDB: chat (jcc.c:4241) + ==22377== by 0x439DA5: serve (jcc.c:4778) + + OVE-20210222-0001. + + pcre 8.44 does not seem to be affected. + + Reported by: Joshua Rogers (Opera) + +--- a/pcre/pcre.c ++++ b/pcre/pcre.c +@@ -2050,7 +2050,7 @@ for (;; ptr++) + + /* This "while" is the end of the "do" above. 
*/ + +- while (length < MAXLIT && (cd->ctypes[c = *(++ptr)] & ctype_meta) == 0); ++ while (*ptr && length < MAXLIT && (cd->ctypes[c = *(++ptr)] & ctype_meta) == 0); + + /* Update the last character and the count of literals */ + diff -Nru privoxy-3.0.28/debian/patches/series privoxy-3.0.28/debian/patches/series --- privoxy-3.0.28/debian/patches/series 2019-01-06 13:07:14.000000000 +0100 +++ privoxy-3.0.28/debian/patches/series 2021-03-08 13:57:15.000000000 +0100 @@ -10,3 +10,18 @@ 35_man-spelling.patch 36_trusted-cgi-referer-example.patch 37_ppedit-tests403.patch +38_CVE-2021-20217.patch +39_decompress_iob.patch +40_CVE-2021-20216.patch +41_CVE-2020-35502.patch +42_CVE-2021-20209.patch +43_CVE-2021-20210.patch +44_CVE-2021-20211.patch +45_CVE-2021-20212.patch +46_CVE-2021-20213.patch +47_CVE-2021-20214.patch +48_CVE-2021-20215.patch +49_CVE-2021-20272.patch +50_CVE-2021-20273.patch +51_CVE-2021-20275.patch +52_CVE-2021-20276.patch diff -Nru privoxy-3.0.28/debian/salsa-ci.yml privoxy-3.0.28/debian/salsa-ci.yml --- privoxy-3.0.28/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/salsa-ci.yml 2021-03-08 13:57:15.000000000 +0100 @@ -0,0 +1,6 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'buster'
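Review bot: In 40_CVE-2021-20216.patch the "Unexpected error while decompressing" path of decompress_iob() now does `freez(buf);` but still returns JB_ERR_COMPRESS without `inflateEnd(&zstr);`, whereas 41_CVE-2020-35502.patch adds both `freez(buf);` and `inflateEnd(&zstr);` on the neighbouring buffer-limit and out-of-memory paths of the same function. Unless the inflate state is torn down earlier on that path (not visible in the hunk), the same `inflateEnd(&zstr);` belongs before the `return JB_ERR_COMPRESS;` so the zlib stream is not leaked alongside the buffer.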
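Review bot: 48_CVE-2021-20215.patch depends on 42_CVE-2021-20209.patch and 43_CVE-2021-20210.patch having been applied first: its new `if (!err && *s != '\0')` guard routes the error case into the else branch of cgi_show_status(), and it is the `freez(s);` that 42/43 add to that branch which frees the string when map() is skipped, so the series order must stay as listed. Worth stating in the changelog entry for 48 (or in a DEP-3 header) that it builds on 42/43, since someone reordering or dropping one of the three would silently reintroduce a leak on the error path.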
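Review bot: In 51_CVE-2021-20275.patch the new bound check `if (p + 2 > iob->eod)` is evaluated after `p += 2 + chunksize;`, so with an oversized attacker-supplied chunksize the pointer has already been advanced far past the buffer before it is compared; in C, forming a pointer beyond one-past-the-end is undefined behaviour even if it is never dereferenced, and compilers may fold the comparison. Unless an earlier check outside the hunk already bounds chunksize against the remaining data, the safer shape is to test the size before advancing, e.g. `if (chunksize > (size_t)(iob->eod - p) - 2) return CHUNK_STATUS_MISSING_DATA;` and only then `p += 2 + chunksize;`. The upstream fix is still a strict improvement and acceptable for the stable update; this is a follow-up to raise upstream.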
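Review bot: 49_CVE-2021-20272.patch drops `#include <assert.h>` from ssplit.c together with the one `assert(*str == '\0');` it removes; please confirm that no other assert() call remains in ssplit.c (the hunk only shows this one), otherwise the build fails on buster. Also note that the remaining `*str = '\0';` is now executed unconditionally and is the actual fix: the assertion was the only thing that could abort the process on a crafted CGI request, and the write it guarded is what keeps the substring terminated.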
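Review bot: 52_CVE-2021-20276.patch patches pcre/pcre.c, i.e. the pcre copy bundled with privoxy (the upstream message calls it "Obsolete pcre" and notes pcre 8.44 is not affected). Please confirm in the changelog whether the buster build links the bundled pcre or the system libpcre3; if it is the system library the patch is harmless but does not change the shipped binary, and the CVE entry should say so rather than imply the binary was fixed. The change itself is sound: `*ptr` is tested before `++ptr`, so the loop stops at the terminating NUL instead of reading past it.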
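Review bot: The deletion of debian/gitlab-ci.yml and addition of debian/salsa-ci.yml (with `RELEASE: 'buster'`) is unrelated to the CVE fixes and is not mentioned in the changelog. For a stable security update the release team normally wants the debdiff limited to the fixes; either drop the CI rename from this upload or add a changelog line documenting it so the diff is fully accounted for.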
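Review bot: 39_decompress_iob.patch is the only entry without a CVE, and the changelog line "Fix detection of insufficient data" does not say why it is part of a security update. Suggest expanding it with the upstream rationale from the commit message ("Previously Privoxy could try to work on uninitialized data", the check must use `old_size` rather than `bufsize`) and noting that it touches the same decompress_iob() function as 40 and 41, so reviewers can see it is a correctness fix for the same code path rather than an unrelated change.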