From 732e58f75d0d1985b499643091e2a91a1a1ac628 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 13 May 2025 15:06:20 +0000 Subject: [PATCH] import UBI libsoup-2.72.0-10.el9_6.1 --- SOURCES/CVE-2025-32050.patch | 25 ++++ SOURCES/CVE-2025-32052.patch | 26 ++++ SOURCES/CVE-2025-32053.patch | 35 +++++ SOURCES/CVE-2025-32906.patch | 137 ++++++++++++++++++++ SOURCES/CVE-2025-32907.patch | 31 +++++ SOURCES/CVE-2025-32911-CVE-2025-32913.patch | 110 ++++++++++++++++ SOURCES/CVE-2025-46420.patch | 56 ++++++++ SOURCES/CVE-2025-46421.patch | 134 +++++++++++++++++++ SOURCES/server-test-timeouts.patch | 44 +++++++ SOURCES/test-cert-expiration.patch | 60 +++++++++ SOURCES/test-timeouts.patch | 14 ++ SPECS/libsoup.spec | 55 ++++++-- 12 files changed, 714 insertions(+), 13 deletions(-) create mode 100644 SOURCES/CVE-2025-32050.patch create mode 100644 SOURCES/CVE-2025-32052.patch create mode 100644 SOURCES/CVE-2025-32053.patch create mode 100644 SOURCES/CVE-2025-32906.patch create mode 100644 SOURCES/CVE-2025-32907.patch create mode 100644 SOURCES/CVE-2025-32911-CVE-2025-32913.patch create mode 100644 SOURCES/CVE-2025-46420.patch create mode 100644 SOURCES/CVE-2025-46421.patch create mode 100644 SOURCES/server-test-timeouts.patch create mode 100644 SOURCES/test-cert-expiration.patch create mode 100644 SOURCES/test-timeouts.patch diff --git a/SOURCES/CVE-2025-32050.patch b/SOURCES/CVE-2025-32050.patch new file mode 100644 index 0000000..e189bb6 --- /dev/null +++ b/SOURCES/CVE-2025-32050.patch @@ -0,0 +1,25 @@ +From 9bb0a55de55c6940ced811a64fbca82fe93a9323 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 28 Oct 2024 12:29:48 -0500 +Subject: [PATCH] Fix using int instead of size_t for strcspn return + +--- + libsoup/soup-headers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 613e1905..a5f7a7f6 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -907,7 +907,7 @@ append_param_quoted (GString *string, + const char *name, + const char *value) + { +- int len; ++ gsize len; + + g_string_append (string, name); + g_string_append (string, "=\""); +-- +GitLab + diff --git a/SOURCES/CVE-2025-32052.patch b/SOURCES/CVE-2025-32052.patch new file mode 100644 index 0000000..861731b --- /dev/null +++ b/SOURCES/CVE-2025-32052.patch @@ -0,0 +1,26 @@ +From 1542173d11df64e39e71367f10596e8160481290 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 16 Nov 2024 12:07:30 -0600 +Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff + +Co-Author: Ar Jun +--- + libsoup/soup-content-sniffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 967ec614..26c65bbd 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer, + guint index_pattern = 0; + gboolean skip_row = FALSE; + +- while ((index_stream < resource_length) && ++ while ((index_stream < resource_length - 1) && + (index_pattern <= type_row->pattern_length)) { + /* Skip insignificant white space ("WS" in the spec) */ + if (type_row->pattern[index_pattern] == ' ') { +-- +2.49.0 + diff --git a/SOURCES/CVE-2025-32053.patch b/SOURCES/CVE-2025-32053.patch new file mode 100644 index 0000000..92a7442 --- /dev/null +++ b/SOURCES/CVE-2025-32053.patch @@ -0,0 +1,35 @@ +From 8e1793e2ddd8c2648b9a28f06bf21fd13bd12b39 Mon Sep 17 00:00:00 2001 +From: Ar Jun +Date: Mon, 18 Nov 2024 14:59:51 -0600 +Subject: [PATCH] Fix heap buffer overflow in + soup-content-sniffer.c:sniff_feed_or_html() + +--- + libsoup/soup-content-sniffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 26c65bbd..698d05e4 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -620,7 +620,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length) + (resource[*pos] == '\x0D')) { + *pos = *pos + 1; + +- if (*pos > resource_length) ++ if (*pos >= resource_length) + return TRUE; + } + +@@ -682,7 +682,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + do { + pos++; + +- if (pos > resource_length) ++ if ((pos + 1) > resource_length) + goto text_html; + } while (resource[pos] != '>'); + +-- +2.49.0 + diff --git a/SOURCES/CVE-2025-32906.patch b/SOURCES/CVE-2025-32906.patch new file mode 100644 index 0000000..ba848a8 --- /dev/null +++ b/SOURCES/CVE-2025-32906.patch @@ -0,0 +1,137 @@ +From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 11 Feb 2025 14:36:26 -0600 +Subject: [PATCH 1/2] headers: Handle parsing edge case + +This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds. +--- + libsoup/soup-headers.c | 2 +- + tests/header-parsing-test.c | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 85385cea..9d6d00a3 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str, + !g_ascii_isdigit (version[5])) + return SOUP_STATUS_BAD_REQUEST; + major_version = strtoul (version + 5, &p, 10); +- if (*p != '.' || !g_ascii_isdigit (p[1])) ++ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1])) + return SOUP_STATUS_BAD_REQUEST; + minor_version = strtoul (p + 1, &p, 10); + version_end = p; +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 07ea2866..10ddb684 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,6 +6,10 @@ typedef struct { + const char *name, *value; + } Header; + ++static char unterminated_http_version[] = { ++ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -383,6 +387,14 @@ static struct RequestTest { + { { NULL } } + }, + ++ /* This couldn't be a C string as going one byte over would have been safe. */ ++ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", ++ unterminated_http_version, sizeof (unterminated_http_version), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } ++ }, ++ + { "Non-HTTP request", NULL, + "GET / SOUP/1.1\r\nHost: example.com\r\n", -1, + SOUP_STATUS_BAD_REQUEST, +-- +GitLab + + +From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 12 Feb 2025 11:30:02 -0600 +Subject: [PATCH 2/2] headers: Handle parsing only newlines + +Closes #404 +Closes #407 +--- + libsoup/soup-headers.c | 4 ++-- + tests/header-parsing-test.c | 13 ++++++++++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 9d6d00a3..52ef2ece 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str, + /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s) + * received where a Request-Line is expected." + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str, + * after a response, which we then see prepended to the next + * response on that connection. + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 10ddb684..4faafbd6 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,10 +6,15 @@ typedef struct { + const char *name, *value; + } Header; + ++/* These are not C strings to ensure going one byte over is not safe. */ + static char unterminated_http_version[] = { + 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.' + }; + ++static char only_newlines[] = { ++ '\n', '\n', '\n', '\n' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -387,7 +392,6 @@ static struct RequestTest { + { { NULL } } + }, + +- /* This couldn't be a C string as going one byte over would have been safe. */ + { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", + unterminated_http_version, sizeof (unterminated_http_version), + SOUP_STATUS_BAD_REQUEST, +@@ -457,6 +461,13 @@ static struct RequestTest { + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ { "Only newlines", NULL, ++ only_newlines, sizeof (only_newlines), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +-- +GitLab + diff --git a/SOURCES/CVE-2025-32907.patch b/SOURCES/CVE-2025-32907.patch new file mode 100644 index 0000000..843211f --- /dev/null +++ b/SOURCES/CVE-2025-32907.patch @@ -0,0 +1,31 @@ +From 