[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1041074: bookworm-pu: package cpp-httplib/0.11.4+ds-1+deb12u1

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cpp-httplib@packages.debian.org
Control: affects -1 + src:cpp-httplib

Hi all, I'd like to push a stable update for cpp-httplib fixing a security
vulnerability. Since the vulnerability is not that serious (no-dsa) the
security team advised me to send it here instead of pushing it to bookworm-
security.

[ Reason ]
This fixes a security vulnerability (CRLF Injection).

[ Impact ]
cpp-httplib will have a security vulnerability in bookworm.

[ Tests ]
Upstream CI, autopkgtest, lintian, manual review.

[ Risks ]
This should be completely risk free.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
cpp-httplib (0.11.4+ds-1+deb12u1) bookworm; urgency=medium

  * d/gbp.conf: adjust branch names for bookworm
  * d/patches: fix fox CVE-2023-26130.
    Backport of the security fix for CVE-2023-26130, a CRLF Injection, from
    upstream commit 5b397d455d25a391ba346863830c1949627b4d08 included in
    upstream release 0.12.4 and newer. (Closes: #1037100)

 -- Andrea Pappacoda <andrea@pappacoda.it>  Thu, 13 Jul 2023 00:26:06 +0200

[ Other info ]
That's it. This is a small update.

diff -Nru cpp-httplib-0.11.4+ds/debian/changelog cpp-httplib-0.11.4+ds/debian/changelog
--- cpp-httplib-0.11.4+ds/debian/changelog	2023-01-12 16:39:07.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/changelog	2023-07-13 00:26:06.000000000 +0200
@@ -1,3 +1,13 @@
+cpp-httplib (0.11.4+ds-1+deb12u1) bookworm; urgency=medium
+
+  * d/gbp.conf: adjust branch names for bookworm
+  * d/patches: fix fox CVE-2023-26130.
+    Backport of the security fix for CVE-2023-26130, a CRLF Injection, from
+    upstream commit 5b397d455d25a391ba346863830c1949627b4d08 included in
+    upstream release 0.12.4 and newer. (Closes: #1037100)
+
+ -- Andrea Pappacoda <andrea@pappacoda.it>  Thu, 13 Jul 2023 00:26:06 +0200
+
 cpp-httplib (0.11.4+ds-1) unstable; urgency=medium
 
   * New upstream version 0.11.4+ds
diff -Nru cpp-httplib-0.11.4+ds/debian/gbp.conf cpp-httplib-0.11.4+ds/debian/gbp.conf
--- cpp-httplib-0.11.4+ds/debian/gbp.conf	2023-01-12 16:39:07.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/gbp.conf	2023-07-13 00:26:06.000000000 +0200
@@ -1,8 +1,8 @@
 [DEFAULT]
 
