Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: php-guzzlehttp-psr7@packages.debian.org, team@security.debian.org
Control: affects -1 + src:php-guzzlehttp-psr7

Hi,

[ Reason ]
I’d like to fix an improper input validation [CVE-2023-29197] filed as
#1034581. This is a follow-up from [CVE-2022-24775] filed as #1008236 that
was fixed via a previous point release. The security team filed those bugs
with a non-RC severity, so I assume they don’t expect to release a DSA for
it (as for the previous main issue); anyway the team is X-D-Cc.

[ Impact ]
It’s a security flaw.

[ Tests ]
The (extended for this fix) upstream testsuite is run at build time and debci.

[ Risks ]
The code change is fairly trivial, and was cherry-picked from upstream
(their fix for the 1.9 branch).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
It’s just a stricter validation regex.

[ Other info ]
Thanks a lot for your work!

Cheers

taffit
diff --git a/debian/changelog b/debian/changelog
index 8635876..0093037 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-guzzlehttp-psr7 (1.7.0-1+deb11u2) bullseye; urgency=medium
+
+ * Fix improper input validation [CVE-2023-29197] (Closes: #1034581)
+
+ -- David Prévot <taffit@debian.org> Sat, 22 Apr 2023 11:41:36 +0200
+
php-guzzlehttp-psr7 (1.7.0-1+deb11u1) bullseye; urgency=medium
* Track Bullseye
diff --git a/debian/patches/0004-Patch-header-validation-issue.patch b/debian/patches/0004-Patch-header-validation-issue.patch
new file mode 100644
index 0000000..84b4ad9
--- /dev/null
+++ b/debian/patches/0004-Patch-header-validation-issue.patch
@@ -0,0 +1,87 @@
+From: Graham Campbell <hello@gjcampbell.co.uk>
+Date: Mon, 17 Apr 2023 16:33:27 +0100
+Subject: Patch header validation issue
+
+Origin: upstream, https://github.com/guzzle/psr7/commit/18fd8915823bd9ca4156e84849e18970057dc7e4
+Bug-Debian: https://bugs.debian.org/1034581 https://security-tracker.debian.org/tracker/CVE-2023-29197
+---
+ src/MessageTrait.php | 13 ++++++-------
+ tests/RequestTest.php | 5 +++++
+ tests/ResponseTest.php | 9 +++++++++
+ 3 files changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 0ac8663..0bbd63e 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -226,12 +226,9 @@ trait MessageTrait
+ throw new \InvalidArgumentException('Header name can not be empty.');
+ }
+
+- if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/', $header)) {
++ if (! preg_match('/^[a-zA-Z0-9\'`#$%&*+.^_|~!-]+$/D', $header)) {
+ throw new \InvalidArgumentException(
+- sprintf(
+- '"%s" is not valid header name',
+- $header
+- )
++ sprintf('"%s" is not valid header name.', $header)
+ );
+ }
+ }
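Review bot: the `/D` (PCRE_DOLLAR_ENDONLY) modifier on the header-name regex is the whole fix, and it deserves a comment next to the pattern so a later cleanup does not drop it: without `D`, `$` also matches immediately before a trailing `\n`, so a name such as `"Content-Type\n"` passed the check even though `\n` is not in the character class. Using `\z` instead of `$` would express the same intent without relying on a modifier. Separately, the exception message still interpolates the raw `$header`, so a rejected name containing CR or LF lands verbatim in whatever logs that message; escaping it (for example with `addcslashes`) before the `sprintf` would avoid carrying the line break into log output.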
+@@ -263,8 +260,10 @@ trait MessageTrait
+ // Clients must not send a request with line folding and a server sending folded headers is
+ // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
+ // folding is not likely to break any legitimate use case.
+- if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
+- throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
++ if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value)) {
++ throw new \InvalidArgumentException(
++ sprintf('"%s" is not valid header value.', $value)
++ );
+ }
+ }
+ }
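Review bot: the same `/D` change is applied to the header-value check, which is the one that matters most since values are far more often externally supplied than names. With the old pattern `"foo\n"` was accepted because `$` matched before the final newline, whereas `"foo\nbar"` and `"foo\r\n"` were already rejected (`\n` and `\r` are outside the class). The comment block above the check only discusses line folding; it should also state that a trailing bare LF is rejected and that `/D` is what enforces it. The message again embeds the raw `$value`, newline included, so the same escaping suggestion applies here.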
+diff --git a/tests/RequestTest.php b/tests/RequestTest.php
+index 10ac92a..7dca806 100644
+--- a/tests/RequestTest.php
++++ b/tests/RequestTest.php
+@@ -269,6 +269,10 @@ class RequestTest extends BaseTest
+ // Line folding is technically allowed, but deprecated.
+ // We don't support it.
+ ["new\r\n line"],
++ ["newline\n"],
++ ["\nnewline"],
++ ["newline\r\n"],
++ ["\r\nnewline"],
+ ];
+
+ for ($i = 0; $i <= 0xff; $i++) {
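Review bot: of the four added cases only `["newline\n"]` actually exercises the `/D` change; `["newline\r\n"]` was already rejected because `\r` is not in the character class, and the two leading-newline cases were already rejected because `^` anchors at the start. They are fine as regression coverage, but since the comment directly above speaks about line folding and these are bare newlines, a one-line comment separating the two groups would make the intent clear.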
+@@ -286,6 +290,7 @@ class RequestTest extends BaseTest
+ }
+
+ $tests[] = ["foo" . \chr($i) . "bar"];
++ $tests[] = ["foo" . \chr($i)];
+ }
+
+ return $tests;
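Review bot: `["foo" . \chr($i)]` is the case that would have caught the bug originally, because for `$i === 0x0A` the value ends in a bare LF that the old pattern accepted. The skip condition of the loop is not visible in this hunk (only its closing `}`); please confirm that 0x0A is not among the bytes it skips, otherwise the regression stays untested in this provider.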
+diff --git a/tests/ResponseTest.php b/tests/ResponseTest.php
+index 0b6be02..30e106b 100644
+--- a/tests/ResponseTest.php
++++ b/tests/ResponseTest.php
+@@ -284,6 +284,15 @@ class ResponseTest extends BaseTest
+ [[], 'foo', 'Header name must be a string but array provided.'],
+ [false, 'foo', 'Header name must be a string but boolean provided.'],
+ [new \stdClass(), 'foo', 'Header name must be a string but stdClass provided.'],
++ ["", 'foo', "Header name can not be empty."],
++ ["Content-Type\r\n\r\n", 'foo', "\"Content-Type\r\n\r\n\" is not valid header name."],
++ ["Content-Type\r\n", 'foo', "\"Content-Type\r\n\" is not valid header name."],
++ ["Content-Type\n", 'foo', "\"Content-Type\n\" is not valid header name."],
++ ["\r\nContent-Type", 'foo', "\"\r\nContent-Type\" is not valid header name."],
++ ["\nContent-Type", 'foo', "\"\nContent-Type\" is not valid header name."],
++ ["\n", 'foo', "\"\n\" is not valid header name."],
++ ["\r\n", 'foo', "\"\r\n\" is not valid header name."],
++ ["\t", 'foo', "\"\t\" is not valid header name."],
+ ]);
+ }
+
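Review bot: the expected strings here hard-code the trailing period that the patch adds to both `sprintf` formats in `MessageTrait`, so the message change and these rows must always ship together, as they do in this patch. The `""` and `"\t"` rows cover the pre-existing empty check and character class rather than the new `/D` behaviour, which is fine as extra coverage. Because the expected messages embed raw `\r`/`\n`, a failing row will print literal line breaks; giving the data-provider rows short descriptive keys would make a failure easier to attribute.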
diff --git a/debian/patches/series b/debian/patches/series
index 3301656..af8456e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
0002-Fixed-bad-test-355.patch
0002-Release-1.8.4-486.patch
0003-Release-1.8.5-491.patch
+0004-Patch-header-validation-issue.patch