oss-sec mailing list archives

Re: Multiple memory leaks fixed in Privoxy 3.0.29 stable

From: Fabian Keil <freebsd-listen () fabiankeil de>
Date: Wed, 3 Feb 2021 12:05:55 +0100

Fabian Keil <freebsd-listen () fabiankeil de> wrote on 2020-11-29:

               Announcing Privoxy 3.0.29 stable
--------------------------------------------------------------------

Privoxy 3.0.29 stable fixes a couple of memory leaks and introduces
https inspection which allows to filter encrypted requests and
responses.

--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.29
--------------------------------------------------------------------


Here are the updated ChangeLog entries with CVEs:

- Security/Reliability:
  - Fixed memory leaks when a response is buffered and the buffer
    limit is reached or Privoxy is running out of memory.
    Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.
    CVE-2020-35502.
    Sponsored by: Robert Klemme
  - Fixed a memory leak in the show-status CGI handler when
    no action files are configured. Commit c62254a686.
    OVE-20201118-0002. CVE-2021-20209.
    Sponsored by: Robert Klemme
  - Fixed a memory leak in the show-status CGI handler when
    no filter files are configured. Commit 1b1370f7a8a.
    OVE-20201118-0003. CVE-2021-20210.
    Sponsored by: Robert Klemme
  - Fixes a memory leak when client tags are active.
    Commit 245e1cf32. OVE-20201118-0004. CVE-2021-20211.
    Sponsored by: Robert Klemme
  - Fixed a memory leak if multiple filters are executed
    and the last one is skipped due to a pcre error.
    Commit 5cfb7bc8fe. OVE-20201118-0005. CVE-2021-20212.
  - Prevent an unlikely dereference of a NULL-pointer that
    could result in a crash if accept-intercepted-requests
    was enabled, Privoxy failed to get the request destination
    from the Host header and a memory allocation failed.
    Commit 7530132349. CID 267165. OVE-20201118-0006. CVE-2021-20213.
  - Fixed memory leaks in the client-tags CGI handler when
    client tags are configured and memory allocations fail.
    Commit cf5640eb2a. CID 267168. OVE-20201118-0007. CVE-2021-20214.
  - Fixed memory leaks in the show-status CGI handler when memory
    allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.
    CID 305233. OVE-20201118-0008. CVE-2021-20215.

Fabian

Attachment: _bin
Description: OpenPGP digital signature

Current thread:

Re: Multiple memory leaks fixed in Privoxy 3.0.29 stable Fabian Keil (Feb 03)
- <Possible follow-ups>
- Re: Multiple memory leaks fixed in Privoxy 3.0.29 stable Alan Coopersmith (Mar 23)
  - Re: Multiple memory leaks fixed in Privoxy 3.0.29 stable Fabian Keil (Mar 23)