
Bug#1011943: buster-pu: package php-guzzlehttp-psr7/1.4.2-0.1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-php-pear@lists.alioth.debian.org


[ Reason ]
The security team asked me to address #1008236 [CVE-2022-24775] via a
point release, so here I am.

[ Tests ]
I did not test the package extensively, sorry about that. The patches
were pretty straightforward, but unlike in Bullseye, the version
currently in Buster was pushed via an NMU that removed the test suite… It is
only used by the movim ecosystem in Buster.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards

David
diff --git a/debian/changelog b/debian/changelog
index cb9f8a1..3fe276d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+php-guzzlehttp-psr7 (1.4.2-0.1+deb10u1) buster; urgency=medium
+
+  * Track Buster
+  * Backport fixes for improper header parsing [CVE-2022-24775]
+    (Closes: #1008236)
+
+ -- David Prévot <taffit@debian.org>  Fri, 27 May 2022 13:33:28 +0200
+
 php-guzzlehttp-psr7 (1.4.2-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..6b83341
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,9 @@
+[DEFAULT]
+pristine-tar = True
+pristine-tar-commit = True
+debian-branch = debian/buster
+
+## Once --filter support gets added to gbp import-ref, we should be able
+## to simplify the workflow and ignore the upstream branch.
+# filter = [ '.gitattributes' ]
+# upstream-tag = %(version%~%-)s
diff --git a/debian/patches/0001-Release-1.8.4-486.patch b/debian/patches/0001-Release-1.8.4-486.patch
new file mode 100644
index 0000000..9f72423
--- /dev/null
+++ b/debian/patches/0001-Release-1.8.4-486.patch
@@ -0,0 +1,108 @@
+From: Graham Campbell <GrahamCampbell@users.noreply.github.com>
+Date: Sun, 20 Mar 2022 13:44:44 +0000
+Subject: Release 1.8.4 (#486)
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Tim Düsterhus <tim@bastelstu.be>
+
+Origin: backport, https://github.com/guzzle/psr7/commit/902db15a551a4a415e732b622282e21ce1b508b4
+---
+ src/MessageTrait.php | 56 +++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 49 insertions(+), 7 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 1e4da64..f5f61db 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -70,7 +70,7 @@ trait MessageTrait
+             $value = [$value];
+         }
+ 
+-        $value = $this->trimHeaderValues($value);
++        $value = $this->trimAndValidateHeaderValues($value);
+         $normalized = strtolower($header);
+ 
+         $new = clone $this;
+@@ -89,7 +89,7 @@ trait MessageTrait
+             $value = [$value];
+         }
+ 
+-        $value = $this->trimHeaderValues($value);
++        $value = $this->trimAndValidateHeaderValues($value);
+         $normalized = strtolower($header);
+ 
+         $new = clone $this;
+@@ -148,7 +148,7 @@ trait MessageTrait
+                 $value = [$value];
+             }
+ 
+-            $value = $this->trimHeaderValues($value);
++            $value = $this->trimAndValidateHeaderValues($value);
+             $normalized = strtolower($header);
+             if (isset($this->headerNames[$normalized])) {
+                 $header = $this->headerNames[$normalized];
+@@ -168,16 +168,58 @@ trait MessageTrait
+      * header-field = field-name ":" OWS field-value OWS
+      * OWS          = *( SP / HTAB )
+      *
+-     * @param string[] $values Header values
++     * @param mixed[] $values Header values
+      *
+      * @return string[] Trimmed header values
+      *
+      * @see https://tools.ietf.org/html/rfc7230#section-3.2.4
+      */
+-    private function trimHeaderValues(array $values)
++    private function trimAndValidateHeaderValues(array $values)
+     {
+         return array_map(function ($value) {
+-            return trim($value, " \t");
+-        }, $values);
++            if (!is_scalar($value) && null !== $value) {
++                throw new \InvalidArgumentException(sprintf(
++                    'Header value must be scalar or null but %s provided.',
++                    is_object($value) ? get_class($value) : gettype($value)
++                ));
++            }
++
++            $trimmed = trim((string) $value, " \t");
++            $this->assertValue($trimmed);
++
++            return $trimmed;
++        }, array_values($values));
++    }
++
++    /**
++     * @param string $value
++     *
++     * @return void
++     *
++     * @see https://tools.ietf.org/html/rfc7230#section-3.2
++     *
++     * field-value    = *( field-content / obs-fold )
++     * field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
++     * field-vchar    = VCHAR / obs-text
++     * VCHAR          = %x21-7E
++     * obs-text       = %x80-FF
++     * obs-fold       = CRLF 1*( SP / HTAB )
++     */
++    private function assertValue($value)
++    {
++        // The regular expression intentionally does not support the obs-fold production, because as
++        // per RFC 7230#3.2.4:
++        //
++        // A sender MUST NOT generate a message that includes
++        // line folding (i.e., that has any field-value that contains a match to
++        // the obs-fold rule) unless the message is intended for packaging
++        // within the message/http media type.
++        //
++        // Clients must not send a request with line folding and a server sending folded headers is
++        // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
++        // folding is not likely to break any legitimate use case.
++        if (! preg_match('/^(?:[\x21-\x7E\x80-\xFF](?:[\x20\x09]+[\x21-\x7E\x80-\xFF])?)*$/', $value)) {
++            throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
++        }
+     }
+ }
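Review bot: The exception thrown in `assertValue` on the line `throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));` embeds the rejected value verbatim, so the CR/LF and other control bytes this check exists to keep out of headers are carried into the exception message and into whatever log or error page later renders it. Escaping the value in the message keeps the diagnostic useful without reproducing the payload, e.g. `sprintf('"%s" is not valid header value', addcslashes($value, "\0..\37\177"))`; the same line is carried over unchanged as context in 0002-Release-1.8.5-491.patch. A `false` return from `preg_match` (a PCRE engine error rather than a non-match) also takes this branch, which fails closed, but the message then blames the value; checking `preg_last_error() !== PREG_NO_ERROR` first would let an engine failure be reported separately from an invalid header. As these are backported upstream commits, such a change belongs in a follow-up Debian-local patch rather than in an edit of the upstream hunks.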
diff --git a/debian/patches/0002-Release-1.8.5-491.patch b/debian/patches/0002-Release-1.8.5-491.patch
new file mode 100644
index 0000000..b837caf
--- /dev/null
+++ b/debian/patches/0002-Release-1.8.5-491.patch
@@ -0,0 +1,22 @@
+From: Graham Campbell <GrahamCampbell@users.noreply.github.com>
+Date: Sun, 20 Mar 2022 21:51:18 +0000
+Subject: Release 1.8.5 (#491)
+
+Origin: backport, https://github.com/guzzle/psr7/commit/337e3ad8e5716c15f9657bd214d16cc5e69df268
+---
+ src/MessageTrait.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index f5f61db..4ac4687 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -218,7 +218,7 @@ trait MessageTrait
+         // Clients must not send a request with line folding and a server sending folded headers is
+         // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
+         // folding is not likely to break any legitimate use case.
+-        if (! preg_match('/^(?:[\x21-\x7E\x80-\xFF](?:[\x20\x09]+[\x21-\x7E\x80-\xFF])?)*$/', $value)) {
++        if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
+             throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
+         }
+     }
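Review bot: The patch header gives only the upstream subject `Release 1.8.5 (#491)` and an `Origin:` link, so a reader of the series cannot tell from the file why the character-class pattern on the line `if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {` replaces the grouped pattern introduced by 0001; presumably the per-character group repetition of the 1.8.4 pattern is costlier for PCRE on long values, and a limit hit makes `preg_match` return false and reject a valid header, but that is inferred rather than stated here. A DEP-3 `Description:` line such as `Description: Simplify the header-value regex from 1.8.4 so long values are not rejected` (wording to be confirmed against upstream #491) would record the reason; the same applies to 0001-Release-1.8.4-486.patch, whose header does not mention CVE-2022-24775 (it appears only in d/changelog). Because 0001 trims SP/HTAB from each value before calling `assertValue`, the new pattern's acceptance of leading and trailing whitespace changes nothing in practice, which is worth one sentence in the header too. The signature of `assertValue` and the start of its comment lie outside this hunk.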
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..2ba908a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+0001-Release-1.8.4-486.patch
+0002-Release-1.8.5-491.patch

Attachment: signature.asc
Description: PGP signature

