Bug#1121357: marked as done (bookworm-pu: package r-cran-gh/1.4.0-1+deb12u1)

Sat, 10 Jan 2026 04:12:18 -0800 

Your message dated Sat, 10 Jan 2026 11:59:46 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1121357,
regarding bookworm-pu: package r-cran-gh/1.4.0-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121357: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121357
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:r-cran-gh
User: [email protected]
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]

The package is affected by CVE-2025-54956. The HTTP response is delivered in a
data structure that includes the Authorization header from the corresponding
HTTP request. This upload fixes this issue.

[ Impact ]

If not approved, users contionue to be vulnerable to CVE-2025-54956.

[ Tests ]

The testsuite runs successful. A few tests have been adjusted to the new
behavior. Their success is an indication that the changed code works and
nothing has been broken.

[ Risks ]

The main risks are regressions or breakages. But the test suite runs successful
and the code changes are not too complicated.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The changes remove the request headers that were originally stored in the
response object. Instead, the sensitive information is passed explicitely.

[ Other info ]

n/a


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmklOloACgkQS80FZ8KW
0F1lbA//TBCtauvVgXB4O42PHh1mPNjAvEEQ9AHk4U/rwqq1+DsZ0JitZw2eZYcM
igXbj2RRDOSaSu6aWXPqf33/YFM3VgRQHuDplJei7iOzHnTKllDI4lqK1B/19lPQ
kMm9F8yC+YOXgWYTICoypXZBjgBUaPMiRW/HmSvCCSIeaqIzkAzZkMTym+lu4UMn
PHCEWdYmN6eJTKo949H2iI3CrRP8Ma884HLfXDWo43v2NQaHV1LvP/aFxSfgsDs3
YtnI/DnBpAHjABIngRVirEy71Ifhwwbn7zL3MxvcpJoj9cHd0pDqd+Awt7Q25Mkr
JFy9VBO/N43BOjnvR8tU/36ssDUReQnwnz/B1BzpPzQfmOy0eOFX7bYDOQMdURkJ
VSkghYQtqfYzAIrjCOR6wpLnAJJ/+WbICBB4CxTcrw71q9szSuQG0Cp1OnNyWWVg
LTtTUOFBAEEPlKGdglk/xvG7PinHLne8sIhpj5/QqbHcOSuJiDaPHv20KeSRrVBz
HgS90sujXHXywsQuMBQrtplsLU/ZWdcU2wxwn3a+hMWsTLFyc/A5+grNN360X/Iu
feYBMsD4IshsctsI7RLJv0PPxWZ5YKwFGU+BifCDpWZZ6OT6oDgjCU51H9Oe4EHH
OZOzSkRSqHRCcvAvAAviw8rGY00K0gBCL/ve+yXv5PhYQnF9THk=
=BFsX
-----END PGP SIGNATURE-----

