rpms/libsoup
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:c8
Branches Tags
rpms:c8
rpms:c9
rpms:c8s
rpms:c9s
rpms:c9-beta
rpms:c8-beta
rpms:c10s
rpms:imports/c9/libsoup-2.72.0-12.el9_7.5
rpms:imports/c8/libsoup-2.62.3-13.el8_10
rpms:imports/c8/libsoup-2.62.3-11.el8_10
rpms:imports/c9/libsoup-2.72.0-12.el9_7.3
rpms:imports/c9/libsoup-2.72.0-12.el9_7.1
rpms:imports/c9/libsoup-2.72.0-10.el9_6.3
rpms:imports/c8/libsoup-2.62.3-10.el8_10
rpms:imports/c8/libsoup-2.62.3-9.el8_10
rpms:imports/c9/libsoup-2.72.0-10.el9_6.2
rpms:imports/c9/libsoup-2.72.0-10.el9_6.1
rpms:imports/c8/libsoup-2.62.3-8.el8_10
rpms:imports/c9-beta/libsoup-2.72.0-10.el9
rpms:imports/c8/libsoup-2.62.3-7.el8_10
rpms:imports/c9/libsoup-2.72.0-8.el9_5.3
rpms:imports/c8/libsoup-2.62.3-6.el8_10
rpms:imports/c9/libsoup-2.72.0-8.el9_5.2
rpms:imports/c8/libsoup-2.62.3-5.el8
rpms:imports/c8/libsoup-2.62.3-4.el8
rpms:imports/c8-beta/libsoup-2.62.3-4.el8
rpms:imports/c8/libsoup-2.62.3-3.el8
rpms:imports/c8-beta/libsoup-2.62.3-3.el8
rpms:imports/c8s/libsoup-2.62.3-3.el8
rpms:imports/c9/libsoup-2.72.0-8.el9
rpms:imports/c9-beta/libsoup-2.72.0-8.el9
rpms:imports/c8-beta/libsoup-2.62.3-2.el8
rpms:imports/c8-beta/libsoup-2.62.3-1.el8
rpms:imports/c8s/libsoup-2.62.3-2.el8
rpms:imports/c8/libsoup-2.62.3-2.el8
rpms:imports/c8/libsoup-2.62.3-1.el8
..
compare: rpms:c8-beta
Branches Tags
rpms:c9
rpms:c8
rpms:c8s
rpms:c9s
rpms:c9-beta
rpms:c8-beta
rpms:c10s
rpms:imports/c9/libsoup-2.72.0-12.el9_7.5
rpms:imports/c8/libsoup-2.62.3-13.el8_10
rpms:imports/c8/libsoup-2.62.3-11.el8_10
rpms:imports/c9/libsoup-2.72.0-12.el9_7.3
rpms:imports/c9/libsoup-2.72.0-12.el9_7.1
rpms:imports/c9/libsoup-2.72.0-10.el9_6.3
rpms:imports/c8/libsoup-2.62.3-10.el8_10
rpms:imports/c8/libsoup-2.62.3-9.el8_10
rpms:imports/c9/libsoup-2.72.0-10.el9_6.2
rpms:imports/c9/libsoup-2.72.0-10.el9_6.1
rpms:imports/c8/libsoup-2.62.3-8.el8_10
rpms:imports/c9-beta/libsoup-2.72.0-10.el9
rpms:imports/c8/libsoup-2.62.3-7.el8_10
rpms:imports/c9/libsoup-2.72.0-8.el9_5.3
rpms:imports/c8/libsoup-2.62.3-6.el8_10
rpms:imports/c9/libsoup-2.72.0-8.el9_5.2
rpms:imports/c8/libsoup-2.62.3-5.el8
rpms:imports/c8/libsoup-2.62.3-4.el8
rpms:imports/c8-beta/libsoup-2.62.3-4.el8
rpms:imports/c8/libsoup-2.62.3-3.el8
rpms:imports/c8-beta/libsoup-2.62.3-3.el8
rpms:imports/c8s/libsoup-2.62.3-3.el8
rpms:imports/c9/libsoup-2.72.0-8.el9
rpms:imports/c9-beta/libsoup-2.72.0-8.el9
rpms:imports/c8-beta/libsoup-2.62.3-2.el8
rpms:imports/c8-beta/libsoup-2.62.3-1.el8
rpms:imports/c8s/libsoup-2.62.3-2.el8
rpms:imports/c8/libsoup-2.62.3-2.el8
rpms:imports/c8/libsoup-2.62.3-1.el8

No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

23 changed files with 1 additions and 2254 deletions
Show Stats Expand all files Collapse all files

129
SOURCES/CVE-2024-52530.patch
View File

@ -1,129 +0,0 @@
diff -up libsoup-2.62.2/libsoup/soup-headers.c.cve-2024-52530 libsoup-2.62.2/libsoup/soup-headers.c
--- libsoup-2.62.2/libsoup/soup-headers.c.cve-2024-52530 2018-03-23 14:44:54.000000000 +0100
+++ libsoup-2.62.2/libsoup/soup-headers.c 2024-11-12 10:23:16.693272087 +0100
@@ -50,13 +50,14 @@ soup_headers_parse (const char *str, int
* ignorable trailing whitespace.
*/
+ /* No '\0's are allowed */
+ if (memchr (str, '\0', len))
+ return FALSE;
+
/* Skip over the Request-Line / Status-Line */
headers_start = memchr (str, '\n', len);
if (!headers_start)
return FALSE;
- /* No '\0's in the Request-Line / Status-Line */
- if (memchr (str, '\0', headers_start - str))
- return FALSE;
/* We work on a copy of the headers, which we can write '\0's
* into, so that we don't have to individually g_strndup and
@@ -68,14 +69,6 @@ soup_headers_parse (const char *str, int
headers_copy[copy_len] = '\0';
value_end = headers_copy;
- /* There shouldn't be any '\0's in the headers already, but
- * this is the web we're talking about.
- */
- while ((p = memchr (headers_copy, '\0', copy_len))) {
- memmove (p, p + 1, copy_len - (p - headers_copy));
- copy_len--;
- }
-
while (*(value_end + 1)) {
name = value_end + 1;
name_end = strchr (name, ':');
diff -up libsoup-2.62.2/tests/header-parsing.c.cve-2024-52530 libsoup-2.62.2/tests/header-parsing.c
--- libsoup-2.62.2/tests/header-parsing.c.cve-2024-52530 2024-11-12 10:25:26.452447520 +0100
+++ libsoup-2.62.2/tests/header-parsing.c 2024-11-12 10:28:05.738158891 +0100
@@ -358,24 +358,6 @@ static struct RequestTest {
}
},
- { "NUL in header name", "760832",
- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "example.com" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "examplecom" },
- { NULL }
- }
- },
-
/************************/
/*** INVALID REQUESTS ***/
/************************/
@@ -448,6 +430,21 @@ static struct RequestTest {
SOUP_STATUS_EXPECTATION_FAILED,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+ { "NUL in header name", NULL,
+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
+ { "NUL in header value", NULL,
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
@@ -620,22 +617,6 @@ static struct ResponseTest {
{ NULL } }
},
- { "NUL in header name", "760832",
- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
/********************************/
/*** VALID CONTINUE RESPONSES ***/
/********************************/
@@ -768,6 +749,19 @@ static struct ResponseTest {
{ { NULL }
}
},
+
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+ { "NUL in header name", NULL,
+ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
+
+ { "NUL in header value", "760832",
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
};
static const int num_resptests = G_N_ELEMENTS (resptests);

