Bug#1109545: bookworm-pu: package curl/7.88.1-10+deb12u13
package: release.debian.org
control: affects -1 + src:curl
x-debbugs-cc: curl@packages.debian.org
user: release.debian.org@packages.debian.org
usertags: pu
tags: bookworm
severity: normal
[ reason ]
curl upstream has reached out to report a memory-leak affecting the version we
ship in bookworm [0].
This problem was inadvertently fixed for trixie on a refactor of the affected
code.
I suspect this problem also affects bullseye but I have not looked into it yet;
for now I'd like to fix it in bookworm.
[ impact ]
This is fixing a memory-leak.
The leak is small, within the bytes range, and likely to not be noticed by a
lot of users, but there was a request to fix it and the patch is simple.
[ tests ]
curl has an extensive testsuite and all tests passed, curl also contains a lot
of reverse-dependencies in the archive and their debci results will reduce the
likelihood of regressions.
[ risks ]
Given the patch is freeing a buffer instead of resetting it, there's a risk of
introducing an UAF.
I have analyzed the code and have not spotted any problems with it. On top of
this, Daniel Stenberg also acked the patch [0].
[ checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ changes ]
There's a single change which is adding a patch vetted by the upstream
developer.
The patch modifies a single line of code to free a buffer instead of resetting
it and keeping the allocation.
[ other info ]
Discussion in GitHub:
https://github.com/curl/curl/issues/17749
[0] https://curl.se/mail/distros-2025-07/0001.html
--
Samuel Henrique <samueloph>
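
The reset-versus-free distinction this request turns on, as an added example that is not part of the original message and is not curl's code. It uses a simplified buffer model (struct dbuf and its helper names are hypothetical) in which reset keeps the allocation and free releases it while clearing the pointer, which is the property that makes a later append safe.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified growable buffer, constructed for this example (not curl's code). */
struct dbuf { char *ptr; size_t len; size_t cap; };

/* Append n bytes, growing the allocation when needed; returns 0 on success. */
static int dbuf_add(struct dbuf *b, const char *src, size_t n)
{
  if(b->len + n + 1 > b->cap) {
    char *p = realloc(b->ptr, b->len + n + 1);
    if(!p)
      return -1;
    b->ptr = p;
    b->cap = b->len + n + 1;
  }
  memcpy(b->ptr + b->len, src, n);
  b->len += n;
  b->ptr[b->len] = 0;
  return 0;
}

/* "reset": drop the contents but keep the allocation. */
static void dbuf_reset(struct dbuf *b) { if(b->ptr) b->ptr[0] = 0; b->len = 0; }

/* "free": release the allocation and clear every field, so no stale pointer is left. */
static void dbuf_free(struct dbuf *b)
{
  free(b->ptr);
  b->ptr = NULL;
  b->len = b->cap = 0;
}

/* Bytes still allocated once a constructed trailer line has been consumed. */
size_t held_after_trailer(int use_free)
{
  struct dbuf t = {NULL, 0, 0};
  if(dbuf_add(&t, "X-Checksum: abc\r\n", 17))
    return (size_t)-1;
  if(use_free) dbuf_free(&t); else dbuf_reset(&t);
  size_t held = t.cap;
  dbuf_free(&t); /* tidy up so the example itself does not leak */
  return held;
}

/* 1 when an append after dbuf_free() succeeds from a fresh allocation. */
int reusable_after_free(void)
{
  struct dbuf t = {NULL, 0, 0};
  int ok = !dbuf_add(&t, "A: 1\r\n", 6);
  dbuf_free(&t);
  ok = ok && !t.ptr && !dbuf_add(&t, "B: 2\r\n", 6) && !strcmp(t.ptr, "B: 2\r\n");
  dbuf_free(&t);
  return ok;
}
```

In this model the reset path still holds the allocation when the owner goes away, while the free path holds nothing and a later append starts from a NULL pointer rather than a dangling one.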
diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog 2025-06-17 01:56:01.000000000 +0200
+++ curl-7.88.1/debian/changelog 2025-07-19 21:04:59.000000000 +0200
@@ -1,3 +1,11 @@
+curl (7.88.1-10+deb12u14) bookworm; urgency=medium
+
+ * d/p/0001-http_chunks-reset...: New patch to fix memory leak:
+ - Thanks to Daniel Stenberg and dheerajsangamkar for reporting the issue
+ and writing a patch
+
+ -- Samuel Henrique <samueloph@debian.org> Sat, 19 Jul 2025 21:04:59 +0200
+
curl (7.88.1-10+deb12u13) bookworm; urgency=medium
* Team upload.
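Review bot: the first bullet of the new changelog entry abbreviates the patch name as "d/p/0001-http_chunks-reset..." and carries no reference to the upstream issue or a Closes: for this bug. Spell out the full filename, 0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch, so the entry can be matched against debian/patches/series, and add the bug reference. The entry is also versioned 7.88.1-10+deb12u14 while the request title names 7.88.1-10+deb12u13; confirm which version the title should carry.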
diff -Nru curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch
--- curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch 1970-01-01 01:00:00.000000000 +0100
+++ curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch 2025-07-19 21:04:59.000000000 +0200
@@ -0,0 +1,31 @@
+From 18426669b329f63ff4798275a427f605e42576a6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 15 Jul 2025 08:37:03 +0200
+Subject: [PATCH] http_chunks: reset the trailer to avoid memory leak
+
+Brought-by: dheerajsangamkar on github
+URL: https://github.com/curl/curl/issues/17749
+---
+ lib/http_chunks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/http_chunks.c b/lib/http_chunks.c
+index bda00d3833..867a8b4fbf 100644
+--- a/lib/http_chunks.c
++++ b/lib/http_chunks.c
+@@ -228,11 +228,11 @@ CHUNKcode Curl_httpchunk_read(struct Curl_easy *data,
+ if(result) {
+ *extrap = result;
+ return CHUNKE_PASSTHRU_ERROR;
+ }
+ }
+- Curl_dyn_reset(&conn->trailer);
++ Curl_dyn_free(&conn->trailer);
+ ch->state = CHUNK_TRAILER_CR;
+ if(*datap == 0x0a)
+ /* already on the LF */
+ break;
+ }
+--
+2.50.0
+
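Review bot: the patch subject says "reset the trailer", but the one-line change in Curl_httpchunk_read replaces Curl_dyn_reset(&conn->trailer) with Curl_dyn_free(&conn->trailer), and the patch header has no body explaining why. Add a sentence to the description stating that the trailer allocation is now released rather than kept, and that conn->trailer remains safe to append to afterwards, since that is the use-after-free question the request raises and the hunk's context does not show the next use of the buffer.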
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series 2025-06-17 01:56:01.000000000 +0200
+++ curl-7.88.1/debian/patches/series 2025-07-19 21:04:59.000000000 +0200
@@ -68,6 +68,10 @@
fix-CVE-2023-27534-regression-1.patch
fix-CVE-2023-27534-regression-2.patch
+# Fix memory leak reported at https://github.com/curl/curl/issues/17749 and
+# https://curl.se/mail/distros-2025-07/0001.html
+0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch
+
# Do not add patches below.
# Used to generate packages for the other crypto libraries.
90_gnutls.patch
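Review bot: the new series entry keeps the git format-patch "0001-" prefix, unlike the descriptively named neighbours such as fix-CVE-2023-27534-regression-2.patch. Consider dropping the numeric prefix so the filename does not imply an ordering within the series; the placement above the "Do not add patches below." marker and the comment pointing at the upstream issue and the distros mail are fine as they are.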