Bug#1114684: trixie-pu: package libhtp/1:0.5.50-1+deb13u1
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: libhtp@packages.debian.org, security@debian.org
Control: affects -1 + src:libhtp
User: release.debian.org@packages.debian.org
Usertags: pu
* CVE-2025-53537: memory leak with LZMA (Closes: #1109838)
diffstat for libhtp-0.5.50 libhtp-0.5.50
changelog | 7 ++
patches/0001-decompressors-fix-leak-in-lzma-error-case.patch | 27 +++++++++++
patches/series | 1
3 files changed, 35 insertions(+)
diff -Nru libhtp-0.5.50/debian/changelog libhtp-0.5.50/debian/changelog
--- libhtp-0.5.50/debian/changelog 2025-03-18 10:04:23.000000000 +0200
+++ libhtp-0.5.50/debian/changelog 2025-09-08 15:03:54.000000000 +0300
@@ -1,3 +1,10 @@
+libhtp (1:0.5.50-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-53537: memory leak with LZMA (Closes: #1109838)
+
+ -- Adrian Bunk <bunk@debian.org> Mon, 08 Sep 2025 15:03:54 +0300
+
libhtp (1:0.5.50-1) unstable; urgency=medium
* New upstream release.
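Review bot: the CVE-2025-53537 line in the new changelog entry does not say which patch carries the fix. Consider naming it, for example by appending "(0001-decompressors-fix-leak-in-lzma-error-case.patch)" or the upstream commit id from the patch header, so the entry can be traced without opening the debdiff.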
diff -Nru libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch
--- libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch 1970-01-01 02:00:00.000000000 +0200
+++ libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch 2025-09-08 15:03:54.000000000 +0300
@@ -0,0 +1,27 @@
+From e49cc779e0b4333354057b40c25c453af6aef61f Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <contact@catenacyber.fr>
+Date: Tue, 17 Jun 2025 10:12:47 +0200
+Subject: decompressors: fix leak in lzma error case
+
+Ticket: 7766
+---
+ htp/htp_decompressors.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/htp/htp_decompressors.c b/htp/htp_decompressors.c
+index d66b6e8..02afd37 100644
+--- a/htp/htp_decompressors.c
++++ b/htp/htp_decompressors.c
+@@ -350,6 +350,9 @@ restart:
+ // There is data even if there is an error
+ // So use this data and log a warning
+ htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc);
++ if (drec->zlib_initialized == HTP_COMPRESSION_LZMA) {
++ LzmaDec_Free(&drec->state, &lzma_Alloc);
++ }
+ drec->zlib_initialized = HTP_COMPRESSION_OVER;
+ return HTP_ERROR;
+ }
+--
+2.30.2
+
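Review bot: in the htp/htp_decompressors.c hunk, the added LzmaDec_Free() call sits directly under a warning that reads "GZip decompressor: inflate failed with %d", so when the LZMA branch is taken the failure is still logged as a GZip/inflate error. That is acceptable for a minimal stable update, but it is worth raising upstream. The free is correctly placed before "drec->zlib_initialized = HTP_COMPRESSION_OVER;" because the check reads the old state. Please confirm that the decompressor's destroy path does not call LzmaDec_Free() a second time once the state is HTP_COMPRESSION_OVER. The patch header also carries only "Ticket: 7766" with no Origin or Bug-Debian field; adding those would tie the file to the upstream commit and to #1109838.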
diff -Nru libhtp-0.5.50/debian/patches/series libhtp-0.5.50/debian/patches/series
--- libhtp-0.5.50/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ libhtp-0.5.50/debian/patches/series 2025-09-08 15:03:54.000000000 +0300
@@ -0,0 +1 @@
+0001-decompressors-fix-leak-in-lzma-error-case.patch