
Bug#1037100: cpp-httplib: CVE-2023-26130


Salvatore Bonaccorso

Jun 4, 2023, 3:20:05 PM
Source: cpp-httplib
Version: 0.11.4+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>

Hi,

The following vulnerability was published for cpp-httplib.

CVE-2023-26130[0]:
| Versions of the package yhirose/cpp-httplib before 0.12.4 are
| vulnerable to CRLF Injection when untrusted user input is used to set
| the content-type header in the HTTP .Patch, .Post, .Put and .Delete
| requests. This can lead to logical errors and other misbehaviors.
| **Note:** This issue is present due to an incomplete fix for
| [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-
| YHIROSECPPHTTPLIB-2366507).

The related CVE-2020-11709 was fixed before the initial upload to
Debian.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26130
https://www.cve.org/CVERecord?id=CVE-2023-26130
[1] https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194
[2] https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
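An added illustration (not code from cpp-httplib, from the upstream fix, or from this thread) of the check the CVE text implies: a naive header serializer beside a hardened one that rejects CR/LF in values, with a line counter that shows how a tainted Content-Type adds a field line to the request. All names and the sample value are constructed for this example.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Hypothetical names; constructed for this illustration.
using Headers = std::vector<std::pair<std::string, std::string>>;

// A header value must not contain CR, LF or NUL: any of them can end the
// field line early and let the rest of the value be parsed as new lines.
bool is_safe_header_value(const std::string &v) {
  for (unsigned char c : v) {
    if (c == '\r' || c == '\n' || c == '\0') return false;
  }
  return true;
}

// Naive serializer: concatenates values without validation. This is the
// shape of bug the CVE text describes, not cpp-httplib's actual code.
std::string serialize_unchecked(const Headers &headers) {
  std::string out;
  for (const auto &h : headers) out += h.first + ": " + h.second + "\r\n";
  return out + "\r\n";
}

// Hardened serializer: refuses the whole request if any value is unsafe,
// so a tainted Content-Type can never add lines to the request.
bool serialize_checked(const Headers &headers, std::string &out) {
  for (const auto &h : headers) {
    if (!is_safe_header_value(h.second)) return false;
  }
  out = serialize_unchecked(headers);
  return true;
}

// Number of field lines in a serialized header block; more lines than
// headers supplied means a value was split by an injected CRLF.
std::size_t count_header_lines(const std::string &block) {
  std::size_t n = 0, pos = 0;
  while ((pos = block.find("\r\n", pos)) != std::string::npos) {
    ++n;
    pos += 2;
  }
  return n > 0 ? n - 1 : 0;  // the trailing empty line is not a field
}

// Constructed sample: a Content-Type value carrying an embedded CRLF.
const std::string kTaintedContentType = "text/plain\r\nX-Injected: yes";
```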

Andrea Pappacoda

Jun 12, 2023, 5:20:04 AM
Hi Salvatore, thanks for your report.

On Sun 4 Jun 2023 at 21:13:04 +02:00:00, Salvatore Bonaccorso
<car...@debian.org> wrote:
> The following vulnerability was published for cpp-httplib.
>
> CVE-2023-26130[0]:
> | Versions of the package yhirose/cpp-httplib before 0.12.4 are
> | vulnerable to CRLF Injection when untrusted user input is used to set
> | the content-type header in the HTTP .Patch, .Post, .Put and .Delete
> | requests. This can lead to logical errors and other misbehaviors.
> | **Note:** This issue is present due to an incomplete fix for
> | [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-
> | YHIROSECPPHTTPLIB-2366507).
>
> The related CVE-2020-11709 was fixed before the initial upload to
> Debian.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Fixing this in stable shouldn't be hard, but since I've little
experience in backporting security fixes to stable I'm not sure how I
should act. Should I simply push the updated package to
bookworm-security? I'm only a Debian Maintainer, can I still do it? If
not, could you please sponsor my upload?

Thanks again :D

Andrea Pappacoda

Jul 12, 2023, 5:40:04 AM
On Mon, 12 Jun 2023 17:50:25 +0200 Bastian Germann <ba...@debian.org>
wrote:
> Hi Andrea,
>
> As there was no upload to unstable after the bookworm version, just
> upload an unstable 0.11.4+ds-2 with the upstream
> patch (excluding or backporting the test) and mentioning the CVE in
> the changelog. Then add a bookworm-security
> changelog entry and debdiff the resulting package to 0.11.4+ds-1.
> You send the debdiff to the security team to operate on.
>
> See also
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

Hi Bastian, sorry for not replying earlier but I did not receive your
email (it was sent to 1037100-...@bugs.d.o).

I've uploaded an updated version of cpp-httplib to Mentors, because of
soname changes (and a need to upload to NEW).

As for fixing the version in bookworm, I'll do it as soon as possible.

Thanks for the continuous help!

--
OpenPGP key: 66DE F152 8299 0C21 99EF A801 A8A1 28A8 AB1C EE49

Bastian Germann

Jul 12, 2023, 8:30:04 AM
On 12.07.23 at 11:31 Andrea Pappacoda wrote:
> On Mon, 12 Jun 2023 17:50:25 +0200 Bastian Germann <ba...@debian.org> wrote:
> > Hi Andrea,
> >
> > As there was no upload to unstable after the bookworm version, just
> > upload an unstable 0.11.4+ds-2 with the upstream
> > patch (excluding or backporting the test) and mentioning the CVE in
> > the changelog. Then add a bookworm-security
> > changelog entry and debdiff the resulting package to 0.11.4+ds-1. You
> > send the debdiff to the security team to operate on.
> >
> > See also
> > https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
>
> Hi Bastian, sorry for not replying earlier but I did not receive your
> email (it was sent to 1037100-...@bugs.d.o).
>
> I've uploaded an updated version of cpp-httplib to Mentors, because of
> soname changes (and a need to upload to NEW).
>
> As for fixing the version in bookworm, I'll do it as soon as possible.

When you fix the unstable version via a patch and later upgrade to a new
upstream version there is almost no additional work. So please go that
route. Your new version still has an experimental 0.12 in the changelog
that was never uploaded.

Andrea Pappacoda

Jul 12, 2023, 6:50:04 PM
On Wed 12 Jul 2023 at 14:19:34 +02:00:00, Bastian Germann
<ba...@debian.org> wrote:
> When you fix the unstable version via a patch and later upgrade to a
> new upstream version there is almost no additional work. So please go
> that route.

Yeah but this time I had already upgraded to a new upstream version
(for experimental and now unstable), so it was easier for me to just
create a new debian/bookworm git branch and backport the fix there.

> Your new version still has an experimental 0.12 in the changelog that
> was never uploaded.

I'd prefer not to remove the experimental 0.12 from the changelog,
since I have already uploaded everything to git and mentors. It's also
something that actually happened, but I simply didn't find a sponsor in
time and a new unstable release was prepared before uploading the
experimental one. Unless I really _must_ remove the experimental entry
from the changelog and git history I'd prefer to keep everything as is;
it just looks like wasted effort to me, and I'd like to spend my time
packaging a new yuzu version instead :)

I've uploaded the bookworm-security branch on Git, see
<https://salsa.debian.org/debian/cpp-httplib/-/compare/debian%2F0.11.4+ds-1...debian%2F0.11.4+ds-1+deb12u1?from_project_id=65963>.
I'm unable to upload it to mentors because bookworm-security hasn't
been added to the site yet.

I think that everything is ok, but Lintian is giving me this error:

E: cpp-httplib changes: bad-distribution-in-changes-file bookworm-security
N:
N: You've specified an unknown target distribution for your upload in the
N: debian/changelog file. It is possible that you are uploading for a
N: different distribution than the one Lintian is checking for. In that case,
N: passing --profile $VENDOR may fix this warning.
N:
N: Note that the distributions non-free and contrib are no longer valid.
N: You'll have to use distribution unstable and Section: non-free/xxx or
N: Section: contrib/xxx instead.
N:
N: Please refer to Distribution (Section 5.6.14) in the Debian Policy Manual
N: for details.
N:
N: Visibility: error
N: Show-Always: no
N: Check: fields/distribution

If you think that this is a false positive, I can continue with the
process.

Thanks :D

Bastian Germann

Jul 13, 2023, 3:00:05 AM
On 13.07.23 at 00:40 Andrea Pappacoda wrote:
> I'd prefer not to remove the experimental 0.12 from the changelog, since
> I have already uploaded everything to git and mentors. It's also
> something that actually happened, but I simply didn't find a sponsor in
> time and a new unstable release was prepared before uploading the
> experimental one. Unless I really _must_ remove the experimental entry
> from the changelog and git history I'd prefer to keep everything as is;
> it just looks like wasted effort to me, and I'd like to spend my time
> packaging a new yuzu version instead 😄

The wasted effort is writing this paragraph. If you want me to sponsor
the upload you _must_ eliminate the unpublished revision.

> I've uploaded the bookworm-security branch on Git, see
> <https://salsa.debian.org/debian/cpp-httplib/-/compare/debian%2F0.11.4+ds-1...debian%2F0.11.4+ds-1+deb12u1?from_project_id=65963>. I'm unable to upload it to mentors because bookworm-security hasn't been added to the site yet.

You do not need to upload to mentors. But with the new upstream version,
please wait for it to pass NEW before posting the security fix to the
security team. That is the major drawback and in case of a more serious
bug that would have been unacceptable.

> I think that everything is ok, but Lintian is giving me this error:

I guess that is okay.

Andrea Pappacoda

Jul 13, 2023, 6:10:08 AM
On Thu 13 Jul 2023 at 08:46:47 +02:00:00, Bastian Germann
<ba...@debian.org> wrote:
> The wasted effort is writing this paragraph. If you want me to
> sponsor the upload you _must_ eliminate the unpublished revision.

Yesterday night I was pretty tired and lazy, but yeah, I'll do it now.

> You do not need to upload to mentors. But with the new upstream
> version, please wait for it to pass NEW before posting the security
> fix to the security team. That is the major drawback and in case of a
> more serious bug that would have been unacceptable.

Oh okay, now I got it. I didn't quite understand what you were trying
to explain to me before, but now I got it. Having a security fix wait
in NEW is not ideal. Thanks for making me realize it.

>> Lintian is giving me this error:
>
> I guess that is okay.

Perfect.

I'll re-do the updates more appropriately, roughly in this order:

1. Backport the fix in unstable, and push it to the archive
2. Backport the fix in bookworm-security, and push it to the archive
3. Package the latest upstream version, and push it to mentors

Does this look ok to you?

Bastian Germann

Jul 13, 2023, 6:20:04 AM
On 13.07.23 at 12:06 Andrea Pappacoda wrote:
> I'll re-do the updates more appropriately, roughly in this order:
>
> 1. Backport the fix in unstable, and push it to the archive
> 2. Backport the fix in bookworm-security, and push it to the archive

2.: Please email the security team with the debdiff instead.

Bastian Germann

Jul 13, 2023, 6:20:04 AM
On 13.07.23 at 12:09 Andrea Pappacoda wrote:
> On Thu 13 Jul 2023 at 12:08:28 +02:00:00, Bastian Germann
> <ba...@debian.org> wrote:
>> 2.: Please email the security team with the debdiff instead.
>
> Ok, so they'll push it to the archive for me? Perfect!

They will tell you what to do. Sometimes they say to hand in a stable
update (for point release) instead.

Andrea Pappacoda

Jul 13, 2023, 6:20:05 AM
On Thu 13 Jul 2023 at 12:08:28 +02:00:00, Bastian Germann
<ba...@debian.org> wrote:
> 2.: Please email the security team with the debdiff instead.

Ok, so they'll push it to the archive for me? Perfect!

Salvatore Bonaccorso

Jul 13, 2023, 1:40:05 PM
Hi Andrea,
The issue (CVE-2023-26130) in fact does not warrant a DSA, cf. as well
already the status in
https://security-tracker.debian.org/tracker/CVE-2023-26130 .

Can you fix it please via an upcoming point release? If you are fast
enough it can make it as well even for the 12.1 release.

Regards,
Salvatore

Andrea Pappacoda

Jul 14, 2023, 1:10:05 PM
On Thu 13 Jul 2023 at 19:07:28 +02:00:00, Salvatore Bonaccorso
<car...@debian.org> wrote:
> The issue (CVE-2023-26130) in fact does not warrant a DSA, cf. as well
> already the status in
> https://security-tracker.debian.org/tracker/CVE-2023-26130 .
>
> Can you fix it please via an upcoming point release? If you are fast
> enough it can make it as well even for the 12.1 release.

Hi Salvatore, thanks for the suggestion.

I've prepared the stable upload (see
<https://salsa.debian.org/debian/cpp-httplib/-/tree/debian/bookworm>)
and just filed a bug on release.debian.org. You can find the bug at
<https://bugs.debian.org/1041074>.

Bastian: could you please have a look at the new cpp-httplib I have
posted on Mentors?

Thanks all!