From 78de2d53d7f1050c415a9187fc82f5f87871d22f Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 26 May 2025 08:37:07 +0000
Subject: [PATCH] import UBI libsoup-2.72.0-10.el9_6.2
---
SOURCES/CVE-2024-52532.patch | 103 ++++++++++++++---------------------
SOURCES/CVE-2025-2784.patch | 48 ++++++++++++++++
SOURCES/CVE-2025-32049.patch | 30 ++++++++++
SOURCES/CVE-2025-32914.patch | 30 ++++++++++
SOURCES/CVE-2025-4948.patch | 30 ++++++++++
SPECS/libsoup.spec | 17 +++++-
6 files changed, 194 insertions(+), 64 deletions(-)
create mode 100644 SOURCES/CVE-2025-2784.patch
create mode 100644 SOURCES/CVE-2025-32049.patch
create mode 100644 SOURCES/CVE-2025-32914.patch
create mode 100644 SOURCES/CVE-2025-4948.patch
diff --git a/SOURCES/CVE-2024-52532.patch b/SOURCES/CVE-2024-52532.patch
index 5f0428e..73357fc 100644
--- a/SOURCES/CVE-2024-52532.patch
+++ b/SOURCES/CVE-2024-52532.patch
@@ -1,7 +1,20 @@ -diff -up libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 libsoup-2.62.3/libsoup/soup-websocket-connection.c ---- libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 2024-11-12 12:00:27.183570627 +0100 -+++ libsoup-2.62.3/libsoup/soup-websocket-connection.c 2024-11-12 12:01:02.334987409 +0100 -@@ -1041,9 +1041,9 @@ soup_websocket_connection_read (SoupWebs +From d1255aae8dd0486dd78f782ad8ed2a714245ea7a Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Wed, 21 May 2025 10:33:36 -0500 +Subject: [PATCH] Upstream patches for CVE-2024-52532 + +https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/410 +https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/414 +--- + libsoup/soup-websocket-connection.c | 4 ++-- + tests/websocket-test.c | 8 ++++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c +index a4095e1c..36524d04 100644 +--- a/libsoup/soup-websocket-connection.c ++++ b/libsoup/soup-websocket-connection.c +@@ -1140,9 +1140,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self) } pv->incoming->len = len + count; @@ -13,66 +26,11 @@ diff -up libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 libso if (end) { if (!pv->close_sent || !pv->close_received) { - -From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001 -From: Ignacio Casal Quinteiro -Date: Wed, 2 Oct 2024 11:17:19 +0200 -Subject: [PATCH 2/2] websocket-test: disconnect error copy after the test ends - -Otherwise the server will have already sent a few more wrong -bytes and the client will continue getting errors to copy -but the error is already != NULL and it will assert ---- - tests/websocket-test.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - diff --git a/tests/websocket-test.c b/tests/websocket-test.c -index 06c443bb..6a48c1f9 100644 +index 5e40cf36..93e9b14a 100644 --- a/tests/websocket-test.c 
+++ b/tests/websocket-test.c -@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test, - GError *error = NULL; - InvalidEncodeLengthTest context = { test, NULL }; - guint i; -+ guint error_id; - -- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); -+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); - g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); - - /* We use 127(\x7f) as payload length with 65535 extended length */ -@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test, - WAIT_UNTIL (error != NULL || received != NULL); - g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); - g_clear_error (&error); -+ g_signal_handler_disconnect (test->client, error_id); - g_assert_null (received); - - g_thread_join (thread); --- -2.45.2 - -From 4c9e75c6676a37b6485620c332e568e1a3f530ff Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 13 Nov 2024 14:14:23 +0000 -Subject: [PATCH] websocket-test: Disconnect error signal in another place - -This is the same change as commit 29b96fab "websocket-test: disconnect -error copy after the test ends", and is done for the same reason, but -replicating it into a different function. - -Fixes: 6adc0e3e "websocket: process the frame as soon as we read data" -Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399 -Signed-off-by: Simon McVittie ---- - tests/websocket-test.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/tests/websocket-test.c b/tests/websocket-test.c -index 6a48c1f9..723f2857 100644 ---- a/tests/websocket-test.c -+++ b/tests/websocket-test.c -@@ -1508,8 +1508,9 @@ test_receive_invalid_encode_length_16 (Test *test, +@@ -1300,8 +1300,9 @@ test_receive_invalid_encode_length_16 (Test *test, GError *error = NULL; InvalidEncodeLengthTest context = { test, NULL }; guint i; 
@@ -83,7 +41,7 @@ index 6a48c1f9..723f2857 100644 g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); /* We use 126(~) as payload length with 125 extended length */ -@@ -1522,6 +1523,7 @@ test_receive_invalid_encode_length_16 (Test *test, +@@ -1314,6 +1315,7 @@ test_receive_invalid_encode_length_16 (Test *test, WAIT_UNTIL (error != NULL || received != NULL); g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); g_clear_error (&error); @@ -91,6 +49,25 @@ index 6a48c1f9..723f2857 100644 g_assert_null (received); g_thread_join (thread); +@@ -1331,8 +1333,9 @@ test_receive_invalid_encode_length_64 (Test *test, + GError *error = NULL; + InvalidEncodeLengthTest context = { test, NULL }; + guint i; ++ guint error_id; + +- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); ++ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); + g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); + + /* We use 127(\x7f) as payload length with 65535 extended length */ +@@ -1345,6 +1348,7 @@ test_receive_invalid_encode_length_64 (Test *test, + WAIT_UNTIL (error != NULL || received != NULL); + g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); + g_clear_error (&error); ++ g_signal_handler_disconnect (test->client, error_id); + g_assert_null (received); + + g_thread_join (thread); -- -GitLab +2.49.0 diff --git a/SOURCES/CVE-2025-2784.patch b/SOURCES/CVE-2025-2784.patch new file mode 100644 index 0000000..726abb9 --- /dev/null +++ b/SOURCES/CVE-2025-2784.patch 
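Review bot: In the refreshed SOURCES/CVE-2024-52532.patch, the added `guint error_id;` in test_receive_invalid_encode_length_64 receives the return value of g_signal_connect(), which GLib declares as `gulong`, and g_signal_handler_disconnect() takes a `gulong` too. Handler ids are small in practice, so the test passes, but the declaration should read `gulong error_id;` to avoid the implicit narrowing on LP64 builds. The matching declaration in test_receive_invalid_encode_length_16 falls between the hunks shown here and presumably needs the same change. Both test functions start and end outside the hunks.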
@@ -0,0 +1,48 @@
+From b7213fc6c639b5ca6c91e215aee18cea36d9dc95 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis
+Date: Tue, 18 Feb 2025 14:29:50 -0600
+Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
+
+---
+ libsoup/soup-content-sniffer.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index 698d05e4..3fb29adf 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ }
+
+ static gboolean
+-skip_insignificant_space (const char *resource, int *pos, int resource_length)
++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
+ {
++ if (*pos >= resource_length)
++ return TRUE;
++
+ while ((resource[*pos] == '\x09') ||
+ (resource[*pos] == '\x20') ||
+ (resource[*pos] == '\x0A') ||
+@@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ {
+ const char *resource = (const char *)buffer->data;
+ int resource_length = MIN (512, buffer->length);
+- int pos = 0;
++ gsize pos = 0;
+
+ if (resource_length < 3)
+ goto text_html;
+@@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ pos = 3;
+
+ look_for_tag:
+- if (pos > resource_length)
+- goto text_html;
+-
+ if (skip_insignificant_space (resource, &pos, resource_length))
+ goto text_html;
+
+--
+2.49.0
+
diff --git a/SOURCES/CVE-2025-32049.patch b/SOURCES/CVE-2025-32049.patch
new file mode 100644
index 0000000..fa17d1f
--- /dev/null
+++ b/SOURCES/CVE-2025-32049.patch
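Review bot: In SOURCES/CVE-2025-2784.patch, the new entry guard `if (*pos >= resource_length) return TRUE;` in skip_insignificant_space() covers only the first `resource[*pos]` read. The loop body that advances `*pos` lies outside the hunk, so it should be confirmed that it re-checks `*pos >= resource_length` (not `>`) before the loop condition dereferences again. Separately, sniff_feed_or_html() keeps `int resource_length` while `pos` becomes `gsize`, so any remaining comparison between the two in that function is now mixed-sign; `gsize resource_length = MIN (512, buffer->length);` would keep the types aligned. The embedded commit message has no body, so a line naming the CVE and the upstream reference would make the patch file self-describing.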
@@ -0,0 +1,30 @@
+From 6ec7c5be50b48d6ce0a09aa3468f2c5725406a97 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Wed, 21 May 2025 10:42:51 -0500
+Subject: [PATCH] Add size limit for total message size
+
+This size limit could break applications, but it will close the denial
+of service issue.
+---
+ libsoup/soup-websocket-connection.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
+index 36524d04..f8764aff 100644
+--- a/libsoup/soup-websocket-connection.c
++++ b/libsoup/soup-websocket-connection.c
+@@ -913,6 +913,11 @@ process_contents (SoupWebsocketConnection *self,
+ switch (pv->message_opcode) {
+ case 0x01:
+ case 0x02:
++ /* Safety valve */
++ if (pv->message_data->len + payload_len > pv->max_incoming_payload_size) {
++ too_big_error_and_close (self, (pv->message_data->len + payload_len));
++ return;
++ }
+ g_byte_array_append (pv->message_data, payload, payload_len);
+ break;
+ default:
+--
+2.49.0
+
diff --git a/SOURCES/CVE-2025-32914.patch b/SOURCES/CVE-2025-32914.patch
new file mode 100644
index 0000000..39c1679
--- /dev/null
+++ b/SOURCES/CVE-2025-32914.patch
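Review bot: In SOURCES/CVE-2025-32049.patch, the new check in process_contents() compares against `pv->max_incoming_payload_size` without testing for zero, and libsoup documents 0 for that property as "no limit". If that holds on this branch, a connection configured with no limit would have every non-empty data frame closed as too big. The guard should then read `if (pv->max_incoming_payload_size > 0 && pv->message_data->len + payload_len > pv->max_incoming_payload_size) {`. The `/* Safety valve */` comment could also state that the bound applies to the reassembled message across fragments rather than to a single frame. process_contents() starts and ends outside the hunk.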
@@ -0,0 +1,30 @@
+From 51c25f470f85b485818c253718594a4d59b39931 Mon Sep 17 00:00:00 2001
+From: Milan Crha
+Date: Tue, 15 Apr 2025 09:03:00 +0200
+Subject: [PATCH] multipart: Fix read out of buffer bounds under
+ soup_multipart_new_from_message()
+
+This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
+of the body argument.
+
+Closes #436
+---
+ libsoup/soup-multipart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index a7e550f1..dd939739 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ return NULL;
+ }
+
+- split = strstr (start, "\r\n\r\n");
++ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
+ if (!split || split > end) {
+ soup_multipart_free (multipart);
+ soup_buffer_free (flattened);
+--
+2.49.0
+
diff --git a/SOURCES/CVE-2025-4948.patch b/SOURCES/CVE-2025-4948.patch
new file mode 100644
index 0000000..128d926
--- /dev/null
+++ b/SOURCES/CVE-2025-4948.patch
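Review bot: In SOURCES/CVE-2025-32914.patch, the length passed to `g_strstr_len (start, body_end - start, "\r\n\r\n")` depends on `body_end`, which is assigned outside the hunk. g_strstr_len() treats a negative length as "search up to the NUL terminator", so if `start` could ever lie past `body_end` the call would fall back to the unbounded search this patch removes. After confirming the invariant, I would record it next to the call, for example `/* start <= body_end here, so the search length is never negative */`, or add an explicit check that takes the existing error path. soup_multipart_new_from_message() continues outside the hunk.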
@@ -0,0 +1,30 @@ +From 592db079bc2dfea75708751ed0b7533ac9fd36df Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Thu, 15 May 2025 17:49:11 +0200 +Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body + +It could happen that the boundary started at a place which resulted into +a negative number, which in an unsigned integer is a very large value. +Check the body size is not a negative value before setting it. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 +--- + libsoup/soup-multipart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index dd939739..ce2fc109 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + */ + part_body = soup_buffer_new_subbuffer (flattened, + split - flattened->data, +- end - 2 - split); ++ end - 2 >= split ? end - 2 - split : 0); + g_ptr_array_add (multipart->bodies, part_body); + + start = end; +-- +2.49.0 + diff --git a/SPECS/libsoup.spec b/SPECS/libsoup.spec index da72baa..1b9a429 100644 --- a/SPECS/libsoup.spec +++ b/SPECS/libsoup.spec @@ -5,7 +5,7 @@ Name: libsoup Version: 2.72.0 -Release: 10%{?dist}.1 +Release: 10%{?dist}.2 Summary: Soup, an HTTP library implementation License: LGPLv2 @@ -42,6 +42,14 @@ Patch: CVE-2025-32907.patch Patch: CVE-2025-46420.patch # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436 Patch: CVE-2025-46421.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/408 (simplified) +Patch: CVE-2025-32049.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450 +Patch: CVE-2025-32914.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/issues/422 +Patch: CVE-2025-2784.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463 +Patch: CVE-2025-4948.patch BuildRequires: gettext BuildRequires: glib2-devel >= %{glib2_version} 
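Review bot: In SOURCES/CVE-2025-4948.patch, the clamp `end - 2 >= split ? end - 2 - split : 0` turns a part whose boundary falls before the end of its headers into an empty body instead of rejecting the message as malformed. That removes the oversized unsigned length, but callers then receive a successfully parsed part that the input never contained. The error path visible in the CVE-2025-32914 hunk for the same function frees `multipart` and `flattened` and returns NULL, and taking that path here would be the stricter choice. If clamping is intended, a comment above the call such as `/* malformed part: boundary precedes end of headers, expose an empty body */` would record the decision. The function body extends outside the hunk.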
@@ -146,6 +154,13 @@ This package contains developer documentation for %{name}. %endif %changelog +* Wed May 21 2025 Michael Catanzaro - 2.72.0-10.2 +- Backport patches for various CVEs + Resolves: RHEL-85888 + Resolves: RHEL-87081 + Resolves: RHEL-88332 + Resolves: RHEL-92285 + * Wed Apr 30 2025 Michael Catanzaro - 2.72.0-10.1 - Backport patches for various CVEs, plus test improvements Resolves: RHEL-85906