From 1f226ca75ec0b2fc9151848e246a3539f19e0ad7 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 10 Feb 2026 06:44:11 +0000 Subject: [PATCH] import OL libsoup-2.72.0-12.el9_7.5 --- SOURCES/CVE-2026-0719.patch | 102 +++++++++++++++++++++++++++++ SOURCES/CVE-2026-1761.patch | 32 +++++++++ SOURCES/no-ntlm-in-fips-mode.patch | 97 +++++++++++++++++++++++++++ SPECS/libsoup.spec | 16 ++++- 4 files changed, 246 insertions(+), 1 deletion(-) create mode 100644 SOURCES/CVE-2026-0719.patch create mode 100644 SOURCES/CVE-2026-1761.patch create mode 100644 SOURCES/no-ntlm-in-fips-mode.patch diff --git a/SOURCES/CVE-2026-0719.patch b/SOURCES/CVE-2026-0719.patch new file mode 100644 index 0000000..f1e36ae --- /dev/null +++ b/SOURCES/CVE-2026-0719.patch @@ -0,0 +1,102 @@ +From a7c24b42bda9db562cc54dca7ab1e5791fb5b07d Mon Sep 17 00:00:00 2001 +From: Mike Gorse +Date: Thu, 8 Jan 2026 16:19:37 -0600 +Subject: [PATCH] soup-auth-ntlm: Reject excessively long passwords + +According to +https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/ntlm-user-authentication, +the practical limit for a NTLM password is 128 Unicode characters, so it +should be safe to reject passwords longer than 256 bytes. Previously, +md4sum could overflow and cause an out-of-bounds memory access if an +extremely long password was provided. Also update md4sum to use unsigned +variables for size-related calculations, as a precaution. + +This is CVE-2026-0719. + +Closes #477. +--- + libsoup/soup-auth-ntlm.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c +index a4465ada..64eedc64 100644 +--- a/libsoup/soup-auth-ntlm.c ++++ b/libsoup/soup-auth-ntlm.c +@@ -349,6 +349,14 @@ soup_auth_ntlm_update_connection (SoupConnectionAuth *auth, SoupMessage *msg, + return FALSE; + } + ++ if (priv->password_state == SOUP_NTLM_PASSWORD_PROVIDED && !priv->nt_hash[0]) { ++ /* This can happen if an excessively long password was ++ * provided, in which case we don't try to hash */ ++ conn->state = SOUP_NTLM_FAILED; ++ priv->password_state = SOUP_NTLM_PASSWORD_REJECTED; ++ return TRUE; ++ } ++ + if (!soup_ntlm_parse_challenge (auth_header + 5, &conn->nonce, + priv->domain ? NULL : &priv->domain, + &conn->ntlmv2_session, &conn->negotiate_target, +@@ -439,8 +447,10 @@ soup_auth_ntlm_authenticate (SoupAuth *auth, const char *username, + priv->username = g_strdup (username); + } + +- soup_ntlm_nt_hash (password, priv->nt_hash); +- soup_ntlm_lanmanager_hash (password, priv->lm_hash); ++ if (strlen (password) < 256) { ++ soup_ntlm_nt_hash (password, priv->nt_hash); ++ soup_ntlm_lanmanager_hash (password, priv->lm_hash); ++ } + + priv->password_state = SOUP_NTLM_PASSWORD_PROVIDED; + } +@@ -606,7 +616,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class) + } + + static void md4sum (const unsigned char *in, +- int nbytes, ++ size_t nbytes, + unsigned char digest[16]); + + typedef guint32 DES_KS[16][2]; /* Single-key DES key schedule */ +@@ -652,7 +662,7 @@ soup_ntlm_nt_hash (const char *password, guchar hash[21]) + { + unsigned char *buf, *p; + +- p = buf = g_malloc (strlen (password) * 2); ++ p = buf = g_malloc_n (strlen (password), 2); + + while (*password) { + *p++ = *password++; +@@ -1091,15 +1101,16 @@ calc_response (const guchar *key, const guchar *plaintext, guchar *results) + #define ROT(val, n) ( ((val) << (n)) | ((val) >> (32 - (n))) ) + + static void +-md4sum (const unsigned char *in, int nbytes, unsigned char digest[16]) ++md4sum (const unsigned char *in, size_t nbytes, unsigned char digest[16]) + { + unsigned char *M; + guint32 A, B, C, D, AA, BB, CC, DD, X[16]; +- int pbytes, nbits = nbytes * 8, i, j; ++ size_t pbytes, nbits = nbytes * 8; ++ int i, j; + + /* There is *always* padding of at least one bit. */ + pbytes = ((119 - (nbytes % 64)) % 64) + 1; +- M = alloca (nbytes + pbytes + 8); ++ M = g_malloc (nbytes + pbytes + 8); + memcpy (M, in, nbytes); + memset (M + nbytes, 0, pbytes + 8); + M[nbytes] = 0x80; +@@ -1199,6 +1210,8 @@ md4sum (const unsigned char *in, int nbytes, unsigned char digest[16]) + digest[13] = (D >> 8) & 0xFF; + digest[14] = (D >> 16) & 0xFF; + digest[15] = (D >> 24) & 0xFF; ++ ++ g_free (M); + } + + +-- +2.52.0 + diff --git a/SOURCES/CVE-2026-1761.patch b/SOURCES/CVE-2026-1761.patch new file mode 100644 index 0000000..bf07d4a --- /dev/null +++ b/SOURCES/CVE-2026-1761.patch @@ -0,0 +1,32 @@ +From 2574e765b5d74caa642d1bf4714da1f035a55e76 Mon Sep 17 00:00:00 2001 +From: Carlos Garcia Campos +Date: Mon, 19 Jan 2026 15:14:58 +0100 +Subject: [PATCH] multipart: check length of bytes read + soup_filter_input_stream_read_until() + +We do make sure the read length is smaller than the buffer length when +the boundary is not found, but we should do the same when the boundary +is found. + +Spotted in #YWH-PGM9867-149 +Closes #493 +--- + libsoup/soup-filter-input-stream.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c +index 2c30bf98..d46bff20 100644 +--- a/libsoup/soup-filter-input-stream.c ++++ b/libsoup/soup-filter-input-stream.c +@@ -272,6 +272,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream, + if (eof && !*got_boundary) + read_length = MIN (fstream->priv->buf->len, length); + else +- read_length = p - buf; ++ read_length = MIN ((gsize)(p - buf), length); ++ + return read_from_buf (fstream, buffer, read_length); + } +-- +2.52.0 + diff --git a/SOURCES/no-ntlm-in-fips-mode.patch b/SOURCES/no-ntlm-in-fips-mode.patch new file mode 100644 index 0000000..12c3428 --- /dev/null +++ b/SOURCES/no-ntlm-in-fips-mode.patch @@ -0,0 +1,97 @@ +From 3f6f16cc35f3f550bea0eb378dd7bf57cede8f9d Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 29 Jan 2026 15:06:17 -0600 +Subject: [PATCH] Disable NTLM auth and tests in FIPS mode + +This is a downstream Fedora/RHEL-ecosystem patch. Upstream GHmac +supports MD5 unconditionally, but in Fedora/RHEL trying to use MD5 HMAC +will crash if FIPS mode is enabled due to the glib2 package's +gnutls-hmac.patch, which I have thus far failed to upstream. This isn't +great, but it looks like finding an upstream solution will be difficult, +so we'll just have to carry this patch for now. + +https://gitlab.gnome.org/GNOME/glib/merge_requests/897 +--- + libsoup/soup-auth-ntlm.c | 12 ++++++++++++ + tests/ntlm-test.c | 21 +++++++++++++++++++++ + 2 files changed, 33 insertions(+) + +diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c +index 2d078461..a4465ada 100644 +--- a/libsoup/soup-auth-ntlm.c ++++ b/libsoup/soup-auth-ntlm.c +@@ -445,6 +445,17 @@ soup_auth_ntlm_authenticate (SoupAuth *auth, const char *username, + priv->password_state = SOUP_NTLM_PASSWORD_PROVIDED; + } + ++static gboolean ++soup_auth_ntlm_can_authenticate (SoupAuth *auth) ++{ ++ GHmac *hmac = g_hmac_new (G_CHECKSUM_MD5, (const