diff --git a/backport-0001-CVE-2025-32906.patch b/backport-0001-CVE-2025-32906.patch new file mode 100644 index 0000000000000000000000000000000000000000..407fce5a1d4ed3d75cb45371cf8fbf3403528a41 --- /dev/null +++ b/backport-0001-CVE-2025-32906.patch @@ -0,0 +1,61 @@ +From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 11 Feb 2025 14:36:26 -0600 +Subject: [PATCH] headers: Handle parsing edge case + +This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds. + +Conflict: NA +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931 + +--- + libsoup/soup-headers.c | 2 +- + tests/header-parsing-test.c | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 85385cea..9d6d00a3 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str, + !g_ascii_isdigit (version[5])) + return SOUP_STATUS_BAD_REQUEST; + major_version = strtoul (version + 5, &p, 10); +- if (*p != '.' || !g_ascii_isdigit (p[1])) ++ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1])) + return SOUP_STATUS_BAD_REQUEST; + minor_version = strtoul (p + 1, &p, 10); + version_end = p; +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 07ea2866..10ddb684 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,6 +6,10 @@ typedef struct { + const char *name, *value; + } Header; + ++static char unterminated_http_version[] = { ++ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -383,6 +387,14 @@ static struct RequestTest { + { { NULL } } + }, + ++ /* This couldn't be a C string as going one byte over would have been safe. */ ++ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", ++ unterminated_http_version, sizeof (unterminated_http_version), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } ++ }, ++ + { "Non-HTTP request", NULL, + "GET / SOUP/1.1\r\nHost: example.com\r\n", -1, + SOUP_STATUS_BAD_REQUEST, +-- +GitLab + diff --git a/backport-0001-CVE-2025-32910-CVE-2025-32912.patch b/backport-0001-CVE-2025-32910-CVE-2025-32912.patch new file mode 100644 index 0000000000000000000000000000000000000000..e435ef6676a1c9e733cbd8d4b5feaa7f5064deb5 --- /dev/null +++ b/backport-0001-CVE-2025-32910-CVE-2025-32912.patch @@ -0,0 +1,98 @@ +From e40df6d48a1cbab56f5d15016cc861a503423cfe Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sun, 8 Dec 2024 20:00:35 -0600 +Subject: [PATCH] auth-digest: Handle missing realm in authenticate header + +Conflict: tests/auth-test.c file context adaptation and modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe + +--- + libsoup/soup-auth-digest.c | 3 +++ + tests/auth-test.c | 50 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index e8ba990..263a15a 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + ++ if (!soup_auth_get_realm (auth)) ++ return FALSE; ++ + g_free (priv->domain); + g_free (priv->nonce); + g_free (priv->opaque); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 8295ec3..dfc6b09 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void) + soup_test_session_abort_unref (session); + } + ++static void ++on_request_read_for_missing_realm (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) ++{ ++ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++} ++ ++static void ++do_missing_realm_test (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupServer *server; ++ SoupAuthDomain *digest_auth_domain; ++ gint status; ++ GUri *uri; ++ ++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ soup_server_add_handler (server, NULL, ++ server_callback, NULL, NULL); ++ uri = soup_test_server_get_uri (server, "http", NULL); ++ ++ digest_auth_domain = soup_auth_domain_digest_new ( ++ "realm", "auth-test", ++ "auth-callback", server_digest_auth_callback, ++ NULL); ++ soup_auth_domain_add_path (digest_auth_domain, "/"); ++ soup_server_add_auth_domain (server, digest_auth_domain); ++ g_object_unref (digest_auth_domain); ++ ++ g_signal_connect (server, "request-read", ++ G_CALLBACK (on_request_read_for_missing_realm), ++ NULL); ++ ++ session = soup_test_session_new (NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ g_signal_connect (msg, "authenticate", ++ G_CALLBACK (on_digest_authenticate), ++ NULL); ++ ++ status = soup_test_session_send_message (session, msg); ++ ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); ++ g_uri_unref (uri); ++ soup_test_server_quit_unref (server); ++} ++ + int + main (int argc, char **argv) + { +@@ -1576,6 +1625,7 @@ main (int argc, char **argv) + g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test); + g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test); + g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test); ++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test); + + ret = g_test_run (); + +-- +2.48.1 + diff --git a/backport-0001-CVE-2025-32911-CVE-2025-32913.patch b/backport-0001-CVE-2025-32911-CVE-2025-32913.patch new file mode 100644 index 0000000000000000000000000000000000000000..0f02da78c5e8d9a36b8b3e5d5afbb34235430d97 --- /dev/null +++ b/backport-0001-CVE-2025-32911-CVE-2025-32913.patch @@ -0,0 +1,72 @@ +From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 17:53:50 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref + +Conflict: tests/header-parsing-test.c file context adaptation +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34 + +--- + libsoup/soup-message-headers.c | 13 +++++++++---- + tests/header-parsing-test.c | 14 ++++++++++++++ + 2 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 39ad14a..a577169 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1454,10 +1454,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + */ + if (params && g_hash_table_lookup_extended (*params, "filename", + &orig_key, &orig_value)) { +- char *filename = strrchr (orig_value, '/'); +- +- if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ if (orig_value) { ++ char *filename = strrchr (orig_value, '/'); ++ ++ if (filename) ++ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ } else { ++ /* filename with no value isn't valid. */ ++ g_hash_table_remove (*params, "filename"); ++ } + } + return TRUE; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 03ea34d..45316c5 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1062,6 +1062,7 @@ do_param_list_tests (void) + #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar" ++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename" + + static void + do_content_disposition_tests (void) +@@ -1163,6 +1164,19 @@ do_content_disposition_tests (void) + g_assert_cmpstr (parameter2, ==, "bar"); + g_hash_table_destroy (params); + ++ /* Empty filename */ ++ soup_message_headers_clear (hdrs); ++ soup_message_headers_append (hdrs, "Content-Disposition", ++ RFC5987_TEST_HEADER_EMPTY_FILENAME); ++ if (!soup_message_headers_get_content_disposition (hdrs, ++ &disposition, ++ ¶ms)) { ++ soup_test_assert (FALSE, "empty filename decoding FAILED"); ++ return; ++ } ++ g_assert_false (g_hash_table_contains (params, "filename")); ++ g_hash_table_destroy (params); ++ + soup_message_headers_free (hdrs); + + /* Ensure that soup-multipart always quotes filename */ +-- +2.48.1 + diff --git a/backport-0002-CVE-2025-32906.patch b/backport-0002-CVE-2025-32906.patch new file mode 100644 index 0000000000000000000000000000000000000000..53e44e16f6b985fc99b9f92cd4ae759fa460653d --- /dev/null +++ b/backport-0002-CVE-2025-32906.patch @@ -0,0 +1,83 @@ +From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 12 Feb 2025 11:30:02 -0600 +Subject: [PATCH] headers: Handle parsing only newlines + +Closes #404 +Closes #407 + +Conflict: NA +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f + +--- + libsoup/soup-headers.c | 4 ++-- + tests/header-parsing-test.c | 13 ++++++++++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 9d6d00a3..52ef2ece 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str, + /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s) + * received where a Request-Line is expected." + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str, + * after a response, which we then see prepended to the next + * response on that connection. + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 10ddb684..4faafbd6 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,10 +6,15 @@ typedef struct { + const char *name, *value; + } Header; + ++/* These are not C strings to ensure going one byte over is not safe. */ + static char unterminated_http_version[] = { + 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.' + }; + ++static