Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id
<540de30a27d37c3ff416b94b1adf7ff2a2cab257.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1001454,
regarding buster-pu: package privoxy/3.0.28-2+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1001454: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001454
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
This fixes CVE-2021-44540 and CVE-2021-44543.
Since all are tagged "minor issue" in the security-tracer, I tend to
send this into the next point release of buster.
Salsa-CI passed:
https://salsa.debian.org/debian/privoxy/-/pipelines/325726
Attached you'll find a diff against 3.0.28-2+deb10u1.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Greetings
Roland
diff -Nru privoxy-3.0.28/debian/changelog privoxy-3.0.28/debian/changelog
--- privoxy-3.0.28/debian/changelog 2021-03-08 13:57:15.000000000 +0100
+++ privoxy-3.0.28/debian/changelog 2021-12-07 19:59:33.000000000 +0100
@@ -1,3 +1,12 @@
+privoxy (3.0.28-2+deb10u2) buster; urgency=medium
+
+ * 53_CVE-2021-44540: get_url_spec_param(): Free memory of compiled
+ pattern spec before bailing (CVE-2021-44540).
+ * 56_CVE-2021-44543: cgi_error_no_template(): Encode the template name
+ to prevent XSS (CVE-2021-44543).
+
+ -- Roland Rosenfeld <rol...@debian.org> Tue, 07 Dec 2021 19:59:33 +0100
+
privoxy (3.0.28-2+deb10u1) buster; urgency=medium
* 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
diff -Nru privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch
--- privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/53_CVE-2021-44540.patch 2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,39 @@
+From 652b4b7cb07592c0912cf938a50fcd009fa29a0a Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <jrog...@opera.com>
+Date: Fri, 19 Nov 2021 17:32:23 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=652b4b7c
+Subject: get_url_spec_param(): Free memory of compiled pattern spec before
+ bailing
+
+OVE-20211201-0003. CVE-2021-44540.
+
+--- a/cgiedit.c
++++ b/cgiedit.c
+@@ -1853,12 +1853,12 @@ static jb_err get_url_spec_param(struct
+ }
+ err = create_pattern_spec(compiled, s);
+ free(s);
++ free_pattern_spec(compiled);
+ if (err)
+ {
+ free(param);
+ return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+ }
+- free_pattern_spec(compiled);
+
+ if (param[strlen(param) - 1] == '\\')
+ {
+@@ -1889,12 +1889,12 @@ static jb_err get_url_spec_param(struct
+ }
+ err = create_pattern_spec(compiled, s);
+ free(s);
++ free_pattern_spec(compiled);
+ if (err)
+ {
+ free(param);
+ return (err == JB_ERR_MEMORY) ? JB_ERR_MEMORY : JB_ERR_CGI_PARAMS;
+ }
+- free_pattern_spec(compiled);
+ }
+
+ *pvalue = param;
diff -Nru privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch
--- privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch 1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.28/debian/patches/56_CVE-2021-44543.patch 2021-12-07 19:59:33.000000000 +0100
@@ -0,0 +1,41 @@
+From 0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 Mon Sep 17 00:00:00 2001
+From: Fabian Keil <f...@fabiankeil.de>
+Date: Tue, 2 Nov 2021 12:11:37 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=0e668e94
+Subject: cgi_error_no_template(): Encode the template name to prevent XSS
+
+OVE-20211102-0001. CVE-2021-44543.
+
+Reported by: Artem Ivanov
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -1175,7 +1175,8 @@ jb_err cgi_error_no_template(const struc
+ ").</p>\n"
+ "</body>\n"
+ "</html>\n";
+- const size_t body_size = strlen(body_prefix) + strlen(template_name) + strlen(body_suffix) + 1;
++ size_t body_size = strlen(body_prefix) + strlen(body_suffix) + 1;
++ const char *encoded_template_name;
+
+ assert(csp);
+ assert(rsp);
+@@ -1189,9 +1190,17 @@ jb_err cgi_error_no_template(const struc
+ rsp->head_length = 0;
+ rsp->is_static = 0;
+
++ encoded_template_name = html_encode(template_name);
++ if (encoded_template_name == NULL)
++ {
++ return JB_ERR_MEMORY;
++ }
++
++ body_size += strlen(encoded_template_name);
+ rsp->body = malloc_or_die(body_size);
+ strlcpy(rsp->body, body_prefix, body_size);
+- strlcat(rsp->body, template_name, body_size);
++ strlcat(rsp->body, encoded_template_name, body_size);
++ freez(encoded_template_name);
+ strlcat(rsp->body, body_suffix, body_size);
+
+ rsp->status = strdup(status);
diff -Nru privoxy-3.0.28/debian/patches/series privoxy-3.0.28/debian/patches/series
--- privoxy-3.0.28/debian/patches/series 2021-03-08 13:57:15.000000000 +0100
+++ privoxy-3.0.28/debian/patches/series 2021-12-07 19:59:33.000000000 +0100
@@ -25,3 +25,5 @@
50_CVE-2021-20273.patch
51_CVE-2021-20275.patch
52_CVE-2021-20276.patch
+53_CVE-2021-44540.patch
+56_CVE-2021-44543.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.12
Hi,
The updates referenced in these requests were included in oldstable as
part of today's 10.12 point release.
Regards,
Adam
--- End Message ---
