[med-svn] [Git][med-team/civetweb][master] 4 commits: debian/rules: Set cmake minimum version to 3.5

Alexandre Detiste (@detiste-guest) gitlab at salsa.debian.org
Sat Sep 27 00:06:00 BST 2025 


Alexandre Detiste pushed to branch master at Debian Med / civetweb


Commits:
5fc25592 by Andreas Henriksson at 2025-09-01T11:14:41+00:00
debian/rules: Set cmake minimum version to 3.5

This works around the deprecation of previous versions. Without
setting this we get:

```
dh_auto_configure -- -DCMAKE_BUILD_TYPE=None -DCIVETWEB_BUILD_TESTING=OFF -DCIVETWEB_SOVERSION=1 -DCIVETWEB_ENABLE_CXX=ON -DBUILD_SHARED_LIBS=ON -DCIVETWEB_ENABLE_WEBSOCKETS=ON
	cd obj-aarch64-linux-gnu && DEB_PYTHON_INSTALL_LAYOUT=deb PKG_CONFIG=/usr/bin/pkg-config cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=None -DCMAKE_INSTALL_SYSCONFDIR=/etc -DCMAKE_INSTALL_LOCALSTATEDIR=/var -DCMAKE_EXPORT_NO_PACKAGE_REGISTRY=ON -DCMAKE_FIND_USE_PACKAGE_REGISTRY=OFF -DCMAKE_FIND_PACKAGE_NO_PACKAGE_REGISTRY=ON -DFETCHCONTENT_FULLY_DISCONNECTED=ON -DCMAKE_INSTALL_RUNSTATEDIR=/run -DCMAKE_SKIP_INSTALL_ALL_DEPENDENCY=ON "-GUnix Makefiles" -DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_INSTALL_LIBDIR=lib/aarch64-linux-gnu -DCMAKE_BUILD_TYPE=None -DCIVETWEB_BUILD_TESTING=OFF -DCIVETWEB_SOVERSION=1 -DCIVETWEB_ENABLE_CXX=ON -DBUILD_SHARED_LIBS=ON -DCIVETWEB_ENABLE_WEBSOCKETS=ON ..
CMake Error at CMakeLists.txt:2 (cmake_minimum_required):
  Compatibility with CMake < 3.5 has been removed from CMake.

  Update the VERSION argument <min> value.  Or, use the <min>...<max> syntax
  to tell CMake that the project requires at least <min> but has been updated
  to work with policies introduced by <max> or earlier.

  Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.

-- Configuring incomplete, errors occurred!

```

This commit can be reverted once CMakeLists.txt has been updated
to set the minimum to be compatible with cmake >= 4.x.

- - - - -
3c5852c0 by Andreas Henriksson at 2025-09-02T19:08:48+02:00
Cherry-pick proposed patch for CVE-2025-55763

PoC:
https://github.com/krispybyte/CVE-2025-55763

MR:
https://github.com/civetweb/civetweb/pull/1347

- - - - -
91da4ac2 by Andreas Henriksson at 2025-09-02T19:08:48+02:00
Update debian/changelog

- - - - -
e0d99b5a by Alexandre Detiste at 2025-09-27T01:05:55+02:00
Merge branch 'CVE-2025-55763' into 'master'

Address CVE-2025-55763 and fix cmake build problem

See merge request med-team/civetweb!1
- - - - -


4 changed files:

- debian/changelog
- + debian/patches/CVE-2025-55763.patch
- debian/patches/series
- debian/rules


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+civetweb (1.16+dfsg-3) UNRELEASED; urgency=medium
+
+  * debian/rules: Set cmake minimum version to 3.5
+  * Cherry-pick proposed patch for CVE-2025-55763
+
+ -- Andreas Henriksson <andreas at fatal.se>  Mon, 01 Sep 2025 11:23:44 +0000
+
 civetweb (1.16+dfsg-2) unstable; urgency=medium
 
   * Unfuzz patches.