121
SOURCES/CVE-2024-52531.patch
View File

@ -1,121 +0,0 @@
From bbeb7d59f98d0073291ca4a7ee9ce1a946842734 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 27 Aug 2024 13:53:26 -0500
Subject: [PATCH] headers: Be more robust against invalid input when parsing
params
If you pass invalid input to a function such as soup_header_parse_param_list_strict()
it can cause an overflow if it decodes the input to UTF-8.
This should never happen with valid UTF-8 input which libsoup's client API
ensures, however it's server API does not currently.
---
libsoup/soup-headers.c | 46 +++++++++++++++++++++---------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 271d2a63..8657483f 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -650,8 +650,9 @@ soup_header_contains (const char *header, const char *token)
}
static void
-decode_quoted_string (char *quoted_string)
+decode_quoted_string_inplace (GString *quoted_gstring)
{
+ char *quoted_string = quoted_gstring->str;
char *src, *dst;
src = quoted_string + 1;
@@ -665,10 +666,11 @@ decode_quoted_string (char *quoted_string)
}
static gboolean
-decode_rfc5987 (char *encoded_string)
+decode_rfc5987_inplace (GString *encoded_gstring)
{
char *q, *decoded;
gboolean iso_8859_1 = FALSE;
+ const char *encoded_string = encoded_gstring->str;
q = strchr (encoded_string, '\'');
if (!q)
@@ -697,14 +699,7 @@ decode_rfc5987 (char *encoded_string)
decoded = utf8;
}
- /* If encoded_string was UTF-8, then each 3-character %-escape
- * will be converted to a single byte, and so decoded is
- * shorter than encoded_string. If encoded_string was
- * iso-8859-1, then each 3-character %-escape will be
- * converted into at most 2 bytes in UTF-8, and so it's still
- * shorter.
- */
- strcpy (encoded_string, decoded);
+ g_string_assign (encoded_gstring, decoded);
g_free (decoded);
return TRUE;
}
@@ -714,15 +709,17 @@ parse_param_list (const char *header, char delim)
{
GHashTable *params;
GSList *list, *iter;
- char *item, *eq, *name_end, *value;
- gboolean override;
params = g_hash_table_new_full (soup_str_case_hash,
soup_str_case_equal,
- g_free, NULL);
+ g_free, g_free);
list = parse_list (header, delim);
for (iter = list; iter; iter = iter->next) {
+ char *item, *eq, *name_end;
+ gboolean override, duplicated;
+ GString *parsed_value = NULL;
+
item = iter->data;
override = FALSE;
@@ -737,24 +734,27 @@ parse_param_list (const char *header, char delim)
*name_end = '\0';
- value = (char *)skip_lws (eq + 1);
+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
if (name_end[-1] == '*' && name_end > item + 1) {
name_end[-1] = '\0';
- if (!decode_rfc5987 (value)) {
+ if (!decode_rfc5987_inplace (parsed_value)) {
+ g_string_free (parsed_value, TRUE);
g_free (item);
continue;
}
override = TRUE;
- } else if (*value == '"')
- decode_quoted_string (value);
- } else
- value = NULL;
-
- if (override || !g_hash_table_lookup (params, item))
- g_hash_table_replace (params, item, value);
- else
+ } else if (parsed_value->str[0] == '"')
+ decode_quoted_string_inplace (parsed_value);
+ }
+
+ if (override || !g_hash_table_lookup (params, item)) {
+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
+ } else {
+ if (parsed_value)
+ g_string_free (parsed_value, TRUE);
g_free (item);
+ }
}
g_slist_free (list);
--
2.48.1

15
SOURCES/CVE-2024-52532.patch
View File

@ -1,15 +0,0 @@
diff -up libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 libsoup-2.62.3/libsoup/soup-websocket-connection.c
--- libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 2024-11-12 12:00:27.183570627 +0100
+++ libsoup-2.62.3/libsoup/soup-websocket-connection.c 2024-11-12 12:01:02.334987409 +0100
@@ -1041,9 +1041,9 @@ soup_websocket_connection_read (SoupWebs
}
pv->incoming->len = len + count;
- } while (count > 0);
+ process_incoming (self);
+ } while (count > 0 && !pv->close_sent && !pv->io_closing);
- process_incoming (self);
if (end) {
if (!pv->close_sent || !pv->close_received) {

74
SOURCES/CVE-2025-14523.patch
View File

@ -1,74 +0,0 @@
From 383cc02354c2a4235a98338005f8b47ffab4e53a Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Wed, 7 Jan 2026 14:50:33 -0600
Subject: [PATCH] Reject duplicate Host headers (for libsoup 2)
This is a simplified version of my patch for libsoup 3:
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/491
---
libsoup/soup-headers.c | 3 +++
libsoup/soup-message-headers.c | 3 +++
tests/header-parsing.c | 18 ++++++++++++++++++
3 files changed, 24 insertions(+)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 8256de0d..0b08da94 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -138,6 +138,9 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
for (p = strchr (value, '\r'); p; p = strchr (p, '\r'))
*p = ' ';
+ if (g_ascii_strcasecmp (name, "Host") == 0 && soup_message_headers_get_one (dest, "Host"))
+ goto done;
+
soup_message_headers_append (dest, name, value);
}
success = TRUE;
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 83bd89fb..583bd784 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -220,6 +220,9 @@ soup_message_headers_append (SoupMessageHeaders *hdrs,
}
#endif
+ if (g_ascii_strcasecmp (name, "Host") == 0 && soup_message_headers_get_one (hdrs, "Host"))
+ return;
+
header.name = intern_header_name (name, &setter);
header.value = g_strdup (value);
g_array_append_val (hdrs->array, header);
diff --git a/tests/header-parsing.c b/tests/header-parsing.c
index 9888de41..aae2ac5b 100644
--- a/tests/header-parsing.c
+++ b/tests/header-parsing.c
@@ -444,6 +444,24 @@ static struct RequestTest {
"HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
SOUP_STATUS_BAD_REQUEST,
NULL, NULL, -1,
+ { { NULL } },
+ },
+
+ { "Duplicate Host headers",
+ "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
+ "GET / HTTP/1.1\r\nHost: example.com\r\nHost: example.org\r\n",
+ -1,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
+ { "Duplicate Host headers (case insensitive)",
+ "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
+ "GET / HTTP/1.1\r\nHost: example.com\r\nhost: example.org\r\n",
+ -1,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
{ { NULL } }
}
};
--
2.52.0

48
SOURCES/CVE-2025-2784.patch
View File

@ -1,48 +0,0 @@
From b7213fc6c639b5ca6c91e215aee18cea36d9dc95 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 18 Feb 2025 14:29:50 -0600
Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
---
libsoup/soup-content-sniffer.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index 698d05e4..3fb29adf 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
}
static gboolean
-skip_insignificant_space (const char *resource, int *pos, int resource_length)
+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
{
+ if (*pos >= resource_length)
+ return TRUE;
+
while ((resource[*pos] == '\x09') ||
(resource[*pos] == '\x20') ||
(resource[*pos] == '\x0A') ||
@@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
{
const char *resource = (const char *)buffer->data;
int resource_length = MIN (512, buffer->length);
- int pos = 0;
+ gsize pos = 0;
if (resource_length < 3)
goto text_html;
@@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
pos = 3;
look_for_tag:
- if (pos > resource_length)
- goto text_html;
-
if (skip_insignificant_space (resource, &pos, resource_length))
goto text_html;
--
2.49.0

