import OL libsoup-2.72.0-12.el9_7.5

2026-02-10 06:44:11 +00:00 · 2026-02-10 06:44:11 +00:00 · 1f226ca75e
commit 1f226ca75e
parent 8ac0b4e891
4 changed files with 246 additions and 1 deletions
--- a/SOURCES/CVE-2026-0719.patch
+++ b/SOURCES/CVE-2026-0719.patch
@ -0,0 +1,102 @@
+From a7c24b42bda9db562cc54dca7ab1e5791fb5b07d Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Thu, 8 Jan 2026 16:19:37 -0600
+Subject: [PATCH] soup-auth-ntlm: Reject excessively long passwords
+
+According to
+https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/ntlm-user-authentication,
+the practical limit for a NTLM password is 128 Unicode characters, so it
+should be safe to reject passwords longer than 256 bytes. Previously,
+md4sum could overflow and cause an out-of-bounds memory access if an
+extremely long password was provided. Also update md4sum to use unsigned
+variables for size-related calculations, as a precaution.
+
+This is CVE-2026-0719.
+
+Closes #477.
+---
+ libsoup/soup-auth-ntlm.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
+index a4465ada..64eedc64 100644
+--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
+@@ -349,6 +349,14 @@ soup_auth_ntlm_update_connection (SoupConnectionAuth *auth, SoupMessage *msg,
+ 		return FALSE;
+ 	}
+ 
+	if (priv->password_state == SOUP_NTLM_PASSWORD_PROVIDED && !priv->nt_hash[0]) {
+		/* This can happen if an excessively long password was
+		 * provided, in which case we don't try to hash */
+		conn->state = SOUP_NTLM_FAILED;
+		priv->password_state = SOUP_NTLM_PASSWORD_REJECTED;
+		return TRUE;
+	}
+
+ 	if (!soup_ntlm_parse_challenge (auth_header + 5, &conn->nonce,
+ 					priv->domain ? NULL : &priv->domain,
+ 					&conn->ntlmv2_session, &conn->negotiate_target,
+@@ -439,8 +447,10 @@ soup_auth_ntlm_authenticate (SoupAuth *auth, const char *username,
+ 		priv->username = g_strdup (username);
+ 	}
+ 
+-	soup_ntlm_nt_hash (password, priv->nt_hash);
+-	soup_ntlm_lanmanager_hash (password, priv->lm_hash);
+	if (strlen (password) < 256) {
+		soup_ntlm_nt_hash (password, priv->nt_hash);
+		soup_ntlm_lanmanager_hash (password, priv->lm_hash);
+	}
+ 
+ 	priv->password_state = SOUP_NTLM_PASSWORD_PROVIDED;
+ }
+@@ -606,7 +616,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class)
+ }
+ 
+ static void md4sum                (const unsigned char *in, 
+-				   int                  nbytes, 
+				   size_t               nbytes,
+ 				   unsigned char        digest[16]);
+ 
+ typedef guint32 DES_KS[16][2]; /* Single-key DES key schedule */
+@@ -652,7 +662,7 @@ soup_ntlm_nt_hash (const char *password, guchar hash[21])
+ {
+ 	unsigned char *buf, *p;
+ 
+-	p = buf = g_malloc (strlen (password) * 2);
+	p = buf = g_malloc_n (strlen (password), 2);
+ 
+ 	while (*password) {
+ 		*p++ = *password++;
+@@ -1091,15 +1101,16 @@ calc_response (const guchar *key, const guchar *plaintext, guchar *results)
+ #define ROT(val, n) ( ((val) << (n)) | ((val) >> (32 - (n))) )
+ 
+ static void
+-md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
+md4sum (const unsigned char *in, size_t nbytes, unsigned char digest[16])
+ {
+ 	unsigned char *M;
+ 	guint32 A, B, C, D, AA, BB, CC, DD, X[16];
+-	int pbytes, nbits = nbytes * 8, i, j;
+	size_t pbytes, nbits = nbytes * 8;
+	int i, j;
+ 
+ 	/* There is *always* padding of at least one bit. */
+ 	pbytes = ((119 - (nbytes % 64)) % 64) + 1;
+-	M = alloca (nbytes + pbytes + 8);
+	M = g_malloc (nbytes + pbytes + 8);
+ 	memcpy (M, in, nbytes);
+ 	memset (M + nbytes, 0, pbytes + 8);
+ 	M[nbytes] = 0x80;
+@@ -1199,6 +1210,8 @@ md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
+ 	digest[13] = (D >>  8) & 0xFF;
+ 	digest[14] = (D >> 16) & 0xFF;
+ 	digest[15] = (D >> 24) & 0xFF;
+
+	g_free (M);
+ }
+ 
+ 
+-- 
+2.52.0
+
--- a/SOURCES/CVE-2026-1761.patch
+++ b/SOURCES/CVE-2026-1761.patch
@ -0,0 +1,32 @@
+From 2574e765b5d74caa642d1bf4714da1f035a55e76 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <cgarcia@igalia.com>
+Date: Mon, 19 Jan 2026 15:14:58 +0100
+Subject: [PATCH] multipart: check length of bytes read
+ soup_filter_input_stream_read_until()
+
+We do make sure the read length is smaller than the buffer length when
+the boundary is not found, but we should do the same when the boundary
+is found.
+
+Spotted in #YWH-PGM9867-149
+Closes #493
+---
+ libsoup/soup-filter-input-stream.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c
+index 2c30bf98..d46bff20 100644
+--- a/libsoup/soup-filter-input-stream.c
+++ b/libsoup/soup-filter-input-stream.c
+@@ -272,6 +272,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream  *fstream,
+ 	if (eof && !*got_boundary)
+ 		read_length = MIN (fstream->priv->buf->len, length);
+ 	else
+-		read_length = p - buf;
+                read_length = MIN ((gsize)(p - buf), length);
+
+ 	return read_from_buf (fstream, buffer, read_length);
+ }
+-- 
+2.52.0
+
--- a/SOURCES/no-ntlm-in-fips-mode.patch
+++ b/SOURCES/no-ntlm-in-fips-mode.patch
@ -0,0 +1,97 @@
+From 3f6f16cc35f3f550bea0eb378dd7bf57cede8f9d Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Thu, 29 Jan 2026 15:06:17 -0600
+Subject: [PATCH] Disable NTLM auth and tests in FIPS mode
+
+This is a downstream Fedora/RHEL-ecosystem patch. Upstream GHmac
+supports MD5 unconditionally, but in Fedora/RHEL trying to use MD5 HMAC
+will crash if FIPS mode is enabled due to the glib2 package's
+gnutls-hmac.patch, which I have thus far failed to upstream. This isn't
+great, but it looks like finding an upstream solution will be difficult,
+so we'll just have to carry this patch for now.
+
+https://gitlab.gnome.org/GNOME/glib/merge_requests/897
+---
+ libsoup/soup-auth-ntlm.c | 12 ++++++++++++
+ tests/ntlm-test.c        | 21 +++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
+index 2d078461..a4465ada 100644
+--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
+@@ -445,6 +445,17 @@ soup_auth_ntlm_authenticate (SoupAuth *auth, const char *username,
+ 	priv->password_state = SOUP_NTLM_PASSWORD_PROVIDED;
+ }
+ 
+static gboolean
+soup_auth_ntlm_can_authenticate (SoupAuth *auth)
+{
+	GHmac *hmac = g_hmac_new (G_CHECKSUM_MD5, (const unsigned char *)"abc123", sizeof ("abc123"));
+	if (hmac) {
+		g_hmac_unref (hmac);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+ static gboolean
+ soup_auth_ntlm_is_authenticated (SoupAuth *auth)
+ {
+@@ -577,6 +588,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class)
+ 
+ 	auth_class->get_protection_space = soup_auth_ntlm_get_protection_space;
+ 	auth_class->authenticate = soup_auth_ntlm_authenticate;
+	auth_class->can_authenticate = soup_auth_ntlm_can_authenticate;
+ 	auth_class->is_authenticated = soup_auth_ntlm_is_authenticated;
+ 
+ 	connauth_class->create_connection_state = soup_auth_ntlm_create_connection_state;
+diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c
+index dcacd74e..ba3f633e 100644
+--- a/tests/ntlm-test.c
+++ b/tests/ntlm-test.c
+@@ -557,6 +557,17 @@ static const NtlmTest ntlmv2_tests[] = {
+ 	{ "/ntlm/v2/basic", "alice", FALSE, BUILTIN }
+ };
+ 
+static gboolean
+can_do_ntlm_test (void)
+{
+	GHmac *hmac = g_hmac_new (G_CHECKSUM_MD5, (const unsigned char *)"abc123", sizeof ("abc123"));
+	if (hmac) {
+		g_hmac_unref (hmac);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+ static void
+ do_ntlm_test (TestServer *ts,
+ 	      gconstpointer data)
+@@ -564,6 +575,11 @@ do_ntlm_test (TestServer *ts,
+ 	const NtlmTest *test = data;
+ 	gboolean use_builtin_ntlm = TRUE;
+ 
+	if (!can_do_ntlm_test ()) {
+		g_test_skip ("NTLM authentication not available (likely due to FIPS mode)");
+		return;
+	}
+
+ 	switch (test->ntlm_type) {
+ 	case BUILTIN:
+ 		/* Built-in NTLM auth support. (We set SOUP_NTLM_AUTH_DEBUG to
+@@ -639,6 +655,11 @@ do_retrying_test (TestServer *ts,
+ 
+ 	g_test_bug ("693222");
+ 
+	if (!can_do_ntlm_test ()) {
+		g_test_skip ("NTLM authentication not available (likely due to FIPS mode)");
+		return;
+	}
+
+ 	g_setenv ("SOUP_NTLM_AUTH_DEBUG", "", TRUE);
+ 
+ 	debug_printf (1, "  /alice\n");
+-- 
+2.52.0
+
--- a/SPECS/libsoup.spec
+++ b/SPECS/libsoup.spec
@ -5,13 +5,16 @@