84e601252a9ae5eafaba9cb9cb5e4bd77ca41bdb Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Tue, 15 Apr 2025 12:17:39 +0200 +Subject: [PATCH] soup-message-headers: Correct merge of ranges + +It had been skipping every second range, which generated an array +of a lot of insane ranges, causing large memory usage by the server. + +Closes #428 +--- + libsoup/soup-message-headers.c | 1 + + tests/meson.build | 1 + + tests/server-mem-limit-test.c | 144 +++++++++++++++++++++++++++++++++ + 3 files changed, 146 insertions(+) + create mode 100644 tests/server-mem-limit-test.c + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 64847e30..f612bff1 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1024,6 +1024,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs, + if (cur->start <= prev->end) { + prev->end = MAX (prev->end, cur->end); + g_array_remove_index (array, i); ++ i--; + } + } + } +-- +2.49.0 + diff --git a/SOURCES/CVE-2025-32911-CVE-2025-32913.patch b/SOURCES/CVE-2025-32911-CVE-2025-32913.patch new file mode 100644 index 0000000..d03a3cf --- /dev/null +++ b/SOURCES/CVE-2025-32911-CVE-2025-32913.patch @@ -0,0 +1,110 @@ +From f2d316341c00a343d0b46edd590efa8c102521c3 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 17:53:50 -0600 +Subject: [PATCH 1/2] soup_message_headers_get_content_disposition: Fix NULL + deref + +--- + libsoup/soup-message-headers.c | 13 +++++++++---- + tests/header-parsing-test.c | 13 +++++++++++++ + 2 files changed, 22 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 5c8c7cb9..ccf31233 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1443,10 +1443,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + */ + if (params && g_hash_table_lookup_extended (*params, "filename", + &orig_key, &orig_value)) { +- char *filename = strrchr (orig_value, '/'); +- +- if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ if (orig_value) { ++ char *filename = strrchr (orig_value, '/'); ++ ++ if (filename) ++ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ } else { ++ /* filename with no value isn't valid. */ ++ g_hash_table_remove (*params, "filename"); ++ } + } + return TRUE; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 31edfd02..9b2d00aa 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1032,6 +1032,7 @@ do_param_list_tests (void) + #define RFC5987_TEST_HEADER_UTF8 "attachment; filename*=UTF-8''t%C3%A9st.txt; filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_ISO "attachment; filename=\"test.txt\"; filename*=iso-8859-1''t%E9st.txt" + #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\"" ++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename" + + static void + do_content_disposition_tests (void) +@@ -1101,6 +1102,18 @@ do_content_disposition_tests (void) + g_assert_cmpstr (filename, ==, RFC5987_TEST_FALLBACK_FILENAME); + g_hash_table_destroy (params); + ++ /* Empty filename */ ++ soup_message_headers_clear (hdrs); ++ soup_message_headers_append (hdrs, "Content-Disposition", ++ RFC5987_TEST_HEADER_EMPTY_FILENAME); ++ if (!soup_message_headers_get_content_disposition (hdrs, ++ &disposition, ++ ¶ms)) { ++ soup_test_assert (FALSE, "empty filename decoding FAILED"); ++ return; ++ } ++ g_assert_false (g_hash_table_contains (params, "filename")); ++ g_hash_table_destroy (params); + soup_message_headers_free (hdrs); + + /* Ensure that soup-multipart always quotes filename */ +-- +2.49.0 + + +From dd3a245941f117832dd1fdda4f8bc68b44e2810d Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 18:00:39 -0600 +Subject: [PATCH 2/2] soup_message_headers_get_content_disposition: strdup + truncated filenames + +This table frees the strings it contains. +--- + libsoup/soup-message-headers.c | 2 +- + tests/header-parsing-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index ccf31233..64847e30 