30
SOURCES/CVE-2025-32049.patch
View File

@ -1,30 +0,0 @@
From 6ec7c5be50b48d6ce0a09aa3468f2c5725406a97 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Wed, 21 May 2025 10:42:51 -0500
Subject: [PATCH] Add size limit for total message size
This size limit could break applications, but it will close the denial
of service issue.
---
libsoup/soup-websocket-connection.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
index 36524d04..f8764aff 100644
--- a/libsoup/soup-websocket-connection.c
+++ b/libsoup/soup-websocket-connection.c
@@ -913,6 +913,11 @@ process_contents (SoupWebsocketConnection *self,
switch (pv->message_opcode) {
case 0x01:
case 0x02:
+ /* Safety valve */
+ if (pv->message_data->len + payload_len > pv->max_incoming_payload_size) {
+ too_big_error_and_close (self, (pv->message_data->len + payload_len));
+ return;
+ }
g_byte_array_append (pv->message_data, payload, payload_len);
break;
default:
--
2.49.0

25
SOURCES/CVE-2025-32050.patch
View File

@ -1,25 +0,0 @@
From 9bb0a55de55c6940ced811a64fbca82fe93a9323 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Mon, 28 Oct 2024 12:29:48 -0500
Subject: [PATCH] Fix using int instead of size_t for strcspn return
---
libsoup/soup-headers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 613e1905..a5f7a7f6 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -907,7 +907,7 @@ append_param_quoted (GString *string,
const char *name,
const char *value)
{
- int len;
+ gsize len;
g_string_append (string, name);
g_string_append (string, "=\"");
--
GitLab

26
SOURCES/CVE-2025-32052.patch
View File

@ -1,26 +0,0 @@
From 1542173d11df64e39e71367f10596e8160481290 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sat, 16 Nov 2024 12:07:30 -0600
Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff
Co-Author: Ar Jun <pkillarjun@protonmail.com>
---
libsoup/soup-content-sniffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index 967ec614..26c65bbd 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer,
guint index_pattern = 0;
gboolean skip_row = FALSE;
- while ((index_stream < resource_length) &&
+ while ((index_stream < resource_length - 1) &&
(index_pattern <= type_row->pattern_length)) {
/* Skip insignificant white space ("WS" in the spec) */
if (type_row->pattern[index_pattern] == ' ') {
--
2.49.0

35
SOURCES/CVE-2025-32053.patch
View File

@ -1,35 +0,0 @@
From 8e1793e2ddd8c2648b9a28f06bf21fd13bd12b39 Mon Sep 17 00:00:00 2001
From: Ar Jun <pkillarjun@protonmail.com>
Date: Mon, 18 Nov 2024 14:59:51 -0600
Subject: [PATCH] Fix heap buffer overflow in
soup-content-sniffer.c:sniff_feed_or_html()
---
libsoup/soup-content-sniffer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index 26c65bbd..698d05e4 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -620,7 +620,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length)
(resource[*pos] == '\x0D')) {
*pos = *pos + 1;
- if (*pos > resource_length)
+ if (*pos >= resource_length)
return TRUE;
}
@@ -682,7 +682,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
do {
pos++;
- if (pos > resource_length)
+ if ((pos + 1) > resource_length)
goto text_html;
} while (resource[pos] != '>');
--
2.49.0

65
SOURCES/CVE-2025-32906.patch
View File

@ -1,65 +0,0 @@
From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 11 Feb 2025 14:36:26 -0600
Subject: [PATCH 1/2] headers: Handle parsing edge case
This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
---
libsoup/soup-headers.c | 2 +-
tests/header-parsing-test.c | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 85385cea..9d6d00a3 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str,
!g_ascii_isdigit (version[5]))
return SOUP_STATUS_BAD_REQUEST;
major_version = strtoul (version + 5, &p, 10);
- if (*p != '.' || !g_ascii_isdigit (p[1]))
+ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
return SOUP_STATUS_BAD_REQUEST;
minor_version = strtoul (p + 1, &p, 10);
version_end = p;
--
GitLab
From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 12 Feb 2025 11:30:02 -0600
Subject: [PATCH 2/2] headers: Handle parsing only newlines
Closes #404
Closes #407
---
libsoup/soup-headers.c | 4 ++--
tests/header-parsing-test.c | 13 ++++++++++++-
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 9d6d00a3..52ef2ece 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str,
/* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
* received where a Request-Line is expected."
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str,
* after a response, which we then see prepended to the next
* response on that connection.
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
--
GitLab

67
SOURCES/CVE-2025-32911-CVE-2025-32913.patch
View File

@ -1,67 +0,0 @@
From f2d316341c00a343d0b46edd590efa8c102521c3 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 17:53:50 -0600
Subject: [PATCH 1/2] soup_message_headers_get_content_disposition: Fix NULL
deref
---
libsoup/soup-message-headers.c | 13 +++++++++----
tests/header-parsing-test.c | 13 +++++++++++++
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 5c8c7cb9..ccf31233 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1443,10 +1443,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
*/
if (params && g_hash_table_lookup_extended (*params, "filename",
&orig_key, &orig_value)) {
- char *filename = strrchr (orig_value, '/');
-
- if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ if (orig_value) {
+ char *filename = strrchr (orig_value, '/');
+
+ if (filename)
+ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ } else {
+ /* filename with no value isn't valid. */
+ g_hash_table_remove (*params, "filename");
+ }
}
return TRUE;
}
--
2.49.0
From dd3a245941f117832dd1fdda4f8bc68b44e2810d Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 18:00:39 -0600
Subject: [PATCH 2/2] soup_message_headers_get_content_disposition: strdup
truncated filenames
This table frees the strings it contains.
---
libsoup/soup-message-headers.c | 2 +-
tests/header-parsing-test.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index ccf31233..64847e30 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1447,7 +1447,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
char *filename = strrchr (orig_value, '/');
if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
} else {
/* filename with no value isn't valid. */
g_hash_table_remove (*params, "filename");
--
2.49.0

30
SOURCES/CVE-2025-32914.patch
View File

@ -1,30 +0,0 @@
From 51c25f470f85b485818c253718594a4d59b39931 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 15 Apr 2025 09:03:00 +0200
Subject: [PATCH] multipart: Fix read out of buffer bounds under
soup_multipart_new_from_message()
This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
of the body argument.
Closes #436
---
libsoup/soup-multipart.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index a7e550f1..dd939739 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
return NULL;
}
- split = strstr (start, "\r\n\r\n");
+ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
if (!split || split > end) {
soup_multipart_free (multipart);
soup_buffer_free (flattened);
--
2.49.0

