Your message dated Thu, 14 Aug 2025 13:52:43 +0200
with message-id <[email protected]>
and subject line close all open unblock requests, the trixie release happened
has caused the Debian Bug report #1110259,
regarding unblock: libhtp/1:0.5.51-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1110259: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110259
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libhtp

Please unblock package libhtp

In order to fix CVE-2025-53537 (i.e. #1109838) [1] I would like to
upload the upstream version that fixes this to unstable and have it
granted into testing to be included in trixie.
The fix is very small, see [2]. The upstream version does not introduce
any new features besides fixes, this one and another small fix.
This is why I ask for the new upstream version to be allowed instead of
fixing the issue by backporting to 0.5.50.

Please let me know once I can upload the code to unstable.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109838
[2] https://github.com/OISF/libhtp/security/advisories/GHSA-v3qq-h8mh-vph7
[3] https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7

[ Reason ]
Fix a security bug in a library used by the Suricata IDS.

[ Impact ]
A security issue would remain in a package in trixie, in which a
traffic-induced memory leak can starve the process of memory,
leading to loss of visibility.

[ Tests ]
The issue was found via OSS-Fuzz [4] and is verified as fixed there.
libhtp in its fixed version was tested using GitHub Actions upstream [5].

[4] https://issues.oss-fuzz.com/issues/425041683?pli=1
[5] https://github.com/OISF/libhtp/actions

[ Risks ]
Low risk. Code fix is small and targeted, and comes from the main
developers.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock libhtp/1:0.5.51-1
diff -Nru libhtp-0.5.50/ChangeLog libhtp-0.5.51/ChangeLog
--- libhtp-0.5.50/ChangeLog     2025-03-18 06:53:49.000000000 +0100
+++ libhtp-0.5.51/ChangeLog     2025-07-07 08:34:10.000000000 +0200
@@ -1,3 +1,10 @@
+0.5.51 (07 July 2025)
+---------------------
+
+- decompressors: fix leak in lzma error case
+
+- request: do not fully error on data after HTTP/0.9
+
 0.5.50 (18 March 2025)
 ----------------------
 
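Review bot: the two new 0.5.51 entries do not tie "- decompressors: fix leak in lzma error case" to CVE-2025-53537 or to the GHSA advisory cited in the request, so nobody reading the upstream ChangeLog alone can match the entry to the advisory; consider appending the identifier to that line (this is upstream's file, so the point is mainly for the upstream submission, while the CVE is correctly recorded in debian/changelog below).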
diff -Nru libhtp-0.5.50/debian/changelog libhtp-0.5.51/debian/changelog
--- libhtp-0.5.50/debian/changelog      2025-03-18 09:04:23.000000000 +0100
+++ libhtp-0.5.51/debian/changelog      2025-08-02 11:55:15.000000000 +0200
@@ -1,3 +1,12 @@
+libhtp (1:0.5.51-1) unstable; urgency=medium
+
+  * New upstream release fixing security issue CVE-2025-53537.
+    See https://redmine.openinfosecfoundation.org/issues/7766.
+    This is just a very minor bugfix release with no additional features.
+    Closes: #1109838
+
+ -- Sascha Steinbiss <[email protected]>  Sat, 02 Aug 2025 11:55:15 +0200
+
 libhtp (1:0.5.50-1) unstable; urgency=medium
 
   * New upstream release.
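Review bot: the debian/changelog entry mentions only the CVE-2025-53537 fix, but the upstream ChangeLog in this same debdiff lists a second behavioural change ("request: do not fully error on data after HTTP/0.9") that touches htp_request.c; since the checklist states that all changes are documented in d/changelog, add a line for that second fix so the release team sees both changes when reviewing the unblock.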
diff -Nru libhtp-0.5.50/htp/htp_decompressors.c 
libhtp-0.5.51/htp/htp_decompressors.c
--- libhtp-0.5.50/htp/htp_decompressors.c       2025-03-18 06:53:49.000000000 
+0100
+++ libhtp-0.5.51/htp/htp_decompressors.c       2025-07-07 08:34:10.000000000 
+0200
@@ -350,6 +350,9 @@
                 // There is data even if there is an error
                 // So use this data and log a warning
                 htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip 
decompressor: inflate failed with %d", rc);
+                if (drec->zlib_initialized == HTP_COMPRESSION_LZMA) {
+                    LzmaDec_Free(&drec->state, &lzma_Alloc);
+                }
                 drec->zlib_initialized = HTP_COMPRESSION_OVER;
                 return HTP_ERROR;
             }
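Review bot: the warning logged just before the added block still reads "GZip decompressor: inflate failed with %d" even on the path where drec->zlib_initialized == HTP_COMPRESSION_LZMA, so LZMA failures are logged under the wrong decompressor name; consider making the message depend on the compression type. The ordering of the new LzmaDec_Free(&drec->state, &lzma_Alloc) followed by the existing drec->zlib_initialized = HTP_COMPRESSION_OVER is correct, as the state change prevents a second free on a later call; whether the zlib-based paths release their own state in this error branch is not visible in the hunk and is worth confirming.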
diff -Nru libhtp-0.5.50/htp/htp_request.c libhtp-0.5.51/htp/htp_request.c
--- libhtp-0.5.50/htp/htp_request.c     2025-03-18 06:53:49.000000000 +0100
+++ libhtp-0.5.51/htp/htp_request.c     2025-07-07 08:34:10.000000000 +0200
@@ -1006,7 +1006,8 @@
     }
 
     // Sanity check: we must have a transaction pointer if the state is not 
IDLE (no inbound transaction)
-    if ((connp->in_tx == NULL)&&(connp->in_state != htp_connp_REQ_IDLE)) {
+    if ((connp->in_tx == NULL)&&
+        (connp->in_state != htp_connp_REQ_IDLE && connp->in_state != 
htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9)) {
         connp->in_status = HTP_STREAM_ERROR;
 
         htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Missing inbound 
transaction data");
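Review bot: the comment above the condition ("we must have a transaction pointer if the state is not IDLE") is now stale, since the check also accepts htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9 without a transaction; update it to say why that state legitimately has connp->in_tx == NULL. The state constant is not defined anywhere in this debdiff, so it must already exist in 0.5.50; worth confirming rather than assuming, since a typo here would only surface as a compile error at build time.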
diff -Nru libhtp-0.5.50/VERSION libhtp-0.5.51/VERSION
--- libhtp-0.5.50/VERSION       2025-03-18 06:53:49.000000000 +0100
+++ libhtp-0.5.51/VERSION       2025-07-07 08:34:10.000000000 +0200
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.50
+PKG_VERSION=0.5.51

--- End Message ---
--- Begin Message ---
Hi,

I'm sorry we couldn't unblock your request in time for trixie. I'm closing all open unblock requests in one go, so I'm not going into details of the particular request, but reasons are typically as follows:
- the request came after the deadline of 2025-07-30
- the request came late and we just didn't have the time to deal with it
- the request was waiting for action from the submitter (moreinfo tag)
- the request didn't appear to be in line with the freeze policy and we
  didn't have the energy to engage (sorry for that, see our FAQ [1])
- there was discussion in the unblock request but no agreement was
  reached in time for the release.

Paul

[1] https://release.debian.org/trixie/FAQ.html



--- End Message ---
