Hi,

Attached is a debdiff for bookworm.

I'd like to send a PU very soon (like, tomorrow) since the deadline for the next point release is next weekend.

Notes for the bookworm PU:

Minimal backport of upstream changes that make the HTTP client code a
bit more robust.

Later history of src/http.c was reviewed to spot possible regressions,
and follow-up fixes for 'Connection' headers are also included.

Unlike DLA-3819-1, no 'Break' header was introduced in debian/control,
as there's no particular conflict when fossil and apache2 are on the
same server. This is an issue with the fossil *client* and a remote
apache2.

Manual testing was performed by reproducing the issue with an
Apache2+CGI+Fossil setup, with or without the configuration
work-around, and with or without enabling mod_http2 which triggers
different 'Connection' headers. In all cases cloning is now fixed.

Binaries available at:
https://salsa.debian.org/lts-team/packages/fossil/-/pipelines/861000
https://salsa.debian.org/lts-team/packages/fossil/-/jobs/7535062/artifacts/browse/debian/output/

Can you review/test? :)

Cheers!
Sylvain Beucler
Debian LTS Team
diff -Nru fossil-2.21/debian/changelog fossil-2.21/debian/changelog
--- fossil-2.21/debian/changelog        2023-02-26 19:58:27.000000000 +0100
+++ fossil-2.21/debian/changelog        2025-05-04 11:12:18.000000000 +0200
@@ -1,3 +1,13 @@
+fossil (1:2.21-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * Fix issue in the fossil HTTP client, related to the fix for
+    CVE-2024-24795/apache2, preventing it from cloning from a fixed
+    Apache2 server (which now strips the Content-Length response header
+    issued by the fossil CGI server). (Closes: #1070069)
+
+ -- Sylvain Beucler <b...@debian.org>  Sun, 04 May 2025 11:12:18 +0200
+
 fossil (1:2.21-1) unstable; urgency=medium
 
   * Add upstream/metadata
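Review bot: the 1:2.21-1+deb12u1 changelog entry describes only the Content-Length handling, while the backported patch also changes how the 'Connection:' reply header is parsed (upstream 5f47bb59, to cope with the argument forms emitted by Apache mod_cgi); consider a second bullet so that behaviour change is visible in the package history, e.g. "  * Also relax parsing of the 'Connection' reply header (upstream 5f47bb59)".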
diff -Nru fossil-2.21/debian/patches/CVE-2024-24795-regression.patch 
fossil-2.21/debian/patches/CVE-2024-24795-regression.patch
--- fossil-2.21/debian/patches/CVE-2024-24795-regression.patch  1970-01-01 
01:00:00.000000000 +0100
+++ fossil-2.21/debian/patches/CVE-2024-24795-regression.patch  2025-05-04 
11:12:18.000000000 +0200
@@ -0,0 +1,139 @@
+Origin: https://fossil-scm.org/home/info/a8e33fb161f45b65
+Origin: https://fossil-scm.org/home/info/71919ad1b542832c
+Origin: https://fossil-scm.org/home/info/f4ffefe708793b03
+Origin: https://fossil-scm.org/home/info/5f47bb59a7846aeb
+Reviewed-by: Sylvain Beucler <b...@debian.org>
+Last-Update: 2025-05-04
+
+Only backported parts relevant to the fossil HTTP client fix,
+discarded debugging improvements.
+
+Commit:   a8e33fb161f45b65167f0dfe39b6fcbad21f5844ee469131fd8fa8fc09cd5e99
+Date:     2024-04-17 12:58:08
+Author:   drh
+Comment:  Fix the HTTP-reply parser so that it is able to deal with replies 
that lack a Content-Length header field.  This resolves the issue reported by 
[forum:/forumpost/12ac403fd29cfc89|forum post 12ac403fd29cfc89].  Also in this 
merge: (1) Add the --xverbose option to "fossil clone".  (2) Improved error 
messages when web servers misbehave.  See also my misguided and incorrect 
[https://bz.apache.org/bugzilla/show_bug.cgi?id=68905|Apache bug 68905]. 
Special thanks to Apache devs for setting me straight.
+Branch:   trunk
+Tags:     trunk
+Phase:    *MERGE* 
+
+Commit:   71919ad1b542832c615df0af08999c9624ade133f48d0f39448cf87d71fa1142
+Date:     2024-04-17 13:27:34
+Author:   drh
+Comment:  Only process HTTP replies that lack a Content-Length header if the 
connection is set to be closed.  Suggested by 
[https://bz.apache.org/bugzilla/show_bug.cgi?id=68905].
+Branch:   trunk
+Tags:     trunk
+Phase:    
+
+Commit:   f4ffefe708793b036dc1d4a3c3806cdb24de73362df532779d1a80375a6347ad
+Date:     2024-04-17 14:02:19
+Author:   drh
+Comment:  Output a warning if a client sync or clone gets back a keep-alive 
HTTP reply that lacks a content-length header.
+Branch:   trunk
+Tags:     trunk
+Phase:    
+
+Commit:   5f47bb59a7846aeb3e073ffe24629bb87809b86358c7124d9b4596817c3599d5
+Date:     2024-04-21 16:20:19
+Author:   drh
+Comment:  Fix parsing of the argument to the "Connection:" header of HTTP 
reply messages to deal with unusual arguments added by Apache mod_cgi.  See 
[forum:/forumpost/ca6fc85c80f4704f|forum thread ca6fc85c80f4704f].
+Branch:   trunk
+Tags:     trunk
+Phase:    *MERGE* 
+
+Index: fossil-2.21/src/http.c
+===================================================================
+--- fossil-2.21.orig/src/http.c
++++ fossil-2.21/src/http.c
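Review bot: the DEP-3 header carries four Origin: lines but no Bug-Debian: field, so the patch is not linked to the report it fixes; add `Bug-Debian: https://bugs.debian.org/1070069` (the number is already in the changelog) next to Reviewed-by:. Since the header says debugging improvements were discarded, it would also help to state that the --xverbose clone option named in the first commit comment is not part of this backport (only src/http.c is touched), so nobody looks for it.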
+@@ -294,7 +294,6 @@ int http_exchange(
+   Blob hdr;             /* The HTTP request header */
+   int closeConnection;  /* True to close the connection when done */
+   int iLength;          /* Expected length of the reply payload */
+-  int iRecvLen;         /* Received length of the reply payload */
+   int rc = 0;           /* Result code */
+   int iHttpVersion;     /* Which version of HTTP protocol server uses */
+   char *zLine;          /* A single line of the reply header */
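Review bot: dropping the function-scope iRecvLen declaration is only safe if every remaining use in http_exchange() is covered by the block-scope re-declarations introduced later in the patch; as this is a partial backport onto 2.21 rather than the upstream tree, please confirm with a -Wall build that no other reference to iRecvLen survives between this hunk and the payload-reading hunk, otherwise the package fails to compile rather than misbehaving.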
+@@ -374,6 +373,7 @@ int http_exchange(
+   */
+   closeConnection = 1;
+   iLength = -1;
++  iHttpVersion = -1;
+   while( (zLine = transport_receive_line(&g.url))!=0 && zLine[0]!=0 ){
+     if( mHttpFlags & HTTP_VERBOSE ){
+       fossil_print("Read: [%s]\n", zLine);
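Review bot: iHttpVersion is initialised to -1 here so that it can double as a "no status line seen" sentinel for the later "server did not reply" check, which is not what the declaration comment ("Which version of HTTP protocol server uses") suggests; a short comment at this line, or an updated declaration comment, would spare the next reader from wondering why the version starts at -1 rather than 0/1.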
+@@ -412,17 +412,15 @@ int http_exchange(
+         fossil_warning("server says: %s", &zLine[ii]);
+         goto write_err;
+       }
++      if( iHttpVersion<0 ) iHttpVersion = 1;
+       closeConnection = 0;
+     }else if( fossil_strnicmp(zLine, "content-length:", 15)==0 ){
+       for(i=15; fossil_isspace(zLine[i]); i++){}
+       iLength = atoi(&zLine[i]);
+     }else if( fossil_strnicmp(zLine, "connection:", 11)==0 ){
+-      char c;
+-      for(i=11; fossil_isspace(zLine[i]); i++){}
+-      c = zLine[i];
+-      if( c=='c' || c=='C' ){
++      if( sqlite3_strlike("%close%", &zLine[11], 0)==0 ){
+         closeConnection = 1;
+-      }else if( c=='k' || c=='K' ){
++      }else if( sqlite3_strlike("%keep-alive%", &zLine[11], 0)==0 ){
+         closeConnection = 0;
+       }
+     }else if( ( rc==301 || rc==302 || rc==307 || rc==308 ) &&
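Review bot: the move from a first-character test to sqlite3_strlike("%close%") / ("%keep-alive%") is deliberately looser so that mod_cgi's unusual Connection: arguments are recognised (per the 5f47bb59 commit comment), and a one-line code comment citing that would help; note that because "%close%" is tested first, a header listing both tokens (e.g. "keep-alive, close") resolves to closing the connection, which is the conservative outcome. sqlite3_strlike() is case-insensitive and treats '%'/'_' as wildcards, neither of which occurs in these patterns, so the match behaves as a plain substring search over the remainder of the line, leading whitespace included.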
+@@ -485,7 +483,7 @@ int http_exchange(
+       }
+     }
+   }
+-  if( iLength<0 ){
++  if( iHttpVersion<0 ){
+     fossil_warning("server did not reply");
+     goto write_err;
+   }
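Review bot: the check now keys on iHttpVersion rather than iLength, so a reply that has a status line but no Content-Length no longer trips "server did not reply" and falls through to the payload code; the warning text could be made more precise ("server did not send an HTTP status line"), since a missing length is no longer what is being reported. Worth noting that iHttpVersion is only set on the success path of the status-line branch, after the "server says:" error exit, so error statuses still leave via write_err exactly as before.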
+@@ -498,13 +496,40 @@ int http_exchange(
+   ** Extract the reply payload that follows the header
+   */
+   blob_zero(pReply);
+-  blob_resize(pReply, iLength);
+-  iRecvLen = transport_receive(&g.url, blob_buffer(pReply), iLength);
+-  if( iRecvLen != iLength ){
+-    fossil_warning("response truncated: got %d bytes of %d", iRecvLen, 
iLength);
+-    goto write_err;
++  if( iLength==0 ){
++    /* No content to read */
++  }else if( iLength>0 ){
++    /* Read content of a known length */
++    int iRecvLen;         /* Received length of the reply payload */
++    blob_resize(pReply, iLength);
++    iRecvLen = transport_receive(&g.url, blob_buffer(pReply), iLength);
++    if( mHttpFlags & HTTP_VERBOSE ){
++      fossil_print("Reply received: %d of %d bytes\n", iRecvLen, iLength);
++    }
++    if( iRecvLen != iLength ){
++      fossil_warning("response truncated: got %d bytes of %d",
++                     iRecvLen, iLength);
++      goto write_err;
++    }
++  }else if( closeConnection ){
++    /* Read content until end-of-file */
++    int iRecvLen;         /* Received length of the reply payload */
++    unsigned int nReq = 1000;
++    unsigned int nPrior = 0;
++    do{
++      nReq *= 2;
++      blob_resize(pReply, nPrior+nReq);
++      iRecvLen = transport_receive(&g.url, &pReply->aData[nPrior], (int)nReq);
++      nPrior += iRecvLen;
++      pReply->nUsed = nPrior;
++    }while( iRecvLen==nReq && nReq<0x20000000 );
++    if( mHttpFlags & HTTP_VERBOSE ){
++      fossil_print("Reply received: %u bytes (w/o content-length)\n", nPrior);
++    }
++  }else{
++    assert( iLength<0 && !closeConnection );
++    fossil_warning("\"content-length\" missing from %d keep-alive reply", rc);
+   }
+-  blob_resize(pReply, iLength);
+   if( isError ){
+     char *z;
+     int i, j;
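Review bot: the read-until-EOF loop in the closeConnection branch has two gaps: transport_receive() returns int, and a negative return (transport error) would be added to the unsigned nPrior and wrap instead of aborting, and when nReq reaches 0x20000000 the loop exits silently even if the server is still sending, so an oversized reply is truncated without any warning, unlike the fixed-length branch which warns on truncation; suggest `if( iRecvLen<0 ) goto write_err;` inside the loop and a fossil_warning() when the size cap ends it. The comparison iRecvLen==nReq also mixes int and unsigned int and will draw -Wsign-compare. The keep-alive-without-Content-Length case only warns and continues with an empty pReply, which matches upstream f4ffefe but means callers get a zero-length payload rather than an error, so the warning is the only trace of the problem.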
diff -Nru fossil-2.21/debian/patches/series fossil-2.21/debian/patches/series
--- fossil-2.21/debian/patches/series   2023-02-26 19:58:27.000000000 +0100
+++ fossil-2.21/debian/patches/series   2025-05-03 21:16:09.000000000 +0200
@@ -1 +1,2 @@
 debian-changes
+CVE-2024-24795-regression.patch
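Review bot: the patch is named after the Apache CVE (CVE-2024-24795) although fossil itself is only hit by a regression caused by the Apache fix, so anyone scanning debian/patches for fossil CVE fixes may be misled; a name tied to the Debian bug (e.g. bug1070069-http-client-no-content-length.patch) would be clearer, though this is cosmetic and need not block the upload.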