 dist = DEP14
-debian-branch = debian/latest
-upstream-branch = upstream/latest
+debian-branch = debian/bookworm
+upstream-branch = upstream/0.11.x
 pristine-tar = True
 pristine-tar-commit = True
 sign-tags = True
diff -Nru cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch
--- cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch	1970-01-01 01:00:00.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch	2023-07-13 00:26:06.000000000 +0200
@@ -0,0 +1,173 @@
+Description: Fix for CVE-2023-26130
+Author: Andrea Pappacoda <andrea@pappacoda.it>
+Origin: backport, https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08
+Bug-Debian: https://bugs.debian.org/1037100
+Last-Update: 2023-07-12
+
+--- cpp-httplib-0.11.4+ds.orig/httplib.h
++++ cpp-httplib-0.11.4+ds/httplib.h
+@@ -5707,8 +5707,8 @@ inline void Server::apply_ranges(const R
+       res.headers.erase(it);
+     }
+ 
+-    res.headers.emplace("Content-Type",
+-                        "multipart/byteranges; boundary=" + boundary);
++    res.set_header("Content-Type",
++                   "multipart/byteranges; boundary=" + boundary);
+   }
+ 
+   auto type = detail::encoding_type(req, res);
+@@ -6385,32 +6385,32 @@ inline bool ClientImpl::write_request(St
+   // Prepare additional headers
+   if (close_connection) {
+     if (!req.has_header("Connection")) {
+-      req.headers.emplace("Connection", "close");
++      req.set_header("Connection", "close");
+     }
+   }
+ 
+   if (!req.has_header("Host")) {
+     if (is_ssl()) {
+       if (port_ == 443) {
+-        req.headers.emplace("Host", host_);
++        req.set_header("Host", host_);
+       } else {
+-        req.headers.emplace("Host", host_and_port_);
++        req.set_header("Host", host_and_port_);
+       }
+     } else {
+       if (port_ == 80) {
+-        req.headers.emplace("Host", host_);
++        req.set_header("Host", host_);
+       } else {
+-        req.headers.emplace("Host", host_and_port_);
++        req.set_header("Host", host_and_port_);
+       }
+     }
+   }
+ 
+-  if (!req.has_header("Accept")) { req.headers.emplace("Accept", "*/*"); }
++  if (!req.has_header("Accept")) { req.set_header("Accept", "*/*"); }
+ 
+ #ifndef CPPHTTPLIB_NO_DEFAULT_USER_AGENT
+   if (!req.has_header("User-Agent")) {
+     auto agent = std::string("cpp-httplib/") + CPPHTTPLIB_VERSION;
+-    req.headers.emplace("User-Agent", agent);
++    req.set_header("User-Agent", agent);
+   }
+ #endif
+ 
+@@ -6419,23 +6419,23 @@ inline bool ClientImpl::write_request(St
+       if (!req.is_chunked_content_provider_) {
+         if (!req.has_header("Content-Length")) {
+           auto length = std::to_string(req.content_length_);
+-          req.headers.emplace("Content-Length", length);
++          req.set_header("Content-Length", length);
+         }
+       }
+     } else {
+       if (req.method == "POST" || req.method == "PUT" ||
+           req.method == "PATCH") {
+-        req.headers.emplace("Content-Length", "0");
++        req.set_header("Content-Length", "0");
+       }
+     }
+   } else {
+     if (!req.has_header("Content-Type")) {
+-      req.headers.emplace("Content-Type", "text/plain");
++      req.set_header("Content-Type", "text/plain");
+     }
+ 
+     if (!req.has_header("Content-Length")) {
+       auto length = std::to_string(req.body.size());
+-      req.headers.emplace("Content-Length", length);
++      req.set_header("Content-Length", length);
+     }
+   }
+ 
+@@ -6503,12 +6503,10 @@ inline std::unique_ptr<Response> ClientI
+     ContentProvider content_provider,
+     ContentProviderWithoutLength content_provider_without_length,
+     const std::string &content_type, Error &error) {
+-  if (!content_type.empty()) {
+-    req.headers.emplace("Content-Type", content_type);
+-  }
++  if (!content_type.empty()) { req.set_header("Content-Type", content_type); }
+ 
+ #ifdef CPPHTTPLIB_ZLIB_SUPPORT
+-  if (compress_) { req.headers.emplace("Content-Encoding", "gzip"); }
++  if (compress_) { req.set_header("Content-Encoding", "gzip"); }
+ #endif
+ 
+ #ifdef CPPHTTPLIB_ZLIB_SUPPORT
+@@ -6571,7 +6569,7 @@ inline std::unique_ptr<Response> ClientI
+       req.content_provider_ = detail::ContentProviderAdapter(
+           std::move(content_provider_without_length));
+       req.is_chunked_content_provider_ = true;
+-      req.headers.emplace("Transfer-Encoding", "chunked");
++      req.set_header("Transfer-Encoding", "chunked");
+     } else {
+       req.body.assign(body, content_length);
+       ;
+@@ -7181,9 +7179,7 @@ inline Result ClientImpl::Delete(const s
+   req.headers = headers;
+   req.path = path;
+ 
+-  if (!content_type.empty()) {
+-    req.headers.emplace("Content-Type", content_type);
+-  }
++  if (!content_type.empty()) { req.set_header("Content-Type", content_type); }
+   req.body.assign(body, content_length);
+ 
+   return send_(std::move(req));
+--- cpp-httplib-0.11.4+ds.orig/test/test.cc
++++ cpp-httplib-0.11.4+ds/test/test.cc
+@@ -5795,3 +5795,48 @@ TEST(TaskQueueTest, IncreaseAtomicIntege
+   EXPECT_NO_THROW(task_queue->shutdown());
+   EXPECT_EQ(number_of_task, count.load());
+ }
++
++TEST(VulnerabilityTest, CRLFInjection) {
++  Server svr;
++
++  svr.Post("/test1", [](const Request &/*req*/, Response &res) {
++    res.set_content("Hello 1", "text/plain");
++  });
++
++  svr.Delete("/test2", [](const Request &/*req*/, Response &res) {
++    res.set_content("Hello 2", "text/plain");
++  });
++
++  svr.Put("/test3", [](const Request &/*req*/, Response &res) {
++    res.set_content("Hello 3", "text/plain");
++  });
++
++  svr.Patch("/test4", [](const Request &/*req*/, Response &res) {
++    res.set_content("Hello 4", "text/plain");
++  });
++
++  svr.set_logger([](const Request &req, const Response & /*res*/) {
++    for (const auto &x : req.headers) {
++      auto key = x.first;
++      EXPECT_STRNE("evil", key.c_str());
++    }
++  });
++
++  auto thread = std::thread([&]() { svr.listen(HOST, PORT); });
++
++  std::this_thread::sleep_for(std::chrono::seconds(1));
++
++  {
++    Client cli(HOST, PORT);
++
++    cli.Post("/test1", "A=B",
++             "application/x-www-form-urlencoded\r\nevil: hello1");
++    cli.Delete("/test2", "A=B", "text/plain\r\nevil: hello2");
++    cli.Put("/test3", "text", "text/plain\r\nevil: hello3");
++    cli.Patch("/test4", "content", "text/plain\r\nevil: hello4");
++  }
++
++  svr.stop();
++  thread.join();
++  ASSERT_FALSE(svr.is_running());
++}
diff -Nru cpp-httplib-0.11.4+ds/debian/patches/series cpp-httplib-0.11.4+ds/debian/patches/series
--- cpp-httplib-0.11.4+ds/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/patches/series	2023-07-13 00:26:06.000000000 +0200
@@ -0,0 +1 @@
+cve-2023-26130.patch
Reply to: