rpms/libsoup
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI libsoup-2.72.0-12.el9_7.3

Browse Source
This commit is contained in:
eabdullin 2026-01-12 02:54:54 +00:00
parent d179308d09
commit 8ac0b4e891
2 changed files with 83 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
SOURCES/CVE-2025-14523.patch Normal file
View File

@ -0,0 +1,74 @@
From 02a207c3667a1e00be0d63aacb8427de71962008 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Wed, 7 Jan 2026 14:50:33 -0600
Subject: [PATCH] Reject duplicate Host headers (for libsoup 2)
This is a simplified version of my patch for libsoup 3:
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/491
---
libsoup/soup-headers.c | 3 +++
libsoup/soup-message-headers.c | 3 +++
tests/header-parsing-test.c | 18 ++++++++++++++++++
3 files changed, 24 insertions(+)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index ea2f986b..6cd3dad9 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -138,6 +138,9 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
for (p = strchr (value, '\r'); p; p = strchr (p, '\r'))
*p = ' ';
+ if (g_ascii_strcasecmp (name, "Host") == 0 && soup_message_headers_get_one (dest, "Host"))
+ goto done;
+
soup_message_headers_append (dest, name, value);
}
success = TRUE;
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index f612bff1..bb20bbb2 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -220,6 +220,9 @@ soup_message_headers_append (SoupMessageHeaders *hdrs,
}
#endif
+ if (g_ascii_strcasecmp (name, "Host") == 0 && soup_message_headers_get_one (hdrs, "Host"))
+ return;
+
header.name = intern_header_name (name, &setter);
header.value = g_strdup (value);
g_array_append_val (hdrs->array, header);
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 206f1f2c..e823a68b 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -468,6 +468,24 @@ static struct RequestTest {
SOUP_STATUS_BAD_REQUEST,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ { "Duplicate Host headers",
+ "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
+ "GET / HTTP/1.1\r\nHost: example.com\r\nHost: example.org\r\n",
+ -1,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
+ { "Duplicate Host headers (case insensitive)",
+ "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
+ "GET / HTTP/1.1\r\nHost: example.com\r\nhost: example.org\r\n",
+ -1,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
--
2.52.0

10
SPECS/libsoup.spec
View File

@ -5,7 +5,7 @@
Name: libsoup
Version: 2.72.0
Release: 12%{?dist}.1
Release: 12%{?dist}.3
Summary: Soup, an HTTP library implementation
License: LGPLv2
@ -52,6 +52,8 @@ Patch: CVE-2025-2784.patch
Patch: CVE-2025-4948.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/473
Patch: CVE-2025-4945-CVE-2025-11021.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/491
Patch: CVE-2025-14523.patch
BuildRequires: gettext
BuildRequires: glib2-devel >= %{glib2_version}
@ -156,6 +158,12 @@ This package contains developer documentation for %{name}.
%endif
%changelog
* Thu Jan 08 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 2.72.0-12.3
- Fix patch for CVE-2025-14523 to handle comparison case-insensitively
* Wed Jan 07 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 2.72.0-12.2
- Backport patch for CVE-2025-14523
* Thu Oct 30 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.72.0-12.1
- Backport patch for CVE-2025-4945 and CVE-2025-11021