Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected] Control: affects -1 + src:r-cran-gh User: [email protected] Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [ Reason ] The package is affected by CVE-2025-54956. The HTTP response is delivered in a data structure that includes the Authorization header from the corresponding HTTP request. This upload fixes this issue. [ Impact ] If not approved, users contionue to be vulnerable to CVE-2025-54956. [ Tests ] The testsuite runs successful. A few tests have been adjusted to the new behavior. Their success is an indication that the changed code works and nothing has been broken. [ Risks ] The main risks are regressions or breakages. But the test suite runs successful and the code changes are not too complicated. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] The changes remove the request headers that were originally stored in the response object. Instead, the sensitive information is passed explicitely. [ Other info ] n/a -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmklOloACgkQS80FZ8KW 0F1lbA//TBCtauvVgXB4O42PHh1mPNjAvEEQ9AHk4U/rwqq1+DsZ0JitZw2eZYcM igXbj2RRDOSaSu6aWXPqf33/YFM3VgRQHuDplJei7iOzHnTKllDI4lqK1B/19lPQ kMm9F8yC+YOXgWYTICoypXZBjgBUaPMiRW/HmSvCCSIeaqIzkAzZkMTym+lu4UMn PHCEWdYmN6eJTKo949H2iI3CrRP8Ma884HLfXDWo43v2NQaHV1LvP/aFxSfgsDs3 YtnI/DnBpAHjABIngRVirEy71Ifhwwbn7zL3MxvcpJoj9cHd0pDqd+Awt7Q25Mkr JFy9VBO/N43BOjnvR8tU/36ssDUReQnwnz/B1BzpPzQfmOy0eOFX7bYDOQMdURkJ VSkghYQtqfYzAIrjCOR6wpLnAJJ/+WbICBB4CxTcrw71q9szSuQG0Cp1OnNyWWVg LTtTUOFBAEEPlKGdglk/xvG7PinHLne8sIhpj5/QqbHcOSuJiDaPHv20KeSRrVBz HgS90sujXHXywsQuMBQrtplsLU/ZWdcU2wxwn3a+hMWsTLFyc/A5+grNN360X/Iu feYBMsD4IshsctsI7RLJv0PPxWZ5YKwFGU+BifCDpWZZ6OT6oDgjCU51H9Oe4EHH OZOzSkRSqHRCcvAvAAviw8rGY00K0gBCL/ve+yXv5PhYQnF9THk= =BFsX -----END PGP SIGNATURE-----
diff -Nru r-cran-gh-1.4.0/debian/changelog r-cran-gh-1.4.0/debian/changelog --- r-cran-gh-1.4.0/debian/changelog 2023-02-26 10:24:41.000000000 +0100 +++ r-cran-gh-1.4.0/debian/changelog 2025-11-25 05:48:19.000000000 +0100 @@ -1,3 +1,13 @@ +r-cran-gh (1.4.0-1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload by the Debian LTS team. + * d/patches/CVE-2025-54956.patch: Add patch to fix CVE-2025-54956. + - The HTTP response is delivered in a data structure that + includes the Authorization header from the corresponding HTTP + request (closes: #1110481). + + -- Daniel Leidert <[email protected]> Tue, 25 Nov 2025 05:48:19 +0100 + r-cran-gh (1.4.0-1) unstable; urgency=medium * Team upload. diff -Nru r-cran-gh-1.4.0/debian/gbp.conf r-cran-gh-1.4.0/debian/gbp.conf --- r-cran-gh-1.4.0/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 +++ r-cran-gh-1.4.0/debian/gbp.conf 2025-11-25 05:48:19.000000000 +0100 @@ -0,0 +1,4 @@ +[DEFAULT] +debian-branch = debian/bookworm +upstream-branch = upstream +pristine-tar = True diff -Nru r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch --- r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch 1970-01-01 01:00:00.000000000 +0100 +++ r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch 2025-11-25 05:48:19.000000000 +0100 @@ -0,0 +1,190 @@ +From: =?UTF-8?q?G=C3=A1bor=20Cs=C3=A1rdi?= <[email protected]> +Date: Mon, 26 May 2025 09:36:45 +0200 +Subject: [PATCH] Do not save request headers in the return value + +Closes #222. + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://github.com/r-lib/gh/commit/b575d488c71318449cc6c8c989c617db29275848 +Bug: https://github.com/r-lib/gh/issues/222 +Bug-Debian: https://bugs.debian.org/1110481 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-54956 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-54956 +--- + R/gh.R | 2 +- + R/gh_response.R | 10 +++++----- + R/pagination.R | 26 +++++++++++++++++++------- + man/gh_next.Rd | 15 +++++++++++---- + tests/testthat/test-gh_response.R | 4 ---- + tests/testthat/test-pagination.R | 2 +- + 6 files changed, 37 insertions(+), 22 deletions(-) + +diff --git a/R/gh.R b/R/gh.R +index 3a4d2d7..313eda9 100644 +--- a/R/gh.R ++++ b/R/gh.R +@@ -196,7 +196,7 @@ gh <- function(endpoint, + + while (!is.null(.limit) && len < .limit && gh_has_next(res)) { + if (.progress) update_progress_bar(prbr, res) +- res2 <- gh_next(res) ++ res2 <- gh_next(res, .token = .token, .send_headers = .send_headers) + + if (!is.null(names(res2)) && identical(names(res), names(res2))) { + res3 <- mapply( # Handle named array case +diff --git a/R/gh_response.R b/R/gh_response.R +index 4ded3a7..65c24f8 100644 +--- a/R/gh_response.R ++++ b/R/gh_response.R +@@ -25,11 +25,7 @@ gh_process_response <- function(resp, gh_req) { + } + + attr(res, "response") <- httr2::resp_headers(resp) +- attr(res, "request") <- gh_req +- +- # for backward compatibility +- attr(res, "method") <- resp$method +- attr(res, ".send_headers") <- httr2::last_request()$headers ++ attr(res, "request") <- remove_headers(gh_req) + + if (is_ondisk) { + class(res) <- c("gh_response", "path") +@@ -40,3 +36,7 @@ gh_process_response <- function(resp, gh_req) { + } + res + } ++ ++remove_headers <- function(x) { ++ x[names(x) != "headers"] ++} +diff --git a/R/pagination.R b/R/pagination.R +index 7fc827e..aaed6fe 100644 +--- a/R/pagination.R ++++ b/R/pagination.R +@@ -33,7 +33,7 @@ gh_has_next <- function(gh_response) { + gh_has(gh_response, "next") + } + +-gh_link_request <- function(gh_response, link) { ++gh_link_request <- function(gh_response, link, .token, .send_headers) { + stopifnot(inherits(gh_response, "gh_response")) + + url <- extract_link(gh_response, link) +@@ -41,11 +41,14 @@ gh_link_request <- function(gh_response, link) { + + req <- attr(gh_response, "request") + req$url <- url ++ req$token <- .token ++ req$send_headers <- .send_headers ++ req <- gh_set_headers(req) + req + } + +-gh_link <- function(gh_response, link) { +- req <- gh_link_request(gh_response, link) ++gh_link <- function(gh_response, link, .token, .send_headers) { ++ req <- gh_link_request(gh_response, link, .token, .send_headers) + raw <- gh_make_request(req) + gh_process_response(raw, req) + } +@@ -68,6 +71,7 @@ gh_extract_pages <- function(gh_response) { + #' If the requested page does not exist, an error is thrown. + #' + #' @param gh_response An object returned by a [gh()] call. ++#' @inheritParams gh + #' @return Answer from the API. + #' + #' @seealso The `.limit` argument to [gh()] supports fetching more than +@@ -80,22 +84,30 @@ gh_extract_pages <- function(gh_response) { + #' vapply(x, "[[", character(1), "login") + #' x2 <- gh_next(x) + #' vapply(x2, "[[", character(1), "login") +-gh_next <- function(gh_response) gh_link(gh_response, "next") ++gh_next <- function(gh_response, .token = NULL, .send_headers = NULL) { ++ gh_link(gh_response, "next", .token = .token, .send_headers = .send_headers) ++} + + #' @name gh_next + #' @export + +-gh_prev <- function(gh_response) gh_link(gh_response, "prev") ++gh_prev <- function(gh_response, .token = NULL, .send_headers = NULL) { ++ gh_link(gh_response, "prev", .token = .token, .send_headers = .send_headers) ++} + + #' @name gh_next + #' @export + +-gh_first <- function(gh_response) gh_link(gh_response, "first") ++gh_first <- function(gh_response, .token = NULL, .send_headers = NULL) { ++ gh_link(gh_response, "first", .token = .token, .send_headers = .send_headers) ++} + + #' @name gh_next + #' @export + +-gh_last <- function(gh_response) gh_link(gh_response, "last") ++gh_last <- function(gh_response, .token = NULL, .send_headers = NULL) { ++ gh_link(gh_response, "last", .token = .token, .send_headers = .send_headers) ++} + + make_progress_bar <- function(gh_request) { + state <- new.env(parent = emptyenv()) +diff --git a/man/gh_next.Rd b/man/gh_next.Rd +index 4c4b493..a79cd3a 100644 +--- a/man/gh_next.Rd ++++ b/man/gh_next.Rd +@@ -7,16 +7,23 @@ + \alias{gh_last} + \title{Get the next, previous, first or last page of results} + \usage{ +-gh_next(gh_response) ++gh_next(gh_response, .token = NULL, .send_headers = NULL) + +-gh_prev(gh_response) ++gh_prev(gh_response, .token = NULL, .send_headers = NULL) + +-gh_first(gh_response) ++gh_first(gh_response, .token = NULL, .send_headers = NULL) + +-gh_last(gh_response) ++gh_last(gh_response, .token = NULL, .send_headers = NULL) + } + \arguments{ + \item{gh_response}{An object returned by a \code{\link[=gh]{gh()}} call.} ++ ++\item{.token}{Authentication token. Defaults to \code{\link[=gh_token]{gh_token()}}.} ++ ++\item{.send_headers}{Named character vector of header field values ++(except \code{Authorization}, which is handled via \code{.token}). This can be ++used to override or augment the default \code{User-Agent} header: ++\code{"https://github.com/r-lib/gh"}.} + } + \value{ + Answer from the API. +diff --git a/tests/testthat/test-gh_response.R b/tests/testthat/test-gh_response.R +index dacaf0a..1aa1aa2 100644 +--- a/tests/testthat/test-gh_response.R ++++ b/tests/testthat/test-gh_response.R +@@ -62,8 +62,4 @@ test_that("captures details to recreate request", { + expect_type(req, "list") + expect_equal(req$url, "https://api.github.com/orgs/r-lib/repos";) + expect_equal(req$query, list(.per_page = 1)) +- +- # For backwards compatibility +- expect_equal(attr(res, "method"), "GET") +- expect_type(attr(res, ".send_headers"), "list") + }) +diff --git a/tests/testthat/test-pagination.R b/tests/testthat/test-pagination.R +index d9f6e7f..a76d5e0 100644 +--- a/tests/testthat/test-pagination.R ++++ b/tests/testthat/test-pagination.R +@@ -1,7 +1,7 @@ + test_that("paginated request gets max_wait and max_rate", { + gh <- gh("/orgs/tidyverse/repos", per_page = 5, .max_wait = 1, .max_rate = 10) + +- req <- gh_link_request(gh, "next") ++ req <- gh_link_request(gh, "next", .token = NULL, .send_headers = NULL) + expect_equal(req$max_wait, 1) + expect_equal(req$max_rate, 10) + diff -Nru r-cran-gh-1.4.0/debian/patches/series r-cran-gh-1.4.0/debian/patches/series --- r-cran-gh-1.4.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ r-cran-gh-1.4.0/debian/patches/series 2025-11-25 05:48:19.000000000 +0100 @@ -0,0 +1 @@ +CVE-2025-54956.patch.patch
