
Bug#1011943: marked as done (buster-pu: package php-guzzlehttp-psr7/1.4.2-0.1+deb10u1)



Your message dated Sat, 10 Sep 2022 13:40:55 +0100
with message-id <2cfc9645343bdb910fe19c07bddfec2c428346a3.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 10.13
has caused the Debian Bug report #1011943,
regarding buster-pu: package php-guzzlehttp-psr7/1.4.2-0.1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1011943: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011943
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-php-pear@lists.alioth.debian.org


[ Reason ]
The security team asked me to address #1008236 [CVE-2022-24775] via a
point release, so here I am.

[ Tests ]
I did not test the package extensively, sorry about that. The patches
were pretty straightforward, but contrary to Bullseye, the version
currently in Buster was pushed via an NMU that removed the test suite… It is
only used by the movim ecosystem in Buster.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards

David
diff --git a/debian/changelog b/debian/changelog
index cb9f8a1..3fe276d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+php-guzzlehttp-psr7 (1.4.2-0.1+deb10u1) buster; urgency=medium
+
+  * Track Buster
+  * Backport fixes for improper header parsing [CVE-2022-24775]
+    (Closes: #1008236)
+
+ -- David Prévot <taffit@debian.org>  Fri, 27 May 2022 13:33:28 +0200
+
 php-guzzlehttp-psr7 (1.4.2-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
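Review bot: the "Track Buster" entry does not say what it covers. The debdiff also adds debian/gbp.conf with `debian-branch = debian/buster`, which is a packaging change that should be named in d/changelog given the checklist item "all changes are documented in the d/changelog"; naming the upstream releases the two patches are taken from (1.8.4 and 1.8.5, per the patch subjects) would also let a reader map the backport to upstream.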
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..6b83341
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,9 @@
+[DEFAULT]
+pristine-tar = True
+pristine-tar-commit = True
+debian-branch = debian/buster
+
+## Once --filter support gets added to gbp import-ref, we should be able
+## to simplify the workflow and ignore the upstream branch.
+# filter = [ '.gitattributes' ]
+# upstream-tag = %(version%~%-)s
diff --git a/debian/patches/0001-Release-1.8.4-486.patch b/debian/patches/0001-Release-1.8.4-486.patch
new file mode 100644
index 0000000..9f72423
--- /dev/null
+++ b/debian/patches/0001-Release-1.8.4-486.patch
@@ -0,0 +1,108 @@
+From: Graham Campbell <GrahamCampbell@users.noreply.github.com>
+Date: Sun, 20 Mar 2022 13:44:44 +0000
+Subject: Release 1.8.4 (#486)
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Tim Düsterhus <tim@bastelstu.be>
+
+Origin: backport, https://github.com/guzzle/psr7/commit/902db15a551a4a415e732b622282e21ce1b508b4
+---
+ src/MessageTrait.php | 56 +++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 49 insertions(+), 7 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 1e4da64..f5f61db 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -70,7 +70,7 @@ trait MessageTrait
+             $value = [$value];
+         }
+ 
+-        $value = $this->trimHeaderValues($value);
++        $value = $this->trimAndValidateHeaderValues($value);
+         $normalized = strtolower($header);
+ 
+         $new = clone $this;
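Review bot: only the value is validated at this call site; `$header` goes straight into `strtolower($header)` with no name check visible anywhere in this backport. If the 1.4.2 base has no header-name validation, a name containing CR or LF still reaches the wire unchecked and the CVE-2022-24775 fix is partial. Please confirm whether a token check on `$header` (RFC 7230 field-name) exists elsewhere in the file and, if it does not, add one next to the value check.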
+@@ -89,7 +89,7 @@ trait MessageTrait
+             $value = [$value];
+         }
+ 
+-        $value = $this->trimHeaderValues($value);
++        $value = $this->trimAndValidateHeaderValues($value);
+         $normalized = strtolower($header);
+ 
+         $new = clone $this;
+@@ -148,7 +148,7 @@ trait MessageTrait
+                 $value = [$value];
+             }
+ 
+-            $value = $this->trimHeaderValues($value);
++            $value = $this->trimAndValidateHeaderValues($value);
+             $normalized = strtolower($header);
+             if (isset($this->headerNames[$normalized])) {
+                 $header = $this->headerNames[$normalized];
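Review bot: this looped call site changes behaviour from silently trimming to throwing InvalidArgumentException on the first offending value, so any code path that reaches this loop with headers it did not construct itself (for example headers parsed from an upstream response) now fails the whole message instead of passing the value through. That is the intended hardening, but d/changelog should mention the behavioural change, and the one consumer named in the request (movim) should be checked for call sites that do not expect the exception.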
+@@ -168,16 +168,58 @@ trait MessageTrait
+      * header-field = field-name ":" OWS field-value OWS
+      * OWS          = *( SP / HTAB )
+      *
+-     * @param string[] $values Header values
++     * @param mixed[] $values Header values
+      *
+      * @return string[] Trimmed header values
+      *
+      * @see https://tools.ietf.org/html/rfc7230#section-3.2.4
+      */
+-    private function trimHeaderValues(array $values)
++    private function trimAndValidateHeaderValues(array $values)
+     {
+         return array_map(function ($value) {
+-            return trim($value, " \t");
+-        }, $values);
++            if (!is_scalar($value) && null !== $value) {
++                throw new \InvalidArgumentException(sprintf(
++                    'Header value must be scalar or null but %s provided.',
++                    is_object($value) ? get_class($value) : gettype($value)
++                ));
++            }
++
++            $trimmed = trim((string) $value, " \t");
++            $this->assertValue($trimmed);
++
++            return $trimmed;
++        }, array_values($values));
++    }
++
++    /**
++     * @param string $value
++     *
++     * @return void
++     *
++     * @see https://tools.ietf.org/html/rfc7230#section-3.2
++     *
++     * field-value    = *( field-content / obs-fold )
++     * field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
++     * field-vchar    = VCHAR / obs-text
++     * VCHAR          = %x21-7E
++     * obs-text       = %x80-FF
++     * obs-fold       = CRLF 1*( SP / HTAB )
++     */
++    private function assertValue($value)
++    {
++        // The regular expression intentionally does not support the obs-fold production, because as
++        // per RFC 7230#3.2.4:
++        //
++        // A sender MUST NOT generate a message that includes
++        // line folding (i.e., that has any field-value that contains a match to
++        // the obs-fold rule) unless the message is intended for packaging
++        // within the message/http media type.
++        //
++        // Clients must not send a request with line folding and a server sending folded headers is
++        // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
++        // folding is not likely to break any legitimate use case.
++        if (! preg_match('/^(?:[\x21-\x7E\x80-\xFF](?:[\x20\x09]+[\x21-\x7E\x80-\xFF])?)*$/', $value)) {
++            throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
++        }
+     }
+ }
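Review bot: the pattern on the `if (! preg_match(...))` line transcribes the field-content ABNF too literally and rejects legitimate values. Each repetition of the outer group is one vchar optionally followed by one whitespace run and one more vchar, so a single vchar that sits between two whitespace runs (the `b` in `a b c`) cannot be matched: it would have to close one repetition and open the next. Values such as `a b c` therefore throw InvalidArgumentException although interior whitespace between tokens is ordinary in header values. Patch 0002 in this same debdiff replaces the pattern with a flat character class for exactly this reason, so the two patches must ship together; please say so in d/changelog rather than listing only 0001's CVE fix.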
diff --git a/debian/patches/0002-Release-1.8.5-491.patch b/debian/patches/0002-Release-1.8.5-491.patch
new file mode 100644
index 0000000..b837caf
--- /dev/null
+++ b/debian/patches/0002-Release-1.8.5-491.patch
@@ -0,0 +1,22 @@
+From: Graham Campbell <GrahamCampbell@users.noreply.github.com>
+Date: Sun, 20 Mar 2022 21:51:18 +0000
+Subject: Release 1.8.5 (#491)
+
+Origin: backport, https://github.com/guzzle/psr7/commit/337e3ad8e5716c15f9657bd214d16cc5e69df268
+---
+ src/MessageTrait.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index f5f61db..4ac4687 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -218,7 +218,7 @@ trait MessageTrait
+         // Clients must not send a request with line folding and a server sending folded headers is
+         // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
+         // folding is not likely to break any legitimate use case.
+-        if (! preg_match('/^(?:[\x21-\x7E\x80-\xFF](?:[\x20\x09]+[\x21-\x7E\x80-\xFF])?)*$/', $value)) {
++        if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
+             throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
+         }
+     }
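Review bot: the relaxed class on the `preg_match` line still excludes CR (0x0D), LF (0x0A), NUL and the other CTLs apart from SP and HTAB, so the CRLF-injection protection is intact, and because the value is trimmed of SP/HTAB before `assertValue()` is called, admitting `\x20\x09` here only affects interior whitespace. Two follow-ups: the docblock above `assertValue()` (the field-content / field-vchar grammar from patch 0001) now describes a stricter grammar than is enforced and should be updated to state the actual rule (VCHAR, obs-text, SP and HTAB, nothing else); and the unchanged `sprintf('"%s" is not valid header value', $value)` copies the rejected bytes, CRLF included, into the exception message, so anything that logs or renders that message must escape it or the injection attempt lands verbatim in the log.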
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..2ba908a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+0001-Release-1.8.4-486.patch
+0002-Release-1.8.5-491.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
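To make the effect of the backported validators concrete, the following is an added PHP example; it is not code from the Debian package or from guzzle/psr7. It runs constructed header values through the pre-fix behaviour (trim only, as the 1.4.2 `trimHeaderValues()` does) and through the two regular expressions copied verbatim from patches 0001 (upstream 1.8.4) and 0002 (upstream 1.8.5) above. The names `legacyTrimOnly`, `validateHeaderValue`, `headerLine`, `VALUE_RE_1_8_4` and `VALUE_RE_1_8_5` are assumptions made for this example; the sample inputs are constructed, not taken from real traffic.

```php
<?php
// Added example, not code from the Debian package or from guzzle/psr7.
// Runs constructed header values through the pre-fix behaviour (trim only,
// as in the 1.4.2 trimHeaderValues()) and through the two validators
// backported by patches 0001 (upstream 1.8.4) and 0002 (upstream 1.8.5).
// Function and constant names are assumptions; the regexes are copied from the patches.
declare(strict_types=1);

// Patch 0001 (1.8.4): literal transcription of the RFC 7230 field-content production.
const VALUE_RE_1_8_4 = '/^(?:[\x21-\x7E\x80-\xFF](?:[\x20\x09]+[\x21-\x7E\x80-\xFF])?)*$/';
// Patch 0002 (1.8.5): flat character class; still excludes CR (0x0D), LF (0x0A) and NUL.
const VALUE_RE_1_8_5 = '/^[\x20\x09\x21-\x7E\x80-\xFF]*$/';

/** Pre-fix behaviour: strip optional whitespace and pass everything else through. */
function legacyTrimOnly(string $value): string
{
    return trim($value, " \t");
}

/** Post-fix behaviour: trim, then reject anything outside $pattern, like trimAndValidateHeaderValues(). */
function validateHeaderValue(string $pattern, $value): string
{
    if (!is_scalar($value) && null !== $value) {
        throw new InvalidArgumentException('Header value must be scalar or null.');
    }
    $trimmed = trim((string) $value, " \t");
    if (!preg_match($pattern, $trimmed)) {
        throw new InvalidArgumentException(sprintf('"%s" is not valid header value', $trimmed));
    }
    return $trimmed;
}

/** Serialise one header field the way it goes on the wire in HTTP/1.1. */
function headerLine(string $name, string $value): string
{
    return $name . ': ' . $value . "\r\n";
}

// Constructed inputs (not taken from any real traffic).
$cases = [
    // Embedded CRLF: with trim-only handling this smuggles a second header line.
    'crlf-injection' => "legit\r\nX-Injected: 1",
    // One vchar between two whitespace runs: rejected by the 1.8.4 regex, accepted by 1.8.5.
    'odd-tokens'     => 'a b c',
    // obs-text bytes (0x80-0xFF), permitted by both regexes.
    'obs-text'       => "caf\xC3\xA9",
];

echo "pre-fix (trim only):\n";
foreach ($cases as $label => $raw) {
    // json_encode makes the CR/LF visible as \r\n in the output.
    printf("  %-15s %s\n", $label, json_encode(headerLine('X-Test', legacyTrimOnly($raw))));
}

foreach (['1.8.4' => VALUE_RE_1_8_4, '1.8.5' => VALUE_RE_1_8_5] as $version => $re) {
    echo "patched ($version regex):\n";
    foreach ($cases as $label => $raw) {
        try {
            $line = headerLine('X-Test', validateHeaderValue($re, $raw));
            printf("  %-15s accepted %s\n", $label, json_encode($line));
        } catch (InvalidArgumentException $e) {
            // The message contains the rejected bytes; encode it before printing.
            printf("  %-15s rejected %s\n", $label, json_encode($e->getMessage()));
        }
    }
}
```

Run it with `php example.php`. The pre-fix section prints the CRLF case as a single "line" that actually carries a second header (`X-Injected: 1`), which is the injection CVE-2022-24775 describes; both patched regexes reject it. The 1.8.4 regex additionally rejects `a b c`, the regression that 0002 fixes, while the obs-text value passes everywhere.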
--- Begin Message ---
Package: release.debian.org
Version: 10.13

Hi,

Each of the updates referenced in these bugs was included in today's
10.13 point release.

Regards,

Adam

--- End Message ---
