Bug#1041074: bookworm-pu: package cpp-httplib/0.11.4+ds-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cpp-httplib@packages.debian.org
Control: affects -1 + src:cpp-httplib
Hi all, I'd like to push a stable update for cpp-httplib fixing a security
vulnerability. Since the vulnerability is not that serious (no-dsa) the
security team advised me to send it here instead of pushing it to bookworm-
security.
[ Reason ]
This fixes a security vulnerability (CRLF Injection).
[ Impact ]
cpp-httplib will have a security vulnerability in bookworm.
[ Tests ]
Upstream CI, autopkgtest, lintian, manual review.
[ Risks ]
This should be completely risk free.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
cpp-httplib (0.11.4+ds-1+deb12u1) bookworm; urgency=medium
* d/gbp.conf: adjust branch names for bookworm
* d/patches: fix fox CVE-2023-26130.
Backport of the security fix for CVE-2023-26130, a CRLF Injection, from
upstream commit 5b397d455d25a391ba346863830c1949627b4d08 included in
upstream release 0.12.4 and newer. (Closes: #1037100)
-- Andrea Pappacoda <andrea@pappacoda.it> Thu, 13 Jul 2023 00:26:06 +0200
[ Other info ]
That's it. This is a small update.
diff -Nru cpp-httplib-0.11.4+ds/debian/changelog cpp-httplib-0.11.4+ds/debian/changelog
--- cpp-httplib-0.11.4+ds/debian/changelog 2023-01-12 16:39:07.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/changelog 2023-07-13 00:26:06.000000000 +0200
@@ -1,3 +1,13 @@
+cpp-httplib (0.11.4+ds-1+deb12u1) bookworm; urgency=medium
+
+ * d/gbp.conf: adjust branch names for bookworm
+ * d/patches: fix fox CVE-2023-26130.
+ Backport of the security fix for CVE-2023-26130, a CRLF Injection, from
+ upstream commit 5b397d455d25a391ba346863830c1949627b4d08 included in
+ upstream release 0.12.4 and newer. (Closes: #1037100)
+
+ -- Andrea Pappacoda <andrea@pappacoda.it> Thu, 13 Jul 2023 00:26:06 +0200
+
cpp-httplib (0.11.4+ds-1) unstable; urgency=medium
* New upstream version 0.11.4+ds
diff -Nru cpp-httplib-0.11.4+ds/debian/gbp.conf cpp-httplib-0.11.4+ds/debian/gbp.conf
--- cpp-httplib-0.11.4+ds/debian/gbp.conf 2023-01-12 16:39:07.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/gbp.conf 2023-07-13 00:26:06.000000000 +0200
@@ -1,8 +1,8 @@
[DEFAULT]
dist = DEP14
-debian-branch = debian/latest
-upstream-branch = upstream/latest
+debian-branch = debian/bookworm
+upstream-branch = upstream/0.11.x
pristine-tar = True
pristine-tar-commit = True
sign-tags = True
diff -Nru cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch
--- cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch 1970-01-01 01:00:00.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch 2023-07-13 00:26:06.000000000 +0200
@@ -0,0 +1,173 @@
+Description: Fix for CVE-2023-26130
+Author: Andrea Pappacoda <andrea@pappacoda.it>
+Origin: backport, https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08
+Bug-Debian: https://bugs.debian.org/1037100
+Last-Update: 2023-07-12
+
+--- cpp-httplib-0.11.4+ds.orig/httplib.h
++++ cpp-httplib-0.11.4+ds/httplib.h
+@@ -5707,8 +5707,8 @@ inline void Server::apply_ranges(const R
+ res.headers.erase(it);
+ }
+
+- res.headers.emplace("Content-Type",
+- "multipart/byteranges; boundary=" + boundary);
++ res.set_header("Content-Type",
++ "multipart/byteranges; boundary=" + boundary);
+ }
+
+ auto type = detail::encoding_type(req, res);
+@@ -6385,32 +6385,32 @@ inline bool ClientImpl::write_request(St
+ // Prepare additional headers
+ if (close_connection) {
+ if (!req.has_header("Connection")) {
+- req.headers.emplace("Connection", "close");
++ req.set_header("Connection", "close");
+ }
+ }
+
+ if (!req.has_header("Host")) {
+ if (is_ssl()) {
+ if (port_ == 443) {
+- req.headers.emplace("Host", host_);
++ req.set_header("Host", host_);
+ } else {
+- req.headers.emplace("Host", host_and_port_);
++ req.set_header("Host", host_and_port_);
+ }
+ } else {
+ if (port_ == 80) {
+- req.headers.emplace("Host", host_);
++ req.set_header("Host", host_);
+ } else {
+- req.headers.emplace("Host", host_and_port_);
++ req.set_header("Host", host_and_port_);
+ }
+ }
+ }
+
+- if (!req.has_header("Accept")) { req.headers.emplace("Accept", "*/*"); }
++ if (!req.has_header("Accept")) { req.set_header("Accept", "*/*"); }
