Your message dated Sat, 15 Nov 2025 11:21:45 +0000 with message-id <736c7150dc08501cc89945035c406eaf9688e144.camel@adam-barratt.org.uk> and subject line Closing requests for updates included in 13.2 has caused the Debian Bug report #1114684, regarding trixie-pu: package libhtp/1:0.5.50-1+deb13u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1114684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114684
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: trixie-pu: package libhtp/1:0.5.50-1+deb13u1
- From: Adrian Bunk <bunk@debian.org>
- Date: Mon, 08 Sep 2025 16:37:34 +0300
- Message-id: <175733865449.1590058.15557065606872764909.reportbug@localhost>
Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: libhtp@packages.debian.org, security@debian.org Control: affects -1 + src:libhtp User: release.debian.org@packages.debian.org Usertags: pu * CVE-2025-53537: memory leak with LZMA (Closes: #1109838)diffstat for libhtp-0.5.50 libhtp-0.5.50 changelog | 7 ++ patches/0001-decompressors-fix-leak-in-lzma-error-case.patch | 27 +++++++++++ patches/series | 1 3 files changed, 35 insertions(+) diff -Nru libhtp-0.5.50/debian/changelog libhtp-0.5.50/debian/changelog --- libhtp-0.5.50/debian/changelog 2025-03-18 10:04:23.000000000 +0200 +++ libhtp-0.5.50/debian/changelog 2025-09-08 15:03:54.000000000 +0300 @@ -1,3 +1,10 @@ +libhtp (1:0.5.50-1+deb13u1) trixie; urgency=medium + + * Non-maintainer upload. + * CVE-2025-53537: memory leak with LZMA (Closes: #1109838) + + -- Adrian Bunk <bunk@debian.org> Mon, 08 Sep 2025 15:03:54 +0300 + libhtp (1:0.5.50-1) unstable; urgency=medium * New upstream release. diff -Nru libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch --- libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch 1970-01-01 02:00:00.000000000 +0200 +++ libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch 2025-09-08 15:03:54.000000000 +0300 
@@ -0,0 +1,27 @@ +From e49cc779e0b4333354057b40c25c453af6aef61f Mon Sep 17 00:00:00 2001 +From: Philippe Antoine <contact@catenacyber.fr> +Date: Tue, 17 Jun 2025 10:12:47 +0200 +Subject: decompressors: fix leak in lzma error case + +Ticket: 7766 +--- + htp/htp_decompressors.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/htp/htp_decompressors.c b/htp/htp_decompressors.c +index d66b6e8..02afd37 100644 +--- a/htp/htp_decompressors.c ++++ b/htp/htp_decompressors.c +@@ -350,6 +350,9 @@ restart: + // There is data even if there is an error + // So use this data and log a warning + htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc); ++ if (drec->zlib_initialized == HTP_COMPRESSION_LZMA) { ++ LzmaDec_Free(&drec->state, &lzma_Alloc); ++ } + drec->zlib_initialized = HTP_COMPRESSION_OVER; + return HTP_ERROR; + } +-- +2.30.2 + diff -Nru libhtp-0.5.50/debian/patches/series libhtp-0.5.50/debian/patches/series --- libhtp-0.5.50/debian/patches/series 1970-01-01 02:00:00.000000000 +0200 +++ libhtp-0.5.50/debian/patches/series 2025-09-08 15:03:54.000000000 +0300 @@ -0,0 +1 @@ +0001-decompressors-fix-leak-in-lzma-error-case.patch
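Review bot: In the htp/htp_decompressors.c hunk, the new LzmaDec_Free call sits directly under a warning that still reads "GZip decompressor: inflate failed with %d", so when this error path is reached with LZMA state the log names the wrong decompressor; consider selecting the message from drec->zlib_initialized. The free depends on the old value of zlib_initialized and must stay ahead of the assignment to HTP_COMPRESSION_OVER, so a one-line comment saying that would guard against a later reorder bringing the leak back. The visible context shows only this one error return; it is worth confirming that any other exit in the function that sets HTP_COMPRESSION_OVER also releases the LZMA state.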
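Review bot: The header of debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch carries the upstream commit id and "Ticket: 7766" but no DEP-3 fields, so the patch file on its own does not say which Debian bug or CVE it addresses. Adding an Origin: line pointing at the upstream commit and Bug-Debian: https://bugs.debian.org/1109838 would tie it to CVE-2025-53537 and to the bug the changelog entry closes.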
--- End Message ---
--- Begin Message ---
- Subject: Closing requests for updates included in 13.2
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 15 Nov 2025 11:21:45 +0000
- Message-id: <736c7150dc08501cc89945035c406eaf9688e144.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 13.2

Hi,

The updates referenced in each of these bugs were included in today's 13.2 trixie point release.

Regards,

Adam
--- End Message ---