56
SOURCES/CVE-2025-46420.patch
View File

@ -1,56 +0,0 @@
From 355d7979ac27c6a83684e079d5bc6cf148e7bc16 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:31:42 -0600
Subject: [PATCH] soup_header_parse_quality_list: Fix leak
When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings.
---
libsoup/soup-headers.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index eec28adf..3e922816 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -535,7 +535,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
GSList *unsorted;
QualityItem *array;
GSList *sorted, *iter;
- char *item, *semi;
+ char *semi;
const char *param, *equal, *value;
double qval;
int n;
@@ -548,9 +548,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
unsorted = soup_header_parse_list (header);
array = g_new0 (QualityItem, g_slist_length (unsorted));
for (iter = unsorted, n = 0; iter; iter = iter->next) {
- item = iter->data;
qval = 1.0;
- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) {
+ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) {
param = skip_lws (semi + 1);
if (*param != 'q')
continue;
@@ -582,15 +581,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
if (qval == 0.0) {
if (unacceptable) {
*unacceptable = g_slist_prepend (*unacceptable,
- item);
+ g_steal_pointer (&iter->data));
}
} else {
- array[n].item = item;
+ array[n].item = g_steal_pointer (&iter->data);
array[n].qval = qval;
n++;
}
}
- g_slist_free (unsorted);
+ g_slist_free_full (unsorted, g_free);
qsort (array, n, sizeof (QualityItem), sort_by_qval);
sorted = NULL;
--
2.49.0

32
SOURCES/CVE-2025-46421.patch
View File

@ -1,32 +0,0 @@
From 4329a7e88c72079ae3eedbb1558b929851507464 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 16:18:10 -0600
Subject: [PATCH] session: Strip authentication credentails on cross-origin
redirect
This should match the behavior of Firefox and Safari but not of Chromium.
---
libsoup/soup-session.c | 6 ++++
tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 83 insertions(+)
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index dd3cdc46..82ca8bf9 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1187,6 +1187,12 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
SOUP_ENCODING_NONE);
}
+ /* Strip all credentials on cross-origin redirect. */
+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+ soup_message_headers_remove (msg->request_headers, "Authorization");
+ soup_message_set_auth (msg, NULL);
+ }
+
soup_message_set_uri (msg, new_uri);
soup_uri_free (new_uri);
--
2.49.0

