[R-pkg-team] Bug#1121357: bookworm-pu: package r-cran-gh/1.4.0-1+deb12u1

Daniel Leidert dleidert at debian.org
Tue Nov 25 05:10:50 GMT 2025 

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: r-cran-gh at packages.debian.org
Control: affects -1 + src:r-cran-gh
User: release.debian.org at packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]

The package is affected by CVE-2025-54956. The HTTP response is delivered in a
data structure that includes the Authorization header from the corresponding
HTTP request. This upload fixes this issue.

[ Impact ]

If not approved, users contionue to be vulnerable to CVE-2025-54956.

[ Tests ]

The testsuite runs successful. A few tests have been adjusted to the new
behavior. Their success is an indication that the changed code works and
nothing has been broken.

[ Risks ]

The main risks are regressions or breakages. But the test suite runs successful
and the code changes are not too complicated.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The changes remove the request headers that were originally stored in the
response object. Instead, the sensitive information is passed explicitely.

[ Other info ]

n/a


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmklOloACgkQS80FZ8KW
0F1lbA//TBCtauvVgXB4O42PHh1mPNjAvEEQ9AHk4U/rwqq1+DsZ0JitZw2eZYcM
igXbj2RRDOSaSu6aWXPqf33/YFM3VgRQHuDplJei7iOzHnTKllDI4lqK1B/19lPQ
kMm9F8yC+YOXgWYTICoypXZBjgBUaPMiRW/HmSvCCSIeaqIzkAzZkMTym+lu4UMn
PHCEWdYmN6eJTKo949H2iI3CrRP8Ma884HLfXDWo43v2NQaHV1LvP/aFxSfgsDs3
YtnI/DnBpAHjABIngRVirEy71Ifhwwbn7zL3MxvcpJoj9cHd0pDqd+Awt7Q25Mkr
JFy9VBO/N43BOjnvR8tU/36ssDUReQnwnz/B1BzpPzQfmOy0eOFX7bYDOQMdURkJ
VSkghYQtqfYzAIrjCOR6wpLnAJJ/+WbICBB4CxTcrw71q9szSuQG0Cp1OnNyWWVg
LTtTUOFBAEEPlKGdglk/xvG7PinHLne8sIhpj5/QqbHcOSuJiDaPHv20KeSRrVBz
HgS90sujXHXywsQuMBQrtplsLU/ZWdcU2wxwn3a+hMWsTLFyc/A5+grNN360X/Iu
feYBMsD4IshsctsI7RLJv0PPxWZ5YKwFGU+BifCDpWZZ6OT6oDgjCU51H9Oe4EHH
OZOzSkRSqHRCcvAvAAviw8rGY00K0gBCL/ve+yXv5PhYQnF9THk=
=BFsX
-----END PGP SIGNATURE-----
-------------- next part --------------
diff -Nru r-cran-gh-1.4.0/debian/changelog r-cran-gh-1.4.0/debian/changelog
--- r-cran-gh-1.4.0/debian/changelog	2023-02-26 10:24:41.000000000 +0100
+++ r-cran-gh-1.4.0/debian/changelog	2025-11-25 05:48:19.000000000 +0100
@@ -1,3 +1,13 @@
+r-cran-gh (1.4.0-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS team.
+  * d/patches/CVE-2025-54956.patch: Add patch to fix CVE-2025-54956.
+    - The HTTP response is delivered in a data structure that
+      includes the Authorization header from the corresponding HTTP
+      request (closes: #1110481).
+
+ -- Daniel Leidert <dleidert at debian.org>  Tue, 25 Nov 2025 05:48:19 +0100
+
 r-cran-gh (1.4.0-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru r-cran-gh-1.4.0/debian/gbp.conf r-cran-gh-1.4.0/debian/gbp.conf
--- r-cran-gh-1.4.0/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ r-cran-gh-1.4.0/debian/gbp.conf	2025-11-25 05:48:19.000000000 +0100
@@ -0,0 +1,4 @@
+[DEFAULT]
+debian-branch = debian/bookworm
+upstream-branch = upstream
+pristine-tar = True
diff -Nru r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch
--- r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch	1970-01-01 01:00:00.000000000 +0100
+++ r-cran-gh-1.4.0/debian/patches/CVE-2025-54956.patch.patch	2025-11-25 05:48:19.000000000 +0100
@@ -0,0 +1,190 @@
+From: =?UTF-8?q?G=C3=A1bor=20Cs=C3=A1rdi?= <csardi.gabor at gmail.com>
