1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1109545: bookworm-pu: package curl/7.88.1-10+deb12u13

    From Samuel Henrique@21:1/5 to All on Sat Jul 19 22:10:01 2025
    XPost: linux.debian.devel.release

    package: release.debian.org
    control: affects -1 + src:curl
    x-debbugs-cc: [email protected]
    user: [email protected]
    usertags: pu
    tags: bookworm
    severity: normal

    [ reason ]
    curl upstream has reached out to report a memory-leak affecting the version we ship in bookworm [0].

    This problem was inadvertently fixed for trixie on a refactor of the affected code.

    I suspect this problem also affects bullseye but I have not looked into it yet, for now I'd like to fix it in bookworm.

    [ impact ]
    This is fixing a memory-leak.

    The leak is small, within the bytes range, and likely to not be noticed by a lot of users, but there was a request to fix it and the patch is simple.

    [ tests ]
    curl has an extensive testsuite and all tests passed, curl also contains a lot of reverse-dependencies in the archive and their debci results will reduce the likelihood of regressions.

    [ risks ]
    Given the patch is freeing a buffer instead of resetting it, there's a risk of introducing an UAF.

    I have analyzed the code and have not spotted any problems with it, on top of this, Daniel Stenberg also acked the patch [0].

    [ checklist ]
    � [x] *all* changes are documented in the d/changelog
    � [x] i reviewed all changes and i approve them
    � [x] attach debdiff against the package in (old)stable
    � [x] the issue is verified as fixed in unstable

    [ changes ]
    There's a single change which is adding a patch vetted by the upstream developer.

    The patch modifies a single line of code to free a buffer instead of resetting it and keeping the allocation.

    [ other info ]
    Discussion in GitHub:
    https://github.com/curl/curl/issues/17749

    [0] https://curl.se/mail/distros-2025-07/0001.html

    --
    Samuel Henrique <samueloph>

    diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
    --- curl-7.88.1/debian/changelog 2025-06-17 01:56:01.000000000 +0200
    +++ curl-7.88.1/debian/changelog 2025-07-19 21:04:59.000000000 +0200
    @@ -1,3 +1,11 @@
    +curl (7.88.1-10+deb12u14) bookworm; urgency=medium
    +
    + * d/p/0001-http_chunks-reset...: New patch to fix memory leak:
    + - Thanks to Daniel Stenberg and dheerajsangamkar for reporting the issue
    + and writing a patch
    +
    + -- Samuel Henrique <[email protected]> Sat, 19 Jul 2025 21:04:59 +0200
    +
    curl (7.88.1-10+deb12u13) bookworm; urgency=medium

    * Team upload.
    diff -Nru curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch
    --- curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch 1970-01-01 01:00:00.000000000 +0100
    +++ curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch 2025-07-19 21:04:59.000000000 +0200
    @@ -0,0 +1,31 @@
    +From 18426