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1447,7 +1447,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + char *filename = strrchr (orig_value, '/'); + + if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1)); + } else { + /* filename with no value isn't valid. */ + g_hash_table_remove (*params, "filename"); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 9b2d00aa..24a8c3d5 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1112,6 +1112,7 @@ do_content_disposition_tests (void) + soup_test_assert (FALSE, "empty filename decoding FAILED"); + return; + } ++ g_free (disposition); + g_assert_false (g_hash_table_contains (params, "filename")); + g_hash_table_destroy (params); + soup_message_headers_free (hdrs); +-- +2.49.0 + diff --git a/SOURCES/CVE-2025-46420.patch b/SOURCES/CVE-2025-46420.patch new file mode 100644 index 0000000..c7dfb9e --- /dev/null +++ b/SOURCES/CVE-2025-46420.patch @@ -0,0 +1,56 @@ +From 355d7979ac27c6a83684e079d5bc6cf148e7bc16 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Thu, 26 Dec 2024 18:31:42 -0600 +Subject: [PATCH] soup_header_parse_quality_list: Fix leak + +When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings. +--- + libsoup/soup-headers.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index eec28adf..3e922816 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -535,7 +535,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + GSList *unsorted; + QualityItem *array; + GSList *sorted, *iter; +- char *item, *semi; ++ char *semi; + const char *param, *equal, *value; + double qval; + int n; +@@ -548,9 +548,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + unsorted = soup_header_parse_list (header); + array = g_new0 (QualityItem, g_slist_length (unsorted)); + for (iter = unsorted, n = 0; iter; iter = iter->next) { +- item = iter->data; + qval = 1.0; +- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) { ++ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) { + param = skip_lws (semi + 1); + if (*param != 'q') + continue; +@@ -582,15 +581,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + if (qval == 0.0) { + if (unacceptable) { + *unacceptable = g_slist_prepend (*unacceptable, +- item); ++ g_steal_pointer (&iter->data)); + } + } else { +- array[n].item = item; ++ array[n].item = g_steal_pointer (&iter->data); + array[n].qval = qval; + n++; + } + } +- g_slist_free (unsorted); ++ g_slist_free_full (unsorted, g_free); + + qsort (array, n, sizeof (QualityItem), sort_by_qval); + sorted = NULL; +-- +2.49.0 + diff --git a/SOURCES/CVE-2025-46421.patch b/SOURCES/CVE-2025-46421.patch new file mode 100644 index 0000000..564c401 --- /dev/null +++ b/SOURCES/CVE-2025-46421.patch @@ -0,0 +1,134 @@ +From 4329a7e88c72079ae3eedbb1558b929851507464 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 16:18:10 -0600 +Subject: [PATCH] session: Strip authentication credentails on cross-origin + redirect + +This should match the behavior of Firefox and Safari but not of Chromium. +--- + libsoup/soup-session.c | 6 ++++ + tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 83 insertions(+) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index dd3cdc46..82ca8bf9 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1187,6 +1187,12 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) + SOUP_ENCODING_NONE); + } + ++ /* Strip all credentials on cross-origin redirect. */ ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { ++ soup_message_headers_remove (msg->request_headers, "Authorization"); ++ soup_message_set_auth (msg, NULL); ++ } ++ + soup_message_set_uri (msg, new_uri); + soup_uri_free (new_uri); + +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 8295ec32..97d8f43e 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1,6 +1,7 @@ + /* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */ + + #include "test-utils.h" ++#include "soup-uri-utils-private.h" + + static const char *base_uri; + static GMainLoop *loop; +@@ -1549,6 +1550,81 @@ do_cancel_after_retry_test (void) + soup_test_session_abort_unref (session); + } + ++static void ++redirect_server_callback (SoupServer *server, ++ SoupServerMessage *msg, ++ const char *path, ++ GHashTable *query, ++ gpointer user_data) ++{ ++ static gboolean redirected = FALSE; ++ ++ if (!redirected) { ++ char *redirect_uri = g_uri_to_string (user_data); ++ soup_server_message_set_redirect (msg, SOUP_STATUS_MOVED_PERMANENTLY, redirect_uri); ++ g_free (redirect_uri); ++ redirected = TRUE; ++ return; ++ } ++ ++ g_assert_not_reached (); ++} ++ ++static gboolean ++auth_for_redirect_callback (SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer user_data) ++{ ++ GUri *known_server_uri = user_data; ++ ++ if (!soup_uri_host_equal (known_server_uri, soup_message_get_uri (msg))) ++ return FALSE; ++ ++ soup_auth_authenticate (auth, "user", "good-basic"); ++ ++ return TRUE; ++} ++ ++static void ++do_strip_on_crossorigin_redirect (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupServer *server1, *server2; ++ SoupAuthDomain *auth_domain; ++ GUri *uri; ++ gint status; ++ ++ server1 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ server2 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ ++ /* Both servers have the same credentials. */ ++ auth_domain = soup_auth_domain_basic_new ("realm", "auth-test", "auth-callback", server_basic_auth_callback, NULL); ++ soup_auth_domain_add_path (auth_domain, "/"); ++ soup_server_add_auth_domain (server1, auth_domain); ++ soup_server_add_auth_domain (server2, auth_domain); ++ g_object_unref (auth_domain); ++ ++ /* Server 1 asks for auth, then redirects to Server 2. */ ++ soup_server_add_handler (server1, NULL, ++ redirect_server_callback, ++ soup_test_server_get_uri (server2, "http", NULL), (GDestroyNotify)g_uri_unref); ++ /* Server 2 requires auth. */ ++ soup_server_add_handler (server2, NULL, server_callback, NULL, NULL); ++ ++ session = soup_test_session_new (NULL); ++ uri = soup_test_server_get_uri (server1, "http", NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ /* The client only sends credentials for the host it knows. */ ++ g_signal_connect (msg, "authenticate", G_CALLBACK (auth_for_redirect_callback), uri); ++ ++ status = soup_test_session_send_message (session, msg); ++ ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); ++ ++ g_uri_unref (uri); ++ soup_test_server_quit_unref (server1); ++ soup_test_server_quit_unref (server2); ++} ++ + int + main (int argc, char **argv) + { +@@ -1576,6 +1652,7 @@ main (int argc, char **argv) + g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test); + g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test); + g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test); ++ g_test_add_func ("/auth/strip-on-crossorigin-redirect", do_strip_on_crossorigin_redirect); + + ret = g_test_run (); + +-- +2.49.0 + diff --git a/SOURCES/server-test-timeouts.patch b/SOURCES/server-test-timeouts.patch new file mode 100644 index 0000000..b4d334d --- /dev/null +++ b/SOURCES/server-test-timeouts.patch @@ -0,0 +1,44 @@ +From 9ff306aa714efd06ceeafacee03298a3665055b1 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Wed, 30 Apr 2025 14:13:41 -0500 +Subject: [PATCH] test-utils: fix deadlock in add_listener_in_thread() + +The mutex is locked in the wrong place here. + +Hopefully fixes #379 +--- + tests/test-utils.