Bug#1041074: marked as done (bookworm-pu: package cpp-httplib/0.11.4+ds-1+deb12u1)

To: Jonathan Wiltshire <jmw@coccia.debian.org>
Subject: Bug#1041074: marked as done (bookworm-pu: package cpp-httplib/0.11.4+ds-1+deb12u1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 22 Jul 2023 13:23:56 +0000
Message-id: <[🔎] handler.1041074.D1041074.16900319882792834.ackdone@bugs.debian.org>
Reply-to: 1041074@bugs.debian.org
References: <E1qNCWN-005ru9-Uf@coccia.debian.org> <[🔎] 168935397923.64529.14781878944573513070.reportbug@satellite.pappacoda.it>

Your message dated Sat, 22 Jul 2023 13:19:43 +0000
with message-id <E1qNCWN-005ru9-Uf@coccia.debian.org>
and subject line Released with 12.1
has caused the Debian Bug report #1041074,
regarding bookworm-pu: package cpp-httplib/0.11.4+ds-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1041074: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041074
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bookworm-pu: package cpp-httplib/0.11.4+ds-1+deb12u1
From: Andrea Pappacoda <andrea@pappacoda.it>
Date: Fri, 14 Jul 2023 18:59:39 +0200
Message-id: <[🔎] 168935397923.64529.14781878944573513070.reportbug@satellite.pappacoda.it>

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cpp-httplib@packages.debian.org
Control: affects -1 + src:cpp-httplib

Hi all, I'd like to push a stable update for cpp-httplib fixing a security
vulnerability. Since the vulnerability is not that serious (no-dsa) the
security team advised me to send it here instead of pushing it to bookworm-
security.

[ Reason ]
This fixes a security vulnerability (CRLF Injection).

[ Impact ]
cpp-httplib will have a security vulnerability in bookworm.

[ Tests ]
Upstream CI, autopkgtest, lintian, manual review.

[ Risks ]
This should be completely risk free.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
cpp-httplib (0.11.4+ds-1+deb12u1) bookworm; urgency=medium

  * d/gbp.conf: adjust branch names for bookworm
  * d/patches: fix fox CVE-2023-26130.
    Backport of the security fix for CVE-2023-26130, a CRLF Injection, from
    upstream commit 5b397d455d25a391ba346863830c1949627b4d08 included in
    upstream release 0.12.4 and newer. (Closes: #1037100)

 -- Andrea Pappacoda <andrea@pappacoda.it>  Thu, 13 Jul 2023 00:26:06 +0200

[ Other info ]
That's it. This is a small update.

diff -Nru cpp-httplib-0.11.4+ds/debian/changelog cpp-httplib-0.11.4+ds/debian/changelog
--- cpp-httplib-0.11.4+ds/debian/changelog	2023-01-12 16:39:07.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/changelog	2023-07-13 00:26:06.000000000 +0200
@@ -1,3 +1,13 @@
+cpp-httplib (0.11.4+ds-1+deb12u1) bookworm; urgency=medium
+
+  * d/gbp.conf: adjust branch names for bookworm
+  * d/patches: fix fox CVE-2023-26130.
+    Backport of the security fix for CVE-2023-26130, a CRLF Injection, from
+    upstream commit 5b397d455d25a391ba346863830c1949627b4d08 included in
+    upstream release 0.12.4 and newer. (Closes: #1037100)
+
+ -- Andrea Pappacoda <andrea@pappacoda.it>  Thu, 13 Jul 2023 00:26:06 +0200
+
 cpp-httplib (0.11.4+ds-1) unstable; urgency=medium
 
   * New upstream version 0.11.4+ds
diff -Nru cpp-httplib-0.11.4+ds/debian/gbp.conf cpp-httplib-0.11.4+ds/debian/gbp.conf
--- cpp-httplib-0.11.4+ds/debian/gbp.conf	2023-01-12 16:39:07.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/gbp.conf	2023-07-13 00:26:06.000000000 +0200
@@ -1,8 +1,8 @@
 [DEFAULT]
 
