Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

This fixes CVE-2021-44540 and CVE-2021-44543. Since all are tagged "minor issue" in the security-tracker, I tend to send this into the next point release of buster.

Salsa-CI passed: https://salsa.debian.org/debian/privoxy/-/pipelines/325726

Attached you'll find a diff against 3.0.28-2+deb10u1.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Greetings
Roland

diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog --- privoxy-3.0.28/debian/changelog 2021-03-08 13:57:15.000000000 +0100 +++ privoxy-3.0.28/debian/changelog 2021-12-07 19:59:33.000000000 +0100 @@ -1,3 +1,12 @@ +privoxy (3.0.28-2+deb10u2) buster; urgency=medium + + * 53_CVE-2021-44540: get_url_spec_param(): Free memory of compiled + pattern spec before bailing (CVE-2021-44540). + * 56_CVE-2021-44543: cgi_error_no_template(): Encode the template name + to prevent XSS (CVE-2021-44543). + + -- Roland Rosenfeld <rol...@debian.org> Tue, 07 Dec 2021 19:59:33 +0100 + privoxy (3.0.28-2+deb10u1) buster; urgency=medium * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request diff -Nru privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch --- privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch 2021-12-07 19:59:33.000000000 +0100 
@@ -0,0 +1,39 @@ +From 652b4b7cb07592c0912cf938a50fcd009fa29a0a Mon Sep 17 00:00:00 2001 +From: Joshua Rogers <jrog...@opera.com> +Date: Fri, 19 Nov 2021 17:32:23 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=652b4b7c +Subject: get_url_spec_param(): Free memory of compiled pattern spec before + bailing + +OVE-20211201-0003. CVE-2021-44540. + +--- a/cgiedit.c ++++ b/cgiedit.c +@@ -1853,12 +1853,12 @@ static jb_err get_url_spec_param(struct + } + err = create_pattern_spec(compiled, s); + free(s); ++ free_pattern_spec(compiled); + if (err) + { + free(param); + return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS; + } +- free_pattern_spec(compiled); + + if (param[strlen(param) - 1] == '\\') + { +@@ -1889,12 +1889,12 @@ static jb_err get_url_spec_param(struct + } + err = create_pattern_spec(compiled, s); + free(s); ++ free_pattern_spec(compiled); + if (err) + { + free(param); + return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS; + } +- free_pattern_spec(compiled); + } + + *pvalue = param; diff -Nru privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch --- privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch 1970-01-01 01:00:00.000000000 +0100 +++ privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch 2021-12-07 19:59:33.000000000 +0100 
@@ -0,0 +1,41 @@ +From 0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 Mon Sep 17 00:00:00 2001 +From: Fabian Keil <f...@fabiankeil.de> +Date: Tue, 2 Nov 2021 12:11:37 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0e668e94 +Subject: cgi_error_no_template(): Encode the template name to prevent XSS + +OVE-20211102-0001. CVE-2021-44543. + +Reported by: Artem Ivanov + +--- a/cgi.c ++++ b/cgi.c +@@ -1175,7 +1175,8 @@ jb_err cgi_error_no_template(const struc + ").</p>\n" + "</body>\n" + "</html>\n"; +- const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1; ++ size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1; ++ const char *encoded_template_name; + + assert(csp); + assert(rsp); +@@ -1189,9 +1190,17 @@ jb_err cgi_error_no_template(const struc + rsp->head_length = 0; + rsp->is_static = 0; + ++ encoded_template_name = html_encode(template_name); ++ if (encoded_template_name == NULL) ++ { ++ return JB_ERR_MEMORY; ++ } ++ ++ body_size += strlen(encoded_template_name); + rsp->body = malloc_or_die(body_size); + strlcpy(rsp->body, body_prefix, body_size); +- strlcat(rsp->body, template_name, body_size); ++ strlcat(rsp->body, encoded_template_name, body_size); ++ freez(encoded_template_name); + strlcat(rsp->body, body_suffix, body_size); + + rsp->status = strdup(status); diff -Nru privoxy-3.0.28/debian/patches/series privoxy-3.0.28/debian/patches/series --- privoxy-3.0.28/debian/patches/series 2021-03-08 13:57:15.000000000 +0100 +++ privoxy-3.0.28/debian/patches/series 2021-12-07 19:59:33.000000000 +0100 @@ -25,3 +25,5 @@ 50_CVE-2021-20273.patch 51_CVE-2021-20275.patch 52_CVE-2021-20276.patch +53_CVE-2021-44540.patch +56_CVE-2021-44543.patch
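
Review bot: In both cgiedit.c hunks of 53_CVE-2021-44540.patch, free_pattern_spec(compiled) now runs before the if (err) check, so it is also reached when create_pattern_spec() has just failed. Nothing in the visible context shows that free_pattern_spec() is safe on a spec that create_pattern_spec() left partially built, or that create_pattern_spec() does not already release it on failure. Please confirm against the 3.0.28 sources that neither a double free nor a free of uninitialised members can occur, and add a one-line comment above the call saying why it must precede the error return. The patch header gives only the OVE and CVE ids, so a sentence stating that the early return leaked the compiled spec would help the next reader.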
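
Review bot: In the cgi.c hunks of 56_CVE-2021-44543.patch, encoded_template_name is declared const char * although cgi_error_no_template() owns the buffer returned by html_encode() and releases it with freez(); declaring it as plain char * would state that ownership. The new return JB_ERR_MEMORY also sits after rsp->head_length and rsp->is_static have been reset, while the allocation directly below it uses malloc_or_die(), so the function now has two different out-of-memory behaviours. A short comment noting that callers must handle JB_ERR_MEMORY from this path would make that explicit.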