=====================================
debian/patches/CVE-2025-55763.patch
=====================================
@@ -0,0 +1,86 @@
+From 76e222bcb77ba8452e5da4e82ae6cecd499c25e0 Mon Sep 17 00:00:00 2001
+From: krispybyte <krispybyte at proton.me>
+Date: Sat, 21 Jun 2025 23:33:50 +0300
+Subject: [PATCH 1/2] Fix heap overflow in directory URI slash redirection
+
+---
+ src/civetweb.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+Origin: https://github.com/civetweb/civetweb/commit/c584455624d9a9f6ec72839f61dd3cdb9d8435ba.patch
+Bug: https://github.com/civetweb/civetweb/pull/1347
+
+diff --git a/src/civetweb.c b/src/civetweb.c
+index bbc9aa8be..e969c939f 100644
+--- a/src/civetweb.c
++++ b/src/civetweb.c
+@@ -15579,7 +15579,6 @@ handle_request(struct mg_connection *conn)
+ 	/* 12. Directory uris should end with a slash */
+ 	if (file.stat.is_directory && ((uri_len = (int)strlen(ri->local_uri)) > 0)
+ 	    && (ri->local_uri[uri_len - 1] != '/')) {
+-
+ 		/* Path + server root */
+ 		size_t buflen = UTF8_PATH_MAX * 2 + 2;
+ 		char *new_path;
+@@ -15592,12 +15591,26 @@ handle_request(struct mg_connection *conn)
+ 			mg_send_http_error(conn, 500, "out or memory");
+ 		} else {
+ 			mg_get_request_link(conn, new_path, buflen - 1);
+-			strcat(new_path, "/");
++
++			size_t len = strlen(new_path);
++			if (len + 1 < buflen) {
++				new_path[len] = '/';
++				new_path[len + 1] = '\0';
++				len += 1;
++			}
++
+ 			if (ri->query_string) {
+-				/* Append ? and query string */
+-				strcat(new_path, "?");
+-				strcat(new_path, ri->query_string);
++				if (len + 1 < buflen) {
++					new_path[len] = '?';
++					new_path[len + 1] = '\0';
++					len += 1;
++				}
++
++				/* Append with size of space left for query string + null terminator */
++				size_t max_append = buflen - len - 1;
++				strncat(new_path, ri->query_string, max_append);
+ 			}
++
+ 			mg_send_http_redirect(conn, new_path, 301);
+ 			mg_free(new_path);
+ 		}
+
+From d5321963b1d0bc953101de91f8588bf83db73bf5 Mon Sep 17 00:00:00 2001
+From: krispybyte <krispybyte at proton.me>
+Date: Sun, 22 Jun 2025 00:23:06 +0300
+Subject: [PATCH 2/2] Fit code style
+
+---
+ src/civetweb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/civetweb.c b/src/civetweb.c
+index e969c939f..6af91f874 100644
+--- a/src/civetweb.c
++++ b/src/civetweb.c
+@@ -15596,14 +15596,14 @@ handle_request(struct mg_connection *conn)
+ 			if (len + 1 < buflen) {
+ 				new_path[len] = '/';
+ 				new_path[len + 1] = '\0';
+-				len += 1;
++				len++;
+ 			}
+ 
+ 			if (ri->query_string) {
+ 				if (len + 1 < buflen) {
+ 					new_path[len] = '?';
+ 					new_path[len + 1] = '\0';
+-					len += 1;
++					len++;
+ 				}
+ 
+ 				/* Append with size of space left for query string + null terminator */


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 soversion
 webdav-uploads
+CVE-2025-55763.patch


=====================================
debian/rules
=====================================
@@ -12,6 +12,7 @@ export DEB_BUILD_MAINT_OPTIONS = \
 # "CIVETWEB_SOVERSION" must match the suffix of the Debian package
 # (i.e. "libcivetweb1" => "1")
 CMAKE_EXTRA_FLAGS += \
+        -DCMAKE_POLICY_VERSION_MINIMUM=3.5 \
         -DCMAKE_BUILD_TYPE=None \
         -DCIVETWEB_BUILD_TESTING=OFF \
         -DCIVETWEB_SOVERSION=1 \



View it on GitLab: https://salsa.debian.org/med-team/civetweb/-/compare/c27a4af01a26fe5fa12821d0efbc6f5b324c96da...e0d99b5a5f6f59e5898d11c5ee05480c3f58c476

-- 
View it on GitLab: https://salsa.debian.org/med-team/civetweb/-/compare/c27a4af01a26fe5fa12821d0efbc6f5b324c96da...e0d99b5a5f6f59e5898d11c5ee05480c3f58c476
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-med-commit/attachments/20250926/56a7d12d/attachment-0001.htm>

More information about the debian-med-commit mailing list