 dist = DEP14
-debian-branch = debian/latest
-upstream-branch = upstream/latest
+debian-branch = debian/bookworm
+upstream-branch = upstream/0.11.x
 pristine-tar = True
 pristine-tar-commit = True
 sign-tags = True
diff -Nru cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch
--- cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch	1970-01-01 01:00:00.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/patches/cve-2023-26130.patch	2023-07-13 00:26:06.000000000 +0200
@@ -0,0 +1,173 @@
+Description: Fix for CVE-2023-26130
+Author: Andrea Pappacoda <andrea@pappacoda.it>
+Origin: backport, https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08
+Bug-Debian: https://bugs.debian.org/1037100
+Last-Update: 2023-07-12
+
+--- cpp-httplib-0.11.4+ds.orig/httplib.h
++++ cpp-httplib-0.11.4+ds/httplib.h
+@@ -5707,8 +5707,8 @@ inline void Server::apply_ranges(const R
+       res.headers.erase(it);
+     }
+ 
+-    res.headers.emplace("Content-Type",
+-                        "multipart/byteranges; boundary=" + boundary);
++    res.set_header("Content-Type",
++                   "multipart/byteranges; boundary=" + boundary);
+   }
+ 
+   auto type = detail::encoding_type(req, res);
+@@ -6385,32 +6385,32 @@ inline bool ClientImpl::write_request(St
+   // Prepare additional headers
+   if (close_connection) {
+     if (!req.has_header("Connection")) {
+-      req.headers.emplace("Connection", "close");
++      req.set_header("Connection", "close");
+     }
+   }
+ 
+   if (!req.has_header("Host")) {
+     if (is_ssl()) {
+       if (port_ == 443) {
+-        req.headers.emplace("Host", host_);
++        req.set_header("Host", host_);
+       } else {
+-        req.headers.emplace("Host", host_and_port_);
++        req.set_header("Host", host_and_port_);
+       }
+     } else {
+       if (port_ == 80) {
+-        req.headers.emplace("Host", host_);
++        req.set_header("Host", host_);
+       } else {
+-        req.headers.emplace("Host", host_and_port_);
++        req.set_header("Host", host_and_port_);
+       }
+     }
+   }
+ 
+-  if (!req.has_header("Accept")) { req.headers.emplace("Accept", "*/*"); }
++  if (!req.has_header("Accept")) { req.set_header("Accept", "*/*"); }
+ 
+ #ifndef CPPHTTPLIB_NO_DEFAULT_USER_AGENT
+   if (!req.has_header("User-Agent")) {
+     auto agent = std::string("cpp-httplib/") + CPPHTTPLIB_VERSION;
+-    req.headers.emplace("User-Agent", agent);
++    req.set_header("User-Agent", agent);
+   }
+ #endif
+ 
+@@ -6419,23 +6419,23 @@ inline bool ClientImpl::write_request(St
+       if (!req.is_chunked_content_provider_) {
+         if (!req.has_header("Content-Length")) {
+           auto length = std::to_string(req.content_length_);
+-          req.headers.emplace("Content-Length", length);
++          req.set_header("Content-Length", length);
+         }
+       }
+     } else {
+       if (req.method == "POST" || req.method == "PUT" ||
+           req.method == "PATCH") {
+-        req.headers.emplace("Content-Length", "0");
++        req.set_header("Content-Length", "0");
+       }
+     }
+   } else {
+     if (!req.has_header("Content-Type")) {
+-      req.headers.emplace("Content-Type", "text/plain");
++      req.set_header("Content-Type", "text/plain");
+     }
+ 
+     if (!req.has_header("Content-Length")) {
+       auto length = std::to_string(req.body.size());
+-      req.headers.emplace("Content-Length", length);
++      req.set_header("Content-Length", length);
+     }
+   }
+ 
+@@ -6503,12 +6503,10 @@ inline std::unique_ptr<Response> ClientI
+     ContentProvider content_provider,
+     ContentProviderWithoutLength content_provider_without_length,
+     const std::string &content_type, Error &error) {
+-  if (!content_type.empty()) {
+-    req.headers.emplace("Content-Type", content_type);
+-  }
