Bug 531292 (CVE-2015-1030) - <net-proxy/privoxy-3.0.22: multiple vulnerabilities (CVE-2015-{1030,1031,1201})
Summary: <net-proxy/privoxy-3.0.22: multiple vulnerabilities (CVE-2015-{1030,1031,1201})
Status: RESOLVED FIXED
Alias: CVE-2015-1030
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: CVE-2015-1380
Blocks: 536082
Reported: 2014-12-01 09:15 UTC by Agostino Sarubbo
Modified: 2015-03-01 14:11 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-12-01 09:15:30 UTC
From ${URL} :

The 3.0.22 release of Privoxy fixes the following potential flaws:

""
Fixed a memory leak when rejecting client connections due to
the socket limit being reached (CID 66382). This affected
Privoxy 3.0.21 when compiled with IPv6 support (on most
platforms this is the default).

Fixed an immediate-use-after-free bug (CID 66394) and two
additional unconfirmed use-after-free complaints made by
Coverity scan (CID 66391, CID 66376).
""


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Robert Schedel 2014-12-30 14:24:28 UTC
Copying over "privoxy-3.0.21-r2.ebuild" to "privoxy-3.0.22.ebuild" already seems to allow building new v3.0.22.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-01-07 01:55:42 UTC
In contact with upstream about a CVE; if one has not been requested, will request one.
Comment 3 Andrew Savchenko gentoo-dev 2015-01-08 16:11:10 UTC
Privoxy-3.0.22 is in tree now.
Comment 4 Justin Lecher (RETIRED) gentoo-dev 2015-01-08 16:27:51 UTC
(In reply to Andrew Savchenko from comment #3)
> Privoxy-3.0.22 is in tree now.

Does this mean version 3.0.22 fixes the issue?

If so, are all vulnerable unstable ebuilds dropped? Do we need to stabilize any version?
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-01-08 17:02:02 UTC
(In reply to Justin Lecher from comment #4)
> (In reply to Andrew Savchenko from comment #3)
> > Privoxy-3.0.22 is in tree now.
> 
> Does this mean version 3.0.22 fixes the issue?
> 
> If so, are all vulnerable unstable ebuilds dropped? Do we need to stabilize
> any version?

We should mark 3.0.22 stable and then drop all ebuilds prior to 3.0.22.
Comment 6 Andrew Savchenko gentoo-dev 2015-01-08 17:12:27 UTC
(In reply to Justin Lecher from comment #4)
> (In reply to Andrew Savchenko from comment #3)
> > Privoxy-3.0.22 is in tree now.
> 
> Does this mean version 3.0.22 fixes the issue?

Yes, it fixes it. See comment 1 (a snippet from the 3.0.22 changelog).

> If so, are all vulnerable unstable ebuilds dropped?

Yes.

(In reply to Mikle Kolyada from comment #5)
> We should mark 3.0.22 stable and then drop all ebuilds prior to 3.0.22.

Ok.
Comment 7 octoploid 2015-01-09 06:17:40 UTC
 * Applying privoxy-3.0.19-gentoo.patch ...    [ ok ]
 * Applying privoxy-3.0.22-force.patch ...

 * Failed Patch: privoxy-3.0.22-force.patch !
 *  ( /portage/net-proxy/privoxy/files/privoxy-3.0.22-force.patch )
 * 
 * Include in your bugreport the contents of:
 * 
 *   /var/tmp/portage/net-proxy/privoxy-3.0.22/temp/privoxy-3.0.22-force.patch.out

 * ERROR: net-proxy/privoxy-3.0.22::gentoo failed (prepare phase):
 *   Failed Patch: privoxy-3.0.22-force.patch!

x4 ~ # cat /var/tmp/portage/net-proxy/privoxy-3.0.22/temp/privoxy-3.0.22-force.patch.out
***** privoxy-3.0.22-force.patch *****
PWD: /var/tmp/portage/net-proxy/privoxy-3.0.22/work/privoxy-3.0.22-stable

======================================

PATCH COMMAND:  patch -p0 -g0 -E --no-backup-if-mismatch  < '/portage/net-proxy/privoxy/files/privoxy-3.0.22-force.patch'

======================================
checking file project.h
Hunk #1 FAILED at 1.
1 out of 2 hunks FAILED
...
Comment 8 Vint 2015-01-09 07:47:28 UTC
Patch failed!

The version string should be the source file (project.h), not the patch file name (privoxy-3.0.22-force.patch). You diffed on the patch...
Comment 9 Andrew Savchenko gentoo-dev 2015-01-09 13:45:03 UTC
(In reply to vintniv from comment #8)
> you diffed on the patch...

No, this issue was more delicate: CVS mangled the patch because it contained a CVS header. Here is the original upstream patch:
http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/project.h?r1=1.208&r2=1.209&view=patch
The first chunk is removed now, as it is not needed to fix the --disable-force issue.
Comment 10 Andreas Schürch gentoo-dev 2015-01-11 14:59:58 UTC
x86 done.
Comment 11 Agostino Sarubbo gentoo-dev 2015-01-12 10:38:32 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-01-13 10:21:03 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-01-14 13:51:35 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-01-15 08:40:27 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-01-25 11:21:38 UTC
alpha stable
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 18:02:30 UTC
CVE-2015-1201 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1201):
  Privoxy before 3.0.22 allows remote attackers to cause a denial of service
  (file descriptor consumption) via unspecified vectors.  NOTE: the provenance
  of this information is unknown; the details are obtained solely from third
  party information.

CVE-2015-1031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1031):
  Multiple use-after-free vulnerabilities in Privoxy before 3.0.22 allow
  remote attackers to have unspecified impact via vectors related to (1) the
  unmap function in list.c or (2) "two additional unconfirmed use-after-free
  complaints made by Coverity scan." NOTE: some of these details are obtained
  from third party information.

CVE-2015-1030 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1030):
  Memory leak in the rfc2553_connect_to function in jbsocket.c in Privoxy
  before 3.0.22 allows remote attackers to cause a denial of service (memory
  consumption) via a large number of requests that are rejected because the
  socket limit is reached.
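The affected range in this bug is expressed as a Gentoo atom, `<net-proxy/privoxy-3.0.22`, and the NVD entries above say "before 3.0.22". The following is an added example, not code from this bug, from Privoxy or from Portage (which has its own, much more complete version comparison): a minimal checker that parses Gentoo-style version strings such as `3.0.21-r2` and flags the ones that still fall under the affected range. It assumes versions consist of dotted integers plus an optional `-rN` revision; letter and `_pre`/`_rc`/`_p` suffixes are not handled. The sample inventory at the bottom is constructed (the ebuild versions named in this bug plus a made-up `-r1` revision).

```python
import re
from typing import List, Tuple

# Added example, not part of the bug or the Gentoo tree: a small comparator
# for Gentoo-style package versions ("3.0.21-r2", "3.0.22") that flags
# versions falling under the bug's affected range "<3.0.22".
# Assumptions: dotted integers plus an optional "-rN" revision only; letter
# suffixes and _pre/_rc/_p suffixes (valid in Gentoo) are not handled here.

FIXED_VERSION = "3.0.22"   # from the bug summary: <net-proxy/privoxy-3.0.22

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '3.0.21-r2' into ((3, 0, 21), 2); a missing revision counts as r0."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return numbers, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    na, ra = parse_version(a)
    nb, rb = parse_version(b)
    # Pad the shorter tuple with zeros so that 3.0 compares equal to 3.0.0.
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    # Same numeric version: the Gentoo revision decides (3.0.22 < 3.0.22-r1).
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    return compare_versions(installed, fixed) < 0


def audit(installed_versions: List[str]) -> List[str]:
    """Return the subset of an inventory of installed versions still affected."""
    return [v for v in installed_versions if is_vulnerable(v)]


if __name__ == "__main__":
    # Constructed inventory: versions named in this bug plus a made-up -r1.
    sample = ["3.0.19", "3.0.21-r2", "3.0.22", "3.0.22-r1"]
    print(audit(sample))   # -> ['3.0.19', '3.0.21-r2']
```

The revision handling matters for a distro bug like this one: `3.0.22-r1` carries the same upstream fix as `3.0.22` and must not be reported as affected, while `3.0.21-r2` (the ebuild copied in comment 1) is older than the fixed version regardless of its revision.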
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-02-23 23:30:50 UTC
arm still pending stabilization. The new security bug is being stabilized as part of Bug 537884; setting dependency.
Comment 18 Markus Meier gentoo-dev 2015-02-26 18:46:35 UTC
arm stable, all arches done.
Comment 19 Andrew Savchenko gentoo-dev 2015-02-27 03:44:57 UTC
All vulnerable versions are removed from tree, including 3.0.22 (see bug 537884).
Comment 20 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-28 21:47:29 UTC
Arches, thank you for your work. 

GLSA Vote: No
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-03-01 14:11:45 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No