931
SOURCES/CVE-2025-4945-CVE-2025-11021.patch
View File

@ -1,931 +0,0 @@
From 52825c2eb7043698d7a0668cfe6bb5a23da87cf5 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Thu, 15 May 2025 07:59:14 +0200
Subject: [PATCH 1/2] soup-date-utils: Add value checks for date/time parsing
Reject date/time when it does not represent a valid value.
Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
---
libsoup/soup-date.c | 23 ++-
tests/cookies-test.c | 10 +
tests/date-test.c | 434 +++++++++++++++++++++++++++++++++++++++++++
3 files changed, 459 insertions(+), 8 deletions(-)
create mode 100644 tests/date-test.c
diff --git a/libsoup/soup-date.c b/libsoup/soup-date.c
index dabae9d4..8b2beea4 100644
--- a/libsoup/soup-date.c
+++ b/libsoup/soup-date.c
@@ -284,7 +284,7 @@ parse_day (SoupDate *date, const char **date_string)
while (*end == ' ' || *end == '-')
end++;
*date_string = end;
- return TRUE;
+ return date->day >= 1 && date->day <= 31;
}
static inline gboolean
@@ -324,7 +324,7 @@ parse_year (SoupDate *date, const char **date_string)
while (*end == ' ' || *end == '-')
end++;
*date_string = end;
- return TRUE;
+ return date->year > 0 && date->year < 9999;
}
static inline gboolean
@@ -348,7 +348,7 @@ parse_time (SoupDate *date, const char **date_string)
while (*p == ' ')
p++;
*date_string = p;
- return TRUE;
+ return date->hour >= 0 && date->hour < 24 && date->minute >= 0 && date->minute < 60 && date->second >= 0 && date->second < 60;
}
static inline gboolean
@@ -361,9 +361,14 @@ parse_timezone (SoupDate *date, const char **date_string)
gulong val;
int sign = (**date_string == '+') ? -1 : 1;
val = strtoul (*date_string + 1, (char **)date_string, 10);
- if (**date_string == ':')
- val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
- else
+ if (val > 9999)
+ return FALSE;
+ if (**date_string == ':') {
+ gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
+ if (val > 99 || val2 > 99)
+ return FALSE;
+ val = 60 * val + val2;
+ } else
val = 60 * (val / 100) + (val % 100);
date->offset = sign * val;
date->utc = (sign == -1) && !val;
@@ -407,7 +412,8 @@ parse_textual_date (SoupDate *date, const char *date_string)
if (!parse_month (date, &date_string) ||
!parse_day (date, &date_string) ||
!parse_time (date, &date_string) ||
- !parse_year (date, &date_string))
+ !parse_year (date, &date_string) ||
+ !g_date_valid_dmy (date->day, date->month, date->year))
return FALSE;
/* There shouldn't be a timezone, but check anyway */
@@ -419,7 +425,8 @@ parse_textual_date (SoupDate *date, const char *date_string)
if (!parse_day (date, &date_string) ||
!parse_month (date, &date_string) ||
!parse_year (date, &date_string) ||
- !parse_time (date, &date_string))
+ !parse_time (date, &date_string) ||
+ !g_date_valid_dmy (date->day, date->month, date->year))
return FALSE;
/* This time there *should* be a timezone, but we
diff --git a/tests/cookies-test.c b/tests/cookies-test.c
index 17b77f29..61adfac5 100644
--- a/tests/cookies-test.c
+++ b/tests/cookies-test.c
@@ -288,6 +288,15 @@ do_cookies_parsing_nopath_nullorigin (void)
soup_cookie_free (cookie);
}
+static void
+do_cookies_parsing_int32_overflow (void)
+{
+ SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9 999:9:9+ 999999999-age=main=gne=", NULL);
+ g_assert_nonnull (cookie);
+ g_assert_null (soup_cookie_get_expires (cookie));
+ soup_cookie_free (cookie);
+}
+
int
main (int argc, char **argv)
{
@@ -309,6 +318,7 @@ main (int argc, char **argv)
g_test_add_func ("/cookies/accept-policy-subdomains", do_cookies_subdomain_policy_test);
g_test_add_func ("/cookies/parsing", do_cookies_parsing_test);
g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
+ g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
ret = g_test_run ();
diff --git a/tests/date-test.c b/tests/date-test.c
new file mode 100644
index 00000000..38f27335
--- /dev/null
+++ b/tests/date-test.c
@@ -0,0 +1,434 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
+/*
+ * Copyright (C) 2005 Novell, Inc.
+ */
+
+#include "test-utils.h"
+
+static void check_ok (gconstpointer data);
+
+static SoupDate *
+make_date (const char *strdate)
+{
+ char *dup;
+ SoupDate *date;
+
+ /* We do it this way so that if soup_date_new_from_string()
+ * reads off the end of the string, it will trigger an error
+ * when valgrinding, rather than just reading the start of the
+ * next const string.
+ */
+ dup = g_strdup (strdate);
+ date = soup_date_new_from_string (dup);
+ g_free (dup);
+ return date;
+}
+
+static SoupDate *
+check_correct_date (const char *strdate)
+{
+ SoupDate *date;
+
+ date = make_date (strdate);
+ if (!date) {
+ g_assert_nonnull (date);
+ return NULL;
+ }
+
+ g_assert_cmpint (date->year, ==, 2004);
+ g_assert_cmpint (date->month, ==, 11);
+ g_assert_cmpint (date->day, ==, 6);
+ g_assert_cmpint (date->hour, ==, 8);
+ g_assert_cmpint (date->minute, ==, 9);
+ g_assert_cmpint (date->second, ==, 7);
+
+ return date;
+}
+
+typedef struct {
+ SoupDateFormat format;
+ const char *date;
+ const char *bugref;
+} GoodDate;
+
+static const GoodDate good_dates[] = {
+ { SOUP_DATE_HTTP, "Sat, 06 Nov 2004 08:09:07 GMT", NULL },
+ { SOUP_DATE_COOKIE, "Sat, 06-Nov-2004 08:09:07 GMT", NULL },
+ { SOUP_DATE_RFC2822, "Sat, 6 Nov 2004 08:09:07 -0430", "579055" },
+ { SOUP_DATE_ISO8601_COMPACT, "20041106T080907", NULL },
+ { SOUP_DATE_ISO8601_FULL, "2004-11-06T08:09:07", NULL },
+ { SOUP_DATE_ISO8601_XMLRPC, "20041106T08:09:07", NULL }
+};
+
+static void
+check_good (gconstpointer data)
+{
+ GoodDate *good = (GoodDate *)data;
+ SoupDate *date;
+ char *strdate2;
+
+ if (good->bugref)
+ g_test_bug (good->bugref);
+
+ date = check_correct_date (good->date);
+ if (!date)
+ return;
+
+ strdate2 = soup_date_to_string (date, good->format);
+ soup_date_free (date);
+
+ soup_test_assert (strcmp (good->date, strdate2) == 0,
+ "restringification failed: '%s' -> '%s'\n",
+ good->date, strdate2);
+ g_free (strdate2);
+}
+
+typedef struct {
+ const char *date;
+ const char *bugref;
+} OkDate;
+
+static const OkDate ok_dates[] = {
+ /* rfc1123-date, and broken variants */
+ { "Sat, 06 Nov 2004 08:09:07 GMT", NULL },
+ { "Sat, 6 Nov 2004 08:09:07 GMT", NULL },
+ { "Sat, 6 Nov 2004 08:09:07 GMT", NULL },
+ { "Sat, 06 Nov 2004 08:09:07", NULL },
+ { "06 Nov 2004 08:09:07 GMT", NULL },
+ { "SAT, 06 NOV 2004 08:09:07 +1000", "644048" },
+ { "Sat, 06-Nov-2004 08:09:07 -10000", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/448" },
