
Bug#1110259: marked as done (unblock: libhtp/1:0.5.51-1)



Your message dated Thu, 14 Aug 2025 13:52:43 +0200
with message-id <906e549b-f761-4c21-b196-54e704c4bee0@debian.org>
and subject line close all open unblock requests, the trixie release happened
has caused the Debian Bug report #1110259,
regarding unblock: libhtp/1:0.5.51-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1110259: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110259
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libhtp@packages.debian.org
Control: affects -1 + src:libhtp

Please unblock package libhtp

In order to fix CVE-2025-53537 (i.e. #1109838) [1] I would like to
upload the upstream version that fixes this to unstable and have it
granted into testing to be included in trixie.
The fix is very small, see [2]. The upstream version does not introduce
any new features besides fixes, this one and another small fix.
This is why I ask for the new upstream version to be allowed instead of
fixing the issue by backporting to 0.5.50.

Please let me know once I can upload the code to unstable.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109838
[2] https://github.com/OISF/libhtp/security/advisories/GHSA-v3qq-h8mh-vph7
[3] https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7

[ Reason ]
Fix a security bug in a library used by the Suricata IDS.

[ Impact ]
A security issue would remain in a package in trixie, in which a
traffic-induced memory leak can starve the process of memory,
leading to loss of visibility.

[ Tests ]
The issue was found via OSS-Fuzz [4] and is verified as fixed there.
libhtp in its fixed version was tested using GitHub Actions upstream [5].

[4] https://issues.oss-fuzz.com/issues/425041683?pli=1
[5] https://github.com/OISF/libhtp/actions

[ Risks ]
Low risk. Code fix is small and targeted, and comes from the main
developers.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock libhtp/1:0.5.51-1
diff -Nru libhtp-0.5.50/ChangeLog libhtp-0.5.51/ChangeLog
--- libhtp-0.5.50/ChangeLog	2025-03-18 06:53:49.000000000 +0100
+++ libhtp-0.5.51/ChangeLog	2025-07-07 08:34:10.000000000 +0200
@@ -1,3 +1,10 @@
+0.5.51 (07 July 2025)
+---------------------
+
+- decompressors: fix leak in lzma error case
+
+- request: do not fully error on data after HTTP/0.9
+
 0.5.50 (18 March 2025)
 ----------------------
 
diff -Nru libhtp-0.5.50/debian/changelog libhtp-0.5.51/debian/changelog
--- libhtp-0.5.50/debian/changelog	2025-03-18 09:04:23.000000000 +0100
+++ libhtp-0.5.51/debian/changelog	2025-08-02 11:55:15.000000000 +0200
@@ -1,3 +1,12 @@
+libhtp (1:0.5.51-1) unstable; urgency=medium
+
+  * New upstream release fixing security issue CVE-2025-53537.
+    See https://redmine.openinfosecfoundation.org/issues/7766.
+    This is just a very minor bugfix release with no additional features.
+    Closes: #1109838
+
+ -- Sascha Steinbiss <satta@debian.org>  Sat, 02 Aug 2025 11:55:15 +0200
+
 libhtp (1:0.5.50-1) unstable; urgency=medium
 
   * New upstream release.
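Review bot: the changelog entry names only the CVE fix, but the upstream ChangeLog in the same debdiff lists a second behavioural change ("request: do not fully error on data after HTTP/0.9"); mention it here too so that anyone reviewing the unblock sees from d/changelog that the release is not purely the security fix.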
diff -Nru libhtp-0.5.50/htp/htp_decompressors.c libhtp-0.5.51/htp/htp_decompressors.c
--- libhtp-0.5.50/htp/htp_decompressors.c	2025-03-18 06:53:49.000000000 +0100
+++ libhtp-0.5.51/htp/htp_decompressors.c	2025-07-07 08:34:10.000000000 +0200
@@ -350,6 +350,9 @@
                 // There is data even if there is an error
                 // So use this data and log a warning
                 htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc);
+                if (drec->zlib_initialized == HTP_COMPRESSION_LZMA) {
+                    LzmaDec_Free(&drec->state, &lzma_Alloc);
+                }
                 drec->zlib_initialized = HTP_COMPRESSION_OVER;
                 return HTP_ERROR;
             }
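Review bot: the warning logged directly above the new block still reads "GZip decompressor: inflate failed with %d" even though this branch now explicitly handles the LZMA case; consider a decoder-neutral message, or one that names the active decompressor from drec->zlib_initialized, so the log is not misleading when the LZMA path is taken. The ordering itself looks right: LzmaDec_Free runs before drec->zlib_initialized is set to HTP_COMPRESSION_OVER, so, assuming the destroy path is keyed on that field, the state will not be freed a second time.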
diff -Nru libhtp-0.5.50/htp/htp_request.c libhtp-0.5.51/htp/htp_request.c
--- libhtp-0.5.50/htp/htp_request.c	2025-03-18 06:53:49.000000000 +0100
+++ libhtp-0.5.51/htp/htp_request.c	2025-07-07 08:34:10.000000000 +0200
@@ -1006,7 +1006,8 @@
     }
 
     // Sanity check: we must have a transaction pointer if the state is not IDLE (no inbound transaction)
-    if ((connp->in_tx == NULL)&&(connp->in_state != htp_connp_REQ_IDLE)) {
+    if ((connp->in_tx == NULL)&&
+        (connp->in_state != htp_connp_REQ_IDLE && connp->in_state != htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9)) {
         connp->in_status = HTP_STREAM_ERROR;
 
         htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Missing inbound transaction data");
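Review bot: the comment above the condition ("we must have a transaction pointer if the state is not IDLE") is now inaccurate, since htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9 is a second state in which in_tx may legitimately be NULL; update the comment to name both exceptions. Minor style: the `&&` on the first line has no surrounding spaces, and the new second line is well over 100 columns; putting each state check on its own line would keep it readable.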
diff -Nru libhtp-0.5.50/VERSION libhtp-0.5.51/VERSION
--- libhtp-0.5.50/VERSION	2025-03-18 06:53:49.000000000 +0100
+++ libhtp-0.5.51/VERSION	2025-07-07 08:34:10.000000000 +0200
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.50
+PKG_VERSION=0.5.51

--- End Message ---
--- Begin Message ---
Hi,

I'm sorry we couldn't unblock your request in time for trixie. I'm closing all open unblock requests in one go, so I'm not going into details of the particular request, but reasons are typically as follows:
- the request came after the deadline of 2025-07-30
- the request came late and we just didn't have the time to deal with it
- the request was waiting for action from the submitter (moreinfo tag)
- the request didn't appear to be in line with the freeze policy and we
  didn't have the energy to engage (sorry for that, see our FAQ [1])
- there was discussion in the unblock request but no agreement was
  reached in time for the release.

Paul

[1] https://release.debian.org/trixie/FAQ.html



--- End Message ---
