Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libhtp
Please unblock package libhtp

In order to fix CVE-2025-53537 (i.e. #1109838) [1] I would like to upload the upstream version that fixes this to unstable and have it granted into testing to be included in trixie. The fix is very small, see [2]. The upstream version does not introduce any new features besides fixes, this one and another small fix. This is why I ask for the new upstream version to be allowed instead of fixing the issue by backporting to 0.5.50.

Please let me know once I can upload the code to unstable.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109838
[2] https://github.com/OISF/libhtp/security/advisories/GHSA-v3qq-h8mh-vph7
[3] https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7

[ Reason ]
Fix a security bug in a library used by the Suricata IDS.

[ Impact ]
A security issue would remain in a package in trixie, in which a traffic-induced memory leak can starve the process of memory, leading to loss of visibility.

[ Tests ]
The issue was found via OSS-Fuzz [4] and is verified as fixed there. libhtp in its fixed version was tested using GitHub Actions upstream [5].

[4] https://issues.oss-fuzz.com/issues/425041683?pli=1
[5] https://github.com/OISF/libhtp/actions

[ Risks ]
Low risk. Code fix is small and targeted, and comes from the main developers.

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

unblock libhtp/1:0.5.51-1
diff -Nru libhtp-0.5.50/ChangeLog libhtp-0.5.51/ChangeLog --- libhtp-0.5.50/ChangeLog 2025-03-18 06:53:49.000000000 +0100 +++ libhtp-0.5.51/ChangeLog 2025-07-07 08:34:10.000000000 +0200 @@ -1,3 +1,10 @@ +0.5.51 (07 July 2025) +--------------------- + +- decompressors: fix leak in lzma error case + +- request: do not fully error on data after HTTP/0.9 + 0.5.50 (18 March 2025) ---------------------- diff -Nru libhtp-0.5.50/debian/changelog libhtp-0.5.51/debian/changelog --- libhtp-0.5.50/debian/changelog 2025-03-18 09:04:23.000000000 +0100 +++ libhtp-0.5.51/debian/changelog 2025-08-02 11:55:15.000000000 +0200 @@ -1,3 +1,12 @@ +libhtp (1:0.5.51-1) unstable; urgency=medium + + * New upstream release fixing security issue CVE-2025-53537. + See https://redmine.openinfosecfoundation.org/issues/7766. + This is just a very minor bugfix release with no additional features. + Closes: #1109838 + + -- Sascha Steinbiss <[email protected]> Sat, 02 Aug 2025 11:55:15 +0200 + libhtp (1:0.5.50-1) unstable; urgency=medium * New upstream release. diff -Nru libhtp-0.5.50/htp/htp_decompressors.c libhtp-0.5.51/htp/htp_decompressors.c --- libhtp-0.5.50/htp/htp_decompressors.c 2025-03-18 06:53:49.000000000 +0100 +++ libhtp-0.5.51/htp/htp_decompressors.c 2025-07-07 08:34:10.000000000 +0200 @@ -350,6 +350,9 @@ // There is data even if there is an error // So use this data and log a warning htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc); + if (drec->zlib_initialized == HTP_COMPRESSION_LZMA) { + LzmaDec_Free(&drec->state, &lzma_Alloc); + } drec->zlib_initialized = HTP_COMPRESSION_OVER; return HTP_ERROR; } diff -Nru libhtp-0.5.50/htp/htp_request.c libhtp-0.5.51/htp/htp_request.c --- libhtp-0.5.50/htp/htp_request.c 2025-03-18 06:53:49.000000000 +0100 +++ libhtp-0.5.51/htp/htp_request.c 2025-07-07 08:34:10.000000000 +0200 
@@ -1006,7 +1006,8 @@ } // Sanity check: we must have a transaction pointer if the state is not IDLE (no inbound transaction) - if ((connp->in_tx == NULL)&&(connp->in_state != htp_connp_REQ_IDLE)) { + if ((connp->in_tx == NULL)&& + (connp->in_state != htp_connp_REQ_IDLE && connp->in_state != htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9)) { connp->in_status = HTP_STREAM_ERROR; htp_log(connp, HTP_LOG_MARK, HTP_LOG_ERROR, 0, "Missing inbound transaction data"); diff -Nru libhtp-0.5.50/VERSION libhtp-0.5.51/VERSION --- libhtp-0.5.50/VERSION 2025-03-18 06:53:49.000000000 +0100 +++ libhtp-0.5.51/VERSION 2025-07-07 08:34:10.000000000 +0200 @@ -1,2 +1,2 @@ # This file is intended to be sourced by sh -PKG_VERSION=0.5.50 +PKG_VERSION=0.5.51
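Review bot: in the debian/changelog hunk, the 1:0.5.51-1 entry names CVE-2025-53537 and the redmine issue but does not say which of the two upstream changes listed in the ChangeLog hunk is the security fix; since the release also carries the HTTP/0.9 parsing change, stating that the CVE is the LZMA decompressor leak (e.g. `* New upstream release fixing CVE-2025-53537 (memory leak in the LZMA decompressor error path).`) keeps the security-tracker entry unambiguous.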
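Review bot: in the htp_decompressors.c hunk, the added `LzmaDec_Free(&drec->state, &lzma_Alloc);` on the inflate-failure path is only free of a double release because the very next line, `drec->zlib_initialized = HTP_COMPRESSION_OVER;`, marks the decoder as torn down before `return HTP_ERROR;`; a one-line comment above the new `if` saying that the LZMA state is released here and the OVER marker prevents a second free at teardown would keep a later edit from reordering those lines. The warning logged just above still reads `"GZip decompressor: inflate failed with %d"` even when the decoder is LZMA; now that this path branches on `HTP_COMPRESSION_LZMA`, the message could name the actual compression type.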
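Review bot: in the htp_request.c hunk, exempting `htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9` from the `in_tx == NULL` sanity check turns what was an `HTP_STREAM_ERROR` with the "Missing inbound transaction data" log into silent acceptance of trailing data after an HTTP/0.9 request, which is a visible parsing-behaviour change rather than a pure bugfix. The unblock text calls it "another small fix" and the ChangeLog line is "request: do not fully error on data after HTTP/0.9", but the [ Tests ] section only claims verification for the LZMA leak; a regression test (HTTP/0.9 request followed by extra bytes, asserting the stream is not put into error) named in the changelog would make this hunk reviewable on its own. Minor style point: the split condition keeps the spaceless `NULL)&&` at the end of the first line; spaces around `&&` would match the rest of the expression.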