unsigned char *)"abc123", sizeof ("abc123")); ++ if (hmac) { ++ g_hmac_unref (hmac); ++ return TRUE; ++ } ++ return FALSE; ++} ++ + static gboolean + soup_auth_ntlm_is_authenticated (SoupAuth *auth) + { +@@ -577,6 +588,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class) + + auth_class->get_protection_space = soup_auth_ntlm_get_protection_space; + auth_class->authenticate = soup_auth_ntlm_authenticate; ++ auth_class->can_authenticate = soup_auth_ntlm_can_authenticate; + auth_class->is_authenticated = soup_auth_ntlm_is_authenticated; + + connauth_class->create_connection_state = soup_auth_ntlm_create_connection_state; +diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c +index dcacd74e..ba3f633e 100644 +--- a/tests/ntlm-test.c ++++ b/tests/ntlm-test.c +@@ -557,6 +557,17 @@ static const NtlmTest ntlmv2_tests[] = { + { "/ntlm/v2/basic", "alice", FALSE, BUILTIN } + }; + ++static gboolean ++can_do_ntlm_test (void) ++{ ++ GHmac *hmac = g_hmac_new (G_CHECKSUM_MD5, (const unsigned char *)"abc123", sizeof ("abc123")); ++ if (hmac) { ++ g_hmac_unref (hmac); ++ return TRUE; ++ } ++ return FALSE; ++} ++ + static void + do_ntlm_test (TestServer *ts, + gconstpointer data) +@@ -564,6 +575,11 @@ do_ntlm_test (TestServer *ts, + const NtlmTest *test = data; + gboolean use_builtin_ntlm = TRUE; + ++ if (!can_do_ntlm_test ()) { ++ g_test_skip ("NTLM authentication not available (likely due to FIPS mode)"); ++ return; ++ } ++ + switch (test->ntlm_type) { + case BUILTIN: + /* Built-in NTLM auth support. (We set SOUP_NTLM_AUTH_DEBUG to +@@ -639,6 +655,11 @@ do_retrying_test (TestServer *ts, + + g_test_bug ("693222"); + ++ if (!can_do_ntlm_test ()) { ++ g_test_skip ("NTLM authentication not available (likely due to FIPS mode)"); ++ return; ++ } ++ + g_setenv ("SOUP_NTLM_AUTH_DEBUG", "", TRUE); + + debug_printf (1, " /alice\n"); +-- +2.52.0 + diff --git a/SPECS/libsoup.spec b/SPECS/libsoup.spec index dd3cb14..b10aa5c 100644 --- a/SPECS/libsoup.spec +++ b/SPECS/libsoup.spec @@ -5,13 +5,16 @@ Name: libsoup Version: 2.72.0 -Release: 12%{?dist}.3 +Release: 12%{?dist}.5 Summary: Soup, an HTTP library implementation License: LGPLv2 URL: https://wiki.gnome.org/Projects/libsoup Source0: https://download.gnome.org/sources/%{name}/2.72/%{name}-%{version}.tar.xz +# Downstream patch, needed due to glib2 gnutls-hmac.patch +Patch: no-ntlm-in-fips-mode.patch + # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/426 Patch: test-timeouts.patch # https://issues.redhat.com/browse/RHEL-76426 @@ -54,6 +57,10 @@ Patch: CVE-2025-4948.patch Patch: CVE-2025-4945-CVE-2025-11021.patch # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/491 Patch: CVE-2025-14523.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494 +Patch: CVE-2026-0719.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/496 +Patch: CVE-2026-1761.patch BuildRequires: gettext BuildRequires: glib2-devel >= %{glib2_version} @@ -158,6 +165,13 @@ This package contains developer documentation for %{name}. %endif %changelog +* Mon Feb 02 2026 Michael Catanzaro - 2.72.0-12.5 +- Backport patch for CVE-2026-1761 + +* Fri Jan 30 2026 Michael Catanzaro - 2.72.0-12.4 +- Backport patch for CVE-2026-0719 +- Fix NTLM authentication test failures in FIPS mode + * Thu Jan 08 2026 Michael Catanzaro - 2.72.0-12.3 - Fix patch for CVE-2025-14523 to handle comparison case-insensitively