Date: Thu, 21 Jan 2016 15:46:50 +0100
From: Fabian Keil <fk@...iankeil.de>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE request for Privoxy 3.0.24

Privoxy is a non-caching web proxy with advanced filtering capabilities
for enhancing privacy, modifying web page data and HTTP headers, controlling
access, and removing ads and other obnoxious Internet junk. For details see:
http://www.privoxy.org/ or http://jvauzb4sb3bwlsnc.onion/

A couple of invalid reads were fixed in Privoxy 3.0.24 whose
release is scheduled for this weekend.

Two of them are security issues (remote DoS when built with ASAN),
please assign CVEs:

- Prevent invalid reads in case of corrupt chunk-encoded content.
  http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/filters.c?r1=1.196&r2=1.197

- Remove empty Host headers in client requests.
  Previously they would result in invalid reads.
  http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/parsers.c?r1=1.302&r2=1.303

The issues were found with afl-fuzz and AddressSanitizer.

Fabian
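As an added illustration of the first item (this is not Privoxy's code and not the linked fix), here is a chunk decoder that checks every declared chunk size against the bytes actually present before it reads them. The names `dechunk` and `hexval` and the sample bodies are assumptions constructed for this example.

```c
#include <stddef.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Hypothetical helper, not Privoxy code: decode the chunk-encoded body in
 * in[0..in_len) into out. Returns 0 on success, -1 on corrupt input. */
int dechunk(const char *in, size_t in_len, char *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, written = 0;
    for (;;) {
        size_t size = 0, digits = 0;
        /* Chunk size: 1..8 hex digits, so the value cannot overflow. */
        while (pos < in_len && hexval(in[pos]) >= 0) {
            if (++digits > 8) return -1;
            size = size * 16 + (size_t)hexval(in[pos++]);
        }
        if (digits == 0) return -1;
        /* Skip optional chunk extensions up to the terminating CRLF. */
        while (pos < in_len && in[pos] != '\r') pos++;
        if (in_len - pos < 2 || in[pos + 1] != '\n') return -1;
        pos += 2;
        if (size == 0) break;  /* last chunk; trailers are ignored here */
        /* Declared size plus its CRLF must fit in the remaining input. */
        if (in_len - pos < 2 || size > in_len - pos - 2) return -1;
        if (size > out_cap - written) return -1;
        memcpy(out + written, in + pos, size);
        written += size;
        pos += size;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
    }
    *out_len = written;
    return 0;
}

int main(void)
{
    /* Constructed samples: valid body; body whose chunk claims 0x40 bytes. */
    const char good[] = "5\r\nhello\r\n0\r\n\r\n", bad[] = "40\r\nhello\r\n";
    char out[16];
    size_t n = 0;
    return !(dechunk(good, sizeof good - 1, out, sizeof out, &n) == 0 && n == 5
             && dechunk(bad, sizeof bad - 1, out, sizeof out, &n) == -1);
}
```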
