diff mbox series

[meta-security,scarthgap] libhtp: fix CVE-2025-53537

Message ID 20250902055838.29035-1-hprajapati@mvista.com
State New
Headers show
Series [meta-security,scarthgap] libhtp: fix CVE-2025-53537 | expand

Commit Message

Hitendra Prajapati Sept. 2, 2025, 5:58 a.m. UTC 
Upstream-Status: Backport from
https://github.com/OISF/libhtp/commit/226580d502ae98c148aaecc4846f78694b5e253c && https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../suricata/files/CVE-2025-53537-001.patch   | 79 +++++++++++++++++++
 .../suricata/files/CVE-2025-53537-002.patch   | 31 ++++++++
 recipes-ids/suricata/libhtp_0.5.45.bb         |  2 +
 3 files changed, 112 insertions(+)
 create mode 100644 recipes-ids/suricata/files/CVE-2025-53537-001.patch
 create mode 100644 recipes-ids/suricata/files/CVE-2025-53537-002.patch
diff mbox series

Patch

diff --git a/recipes-ids/suricata/files/CVE-2025-53537-001.patch b/recipes-ids/suricata/files/CVE-2025-53537-001.patch
new file mode 100644
index 0000000..e16a59a
--- /dev/null
+++ b/recipes-ids/suricata/files/CVE-2025-53537-001.patch
@@ -0,0 +1,79 @@ 
+From 226580d502ae98c148aaecc4846f78694b5e253c Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <contact@catenacyber.fr>
+Date: Tue, 11 Mar 2025 16:45:35 +0100
+Subject: [PATCH] decompressors: do not take data after end
+
+
+CVE: CVE-2025-53537
+Upstream-Status: Backport [https://github.com/OISF/libhtp/commit/226580d502ae98c148aaecc4846f78694b5e253c]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ htp/htp_core.h          |  5 ++++-
+ htp/htp_decompressors.c | 21 ++++++++++++---------
+ 2 files changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/htp/htp_core.h b/htp/htp_core.h
+index 7c23212..fb142c9 100644
+--- a/htp/htp_core.h
++++ b/htp/htp_core.h
+@@ -161,7 +161,10 @@ enum htp_content_encoding_t {
+     HTP_COMPRESSION_DEFLATE = 3,
+ 
+     /** LZMA compression. */
+-    HTP_COMPRESSION_LZMA = 4
++    HTP_COMPRESSION_LZMA = 4,
++
++    /** No more data. */
++    HTP_COMPRESSION_OVER = 5
+ };
+ 
+ /**
+diff --git a/htp/htp_decompressors.c b/htp/htp_decompressors.c
+index 19950df..0d94c30 100644
+--- a/htp/htp_decompressors.c
++++ b/htp/htp_decompressors.c
+@@ -203,6 +203,8 @@ htp_status_t htp_gzip_decompressor_decompress(htp_decompressor_t *drec1, htp_tx_
+         }
+ 
+         return HTP_OK;
++    } else if (drec->zlib_initialized == HTP_COMPRESSION_OVER) {
++        return HTP_ERROR;
+     }
+ 
+     if (d->data == NULL) {
+@@ -316,15 +318,9 @@ restart:
+             // no initialization means previous error on stream
+             return HTP_ERROR;
+         }
+-        if (GZIP_BUF_SIZE > drec->stream.avail_out) {
+-            if (rc == Z_DATA_ERROR) {
+-                // There is data even if there is an error
+-                // So use this data and log a warning
+-                htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc);
+-                rc = Z_STREAM_END;
+-            }
+-        }
+-        if (rc == Z_STREAM_END) {
++
++	int error_after_data = (rc == Z_DATA_ERROR && drec->restart == 0 && GZIP_BUF_SIZE > drec->stream.avail_out);
++        if (rc == Z_STREAM_END || error_after_data) {
+             // How many bytes do we have?
+             size_t len = GZIP_BUF_SIZE - drec->stream.avail_out;
+ 
+@@ -351,6 +347,13 @@ restart:
+             drec->stream.next_out = drec->buffer;
+             // TODO Handle trailer.
+ 
++            if (error_after_data) {
++                // There is data even if there is an error
++                // So use this data and log a warning
++                htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc);
++                drec->zlib_initialized = HTP_COMPRESSION_OVER;
++                return HTP_ERROR;
++            }
+             return HTP_OK;
+         }
+         else if (rc != Z_OK) {
+-- 
+2.50.1
+
diff --git a/recipes-ids/suricata/files/CVE-2025-53537-002.patch b/recipes-ids/suricata/files/CVE-2025-53537-002.patch
new file mode 100644
index 0000000..ff4f1a0
--- /dev/null
+++ b/recipes-ids/suricata/files/CVE-2025-53537-002.patch
@@ -0,0 +1,31 @@ 
+From 9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <contact@catenacyber.fr>
+Date: Tue, 17 Jun 2025 10:12:47 +0200
+Subject: [PATCH] decompressors: fix leak in lzma error case
+
+Ticket: 7766
+
+CVE: CVE-2025-53537
+Upstream-Status: Backport [https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ htp/htp_decompressors.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/htp/htp_decompressors.c b/htp/htp_decompressors.c
+index 0d94c30..ce6cfe1 100644
+--- a/htp/htp_decompressors.c
++++ b/htp/htp_decompressors.c
+@@ -351,6 +351,9 @@ restart:
+                 // There is data even if there is an error
+                 // So use this data and log a warning
+                 htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc);
++                if (drec->zlib_initialized == HTP_COMPRESSION_LZMA) {
++                    LzmaDec_Free(&drec->state, &lzma_Alloc);
++                }
+                 drec->zlib_initialized = HTP_COMPRESSION_OVER;
+                 return HTP_ERROR;
+             }
+-- 
+2.50.1
+
diff --git a/recipes-ids/suricata/libhtp_0.5.45.bb b/recipes-ids/suricata/libhtp_0.5.45.bb
index 604a0ca..b87db35 100644
--- a/recipes-ids/suricata/libhtp_0.5.45.bb
+++ b/recipes-ids/suricata/libhtp_0.5.45.bb
@@ -6,6 +6,8 @@  LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e
 
 SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x \
            file://CVE-2024-45797.patch \
+           file://CVE-2025-53537-001.patch \
+           file://CVE-2025-53537-002.patch \
           "
 SRCREV = "8bdfe7b9d04e5e948c8fbaa7472e14d884cc00af"