Bug#1110259: unblock: libhtp/1:0.5.51-1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libhtp@packages.debian.org
Control: affects -1 + src:libhtp
Please unblock package libhtp
In order to fix CVE-2025-53537 (i.e. #1109838) [1] I would like to
upload the upstream version that fixes this to unstable and have it
granted into testing to be included in trixie.
The fix is very small, see [2]. The upstream version does not introduce
any new features, only fixes: this one and another small fix.
This is why I ask for the new upstream version to be allowed instead of
fixing the issue by backporting to 0.5.50.
Please let me know once I can upload the code to unstable.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109838
[2] https://github.com/OISF/libhtp/security/advisories/GHSA-v3qq-h8mh-vph7
[3] https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7
[ Reason ]
Fix a security bug in a library used by the Suricata IDS.
[ Impact ]
A security issue would remain in a package in trixie, in which a
traffic-induced memory leak can starve the process of memory,
leading to loss of visibility.
[ Tests ]
The issue was found via OSS-Fuzz [4] and is verified as fixed there.
libhtp in its fixed version was tested using GitHub Actions upstream [5].
[4] https://issues.oss-fuzz.com/issues/425041683?pli=1
[5] https://github.com/OISF/libhtp/actions
[ Risks ]
Low risk. Code fix is small and targeted, and comes from the main
developers.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock libhtp/1:0.5.51-1
diff -Nru libhtp-0.5.50/ChangeLog libhtp-0.5.51/ChangeLog
--- libhtp-0.5.50/ChangeLog 2025-03-18 06:53:49.000000000 +0100
+++ libhtp-0.5.51/ChangeLog 2025-07-07 08:34:10.000000000 +0200
@@ -1,3 +1,10 @@
+0.5.51 (07 July 2025)
+---------------------
+
+- decompressors: fix leak in lzma error case
+
+- request: do not fully error on data after HTTP/0.9
+
0.5.50 (18 March 2025)
----------------------
diff -Nru libhtp-0.5.50/debian/changelog libhtp-0.5.51/debian/changelog
--- libhtp-0.5.50/debian/changelog 2025-03-18 09:04:23.000000000 +0100
+++ libhtp-0.5.51/debian/changelog 2025-08-02 11:55:15.000000000 +0200
@@ -1,3 +1,12 @@
+libhtp (1:0.5.51-1) unstable; urgency=medium
+
+ * New upstream release fixing security issue CVE-2025-53537.
+ See https://redmine.openinfosecfoundation.org/issues/7766.
+ This is just a very minor bugfix release with no additional features.
+ Closes: #1109838
+
+ -- Sascha Steinbiss <satta@debian.org> Sat, 02 Aug 2025 11:55:15 +0200
+
libhtp (1:0.5.50-1) unstable; urgency=medium
* New upstream release.
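Review bot: the new changelog entry documents only the CVE-2025-53537 fix, but the upstream ChangeLog in this same debdiff also lists "request: do not fully error on data after HTTP/0.9", which changes parser behaviour for real traffic; the release team will want that change named here (one extra bullet) rather than folded into "very minor bugfix release with no additional features", so the record of what entered trixie is complete.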
diff -Nru libhtp-0.5.50/htp/htp_decompressors.c libhtp-0.5.51/htp/htp_decompressors.c
--- libhtp-0.5.50/htp/htp_decompressors.c 2025-03-18 06:53:49.000000000 +0100
+++ libhtp-0.5.51/htp/htp_decompressors.c 2025-07-07 08:34:10.000000000 +0200
@@ -350,6 +350,9 @@
// There is data even if there is an error
// So use this data and log a warning
htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc);
+ if (drec->zlib_initialized == HTP_COMPRESSION_LZMA) {
+ LzmaDec_Free(&drec->state, &lzma_Alloc);
+ }
drec->zlib_initialized = HTP_COMPRESSION_OVER;
return HTP_ERROR;
}
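Review bot: the warning on the line above the new block still reads "GZip decompressor: inflate failed with %d", yet the added `if (drec->zlib_initialized == HTP_COMPRESSION_LZMA)` shows this error path is shared with the LZMA decoder; consider naming the actual decoder in the message (or dropping "GZip") so an operator reading the log is not pointed at the wrong codec. On the fix itself: calling LzmaDec_Free here and then setting `drec->zlib_initialized = HTP_COMPRESSION_OVER` is only correct if the regular teardown keys off that value and skips its own LzmaDec_Free once the state is HTP_COMPRESSION_OVER; otherwise this turns a leak into a double free, so that teardown path should be checked. The same question applies to the zlib branch: this path sets HTP_COMPRESSION_OVER for every compression type but only releases LZMA state, so either inflateEnd already runs before this return for gzip/deflate, or that case leaks in the same way and deserves the matching free.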
diff -Nru libhtp-0.5.50/htp/htp_request.c libhtp-0.5.51/htp/htp_request.c
--- libhtp-0.5.50/htp/htp_request.c 2025-03-18 06:53:49.000000000 +0100
+++ libhtp-0.5.51/htp/htp_request.c 2025-07-07 08:34:10.000000000 +0200
@@ -1006,7 +1006,8 @@
}
// Sanity check: we must have a transaction pointer if the state is not IDLE (no inbound transaction)
- if ((connp->in_tx == NULL)&&(connp->in_state != htp_connp_REQ_IDLE)) {
+ if ((connp->in_tx == NULL)&&
+ (connp->in_state != htp_connp_REQ_IDLE && connp->in_state != htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9)) {
connp->in_status = HTP_STREAM_ERROR;
htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Missing inbound transaction data");
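Review bot: exempting htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9 from the sanity check means connp->in_tx may now legitimately be NULL while data is still being fed to the request parser in that state; confirm the handler for that state never dereferences connp->in_tx, because the check that previously caught a missing transaction and set HTP_STREAM_ERROR no longer fires for it. A one-line comment on the exemption (for example "// no transaction exists once an HTTP/0.9 request has completed; trailing bytes are discarded") would document why this state is special. Style: the condition is now split with `&&` at the end of the first line and the two state comparisons grouped on the second, which is fine, but `(connp->in_tx == NULL)&&` would read better with spaces around the operator.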
diff -Nru libhtp-0.5.50/VERSION libhtp-0.5.51/VERSION
--- libhtp-0.5.50/VERSION 2025-03-18 06:53:49.000000000 +0100
+++ libhtp-0.5.51/VERSION 2025-07-07 08:34:10.000000000 +0200
@@ -1,2 +1,2 @@
# This file is intended to be sourced by sh
-PKG_VERSION=0.5.50
+PKG_VERSION=0.5.51