+
+ #ifndef CPPHTTPLIB_NO_DEFAULT_USER_AGENT
+ if (!req.has_header("User-Agent")) {
+ auto agent = std::string("cpp-httplib/") + CPPHTTPLIB_VERSION;
+- req.headers.emplace("User-Agent", agent);
++ req.set_header("User-Agent", agent);
+ }
+ #endif
+
+@@ -6419,23 +6419,23 @@ inline bool ClientImpl::write_request(St
+ if (!req.is_chunked_content_provider_) {
+ if (!req.has_header("Content-Length")) {
+ auto length = std::to_string(req.content_length_);
+- req.headers.emplace("Content-Length", length);
++ req.set_header("Content-Length", length);
+ }
+ }
+ } else {
+ if (req.method == "POST" || req.method == "PUT" ||
+ req.method == "PATCH") {
+- req.headers.emplace("Content-Length", "0");
++ req.set_header("Content-Length", "0");
+ }
+ }
+ } else {
+ if (!req.has_header("Content-Type")) {
+- req.headers.emplace("Content-Type", "text/plain");
++ req.set_header("Content-Type", "text/plain");
+ }
+
+ if (!req.has_header("Content-Length")) {
+ auto length = std::to_string(req.body.size());
+- req.headers.emplace("Content-Length", length);
++ req.set_header("Content-Length", length);
+ }
+ }
+
+@@ -6503,12 +6503,10 @@ inline std::unique_ptr<Response> ClientI
+ ContentProvider content_provider,
+ ContentProviderWithoutLength content_provider_without_length,
+ const std::string &content_type, Error &error) {
+- if (!content_type.empty()) {
+- req.headers.emplace("Content-Type", content_type);
+- }
++ if (!content_type.empty()) { req.set_header("Content-Type", content_type); }
+
+ #ifdef CPPHTTPLIB_ZLIB_SUPPORT
+- if (compress_) { req.headers.emplace("Content-Encoding", "gzip"); }
++ if (compress_) { req.set_header("Content-Encoding", "gzip"); }
+ #endif
+
+ #ifdef CPPHTTPLIB_ZLIB_SUPPORT
+@@ -6571,7 +6569,7 @@ inline std::unique_ptr<Response> ClientI
+ req.content_provider_ = detail::ContentProviderAdapter(
+ std::move(content_provider_without_length));
+ req.is_chunked_content_provider_ = true;
+- req.headers.emplace("Transfer-Encoding", "chunked");
++ req.set_header("Transfer-Encoding", "chunked");
+ } else {
+ req.body.assign(body, content_length);
+ ;
+@@ -7181,9 +7179,7 @@ inline Result ClientImpl::Delete(const s
+ req.headers = headers;
+ req.path = path;
+
+- if (!content_type.empty()) {
+- req.headers.emplace("Content-Type", content_type);
+- }
++ if (!content_type.empty()) { req.set_header("Content-Type", content_type); }
+ req.body.assign(body, content_length);
+
+ return send_(std::move(req));
+--- cpp-httplib-0.11.4+ds.orig/test/test.cc
++++ cpp-httplib-0.11.4+ds/test/test.cc
+@@ -5795,3 +5795,48 @@ TEST(TaskQueueTest, IncreaseAtomicIntege
+ EXPECT_NO_THROW(task_queue->shutdown());
+ EXPECT_EQ(number_of_task, count.load());
+ }
++
++TEST(VulnerabilityTest, CRLFInjection) {
++ Server svr;
++
++ svr.Post("/test1", [](const Request &/*req*/, Response &res) {
++ res.set_content("Hello 1", "text/plain");
++ });
++
++ svr.Delete("/test2", [](const Request &/*req*/, Response &res) {
++ res.set_content("Hello 2", "text/plain");
++ });
++
++ svr.Put("/test3", [](const Request &/*req*/, Response &res) {
++ res.set_content("Hello 3", "text/plain");
++ });
++
++ svr.Patch("/test4", [](const Request &/*req*/, Response &res) {
++ res.set_content("Hello 4", "text/plain");
++ });
++
++ svr.set_logger([](const Request &req, const Response & /*res*/) {
++ for (const auto &x : req.headers) {
++ auto key = x.first;
++ EXPECT_STRNE("evil", key.c_str());
++ }
++ });
++
++ auto thread = std::thread([&]() { svr.listen(HOST, PORT); });
++
++ std::this_thread::sleep_for(std::chrono::seconds(1));
++
++ {
++ Client cli(HOST, PORT);
++
++ cli.Post("/test1", "A=B",
++ "application/x-www-form-urlencoded\r\nevil: hello1");
++ cli.Delete("/test2", "A=B", "text/plain\r\nevil: hello2");
++ cli.Put("/test3", "text", "text/plain\r\nevil: hello3");
++ cli.Patch("/test4", "content", "text/plain\r\nevil: hello4");
++ }
++
++ svr.stop();
++ thread.join();
++ ASSERT_FALSE(svr.is_running());
++}
diff -Nru cpp-httplib-0.11.4+ds/debian/patches/series cpp-httplib-0.11.4+ds/debian/patches/series
--- cpp-httplib-0.11.4+ds/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/patches/series 2023-07-13 00:26:06.000000000 +0200
@@ -0,0 +1 @@
+cve-2023-26130.patch
Reply to: