import UBI libsoup-2.62.3-9.el8_10

2025-05-26 12:47:54 +00:00 · 2025-05-26 12:47:54 +00:00 · 199b71fcf6
commit 199b71fcf6
parent b767a7d3cb
10 changed files with 329 additions and 4 deletions
--- a/SOURCES/CVE-2024-52530.patch
+++ b/SOURCES/CVE-2024-52530.patch
--- a/SOURCES/CVE-2024-52531.patch
+++ b/SOURCES/CVE-2024-52531.patch
--- a/SOURCES/CVE-2024-52532.patch
+++ b/SOURCES/CVE-2024-52532.patch
--- a/SOURCES/CVE-2025-2784.patch
+++ b/SOURCES/CVE-2025-2784.patch
@ -0,0 +1,48 @@
+From b7213fc6c639b5ca6c91e215aee18cea36d9dc95 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 18 Feb 2025 14:29:50 -0600
+Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
+
+---
+ libsoup/soup-content-sniffer.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index 698d05e4..3fb29adf 100644
+--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
+@@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ }
+ 
+ static gboolean
+-skip_insignificant_space (const char *resource, int *pos, int resource_length)
+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
+ {
+        if (*pos >= resource_length)
+	        return TRUE;
+
+ 	while ((resource[*pos] == '\x09') ||
+ 	       (resource[*pos] == '\x20') ||
+ 	       (resource[*pos] == '\x0A') ||
+@@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ {
+ 	const char *resource = (const char *)buffer->data;
+ 	int resource_length = MIN (512, buffer->length);
+-	int pos = 0;
+	gsize pos = 0;
+ 
+ 	if (resource_length < 3)
+ 		goto text_html;
+@@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ 		pos = 3;
+ 
+  look_for_tag:
+-	if (pos > resource_length)
+-		goto text_html;
+-
+ 	if (skip_insignificant_space (resource, &pos, resource_length))
+ 		goto text_html;
+ 
+-- 
+2.49.0
+
--- a/SOURCES/CVE-2025-32049.patch
+++ b/SOURCES/CVE-2025-32049.patch
@ -0,0 +1,30 @@
+From 6ec7c5be50b48d6ce0a09aa3468f2c5725406a97 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Wed, 21 May 2025 10:42:51 -0500
+Subject: [PATCH] Add size limit for total message size
+
+This size limit could break applications, but it will close the denial
+of service issue.
+---
+ libsoup/soup-websocket-connection.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
+index 36524d04..f8764aff 100644
+--- a/libsoup/soup-websocket-connection.c
+++ b/libsoup/soup-websocket-connection.c
+@@ -913,6 +913,11 @@ process_contents (SoupWebsocketConnection *self,
+ 		switch (pv->message_opcode) {
+ 		case 0x01:
+ 		case 0x02:
+			/* Safety valve */
+			if (pv->message_data->len + payload_len > pv->max_incoming_payload_size) {
+				too_big_error_and_close (self, (pv->message_data->len + payload_len));
+				return;
+			}
+ 			g_byte_array_append (pv->message_data, payload, payload_len);
+ 			break;
+ 		default:
+-- 
+2.49.0
+
--- a/SOURCES/CVE-2025-32914.patch
+++ b/SOURCES/CVE-2025-32914.patch
@ -0,0 +1,30 @@
+From 51c25f470f85b485818c253718594a4d59b39931 Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Tue, 15 Apr 2025 09:03:00 +0200
+Subject: [PATCH] multipart: Fix read out of buffer bounds under
+ soup_multipart_new_from_message()
+
+This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
+of the body argument.
+
+Closes #436
+---
+ libsoup/soup-multipart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index a7e550f1..dd939739 100644
+--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
+@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ 			return NULL;
+ 		}
+ 
+-		split = strstr (start, "\r\n\r\n");
+		split = g_strstr_len (start, body_end - start, "\r\n\r\n");
+ 		if (!split || split > end) {
+ 			soup_multipart_free (multipart);
+ 			soup_buffer_free (flattened);
+-- 
+2.49.0
+
--- a/SOURCES/CVE-2025-4948.patch
+++ b/SOURCES/CVE-2025-4948.patch
@ -0,0 +1,30 @@
+From 592db079bc2dfea75708751ed0b7533ac9fd36df Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Thu, 15 May 2025 17:49:11 +0200
+Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body
+
+It could happen that the boundary started at a place which resulted into
+a negative number, which in an unsigned integer is a very large value.
+Check the body size is not a negative value before setting it.
+
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
+---
+ libsoup/soup-multipart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index dd939739..ce2fc109 100644
+--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
+@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ 		 */
+ 		part_body = soup_buffer_new_subbuffer (flattened,
+ 						       split - flattened->data,
+-						       end - 2 - split);
+						       end - 2 >= split ? end - 2 - split : 0);
+ 		g_ptr_array_add (multipart->bodies, part_body);
+ 
+ 		start = end;
+-- 
+2.49.0
+
--- a/SOURCES/fix-ssl-test.patch
+++ b/SOURCES/fix-ssl-test.patch
@ -0,0 +1,123 @@
+From c720f9c696b3b39d8c386abf8c8a9ddad447cda0 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <cgarcia@igalia.com>
+Date: Wed, 9 Sep 2020 14:44:25 +0200
+Subject: [PATCH 1/2] tests: fix SSL test with glib-networking >= 2.65.90
+
+To make SSL tests fail with our testing certificate we create and empty
