Bug#1011943: buster-pu: package php-guzzlehttp-psr7/1.4.2-0.1+deb10u1

2022-08-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2022-05-27 at 14:23 +0200, David Prévot wrote:
> The security team asked me to address #1008236 [CVE-2022-24775] via a
> point release, so here I am.
> 

Please go ahead; sorry for the delay.

Regards,

Adam



Bug#1011943: buster-pu: package php-guzzlehttp-psr7/1.4.2-0.1+deb10u1

2022-05-27 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-php-p...@lists.alioth.debian.org


[ Reason ]
The security team asked me to address #1008236 [CVE-2022-24775] via a
point release, so here I am.

[ Tests ]
I did not test the package extensively, sorry about that. The patches
were pretty straightforward, but unlike in Bullseye, the version
currently in Buster was pushed via an NMU that removed the testsuite… It is
only used by the movim ecosystem in Buster.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards

David
diff --git a/debian/changelog b/debian/changelog
index cb9f8a1..3fe276d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+php-guzzlehttp-psr7 (1.4.2-0.1+deb10u1) buster; urgency=medium
+
+  * Track Buster
+  * Backport fixes for improper header parsing [CVE-2022-24775]
+(Closes: #1008236)
+
+ -- David Prévot   Fri, 27 May 2022 13:33:28 +0200
+
 php-guzzlehttp-psr7 (1.4.2-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
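Review bot: the continuation line "(Closes: #1008236)" of the new stanza is shown at column 0, whereas Debian changelog continuation lines have to be indented (four spaces, aligned under "Backport fixes"); if that is not merely whitespace lost in the debdiff excerpt, `dpkg-parsechangelog` will warn about an unrecognised line and the Closes reference will not be part of the parsed changes. Otherwise the stanza matches the request: distribution buster, version 1.4.2-0.1+deb10u1, and the CVE-2022-24775 identifier paired with bug #1008236.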
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..6b83341
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,9 @@
+[DEFAULT]
+pristine-tar = True
+pristine-tar-commit = True
+debian-branch = debian/buster
+
+## Once --filter support gets added to gbp import-ref, we should be able
+## to simplify the workflow and ignore the upstream branch.
+# filter = [ '.gitattributes' ]
+# upstream-tag = %(version%~%-)s
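Review bot: adding debian/gbp.conf is a git-workflow change unrelated to the CVE fix; it is harmless for a stable update because it only affects how the maintainer's branch is handled, not the built package, and the "Track Buster" changelog entry covers it. `debian-branch = debian/buster` is the right value for the target suite; the two commented-out `filter` / `upstream-tag` lines and the "Once --filter support gets added" remark are maintainer notes that could be dropped from a file introduced in a point-release upload, but they do not need to block it.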
diff --git a/debian/patches/0001-Release-1.8.4-486.patch b/debian/patches/0001-Release-1.8.4-486.patch
new file mode 100644
index 000..9f72423
--- /dev/null
+++ b/debian/patches/0001-Release-1.8.4-486.patch
@@ -0,0 +1,108 @@
+From: Graham Campbell 
+Date: Sun, 20 Mar 2022 13:44:44 +
+Subject: Release 1.8.4 (#486)
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Tim Düsterhus 
+
+Origin: backport, https://github.com/guzzle/psr7/commit/902db15a551a4a415e732b622282e21ce1b508b4
+---
+ src/MessageTrait.php | 56 +---
+ 1 file changed, 49 insertions(+), 7 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 1e4da64..f5f61db 100644
+--- a/src/MessageTrait.php
 b/src/MessageTrait.php
+@@ -70,7 +70,7 @@ trait MessageTrait
+ $value = [$value];
+ }
+ 
+-$value = $this->trimHeaderValues($value);
++$value = $this->trimAndValidateHeaderValues($value);
+ $normalized = strtolower($header);
+ 
+ $new = clone $this;
+@@ -89,7 +89,7 @@ trait MessageTrait
+ $value = [$value];
+ }
+ 
+-$value = $this->trimHeaderValues($value);
++$value = $this->trimAndValidateHeaderValues($value);
+ $normalized = strtolower($header);
+ 
+ $new = clone $this;
+@@ -148,7 +148,7 @@ trait MessageTrait
+ $value = [$value];
+ }
+ 
+-$value = $this->trimHeaderValues($value);
++$value = $this->trimAndValidateHeaderValues($value);
+ $normalized = strtolower($header);
+ if (isset($this->headerNames[$normalized])) {
+ $header = $this->headerNames[$normalized];
+@@ -168,16 +168,58 @@ trait MessageTrait
+  * header-field = field-name ":" OWS field-value OWS
+  * OWS  = *( SP / HTAB )
+  *
+- * @param string[] $values Header values
++ * @param mixed[] $values Header values
+  *
+  * @return string[] Trimmed header values
+  *
+  * @see https://tools.ietf.org/html/rfc7230#section-3.2.4
+  */
+-private function trimHeaderValues(array $values)
++private function trimAndValidateHeaderValues(array $values)
+ {
+ return array_map(function ($value) {
+-return trim($value, " \t");
+-}, $values);
++if (!is_scalar($value) && null !== $value) {
++throw new \InvalidArgumentException(sprintf(
++'Header value must be scalar or null but %s provided.',
++is_object($value) ? get_class($value) : gettype($value)
++));
++}
++
++$trimmed = trim((string) $value, " \t");
++$this->assertValue($trimmed);
++
++return $trimmed;
++}, array_values($values));
++}
++
++/**
++ * @param string $value
++ *
++ * @return void
++ *
++ * @see https://tools.ietf.org/html/rfc7230#section-3.2
++ *
++ * field-value= *( field-content / obs-fold )
++ * field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
++ * field-vchar= VCHAR / obs-text
++ * VCHAR  = %x21-7E
++ * obs-text   = %x80-FF
++ * obs-fold
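Review bot: the patch header carries an `Origin:` line pointing at the upstream commit but no DEP-3 `Bug-Debian:` field; add `Bug-Debian: https://bugs.debian.org/1008236` so that the CVE-2022-24775 fix is traceable from the patch file itself. The excerpt ends inside the doc comment of `assertValue`, so the method that actually rejects bad characters is not visible here; what the visible hunks do confirm is that all three entry points (`withHeader` at line 70, `withAddedHeader` at 89 and `setHeaders` at 148) now route through `trimAndValidateHeaderValues`, and since `trimHeaderValues` is renamed rather than kept, no caller can fall back to the unvalidated path. Two behaviour changes in `trimAndValidateHeaderValues` are worth a sentence in the changelog or the patch header: non-scalar, non-null values now raise `InvalidArgumentException` instead of being passed to `trim()`, and `array_values($values)` re-indexes the header array, dropping any string keys. Given that the Buster package has no testsuite, a minimal manual check before upload would be to build a `Request` with a header value containing "\r\n" and confirm it throws, and that a plain value still round-trips unchanged.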