Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 829051 (CVE-2021-44540, CVE-2021-44541, CVE-2021-44542, CVE-2021-44543) - <net-proxy/privoxy-3.0.33: Multiple vulnerabilities
Summary: <net-proxy/privoxy-3.0.33: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-44540, CVE-2021-44541, CVE-2021-44542, CVE-2021-44543
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 829893
Blocks: 769557
  Show dependency tree
 
Reported: 2021-12-13 07:13 UTC by Sam James
Modified: 2021-12-26 17:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-13 07:13:17 UTC
"Privoxy 3.0.33 fixes an XSS issue, multiple DoS issues and a
couple of other bugs. The issues also affect earlier Privoxy releases.
Privoxy 3.0.33 also comes with a couple of general improvements and
new features.

--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.33
--------------------------------------------------------------------
- Security/Reliability:
  - cgi_error_no_template(): Encode the template name to prevent
    XSS (cross-site scripting) when Privoxy is configured to servce
    the user-manual itself.
    Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543.
    Reported by: Artem Ivanov
  - get_url_spec_param(): Free memory of compiled pattern spec
    before bailing.
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.
  - process_encrypted_request_headers(): Free header memory when
    failing to get the request destination.
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.
  - send_http_request(): Prevent memory leaks when handling errors
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542."
Comment 1 Larry the Git Cow gentoo-dev 2021-12-13 16:59:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6eccdbb6b0a53e812fcac7766898d31b756d96e2

commit 6eccdbb6b0a53e812fcac7766898d31b756d96e2
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-12-13 16:57:54 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-12-13 16:58:57 +0000

    net-proxy/privoxy: update to 3.0.33
    
    - Version bump to 3.0.33
    Fixes: CVE-2021-44540, CVE-2021-44541, CVE-2021-44542, CVE-2021-44543
    - Add new USE flags: jit (for PCRE), sanitize
    - REQUIRED_USE: extended-statistics depends on threads
    
    Bug: https://bugs.gentoo.org/769557
    Bug: https://bugs.gentoo.org/829051
    Package-Manager: Portage-3.0.29, Repoman-3.0.3
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/Manifest                         |   1 +
 .../files/privoxy-3.0.33-configure-msan.patch      |  13 ++
 net-proxy/privoxy/metadata.xml                     |   3 +
 net-proxy/privoxy/privoxy-3.0.33.ebuild            | 158 +++++++++++++++++++++
 4 files changed, 175 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-12-24 03:50:21 UTC
Ugh, sorry for missing this.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-24 04:57:37 UTC
Please cleanup, thanks!
Comment 4 Larry the Git Cow gentoo-dev 2021-12-26 12:20:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb8d247de762a6666b86e2302ebd1ee797f5aa58

commit cb8d247de762a6666b86e2302ebd1ee797f5aa58
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-12-26 12:19:48 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-12-26 12:20:39 +0000

    net-proxy/privoxy: remove old
    
    Affected by multiple CVEs, see bug for details.
    
    Bug: https://bugs.gentoo.org/829051
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/Manifest                 |   1 -
 net-proxy/privoxy/privoxy-3.0.32-r1.ebuild | 148 -----------------------------
 2 files changed, 149 deletions(-)