+ { "Sat, 06-Nov-2004 08:09:07 +01:30", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/448" },
+ { "Sat, 06-Nov-2004 08:09:07 +0:180", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/448" },
+ { "Sat, 06-Nov-2004 08:09:07 +100:100", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/448" },
+ { "Sat, 06-Nov-2004 08:09:07 Z", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/448" },
+
+ /* rfc850-date, and broken variants */
+ { "Saturday, 06-Nov-04 08:09:07 GMT", NULL },
+ { "Saturday, 6-Nov-04 08:09:07 GMT", NULL },
+ { "Saturday, 6-Nov-04 08:09:07 GMT", NULL },
+ { "Saturday, 06-Nov-104 08:09:07 GMT", NULL },
+ { "Saturday, 06-Nov-2004 08:09:07 GMT", NULL },
+ { "Saturday, 6-Nov-2004 08:09:07 GMT", NULL },
+ { "Saturday, 6-Nov-2004 08:09:07 GMT", NULL },
+ { "Saturday, 06-Nov-04 08:09:07", NULL },
+ { "06-Nov-04 08:09:07 GMT", NULL },
+
+ /* asctime-date, and broken variants */
+ { "Sat Nov 6 08:09:07 2004", NULL },
+ { "Sat Nov 06 08:09:07 2004", NULL },
+ { "Sat Nov 6 08:09:07 2004", NULL },
+ { "Sat Nov 6 08:09:07 2004 GMT", NULL },
+ { "Sat Nov 6 08:09:07 2004 NoZone", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/448" },
+ { "Sat Nov 6 08:09:07 2004 UTC", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/448" },
+
+ /* ISO 8601 */
+ { "2004-11-06T08:09:07Z", NULL },
+ { "20041106T08:09:07Z", NULL },
+ { "20041106T08:09:07+00:00", NULL },
+ { "20041106T080907+00:00", NULL },
+
+ /* Netscape cookie spec date, and broken variants */
+ { "Sat, 06-Nov-2004 08:09:07 GMT", NULL },
+ { "Sat, 6-Nov-2004 08:09:07 GMT", NULL },
+ { "Sat, 6-Nov-2004 08:09:07 GMT", NULL },
+ { "Sat, 06-Nov-2004 08:09:07", NULL },
+
+ /* Original version of Netscape cookie spec, and broken variants */
+ { "Sat, 06-Nov-04 08:09:07 GMT", NULL },
+ { "Sat, 6-Nov-04 08:09:07 GMT", NULL },
+ { "Sat, 6-Nov-04 08:09:07 GMT", NULL },
+ { "Sat, 06-Nov-104 08:09:07 GMT", NULL },
+ { "Sat, 06-Nov-04 08:09:07", NULL },
+
+ /* Miscellaneous broken formats seen on the web */
+ { "Sat 06-Nov-2004 08:9:07", NULL },
+ { "Saturday, 06-Nov-04 8:9:07 GMT", NULL },
+ { "Sat, 06 Nov 2004 08:09:7 GMT", NULL }
+};
+
+static void
+check_ok (gconstpointer data)
+{
+ OkDate *ok = (OkDate *)data;
+ SoupDate *date;
+
+ if (ok->bugref)
+ g_test_bug (ok->bugref);
+
+ date = check_correct_date (ok->date);
+ if (!date)
+ return;
+ soup_date_free (date);
+}
+
+#define TIME_T 1099728547L
+#define TIME_T_STRING "1099728547"
+
+static void
+check_ok_time_t (void)
+{
+ SoupDate *date;
+
+ date = soup_date_new_from_time_t (TIME_T);
+
+ g_assert_cmpint (date->year, ==, 2004);
+ g_assert_cmpint (date->month, ==, 11);
+ g_assert_cmpint (date->day, ==, 6);
+ g_assert_cmpint (date->hour, ==, 8);
+ g_assert_cmpint (date->minute, ==, 9);
+ g_assert_cmpint (date->second, ==, 7);
+
+ g_assert_cmpuint (TIME_T, ==, soup_date_to_time_t (date));
+
+ soup_date_free (date);
+}
+
+typedef struct {
+ const char *date;
+ const char *bugref;
+} BadDate;
+
+static const BadDate bad_dates[] = {
+ /* broken rfc1123-date */
+ { ", 06 Nov 2004 08:09:07 GMT", NULL },
+ { "Sat, Nov 2004 08:09:07 GMT", NULL },
+ { "Sat, 06 2004 08:09:07 GMT", NULL },
+ { "Sat, 06 Nov 08:09:07 GMT", NULL },
+ { "Sat, 06 Nov 2004 :09:07 GMT", NULL },
+ { "Sat, 06 Nov 2004 09:07 GMT", NULL },
+ { "Sat, 06 Nov 2004 08::07 GMT", NULL },
+ { "Sat, 06 Nov 2004 08:09: GMT", NULL },
+
+ /* broken rfc850-date */
+ { ", 06-Nov-04 08:09:07 GMT", NULL },
+ { "Saturday, -Nov-04 08:09:07 GMT", NULL },
+ { "Saturday, Nov-04 08:09:07 GMT", NULL },
+ { "Saturday, 06-04 08:09:07 GMT", NULL },
+ { "Saturday, 06--04 08:09:07 GMT", NULL },
+ { "Saturday, 06-Nov- 08:09:07 GMT", NULL },
+ { "Saturday, 06-Nov 08:09:07 GMT", NULL },
+ { "Saturday, 06-Nov-04 :09:07 GMT", NULL },
+ { "Saturday, 06-Nov-04 09:07 GMT", NULL },
+ { "Saturday, 06-Nov-04 08::07 GMT", NULL },
+ { "Saturday, 06-Nov-04 08:09: GMT", NULL },
+
+ /* broken asctime-date */
+ { "Nov 6 08:09:07 2004", NULL },
+ { "Sat 6 08:09:07 2004", NULL },
+ { "Sat Nov 08:09:07 2004", NULL },
+ { "Sat Nov 6 :09:07 2004", NULL },
+ { "Sat Nov 6 09:07 2004", NULL },
+ { "Sat Nov 6 08::07 2004", NULL },
+ { "Sat Nov 6 08:09: 2004", NULL },
+ { "Sat Nov 6 08:09:07", NULL },
+ { "Sat Nov 6 08:09:07 GMT 2004", NULL },
+
+ /* range constraints added "https://gitlab.gnome.org/GNOME/libsoup/-/issues/448" */
+ { "Sat, 00-Nov-2004 08:09:07 GMT", NULL },
+ { "Sat, 32-Nov-2004 08:09:07 GMT", NULL },
+ { "Sat, 06-Nov-0 08:09:07 GMT", NULL },
+ { "Sat, 06-Nov-9999 08:09:07 GMT", NULL },
+ { "Sat, 06-Nov-2004 0-1:09:07 GMT", NULL },
+ { "(Sat), Nov 6 -1:09:07 2004", NULL },
+ { "Sat, 06-Nov-2004 24:09:07 GMT", NULL },
+ { "Sat, 06-Nov-2004 08:-1:07 GMT", NULL },
+ { "Sat, 06-Nov-2004 08:60:07 GMT", NULL },
+ { "Sat, 06-Nov-2004 08:09:-10 GMT", NULL },
+ { "Sat, 06-Nov-2004 08:09:60 GMT", NULL },
+ { "Sat, 06-Nov-71 08:09:99 UTC", NULL },
+ { "Sat, 31-Feb-2004 08:09:07 UTC", NULL },
+};
+
+static void
+check_bad (gconstpointer data)
+{
+ BadDate *bad = (BadDate *)data;
+ SoupDate *date;
+
+ if (bad->bugref)
+ g_test_bug (bad->bugref);
+
+ date = make_date (bad->date);
+ soup_test_assert (date == NULL,
+ "date parsing succeeded for '%s': %d %d %d - %d %d %d",
+ bad->date,
+ date->year, date->month, date->day,
+ date->hour, date->minute, date->second);
+ g_clear_pointer (&date, soup_date_free);
+}
+
+typedef struct {
+ const char *source;
+ const char *http, *cookie, *rfc2822, *compact, *full, *xmlrpc;
+} DateConversion;
+
+static const DateConversion conversions[] = {
+ /* SOUP_DATE_HTTP */
+ { "Sat, 06 Nov 2004 08:09:07 GMT",
+
+ "Sat, 06 Nov 2004 08:09:07 GMT",
+ "Sat, 06-Nov-2004 08:09:07 GMT",
+ "Sat, 6 Nov 2004 08:09:07 +0000",
+ "20041106T080907Z",
+ "2004-11-06T08:09:07Z",
+ "20041106T08:09:07" },
+
+ /* RFC2822 GMT */
+ { "Sat, 6 Nov 2004 08:09:07 +0000",
+
+ "Sat, 06 Nov 2004 08:09:07 GMT",
+ "Sat, 06-Nov-2004 08:09:07 GMT",
+ "Sat, 6 Nov 2004 08:09:07 +0000",
+ "20041106T080907Z",
+ "2004-11-06T08:09:07Z",
+ "20041106T08:09:07" },
+
+ /* RFC2822 with positive offset */
+ { "Sat, 6 Nov 2004 08:09:07 +0430",
+
+ "Sat, 06 Nov 2004 04:39:07 GMT",
+ "Sat, 06-Nov-2004 04:39:07 GMT",
+ "Sat, 6 Nov 2004 08:09:07 +0430",
+ "20041106T080907+0430",
+ "2004-11-06T08:09:07+04:30",
+ "20041106T08:09:07" },
+
+ /* RFC2822 with negative offset */
+ { "Sat, 6 Nov 2004 08:09:07 -0430",
+
+ "Sat, 06 Nov 2004 12:39:07 GMT",
+ "Sat, 06-Nov-2004 12:39:07 GMT",
+ "Sat, 6 Nov 2004 08:09:07 -0430",
+ "20041106T080907-0430",
+ "2004-11-06T08:09:07-04:30",
