[R-pkg-team] Bug#1121384: trixie-pu: package r-cran-gh/1.4.1-1+deb13u1

Daniel Leidert dleidert at debian.org
Tue Nov 25 17:41:52 GMT 2025 

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: r-cran-gh at packages.debian.org
Control: affects -1 + src:r-cran-gh
User: release.debian.org at packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]

The package is affected by CVE-2025-54956. The HTTP response is delivered in a
data structure that includes the Authorization header from the corresponding
HTTP request. This upload fixes this issue.

[ Impact ]

If not approved, users contionue to be vulnerable to CVE-2025-54956.

[ Tests ]

The testsuite runs successful. I had to run it manually, though, due to
#1121090. A few tests have been adjusted by upstream to the new behavior. Their
successful execution is an indication that the changed code works and nothing
has been broken.

[ Risks ]

The main risks are regressions or breakages. But the test suite runs successful
and the code changes are not too complicated.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The changes remove the request headers that were originally stored in the
response object. Instead, the sensitive information is passed explicitely.

[ Other info ]

n/a

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmkl6l8ACgkQS80FZ8KW
0F3arxAAl5VOQZVY+v8RLZJhiK89aA22AZyrVmVpnmfmuiONVC3AmEw6AWsT87K4
m4ZdMGz4x31UIUg9GhsWQdd1nSVnQZIKFq36UPRZbNvCxTaa6Vx+sE8+bSgZEvpE
jQJ2kQd2ai5OR2Gbojl3xbWYvQ8oK+mnof+P8T/Lt3vMK9Tdhq3uxJ3GrTFlzPz4
gzrutCqvJvbrId4LmsyyNv4S4xKy/q0xsnXmOD/IzcNY0cCr6l2NQjRIvz0w4jfb
6jZZrgccCDEkwx5H/ja9xTBhB8Fm0mw7TGyAjgXTHKScJk71oYr2bPJxbRgNqnL9
yL57LfLqY9DLAtP1ABQYhGPGaLyji8KcAOx0ErjZ/eZcGfvosP2rX4stgT+PCVIe
mEtppajWYSUHqT43UjYC9Fda0qLnCpiE/cTz1KdurUXx4wkcG6FggtizXLMzUdTP
R2V+F8ds6nWA/F0780YNcAyutzEDZ5K78gD3Xs9dDPL3M7pTeMXDYjudzP2Zf3Qp
vp7UGHw59/cmS9I5NDKD+wRcDvFBj7U2j8GjjNlfJ+eOBDU0VwsiRK6EkDFUAX1l
at1U8jD+7LrsSx8VtYFrDbktf1nRlakTTZvSXLrzuP2k2Op0ETioXl6+CcVPGp1+
4QZIQOa6iBOaD2abaFGZYAMiFyI7bG19630qtzlaSAICD+vrvSA=
=Vy2H
-----END PGP SIGNATURE-----
-------------- next part --------------
diff -Nru r-cran-gh-1.4.1/debian/changelog r-cran-gh-1.4.1/debian/changelog
--- r-cran-gh-1.4.1/debian/changelog	2024-06-10 01:58:24.000000000 +0200
+++ r-cran-gh-1.4.1/debian/changelog	2025-11-25 06:44:32.000000000 +0100
@@ -1,3 +1,13 @@
+r-cran-gh (1.4.1-1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS team.
+  * d/patches/CVE-2025-54956.patch: Add patch to fix CVE-2025-54956.
+    - The HTTP response is delivered in a data structure that
+      includes the Authorization header from the corresponding HTTP
+      request (closes: #1110481).
+
+ -- Daniel Leidert <dleidert at debian.org>  Tue, 25 Nov 2025 06:44:32 +0100
+
 r-cran-gh (1.4.1-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru r-cran-gh-1.4.1/debian/gbp.conf r-cran-gh-1.4.1/debian/gbp.conf
--- r-cran-gh-1.4.1/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ r-cran-gh-1.4.1/debian/gbp.conf	2025-11-25 06:44:32.000000000 +0100
@@ -0,0 +1,4 @@
+[DEFAULT]
+debian-branch = debian/trixie
+upstream-branch = upstream
+pristine-tar = True
diff -Nru r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch
--- r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch	1970-01-01 01:00:00.000000000 +0100
+++ r-cran-gh-1.4.1/debian/patches/CVE-2025-54956.patch	2025-11-25 06:44:32.000000000 +0100
@@ -0,0 +1,189 @@
