• Bug#1110259: unblock: libhtp/1:0.5.51-1

    From Sascha Steinbiss@21:1/5 to All on Sat Aug 2 12:40:01 2025
    XPost: linux.debian.devel.release

    This is a multi-part MIME message sent by reportbug.


    Package: release.debian.org
    Severity: normal
    User: [email protected]
    Usertags: unblock
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:libhtp

    Please unblock package libhtp

    In order to fix CVE-2025-53537 (i.e. #1109838) [1] I would like to
    upload the upstream version that fixes this to unstable and have it
    granted into testing to be included in trixie.
    The fix is very small, see [2]. The upstream version does not introduce
    any new features besides fixes: this one and another small fix.
    This is why I ask for the new upstream version to be allowed instead of
    fixing the issue by backporting to 0.5.50.

    Please let me know once I can upload the code to unstable.

    [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109838
    [2] https://github.com/OISF/libhtp/security/advisories/GHSA-v3qq-h8mh-vph7
    [3] https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7

    [ Reason ]
    Fix a security bug in a library used by the Suricata IDS.

    [ Impact ]
    A security issue would remain in a package in trixie, in which a
    traffic induced memory leak can starve the process of memory,
    leading to loss of visibility.

    [ Tests ]
    The issue was found via OSS-Fuzz [4] and is verified as fixed there.
    libhtp in its fixed version was tested using GitHub Actions upstream [5].

    [4] https://issues.oss-fuzz.com/issues/425041683?pli=1
    [5] https://github.com/OISF/libhtp/actions

    [ Risks ]
    Low risk. Code fix is small and targeted, and comes from the main
    developers.

    [ Checklist ]
    [X] all changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in testing

    unblock libhtp/1:0.5.51-1

    diff -Nru libhtp-0.5.50/ChangeLog libhtp-0.5.51/ChangeLog
    --- libhtp-0.5.50/ChangeLog 2025-03-18 06:53:49.000000000 +0100
    +++ libhtp-0.5.51/ChangeLog 2025-07-07 08:34:10.000000000 +0200
    @@ -1,3 +1,10 @@
    +0.5.51 (07 July 2025)
    +---------------------
    +
    +- decompressors: fix leak in lzma error case
    +
    +- request: do not fully error on data after HTTP/0.9
    +
    0.5.50 (18 March 2025)
    ----------------------

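    Review bot: the second new entry, "- request: do not fully error on data after HTTP/0.9", is a request-parser behaviour change rather than part of the leak fix, and the unblock text only calls it "another small fix"; the request should state what that changes for HTTP/0.9 handling in Suricata so the release team can weigh the regression risk in trixie separately from the CVE fix. The first entry, "- decompressors: fix leak in lzma error case", matches the memory-leak impact described in the mail, but neither entry names CVE-2025-53537, so the mapping from ChangeLog line to CVE rests on the mail text alone.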
    diff -Nru libhtp-0.5.50/debian/changelog libhtp-0.5.51/debian/changelog
    --- libhtp-0.5.50/debian/changelog 2025-03-18 09:04:23.000000000 +0100
    +++ libhtp-0.5.51/debian/changelog 2025-08-02 11:55:15.000000000 +0200
    @@ -1,3 +1,12 @@
    +libhtp (1:0.5.51-1) unstable; urgency=medium
    +
    + * New upstream release fixing security issue CVE-2025-53537.
    + See https://redmine.openinfosecfoundation.org/issues/7766.
    + This is just a very minor bugfix release with no additional features.
    + Closes: #1109838
    +
    + -- Sascha Steinbiss <[email protected]> Sat, 02 Aug 2025 11:55:15 +0200
    +
    libhtp (1:0.5.50-1) unstable; urgency=medium

    * New upstream rel
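    Review bot: the entry states "This is just a very minor bugfix release with no additional features", but the upstream ChangeLog hunk in the same debdiff also lists the HTTP/0.9 request-handling change; naming that change here, and citing the GHSA advisory and fixing commit the mail already lists as [2] and [3] alongside the Redmine issue, would make the changelog match what the release actually contains. The "Closes: #1109838" line is correctly formed. Note also that the debdiff as quoted ends at "* New upstream rel" before reaching any source change, so the decompressors fix itself is not visible for review here; the full debdiff against the package in testing, as ticked in the checklist, should be attached.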