char only_newlines[] = { ++ '\n', '\n', '\n', '\n' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -387,7 +392,6 @@ static struct RequestTest { + { { NULL } } + }, + +- /* This couldn't be a C string as going one byte over would have been safe. */ + { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", + unterminated_http_version, sizeof (unterminated_http_version), + SOUP_STATUS_BAD_REQUEST, +@@ -457,6 +461,13 @@ static struct RequestTest { + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ { "Only newlines", NULL, ++ only_newlines, sizeof (only_newlines), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +-- +GitLab + diff --git a/backport-0002-CVE-2025-32910-CVE-2025-32912.patch b/backport-0002-CVE-2025-32910-CVE-2025-32912.patch new file mode 100644 index 0000000000000000000000000000000000000000..31188c31ea0167bb0aed53e64fba97c929362e68 --- /dev/null +++ b/backport-0002-CVE-2025-32910-CVE-2025-32912.patch @@ -0,0 +1,149 @@ +From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Thu, 26 Dec 2024 18:18:35 -0600 +Subject: [PATCH] auth-digest: Handle missing nonce + +Conflict: tests/auth-test.c file context adaptation and modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a + +--- + libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++--------- + tests/auth-test.c | 19 +++++++++------- + 2 files changed, 46 insertions(+), 18 deletions(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 263a15a..a97e4bb 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) + return g_string_free (out, FALSE); + } + ++static gboolean ++validate_params (SoupAuthDigest *auth_digest) ++{ ++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); ++ ++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { ++ if (!priv->nonce) ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ + static gboolean + soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + GHashTable *auth_params) +@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + if (priv->algorithm == -1) + ok = FALSE; + +- stale = g_hash_table_lookup (auth_params, "stale"); +- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) +- recompute_hex_a1 (priv); +- else { +- g_free (priv->user); +- priv->user = NULL; +- g_free (priv->cnonce); +- priv->cnonce = NULL; +- memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); +- memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ if (!validate_params (auth_digest)) ++ ok = FALSE; ++ ++ if (ok) { ++ stale = g_hash_table_lookup (auth_params, "stale"); ++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) ++ recompute_hex_a1 (priv); ++ else { ++ g_free (priv->user); ++ priv->user = NULL; ++ g_free (priv->cnonce); ++ priv->cnonce = NULL; ++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); ++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ } + } + + return ok; +@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp, + + /* In MD5-sess, A1 is hex_urp:nonce:cnonce */ + ++ g_assert (nonce && cnonce); ++ + checksum = g_checksum_new (G_CHECKSUM_MD5); + g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method, + if (qop) { + char tmp[9]; + ++ g_assert (cnonce); ++ + g_snprintf (tmp, 9, "%.8x", nc); + g_checksum_update (checksum, (guchar *)tmp, strlen (tmp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg) + g_return_val_if_fail (uri != NULL, NULL); + url = soup_uri_to_string (uri, TRUE); + ++ g_assert (priv->nonce); ++ g_assert (!priv->qop || priv->cnonce); ++ + soup_auth_digest_compute_response (msg->method, url, priv->hex_a1, + priv->qop, priv->nonce, + priv->cnonce, priv->nc, +diff --git a/tests/auth-test.c b/tests/auth-test.c +index dfc6b09..6fb1e4a 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void) + } + + static void +-on_request_read_for_missing_realm (SoupServer *server, +- SoupServerMessage *msg, +- gpointer user_data) ++on_request_read_for_missing_params (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) + { ++ const char *auth_header = user_data; + SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); +- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header); + } + + static void +-do_missing_realm_test (void) ++do_missing_params_test (gconstpointer