diff --git a/SOURCES/CVE-2025-52530.patch b/SOURCES/CVE-2024-52530.patch
similarity index 100%
rename from SOURCES/CVE-2025-52530.patch
rename to SOURCES/CVE-2024-52530.patch
diff --git a/SOURCES/CVE-2025-52531.patch b/SOURCES/CVE-2024-52531.patch
similarity index 100%
rename from SOURCES/CVE-2025-52531.patch
rename to SOURCES/CVE-2024-52531.patch
diff --git a/SOURCES/CVE-2025-52532.patch b/SOURCES/CVE-2024-52532.patch
similarity index 100%
rename from SOURCES/CVE-2025-52532.patch
rename to SOURCES/CVE-2024-52532.patch
diff --git a/SOURCES/CVE-2025-2784.patch b/SOURCES/CVE-2025-2784.patch
new file mode 100644
index 0000000..726abb9
--- /dev/null
+++ b/SOURCES/CVE-2025-2784.patch
@@ -0,0 +1,48 @@
+From b7213fc6c639b5ca6c91e215aee18cea36d9dc95 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis
+Date: Tue, 18 Feb 2025 14:29:50 -0600
+Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
+
+---
+ libsoup/soup-content-sniffer.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index 698d05e4..3fb29adf 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ }
+
+ static gboolean
+-skip_insignificant_space (const char *resource, int *pos, int resource_length)
++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
+ {
++ if (*pos >= resource_length)
++ return TRUE;
++
+ while ((resource[*pos] == '\x09') ||
+ (resource[*pos] == '\x20') ||
+ (resource[*pos] == '\x0A') ||
+@@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ {
+ const char *resource = (const char *)buffer->data;
+ int resource_length = MIN (512, buffer->length);
+- int pos = 0;
++ gsize pos = 0;
+
+ if (resource_length < 3)
+ goto text_html;
+@@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ pos = 3;
+
+ look_for_tag:
+- if (pos > resource_length)
+- goto text_html;
+-
+ if (skip_insignificant_space (resource, &pos, resource_length))
+ goto text_html;
+
+--
+2.49.0
+
diff --git a/SOURCES/CVE-2025-32049.patch b/SOURCES/CVE-2025-32049.patch
new file mode 100644
index 0000000..fa17d1f
--- /dev/null
+++ b/SOURCES/CVE-2025-32049.patch
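Review bot: In CVE-2025-2784.patch, the guard added at the top of skip_insignificant_space() protects only the first read of `resource[*pos]`; the loop body lies outside the hunk, so confirm that the bound is re-checked with `>=` (not `>`) after each increment and before the next read. In sniff_feed_or_html the context line `int resource_length = MIN (512, buffer->length);` keeps a signed length while `pos` becomes `gsize`, so any remaining comparisons between the two in that function now mix signedness. Declaring it as `gsize resource_length = MIN (512, buffer->length);` would match the new prototype, provided the uses outside the hunk allow it.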
@@ -0,0 +1,30 @@
+From 6ec7c5be50b48d6ce0a09aa3468f2c5725406a97 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Wed, 21 May 2025 10:42:51 -0500
+Subject: [PATCH] Add size limit for total message size
+
+This size limit could break applications, but it will close the denial
+of service issue.
+---
+ libsoup/soup-websocket-connection.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
+index 36524d04..f8764aff 100644
+--- a/libsoup/soup-websocket-connection.c
++++ b/libsoup/soup-websocket-connection.c
+@@ -913,6 +913,11 @@ process_contents (SoupWebsocketConnection *self,
+ switch (pv->message_opcode) {
+ case 0x01:
+ case 0x02:
++ /* Safety valve */
++ if (pv->message_data->len + payload_len > pv->max_incoming_payload_size) {
++ too_big_error_and_close (self, (pv->message_data->len + payload_len));
++ return;
++ }
+ g_byte_array_append (pv->message_data, payload, payload_len);
+ break;
+ default:
+--
+2.49.0
+
diff --git a/SOURCES/CVE-2025-32914.patch b/SOURCES/CVE-2025-32914.patch
new file mode 100644
index 0000000..39c1679
--- /dev/null
+++ b/SOURCES/CVE-2025-32914.patch
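Review bot: In CVE-2025-32049.patch, the new total-size check in process_contents() compares against `pv->max_incoming_payload_size` without testing it for zero, so if that setting uses 0 to mean "no limit" (as the upstream property documentation describes), every non-empty data frame would now be rejected as too big. Guarding it as `if (pv->max_incoming_payload_size > 0 && pv->message_data->len + payload_len > pv->max_incoming_payload_size) {` keeps the unlimited setting working. The `/* Safety valve */` comment would be more useful if it said what is bounded, for example `/* Cap the reassembled message, not just each frame, so fragments cannot accumulate without limit */`. process_contents() starts and ends outside the hunk.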
@@ -0,0 +1,30 @@
+From 51c25f470f85b485818c253718594a4d59b39931 Mon Sep 17 00:00:00 2001
+From: Milan Crha
+Date: Tue, 15 Apr 2025 09:03:00 +0200
+Subject: [PATCH] multipart: Fix read out of buffer bounds under
+ soup_multipart_new_from_message()
+
+This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
+of the body argument.
+
+Closes #436
+---
+ libsoup/soup-multipart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index a7e550f1..dd939739 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ return NULL;
+ }
+
+- split = strstr (start, "\r\n\r\n");
++ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
+ if (!split || split > end) {
+ soup_multipart_free (multipart);
+ soup_buffer_free (flattened);
+--
+2.49.0
+
diff --git a/SOURCES/CVE-2025-4948.patch b/SOURCES/CVE-2025-4948.patch
new file mode 100644
index 0000000..128d926
--- /dev/null
+++ b/SOURCES/CVE-2025-4948.patch
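Review bot: In CVE-2025-32914.patch, `g_strstr_len()` treats a negative length as "search up to the NUL terminator", so the bounded search in soup_multipart_new_from_message() silently falls back to the old `strstr()` behaviour if `body_end - start` is ever negative. Both `start` and `body_end` are assigned outside the hunk, so it should be confirmed that `start <= body_end` holds on every path reaching this line, or the input rejected through the same cleanup path when it does not. A short comment on the call, such as `/* bounded: only start..body_end may be read */`, would record why the length argument matters.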
@@ -0,0 +1,30 @@
+From 592db079bc2dfea75708751ed0b7533ac9fd36df Mon Sep 17 00:00:00 2001
+From: Milan Crha
+Date: Thu, 15 May 2025 17:49:11 +0200
+Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body
+
+It could happen that the boundary started at a place which resulted into
+a negative number, which in an unsigned integer is a very large value.
+Check the body size is not a negative value before setting it.
+
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
+---
+ libsoup/soup-multipart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index dd939739..ce2fc109 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ */
+ part_body = soup_buffer_new_subbuffer (flattened,
+ split - flattened->data,
+- end - 2 - split);
++ end - 2 >= split ? end - 2 - split : 0);
+ g_ptr_array_add (multipart->bodies, part_body);
+
+ start = end;
+--
+2.49.0
+
diff --git a/SOURCES/fix-ssl-test.patch b/SOURCES/fix-ssl-test.patch
new file mode 100644
index 0000000..97d4ae7
--- /dev/null
+++ b/SOURCES/fix-ssl-test.patch
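Review bot: In CVE-2025-4948.patch, clamping the length to 0 in the `soup_buffer_new_subbuffer()` call makes a body with `end - 2 < split` parse as an empty part instead of being rejected. The commit message attributes the negative size to where the boundary started, which looks like malformed input; the `!split || split > end` path visible in CVE-2025-32914.patch frees `multipart` and `flattened` and returns NULL, and handling this case the same way would avoid returning a part the sender never delimited correctly. If the lenient result is intended, a comment on the ternary such as `/* boundary overlaps the header terminator: treat as an empty body */` would record that. The function continues outside the hunk.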
@@ -0,0 +1,123 @@
+From c720f9c696b3b39d8c386abf8c8a9ddad447cda0 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos
+Date: Wed, 9 Sep 2020 14:44:25 +0200
+Subject: [PATCH 1/2] tests: fix SSL test with glib-networking >= 2.65.90
+
+To make SSL tests fail with our testing certificate we create and empty
+GTlsDatabase passing /dev/null to g_tls_file_database_new(). This no
+longer works with newer glib-networking, since an empty file is
+considered an error by gnutls and
+g_tls_file_database_gnutls_populate_trust_list() now handles gnutls
+errors properly. Instead, we can just use the system CA file that won't
+contain our testing certificate for sure.
+
+Fixes #201
+---
+ tests/ssl-test.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/tests/ssl-test.c b/tests/ssl-test.c
+index 735ba416..2c93ca85 100644
+--- a/tests/ssl-test.c
++++ b/tests/ssl-test.c
+@@ -3,7 +3,6 @@
+ #include "test-utils.h"
+
+ SoupURI *uri;
+-GTlsDatabase *null_tlsdb;
+
+ static void
+ do_properties_test_for_session (SoupSession *session)
+@@ -37,7 +36,7 @@ do_async_properties_tests (void)
+
+ session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL);
+ g_object_set (G_OBJECT (session),
+- SOUP_SESSION_TLS_DATABASE, null_tlsdb,
++ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ SOUP_SESSION_SSL_STRICT, FALSE,
+ NULL);
+ do_properties_test_for_session (session);
+@@ -53,7 +52,7 @@ do_sync_properties_tests (void)
+
+ session = soup_test_session_new (SOUP_TYPE_SESSION_SYNC, NULL);
+ g_object_set (G_OBJECT (session),
+- SOUP_SESSION_TLS_DATABASE, null_tlsdb,
++ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ SOUP_SESSION_SSL_STRICT, FALSE,
+ NULL);
+ do_properties_test_for_session (session);
+@@ -106,7 +105,7 @@ do_strictness_test (gconstpointer data)
+ }
+ if (!test->with_ca_list) {
+ g_object_set (G_OBJECT (session),
+- SOUP_SESSION_TLS_DATABASE, null_tlsdb,
++ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ NULL);
+ }
+
+@@ -433,7 +432,6 @@ main (int argc, char **argv)
+ {
+ SoupServer *server = NULL;
+ int i, ret;
+- GError *error = NULL;
+
+ test_init (argc, argv, NULL);
+
+@@ -441,9 +439,6 @@ main (int argc, char **argv)
+ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ soup_server_add_handler (server, NULL, server_handler, NULL, NULL);
+ uri = soup_test_server_get_uri (server, "https", "127.0.0.1");
+-
+- null_tlsdb = g_tls_file_database_new ("/dev/null", &error);
+- g_assert_no_error (error);
+ } else
+ uri = NULL;
+
+@@ -463,7 +458,6 @@ main (int argc, char **argv)
+ if (tls_available) {
+ soup_uri_free (uri);
+ soup_test_server_quit_unref (server);
+- g_object_unref (null_tlsdb);
+ }
+
+ test_cleanup ();
+--
+2.43.5
+
+
+From 0fbc7e8220c32f4848d6f1407efe81cc13ab18ef Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Sat, 18 Jan 2025 01:20:24 -0600
+Subject: [PATCH 2/2] Add workaround for flaky ssl-test connection failures
+
+---
+ tests/ssl-test.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/tests/ssl-test.c b/tests/ssl-test.c
+index 2c93ca85..1b48c6aa 100644
+--- a/tests/ssl-test.c
++++ b/tests/ssl-test.c
+@@ -348,6 +348,19 @@ got_connection (GThreadedSocketService *service,
+ g_clear_error (&error);
+ }
+
++ // Work around a race condition where do_tls_interaction_test's call to
++ // soup_session_send_message() fails due to the server having closed the
++ // connection:
++ //
++ // ERROR:../tests/ssl-test.c:405:do_tls_interaction_test: Unexpected status 7 Connection terminated unexpectedly (expected 200 OK)
++ //
++ // This bug is already fixed upstream, so no sense in spending a bunch
++ // of time trying to find a proper fix.
++ //
++ // I'm not certain, but I suspect it's fixed by:
++ // https://gitlab.gnome.org/GNOME/libsoup/-/commit/bd6de90343839125bd07c43c97e1000deb0b40c3
++ sleep (1);
++
+ g_io_stream_close (tls, NULL, &error);
+ g_assert_no_error (error);
+
+--
+2.43.5
+
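Review bot: In fix-ssl-test.patch (patch 2/2), the workaround in got_connection() calls `sleep (1);`, but neither patch in the file adds `#include <unistd.h>` and the only include visible in the hunks is "test-utils.h"; unless that header already brings it in, the call relies on an implicit declaration. `g_usleep (G_USEC_PER_SEC);` gives the same delay through GLib, which the test already uses. The fixed one-second wait only narrows the race described in the comment rather than removing it, so the test can still fail on a loaded builder.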
diff --git a/SOURCES/server-test-timeouts.patch b/SOURCES/server-test-timeouts.patch
new file mode 100644
index 0000000..b4d334d
--- /dev/null
+++ b/SOURCES/server-test-timeouts.patch
@@ -0,0 +1,44 @@
+From 9ff306aa714efd06ceeafacee03298a3665055b1 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Wed, 30 Apr 2025 14:13:41 -0500
+Subject: [PATCH] test-utils: fix deadlock in add_listener_in_thread()
+
+The mutex is locked in the wrong place here.
+
+Hopefully fixes #379
+---
+ tests/test-utils.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test-utils.c b/tests/test-utils.c
+index df4cee44..5c1e316c 100644
+--- a/tests/test-utils.c
++++ b/tests/test-utils.c
+@@ -607,9 +607,11 @@ static gboolean
+ add_listener_in_thread (gpointer user_data)
+ {
+ AddListenerData *data = user_data;
++ SoupURI *uri;
+
+- data->uri = add_listener (data->server, data->scheme, data->host);
++ uri = add_listener (data->server, data->scheme, data->host);
+ g_mutex_lock (&data->mutex);
++ data->uri = uri;
+ g_cond_signal (&data->cond);
+ g_mutex_unlock (&data->mutex);
+
+@@ -641,9 +643,9 @@ soup_test_server_get_uri (SoupServer *server,
+ data.host = host;
+ data.uri = NULL;
+
+- g_mutex_lock (&data.mutex);
+ soup_add_completion (context, add_listener_in_thread, &data);
+
++ g_mutex_lock (&data.mutex);
+ while (!data.uri)
+ g_cond_wait (&data.cond, &data.mutex);
+
+--
+GitLab
+
+
diff --git a/SPECS/libsoup.spec b/SPECS/libsoup.spec
index 06eb861..9809e3a 100644
--- a/SPECS/libsoup.spec
+++ b/SPECS/libsoup.spec
@@ -2,7 +2,7 @@ Name: libsoup Version: 2.62.3 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Soup, an HTTP library implementation License: LGPLv2
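Review bot: In server-test-timeouts.patch, soup_test_server_get_uri() still waits on `while (!data.uri)`, so the result pointer doubles as the completion flag: if `add_listener()` ever returns NULL, add_listener_in_thread() signals once and the waiter blocks forever. Whether add_listener() can return NULL is not visible in these hunks. If it can, a separate `gboolean done` field in AddListenerData, set under the mutex next to `data->uri = uri;` and tested as `while (!data.done)`, would turn that case into a NULL result instead of a hang. Both functions and the struct definition extend beyond the hunks shown.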
@@ -14,9 +14,9 @@ Patch0002: 0002-WebSockets-allow-null-characters-in-text-messages-da.patch Patch0003: 0003-WebSockets-only-poll-IO-stream-when-needed.patch Patch0004: 0004-ntlmv2.patch Patch0005: 0005-WebSockets-do-not-start-the-input-source-when-IO-is-closing.patch -Patch0006: CVE-2025-52530.patch -Patch0007: CVE-2025-52531.patch -Patch0008: CVE-2025-52532.patch +Patch0006: CVE-2024-52530.patch +Patch0007: CVE-2024-52531.patch +Patch0008: CVE-2024-52532.patch # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/446 Patch0009: test-cert-expiration.patch # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/415 @@ -31,6 +31,18 @@ Patch0014: CVE-2025-32911-CVE-2025-32913.patch Patch0015: CVE-2025-46420.patch # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436 Patch0016: CVE-2025-46421.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/408 (simplified) +Patch0017: CVE-2025-32049.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450 +Patch0018: CVE-2025-32914.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/issues/422 +Patch0019: CVE-2025-2784.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463 +Patch0020: CVE-2025-4948.patch +# https://issues.redhat.com/browse/RHEL-76426 +Patch0021: fix-ssl-test.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/454 +Patch0022: server-test-timeouts.patch BuildRequires: chrpath BuildRequires: glib2-devel >= %{glib2_version} @@ -105,6 +117,14 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so %{_datadir}/vala/vapi/libsoup-2.4.vapi %changelog +* Thu May 22 2025 Michael Catanzaro - 2.62.3-9 +- Add patches to improve test reliability +- Backport patches for various CVEs + Resolves: RHEL-85879 + Resolves: RHEL-92280 + Resolves: RHEL-93031 + Resolves: RHEL-93032 + * Thu May 01 2025 Michael Catanzaro - 2.62.3-8 - Backport patches for various CVEs, plus test improvements Resolves: RHEL-85887