758428 – (CVE-2020-35502, CVE-2021-20209, CVE-2021-20210, CVE-2021-20211, CVE-2021-20212, CVE-2021-20213, CVE-2021-20214, CVE-2021-20215) <net-proxy/privoxy-3.0.29: various memory leaks, null pointer dereference (CVE-2020-35502, CVE-2021-{20209,20210,20211,20212,20213,20214,20215})

Bug 758428 (CVE-2020-35502, CVE-2021-20209, CVE-2021-20210, CVE-2021-20211, CVE-2021-20212, CVE-2021-20213, CVE-2021-20214, CVE-2021-20215) - <net-proxy/privoxy-3.0.29: various memory leaks, null pointer dereference (CVE-2020-35502, CVE-2021-{20209,20210,20211,20212,20213,20214,20215})

Summary: <net-proxy/privoxy-3.0.29: various memory leaks, null pointer dereference (CV...

Status:	RESOLVED FIXED

Alias:	CVE-2020-35502, CVE-2021-20209, CVE-2021-20210, CVE-2021-20211, CVE-2021-20212, CVE-2021-20213, CVE-2021-20214, CVE-2021-20215

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://www.openwall.com/lists/oss-se...
Whiteboard:	B3 [glsa+ cve]
Keywords:

Depends on:	CVE-2021-20216, CVE-2021-20217
Blocks:
	Show dependency tree

Reported:	2020-12-04 17:27 UTC by John Helmert III
Modified:	2021-07-08 03:38 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	No

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2020-12-04 17:27:41 UTC

See $URL for details - a number of memory leaks and a possible null pointer derefernce were fixed in Privoxy 3.0.29. Please bump, thanks!

Comment 1 Sam James archtester

2020-12-16 07:07:09 UTC

ping bicorph

Comment 2 Andrew Savchenko gentoo-dev

2020-12-16 11:25:05 UTC

On my list within several weeks: update adds https filtering and is not trivial, and I don't have time for this stuff right now.

Comment 3 Larry the Git Cow gentoo-dev

2021-01-06 18:06:36 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6eaffccd00555e127e54f6a9684a7fc0b15d10f7

commit 6eaffccd00555e127e54f6a9684a7fc0b15d10f7
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-01-06 18:02:35 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-01-06 18:06:01 +0000

    net-proxy/privoxy: version bump
    
    Update to 3.0.29:
    - This fixes multiple security bugs
    - Add support for brotli compressed data
    - Add support for HTTPS inspection using either mbedtls or openssl,
      libressl is deliberately not added since it is pending removal
      from the tree.
    
    Bug: https://bugs.gentoo.org/758428
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/Manifest                         |   1 +
 .../privoxy/files/privoxy-3.0.29-gentoo.patch      | 118 +++++++++++++++++
 net-proxy/privoxy/metadata.xml                     |  11 +-
 net-proxy/privoxy/privoxy-3.0.29.ebuild            | 145 +++++++++++++++++++++
 4 files changed, 272 insertions(+), 3 deletions(-)

Comment 4 John Helmert III archtester

2021-01-06 18:45:53 UTC

Thank you! Please proceed with stabilization when ready.

Comment 5 NATTkA bot gentoo-dev

2021-01-06 18:49:00 UTC Comment hidden (obsolete)

Sanity check failed:

> net-proxy/privoxy-3.0.29
>   depend sparc stable profile default/linux/sparc/17.0 (8 total)
>     net-libs/mbedtls
>   rdepend sparc stable profile default/linux/sparc/17.0 (8 total)
>     net-libs/mbedtls

Comment 6 Larry the Git Cow gentoo-dev

2021-01-18 00:30:39 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e46d114fc8b4a39b3adfba0f4c5a0f519e646a95

commit e46d114fc8b4a39b3adfba0f4c5a0f519e646a95
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-18 00:28:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-18 00:30:37 +0000

    profiles/arch/sparc: stable-mask net-proxy/privoxy[mbedtls]
    
    net-libs/mbedtls isn't stable on sparc right now,
    and it doesn't make sense to block stabilisation
    for a security bug for a new dependency that's optional.
    
    We also add a package.use entry to avoid REQUIRED_USE
    conflicts for users on stable.
    
    Bug: https://bugs.gentoo.org/758428
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/sparc/package.use             | 7 +++++++
 profiles/arch/sparc/package.use.stable.mask | 7 +++++++
 2 files changed, 14 insertions(+)

Comment 7 Sam James archtester

2021-01-22 07:14:36 UTC

Ready?

Comment 8 Andrew Savchenko gentoo-dev

2021-01-24 07:35:57 UTC

Arch teams, please stabilize net-proxy/privoxy-3.0.29.

Comment 9 Sam James archtester

2021-01-24 21:51:39 UTC

arm done

Comment 10 Sam James archtester

2021-01-24 21:53:02 UTC

amd64 done

Comment 11 Sam James archtester

2021-01-24 22:07:29 UTC

ppc64 done

Comment 12 Sam James archtester

2021-01-24 22:45:37 UTC

ppc done

Comment 13 Rolf Eike Beer archtester

2021-01-26 18:19:45 UTC

sparc stable

Comment 14 John Helmert III archtester

2021-02-03 15:02:37 UTC

We'll need to stabilize the newer version in the dependency.

Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev

2021-05-31 21:48:44 UTC

New GLSA request filed.

Comment 16 GLSAMaker/CVETool Bot gentoo-dev

2021-07-08 03:38:16 UTC

This issue was resolved and addressed in
 GLSA 202107-16 at https://security.gentoo.org/glsa/202107-16
by GLSA coordinator John Helmert III (ajak).