Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 768096 (CVE-2021-20216, CVE-2021-20217)

Summary: <net-proxy/privoxy-3.0.31: Multiple vulnerabilities (CVE-2021-{20216,20217})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: bircoph
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.privoxy.org/announce.txt
Whiteboard: B3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 758428    

Description John Helmert III gentoo-dev Security 2021-01-31 19:04:40 UTC
From URL:

--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.31
--------------------------------------------------------------------
- Security/Reliability:
  - Prevent an assertion from getting triggered by a crafted CGI request.
    Commit 5bba5b89193fa. OVE-20210130-0001.
    Reported by: Joshua Rogers (Opera)
  - Fixed a memory leak when decompression fails "unexpectedly".
    Commit f431d61740cc0. OVE-20210128-0001.


Please bump to 3.0.31.
Comment 1 Andrew Savchenko gentoo-dev 2021-01-31 20:24:32 UTC
(In reply to John Helmert III (ajak) from comment #0)
> Please bump to 3.0.31.

???
3.0.31 is already in the tree. Please fix your scripts.
Comment 2 Sam James archtester gentoo-dev Security 2021-01-31 20:25:19 UTC
(In reply to Andrew Savchenko from comment #1)
> (In reply to John Helmert III (ajak) from comment #0)
> > Please bump to 3.0.31.
> 
> ???
> 3.0.31 is already in the tree. Please fix your scripts.

Obviously it was a mistake. I've updated the bug accordingly already.

Could you please remember to file security bugs if you notice an issue in your package (or other's)?
Comment 3 John Helmert III gentoo-dev Security 2021-01-31 20:33:53 UTC
(In reply to Sam James from comment #2)
> (In reply to Andrew Savchenko from comment #1)
> > (In reply to John Helmert III (ajak) from comment #0)
> > > Please bump to 3.0.31.
> > 
> > ???
> > 3.0.31 is already in the tree. Please fix your scripts.
> 
> Obviously it was a mistake. I've updated the bug accordingly already.

Yep, sorry about that, I filed the bug before doing my morning sync and skim of #gentoo-commits, so I missed that it was already added.
Comment 4 Andrew Savchenko gentoo-dev 2021-01-31 20:41:00 UTC
(In reply to Sam James from comment #2)
> Could you please remember to file security bugs if you notice an issue in
> your package (or other's)?

I thought this should be done only if problem is not yet fixed. Looks like I misunderstood current policy.

Just to avoid misunderstanding: should bugs be filed about any security-related issue (e.g. invalid memory access) or only about those with CVE / OVE assigned to them?
Comment 5 John Helmert III gentoo-dev Security 2021-02-03 15:06:43 UTC
(In reply to Andrew Savchenko from comment #4)
> (In reply to Sam James from comment #2)
> > Could you please remember to file security bugs if you notice an issue in
> > your package (or other's)?
> 
> I thought this should be done only if problem is not yet fixed. Looks like I
> misunderstood current policy.
> 
> Just to avoid misunderstanding: should bugs be filed about any
> security-related issue (e.g. invalid memory access) or only about those with
> CVE / OVE assigned to them?

If there are security issues in a package in tree, it can't hurt to file a bug for it. If a problem is not fixed upstream it is still good for us to keep track of it so we can remember to check for a fix. Or we can decide the package needs to be treecleaned, if it is vulnerable and no one is fixing it.
Comment 6 Andrew Savchenko gentoo-dev 2021-02-06 09:34:33 UTC
Arch teams, please proceed with net-proxy/privoxy-3.0.31 stabilization.
Comment 7 Rolf Eike Beer archtester 2021-02-08 17:08:50 UTC
sparc stable. Build errors will be reported separately.
Comment 8 Sam James archtester gentoo-dev Security 2021-02-08 17:25:25 UTC
amd64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-02-08 17:26:56 UTC
x86 done
Comment 10 Sam James archtester gentoo-dev Security 2021-02-09 22:53:25 UTC
ppc done
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-11 23:37:45 UTC
ppc64 stable
Comment 12 John Helmert III gentoo-dev Security 2021-02-13 14:50:02 UTC
arm looks good

