oss-sec mailing list archives

Re: Multiple memory leaks fixed in Privoxy 3.0.29 stable

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Tue, 23 Mar 2021 10:13:48 -0700

It looks like Red Hat has assigned CVE ids for these issues now, but
not yet told Mitre to publish them:

CVE-2020-35502 privoxy: memory leaks when a response is buffered
https://bugzilla.redhat.com/show_bug.cgi?id=1928749

CVE-2021-20209 privoxy: memory leak in the show-status CGI handler when no
action files are configured
https://bugzilla.redhat.com/show_bug.cgi?id=1928726

CVE-2021-20210 privoxy: memory leak in the show-status CGI handler when no
filter files are configured
https://bugzilla.redhat.com/show_bug.cgi?id=1928729

CVE-2021-20211 privoxy: memory leak when client tags are active
https://bugzilla.redhat.com/show_bug.cgi?id=1928733

CVE-2021-20212 privoxy: memory leak if multiple filters are executed and the
last one is skipped due to a pcre error
https://bugzilla.redhat.com/show_bug.cgi?id=1928736

CVE-2021-20213 privoxy: dereference of a NULL-pointer that could result in a
crash if accept-intercepted-requests was enabled
https://bugzilla.redhat.com/show_bug.cgi?id=1928740

CVE-2021-20214 privoxy: memory leak in the client-tags CGI handler when
client tags are configured
https://bugzilla.redhat.com/show_bug.cgi?id=1928743

CVE-2021-20215 privoxy: memory leaks in the show-status CGI handler when
memory allocations fail
https://bugzilla.redhat.com/show_bug.cgi?id=1928747

        -Alan Coopersmith-               alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/alanc



On 11/29/20 7:53 AM, Fabian Keil wrote:

                Announcing Privoxy 3.0.29 stable
--------------------------------------------------------------------

Privoxy 3.0.29 stable fixes a couple of memory leaks and introduces
https inspection which allows to filter encrypted requests and
responses.

--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.29
--------------------------------------------------------------------

- Security/Reliability:
   - Fixed memory leaks when a response is buffered and the buffer
     limit is reached or Privoxy is running out of memory.
     Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.
     Sponsored by: Robert Klemme
   - Fixed a memory leak in the show-status CGI handler when
     no action files are configured. Commit c62254a686.
     OVE-20201118-0002.
     Sponsored by: Robert Klemme
   - Fixed a memory leak in the show-status CGI handler when
     no filter files are configured. Commit 1b1370f7a8a.
     OVE-20201118-0003.
     Sponsored by: Robert Klemme
   - Fixes a memory leak when client tags are active.
     Commit 245e1cf32. OVE-20201118-0004.
     Sponsored by: Robert Klemme
   - Fixed a memory leak if multiple filters are executed
     and the last one is skipped due to a pcre error.
     Commit 5cfb7bc8fe. OVE-20201118-0005.
   - Prevent an unlikely dereference of a NULL-pointer that
     could result in a crash if accept-intercepted-requests
     was enabled, Privoxy failed to get the request destination
     from the Host header and a memory allocation failed.
     Commit 7530132349. CID 267165. OVE-20201118-0006.
   - Fixed memory leaks in the client-tags CGI handler when
     client tags are configured and memory allocations fail.
     Commit cf5640eb2a. CID 267168. OVE-20201118-0007.
   - Fixed memory leaks in the show-status CGI handler when memory
     allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.
     CID 305233. OVE-20201118-0008.

- General improvements:
[...]

-----------------------------------------------------------------
About Privoxy:
-----------------------------------------------------------------

Privoxy is a non-caching web proxy with advanced filtering capabilities for
enhancing privacy, modifying web page data and HTTP headers, controlling
access, and removing ads and other obnoxious Internet junk. Privoxy has a
flexible configuration and can be customized to suit individual needs and
tastes. It has application for both stand-alone systems and multi-user
networks.

Privoxy is Free Software and licensed under the GNU GPLv2.

[...]

Home Page:
    https://www.privoxy.org/

Current thread:

Re: Multiple memory leaks fixed in Privoxy 3.0.29 stable Fabian Keil (Feb 03)
- <Possible follow-ups>
- Re: Multiple memory leaks fixed in Privoxy 3.0.29 stable Alan Coopersmith (Mar 23)
  - Re: Multiple memory leaks fixed in Privoxy 3.0.29 stable Fabian Keil (Mar 23)