Hi,

Le 22/04/2023 à 12:59, David Prévot a écrit :
[…]
   [x] attach debdiff against the package in stable

For real now.
diff --git a/debian/changelog b/debian/changelog
index bd0b1d7..a0c6ab8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-nyholm-psr7 (1.3.2-2+deb11u1) bullseye; urgency=medium
+
+  * Fix improper input validation [CVE-2023-29197] (Closes: #1034597)
+  * Use debian/bullseye branch
+
+ -- David Prévot <taf...@debian.org>  Sat, 22 Apr 2023 12:22:36 +0200
+
 php-nyholm-psr7 (1.3.2-2) unstable; urgency=medium
 
   * Fix d/clean
diff --git a/debian/control b/debian/control
index 263202a..79c9ad0 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Build-Depends: debhelper-compat (= 13),
                pkg-php-tools
 Standards-Version: 4.5.1
 Homepage: https://github.com/Nyholm/psr7
-Vcs-Git: https://salsa.debian.org/php-team/pear/php-nyholm-psr7.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/php-nyholm-psr7.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/php-team/pear/php-nyholm-psr7
 Rules-Requires-Root: no
 
diff --git a/debian/gbp.conf b/debian/gbp.conf
index eb7a2c8..bd2dada 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 pristine-tar = True
 pristine-tar-commit = True
 
diff --git a/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch b/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch
new file mode 100644
index 0000000..85e246f
--- /dev/null
+++ b/debian/patches/0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch
@@ -0,0 +1,131 @@
+From: Tobias Nyholm <tobias.nyh...@gmail.com>
+Date: Mon, 17 Apr 2023 18:00:04 +0200
+Subject: Merge pull request from GHSA-wjfc-pgfp-pv9c
+
+Improper Input Validation in headers
+
+Origin: backport, https://github.com/Nyholm/psr7/commit/1029a2671cbdd3e075a21952082c2be7c8018426
+Bug-Debian: https://bugs.debian.org/1034597 https://security-tracker.debian.org/tracker/CVE-2023-29197
+---
+ src/MessageTrait.php   |  4 ++--
+ tests/RequestTest.php  | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ tests/ResponseTest.php | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 79 insertions(+), 2 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 2da949d..4977583 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -177,7 +177,7 @@ trait MessageTrait
+      */
+     private function validateAndTrimHeader($header, $values): array
+     {
+-        if (!\is_string($header) || 1 !== \preg_match("@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@", $header)) {
++        if (!\is_string($header) || 1 !== \preg_match("@^[!#$%&'*+.^_`|~0-9A-Za-z-]+$@D", $header)) {
+             throw new \InvalidArgumentException('Header name must be an RFC 7230 compatible string.');
+         }
+ 
+@@ -197,7 +197,7 @@ trait MessageTrait
+         // Assert Non empty array
+         $returnValues = [];
+         foreach ($values as $v) {
+-            if ((!\is_numeric($v) && !\is_string($v)) || 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@", (string) $v)) {
++            if ((!\is_numeric($v) && !\is_string($v)) || 1 !== \preg_match("@^[ \t\x21-\x7E\x80-\xFF]*$@D", (string) $v)) {
+                 throw new \InvalidArgumentException('Header values must be RFC 7230 compatible strings.');
+             }
+ 
+diff --git a/tests/RequestTest.php b/tests/RequestTest.php
+index ddac6d2..8d5d53e 100644
+--- a/tests/RequestTest.php
++++ b/tests/RequestTest.php
+@@ -294,4 +294,50 @@ class RequestTest extends TestCase
+         $request = $request->withUri(new Uri('https://nyholm.tech:443'));
+         $this->assertEquals('nyholm.tech', $request->getHeaderLine('Host'));
+     }
++
++    /**
++     * @dataProvider provideHeaderValuesContainingNotAllowedChars
++     */
++    public function testCannotHaveHeaderWithInvalidValue(string $name)
++    {
++        $this->expectException(\InvalidArgumentException::class);
++        $this->expectExceptionMessage('Header name must be an RFC 7230 compatible string');
++        $r = new Request('GET', 'https://example.com/');
++        $r->withHeader($name, 'Bar');
++    }
++
++    public static function provideHeaderValuesContainingNotAllowedChars(): array
++    {
++        // Explicit tests for newlines as the most common exploit vector.
++        $tests = [
++            ["new\nline"],
++            ["new\r\nline"],
++            ["new\rline"],
++            ["new\r\n line"],
++            ["newline\n"],
++            ["\nnewline"],
++            ["newline\r\n"],
++            ["\n\rnewline"],
++        ];
++
++        for ($i = 0; $i <= 0xFF; ++$i) {
++            if ("\t" == \chr($i)) {
++                continue;
++            }
++            if (' ' == \chr($i)) {
++                continue;
++            }
++            if ($i >= 0x21 && $i <= 0x7E) {
++                continue;
++            }
++            if ($i >= 0x80) {
++                continue;
++            }
++
++            $tests[] = ['foo' . \chr($i) . 'bar'];
++            $tests[] = ['foo' . \chr($i)];
++        }
++
++        return $tests;
++    }
+ }
+diff --git a/tests/ResponseTest.php b/tests/ResponseTest.php
+index e6e109e..effc81d 100644
+--- a/tests/ResponseTest.php
++++ b/tests/ResponseTest.php
+@@ -266,4 +266,35 @@ class ResponseTest extends TestCase
+         $this->assertSame('Foo', $r->getHeaderLine('OWS'));
+         $this->assertSame(['Foo'], $r->getHeader('OWS'));
+     }
++
++    /**
++     * @dataProvider invalidWithHeaderProvider
++     */
++    public function testWithInvalidHeader($header, $headerValue, $expectedMessage): void
++    {
++        $r = new Response();
++        $this->expectException(\InvalidArgumentException::class);
++        $this->expectExceptionMessage($expectedMessage);
++        $r->withHeader($header, $headerValue);
++    }
++
++    public function invalidWithHeaderProvider(): iterable
++    {
++        return [
++            ['foo', [], 'Header values must be a string or an array of strings, empty array given'],
++            ['foo', new \stdClass(),  'Header values must be RFC 7230 compatible strings'],
++            [[], 'foo', 'Header name must be an RFC 7230 compatible string'],
++            [false, 'foo', 'Header name must be an RFC 7230 compatible string'],
++            [new \stdClass(), 'foo', 'Header name must be an RFC 7230 compatible string'],
++            ['', 'foo', 'Header name must be an RFC 7230 compatible string'],
++            ["Content-Type\r\n\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++            ["Content-Type\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++            ["Content-Type\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++            ["\r\nContent-Type", 'foo', 'Header name must be an RFC 7230 compatible string'],
++            ["\nContent-Type", 'foo', 'Header name must be an RFC 7230 compatible string'],
++            ["\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++            ["\r\n", 'foo', 'Header name must be an RFC 7230 compatible string'],
++            ["\t", 'foo', 'Header name must be an RFC 7230 compatible string'],
++        ];
++    }
+ }
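Review bot: The `D` modifier added to the header *value* regex in `validateAndTrimHeader` (the second MessageTrait hunk) is not exercised by any test in this patch: `testCannotHaveHeaderWithInvalidValue` passes each provider string as the header *name* (`$r->withHeader($name, 'Bar')`) and expects the name error message, and every ResponseTest case with CR/LF likewise puts it in the name position, so a regression that dropped `D` from only the value pattern — the classic response-splitting vector, e.g. `Set-Cookie: ...\n` — would still pass the suite. Since the provider already enumerates every byte outside `[ \t\x21-\x7E\x80-\xFF]` plus the trailing-newline cases, a sibling test that feeds the same data as a value and expects `Header values must be RFC 7230 compatible strings` closes the gap without new fixtures. This is a straight backport of the upstream commit, so the extra test should presumably go upstream first or be added as a separate Debian-only patch rather than edited into this one. The RequestTest class body is fully contained in the hunk.

```php
    // … unchanged: testCannotHaveHeaderWithInvalidValue and its provider …

    /**
     * Same byte set as the name test, but placed in the header value so the
     * `$@D` anchor on the value pattern (not just the name pattern) is covered.
     *
     * @dataProvider provideHeaderValuesContainingNotAllowedChars
     */
    public function testCannotHaveHeaderWithInvalidValueString(string $value)
    {
        $this->expectException(\InvalidArgumentException::class);
        $this->expectExceptionMessage('Header values must be RFC 7230 compatible strings');
        $r = new Request('GET', 'https://example.com/');
        $r->withHeader('Foo', $value);
    }
```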
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..f797cf4
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-Merge-pull-request-from-GHSA-wjfc-pgfp-pv9c.patch