+GTlsDatabase passing /dev/null to g_tls_file_database_new(). This no
+longer works with newer glib-networking, since an empty file is
+considered an error by gnutls and
+g_tls_file_database_gnutls_populate_trust_list() now handles gnutls
+errors properly. Instead, we can just use the system CA file that won't
+contain our testing certificate for sure.
+
+Fixes #201
+---
+ tests/ssl-test.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/tests/ssl-test.c b/tests/ssl-test.c
+index 735ba416..2c93ca85 100644
+--- a/tests/ssl-test.c
+++ b/tests/ssl-test.c
+@@ -3,7 +3,6 @@
+ #include "test-utils.h"
+ 
+ SoupURI *uri;
+-GTlsDatabase *null_tlsdb;
+ 
+ static void
+ do_properties_test_for_session (SoupSession *session)
+@@ -37,7 +36,7 @@ do_async_properties_tests (void)
+ 
+ 	session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL);
+ 	g_object_set (G_OBJECT (session),
+-		      SOUP_SESSION_TLS_DATABASE, null_tlsdb,
+		      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ 		      SOUP_SESSION_SSL_STRICT, FALSE,
+ 		      NULL);
+ 	do_properties_test_for_session (session);
+@@ -53,7 +52,7 @@ do_sync_properties_tests (void)
+ 
+ 	session = soup_test_session_new (SOUP_TYPE_SESSION_SYNC, NULL);
+ 	g_object_set (G_OBJECT (session),
+-		      SOUP_SESSION_TLS_DATABASE, null_tlsdb,
+		      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ 		      SOUP_SESSION_SSL_STRICT, FALSE,
+ 		      NULL);
+ 	do_properties_test_for_session (session);
+@@ -106,7 +105,7 @@ do_strictness_test (gconstpointer data)
+ 	}
+ 	if (!test->with_ca_list) {
+ 		g_object_set (G_OBJECT (session),
+-			      SOUP_SESSION_TLS_DATABASE, null_tlsdb,
+			      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ 			      NULL);
+ 	}
+ 
+@@ -433,7 +432,6 @@ main (int argc, char **argv)
+ {
+ 	SoupServer *server = NULL;
+ 	int i, ret;
+-	GError *error = NULL;
+ 
+ 	test_init (argc, argv, NULL);
+ 
+@@ -441,9 +439,6 @@ main (int argc, char **argv)
+ 		server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ 		soup_server_add_handler (server, NULL, server_handler, NULL, NULL);
+ 		uri = soup_test_server_get_uri (server, "https", "127.0.0.1");
+-
+-		null_tlsdb = g_tls_file_database_new ("/dev/null", &error);
+-		g_assert_no_error (error);
+ 	} else
+ 		uri = NULL;
+ 
+@@ -463,7 +458,6 @@ main (int argc, char **argv)
+ 	if (tls_available) {
+ 		soup_uri_free (uri);
+ 		soup_test_server_quit_unref (server);
+-		g_object_unref (null_tlsdb);
+ 	}
+ 
+ 	test_cleanup ();
+-- 
+2.43.5
+
+
+From 0fbc7e8220c32f4848d6f1407efe81cc13ab18ef Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Sat, 18 Jan 2025 01:20:24 -0600
+Subject: [PATCH 2/2] Add workaround for flaky ssl-test connection failures
+
+---
+ tests/ssl-test.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/tests/ssl-test.c b/tests/ssl-test.c
+index 2c93ca85..1b48c6aa 100644
+--- a/tests/ssl-test.c
+++ b/tests/ssl-test.c
+@@ -348,6 +348,19 @@ got_connection (GThreadedSocketService *service,
+ 		g_clear_error (&error);
+ 	}
+ 
+	// Work around a race condition where do_tls_interaction_test's call to
+	// soup_session_send_message() fails due to the server having closed the
+	// connection:
+	//
+	// ERROR:../tests/ssl-test.c:405:do_tls_interaction_test: Unexpected status 7 Connection terminated unexpectedly (expected 200 OK)
+	//
+	// This bug is already fixed upstream, so no sense in spending a bunch
+	// of time trying to find a proper fix.
+	//
+	// I'm not certain, but I suspect it's fixed by:
+	// https://gitlab.gnome.org/GNOME/libsoup/-/commit/bd6de90343839125bd07c43c97e1000deb0b40c3
+	sleep (1);
+
+ 	g_io_stream_close (tls, NULL, &error);
+ 	g_assert_no_error (error);
+ 
+-- 
+2.43.5
+
--- a/SOURCES/server-test-timeouts.patch
+++ b/SOURCES/server-test-timeouts.patch
@ -0,0 +1,44 @@
+From 9ff306aa714efd06ceeafacee03298a3665055b1 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Wed, 30 Apr 2025 14:13:41 -0500
+Subject: [PATCH] test-utils: fix deadlock in add_listener_in_thread()
+
+The mutex is locked in the wrong place here.
+
+Hopefully fixes #379
+---
+ tests/test-utils.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test-utils.c b/tests/test-utils.c
+index df4cee44..5c1e316c 100644
+--- a/tests/test-utils.c
+++ b/tests/test-utils.c
+@@ -607,9 +607,11 @@ static gboolean
+ add_listener_in_thread (gpointer user_data)
+ {
+ 	AddListenerData *data = user_data;
+	SoupURI *uri;
+ 
+-	data->uri = add_listener (data->server, data->scheme, data->host);
+	uri = add_listener (data->server, data->scheme, data->host);
+ 	g_mutex_lock (&data->mutex);
+	data->uri = uri;
+ 	g_cond_signal (&data->cond);
+ 	g_mutex_unlock (&data->mutex);
+ 
+@@ -641,9 +643,9 @@ soup_test_server_get_uri (SoupServer    *server,
+ 		data.host = host;
+ 		data.uri = NULL;
+ 
+-		g_mutex_lock (&data.mutex);
+ 		soup_add_completion (context, add_listener_in_thread, &data);
+ 
+		g_mutex_lock (&data.mutex);
+ 		while (!data.uri)
+ 			g_cond_wait (&data.cond, &data.mutex);
+ 
+-- 
+GitLab
+
+
--- a/SPECS/libsoup.spec
+++ b/SPECS/libsoup.spec
@ -2,7 +2,7 @@