auth_header) + { + SoupSession *session; + SoupMessage *msg; +@@ -1582,8 +1583,8 @@ do_missing_realm_test (void) + g_object_unref (digest_auth_domain); + + g_signal_connect (server, "request-read", +- G_CALLBACK (on_request_read_for_missing_realm), +- NULL); ++ G_CALLBACK (on_request_read_for_missing_params), ++ (gpointer)auth_header); + + session = soup_test_session_new (NULL); + msg = soup_message_new_from_uri ("GET", uri); +@@ -1625,7 +1626,9 @@ main (int argc, char **argv) + g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test); + g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test); + g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test); +- g_test_add_func ("/auth/missing-realm", do_missing_realm_test); ++ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); + + ret = g_test_run (); + +-- +2.48.1 + diff --git a/backport-0002-CVE-2025-32911-CVE-2025-32913.patch b/backport-0002-CVE-2025-32911-CVE-2025-32913.patch new file mode 100644 index 0000000000000000000000000000000000000000..e34bc268d83e5bdadbeda570207209cf64612bcd --- /dev/null +++ b/backport-0002-CVE-2025-32911-CVE-2025-32913.patch @@ -0,0 +1,44 @@ +From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 18:00:39 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: strdup + truncated filenames + +This table frees the strings it contains. + +Conflict: NA +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0 + +--- + libsoup/soup-message-headers.c | 2 +- + tests/header-parsing-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index a577169..81e7cea 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1458,7 +1458,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + char *filename = strrchr (orig_value, '/'); + + if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1)); + } else { + /* filename with no value isn't valid. */ + g_hash_table_remove (*params, "filename"); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 45316c5..c3a62f9 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1174,6 +1174,7 @@ do_content_disposition_tests (void) + soup_test_assert (FALSE, "empty filename decoding FAILED"); + return; + } ++ g_free (disposition); + g_assert_false (g_hash_table_contains (params, "filename")); + g_hash_table_destroy (params); + +-- +2.48.1 + diff --git a/backport-0003-CVE-2025-32910-CVE-2025-32912.patch b/backport-0003-CVE-2025-32910-CVE-2025-32912.patch new file mode 100644 index 0000000000000000000000000000000000000000..c7954faea4d86ee964f8690eae988892a55517fa --- /dev/null +++ b/backport-0003-CVE-2025-32910-CVE-2025-32912.patch @@ -0,0 +1,27 @@ +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 13:52:52 -0600 +Subject: [PATCH] auth-digest: Fix leak + +Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 + +--- + libsoup/soup-auth-digest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 350bfde6..9eb7fa0e 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object) + g_free (priv->nonce); + g_free (priv->domain); + g_free (priv->cnonce); ++ g_free (priv->opaque); + + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); +-- +GitLab + diff --git a/backport-0004-CVE-2025-32912.patch b/backport-0004-CVE-2025-32912.patch new file mode 100644 index 0000000000000000000000000000000000000000..9ece47fa349aecdad2aa8512508e101ae66dc10e --- /dev/null +++ b/backport-0004-CVE-2025-32912.patch @@ -0,0 +1,41 @@ +From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 14:03:05 -0600 +Subject: [PATCH] auth-digest: Handle missing nonce + +Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992 + +--- + libsoup/soup-auth-digest.c | 2 +- + tests/auth-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 83069ef..b79e6f8 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth)) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 6fb1e4a..548ac94 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1629,6 +1629,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test); + + ret = g_test_run (); + +-- +2.48.1 + diff --git a/backport-0005-CVE-2025-32912.patch b/backport-0005-CVE-2025-32912.patch new file mode 100644 index 0000000000000000000000000000000000000000..4679db0d5ef1b7789d0d1800c5d0b996052c7eff --- /dev/null +++ b/backport-0005-CVE-2025-32912.patch @@ -0,0 +1,30 @@ +From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 8 Feb 2025 12:30:13 -0600 +Subject: [PATCH] digest-auth: Handle NULL nonce + +`contains` only handles a missing nonce, `lookup` handles both missing and empty. + +Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f + +--- + libsoup/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index d69a4013..dc4dbfc5 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); +-- +GitLab + diff --git a/backport-0006-CVE-2025-32912.patch b/backport-0006-CVE-2025-32912.patch new file mode 100644 index 0000000000000000000000000000000000000000..6e219b4b667dfd2dd608dc435801f4020c07f7fd --- /dev/null +++ b/backport-0006-CVE-2025-32912.patch @@ -0,0 +1,51 @@ +From e2e3d1cf16a15d725289e3f5a8a6503de08fc63f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 11 Feb 2025 10:32:39 -0600 +Subject: [PATCH] Remove redundant function + +The nonce is validated earlier now. + +Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/e2e3d1cf16a15d725289e3f5a8a6503de08fc63f + +--- + libsoup/soup-auth-digest.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 40b470b..318ebe2 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -133,19 +133,6 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) + return g_string_free (out, FALSE); + } + +-static gboolean +-validate_params (SoupAuthDigest *auth_digest) +-{ +- SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); +- +- if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { +- if (!priv->nonce) +- return FALSE; +- } +- +- return TRUE; +-} +- + static gboolean + soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + GHashTable *auth_params) +@@ -183,9 +170,6 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + if (priv->algorithm == -1) + ok = FALSE; + +- if (!validate_params (auth_digest)) +- ok = FALSE; +- + if (ok) { + stale = g_hash_table_lookup (auth_params, "stale"); + if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) +-- +2.48.1 + diff --git a/backport-CVE-2025-32909.patch b/backport-CVE-2025-32909.patch new file mode 100644 index 0000000000000000000000000000000000000000..bc0853221fc2a06ac29e2aae18a72406c332a7b5 --- /dev/null +++ b/backport-CVE-2025-32909.patch @@ -0,0 +1,36 @@ +From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 8 Jan 2025 16:30:17 -0600 +Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4 + bytes + +Conflict: context adaptation and modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92 + +--- + libsoup/soup-content-sniffer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index c52d2d0..ee32971 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -227,9 +227,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, SoupBuffer *buffer) + { + const char *resource = (const char *)buffer->data; + guint resource_length = MIN (512, buffer->length); +- guint32 box_size = *((guint32*)resource); ++ guint32 box_size; + guint i; + ++ if (resource_length < sizeof (guint32)) ++ return FALSE; ++ ++ box_size = *((guint32*)resource); ++ + #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + box_size = ((box_size >> 24) | + ((box_size << 8) & 0x00FF0000) | +-- +2.48.1 + diff --git a/backport-Handle-sniffing-bytes-with-0-size.patch b/backport-Handle-sniffing-bytes-with-0-size.patch new file mode 100644 index 0000000000000000000000000000000000000000..7e159af4ca1f5b64fd6860c44c071589694cc983 --- /dev/null +++ b/backport-Handle-sniffing-bytes-with-0-size.patch @@ -0,0 +1,25 @@ +From b0fd7e1f65049b7efdf50febe6765039de4289ed Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 16 Dec 2020 15:54:32 -0600 +Subject: [PATCH] Handle sniffing bytes with 0 size + +--- + libsoup/soup-content-sniffer.