Version in base suite: 1.4.2-0.1 Base version: php-guzzlehttp-psr7_1.4.2-0.1 Target version: php-guzzlehttp-psr7_1.4.2-0.1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-guzzlehttp-psr7/php-guzzlehttp-psr7_1.4.2-0.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-guzzlehttp-psr7/php-guzzlehttp-psr7_1.4.2-0.1+deb10u1.dsc changelog | 8 ++ gbp.conf | 9 ++ patches/0001-Release-1.8.4-486.patch | 108 +++++++++++++++++++++++++++++++++++ patches/0002-Release-1.8.5-491.patch | 22 +++++++ patches/series | 2 5 files changed, 149 insertions(+) gpgv: Signature made Sun Dec 2 17:49:55 2018 UTC gpgv: using RSA key 3C9D54A47575C026FB17FD26B79A3C16A0C4F296 gpgv: Can't check signature: No public key dpkg-source: warning: failed to verify signature on /srv/release.debian.org/tmp/tmpx7k86gin/php-guzzlehttp-psr7_1.4.2-0.1.dsc
diff -Nru php-guzzlehttp-psr7-1.4.2/debian/changelog php-guzzlehttp-psr7-1.4.2/debian/changelog
--- php-guzzlehttp-psr7-1.4.2/debian/changelog 2018-12-02 17:42:00.000000000 +0000
+++ php-guzzlehttp-psr7-1.4.2/debian/changelog 2022-05-27 11:33:28.000000000 +0000
@@ -1,3 +1,11 @@
+php-guzzlehttp-psr7 (1.4.2-0.1+deb10u1) buster; urgency=medium
+
+ * Track Buster
+ * Backport fixes for improper header parsing [CVE-2022-24775]
+ (Closes: #1008236)
+
+ -- David Prévot Fri, 27 May 2022 13:33:28 +0200
+
 php-guzzlehttp-psr7 (1.4.2-0.1) unstable; urgency=medium

 * Non-maintainer upload.
diff -Nru php-guzzlehttp-psr7-1.4.2/debian/gbp.conf php-guzzlehttp-psr7-1.4.2/debian/gbp.conf
--- php-guzzlehttp-psr7-1.4.2/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000
+++ php-guzzlehttp-psr7-1.4.2/debian/gbp.conf 2022-05-27 11:33:14.000000000 +0000
@@ -0,0 +1,9 @@
+[DEFAULT]
+pristine-tar = True
+pristine-tar-commit = True
+debian-branch = debian/buster
+
+## Once --filter support gets added to gbp import-ref, we should be able
+## to simplify the workflow and ignore the upstream branch.
+# filter = [ '.gitattributes' ]
+# upstream-tag = %(version%~%-)s
diff -Nru php-guzzlehttp-psr7-1.4.2/debian/patches/0001-Release-1.8.4-486.patch php-guzzlehttp-psr7-1.4.2/debian/patches/0001-Release-1.8.4-486.patch
--- php-guzzlehttp-psr7-1.4.2/debian/patches/0001-Release-1.8.4-486.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-guzzlehttp-psr7-1.4.2/debian/patches/0001-Release-1.8.4-486.patch 2022-05-27 11:33:14.000000000 +0000
@@ -0,0 +1,108 @@
+From: Graham Campbell
+Date: Sun, 20 Mar 2022 13:44:44 +0000
+Subject: Release 1.8.4 (#486)
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Tim Düsterhus
+
+Origin: backport, https://github.com/guzzle/psr7/commit/902db15a551a4a415e732b622282e21ce1b508b4
+---
+ src/MessageTrait.php | 56 +++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 49 insertions(+), 7 deletions(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index 1e4da64..f5f61db 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -70,7 +70,7 @@ trait MessageTrait
+ $value = [$value];
+ }
+
+- $value = $this->trimHeaderValues($value);
++ $value = $this->trimAndValidateHeaderValues($value);
+ $normalized = strtolower($header);
+
+ $new = clone $this;
+@@ -89,7 +89,7 @@ trait MessageTrait
+ $value = [$value];
+ }
+
+- $value = $this->trimHeaderValues($value);
++ $value = $this->trimAndValidateHeaderValues($value);
+ $normalized = strtolower($header);
+
+ $new = clone $this;
+@@ -148,7 +148,7 @@ trait MessageTrait
+ $value = [$value];
+ }
+
+- $value = $this->trimHeaderValues($value);
++ $value = $this->trimAndValidateHeaderValues($value);
+ $normalized = strtolower($header);
+ if (isset($this->headerNames[$normalized])) {
+ $header = $this->headerNames[$normalized];
+@@ -168,16 +168,58 @@ trait MessageTrait
+ * header-field = field-name ":" OWS field-value OWS
+ * OWS = *( SP / HTAB )
+ *
+- * @param string[] $values Header values
++ * @param mixed[] $values Header values
+ *
+ * @return string[] Trimmed header values
+ *
+ * @see https://tools.ietf.org/html/rfc7230#section-3.2.4
+ */
+- private function trimHeaderValues(array $values)
++ private function trimAndValidateHeaderValues(array $values)
+ {
+ return array_map(function ($value) {
+- return trim($value, " \t");
+- }, $values);
++ if (!is_scalar($value) && null !== $value) {
++ throw new 
\InvalidArgumentException(sprintf(
++ 'Header value must be scalar or null but %s provided.',
++ is_object($value) ? get_class($value) : gettype($value)
++ ));
++ }
++
++ $trimmed = trim((string) $value, " \t");
++ $this->assertValue($trimmed);
++
++ return $trimmed;
++ }, array_values($values));
++ }
++
++ /**
++ * @param string $value
++ *
++ * @return void
++ *
++ * @see https://tools.ietf.org/html/rfc7230#section-3.2
++ *
++ * field-value = *( field-content / obs-fold )
++ * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
++ * field-vchar = VCHAR / obs-text
++ * VCHAR = %x21-7E
++ * obs-text = %x80-FF
++ * obs-fold = CRLF 1*( SP / HTAB )
++ */
++ private function assertValue($value)
++ {
++ // The regular expression intentionally does not support the obs-fold production, because as
++ // per RFC 7230#3.2.4:
++ //
++ // A sender MUST NOT generate a message that includes
++ // line folding (i.e., that has any field-value that contains a match to
++ // the obs-fold rule) unless the message is intended for packaging
++ // within the message/http media type.
++ //
++ // Clients must not send a request with line folding and a server sending folded headers is
++ // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
++ // folding is not likely to break any legitimate use case.
++ if (! preg_match('/^(?:[\x21-\x7E\x80-\xFF](?:[\x20\x09]+[\x21-\x7E\x80-\xFF])?)*$/', $value)) {
++ throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
++ }
+ }
+ }
diff -Nru php-guzzlehttp-psr7-1.4.2/debian/patches/0002-Release-1.8.5-491.patch php-guzzlehttp-psr7-1.4.2/debian/patches/0002-Release-1.8.5-491.patch
--- php-guzzlehttp-psr7-1.4.2/debian/patches/0002-Release-1.8.5-491.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-guzzlehttp-psr7-1.4.2/debian/patches/0002-Release-1.8.5-491.patch 2022-05-27 11:33:14.000000000 +0000
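Review bot: The pattern in the new assertValue, near the end of this hunk, still accepts a value that ends in a single LF, because `$` without the `D` (dollar-end-only) modifier also matches immediately before a trailing newline, and the preceding `trim((string) $value, " \t")` strips only SP and HTAB, so such a value reaches the regex intact; the replacement pattern in 0002-Release-1.8.5-491.patch keeps the same `$`. Closing that gap is a one-character change to the final form of the line, `if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value)) {` (or `\z` in place of `$`). The exception on the following line also interpolates the rejected value verbatim into its message, so rejected control characters end up in logs unescaped; consider dropping the value from the message or escaping it there.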
@@ -0,0 +1,22 @@
+From: Graham Campbell
+Date: Sun, 20 Mar 2022 21:51:18 +0000
+Subject: Release 1.8.5 (#491)
+
+Origin: backport, https://github.com/guzzle/psr7/commit/337e3ad8e5716c15f9657bd214d16cc5e69df268
+---
+ src/MessageTrait.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/MessageTrait.php b/src/MessageTrait.php
+index f5f61db..4ac4687 100644
+--- a/src/MessageTrait.php
++++ b/src/MessageTrait.php
+@@ -218,7 +218,7 @@ trait MessageTrait
+ // Clients must not send a request with line folding and a server sending folded headers is
+ // likely very rare. Line folding is a fairly obscure feature of HTTP/1.1 and thus not accepting
+ // folding is not likely to break any legitimate use case.
+- if (! preg_match('/^(?:[\x21-\x7E\x80-\xFF](?:[\x20\x09]+[\x21-\x7E\x80-\xFF])?)*$/', $value)) {
++ if (! preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/', $value)) {
+ throw new \InvalidArgumentException(sprintf('"%s" is not valid header value', $value));
+ }
+ }
diff -Nru php-guzzlehttp-psr7-1.4.2/debian/patches/series php-guzzlehttp-psr7-1.4.2/debian/patches/series
--- php-guzzlehttp-psr7-1.4.2/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ php-guzzlehttp-psr7-1.4.2/debian/patches/series 2022-05-27 11:33:14.000000000 +0000
@@ -0,0 +1,2 @@
+0001-Release-1.8.4-486.patch
+0002-Release-1.8.5-491.patch