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tests/test-utils.c b/tests/test-utils.c +index df4cee44..5c1e316c 100644 +--- a/tests/test-utils.c ++++ b/tests/test-utils.c +@@ -607,9 +607,11 @@ static gboolean + add_listener_in_thread (gpointer user_data) + { + AddListenerData *data = user_data; ++ SoupURI *uri; + +- data->uri = add_listener (data->server, data->scheme, data->host); ++ uri = add_listener (data->server, data->scheme, data->host); + g_mutex_lock (&data->mutex); ++ data->uri = uri; + g_cond_signal (&data->cond); + g_mutex_unlock (&data->mutex); + +@@ -641,9 +643,9 @@ soup_test_server_get_uri (SoupServer *server, + data.host = host; + data.uri = NULL; + +- g_mutex_lock (&data.mutex); + soup_add_completion (context, add_listener_in_thread, &data); + ++ g_mutex_lock (&data.mutex); + while (!data.uri) + g_cond_wait (&data.cond, &data.mutex); + +-- +GitLab + + diff --git a/SOURCES/test-cert-expiration.patch b/SOURCES/test-cert-expiration.patch new file mode 100644 index 0000000..c48aad8 --- /dev/null +++ b/SOURCES/test-cert-expiration.patch @@ -0,0 +1,60 @@ +From 2dafd907586f52291b38c46362e72c7379558626 Mon Sep 17 00:00:00 2001 +From: "Bernhard M. Wiedemann" +Date: Thu, 18 Feb 2021 09:13:40 +0100 +Subject: [PATCH] Extend test cert to 2049 + +used certtool -u \ + --load-ca-privkey ./tests/test-key.pem \ + --load-ca-certificate ./tests/test-cert.pem \ + --load-certificate ./tests/test-cert.pem + +Without this patch, 3 tests failed in 2027 + 11/29 misc-test FAIL 0.67s (exit status 1) + 21/29 server-test FAIL 0.12s (exit status 1) + 25/29 timeout-test FAIL 4.08s (killed by signal 5 SIGTRAP) + +Background: +As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future. +The usual offset is +15 years, because that is how long I expect some software will be used in some places. +This showed up failing tests in our package build. +See https://reproducible-builds.org/ for why this matters. + +(cherry picked from commit 38a65f080a3168e8af78bdd3e4928debeea2dbd8) +--- + tests/test-cert.pem | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/tests/test-cert.pem b/tests/test-cert.pem +index ff863b4d1..4b8b180dc 100644 +--- a/tests/test-cert.pem ++++ b/tests/test-cert.pem +@@ -1,6 +1,6 @@ + -----BEGIN CERTIFICATE----- + MIIC2zCCAcOgAwIBAgIJALRbg2WnuAAqMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +-BAMMCTEyNy4wLjAuMTAeFw0xNzA2MjAxNDI3MzBaFw0yNzA2MTgxNDI3MzBaMBQx ++BAMMCTEyNy4wLjAuMTAeFw0yMTAyMTgwODA3MzBaFw00OTEyMzEwODA3MzRaMBQx + EjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC + ggEBAKs4fuRuW77nORhOT9kbbU6BsjKW3GEsMc+ZSmXjINQWpfkES2hV+DQyzhm5 + qh4OLi1vYtXoSbdQNDCbA8ybZJqR8m9F3ed8vobdSSQGxWpPdXTgz27x+TpiAc9P +@@ -8,11 +8,11 @@ w83UuPvlu/0AxHJBFXVAg+id0yFu3wmGWYJHoAtvFi2xeRtAXurNuPtjZyO+gfM9 + BKTRCkGsRSmPpJyGbU2Q96fjxnVfV9oYvQXeugUcSx/pTUCM/kDgD9QZCxG2rflX + NWcqDFY3uO6ZR68Qwi/KouOa8rzrgAcwhFUI6Wz0Zwi1rzRtWK5WqC24aBUYz/tK + hl8i88UDXSMh7spChdYDBGLhZyUCAwEAAaMwMC4wLAYDVR0RBCUwI4IJbG9jYWxo +-b3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQBj +-+U8tebwg5/pof5Rht6TMHqeg6Fcr4OJkL2ph2g+T/AMTS7kEGeFIKJN5AZ+S/qIY +-cdoDKHwc8+bCK/mG6DPmJ4z/2Eamb85YhplOLVrLRwfxRebTK9CtnjcjnflAiU9H +-7vPVwXIvkwebhBSQNKTdkBlPXKaTNWXuygeFG2OVQkPf/KAxSdtg2R+owv/s802Z +-HISk26wY9oFIQz6AiXWdrY1QqNOltZ7rlU5iofAH7X+9ryZlxPWj/gHg2YQRvvLl +-dq6nCF+ED0ke7h0lg5nU0beKEygwli8DlLVbu0JK0PkARFp5t7wUtzC9DCjzvfOc +-gxR44PyZX7/2oaTDm4PS ++b3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQAz ++/qYTUuBGHgp7T1cfaJPnhx6U1SMfdJRtFoWOXDx+MNCK9GYkdMEabzRGUP5uNHO+ ++PiZP/bMIHlpsbRA5AyyVf9Xv8JCujvYh24qYcBbwgZrfvNTm0D52P9JJm0SalTXS ++kwwTj00DWGVfVzJR+wiwYGHRIlyXbHqQSRzv6+z9f/xY5gXw/KpCNYTuOJcXW7w6 ++JfMrUnc9pphRUpcLkuuzOMKuB0dtWRc0mZIr7PZHt+0gitNZWA0bDYI3JI9tlK17 ++nxBUSpGtJwDgH//b8ek/P0P9a5VzQbBC6lXtQUMdxg7ovfAI//IS8ekBoRKI0Wde ++r2IpM9hKSBU3c2gGXcJC + -----END CERTIFICATE----- +-- +GitLab + diff --git a/SOURCES/test-timeouts.patch b/SOURCES/test-timeouts.patch new file mode 100644 index 