package: release.debian.org control: affects -1 + src:curl x-debbugs-cc: [email protected] user: [email protected] usertags: pu tags: bookworm severity: normal
[ reason ] curl upstream has reached out to report a memory-leak affecting the version we ship in bookworm [0]. This problem was inadvertently fixed for trixie on a refactor of the affected code. I suspect this problem also affects bullseye but I have not looked into it yet, for now I'd like to fix it in bookworm. [ impact ] This is fixing a memory-leak. The leak is small, within the bytes range, and likely to not be noticed by a lot of users, but there was a request to fix it and the patch is simple. [ tests ] curl has an extensive testsuite and all tests passed, curl also contains a lot of reverse-dependencies in the archive and their debci results will reduce the likelihood of regressions. [ risks ] Given the patch is freeing a buffer instead of resetting it, there's a risk of introducing an UAF. I have analyzed the code and have not spotted any problems with it, on top of this, Daniel Stenberg also acked the patch [0]. [ checklist ] [x] *all* changes are documented in the d/changelog [x] i reviewed all changes and i approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ changes ] There's a single change which is adding a patch vetted by the upstream developer. The patch modifies a single line of code to free a buffer instead of resetting it and keeping the allocation. [ other info ] Discussion in GitHub: https://github.com/curl/curl/issues/17749 [0] https://curl.se/mail/distros-2025-07/0001.html -- Samuel Henrique <samueloph>
diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog --- curl-7.88.1/debian/changelog 2025-06-17 01:56:01.000000000 +0200 +++ curl-7.88.1/debian/changelog 2025-07-19 21:04:59.000000000 +0200 @@ -1,3 +1,11 @@ +curl (7.88.1-10+deb12u14) bookworm; urgency=medium + + * d/p/0001-http_chunks-reset...: New patch to fix memory leak: + - Thanks to Daniel Stenberg and dheerajsangamkar for reporting the issue + and writing a patch + + -- Samuel Henrique <[email protected]> Sat, 19 Jul 2025 21:04:59 +0200 + curl (7.88.1-10+deb12u13) bookworm; urgency=medium * Team upload. diff -Nru curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch --- curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.88.1/debian/patches/0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch 2025-07-19 21:04:59.000000000 +0200 @@ -0,0 +1,31 @@ +From 18426669b329f63ff4798275a427f605e42576a6 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <[email protected]> +Date: Tue, 15 Jul 2025 08:37:03 +0200 +Subject: [PATCH] http_chunks: reset the trailer to avoid memory leak + +Brought-by: dheerajsangamkar on github +URL: https://github.com/curl/curl/issues/17749 +--- + lib/http_chunks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/http_chunks.c b/lib/http_chunks.c +index bda00d3833..867a8b4fbf 100644 +--- a/lib/http_chunks.c ++++ b/lib/http_chunks.c +@@ -228,11 +228,11 @@ CHUNKcode Curl_httpchunk_read(struct Curl_easy *data, + if(result) { + *extrap = result; + return CHUNKE_PASSTHRU_ERROR; + } + } +- Curl_dyn_reset(&conn->trailer); ++ Curl_dyn_free(&conn->trailer); + ch->state = CHUNK_TRAILER_CR; + if(*datap == 0x0a) + /* already on the LF */ + break; + } +-- +2.50.0 + diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series --- curl-7.88.1/debian/patches/series 2025-06-17 01:56:01.000000000 +0200 +++ curl-7.88.1/debian/patches/series 2025-07-19 21:04:59.000000000 +0200 @@ -68,6 +68,10 @@ fix-CVE-2023-27534-regression-1.patch fix-CVE-2023-27534-regression-2.patch +# Fix memory leak reported at https://github.com/curl/curl/issues/17749 and +# https://curl.se/mail/distros-2025-07/0001.html +0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch + # Do not add patches below. # Used to generate packages for the other crypto libraries. 90_gnutls.patch