+From: =?UTF-8?q?G=C3=A1bor=20Cs=C3=A1rdi?= <csardi.gabor at gmail.com>
+Date: Mon, 26 May 2025 09:36:45 +0200
+Subject: [PATCH] Do not save request headers in the return value
+
+Closes #222.
+
+Reviewed-By: Daniel Leidert <dleidert at debian.org>
+Origin: https://github.com/r-lib/gh/commit/b575d488c71318449cc6c8c989c617db29275848
+Bug: https://github.com/r-lib/gh/issues/222
+Bug-Debian: https://bugs.debian.org/1110481
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-54956
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-54956
+---
+ R/gh.R                            |  2 +-
+ R/gh_response.R                   | 10 +++++-----
+ R/pagination.R                    | 26 +++++++++++++++++++-------
+ man/gh_next.Rd                    | 15 +++++++++++----
+ tests/testthat/test-gh_response.R |  4 ----
+ tests/testthat/test-pagination.R  |  2 +-
+ 6 files changed, 37 insertions(+), 22 deletions(-)
+
+diff --git a/R/gh.R b/R/gh.R
+index af46a20..b449f1b 100644
+--- a/R/gh.R
++++ b/R/gh.R
+@@ -216,7 +216,7 @@ gh <- function(endpoint,
+   }
+ 
+   while (!is.null(.limit) && len < .limit && gh_has_next(res)) {
+-    res2 <- gh_next(res)
++    res2 <- gh_next(res, .token = .token, .send_headers = .send_headers)
+     len <- len + gh_response_length(res2)
+     if (.progress) cli::cli_progress_update()
+ 
+diff --git a/R/gh_response.R b/R/gh_response.R
+index 7943f1b..9763d0f 100644
+--- a/R/gh_response.R
++++ b/R/gh_response.R
+@@ -27,11 +27,7 @@ gh_process_response <- function(resp, gh_req) {
+   }
+ 
+   attr(res, "response") <- httr2::resp_headers(resp)
+-  attr(res, "request") <- gh_req
+-
+-  # for backward compatibility
+-  attr(res, "method") <- resp$method
+-  attr(res, ".send_headers") <- httr2::last_request()$headers
++  attr(res, "request") <- remove_headers(gh_req)
+ 
+   if (is_ondisk) {
+     class(res) <- c("gh_response", "path")
+@@ -42,3 +38,7 @@ gh_process_response <- function(resp, gh_req) {
+   }
+   res
+ }
++
++remove_headers <- function(x) {
++  x[names(x) != "headers"]
++}
+diff --git a/R/pagination.R b/R/pagination.R
+index cb2c02b..c98289f 100644
+--- a/R/pagination.R
++++ b/R/pagination.R
+@@ -33,7 +33,7 @@ gh_has_next <- function(gh_response) {
+   gh_has(gh_response, "next")
+ }
+ 
+-gh_link_request <- function(gh_response, link) {
++gh_link_request <- function(gh_response, link, .token, .send_headers) {
+   stopifnot(inherits(gh_response, "gh_response"))
+ 
+   url <- extract_link(gh_response, link)
+@@ -44,11 +44,14 @@ gh_link_request <- function(gh_response, link) {
+   req$query <- purl$query
+   purl$query <- NULL
+   req$url <- httr2::url_build(purl)
++  req$token <- .token
++  req$send_headers <- .send_headers
++  req <- gh_set_headers(req)
+   req
+ }
+ 
+-gh_link <- function(gh_response, link) {
+-  req <- gh_link_request(gh_response, link)
++gh_link <- function(gh_response, link, .token, .send_headers) {
++  req <- gh_link_request(gh_response, link, .token, .send_headers)
+   raw <- gh_make_request(req)
+   gh_process_response(raw, req)
+ }
+@@ -71,6 +74,7 @@ gh_extract_pages <- function(gh_response) {
+ #' If the requested page does not exist, an error is thrown.
+ #'
+ #' @param gh_response An object returned by a [gh()] call.
++#' @inheritParams gh
+ #' @return Answer from the API.
+ #'
+ #' @seealso The `.limit` argument to [gh()] supports fetching more than
+@@ -83,19 +87,27 @@ gh_extract_pages <- function(gh_response) {
+ #' vapply(x, "[[", character(1), "login")
