Source: cpp-httplib
Version: 0.18.7-1
Followup-For: Bug #1104926
Control: tags -1 patch

Dear Maintainer,

Please find attached a proposed patch (NMU) for cpp-httplib version 0.18.7-2, addressing CVE-2025-46728 (Denial of Service via unbounded chunked request handling).

This patch backports the upstream fix from v0.20.1:
https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e

Details:
- Enforces payload size limits when `Transfer-Encoding: chunked` is used
- Prevents memory exhaustion by terminating incomplete or malformed chunked requests

This patch has been tested and verified to resolve the issue via a memory exhaustion PoC.

Please consider applying this fix, or let me know if any changes are needed.

Best regards,
Yang Wang <[email protected]>

-- System Information:
Debian Release: 13.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-138-generic (SMP w/88 CPU threads)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
diff -Nru cpp-httplib-0.18.7/debian/changelog cpp-httplib-0.18.7/debian/changelog --- cpp-httplib-0.18.7/debian/changelog 2025-03-11 17:18:06.000000000 +0000 +++ cpp-httplib-0.18.7/debian/changelog 2025-08-01 20:04:30.000000000 +0000 @@ -1,3 +1,14 @@ +cpp-httplib (0.18.7-2) unstable; urgency=high + + * Non-maintainer upload. + * Fix CVE-2025-46728: DoS via chunked Transfer-Encoding without terminating chunk. + - Enforces maximum request body size limit even for chunked encoding. + - Prevents uncontrolled memory growth by terminating connection early if limit exceeded. + - Backport upstream commit from v0.20.1 to address the vulnerability: + https://github.com/yhirose/cpp-httplib/commit/058a46ae89c1520eeb52cf74625b9e09f447be33 + + -- Yang Wang <[email protected]> Fri, 01 Aug 2025 16:04:30 -0400 + cpp-httplib (0.18.7-1) unstable; urgency=medium * Update to new upstream version 0.18.7. diff -Nru cpp-httplib-0.18.7/debian/patches/fix-cve-2025-46728.patch cpp-httplib-0.18.7/debian/patches/fix-cve-2025-46728.patch --- cpp-httplib-0.18.7/debian/patches/fix-cve-2025-46728.patch 1970-01-01 00:00:00.000000000 +0000 +++ cpp-httplib-0.18.7/debian/patches/fix-cve-2025-46728.patch 2025-08-01 20:04:30.000000000 +0000 
@@ -0,0 +1,84 @@ +Description: Fix CVE-2025-46728 (DoS via unbounded chunked Transfer-Encoding) + This patch enforces request body size limits for chunked Transfer-Encoding, + preventing uncontrolled memory allocation when the terminating zero-length + chunk is missing. Without this fix, a remote attacker can cause excessive + memory consumption, leading to denial of service. + . + Backported from upstream v0.20.1: + https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e +Author: Ville Vesilehto <[email protected]> +Origin: upstream, backport +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-46728 +Bug: https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-px83-72rx-v57c +Forwarded: not-needed +Reviewed-By: Yang Wang <[email protected]> +Last-Update: 2025-08-01 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: cpp-httplib-0.18.7/httplib.h +=================================================================== +--- cpp-httplib-0.18.7.orig/httplib.h ++++ cpp-httplib-0.18.7/httplib.h +@@ -141,6 +141,10 @@ + #define CPPHTTPLIB_LISTEN_BACKLOG 5 + #endif + ++#ifndef CPPHTTPLIB_MAX_LINE_LENGTH ++#define CPPHTTPLIB_MAX_LINE_LENGTH 32768 ++#endif ++ + /* + * Headers + */ +@@ -2961,6 +2965,11 @@ inline bool stream_line_reader::getline( + #endif + + for (size_t i = 0;; i++) { ++ if (size() >= CPPHTTPLIB_MAX_LINE_LENGTH) { ++ // Treat exceptionally long lines as an error to ++ // prevent infinite loops/memory exhaustion ++ return false; ++ } + char byte; + auto n = strm_.read(&byte, 1); + +Index: cpp-httplib-0.18.7/test/test.cc +=================================================================== +--- cpp-httplib-0.18.7.orig/test/test.cc ++++ cpp-httplib-0.18.7/test/test.cc +@@ -42,6 +42,9 @@ const int PORT = 1234; + const string LONG_QUERY_VALUE = string(25000, '@'); + const string LONG_QUERY_URL = "/long-query-value?key=" + LONG_QUERY_VALUE; + ++const string TOO_LONG_QUERY_VALUE = 
string(35000, '@'); ++const string TOO_LONG_QUERY_URL = "/too-long-query-value?key=" + TOO_LONG_QUERY_VALUE; ++ + const std::string JSON_DATA = "{\"hello\":\"world\"}"; + + const string LARGE_DATA = string(1024 * 1024 * 100, '@'); // 100MB +@@ -2837,6 +2840,11 @@ protected: + EXPECT_EQ(LONG_QUERY_URL, req.target); + EXPECT_EQ(LONG_QUERY_VALUE, req.get_param_value("key")); + }) ++ .Get("/too-long-query-value", ++ [&](const Request &req, Response & /*res*/) { ++ EXPECT_EQ(TOO_LONG_QUERY_URL, req.target); ++ EXPECT_EQ(TOO_LONG_QUERY_VALUE, req.get_param_value("key")); ++ }) + .Get("/array-param", + [&](const Request &req, Response & /*res*/) { + EXPECT_EQ(3u, req.get_param_value_count("array")); +@@ -3611,6 +3619,13 @@ TEST_F(ServerTest, LongQueryValue) { + EXPECT_EQ(StatusCode::UriTooLong_414, res->status); + } + ++TEST_F(ServerTest, TooLongQueryValue) { ++ auto res = cli_.Get(TOO_LONG_QUERY_URL.c_str()); ++ ++ ASSERT_FALSE(res); ++ EXPECT_EQ(Error::Read, res.error()); ++} ++ + TEST_F(ServerTest, TooLongHeader) { + Request req; + req.method = "GET"; diff -Nru cpp-httplib-0.18.7/debian/patches/series cpp-httplib-0.18.7/debian/patches/series --- cpp-httplib-0.18.7/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ cpp-httplib-0.18.7/debian/patches/series 2025-08-01 20:00:01.000000000 +0000 @@ -0,0 +1 @@ +fix-cve-2025-46728.patch
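Review bot: The upstream commit URL in the debian/changelog hunk (commit 058a46ae89c1520eeb52cf74625b9e09f447be33) does not match the one given in the DEP-3 header of fix-cve-2025-46728.patch and in the cover message (commit 7b752106ac42bd5b907793950d9125a0972c8e8e). Please point the changelog at the commit that was actually backported, or list both if the fix spans two commits, so the provenance of the backport can be checked against a single reference.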
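Review bot: The two httplib.h hunks only cap the length of a single line, through CPPHTTPLIB_MAX_LINE_LENGTH (32768) and the size() check at the top of the loop in stream_line_reader::getline, while the changelog entry and the patch Description both state that a request body size limit is enforced for chunked Transfer-Encoding. No hunk here touches code that reads or accumulates chunk data. Either include the part of the upstream change that applies the payload limit to chunked bodies, or reword the Description and changelog to say that the patch bounds line length and explain why that is sufficient for the missing-terminating-chunk case. It would also help to note next to the new macro that it can be overridden at build time and what a client sees when the limit is hit (getline returns false).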
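Review bot: The test added in the test/test.cc hunks, TooLongQueryValue, sends an over-long request target (a 35000-byte query value) and expects Error::Read; it does not exercise the scenario named in the Description, a chunked request body with no terminating zero-length chunk. Consider adding a regression test that sends such a request and asserts the server ends the connection, so the suite covers the CVE itself. The /too-long-query-value handler registered in the second test.cc hunk is also not reached when the request is rejected as the test expects (ASSERT_FALSE(res)), so its two EXPECT_EQ lines verify nothing; drop the handler or add a comment that it is intentionally unreachable.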