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index cb4255ade..cf5da7e1f 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -507,6 +507,9 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer, + guint resource_length = MIN (512, buffer->length); + guint i; + ++ if (resource_length == 0) ++ return g_strdup ("application/octet-stream"); ++ + for (i = 0; i < G_N_ELEMENTS (types_table); i++) { + SoupContentSnifferPattern *type_row = &(types_table[i]); + +-- +GitLab diff --git a/backport-content-sniffer-empty-resources-should-be-considered-text-plain.patch b/backport-content-sniffer-empty-resources-should-be-considered-text-plain.patch new file mode 100644 index 0000000000000000000000000000000000000000..6d1b08f26bfb3105df01f0538643b6acb63566ff --- /dev/null +++ b/backport-content-sniffer-empty-resources-should-be-considered-text-plain.patch @@ -0,0 +1,60 @@ +From f7df4e4e1f7314ff309e4d26fcd7f352c33870ef Mon Sep 17 00:00:00 2001 +From: Carlos Garcia Campos +Date: Wed, 17 Feb 2021 14:08:40 +0100 +Subject: [PATCH] content-sniffer: empty resources should be considered + text/plain + +Instead of application/octet-stream according to the HTML5 spec +--- + libsoup/soup-content-sniffer.c | 2 +- + tests/sniffing-test.c | 13 +++++++++---- + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index f5a13d18c..948dc182d 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -507,7 +507,7 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer, + guint i; + + if (resource_length == 0) +- return g_strdup ("application/octet-stream"); ++ return g_strdup ("text/plain"); + + for (i = 0; i < G_N_ELEMENTS (types_table); i++) { + SoupContentSnifferPattern *type_row = &(types_table[i]); +diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c +index 1f2bb9115..23e05c1a3 100644 +--- a/tests/sniffing-test.c ++++ b/tests/sniffing-test.c +@@ -79,11 +79,13 @@ server_callback (SoupServer *server, + } + + if (g_str_has_prefix (path, "/unknown/")) { +- char *base_name = g_path_get_basename (path); ++ if (!empty_response) { ++ char *base_name = g_path_get_basename (path); + +- response = soup_test_load_resource (base_name, &error); +- g_assert_no_error (error); +- g_free (base_name); ++ response = soup_test_load_resource (base_name, &error); ++ g_assert_no_error (error); ++ g_free (base_name); ++ } + + soup_message_headers_append (msg->response_headers, + "Content-Type", "UNKNOWN/unknown"); +@@ -439,6 +441,9 @@ main (int argc, char **argv) + g_test_add_data_func ("/sniffing/type/unknown-mbox", + "unknown/mbox => text/plain", + do_sniffing_test); ++ g_test_add_data_func ("/sniffing/type/unknown-empty", ++ "unknown/mbox?empty_response=yes => text/plain", ++ do_sniffing_test); + g_test_add_data_func ("/sniffing/type/unknown-binary", + "unknown/text_binary.txt => application/octet-stream", + do_sniffing_test); +-- +GitLab + diff --git a/libsoup.spec b/libsoup.spec index 85d50716aff67045d435b99e6c56da58dc92f030..8661407dbc5da60c129534d099aadc2c6ccfd628 100644 --- a/libsoup.spec +++ b/libsoup.spec @@ -2,7 +2,7 @@ Name: libsoup Version: 2.74.3 -Release: 6 +Release: 7 Summary: An HTTP library implementation License: LGPL-2.0-only URL: https://wiki.gnome.org/Projects/libsoup @@ -20,6 +20,19 @@ Patch6008: backport-CVE-2025-32052.patch Patch6009: backport-0001-CVE-2025-32053.patch Patch6010: backport-0002-CVE-2025-32053.patch Patch6011: backport-CVE-2025-2784.patch +Patch6012: backport-0001-CVE-2025-32906.patch +Patch6013: backport-0002-CVE-2025-32906.patch +Patch6014: backport-0001-CVE-2025-32910-CVE-2025-32912.patch +Patch6015: backport-0002-CVE-2025-32910-CVE-2025-32912.patch +Patch6016: backport-0003-CVE-2025-32910-CVE-2025-32912.patch +Patch6017: backport-0001-CVE-2025-32911-CVE-2025-32913.patch +Patch6018: backport-0002-CVE-2025-32911-CVE-2025-32913.patch +Patch6019: backport-0004-CVE-2025-32912.patch +Patch6020: backport-0005-CVE-2025-32912.patch +Patch6021: backport-0006-CVE-2025-32912.patch +Patch6022: backport-Handle-sniffing-bytes-with-0-size.patch +Patch6023: backport-content-sniffer-empty-resources-should-be-considered-text-plain.patch +Patch6024: backport-CVE-2025-32909.patch BuildRequires: meson >= 0.50 BuildRequires: pkgconfig(gio-2.0) >= 2.58 @@ -93,6 +106,12 @@ sed -i 's/idm[0-9]\{5,32\}/idm12345678912345/g' %{buildroot}%{_datadir}/gtk-doc/ %{_datadir}/gtk-doc/html/libsoup-2.4 %changelog +* Mon Apr 21 2025 zhangpan - 2.74.3-7 +- Type:cves +- ID:CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913 +- SUG:NA +- DESC:fix CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913 + * Tue Apr 8 2025 zhangpan - 2.74.3-6 - Type:cves - ID:CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-2784