Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id
<736c7150dc08501cc89945035c406eaf9688e144.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1114684,
regarding trixie-pu: package libhtp/1:0.5.50-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1114684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114684
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libhtp
User: [email protected]
Usertags: pu
* CVE-2025-53537: memory leak with LZMA (Closes: #1109838)
diffstat for libhtp-0.5.50 libhtp-0.5.50
changelog | 7 ++
patches/0001-decompressors-fix-leak-in-lzma-error-case.patch | 27 +++++++++++
patches/series | 1
3 files changed, 35 insertions(+)
diff -Nru libhtp-0.5.50/debian/changelog libhtp-0.5.50/debian/changelog
--- libhtp-0.5.50/debian/changelog 2025-03-18 10:04:23.000000000 +0200
+++ libhtp-0.5.50/debian/changelog 2025-09-08 15:03:54.000000000 +0300
@@ -1,3 +1,10 @@
+libhtp (1:0.5.50-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-53537: memory leak with LZMA (Closes: #1109838)
+
+ -- Adrian Bunk <[email protected]> Mon, 08 Sep 2025 15:03:54 +0300
+
libhtp (1:0.5.50-1) unstable; urgency=medium
* New upstream release.
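Review bot: The new changelog entry at the top of this hunk names the CVE and the closed bug but not the patch that carries the fix. Naming debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch on the "CVE-2025-53537" line would let a reader of the changelog find the change without consulting the diffstat.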
diff -Nru
libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch
libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch
---
libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch
1970-01-01 02:00:00.000000000 +0200
+++
libhtp-0.5.50/debian/patches/0001-decompressors-fix-leak-in-lzma-error-case.patch
2025-09-08 15:03:54.000000000 +0300
@@ -0,0 +1,27 @@
+From e49cc779e0b4333354057b40c25c453af6aef61f Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <[email protected]>
+Date: Tue, 17 Jun 2025 10:12:47 +0200
+Subject: decompressors: fix leak in lzma error case
+
+Ticket: 7766
+---
+ htp/htp_decompressors.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/htp/htp_decompressors.c b/htp/htp_decompressors.c
+index d66b6e8..02afd37 100644
+--- a/htp/htp_decompressors.c
++++ b/htp/htp_decompressors.c
+@@ -350,6 +350,9 @@ restart:
+ // There is data even if there is an error
+ // So use this data and log a warning
+ htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip
decompressor: inflate failed with %d", rc);
++ if (drec->zlib_initialized == HTP_COMPRESSION_LZMA) {
++ LzmaDec_Free(&drec->state, &lzma_Alloc);
++ }
+ drec->zlib_initialized = HTP_COMPRESSION_OVER;
+ return HTP_ERROR;
+ }
+--
+2.30.2
+
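Review bot: The patch header in this hunk carries only "Ticket: 7766" and never mentions CVE-2025-53537 or Debian bug #1109838, so the patch file on its own does not say which advisory it addresses. Adding the CVE id and a Bug-Debian reference to the header would fix that. On the code, the added LzmaDec_Free(&drec->state, &lzma_Alloc) has to sit before "drec->zlib_initialized = HTP_COMPRESSION_OVER;" because the guard reads the old value, and it does. The warning logged just above still reads "GZip decompressor: inflate failed" when the LZMA branch is taken, which can mislead anyone triaging the log, so a follow-up that makes the message reflect the active decompressor would be worth raising upstream.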
diff -Nru libhtp-0.5.50/debian/patches/series
libhtp-0.5.50/debian/patches/series
--- libhtp-0.5.50/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ libhtp-0.5.50/debian/patches/series 2025-09-08 15:03:54.000000000 +0300
@@ -0,0 +1 @@
+0001-decompressors-fix-leak-in-lzma-error-case.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.2
Hi,
The updates referenced in each of these bugs were included in today's
13.2 trixie point release.
Regards,
Adam
--- End Message ---