USE tests started on Sat Feb 13 02:57:20 -00 2021

FEATURES=' test' USE='' succeeded for =net-proxy/privoxy-3.0.31
USE='acl -brotli client-tags -compression editor -extended-host-patterns -extended-statistics -external-filters fast-redirects -force -fuzz -graceful-termination image-blocking ipv6 lfs mbedtls -openssl png-images -ssl stats threads -toggle -tools whitelists -zlib' succeeded for =net-proxy/privoxy-3.0.31
USE='-acl brotli -client-tags -compression -editor -extended-host-patterns -extended-statistics -external-filters -fast-redirects force -fuzz -graceful-termination image-blocking -ipv6 lfs -mbedtls openssl png-images -ssl -stats threads -toggle -tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31
USE='acl -brotli client-tags -compression -editor extended-host-patterns -extended-statistics -external-filters fast-redirects force -fuzz graceful-termination image-blocking ipv6 lfs -mbedtls openssl png-images -ssl stats threads -toggle -tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31
USE='acl -brotli -client-tags -compression editor extended-host-patterns -extended-statistics external-filters fast-redirects force fuzz graceful-termination -image-blocking -ipv6 -lfs -mbedtls openssl -png-images -ssl -stats threads toggle -tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31
USE='acl brotli -client-tags -compression editor extended-host-patterns extended-statistics -external-filters -fast-redirects -force -fuzz -graceful-termination image-blocking ipv6 lfs -mbedtls openssl png-images ssl -stats threads toggle -tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31
USE='acl -brotli client-tags compression editor -extended-host-patterns -extended-statistics external-filters -fast-redirects force fuzz graceful-termination image-blocking ipv6 lfs -mbedtls -openssl -png-images -ssl stats threads toggle -tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31
USE='-acl brotli -client-tags compression editor -extended-host-patterns extended-statistics external-filters -fast-redirects force fuzz -graceful-termination image-blocking ipv6 lfs mbedtls -openssl -png-images -ssl stats threads -toggle tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31
USE='-acl brotli -client-tags compression editor -extended-host-patterns -extended-statistics -external-filters fast-redirects force fuzz graceful-termination image-blocking ipv6 lfs -mbedtls openssl -png-images ssl -stats threads toggle tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31
USE='acl -brotli -client-tags -compression editor extended-host-patterns extended-statistics external-filters fast-redirects -force -fuzz graceful-termination -image-blocking -ipv6 lfs mbedtls -openssl png-images ssl stats threads -toggle -tools whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31
USE='-acl -brotli -client-tags -compression editor extended-host-patterns extended-statistics external-filters fast-redirects force -fuzz graceful-termination -image-blocking -ipv6 lfs mbedtls -openssl png-images ssl stats threads toggle -tools whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31
USE='-acl -brotli -client-tags compression -editor extended-host-patterns extended-statistics -external-filters fast-redirects force fuzz -graceful-termination image-blocking ipv6 lfs mbedtls -openssl png-images -ssl -stats threads -toggle tools whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31
USE='acl brotli client-tags compression editor -extended-host-patterns -extended-statistics external-filters fast-redirects -force fuzz -graceful-termination -image-blocking ipv6 -lfs -mbedtls -openssl -png-images -ssl stats threads toggle tools whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31
Comment 13 Sam James archtester gentoo-dev Security 2021-02-13 18:22:11 UTC
arm done

all arches done
Comment 14 John Helmert III gentoo-dev Security 2021-02-13 20:50:42 UTC
Please cleanup.
Comment 15 Larry the Git Cow gentoo-dev 2021-02-14 14:45:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bd0a1cca8d26af615e8554e6da1582cc082c038

commit 8bd0a1cca8d26af615e8554e6da1582cc082c038
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-02-14 14:16:25 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-02-14 14:45:22 +0000

    net-proxy/privoxy: remove old and vulnerable versions
    
    Bug: https://bugs.gentoo.org/768096
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/Manifest                         |   2 -
 .../privoxy/files/privoxy-3.0.19-gentoo.patch      | 114 ----------------
 net-proxy/privoxy/files/privoxy-3.0.28-chdir.patch |  15 ---
 .../files/privoxy-3.0.28-null-termination.patch    |  13 --
 .../privoxy/files/privoxy-3.0.29-pthread.patch     |  21 ---
 net-proxy/privoxy/privoxy-3.0.28-r1.ebuild         | 133 ------------------
 net-proxy/privoxy/privoxy-3.0.29.ebuild            | 150 ---------------------
 7 files changed, 448 deletions(-)
Comment 16 Thomas Deutschmann gentoo-dev Security 2021-05-31 21:49:38 UTC
Added to an existing GLSA request.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2021-07-08 03:38:20 UTC
This issue was resolved and addressed in
 GLSA 202107-16 at https://security.gentoo.org/glsa/202107-16
by GLSA coordinator John Helmert III (ajak).