+ "20041106T08:09:07" },
+
+ /* RFC2822 floating */
+ { "Sat, 6 Nov 2004 08:09:07 -0000",
+
+ "Sat, 06 Nov 2004 08:09:07 GMT",
+ "Sat, 06-Nov-2004 08:09:07 GMT",
+ "Sat, 6 Nov 2004 08:09:07 -0000",
+ "20041106T080907",
+ "2004-11-06T08:09:07",
+ "20041106T08:09:07" },
+
+ /* ISO GMT */
+ { "2004-11-06T08:09:07Z",
+
+ "Sat, 06 Nov 2004 08:09:07 GMT",
+ "Sat, 06-Nov-2004 08:09:07 GMT",
+ "Sat, 6 Nov 2004 08:09:07 +0000",
+ "20041106T080907Z",
+ "2004-11-06T08:09:07Z",
+ "20041106T08:09:07" },
+
+ /* ISO with positive offset */
+ { "2004-11-06T08:09:07+04:30",
+
+ "Sat, 06 Nov 2004 04:39:07 GMT",
+ "Sat, 06-Nov-2004 04:39:07 GMT",
+ "Sat, 6 Nov 2004 08:09:07 +0430",
+ "20041106T080907+0430",
+ "2004-11-06T08:09:07+04:30",
+ "20041106T08:09:07" },
+
+ /* ISO with negative offset */
+ { "2004-11-06T08:09:07-04:30",
+
+ "Sat, 06 Nov 2004 12:39:07 GMT",
+ "Sat, 06-Nov-2004 12:39:07 GMT",
+ "Sat, 6 Nov 2004 08:09:07 -0430",
+ "20041106T080907-0430",
+ "2004-11-06T08:09:07-04:30",
+ "20041106T08:09:07" },
+
+ /* ISO floating */
+ { "2004-11-06T08:09:07",
+
+ "Sat, 06 Nov 2004 08:09:07 GMT",
+ "Sat, 06-Nov-2004 08:09:07 GMT",
+ "Sat, 6 Nov 2004 08:09:07 -0000",
+ "20041106T080907",
+ "2004-11-06T08:09:07",
+ "20041106T08:09:07" }
+};
+
+static void
+check_conversion (gconstpointer data)
+{
+ const DateConversion *conv = data;
+ SoupDate *date;
+ char *str;
+
+ date = make_date (conv->source);
+ if (!date) {
+ soup_test_assert (FALSE, "date parsing failed for '%s'.", conv->source);
+ return;
+ }
+
+ str = soup_date_to_string (date, SOUP_DATE_HTTP);
+ g_assert_cmpstr (str, ==, conv->http);
+ g_free (str);
+
+ str = soup_date_to_string (date, SOUP_DATE_COOKIE);
+ g_assert_cmpstr (str, ==, conv->cookie);
+ g_free (str);
+
+ str = soup_date_to_string (date, SOUP_DATE_RFC2822);
+ g_assert_cmpstr (str, ==, conv->rfc2822);
+ g_free (str);
+
+ str = soup_date_to_string (date, SOUP_DATE_ISO8601_COMPACT);
+ g_assert_cmpstr (str, ==, conv->compact);
+ g_free (str);
+
+ str = soup_date_to_string (date, SOUP_DATE_ISO8601_FULL);
+ g_assert_cmpstr (str, ==, conv->full);
+ g_free (str);
+
+ str = soup_date_to_string (date, SOUP_DATE_ISO8601_XMLRPC);
+ g_assert_cmpstr (str, ==, conv->xmlrpc);
+ g_free (str);
+
+ soup_date_free (date);
+}
+
+int
+main (int argc, char **argv)
+{
+ int i, ret;
+ char *path;
+
+ test_init (argc, argv, NULL);
+
+ for (i = 0; i < G_N_ELEMENTS (good_dates); i++) {
+ path = g_strdup_printf ("/date/good/%s", good_dates[i].date);
+ g_test_add_data_func (path, &good_dates[i], check_good);
+ g_free (path);
+ }
+
+ for (i = 0; i < G_N_ELEMENTS (ok_dates); i++) {
+ path = g_strdup_printf ("/date/ok/%s", ok_dates[i].date);
+ g_test_add_data_func (path, &ok_dates[i], check_ok);
+ g_free (path);
+ }
+ g_test_add_func ("/date/ok/" TIME_T_STRING, check_ok_time_t);
+
+ for (i = 0; i < G_N_ELEMENTS (bad_dates); i++) {
+ path = g_strdup_printf ("/date/bad/%s", bad_dates[i].date);
+ g_test_add_data_func (path, &bad_dates[i], check_bad);
+ g_free (path);
+ }
+
+ for (i = 0; i < G_N_ELEMENTS (conversions); i++) {
+ path = g_strdup_printf ("/date/conversions/%s", conversions[i].source);
+ g_test_add_data_func (path, &conversions[i], check_conversion);
+ g_free (path);
+ }
+
+ ret = g_test_run ();
+
+ test_cleanup ();
+ return ret;
+}
--
2.51.0
From 724efae52bcf2c0b8a247f736103285ad68d1b15 Mon Sep 17 00:00:00 2001
From: Brian Yurko <155515-byurko@users.noreply.gitlab.gnome.org>
Date: Wed, 11 Jun 2025 11:00:56 -0400
Subject: [PATCH 2/2] tests: Add tests for date-time including timezone
validation work
These tests are built on top of earlier work in a related pull request.
Closes #448
---
libsoup/soup-date-utils.c | 339 ++++++++++++++++++++++++++++++++++++++
tests/cookies-test.c | 1 +
2 files changed, 340 insertions(+)
create mode 100644 libsoup/soup-date-utils.c
diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c
new file mode 100644
index 00000000..73f80ab6
--- /dev/null
+++ b/libsoup/soup-date-utils.c
@@ -0,0 +1,339 @@
+/*
+ * Copyright (C) 2020 Igalia, S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB. If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+
+#include "soup-date-utils.h"
+#include "soup-date-utils-private.h"
+
+/**
+ * soup_date_time_is_past:
+ * @date: a #GDateTime
+ *
+ * Determines if @date is in the past.
+ *
+ * Returns: %TRUE if @date is in the past
+ */
+gboolean
+soup_date_time_is_past (GDateTime *date)
+{
+ g_return_val_if_fail (date != NULL, TRUE);
+
+ /* optimization */
+ if (g_date_time_get_year (date) < 2025)
+ return TRUE;
+
+ return g_date_time_to_unix (date) < time (NULL);
+}
+
+/**
+ * SoupDateFormat:
+ * @SOUP_DATE_HTTP: RFC 1123 format, used by the HTTP "Date" header. Eg
+ * "Sun, 06 Nov 1994 08:49:37 GMT".
+ * @SOUP_DATE_COOKIE: The format for the "Expires" timestamp in the
+ * Netscape cookie specification. Eg, "Sun, 06-Nov-1994 08:49:37 GMT".
+ *
+ * Date formats that [func@date_time_to_string] can use.
+ *
+ * @SOUP_DATE_HTTP and @SOUP_DATE_COOKIE always coerce the time to
+ * UTC.
+ *
+ * This enum may be extended with more values in future releases.
+ **/
+
+/* Do not internationalize */
+static const char *const months[] = {
+ "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+ "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+};
+
+/* Do not internationalize */
+static const char *const days[] = {
+ "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"
+};
+
+/**
+ * soup_date_time_to_string:
+ * @date: a #GDateTime
+ * @format: the format to generate the date in
+ *
+ * Converts @date to a string in the format described by @format.
+ *
+ * Returns: (transfer full): @date as a string or %NULL
+ **/
+char *
+soup_date_time_to_string (GDateTime *date,
+ SoupDateFormat format)
+{
+ g_return_val_if_fail (date != NULL, NULL);
+
+ if (format == SOUP_DATE_HTTP || format == SOUP_DATE_COOKIE) {
+ /* HTTP and COOKIE formats require UTC timestamp, so coerce
+ * @date if it's non-UTC.
+ */
+ GDateTime *utcdate = g_date_time_to_utc (date);
+ char *date_format;
+ char *formatted_date;
+
+ // We insert days/months ourselves to avoid locale specific formatting
+ if (format == SOUP_DATE_HTTP) {
+ /* "Sun, 06 Nov 1994 08:49:37 GMT" */
+ date_format = g_strdup_printf ("%s, %%d %s %%Y %%T GMT",
+ days[g_date_time_get_day_of_week (utcdate) - 1],
+ months[g_date_time_get_month (utcdate) - 1]);
+ } else {
+ /* "Sun, 06-Nov-1994 08:49:37 GMT" */
+ date_format = g_strdup_printf ("%s, %%d-%s-%%Y %%T GMT",
