diff --git a/backport-0001-CVE-2024-52532.patch b/backport-0001-CVE-2024-52532.patch
index e8bd4598aa3bc883a5c4faedf95a0529d5b8fff9..a2115c12443411fd36c4eef516e53a8d6353d134 100644
--- a/backport-0001-CVE-2024-52532.patch
+++ b/backport-0001-CVE-2024-52532.patch
@@ -9,26 +9,28 @@ validating the data until the all the data was read.
 Fixes #391
 
 Conflict: context adapt and libsoup/websocket/soup-websocket-connection.c -> libsoup/soup-websocket-connection.c
-Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be
----
- libsoup/soup-websocket-connection.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
-index a4095e1..9d5f4f8 100644
---- a/libsoup/soup-websocket-connection.c
-+++ b/libsoup/soup-websocket-connection.c
-@@ -1140,9 +1140,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
- }
-
- pv->incoming->len = len + count;
-- } while (count > 0);
-
-- process_incoming (self);
-+ process_incoming (self);
-+ } while (count > 0 && !pv->close_sent && !pv->io_closing);
-
- if (end) {
- if (!pv->close_sent || !pv->close_received) {
---
-2.33.0
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be
+
+---
+ libsoup/soup-websocket-connection.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
+index a4095e1..ed54e6b 100644
+--- a/libsoup/soup-websocket-connection.c
++++ b/libsoup/soup-websocket-connection.c
+@@ -1140,9 +1140,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
+ }
+
+ pv->incoming->len = len + count;
+- } while (count > 0);
+
+- process_incoming (self);
++ process_incoming (self);
++ } while (count > 0 && !pv->close_sent && !pv->io_closing);
+
+ if (end) {
+ if (!pv->close_sent || !pv->close_received) {
+--
+2.46.0
+
diff --git a/backport-0001-CVE-2025-32053.patch b/backport-0001-CVE-2025-32053.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fb91212e01cebcc56c2f866b97e7a5e46f9daccf
--- /dev/null
+++ b/backport-0001-CVE-2025-32053.patch
@@ -0,0 +1,38 @@
+From eaed42ca8d40cd9ab63764e3d63641180505f40a Mon Sep 17 00:00:00 2001
+From: Ar Jun
+Date: Mon, 18 Nov 2024 14:59:51 -0600
+Subject: [PATCH] Fix heap buffer overflow in
+ soup-content-sniffer.c:sniff_feed_or_html()
+
+Conflict: Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a
+
+---
+ libsoup/soup-content-sniffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index b62e4888..5a181ff1 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -641,7 +641,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length)
+ (resource[*pos] == '\x0D')) {
+ *pos = *pos + 1;
+
+- if (*pos > resource_length)
++ if (*pos >= resource_length)
+ return TRUE;
+ }
+
+@@ -704,7 +704,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
+ do {
+ pos++;
+
+- if (pos > resource_length)
++ if ((pos + 1) > resource_length)
+ goto text_html;
+ } while (resource[pos] != '>');
+
+--
+GitLab
+
diff --git a/backport-0002-CVE-2024-52532.patch b/backport-0002-CVE-2024-52532.patch
index 5012f06f5c2450636e34f5d89f0da6a40685b672..41520689fc03d4c0ba09e9516df8496e623e7b4e 100644
--- a/backport-0002-CVE-2024-52532.patch
+++ b/backport-0002-CVE-2024-52532.patch
@@ -1,23 +1,24 @@
-From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
-From: Ignacio Casal Quinteiro
-Date: Wed, 2 Oct 2024 11:17:19 +0200
-Subject: [PATCH] websocket-test: disconnect error copy after the test ends
-
-Otherwise the server will have already sent a few more wrong
-bytes and the client will continue getting errors to copy
-but the error is already != NULL and it will assert
-
-Conflict: NA
+From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro
+Date: Wed, 2 Oct 2024 11:17:19 +0200
+Subject: [PATCH] websocket-test: disconnect error copy after the test ends
+
+Otherwise the server will have already sent a few more wrong
+bytes and the client will continue getting errors to copy
+but the error is already != NULL and it will assert
+
+Conflict: NA
 Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c
+
 ---
 tests/websocket-test.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/tests/websocket-test.c b/tests/websocket-test.c
-index 06c443bb5..6a48c1f9b 100644
+index 5e40cf3..30a1f36 100644
 --- a/tests/websocket-test.c
 +++ b/tests/websocket-test.c
-@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test,
+@@ -1331,8 +1331,9 @@ test_receive_invalid_encode_length_64 (Test *test,
 GError *error = NULL;
 InvalidEncodeLengthTest context = { test, NULL };
 guint i;
@@ -28,7 +29,7 @@ index 06c443bb5..6a48c1f9b 100644
 g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
 
 /* We use 127(\x7f) as payload length with 65535 extended length */
-@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test,
+@@ -1345,6 +1346,7 @@ test_receive_invalid_encode_length_64 (Test *test,
 WAIT_UNTIL (error != NULL || received != NULL);
 g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
 g_clear_error (&error);
@@ -37,5 +38,5 @@ index 06c443bb5..6a48c1f9b 100644
 g_thread_join (thread);
 
 --
-GitLab
+2.46.0
 
diff --git a/backport-0002-CVE-2025-32053.patch b/backport-0002-CVE-2025-32053.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5382bd88830e8b6b8d62b0dc68b63f592b6d0f34
--- /dev/null
+++ b/backport-0002-CVE-2025-32053.patch
@@ -0,0 +1,69 @@
+From 242a10fbb12dbdc12d254bd8fc8669a0ac055304 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis
+Date: Wed, 5 Feb 2025 14:39:42 -0600
+Subject: [PATCH] sniffer: Fix potential overflow
+
+Conflict: Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/242a10fbb12dbdc12d254bd8fc8669a0ac055304
+
+---
+ libsoup/soup-content-sniffer.c | 2 +-
+ tests/resources/whitespace.html | Bin 0 -> 512 bytes
+ tests/sniffing-test.c | 5 +++++
+ tests/soup-tests.gresource.xml | 1 +
+ 4 files changed, 7 insertions(+), 1 deletions(-)
+ create mode 100644 tests/resources/whitespace.html
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index aeee2e25c..da94e60c3 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -669,7 +669,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
+ pos = 3;
+
+ look_for_tag:
+- if (pos > resource_length)
++ if (pos >= resource_length)
+ goto text_html;
+
+ if (skip_insignificant_space (resource, &pos, resource_length))
+diff --git a/tests/resources/whitespace.html b/tests/resources/whitespace.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..7f07a0e639a102284d6f7c0c5d5560170f994553
+GIT binary patch
+literal 512
+TcmcCf)YWAe1tT*Abam|ja4Z2(
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
+index 6116719ae..b5428177f 100644
+--- a/tests/sniffing-test.c
++++ b/tests/sniffing-test.c
+@@ -512,6 +512,11 @@ main (int argc, char **argv)
+ "type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
+ do_sniffing_test);
+
++ /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length.
*/
++ g_test_add_data_func ("/sniffing/whitespace",
++ "type/text_html/whitespace.html => text/html",
++ do_sniffing_test);
++
+ /* Test that disabling the sniffer works correctly */
+ g_test_add_data_func ("/sniffing/disabled",
+ "/text_or_binary/home.gif",
+diff --git a/tests/soup-tests.gresource.xml b/tests/soup-tests.gresource.xml
+index 9c08d170e..cbef1d402 100644
+--- a/tests/soup-tests.gresource.xml
++++ b/tests/soup-tests.gresource.xml
+@@ -25,5 +25,6 @@
+ resources/text.txt
+ resources/text_binary.txt
+ resources/tux.webp
++ resources/whitespace.html
+
+
+--
+GitLab
+
diff --git a/backport-CVE-2025-2784.patch b/backport-CVE-2025-2784.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6ec754741629932ed25200883081920436f92859
--- /dev/null
+++ b/backport-CVE-2025-2784.patch
@@ -0,0 +1,152 @@
+From c415ad0b6771992e66c70edf373566c6e247089d Mon Sep 17 00:00:00 2001
+From: Patrick Griffis
+Date: Tue, 18 Feb 2025 14:29:50 -0600
+Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
+
+Conflict: context adaptation and Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d
+
+---
+ libsoup/soup-content-sniffer.c | 10 +++---
+ tests/resources/whitespace.html | Bin 512 -> 0 bytes
+ tests/sniffing-test.c | 53 +++++++++++++++++++++++++++++---
+ tests/soup-tests.gresource.xml | 1 -
+ 4 files changed, 53 insertions(+), 11 deletions(-)
+ delete mode 100644 tests/resources/whitespace.html
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index c52d2d0..3fb29ad 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ }
+
+ static gboolean
+-skip_insignificant_space (const char *resource, int *pos, int resource_length)
++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
+ {
++ if (*pos >= resource_length)
++ return TRUE;
++
+ while ((resource[*pos] == '\x09') ||
+ (resource[*pos] == '\x20') ||
+ (resource[*pos] == '\x0A') ||
+@@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ {
+ const char *resource = (const char *)buffer->data;
+ int resource_length = MIN (512, buffer->length);
+- int pos = 0;
++ gsize pos = 0;
+
+ if (resource_length < 3)
+ goto text_html;
+@@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ pos = 3;
+
+ look_for_tag:
+- if (pos >= resource_length)
+- goto text_html;
+-
+ if (skip_insignificant_space (resource, &pos, resource_length))
+ goto text_html;
+
+diff --git a/tests/resources/whitespace.html
b/tests/resources/whitespace.html +deleted file mode 100644 +index 7f07a0e639a102284d6f7c0c5d5560170f994553..0000000000000000000000000000000000000000 +GIT binary patch +literal 0 +HcmV?d00001 + +literal 512 +TcmcCf)YWAe1tT*Abam|ja4Z2( + +diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c +index 0a4569a..e2dfed4 100644 +--- a/tests/sniffing-test.c ++++ b/tests/sniffing-test.c +@@ -436,6 +436,52 @@ test_disabled (gconstpointer data) + soup_uri_free (uri); + } + ++static const gsize MARKUP_LENGTH = strlen (""); ++ ++static void ++do_skip_whitespace_test (void) ++{ ++ SoupContentSniffer *sniffer = soup_content_sniffer_new (); ++ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org"); ++ const char *test_cases[] = { ++ "", ++ "response_headers, "text/html", NULL); ++ ++ for (guint i = 0; i < G_N_ELEMENTS (test_cases); i++) { ++ const char *trailing_data = test_cases[i]; ++ gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data); ++ gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data); ++ guint8 *data = g_malloc0 (testsize); ++ guint8 *p = data; ++ char *content_type; ++ GBytes *buffer; ++ ++ // Format of $trailing_data ++ memcpy (p, "", strlen ("-->")); ++ p += strlen ("-->"); ++ if (strlen (trailing_data)) ++ memcpy (p, trailing_data, strlen (trailing_data)); ++ // Purposefully not NUL terminated. ++ ++ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize); ++ content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL); ++ ++ g_free (content_type); ++ g_bytes_unref (buffer); ++ } ++ ++ g_object_unref (msg); ++ g_object_unref (sniffer); ++} ++ + int + main (int argc, char **argv) + { +@@ -605,16 +651,13 @@ main (int argc, char **argv) + "type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8", + do_sniffing_test); + +- /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. 
*/
+- g_test_add_data_func ("/sniffing/whitespace",
+- "type/text_html/whitespace.html => text/html",
+- do_sniffing_test);
+-
+ /* Test that disabling the sniffer works correctly */
+ g_test_add_data_func ("/sniffing/disabled",
+ "/text_or_binary/home.gif",
+ test_disabled);
+
++ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test);
++
+ ret = g_test_run ();
+
+ soup_uri_free (base_uri);
+diff --git a/tests/soup-tests.gresource.xml b/tests/soup-tests.gresource.xml
+index cbef1d4..9c08d17 100644
+--- a/tests/soup-tests.gresource.xml
++++ b/tests/soup-tests.gresource.xml
+@@ -25,6 +25,5 @@
+ resources/text.txt
+ resources/text_binary.txt
+ resources/tux.webp
+- resources/whitespace.html
+
+
+--
+2.46.0
+
diff --git a/backport-CVE-2025-32050.patch b/backport-CVE-2025-32050.patch
new file mode 100644
index 0000000000000000000000000000000000000000..da83530de07093a1b186a012c78de6bb8091c990
--- /dev/null
+++ b/backport-CVE-2025-32050.patch
@@ -0,0 +1,28 @@
+From 9bb0a55de55c6940ced811a64fbca82fe93a9323 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis
+Date: Mon, 28 Oct 2024 12:29:48 -0500
+Subject: [PATCH] Fix using int instead of size_t for strcspn return
+
+Conflict: NA
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323
+
+---
+ libsoup/soup-headers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 613e1905..a5f7a7f6 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -907,7 +907,7 @@ append_param_quoted (GString *string,
+ const char *name,
+ const char *value)
+ {
+- int len;
++ gsize len;
+
+ g_string_append (string, name);
+ g_string_append (string, "=\"");
+--
+GitLab
+
diff --git a/backport-CVE-2025-32052.patch b/backport-CVE-2025-32052.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9b799bc897c8cca5bcf1317a861b1704e38c60ca
--- /dev/null
+++ b/backport-CVE-2025-32052.patch
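Review bot: The added `do_skip_whitespace_test` in tests/sniffing-test.c builds a `GBytes *buffer` with `g_bytes_new_take()` and hands it to `soup_content_sniffer_sniff()`, while the library hunks of this same backport show the 2.74 sniffer operating on `SoupBuffer *` (`sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)`, `buffer->length`). The public function's declaration is not in the patch, so this is inferred, but if it also takes `SoupBuffer *` the test passes an incompatible pointer type: newer compilers reject that and older ones only warn, so the regression test for the bounds fix either fails to build or runs against the wrong object type. For this branch the test would use `SoupBuffer *buffer;`, `buffer = soup_buffer_new_take (g_steal_pointer (&data), testsize);` and `soup_buffer_free (buffer);` in place of the GBytes calls.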
@@ -0,0 +1,30 @@
+From f182429e5b1fc034050510da20c93256c4fa9652 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis
+Date: Sat, 16 Nov 2024 12:07:30 -0600
+Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff
+
+Co-Author: Ar Jun
+
+Conflict: Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652
+
+---
+ libsoup/soup-content-sniffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index de0985eac..b62e48889 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -524,7 +524,7 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer,
+ guint index_pattern = 0;
+ gboolean skip_row = FALSE;
+
+- while ((index_stream < resource_length) &&
++ while ((index_stream < resource_length - 1) &&
+ (index_pattern <= type_row->pattern_length)) {
+ /* Skip insignificant white space ("WS" in the spec) */
+ if (type_row->pattern[index_pattern] == ' ') {
+--
+GitLab
+
diff --git a/libsoup.spec b/libsoup.spec
index 270f32b26ac35b9d0535a72780cd6e6f4eae56dc..38819090d749f7cf2f9a2ab7699dcc2c77606cbc 100644
--- a/libsoup.spec
+++ b/libsoup.spec
@@ -1,13 +1,13 @@
 Name: libsoup
 Version: 2.74.3
-Release: 4
+Release: 5
 Summary: An HTTP library implementation
 License: LGPLv2
 URL: https://wiki.gnome.org/Projects/libsoup
 Source0: https://download.gnome.org/sources/%{name}/2.74/%{name}-%{version}.tar.xz
 BuildRequires: glib2-devel glib-networking krb5-devel gobject-introspection-devel gettext
 BuildRequires: libxml2-devel libpsl-devel sqlite-devel vala gtk-doc meson libxslt
-BuildRequires: samba-winbind-clients brotli-devel
+BuildRequires: samba-winbind-clients brotli-devel git
 BuildRequires: pkgconfig(sysprof-capture-4)
 Requires: glib2 glib-networking
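Review bot: The new loop bound `index_stream < resource_length - 1` in the sniff_unknown hunk can wrap instead of tightening when the sniffed buffer is empty: with `resource_length == 0` the subtraction gives -1, which becomes a very large value once the comparison is carried out in unsigned arithmetic, so the loop body would run over a zero-length buffer. The declarations of `index_stream` and `resource_length` lie outside the hunk, so whether the comparison is unsigned (the `guint index_pattern` context line suggests it is) and whether an empty buffer can reach this loop both need confirming. Writing the bound as `while ((index_stream + 1 < resource_length) &&` keeps the same limit for non-empty input and cannot underflow.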
@@ -18,6 +18,11 @@ Patch6002: backport-0001-CVE-2024-52531.patch
 Patch6003: backport-0002-CVE-2024-52531.patch
 Patch6004: backport-0001-CVE-2024-52532.patch
 Patch6005: backport-0002-CVE-2024-52532.patch
+Patch6007: backport-CVE-2025-32050.patch
+Patch6008: backport-CVE-2025-32052.patch
+Patch6009: backport-0001-CVE-2025-32053.patch
+Patch6010: backport-0002-CVE-2025-32053.patch
+Patch6011: backport-CVE-2025-2784.patch
 
 %description
 libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop,
@@ -34,7 +39,7 @@ The %{name}-devel package contains libraries and header files for %{name}.
 %package_help
 %prep
-%autosetup -n %{name}-%{version} -p1
+%autosetup -n %{name}-%{version} -p1 -S git
 %build
 %meson -Dgtk_doc=true
@@ -69,6 +74,12 @@ sed -i 's/idm[0-9]\{5,32\}/idm12345678912345/g' %{buildroot}%{_datadir}/gtk-doc/
 %{_datadir}/gtk-doc/html/libsoup-2.4/*
 %changelog
+* Tue Apr 8 2025 zhangpan - 2.74.3-5
+- Type:cves
+- ID:CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-2784
+- SUG:NA
+- DESC:fix CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-2784
+
 * Thu Nov 14 2024 xinghe - 2.74.3-4
 - Type:cves
 - ID:CVE-2024-52530 CVE-2024-52531 CVE-2024-52532
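Review bot: The switch to `-S git` on the setup line in `%prep`, together with the new `git` BuildRequires, is undocumented, and the reason is easy to lose in a later cleanup. backport-0002-CVE-2025-32053.patch and backport-CVE-2025-2784.patch both carry `GIT binary patch` sections for tests/resources/whitespace.html, which is presumably why plain patch application no longer suffices. A spec comment above the setup line, for example `# -S git: the CVE-2025-32053 and CVE-2025-2784 backports contain GIT binary patch sections`, would record that dependency.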