
Bug#1109545: marked as done (bookworm-pu: package curl/7.88.1-10+deb12u14)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1109545,
regarding bookworm-pu: package curl/7.88.1-10+deb12u14
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109545: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109545
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
package: release.debian.org
control: affects -1 + src:curl
x-debbugs-cc: curl@packages.debian.org
user: release.debian.org@packages.debian.org
usertags: pu
tags: bookworm
severity: normal

[ reason ]
curl upstream has reached out to report a memory-leak affecting the version we
ship in bookworm [0].

This problem was inadvertently fixed for trixie in a refactor of the affected
code.

I suspect this problem also affects bullseye but I have not looked into it yet,
for now I'd like to fix it in bookworm.

[ impact ]
This is fixing a memory-leak.

The leak is small, within the bytes range, and likely to not be noticed by a
lot of users, but there was a request to fix it and the patch is simple.

[ tests ]
curl has an extensive testsuite and all tests passed; curl also contains a lot
of reverse-dependencies in the archive and their debci results will reduce the
likelihood of regressions.

[ risks ]
Given the patch is freeing a buffer instead of resetting it, there's a risk of
introducing a UAF.

I have analyzed the code and have not spotted any problems with it; on top of
this, Daniel Stenberg also acked the patch [0].

[ checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] i reviewed all changes and i approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ changes ]
There's a single change which is adding a patch vetted by the upstream
developer.

The patch modifies a single line of code to free a buffer instead of resetting
it and keeping the allocation.

[ other info ]
Discussion in GitHub:
https://github.com/curl/curl/issues/17749

[0] https://curl.se/mail/distros-2025-07/0001.html

-- 
Samuel Henrique <samueloph>
diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog	2025-06-17 01:56:01.000000000 +0200
+++ curl-7.88.1/debian/changelog	2025-07-19 21:04:59.000000000 +0200
@@ -1,3 +1,11 @@
+curl (7.88.1-10+deb12u14) bookworm; urgency=medium
+
+  * d/p/0001-http_chunks-reset...: New patch to fix memory leak:
+    - Thanks to Daniel Stenberg and dheerajsangamkar for reporting the issue
+      and writing a patch
+
+ -- Samuel Henrique <samueloph@debian.org>  Sat, 19 Jul 2025 21:04:59 +0200
+
 curl (7.88.1-10+deb12u13) bookworm; urgency=medium
 
   * Team upload.
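Review bot: The new changelog bullet "d/p/0001-http_chunks-reset...: New patch to fix memory leak" elides the patch file name and does not say where the leak is. Spell the file name out as it appears in debian/patches/series and add the upstream issue URL (https://github.com/curl/curl/issues/17749), so the entry can be found by grep and traced without opening the patch.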
diff -Nru curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch
--- curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch	2025-07-19 21:04:59.000000000 +0200
@@ -0,0 +1,31 @@
+From 18426669b329f63ff4798275a427f605e42576a6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 15 Jul 2025 08:37:03 +0200
+Subject: [PATCH] http_chunks: reset the trailer to avoid memory leak
+
+Brought-by: dheerajsangamkar on github
+URL: https://github.com/curl/curl/issues/17749
+---
+ lib/http_chunks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/http_chunks.c b/lib/http_chunks.c
+index bda00d3833..867a8b4fbf 100644
+--- a/lib/http_chunks.c
++++ b/lib/http_chunks.c
+@@ -228,11 +228,11 @@ CHUNKcode Curl_httpchunk_read(struct Curl_easy *data,
+             if(result) {
+               *extrap = result;
+               return CHUNKE_PASSTHRU_ERROR;
+             }
+           }
+-          Curl_dyn_reset(&conn->trailer);
++          Curl_dyn_free(&conn->trailer);
+           ch->state = CHUNK_TRAILER_CR;
+           if(*datap == 0x0a)
+             /* already on the LF */
+             break;
+         }
+-- 
+2.50.0
+
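Review bot: The subject line says "reset the trailer", but the one changed line in Curl_httpchunk_read replaces Curl_dyn_reset(&conn->trailer) with Curl_dyn_free(&conn->trailer), and the commit message gives no reason why freeing is safe at that point. The request's own risk section names use-after-free as the concern, so the patch header should state what guarantees that nothing reads conn->trailer after this line before it is appended to again. The diffstat touches only lib/http_chunks.c, so no test case accompanies the change; a note on how the leak was reproduced and checked would help, and DEP-3 fields (Origin, Bug) could sit alongside the existing URL line.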
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series	2025-06-17 01:56:01.000000000 +0200
+++ curl-7.88.1/debian/patches/series	2025-07-19 21:04:59.000000000 +0200
@@ -68,6 +68,10 @@
 fix-CVE-2023-27534-regression-1.patch
 fix-CVE-2023-27534-regression-2.patch
 
+# Fix memory leak reported at https://github.com/curl/curl/issues/17749 and
+# https://curl.se/mail/distros-2025-07/0001.html
+0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch
+
 # Do not add patches below.
 # Used to generate packages for the other crypto libraries.
 90_gnutls.patch
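Review bot: The added entry keeps the git format-patch "0001-" prefix, unlike the descriptive names just above it (fix-CVE-2023-27534-regression-2.patch), and the prefix becomes ambiguous if another format-patch export is added later. Consider dropping the numeric prefix from the file name. The comment carrying both URLs and the placement above "# Do not add patches below." are fine as they are.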

--- End Message ---
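The distinction the request above rests on, resetting a dynamic buffer versus freeing it, shown as an added example that is not part of the original message and is not curl's code. `struct dbuf` and its functions are hypothetical stand-ins for curl's dynbuf, and the trailer line is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal dynamic buffer for illustration; not curl's dynbuf. */
struct dbuf { char *ptr; size_t len; size_t cap; };

static int dbuf_add(struct dbuf *b, const char *src, size_t n) {
  if(b->len + n > b->cap) {
    char *p = realloc(b->ptr, b->len + n);
    if(!p) return -1;
    b->ptr = p;
    b->cap = b->len + n;
  }
  memcpy(b->ptr + b->len, src, n);
  b->len += n;
  return 0;
}

/* reset: drop the content but keep the allocation for reuse */
static void dbuf_reset(struct dbuf *b) { b->len = 0; }

/* free: release the allocation and clear the fields for safe reuse */
static void dbuf_free(struct dbuf *b) {
  free(b->ptr);
  b->ptr = NULL;
  b->len = b->cap = 0;
}

/* Return the bytes still allocated after finishing with reset or free. */
size_t bytes_held_after(int use_free) {
  struct dbuf trailer = {NULL, 0, 0};
  const char *line = "X-Checksum: abc\r\n"; /* constructed sample */
  size_t held;
  if(dbuf_add(&trailer, line, strlen(line))) return (size_t)-1;
  (use_free ? dbuf_free : dbuf_reset)(&trailer);
  held = trailer.cap;
  dbuf_free(&trailer); /* the demo itself cleans up either way */
  return held;
}

/* After free, the buffer must read as empty and accept the next add. */
int reusable_after_free(void) {
  struct dbuf b = {NULL, 0, 0};
  int ok = !dbuf_add(&b, "a", 1);
  dbuf_free(&b);
  ok = ok && !b.ptr && !b.len && !dbuf_add(&b, "bc", 2) && b.len == 2;
  dbuf_free(&b);
  return ok;
}
```

With reset, the 17 bytes of the sample line stay allocated until some later code frees them; with free, nothing is held, and the cleared pointer is what keeps a later add from touching released memory.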
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---