++  if (!content_type.empty()) { req.set_header("Content-Type", content_type); }
+ 
+ #ifdef CPPHTTPLIB_ZLIB_SUPPORT
+-  if (compress_) { req.headers.emplace("Content-Encoding", "gzip"); }
++  if (compress_) { req.set_header("Content-Encoding", "gzip"); }
+ #endif
+ 
+ #ifdef CPPHTTPLIB_ZLIB_SUPPORT
+@@ -6571,7 +6569,7 @@ inline std::unique_ptr<Response> ClientI
+       req.content_provider_ = detail::ContentProviderAdapter(
+           std::move(content_provider_without_length));
+       req.is_chunked_content_provider_ = true;
+-      req.headers.emplace("Transfer-Encoding", "chunked");
++      req.set_header("Transfer-Encoding", "chunked");
+     } else {
+       req.body.assign(body, content_length);
+       ;
+@@ -7181,9 +7179,7 @@ inline Result ClientImpl::Delete(const s
+   req.headers = headers;
+   req.path = path;
+ 
+-  if (!content_type.empty()) {
+-    req.headers.emplace("Content-Type", content_type);
+-  }
++  if (!content_type.empty()) { req.set_header("Content-Type", content_type); }
+   req.body.assign(body, content_length);
+ 
+   return send_(std::move(req));
+--- cpp-httplib-0.11.4+ds.orig/test/test.cc
++++ cpp-httplib-0.11.4+ds/test/test.cc
+@@ -5795,3 +5795,48 @@ TEST(TaskQueueTest, IncreaseAtomicIntege
+   EXPECT_NO_THROW(task_queue->shutdown());
+   EXPECT_EQ(number_of_task, count.load());
+ }
++
++TEST(VulnerabilityTest, CRLFInjection) {
++  Server svr;
++
++  svr.Post("/test1", [](const Request &/*req*/, Response &res) {
++    res.set_content("Hello 1", "text/plain");
++  });
++
++  svr.Delete("/test2", [](const Request &/*req*/, Response &res) {
++    res.set_content("Hello 2", "text/plain");
++  });
++
++  svr.Put("/test3", [](const Request &/*req*/, Response &res) {
++    res.set_content("Hello 3", "text/plain");
++  });
++
++  svr.Patch("/test4", [](const Request &/*req*/, Response &res) {
++    res.set_content("Hello 4", "text/plain");
++  });
++
++  svr.set_logger([](const Request &req, const Response & /*res*/) {
++    for (const auto &x : req.headers) {
++      auto key = x.first;
++      EXPECT_STRNE("evil", key.c_str());
++    }
++  });
++
++  auto thread = std::thread([&]() { svr.listen(HOST, PORT); });
++
++  std::this_thread::sleep_for(std::chrono::seconds(1));
++
++  {
++    Client cli(HOST, PORT);
++
++    cli.Post("/test1", "A=B",
++             "application/x-www-form-urlencoded\r\nevil: hello1");
++    cli.Delete("/test2", "A=B", "text/plain\r\nevil: hello2");
++    cli.Put("/test3", "text", "text/plain\r\nevil: hello3");
++    cli.Patch("/test4", "content", "text/plain\r\nevil: hello4");
++  }
++
++  svr.stop();
++  thread.join();
++  ASSERT_FALSE(svr.is_running());
++}
diff -Nru cpp-httplib-0.11.4+ds/debian/patches/series cpp-httplib-0.11.4+ds/debian/patches/series
--- cpp-httplib-0.11.4+ds/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ cpp-httplib-0.11.4+ds/debian/patches/series	2023-07-13 00:26:06.000000000 +0200
@@ -0,0 +1 @@
+cve-2023-26130.patch

--- End Message ---

--- Begin Message ---

To: 1041074-done@bugs.debian.org

Subject: Released with 12.1

From: Jonathan Wiltshire <jmw@coccia.debian.org>

Date: Sat, 22 Jul 2023 13:19:43 +0000

Message-id: <E1qNCWN-005ru9-Uf@coccia.debian.org>
Version: 12.1

The upload requested in this bug has been released as part of 12.1.
--- End Message ---

Reply to:

References:
- Bug#1041074: bookworm-pu: package cpp-httplib/0.11.4+ds-1+deb12u1
  - From: Andrea Pappacoda <andrea@pappacoda.it>

Prev by Date: Bug#1041163: marked as done (bookworm-pu: package crowdsec/1.4.6-6~deb12u1)
Next by Date: Processed: Re: Bug#1040206: bullseye-pu: package debianutils/5.7-0.5~deb12u1
Previous by thread: Processed: cpp-httplib 0.11.4+ds-1+deb12u1 flagged for acceptance
Next by thread: Bug#1036904: libreoffice 7.4.7-1 flagged for acceptance
Index(es):
- Date
- Thread