0000000..5a96389 --- /dev/null +++ b/SOURCES/test-timeouts.patch @@ -0,0 +1,14 @@ +diff --git a/tests/meson.build b/tests/meson.build +index 5482aa86..bd90df15 100644 +--- a/tests/meson.build ++++ b/tests/meson.build +@@ -190,7 +190,7 @@ foreach test: tests + ) + # Increase the timeout as on some architectures the tests could be slower + # than the default 30 seconds. +- test(test_name, test_target, env : env, is_parallel : test[1], timeout : 60) ++ test(test_name, test_target, env : env, is_parallel : test[1], timeout : 300) + endforeach + + executable('ntlm-test-helper', 'ntlm-test-helper.c', + diff --git a/SPECS/libsoup.spec b/SPECS/libsoup.spec index f8ed2ae..da72baa 100644 --- a/SPECS/libsoup.spec +++ b/SPECS/libsoup.spec @@ -5,13 +5,22 @@ Name: libsoup Version: 2.72.0 -Release: 8%{?dist}.3 +Release: 10%{?dist}.1 Summary: Soup, an HTTP library implementation License: LGPLv2 URL: https://wiki.gnome.org/Projects/libsoup Source0: https://download.gnome.org/sources/%{name}/2.72/%{name}-%{version}.tar.xz +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/426 +Patch: test-timeouts.patch +# https://issues.redhat.com/browse/RHEL-76426 +Patch: fix-ssl-test.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/446 +Patch: test-cert-expiration.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/454 +Patch: server-test-timeouts.patch + # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/402 Patch: CVE-2024-52530.patch # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407 @@ -19,9 +28,20 @@ Patch: CVE-2024-52531.patch # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/410 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/414 Patch: CVE-2024-52532.patch - -# https://issues.redhat.com/browse/RHEL-76426 -Patch: fix-ssl-test.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/415 +Patch: CVE-2025-32050.patch +Patch: CVE-2025-32052.patch +Patch: CVE-2025-32053.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/440 +Patch: CVE-2025-32906.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/422 +Patch: CVE-2025-32911-CVE-2025-32913.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452 +Patch: CVE-2025-32907.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/421 +Patch: CVE-2025-46420.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436 +Patch: CVE-2025-46421.patch BuildRequires: gettext BuildRequires: glib2-devel >= %{glib2_version} @@ -126,17 +146,26 @@ This package contains developer documentation for %{name}. %endif %changelog -* Tue Jan 28 2025 Michael Catanzaro - 2.72.0-8.3 -- Backport upstream patch for CVE-2024-52531 - buffer overflow via UTF-8 conversion in soup_header_parse_param_list_strict - Resolves: RHEL-76381 +* Wed Apr 30 2025 Michael Catanzaro - 2.72.0-10.1 +- Backport patches for various CVEs, plus test improvements + Resolves: RHEL-85906 + Resolves: RHEL-85912 + Resolves: RHEL-85919 + Resolves: RHEL-87061 + Resolves: RHEL-87069 + Resolves: RHEL-87102 + Resolves: RHEL-87120 + Resolves: RHEL-88364 + Resolves: RHEL-88367 -* Tue Nov 12 2024 Tomas Popela - 2.72.0-8.el9_5.2 -- Backport upstream patch for CVE-2024-52532 - infinite loop while reading websocket data -- Resolves: RHEL-67068 +* Tue Jan 28 2025 Michael Catanzaro - 2.72.0-10 +- Enable tests in check, and add patches to fix tests + Resolves: RHEL-76426 -* Tue Nov 12 2024 Tomas Popela - 2.72.0-8.el9_5.1 -- Backport upstream patch for CVE-2024-52530 - HTTP request smuggling via stripping null bytes from the ends of header names -- Resolves: RHEL-67080 +* Fri Jan 10 2025 Michael Catanzaro - 2.72.0-9 +- Add patches for CVE-2024-52530, CVE-2024-52531, and CVE-2024-52532 + Resolves: RHEL-67069 + Resolves: RHEL-67081 * Mon Aug 09 2021 Mohan Boddu - 2.72.0-8 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags