Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <[email protected]>
and subject line Released with 13.3
has caused the Debian Bug report #1121384,
regarding trixie-pu: package r-cran-gh/1.4.1-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121384: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121384
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:r-cran-gh
User: [email protected]
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]

The package is affected by CVE-2025-54956. The HTTP response is delivered in a
data structure that includes the Authorization header from the corresponding
HTTP request. This upload fixes this issue.

[ Impact ]

If not approved, users continue to be vulnerable to CVE-2025-54956.

[ Tests ]

The testsuite runs successfully. I had to run it manually, though, due to
#1121090. A few tests have been adjusted by upstream to the new behavior. Their
successful execution is an indication that the changed code works and nothing
has been broken.

[ Risks ]

The main risks are regressions or breakages. But the test suite runs successfully
and the code changes are not too complicated.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The changes remove the request headers that were originally stored in the
response object. Instead, the sensitive information is passed explicitly.

[ Other info ]

n/a

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff -Nru r-cran-gh-1.4.1/debian/changelog r-cran-gh-1.4.1/debian/changelog
--- r-cran-gh-1.4.1/debian/changelog    2024-06-10 01:58:24.000000000 +0200
+++ r-cran-gh-1.4.1/debian/changelog    2025-11-25 06:44:32.000000000 +0100
@@ -1,3 +1,13 @@
+r-cran-gh (1.4.1-1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS team.
+  * d/patches/CVE-2025-54956.patch: Add patch to fix CVE-2025-54956.
+    - The HTTP response is delivered in a data structure that
+      includes the Authorization header from the corresponding HTTP
+      request (closes: #1110481).
+
+ -- Daniel Leidert <[email protected]>  Tue, 25 Nov 2025 06:44:32 +0100
+
 r-cran-gh (1.4.1-1) unstable; urgency=medium
 
   * Team upload.
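Review bot: the changelog entry describes the leak that is fixed but not the user-visible API change that comes with it: CVE-2025-54956.patch drops the `method` and `.send_headers` attributes that `gh_process_response` used to set on every `gh_response` object (the removed lines are commented "for backward compatibility"), and `gh_next()`/`gh_prev()`/`gh_first()`/`gh_last()` gain `.token` and `.send_headers` arguments. A short line noting the dropped attributes would help anyone whose code reads `attr(res, "method")` on a stable system.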
diff -Nru r-cran-gh-1.4.1/debian/gbp.conf r-cran-gh-1.4.1/debian/gbp.conf
--- r-cran-gh-1.4.1/debian/gbp.conf     1970-01-01 01:00:00.000000000 +0100
+++ r-cran-gh-1.4.1/debian/gbp.conf     2025-11-25 06:44:32.000000000 +0100
@@ -0,0 +1,4 @@
+[DEFAULT]
+debian-branch = debian/trixie
+upstream-branch = upstream
+pristine-tar = True
diff -Nru r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch 
r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch
--- r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch 1970-01-01 
01:00:00.000000000 +0100
+++ r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch 2025-11-25 
06:44:32.000000000 +0100
@@ -0,0 +1,189 @@
+From: =?UTF-8?q?G=C3=A1bor=20Cs=C3=A1rdi?= <[email protected]>
+Date: Mon, 26 May 2025 09:36:45 +0200
+Subject: [PATCH] Do not save request headers in the return value
+
+Closes #222.
+
+Reviewed-By: Daniel Leidert <[email protected]>
+Origin: 
https://github.com/r-lib/gh/commit/b575d488c71318449cc6c8c989c617db29275848
+Bug: https://github.com/r-lib/gh/issues/222
+Bug-Debian: https://bugs.debian.org/1110481
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-54956
+Bug-Freexian-Security: 
https://deb.freexian.com/extended-lts/tracker/CVE-2025-54956
+---
+ R/gh.R                            |  2 +-
+ R/gh_response.R                   | 10 +++++-----
+ R/pagination.R                    | 26 +++++++++++++++++++-------
+ man/gh_next.Rd                    | 15 +++++++++++----
+ tests/testthat/test-gh_response.R |  4 ----
+ tests/testthat/test-pagination.R  |  2 +-
+ 6 files changed, 37 insertions(+), 22 deletions(-)
+
+diff --git a/R/gh.R b/R/gh.R
+index af46a20..b449f1b 100644
+--- a/R/gh.R
++++ b/R/gh.R
+@@ -216,7 +216,7 @@ gh <- function(endpoint,
+   }
+ 
+   while (!is.null(.limit) && len < .limit && gh_has_next(res)) {
+-    res2 <- gh_next(res)
++    res2 <- gh_next(res, .token = .token, .send_headers = .send_headers)
+     len <- len + gh_response_length(res2)
+     if (.progress) cli::cli_progress_update()
+ 
+diff --git a/R/gh_response.R b/R/gh_response.R
+index 7943f1b..9763d0f 100644
+--- a/R/gh_response.R
++++ b/R/gh_response.R
+@@ -27,11 +27,7 @@ gh_process_response <- function(resp, gh_req) {
+   }
+ 
+   attr(res, "response") <- httr2::resp_headers(resp)
+-  attr(res, "request") <- gh_req
+-
+-  # for backward compatibility
+-  attr(res, "method") <- resp$method
+-  attr(res, ".send_headers") <- httr2::last_request()$headers
++  attr(res, "request") <- remove_headers(gh_req)
+ 
+   if (is_ondisk) {
+     class(res) <- c("gh_response", "path")
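Review bot: `attr(res, "request") <- remove_headers(gh_req)` removes only the `headers` element, but the request list built by `gh_link_request` in this same patch also carries the credential in `req$token` (and the caller's extra headers in `req$send_headers`) before `gh_set_headers(req)` is applied, and that `req` is what `gh_link` passes on to `gh_process_response(raw, req)`. Unless `gh_set_headers` (not shown in this diff) clears those elements, the stored request still exposes the token through a different field; please confirm, or have `remove_headers` drop `token` and `send_headers` as well.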
+@@ -42,3 +38,7 @@ gh_process_response <- function(resp, gh_req) {
+   }
+   res
+ }
++
++remove_headers <- function(x) {
++  x[names(x) != "headers"]
++}
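Review bot: `x[names(x) != "headers"]` subsets the list with `[`, which on a list keeps only the `names` attribute, so any class or other attribute on `gh_req` is silently lost in the stored copy. `x$headers <- NULL; x` removes the element while preserving the object's attributes; it is also a one-liner and is cheaper than rebuilding the list. Either way, a comment stating why the headers must not be stored (they include `Authorization`) would make the intent clear to the next person touching this helper.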
+diff --git a/R/pagination.R b/R/pagination.R
+index cb2c02b..c98289f 100644
+--- a/R/pagination.R
++++ b/R/pagination.R
+@@ -33,7 +33,7 @@ gh_has_next <- function(gh_response) {
+   gh_has(gh_response, "next")
+ }
+ 
+-gh_link_request <- function(gh_response, link) {
++gh_link_request <- function(gh_response, link, .token, .send_headers) {
+   stopifnot(inherits(gh_response, "gh_response"))
+ 
+   url <- extract_link(gh_response, link)
+@@ -44,11 +44,14 @@ gh_link_request <- function(gh_response, link) {
+   req$query <- purl$query
+   purl$query <- NULL
+   req$url <- httr2::url_build(purl)
++  req$token <- .token
++  req$send_headers <- .send_headers
++  req <- gh_set_headers(req)
+   req
+ }
+ 
+-gh_link <- function(gh_response, link) {
+-  req <- gh_link_request(gh_response, link)
++gh_link <- function(gh_response, link, .token, .send_headers) {
++  req <- gh_link_request(gh_response, link, .token, .send_headers)
+   raw <- gh_make_request(req)
+   gh_process_response(raw, req)
+ }
+@@ -71,6 +74,7 @@ gh_extract_pages <- function(gh_response) {
+ #' If the requested page does not exist, an error is thrown.
+ #'
+ #' @param gh_response An object returned by a [gh()] call.
++#' @inheritParams gh
+ #' @return Answer from the API.
+ #'
+ #' @seealso The `.limit` argument to [gh()] supports fetching more than
+@@ -83,19 +87,27 @@ gh_extract_pages <- function(gh_response) {
+ #' vapply(x, "[[", character(1), "login")
+ #' x2 <- gh_next(x)
+ #' vapply(x2, "[[", character(1), "login")
+-gh_next <- function(gh_response) gh_link(gh_response, "next")
++gh_next <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "next", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_prev <- function(gh_response) gh_link(gh_response, "prev")
++gh_prev <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "prev", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_first <- function(gh_response) gh_link(gh_response, "first")
++gh_first <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "first", .token = .token, .send_headers = 
.send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_last <- function(gh_response) gh_link(gh_response, "last")
++gh_last <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "last", .token = .token, .send_headers = .send_headers)
++}
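Review bot: the roxygen example above this hunk still reads `x2 <- gh_next(x)`, which is fine for the default token, but the behaviour change for callers is not spelled out anywhere: since the response no longer carries the request headers, a caller who passed custom `.send_headers` to `gh()` must now pass them again to `gh_next()`, otherwise the follow-up request is sent with only the defaults that `gh_set_headers` adds. One sentence in the `@details` or the example (`gh_next(x, .send_headers = ...)`) would prevent that surprise.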
+diff --git a/man/gh_next.Rd b/man/gh_next.Rd
+index 4c4b493..a79cd3a 100644
+--- a/man/gh_next.Rd
++++ b/man/gh_next.Rd
+@@ -7,16 +7,23 @@
+ \alias{gh_last}
+ \title{Get the next, previous, first or last page of results}
+ \usage{
+-gh_next(gh_response)
++gh_next(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_prev(gh_response)
++gh_prev(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_first(gh_response)
++gh_first(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_last(gh_response)
++gh_last(gh_response, .token = NULL, .send_headers = NULL)
+ }
+ \arguments{
+ \item{gh_response}{An object returned by a \code{\link[=gh]{gh()}} call.}
++
++\item{.token}{Authentication token. Defaults to 
\code{\link[=gh_token]{gh_token()}}.}
++
++\item{.send_headers}{Named character vector of header field values
++(except \code{Authorization}, which is handled via \code{.token}). This can be
++used to override or augment the default \code{User-Agent} header:
++\code{"https://github.com/r-lib/gh"}.}
+ }
+ \value{
+ Answer from the API.
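Review bot: the `\arguments` text says `.token` "Defaults to gh_token()" while `\usage` shows `.token = NULL`; the two agree only if `gh_set_headers` resolves a `NULL` token to `gh_token()`, which this diff does not show. The wording is inherited from `gh()` via `@inheritParams gh`, so it is presumably correct, but it is worth confirming, because for this fix the pagination helpers must re-obtain the token themselves now that it is no longer read back from the response.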
+diff --git a/tests/testthat/test-gh_response.R 
b/tests/testthat/test-gh_response.R
+index 6ae8c0d..84ea037 100644
+--- a/tests/testthat/test-gh_response.R
++++ b/tests/testthat/test-gh_response.R
+@@ -64,10 +64,6 @@ test_that("captures details to recreate request", {
+   expect_type(req, "list")
+   expect_equal(req$url, "https://api.github.com/orgs/r-lib/repos";)
+   expect_equal(req$query, list(per_page = 1))
+-
+-  # For backwards compatibility
+-  expect_equal(attr(res, "method"), "GET")
+-  expect_type(attr(res, ".send_headers"), "list")
+ })
+ 
+ test_that("output file is not overwritten on error", {
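Review bot: this hunk only deletes the assertions on the removed `method` and `.send_headers` attributes; it adds no positive test for the fix itself. A regression check in the same `test_that("captures details to recreate request", ...)` block, e.g. `expect_null(attr(res, "request")$headers)`, would assert that the stored request no longer contains the `Authorization` header and would fail loudly if a later refactor restored it.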
+diff --git a/tests/testthat/test-pagination.R 
b/tests/testthat/test-pagination.R
+index bc5e912..c693351 100644
+--- a/tests/testthat/test-pagination.R
++++ b/tests/testthat/test-pagination.R
+@@ -22,7 +22,7 @@ test_that("paginated request gets max_wait and max_rate", {
+   skip_on_cran()
+   gh <- gh("/orgs/tidyverse/repos", per_page = 5, .max_wait = 1, .max_rate = 
10)
+ 
+-  req <- gh_link_request(gh, "next")
++  req <- gh_link_request(gh, "next", .token = NULL, .send_headers = NULL)
+   expect_equal(req$max_wait, 1)
+   expect_equal(req$max_rate, 10)
+ 
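Review bot: the updated call passes `.token = NULL, .send_headers = NULL` but the test still asserts only `max_wait` and `max_rate`, so the new forwarding in `gh_link_request` (`req$token <- .token`, `req$send_headers <- .send_headers`) is exercised without being checked. Calling it once with a constructed `.send_headers` value and asserting that it appears in `req$send_headers` (or in `req$headers` after `gh_set_headers`) would cover the path that this CVE fix depends on.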
diff -Nru r-cran-gh-1.4.1/debian/patches/series 
r-cran-gh-1.4.1/debian/patches/series
--- r-cran-gh-1.4.1/debian/patches/series       1970-01-01 01:00:00.000000000 
+0100
+++ r-cran-gh-1.4.1/debian/patches/series       2025-11-25 06:44:32.000000000 
+0100
@@ -0,0 +1 @@
+CVE-2025-54956.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.3

This update has been released as part of Debian 13.3.

--- End Message ---
