Bug#1135858: trixie-pu: package starlet/0.31-2+deb13u1
gregor herrmann
gregoa at debian.org
Wed May 6 18:29:55 BST 2026
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: starlet at packages.debian.org
Control: affects -1 + src:starlet
User: release.debian.org at packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
In coordination with the security team, I've uploaded
starlet/0.31-2+deb13u1 to trixie in order to fix
https://security-tracker.debian.org/tracker/CVE-2026-40561
aka #1135584
| Starlet versions through 0.31 for Perl allows HTTP Request Smuggling
| via Improper Header Precedence. Starlet incorrectly prioritizes
| "Content-Length" over "Transfer-Encoding: chunked" when both headers
| are present in an HTTP request. …
The fix is in a quilt patch, which is taken from an upstream commit,
and is already uploaded to unstable.
The commit contains two tests, the actual code changes are small and
well-documented.
Find attached the complete debdiff against the version in trixie.
Thanks in advance,
gregor
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmn7epNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgYYeA/8DP50vKs0vG0vnFkWHNl7MquOyYLiAWgFmQ6IPFsEM2hF63/xCcvmFR/Q
mTrQb9XwL+8Vyavlmh8W7zZp3uZMWmwiNFpPEXTQpZCJOUDdqWW0oH5vBPJEPCpg
LHZSCg2K+TruyfKAWgJCwxXY1vGGiLyokLCO6lBZXNE20dpTJVvZTCPMCk61rW7R
ZzBADwwYe3HhTyt9EDgIOM+2k8IFtuVIpvUH4EiRZCLAf2g1gbnnPoNH2I2kMtzN
otlcXBiZVVjr1CBHdsyxeApiKnb1WE6q9/KOlG96LR0tSFV0XWHYEnhpgUAYQW1t
tF5h2EHv5jWOtmaur8VefS0VIhJT6c1tVH80+doUKG6kUr5BtyT4WUp97HdnTsW3
dQOgJ72wnkO9jOED5MH/jeE/IFr7QHosE6ebofvw+3C+8aG4WcogEFT1k5PiBtR6
kDYeb9NI/o0IKFGF+z5y49gNekJDmswrQVH2eae3BH0KN9T9mTN8Mh7p6LZQm2jm
EqQfC/swb3GC5KXmBU+kVhUOvs1YELSM4PNmia+ms1WsXxY5htlpq+0LL1INUIBp
kq875OJ30GzS0A6nyHkM/LCaFYxGI/3rnXyCROmch61I/u1gsBDjpjlZnEzO7QTB
OMuuoyHdH38pl3++WqZKFks96aXL7W4f7xtDducnjtfqlHsCaTA=
=iCfQ
-----END PGP SIGNATURE-----
-------------- next part --------------
diff -Nru starlet-0.31/debian/changelog starlet-0.31/debian/changelog
--- starlet-0.31/debian/changelog 2022-06-29 00:47:29.000000000 +0200
+++ starlet-0.31/debian/changelog 2026-05-06 17:21:29.000000000 +0200
@@ -1,3 +1,10 @@
+starlet (0.31-2+deb13u1) trixie; urgency=medium
+
+ * Add patch from upstream Git to prevent HTTP Smuggling.
+ Fixes CVE-2026-40561. (Closes: #1135584)
+
+ -- gregor herrmann <gregoa at debian.org> Wed, 06 May 2026 17:21:29 +0200
+
starlet (0.31-2) unstable; urgency=medium
[ Salvatore Bonaccorso ]
diff -Nru starlet-0.31/debian/patches/0001-Prevent-HTTP-Smuggling.patch starlet-0.31/debian/patches/0001-Prevent-HTTP-Smuggling.patch
--- starlet-0.31/debian/patches/0001-Prevent-HTTP-Smuggling.patch 1970-01-01 01:00:00.000000000 +0100
+++ starlet-0.31/debian/patches/0001-Prevent-HTTP-Smuggling.patch 2026-05-06 17:21:29.000000000 +0200
@@ -0,0 +1,185 @@
+From a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0 Mon Sep 17 00:00:00 2001
+From: Tokuhiro Matsuno <tokuhirom at gmail.com>
+Date: Tue, 19 Nov 2019 19:19:17 +0900
+Subject: [PATCH] Prevent HTTP Smuggling.
+
+- Deny request contains both `transfer-encoding` and `content-length`
+ headers.
+- Deny request contains non-digits in `content-length` header.
+
+
+Bugs-Debian: https://bugs.debian.org/1135584
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40561
+
+---
+ lib/Starlet/Server.pm | 15 +++++
+ ...ing-content-length-and-transfer-encoding.t | 59 +++++++++++++++++++
+ ...smuggling-multiple-content-length-header.t | 57 ++++++++++++++++++
+ 3 files changed, 131 insertions(+)
+ create mode 100644 t/15smuggling-content-length-and-transfer-encoding.t
+ create mode 100644 t/16smuggling-multiple-content-length-header.t
+
+diff --git a/lib/Starlet/Server.pm b/lib/Starlet/Server.pm
+index 0513a42..d68d02a 100644
+--- a/lib/Starlet/Server.pm
++++ b/lib/Starlet/Server.pm
+@@ -296,6 +296,17 @@ sub handle_connection {
+ $buf = substr $buf, $reqlen;
+ my $chunked = do { no warnings; lc delete $env->{HTTP_TRANSFER_ENCODING} eq 'chunked' };
+
++ # If a message is received with both a Transfer-Encoding and a
++ # Content-Length header field, the Transfer-Encoding overrides the
++ # Content-Length. Such a message might indicate an attempt to
++ # perform request smuggling (Section 9.5) or response splitting
++ # (Section 9.4) and ought to be handled as an error. A sender MUST
++ # remove the received Content-Length field prior to forwarding such
++ # a message downstream.
