Bug 758428 (CVE-2020-35502, CVE-2021-20209, CVE-2021-20210, CVE-2021-20211, CVE-2021-20212, CVE-2021-20213, CVE-2021-20214, CVE-2021-20215)

Summary: <net-proxy/privoxy-3.0.29: various memory leaks, null pointer dereference (CVE-2020-35502, CVE-2021-{20209,20210,20211,20212,20213,20214,20215})
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: bircoph
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.openwall.com/lists/oss-security/2020/11/29/1
Whiteboard: B3 [glsa+ cve]
Package list:
Runtime testing required: No
Bug Depends on: 768096
Bug Blocks:

Description John Helmert III gentoo-dev Security 2020-12-04 17:27:41 UTC
See $URL for details - a number of memory leaks and a possible null pointer dereference were fixed in Privoxy 3.0.29. Please bump, thanks!
Comment 1 Sam James archtester gentoo-dev Security 2020-12-16 07:07:09 UTC
ping bircoph
Comment 2 Andrew Savchenko gentoo-dev 2020-12-16 11:25:05 UTC
On my list within several weeks: update adds https filtering and is not trivial, and I don't have time for this stuff right now.
Comment 3 Larry the Git Cow gentoo-dev 2021-01-06 18:06:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6eaffccd00555e127e54f6a9684a7fc0b15d10f7

commit 6eaffccd00555e127e54f6a9684a7fc0b15d10f7
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-01-06 18:02:35 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-01-06 18:06:01 +0000

    net-proxy/privoxy: version bump
    
    Update to 3.0.29:
    - This fixes multiple security bugs
    - Add support for brotli compressed data
    - Add support for HTTPS inspection using either mbedtls or openssl,
      libressl is deliberately not added since it is pending removal
      from the tree.
    
    Bug: https://bugs.gentoo.org/758428
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/Manifest                         |   1 +
 .../privoxy/files/privoxy-3.0.29-gentoo.patch      | 118 +++++++++++++++++
 net-proxy/privoxy/metadata.xml                     |  11 +-
 net-proxy/privoxy/privoxy-3.0.29.ebuild            | 145 +++++++++++++++++++++
 4 files changed, 272 insertions(+), 3 deletions(-)
Comment 4 John Helmert III gentoo-dev Security 2021-01-06 18:45:53 UTC
Thank you! Please proceed with stabilization when ready.
Comment 5 NATTkA bot gentoo-dev 2021-01-06 18:49:00 UTC Comment hidden (obsolete)
Comment 6 Larry the Git Cow gentoo-dev 2021-01-18 00:30:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e46d114fc8b4a39b3adfba0f4c5a0f519e646a95

commit e46d114fc8b4a39b3adfba0f4c5a0f519e646a95
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-18 00:28:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-18 00:30:37 +0000

    profiles/arch/sparc: stable-mask net-proxy/privoxy[mbedtls]
    
    net-libs/mbedtls isn't stable on sparc right now,
    and it doesn't make sense to block stabilisation
    for a security bug for a new dependency that's optional.
    
    We also add a package.use entry to avoid REQUIRED_USE
    conflicts for users on stable.
    
    Bug: https://bugs.gentoo.org/758428
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/sparc/package.use             | 7 +++++++
 profiles/arch/sparc/package.use.stable.mask | 7 +++++++
 2 files changed, 14 insertions(+)
Comment 7 Sam James archtester gentoo-dev Security 2021-01-22 07:14:36 UTC
Ready?
Comment 8 Andrew Savchenko gentoo-dev 2021-01-24 07:35:57 UTC
Arch teams, please stabilize net-proxy/privoxy-3.0.29.
Comment 9 Sam James archtester gentoo-dev Security 2021-01-24 21:51:39 UTC
arm done
Comment 10 Sam James archtester gentoo-dev Security 2021-01-24 21:53:02 UTC
amd64 done
Comment 11 Sam James archtester gentoo-dev Security 2021-01-24 22:07:29 UTC
ppc64 done
Comment 12 Sam James archtester gentoo-dev Security 2021-01-24 22:45:37 UTC
ppc done
Comment 13 Rolf Eike Beer archtester 2021-01-26 18:19:45 UTC
sparc stable
Comment 14 John Helmert III gentoo-dev Security 2021-02-03 15:02:37 UTC
We'll need to stabilize the newer version in the dependency.
Comment 15 Thomas Deutschmann gentoo-dev Security 2021-05-31 21:48:44 UTC
New GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2021-07-08 03:38:16 UTC
This issue was resolved and addressed in
 GLSA 202107-16 at https://security.gentoo.org/glsa/202107-16
by GLSA coordinator John Helmert III (ajak).