+Date: Mon, 26 May 2025 09:36:45 +0200
+Subject: [PATCH] Do not save request headers in the return value
+
+Closes #222.
+
+Reviewed-By: Daniel Leidert <dleidert at debian.org>
+Origin: https://github.com/r-lib/gh/commit/b575d488c71318449cc6c8c989c617db29275848
+Bug: https://github.com/r-lib/gh/issues/222
+Bug-Debian: https://bugs.debian.org/1110481
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-54956
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-54956
+---
+ R/gh.R                            |  2 +-
+ R/gh_response.R                   | 10 +++++-----
+ R/pagination.R                    | 26 +++++++++++++++++++-------
+ man/gh_next.Rd                    | 15 +++++++++++----
+ tests/testthat/test-gh_response.R |  4 ----
+ tests/testthat/test-pagination.R  |  2 +-
+ 6 files changed, 37 insertions(+), 22 deletions(-)
+
+diff --git a/R/gh.R b/R/gh.R
+index 3a4d2d7..313eda9 100644
+--- a/R/gh.R
++++ b/R/gh.R
+@@ -196,7 +196,7 @@ gh <- function(endpoint,
+ 
+   while (!is.null(.limit) && len < .limit && gh_has_next(res)) {
+     if (.progress) update_progress_bar(prbr, res)
+-    res2 <- gh_next(res)
++    res2 <- gh_next(res, .token = .token, .send_headers = .send_headers)
+ 
+     if (!is.null(names(res2)) && identical(names(res), names(res2))) {
+       res3 <- mapply( # Handle named array case
+diff --git a/R/gh_response.R b/R/gh_response.R
+index 4ded3a7..65c24f8 100644
+--- a/R/gh_response.R
++++ b/R/gh_response.R
+@@ -25,11 +25,7 @@ gh_process_response <- function(resp, gh_req) {
+   }
+ 
+   attr(res, "response") <- httr2::resp_headers(resp)
+-  attr(res, "request") <- gh_req
+-
+-  # for backward compatibility
+-  attr(res, "method") <- resp$method
+-  attr(res, ".send_headers") <- httr2::last_request()$headers
++  attr(res, "request") <- remove_headers(gh_req)
+ 
+   if (is_ondisk) {
+     class(res) <- c("gh_response", "path")
+@@ -40,3 +36,7 @@ gh_process_response <- function(resp, gh_req) {
+   }
+   res
+ }
++
++remove_headers <- function(x) {
++  x[names(x) != "headers"]
++}
+diff --git a/R/pagination.R b/R/pagination.R
+index 7fc827e..aaed6fe 100644
+--- a/R/pagination.R
++++ b/R/pagination.R
+@@ -33,7 +33,7 @@ gh_has_next <- function(gh_response) {
+   gh_has(gh_response, "next")
+ }
+ 
+-gh_link_request <- function(gh_response, link) {
++gh_link_request <- function(gh_response, link, .token, .send_headers) {
+   stopifnot(inherits(gh_response, "gh_response"))
+ 
+   url <- extract_link(gh_response, link)
+@@ -41,11 +41,14 @@ gh_link_request <- function(gh_response, link) {
+ 
+   req <- attr(gh_response, "request")
+   req$url <- url
++  req$token <- .token
++  req$send_headers <- .send_headers
++  req <- gh_set_headers(req)
+   req
+ }
+ 
+-gh_link <- function(gh_response, link) {
+-  req <- gh_link_request(gh_response, link)
++gh_link <- function(gh_response, link, .token, .send_headers) {
++  req <- gh_link_request(gh_response, link, .token, .send_headers)
+   raw <- gh_make_request(req)
+   gh_process_response(raw, req)
+ }
+@@ -68,6 +71,7 @@ gh_extract_pages <- function(gh_response) {
+ #' If the requested page does not exist, an error is thrown.
+ #'
+ #' @param gh_response An object returned by a [gh()] call.
++#' @inheritParams gh
+ #' @return Answer from the API.
+ #'
+ #' @seealso The `.limit` argument to [gh()] supports fetching more than
+@@ -80,22 +84,30 @@ gh_extract_pages <- function(gh_response) {