++ if ($chunked && $env->{CONTENT_LENGTH}) {
++ last; # Return bad response.
++ }
++
+ if ( $env->{HTTP_EXPECT} ) {
+ if ( lc $env->{HTTP_EXPECT} eq '100-continue' ) {
+ $self->write_all($conn, "HTTP/1.1 100 Continue\015\012\015\012")
+@@ -307,6 +318,10 @@ sub handle_connection {
+ }
+
+ if (my $cl = $env->{CONTENT_LENGTH}) {
++ if ($cl !~ /^[0-9]+$/) { # content-length header must be digits.
++ last; # Return bad response
++ }
++
+ my $buffer = Plack::TempBuffer->new($cl);
+ while ($cl > 0) {
+ my $chunk;
+diff --git a/t/15smuggling-content-length-and-transfer-encoding.t b/t/15smuggling-content-length-and-transfer-encoding.t
+new file mode 100644
+index 0000000..c6a0645
+--- /dev/null
++++ b/t/15smuggling-content-length-and-transfer-encoding.t
+@@ -0,0 +1,59 @@
++use strict;
++use Test::TCP;
++use Plack::Test;
++use HTTP::Request;
++use HTTP::Message::PSGI;
++use Test::More;
++use Digest::MD5;
++use Plack::Test::Server;
++use Test::TCP;
++use IO::Socket::INET;
++
++$ENV{PLACK_SERVER} = 'Starlet';
++
++my $app = sub {
++ my $env = shift;
++ my $body;
++ my $clen = $env->{CONTENT_LENGTH};
++ while ($clen > 0) {
++ $env->{'psgi.input'}->read(my $buf, $clen) or last;
++ $clen -= length $buf;
++ $body .= $buf;
++ }
++ return [ 200, [ 'Content-Type', 'text/plain', 'X-Content-Length', $env->{CONTENT_LENGTH} ], [ $body ] ];
++};
++
++my $server = Test::TCP->new(
++ code => sub {
++ my $sock_or_port = shift;
++ my $server = Plack::Loader->auto(
++ port => $sock_or_port,
++ host => '127.0.0.1'
++ );
++ $server->run($app);
++ exit;
++ },
++);
++
++my $sock = IO::Socket::INET->new(
++ PeerAddr => '127.0.0.1',
++ PeerPort => $server->port,
++ Proto => 'tcp',
++);
++
++print {$sock} (
++ "GET / HTTP/1.1\015\012"
++ . "content-length: 3\015\012"
++ . "Transfer-Encoding: chunked\015\012"
++ . "connection: close\015\012"
++ . "\015\012"
++ . "8\015\012"
++ . "SMUGGLED\015\012"
++ . "0\015\012"
++);
++
++my $res_str = do { local $/; <$sock> };
++my ($status_line, ) = split /\015\012/, $res_str;
++is $status_line, 'HTTP/1.1 400 Bad Request';
++
++done_testing;
+diff --git a/t/16smuggling-multiple-content-length-header.t b/t/16smuggling-multiple-content-length-header.t
+new file mode 100644
+index 0000000..55e69db
+--- /dev/null
++++ b/t/16smuggling-multiple-content-length-header.t
+@@ -0,0 +1,57 @@
++use strict;
++use Test::TCP;
++use Plack::Test;
++use HTTP::Request;
++use HTTP::Message::PSGI;
++use Test::More;
++use Digest::MD5;
++use Plack::Test::Server;
++use Test::TCP;
++use IO::Socket::INET;
++
++$ENV{PLACK_SERVER} = 'Starlet';
++
++my $app = sub {
++ my $env = shift;
++ my $body;
++ my $clen = $env->{CONTENT_LENGTH};
++ while ($clen > 0) {
++ $env->{'psgi.input'}->read(my $buf, $clen) or last;
++ $clen -= length $buf;
++ $body .= $buf;
++ }
++ return [ 200, [ 'Content-Type', 'text/plain', 'X-Content-Length', $env->{CONTENT_LENGTH} ], [ $body ] ];
++};
++
++my $server = Test::TCP->new(
++ code => sub {
++ my $sock_or_port = shift;
++ my $server = Plack::Loader->auto(
++ port => $sock_or_port,
++ host => '127.0.0.1'
++ );
++ $server->run($app);
++ exit;
++ },
++);
++
++my $sock = IO::Socket::INET->new(
++ PeerAddr => '127.0.0.1',
++ PeerPort => $server->port,
++ Proto => 'tcp',
++);
++
++print {$sock} (
++ "GET / HTTP/1.1\015\012"
++ . "content-length: 3\015\012"
++ . "content-length: 9\015\012"
++ . "connection: close\015\012"
++ . "\015\012"
++ . "123456789"
++);
++
++my $res_str = do { local $/; <$sock> };
++my ($status_line, ) = split /\015\012/, $res_str;
++is $status_line, 'HTTP/1.1 400 Bad Request';
++
++done_testing;
+--
+2.53.0
+
diff -Nru starlet-0.31/debian/patches/series starlet-0.31/debian/patches/series
--- starlet-0.31/debian/patches/series 2022-06-29 00:47:29.000000000 +0200
+++ starlet-0.31/debian/patches/series 2026-05-06 17:21:29.000000000 +0200
@@ -1 +1,2 @@
calculate-baybridge.jpg.patch
+0001-Prevent-HTTP-Smuggling.patch
More information about the pkg-perl-maintainers
mailing list