From f4bdf06ef916802085f4eae78a91a6a866b02173 Mon Sep 17 00:00:00 2001
From: zppzhangpan
Date: Wed, 28 May 2025 19:20:32 +0800
Subject: [PATCH] fix CVE-2025-4476 CVE-2025-4948 CVE-2025-4969
---
backport-CVE-2025-4476.patch | 37 ++++++++++++++
backport-CVE-2025-4948.patch | 98 ++++++++++++++++++++++++++++++++++++
backport-CVE-2025-4969.patch | 82 ++++++++++++++++++++++++++++++
libsoup.spec | 11 +++-
4 files changed, 227 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2025-4476.patch
create mode 100644 backport-CVE-2025-4948.patch
create mode 100644 backport-CVE-2025-4969.patch
diff --git a/backport-CVE-2025-4476.patch b/backport-CVE-2025-4476.patch
new file mode 100644
index 0000000..9bdb988
--- /dev/null
+++ b/backport-CVE-2025-4476.patch
@@ -0,0 +1,37 @@
+From e64c221f9c7d09b48b610c5626b3b8c400f0907c Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Thu, 8 May 2025 09:27:01 -0500
+Subject: [PATCH] auth-digest: fix crash in
+ soup_auth_digest_get_protection_space()
+
+We need to validate the Domain parameter in the WWW-Authenticate header.
+
+Unfortunately this crash only occurs when listening on default ports 80
+and 443, so there's no good way to test for this. The test would require
+running as root.
+
+Fixes #440
+
+Conflict: Context Adaptation and g_uri_get_host (uri)->uri->host,g_uri_get_host (source_uri)->source_uri->host and Modify file path adaptation:libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c
+
+---
+ libsoup/soup-auth-digest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 318ebe2..efc84e9 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -213,7 +213,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, SoupURI *source_uri)
+ uri = soup_uri_new (d);
+ if (uri && uri->scheme == source_uri->scheme &&
+ uri->port == source_uri->port &&
+- !strcmp (uri->host, source_uri->host))
++ !g_strcmp0 (uri->host, source_uri->host))
+ dir = g_strdup (uri->path);
+ else
+ dir = NULL;
+--
+2.27.0
+
diff --git a/backport-CVE-2025-4948.patch b/backport-CVE-2025-4948.patch
new file mode 100644
index 0000000..a36d311
--- /dev/null
+++ b/backport-CVE-2025-4948.patch
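Review bot: In the soup_auth_digest_get_protection_space() hunk carried by backport-CVE-2025-4476.patch, `g_strcmp0` returns 0 when both arguments are NULL, so a domain entry whose parsed URI has no host would still be treated as matching if `source_uri->host` were NULL as well. That case is probably unreachable, since source_uri is presumably the request URI, but the intent that a missing host never matches would be explicit with `uri->host && !g_strcmp0 (uri->host, source_uri->host))`. A one-line comment such as `/* uri->host may be NULL when the domain value has no authority part */` would also record why the NULL-safe compare is needed. The function body starts and ends outside the hunk.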
@@ -0,0 +1,98 @@
+From 66521f00e9f87f709d8ad9138f19052db933cf06 Mon Sep 17 00:00:00 2001
+From: Milan Crha
+Date: Thu, 15 May 2025 17:49:11 +0200
+Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body
+
+It could happen that the boundary started at a place which resulted into
+a negative number, which in an unsigned integer is a very large value.
+Check the body size is not a negative value before setting it.
+
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
+
+Conflict: Context Adaptation and Test Case Adaptation
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/66521f00e9f87f709d8ad9138f19052db933cf06
+
+---
+ libsoup/soup-multipart.c | 2 +-
+ tests/multipart-test.c | 45 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index dd93973..ce2fc10 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ */
+ part_body = soup_buffer_new_subbuffer (flattened,
+ split - flattened->data,
+- end - 2 - split);
++ end - 2 >= split ? end - 2 - split : 0);
+ g_ptr_array_add (multipart->bodies, part_body);
+
+ start = end;
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 07f0b2b..c3705bf 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -540,6 +540,50 @@ test_multipart_bounds_bad (void)
+ soup_buffer_free (part_body);
+ }
+
++static void
++test_multipart_too_large (void)
++{
++ const char *raw_body =
++ "-------------------\r\n"
++ "-\n"
++ "Cont\"\r\n"
++ "Content-Tynt----e:n\x8erQK\r\n"
++ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n"
++ "Content-Typimag\x01/png--\\\n"
++ "\r\n"
++ "---:\n\r\n"
++ "\r\n"
++ "-------------------------------------\r\n"
++ "---------\r\n"
++ "----------------------";
++ GBytes *body;
++ GHashTable *params;
++ SoupMessageHeaders *headers;
++ SoupMultipart *multipart;
++
++ params = g_hash_table_new (g_str_hash, g_str_equal);
++ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------");
++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++ soup_message_headers_set_content_type (headers, "multipart/form-data", params);
++ g_hash_table_unref (params);
++
++ body = g_bytes_new_static (raw_body, strlen (raw_body));
++ SoupMessageBody *message_body = soup_message_body_new ();
++ SoupBuffer *part_body = soup_buffer_new (SOUP_MEMORY_COPY, raw_body, strlen(raw_body));
++ soup_message_body_append_buffer (message_body, part_body);
++ multipart = soup_multipart_new_from_message (headers, message_body);
++ soup_message_headers_free (headers);
++ g_bytes_unref (body);
++
++ g_assert_nonnull (multipart);
++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
++ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body));
++ g_assert_cmpint (g_bytes_get_size (body), ==, 0);
++ soup_multipart_free (multipart);
++ soup_message_body_free (message_body);
++ soup_buffer_free (part_body);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -571,6 +615,7 @@ main (int argc, char **argv)
+ g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
+ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
++ g_test_add_func ("/multipart/too-large", test_multipart_too_large);
+
+ ret = g_test_run ();
+
+--
+2.33.0
+
diff --git a/backport-CVE-2025-4969.patch b/backport-CVE-2025-4969.patch
new file mode 100644
index 0000000..35f1dcf
--- /dev/null
+++ b/backport-CVE-2025-4969.patch
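Review bot: In the adapted test_multipart_too_large() of backport-CVE-2025-4948.patch, `body` is declared `GBytes *` yet is passed as the fourth argument of soup_multipart_get_part() and then to g_bytes_get_size(). In the libsoup 2.x API this backport targets (the same test builds its input with SoupBuffer and SoupMessageBody) that out-parameter is a `SoupBuffer **`, so the size assertion would interpret a SoupBuffer as a GBytes. Declare a separate `SoupBuffer *out_body;`, pass `&out_body`, and check `g_assert_cmpint (out_body->length, ==, 0);`; the `g_bytes_new_static()`/`g_bytes_unref()` pair then has no remaining use and can be dropped. In soup_multipart_new_from_message(), whose body lies mostly outside the hunk, a short comment on the clamp saying that a part whose header terminator reaches past `end - 2` yields a zero-length body would make the silent acceptance of such input a documented decision.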
@@ -0,0 +1,82 @@
+From 07b94e27afafebf31ef3cd868866a1e383750086 Mon Sep 17 00:00:00 2001
+From: Milan Crha
+Date: Mon, 19 May 2025 17:48:27 +0200
+Subject: [PATCH] soup-multipart: Verify array bounds before accessing its
+ members
+
+The boundary could be at a place which, calculated, pointed
+before the beginning of the array. Check the bounds, to avoid
+read out of the array bounds.
+
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
+
+Conflict: Test Case Adaptation
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086
+
+---
+ libsoup/soup-multipart.c | 2 +-
+ tests/multipart-test.c | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index ce2fc10..a29cdf0 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -108,7 +108,7 @@ find_boundary (const char *start, const char *end,
+ continue;
+
+ /* Check that it's at start of line */
+- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r')))
++ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r')))
+ continue;
+
+ /* Check for "--" or "\r\n" after boundary */
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index c3705bf..8cb0cbd 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -584,6 +584,33 @@ test_multipart_too_large (void)
+ soup_buffer_free (part_body);
+ }
+
++static void
++test_multipart_bounds_bad_2 (void)
++{
++ SoupMultipart *multipart;
++ SoupMessageHeaders *headers;
++ GBytes *bytes;
++ const char *raw_data = "\n--123\r\nline\r\n--123--\r";
++
++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++ bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++ SoupMessageBody *message_body = soup_message_body_new ();
++ SoupBuffer *part_body = soup_buffer_new (SOUP_MEMORY_COPY, raw_data, strlen(raw_data));
++ soup_message_body_append_buffer (message_body, part_body);
++ multipart = soup_multipart_new_from_message (headers, message_body);
++
++ g_assert_nonnull (multipart);
++
++ soup_multipart_free (multipart);
++ soup_message_headers_free (headers);
++ g_bytes_unref (bytes);
++ soup_message_body_free (message_body);
++ soup_buffer_free (part_body);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -616,6 +643,7 @@ main (int argc, char **argv)
+ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
+ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+ g_test_add_func ("/multipart/too-large", test_multipart_too_large);
++ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2);
+
+ ret = g_test_run ();
+
+--
+2.33.0
+
diff --git a/libsoup.spec b/libsoup.spec
index a021c17..ccc19e6 100644
--- a/libsoup.spec
+++ b/libsoup.spec
@@ -2,7 +2,7 @@ Name: libsoup Version: 2.74.3 -Release: 9 +Release: 10 Summary: An HTTP library implementation License: LGPL-2.0-only URL: https://wiki.gnome.org/Projects/libsoup
@@ -37,6 +37,9 @@ Patch6025: backport-CVE-2025-32914.patch Patch6026: backport-CVE-2025-32907.patch Patch6027: backport-CVE-2025-46420.patch Patch6028: backport-CVE-2025-46421.patch +Patch6029: backport-CVE-2025-4476.patch +Patch6030: backport-CVE-2025-4948.patch +Patch6031: backport-CVE-2025-4969.patch BuildRequires: meson >= 0.50 BuildRequires: pkgconfig(gio-2.0) >= 2.58
@@ -110,6 +113,12 @@ sed -i 's/idm[0-9]\{5,32\}/idm12345678912345/g' %{buildroot}%{_datadir}/gtk-doc/ %{_datadir}/gtk-doc/html/libsoup-2.4 %changelog +* Thu May 29 2025 zhangpan - 2.74.3-10 +- Type:cves +- ID:CVE-2025-4476 CVE-2025-4948 CVE-2025-4969 +- SUG:NA +- DESC:fix CVE-2025-4476 CVE-2025-4948 CVE-2025-4969 + * Tue Apr 29 2025 zhangpan - 2.74.3-9 - Type:cves - ID:CVE-2025-46420 CVE-2025-46421 -- Gitee
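Review bot: test_multipart_bounds_bad_2() in backport-CVE-2025-4969.patch asserts only that the parser returns non-NULL, so it will most likely pass with or without the new `b - start >= 2` guard in find_boundary() unless the suite runs under AddressSanitizer or valgrind; the read of `b[-2]` one byte before the buffer does not by itself change the result. A comment above the test would make that dependency visible, for example `/* Only meaningful under ASan/valgrind: the first "--123" starts one byte into the buffer */`. The adapted test also creates and unrefs `bytes` without ever handing it to soup_multipart_new_from_message(), which takes the SoupMessageBody here, so the `GBytes *bytes` variable and its two calls can be removed.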