+ #' vapply(x, "[[", character(1), "login")
+ #' x2 <- gh_next(x)
+ #' vapply(x2, "[[", character(1), "login")
+-gh_next <- function(gh_response) gh_link(gh_response, "next")
++gh_next <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "next", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_prev <- function(gh_response) gh_link(gh_response, "prev")
++gh_prev <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "prev", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_first <- function(gh_response) gh_link(gh_response, "first")
++gh_first <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "first", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_last <- function(gh_response) gh_link(gh_response, "last")
++gh_last <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "last", .token = .token, .send_headers = .send_headers)
++}
+ 
+ make_progress_bar <- function(gh_request) {
+   state <- new.env(parent = emptyenv())
+diff --git a/man/gh_next.Rd b/man/gh_next.Rd
+index 4c4b493..a79cd3a 100644
+--- a/man/gh_next.Rd
++++ b/man/gh_next.Rd
+@@ -7,16 +7,23 @@
+ \alias{gh_last}
+ \title{Get the next, previous, first or last page of results}
+ \usage{
+-gh_next(gh_response)
++gh_next(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_prev(gh_response)
++gh_prev(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_first(gh_response)
++gh_first(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_last(gh_response)
++gh_last(gh_response, .token = NULL, .send_headers = NULL)
+ }
+ \arguments{
+ \item{gh_response}{An object returned by a \code{\link[=gh]{gh()}} call.}
++
++\item{.token}{Authentication token. Defaults to \code{\link[=gh_token]{gh_token()}}.}
++
++\item{.send_headers}{Named character vector of header field values
++(except \code{Authorization}, which is handled via \code{.token}). This can be
++used to override or augment the default \code{User-Agent} header:
++\code{"https://github.com/r-lib/gh"}.}
+ }
+ \value{
+ Answer from the API.
+diff --git a/tests/testthat/test-gh_response.R b/tests/testthat/test-gh_response.R
+index dacaf0a..1aa1aa2 100644
+--- a/tests/testthat/test-gh_response.R
++++ b/tests/testthat/test-gh_response.R
+@@ -62,8 +62,4 @@ test_that("captures details to recreate request", {
+   expect_type(req, "list")
+   expect_equal(req$url, "https://api.github.com/orgs/r-lib/repos")
+   expect_equal(req$query, list(.per_page = 1))
+-
+-  # For backwards compatibility
+-  expect_equal(attr(res, "method"), "GET")
+-  expect_type(attr(res, ".send_headers"), "list")
+ })
+diff --git a/tests/testthat/test-pagination.R b/tests/testthat/test-pagination.R
+index d9f6e7f..a76d5e0 100644
+--- a/tests/testthat/test-pagination.R
++++ b/tests/testthat/test-pagination.R
+@@ -1,7 +1,7 @@
+ test_that("paginated request gets max_wait and max_rate", {
+   gh <- gh("/orgs/tidyverse/repos", per_page = 5, .max_wait = 1, .max_rate = 10)
+ 
+-  req <- gh_link_request(gh, "next")
++  req <- gh_link_request(gh, "next", .token = NULL, .send_headers = NULL)
+   expect_equal(req$max_wait, 1)
+   expect_equal(req$max_rate, 10)
+ 
diff -Nru r-cran-gh-1.4.0/debian/patches/series r-cran-gh-1.4.0/debian/patches/series
--- r-cran-gh-1.4.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ r-cran-gh-1.4.0/debian/patches/series	2025-11-25 05:48:19.000000000 +0100
@@ -0,0 +1 @@
+CVE-2025-54956.patch.patch

More information about the R-pkg-team mailing list