diff -Nru r-cran-gh-1.4.0/debian/changelog r-cran-gh-1.4.0/debian/changelog
--- r-cran-gh-1.4.0/debian/changelog    2023-02-26 10:24:41.000000000 +0100
+++ r-cran-gh-1.4.0/debian/changelog    2025-11-25 05:48:19.000000000 +0100
@@ -1,3 +1,13 @@
+r-cran-gh (1.4.0-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS team.
+  * d/patches/CVE-2025-54956.patch: Add patch to fix CVE-2025-54956.
+    - The HTTP response is delivered in a data structure that
+      includes the Authorization header from the corresponding HTTP
+      request (closes: #1110481).
+
+ -- Daniel Leidert <[email protected]>  Tue, 25 Nov 2025 05:48:19 +0100
+
 r-cran-gh (1.4.0-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru r-cran-gh-1.4.0/debian/gbp.conf r-cran-gh-1.4.0/debian/gbp.conf
--- r-cran-gh-1.4.0/debian/gbp.conf     1970-01-01 01:00:00.000000000 +0100
+++ r-cran-gh-1.4.0/debian/gbp.conf     2025-11-25 05:48:19.000000000 +0100
@@ -0,0 +1,4 @@
+[DEFAULT]
+debian-branch = debian/bookworm
+upstream-branch = upstream
+pristine-tar = True
diff -Nru r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch 
r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch
--- r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch   1970-01-01 
01:00:00.000000000 +0100
+++ r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch   2025-11-25 
05:48:19.000000000 +0100
@@ -0,0 +1,190 @@
+From: =?UTF-8?q?G=C3=A1bor=20Cs=C3=A1rdi?= <[email protected]>
+Date: Mon, 26 May 2025 09:36:45 +0200
+Subject: [PATCH] Do not save request headers in the return value
+
+Closes #222.
+
+Reviewed-By: Daniel Leidert <[email protected]>
+Origin: 
https://github.com/r-lib/gh/commit/b575d488c71318449cc6c8c989c617db29275848
+Bug: https://github.com/r-lib/gh/issues/222
+Bug-Debian: https://bugs.debian.org/1110481
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-54956
+Bug-Freexian-Security: 
https://deb.freexian.com/extended-lts/tracker/CVE-2025-54956
+---
+ R/gh.R                            |  2 +-
+ R/gh_response.R                   | 10 +++++-----
+ R/pagination.R                    | 26 +++++++++++++++++++-------
+ man/gh_next.Rd                    | 15 +++++++++++----
+ tests/testthat/test-gh_response.R |  4 ----
+ tests/testthat/test-pagination.R  |  2 +-
+ 6 files changed, 37 insertions(+), 22 deletions(-)
+
+diff --git a/R/gh.R b/R/gh.R
+index 3a4d2d7..313eda9 100644
+--- a/R/gh.R
++++ b/R/gh.R
+@@ -196,7 +196,7 @@ gh <- function(endpoint,
+ 
+   while (!is.null(.limit) && len < .limit && gh_has_next(res)) {
+     if (.progress) update_progress_bar(prbr, res)
+-    res2 <- gh_next(res)
++    res2 <- gh_next(res, .token = .token, .send_headers = .send_headers)
+ 
+     if (!is.null(names(res2)) && identical(names(res), names(res2))) {
+       res3 <- mapply( # Handle named array case
+diff --git a/R/gh_response.R b/R/gh_response.R
+index 4ded3a7..65c24f8 100644
+--- a/R/gh_response.R
++++ b/R/gh_response.R
+@@ -25,11 +25,7 @@ gh_process_response <- function(resp, gh_req) {
+   }
+ 
+   attr(res, "response") <- httr2::resp_headers(resp)
+-  attr(res, "request") <- gh_req
+-
+-  # for backward compatibility
+-  attr(res, "method") <- resp$method
+-  attr(res, ".send_headers") <- httr2::last_request()$headers
++  attr(res, "request") <- remove_headers(gh_req)
+ 
+   if (is_ondisk) {
+     class(res) <- c("gh_response", "path")
+@@ -40,3 +36,7 @@ gh_process_response <- function(resp, gh_req) {
+   }
+   res
+ }
++
++remove_headers <- function(x) {
++  x[names(x) != "headers"]
++}
+diff --git a/R/pagination.R b/R/pagination.R
+index 7fc827e..aaed6fe 100644
+--- a/R/pagination.R
++++ b/R/pagination.R
+@@ -33,7 +33,7 @@ gh_has_next <- function(gh_response) {
+   gh_has(gh_response, "next")
+ }
+ 
+-gh_link_request <- function(gh_response, link) {
++gh_link_request <- function(gh_response, link, .token, .send_headers) {
+   stopifnot(inherits(gh_response, "gh_response"))
+ 
+   url <- extract_link(gh_response, link)
+@@ -41,11 +41,14 @@ gh_link_request <- function(gh_response, link) {
+ 
+   req <- attr(gh_response, "request")
+   req$url <- url
++  req$token <- .token
++  req$send_headers <- .send_headers
++  req <- gh_set_headers(req)
+   req
+ }
+ 
+-gh_link <- function(gh_response, link) {