 Name: libsoup
 Version: 2.72.0
-Release: 12%{?dist}.3
+Release: 12%{?dist}.5
 Summary: Soup, an HTTP library implementation

 License: LGPLv2
 URL: https://wiki.gnome.org/Projects/libsoup
 Source0: https://download.gnome.org/sources/%{name}/2.72/%{name}-%{version}.tar.xz

+# Downstream patch, needed due to glib2 gnutls-hmac.patch
+Patch:   no-ntlm-in-fips-mode.patch
+
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/426
 Patch: test-timeouts.patch
 # https://issues.redhat.com/browse/RHEL-76426
@ -54,6 +57,10 @@ Patch: CVE-2025-4948.patch
 Patch: CVE-2025-4945-CVE-2025-11021.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/491
 Patch: CVE-2025-14523.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494
+Patch: CVE-2026-0719.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/496
+Patch: CVE-2026-1761.patch

 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
@ -158,6 +165,13 @@ This package contains developer documentation for %{name}.
 %endif

 %changelog
+* Mon Feb 02 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 2.72.0-12.5
+- Backport patch for CVE-2026-1761
+
+* Fri Jan 30 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 2.72.0-12.4
+- Backport patch for CVE-2026-0719
+- Fix NTLM authentication test failures in FIPS mode
+
 * Thu Jan 08 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 2.72.0-12.3
 - Fix patch for CVE-2025-14523 to handle comparison case-insensitively