+ #' x2 <- gh_next(x)
+ #' vapply(x2, "[[", character(1), "login")
+-gh_next <- function(gh_response) gh_link(gh_response, "next")
++gh_next <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "next", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_prev <- function(gh_response) gh_link(gh_response, "prev")
++gh_prev <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "prev", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_first <- function(gh_response) gh_link(gh_response, "first")
++gh_first <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "first", .token = .token, .send_headers = .send_headers)
++}
+ 
+ #' @name gh_next
+ #' @export
+ 
+-gh_last <- function(gh_response) gh_link(gh_response, "last")
++gh_last <- function(gh_response, .token = NULL, .send_headers = NULL) {
++  gh_link(gh_response, "last", .token = .token, .send_headers = .send_headers)
++}
+diff --git a/man/gh_next.Rd b/man/gh_next.Rd
+index 4c4b493..a79cd3a 100644
+--- a/man/gh_next.Rd
++++ b/man/gh_next.Rd
+@@ -7,16 +7,23 @@
+ \alias{gh_last}
+ \title{Get the next, previous, first or last page of results}
+ \usage{
+-gh_next(gh_response)
++gh_next(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_prev(gh_response)
++gh_prev(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_first(gh_response)
++gh_first(gh_response, .token = NULL, .send_headers = NULL)
+ 
+-gh_last(gh_response)
++gh_last(gh_response, .token = NULL, .send_headers = NULL)
+ }
+ \arguments{
+ \item{gh_response}{An object returned by a \code{\link[=gh]{gh()}} call.}
++
++\item{.token}{Authentication token. Defaults to \code{\link[=gh_token]{gh_token()}}.}
++
++\item{.send_headers}{Named character vector of header field values
++(except \code{Authorization}, which is handled via \code{.token}). This can be
++used to override or augment the default \code{User-Agent} header:
++\code{"https://github.com/r-lib/gh"}.}
+ }
+ \value{
+ Answer from the API.
+diff --git a/tests/testthat/test-gh_response.R b/tests/testthat/test-gh_response.R
+index 6ae8c0d..84ea037 100644
+--- a/tests/testthat/test-gh_response.R
++++ b/tests/testthat/test-gh_response.R
+@@ -64,10 +64,6 @@ test_that("captures details to recreate request", {
+   expect_type(req, "list")
+   expect_equal(req$url, "https://api.github.com/orgs/r-lib/repos")
+   expect_equal(req$query, list(per_page = 1))
+-
+-  # For backwards compatibility
+-  expect_equal(attr(res, "method"), "GET")
+-  expect_type(attr(res, ".send_headers"), "list")
+ })
+ 
+ test_that("output file is not overwritten on error", {
+diff --git a/tests/testthat/test-pagination.R b/tests/testthat/test-pagination.R
+index bc5e912..c693351 100644
+--- a/tests/testthat/test-pagination.R
++++ b/tests/testthat/test-pagination.R
+@@ -22,7 +22,7 @@ test_that("paginated request gets max_wait and max_rate", {
+   skip_on_cran()
+   gh <- gh("/orgs/tidyverse/repos", per_page = 5, .max_wait = 1, .max_rate = 10)
+ 
+-  req <- gh_link_request(gh, "next")
++  req <- gh_link_request(gh, "next", .token = NULL, .send_headers = NULL)
+   expect_equal(req$max_wait, 1)
+   expect_equal(req$max_rate, 10)
+ 
diff -Nru r-cran-gh-1.4.1/debian/patches/series r-cran-gh-1.4.1/debian/patches/series
--- r-cran-gh-1.4.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ r-cran-gh-1.4.1/debian/patches/series	2025-11-25 06:44:32.000000000 +0100
@@ -0,0 +1 @@
+CVE-2025-54956.patch

More information about the R-pkg-team mailing list