+-  req <- gh_link_request(gh_response, link)
++gh_link <- function(gh_response, link, .token, .send_headers) {
++  req <- gh_link_request(gh_response, link, .token, .send_headers)
+   raw <- gh_make_request(req)
+   gh_process_response(raw, req)
+ }
+@@ -68,6 +71,7 @@ gh_extract_pages <- function(gh_response) {
+ #' If the requested page does not exist, an error is thrown.
+ #'
+ #' @param gh_response An object returned by a [gh()] call.
++#' @inheritParams gh
+ #' @return Answer from the API.
+ #'
+ #' @seealso The `.limit` argument to [gh()] supports fetching more than
+@@ -80,22 +84,30 @@ gh_extract_pages <- function(gh_response) {
+ #' vapply(x, "[[", character(1), "login")
+ #' x2 <- gh_next(x)
+ #' vapply(x2, "[[", character(1), "login")
+-gh_next <- function(gh_response) gh_link(gh_response, "next")
++gh_next <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "next", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_prev <- function(gh_response) gh_link(gh_response, "prev")
++gh_prev <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "prev", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_first <- function(gh_response) gh_link(gh_response, "first")
++gh_first <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "first", .token = .token, .send_headers = 
.send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_last <- function(gh_response) gh_link(gh_response, "last")
++gh_last <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "last", .token = .token, .send_headers = .send_headers)
++}
+ 
+ make_progress_bar <- function(gh_request) {
+   state <- new.env(parent = emptyenv())
+diff --git a/man/gh_next.Rd b/man/gh_next.Rd
+index 4c4b493..a79cd3a 100644
+--- a/man/gh_next.Rd
++++ b/man/gh_next.Rd
+@@ -7,16 +7,23 @@
+ \alias{gh_last}
+ \title{Get the next, previous, first or last page of results}
+ \usage{
+-gh_next(gh_response)
++gh_next(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_prev(gh_response)
++gh_prev(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_first(gh_response)
++gh_first(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_last(gh_response)
++gh_last(gh_response, .token = NULL, .send_headers = NULL)
+ }
+ \arguments{
+ \item{gh_response}{An object returned by a \code{\link[=gh]{gh()}} call.}
++
++\item{.token}{Authentication token. Defaults to 
\code{\link[=gh_token]{gh_token()}}.}
++
++\item{.send_headers}{Named character vector of header field values
++(except \code{Authorization}, which is handled via \code{.token}). This can be
++used to override or augment the default \code{User-Agent} header:
++\code{"https://github.com/r-lib/gh"}.}
+ }
+ \value{
+ Answer from the API.
+diff --git a/tests/testthat/test-gh_response.R 
b/tests/testthat/test-gh_response.R
+index dacaf0a..1aa1aa2 100644
+--- a/tests/testthat/test-gh_response.R
++++ b/tests/testthat/test-gh_response.R
+@@ -62,8 +62,4 @@ test_that("captures details to recreate request", {
+   expect_type(req, "list")
+   expect_equal(req$url, "https://api.github.com/orgs/r-lib/repos";)
+   expect_equal(req$query, list(.per_page = 1))
+-
+-  # For backwards compatibility
+-  expect_equal(attr(res, "method"), "GET")
+-  expect_type(attr(res, ".send_headers"), "list")
+ })
+diff --git a/tests/testthat/test-pagination.R 
b/tests/testthat/test-pagination.R
+index d9f6e7f..a76d5e0 100644
+--- a/tests/testthat/test-pagination.R
++++ b/tests/testthat/test-pagination.R
+@@ -1,7 +1,7 @@
+ test_that("paginated request gets max_wait and max_rate", {
+   gh <- gh("/orgs/tidyverse/repos", per_page = 5, .max_wait = 1, .max_rate = 
10)
+ 
+-  req <- gh_link_request(gh, "next")
++  req <- gh_link_request(gh, "next", .token = NULL, .send_headers = NULL)
+   expect_equal(req$max_wait, 1)
+   expect_equal(req$max_rate, 10)
+ 
diff -Nru r-cran-gh-1.4.0/debian/patches/series 
r-cran-gh-1.4.0/debian/patches/series
--- r-cran-gh-1.4.0/debian/patches/series       1970-01-01 01:00:00.000000000 
+0100
+++ r-cran-gh-1.4.0/debian/patches/series       2025-11-25 05:48:19.000000000 
+0100
@@ -0,0 +1 @@
+CVE-2025-54956.patch.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org\nVersion: 12.13\n\nThis update has been released as 
part of Debian 12.13.

--- End Message ---

Reply via email to