 Name: libsoup
 Version: 2.62.3
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: Soup, an HTTP library implementation

 License: LGPLv2
@ -14,9 +14,9 @@ Patch0002: 0002-WebSockets-allow-null-characters-in-text-messages-da.patch
 Patch0003: 0003-WebSockets-only-poll-IO-stream-when-needed.patch
 Patch0004: 0004-ntlmv2.patch
 Patch0005: 0005-WebSockets-do-not-start-the-input-source-when-IO-is-closing.patch
-Patch0006: CVE-2025-52530.patch
-Patch0007: CVE-2025-52531.patch
-Patch0008: CVE-2025-52532.patch
+Patch0006: CVE-2024-52530.patch
+Patch0007: CVE-2024-52531.patch
+Patch0008: CVE-2024-52532.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/446
 Patch0009: test-cert-expiration.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/415
@ -31,6 +31,18 @@ Patch0014: CVE-2025-32911-CVE-2025-32913.patch
 Patch0015: CVE-2025-46420.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436
 Patch0016: CVE-2025-46421.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/408 (simplified)
+Patch0017: CVE-2025-32049.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450
+Patch0018: CVE-2025-32914.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/issues/422
+Patch0019: CVE-2025-2784.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463
+Patch0020: CVE-2025-4948.patch
+# https://issues.redhat.com/browse/RHEL-76426
+Patch0021: fix-ssl-test.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/454
+Patch0022: server-test-timeouts.patch

 BuildRequires: chrpath
 BuildRequires: glib2-devel >= %{glib2_version}
@ -105,6 +117,14 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so
 %{_datadir}/vala/vapi/libsoup-2.4.vapi

 %changelog
+* Thu May 22 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-9
+- Add patches to improve test reliability
+- Backport patches for various CVEs
+  Resolves: RHEL-85879
+  Resolves: RHEL-92280
+  Resolves: RHEL-93031
+  Resolves: RHEL-93032
+
 * Thu May 01 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-8
 - Backport patches for various CVEs, plus test improvements
  Resolves: RHEL-85887