
Bug#981665: marked as done (stretch-pu: package privoxy/3.0.26-3)



Your message dated Tue, 02 Feb 2021 18:28:23 +0000
with message-id <23064e4f0efbec640f23f5622a7fbdf2c836eaab.camel@adam-barratt.org.uk>
and subject line Re: Bug#981665: stretch-pu: package privoxy/3.0.26-3
has caused the Debian Bug report #981665,
regarding stretch-pu: package privoxy/3.0.26-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
981665: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981665
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

This fixes CVE-2021-20216 and CVE-2021-20217.
Since both are tagged "<no-dsa> (Minor issue)" in security tracker, I
tend to send this into the next point release of stretch.

Salsa-CI passed: https://salsa.debian.org/debian/privoxy/-/pipelines/226263

Attached you'll find a diff against 3.0.26-3.

Greetings
Roland
diff -Nru privoxy-3.0.26/debian/changelog privoxy-3.0.26/debian/changelog
--- privoxy-3.0.26/debian/changelog	2017-01-11 22:24:55.000000000 +0100
+++ privoxy-3.0.26/debian/changelog	2021-02-02 18:52:00.000000000 +0100
@@ -1,3 +1,12 @@
+privoxy (3.0.26-3+deb9u1) stretch; urgency=medium
+
+  * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
+    (CVE-2021-20217).
+  * 39_decompress_iob: Fix detection of insufficient data.
+  * 40_CVE-2021-20216: Fix a memory leak (CVE-2021-20216).
+
+ -- Roland Rosenfeld <roland@debian.org>  Tue, 02 Feb 2021 18:52:00 +0100
+
 privoxy (3.0.26-3) unstable; urgency=medium
 
   * Add da debconf translation.  Thanks to Joe Dalton (Closes: #850876).
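Review bot: The new 3.0.26-3+deb9u1 entry lists the three patches but not debian/salsa-ci.yml, which this same diff adds; add a line for it so the changelog accounts for every packaging change in the upload. The 39_decompress_iob item could also say that the fix keeps decompress_iob() from working on uninitialized data, as the patch's commit message states, so the reason for carrying a non-CVE patch in a stable update is visible from the changelog alone.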
diff -Nru privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch
--- privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/38_CVE-2021-20217.patch	2021-02-02 18:52:00.000000000 +0100
@@ -0,0 +1,34 @@
+commit 5bba5b89193fa2eeea51aa39fb6525c47b59a82a
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Sat Jan 30 15:04:17 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=5bba5b
+Subject: Prevent an assertion by a crafted CGI request (CVE-2021-20217)
+
+    parse_cgi_parameters(): Make sure the maximum number of segments is large enough
+    
+    ... for ssplit() to succeed.
+    
+    Prevents an assertion from getting triggered. OVE-20210130-0001.
+    
+    Reported by: Joshua Rogers (Opera)
+
+--- a/cgi.c
++++ b/cgi.c
+@@ -628,16 +628,7 @@ static struct map *parse_cgi_parameters(
+     *      The same hack is used in get_last_url() so it looks like
+     *      a real solution is needed.
+     */
+-   size_t max_segments = strlen(argstring) / 2;
+-   if (max_segments == 0)
+-   {
+-      /*
+-       * XXX: If the argstring is empty, there's really
+-       *      no point in creating a param list, but currently
+-       *      other parts of Privoxy depend on the list's existence.
+-       */
+-      max_segments = 1;
+-   }
++   size_t max_segments = strlen(argstring) / 2 + 1;
+    vector = malloc_or_die(max_segments * sizeof(char *));
+ 
+    cgi_params = new_map();
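Review bot: The retained comment above the changed line says the same hack is used in get_last_url(), but this patch only adjusts parse_cgi_parameters(); please confirm whether get_last_url() in 3.0.26 needs the same "/ 2 + 1" sizing or is unaffected. The removed XXX comment also documented why a param list is still created for an empty argstring; a short comment on the new "size_t max_segments = strlen(argstring) / 2 + 1;" line, saying that the +1 covers the empty argstring the removed branch handled, would preserve that reasoning.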
diff -Nru privoxy-3.0.26/debian/patches/39_decompress_iob.patch privoxy-3.0.26/debian/patches/39_decompress_iob.patch
--- privoxy-3.0.26/debian/patches/39_decompress_iob.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/39_decompress_iob.patch	2021-02-02 18:52:00.000000000 +0100
@@ -0,0 +1,22 @@
+commit f5c1a886b7ae20da7eafb77926252eb521260728
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Thu Jan 28 16:26:45 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f5c1a
+Subject: decompress_iob(): Fix detection of insufficient data
+    
+    Instead of checking the size of the iob we have to
+    check the size of the actual data.
+    
+    Previously Privoxy could try to work on uninitialized data.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -430,7 +430,7 @@ jb_err decompress_iob(struct client_stat
+ 
+    cur = csp->iob->cur;
+ 
+-   if (bufsize < (size_t)10)
++   if (old_size < (size_t)10)
+    {
+       /*
+        * This is to protect the parsing of gzipped data,
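Review bot: The changed condition depends on old_size, whose declaration and assignment are not in the hunk context; since this is a backport to 3.0.26, please confirm that in this version's decompress_iob() old_size already holds the size of the actual data before this check is reached. The comment that follows still speaks only of protecting the parsing of gzipped data, so it would help to state there that the check is on the amount of data present rather than on the size of the iob.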
diff -Nru privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch
--- privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/patches/40_CVE-2021-20216.patch	2021-02-02 18:52:00.000000000 +0100
@@ -0,0 +1,21 @@
+commit f431d61740cc03c1c5f6b7f9c7a4a8d0bedd70dd
+Author: Fabian Keil <fk@fabiankeil.de>
+Date:   Thu Jan 28 18:02:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f431d
+Subject: Fix a memory leak (CVE-2021-20216)
+ decompress_iob(): Fix a memory leak
+    
+    ... when decompression fails "unexpectedly".
+    
+    OVE-20210128-0001.
+
+--- a/parsers.c
++++ b/parsers.c
+@@ -698,6 +698,7 @@ jb_err decompress_iob(struct client_stat
+       log_error(LOG_LEVEL_ERROR,
+          "Unexpected error while decompressing to the buffer (iob): %s",
+          zstr.msg);
++      freez(buf);
+       return JB_ERR_COMPRESS;
+    }
+ 
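Review bot: freez(buf) is added only on the "Unexpected error while decompressing to the buffer (iob)" return shown here; please check that every other return in decompress_iob() reached after buf is allocated also frees it, since the hunk shows a single exit path. In the patch header, the Subject line is followed directly by " decompress_iob(): Fix a memory leak" with no blank line, unlike 38_CVE-2021-20217.patch, so that text reads as a continuation of the Subject field; move it into the description.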
diff -Nru privoxy-3.0.26/debian/patches/series privoxy-3.0.26/debian/patches/series
--- privoxy-3.0.26/debian/patches/series	2017-01-11 22:24:55.000000000 +0100
+++ privoxy-3.0.26/debian/patches/series	2021-02-02 18:52:00.000000000 +0100
@@ -11,3 +11,6 @@
 35_man-spelling.patch
 36_openspopenjade.patch
 37_adventofcode.patch
+38_CVE-2021-20217.patch
+39_decompress_iob.patch
+40_CVE-2021-20216.patch
diff -Nru privoxy-3.0.26/debian/salsa-ci.yml privoxy-3.0.26/debian/salsa-ci.yml
--- privoxy-3.0.26/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ privoxy-3.0.26/debian/salsa-ci.yml	2021-02-02 18:52:00.000000000 +0100
@@ -0,0 +1,6 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'stretch'
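Review bot: Both include entries fetch the pipeline definition from the master branch of salsa-ci-team/pipeline, so the CI that validates this stretch upload can change without any change in the package; consider pointing them at a fixed ref if the pipeline project offers one. The file is also unrelated to the two CVE fixes and is not mentioned in the changelog hunk, so it is worth stating in the request why it is part of the proposed update.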

--- End Message ---
--- Begin Message ---
Hi,

On Tue, 2021-02-02 at 19:17 +0100, Roland Rosenfeld wrote:
> This fixes CVE-2021-20216 and CVE-2021-20217.
> Since both are tagged "<no-dsa> (Minor issue)" in security tracker, I
> tend to send this into the next point release of stretch.
> 

There haven't been point releases - or any other updates managed by the
Release Team - for stretch for about 9 months now, as it's moved to LTS
support instead. Please see https://wiki.debian.org/LTS and co-ordinate 
with the LTS Team.

Regards,

Adam

--- End Message ---