+ days[g_date_time_get_day_of_week (utcdate) - 1],
+ months[g_date_time_get_month (utcdate) - 1]);
+ }
+
+ formatted_date = g_date_time_format (utcdate, (const char*)date_format);
+ g_date_time_unref (utcdate);
+ g_free (date_format);
+ return formatted_date;
+ }
+
+ g_return_val_if_reached (NULL);
+}
+
+static inline gboolean
+parse_day (int *day, const char **date_string)
+{
+ char *end;
+
+ *day = strtoul (*date_string, &end, 10);
+ if (end == (char *)*date_string)
+ return FALSE;
+
+ while (*end == ' ' || *end == '-')
+ end++;
+ *date_string = end;
+ return *day >= 1 && *day <= 31;
+}
+
+static inline gboolean
+parse_month (int *month, const char **date_string)
+{
+ int i;
+
+ for (i = 0; i < G_N_ELEMENTS (months); i++) {
+ if (!g_ascii_strncasecmp (*date_string, months[i], 3)) {
+ *month = i + 1;
+ *date_string += 3;
+ while (**date_string == ' ' || **date_string == '-')
+ (*date_string)++;
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+static inline gboolean
+parse_year (int *year, const char **date_string)
+{
+ char *end;
+
+ *year = strtoul (*date_string, &end, 10);
+ if (end == (char *)*date_string)
+ return FALSE;
+
+ if (end == (char *)*date_string + 2) {
+ if (*year < 70)
+ *year += 2000;
+ else
+ *year += 1900;
+ } else if (end == (char *)*date_string + 3)
+ *year += 1900;
+
+ while (*end == ' ' || *end == '-')
+ end++;
+ *date_string = end;
+ return *year > 0 && *year < 9999;
+}
+
+static inline gboolean
+parse_time (int *hour, int *minute, int *second, const char **date_string)
+{
+ char *p, *end;
+
+ *hour = strtoul (*date_string, &end, 10);
+ if (end == (char *)*date_string || *end++ != ':')
+ return FALSE;
+ p = end;
+ *minute = strtoul (p, &end, 10);
+ if (end == p || *end++ != ':')
+ return FALSE;
+ p = end;
+ *second = strtoul (p, &end, 10);
+ if (end == p)
+ return FALSE;
+ p = end;
+
+ while (*p == ' ')
+ p++;
+ *date_string = p;
+ return *hour >= 0 && *hour < 24 && *minute >= 0 && *minute < 60 && *second >= 0 && *second < 60;
+}
+
+static inline gboolean
+parse_timezone (GTimeZone **timezone, const char **date_string)
+{
+ gint32 offset_minutes;
+ gboolean utc;
+
+ if (!**date_string) {
+ utc = FALSE;
+ offset_minutes = 0;
+ } else if (**date_string == '+' || **date_string == '-') {
+ gulong val;
+ int sign = (**date_string == '+') ? 1 : -1;
+ val = strtoul (*date_string + 1, (char **)date_string, 10);
+ if (val > 9999)
+ return FALSE;
+ if (**date_string == ':') {
+ gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
+ if (val > 99 || val2 > 99)
+ return FALSE;
+ val = 60 * val + val2;
+ } else
+ val = 60 * (val / 100) + (val % 100);
+ offset_minutes = sign * val;
+ utc = (sign == -1) && !val;
+ } else if (**date_string == 'Z') {
+ offset_minutes = 0;
+ utc = TRUE;
+ (*date_string)++;
+ } else if (!strcmp (*date_string, "GMT") ||
+ !strcmp (*date_string, "UTC")) {
+ offset_minutes = 0;
+ utc = TRUE;
+ (*date_string) += 3;
+ } else if (strchr ("ECMP", **date_string) &&
+ ((*date_string)[1] == 'D' || (*date_string)[1] == 'S') &&
+ (*date_string)[2] == 'T') {
+ offset_minutes = -60 * (5 * strcspn ("ECMP", *date_string));
+ if ((*date_string)[1] == 'D')
+ offset_minutes += 60;
+ utc = FALSE;
+ } else
+ return FALSE;
+
+ if (utc)
+ *timezone = g_time_zone_new_utc ();
+ else
+ *timezone = g_time_zone_new_offset (offset_minutes * 60);
+ return TRUE;
+}
+
+static GDateTime *
+parse_textual_date (const char *date_string)
+{
+ int month, day, year, hour, minute, second;
+ GTimeZone *tz = NULL;
+ GDateTime *date;
+
+ /* If it starts with a word, it must be a weekday, which we skip */
+ if (g_ascii_isalpha (*date_string)) {
+ while (g_ascii_isalpha (*date_string))
+ date_string++;
+ if (*date_string == ',')
+ date_string++;
+ while (g_ascii_isspace (*date_string))
+ date_string++;
+ }
+
+ /* If there's now another word, this must be an asctime-date */
+ if (g_ascii_isalpha (*date_string)) {
+ /* (Sun) Nov 6 08:49:37 1994 */
+ if (!parse_month (&month, &date_string) ||
+ !parse_day (&day, &date_string) ||
+ !parse_time (&hour, &minute, &second, &date_string) ||
+ !parse_year (&year, &date_string) ||
+ !g_date_valid_dmy (day, month, year))
+ return NULL;
+
+ /* There shouldn't be a timezone, but check anyway */
+ parse_timezone (&tz, &date_string);
+ } else {
+ /* Non-asctime date, so some variation of
+ * (Sun,) 06 Nov 1994 08:49:37 GMT
+ */
+ if (!parse_day (&day, &date_string) ||
+ !parse_month (&month, &date_string) ||
+ !parse_year (&year, &date_string) ||
+ !parse_time (&hour, &minute, &second, &date_string) ||
+ !g_date_valid_dmy (day, month, year))
+ return NULL;
+
+ /* This time there *should* be a timezone, but we
+ * survive if there isn't.
+ */
+ parse_timezone (&tz, &date_string);
+ }
+
+ if (!tz)
+ tz = g_time_zone_new_utc ();
+
+ date = g_date_time_new (tz, year, month, day, hour, minute, second);
+ g_time_zone_unref (tz);
+
+ return date;
+}
+
+/**
+ * soup_date_time_new_from_http_string:
+ * @date_string: The date as a string
+ *
+ * Parses @date_string and tries to extract a date from it.
+ *
+ * This recognizes all of the "HTTP-date" formats from RFC 2616, RFC 2822 dates,
+ * and reasonable approximations thereof. (Eg, it is lenient about whitespace,
+ * leading "0"s, etc.)
+ *
+ * Returns: (nullable): a new #GDateTime, or %NULL if @date_string
+ * could not be parsed.
+ **/
+GDateTime *
+soup_date_time_new_from_http_string (const char *date_string)
+{
+ g_return_val_if_fail (date_string != NULL, NULL);
+
+ while (g_ascii_isspace (*date_string))
+ date_string++;
+
+ /* If it starts with a digit, it's either an ISO 8601 date, or
+ * an RFC2822 date without the optional weekday; in the later
+ * case, there will be a month name later on, so look for one
+ * of the month-start letters.
+ * Previous versions of this library supported parsing iso8601 strings
+ * however g_date_time_new_from_iso8601() should be used now. Just
+ * catch those in case for testing.
+ */
+ if (G_UNLIKELY (g_ascii_isdigit (*date_string) && !strpbrk (date_string, "JFMASOND"))) {
+ g_debug ("Unsupported format passed to soup_date_time_new_from_http_string(): %s", date_string);
+ return NULL;
+ }
+
+ return parse_textual_date (date_string);
+}
diff --git a/tests/cookies-test.c b/tests/cookies-test.c
index 61adfac5..aa719cdc 100644
--- a/tests/cookies-test.c
+++ b/tests/cookies-test.c
@@ -292,6 +292,7 @@ static void
do_cookies_parsing_int32_overflow (void)
{
SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9 999:9:9+ 999999999-age=main=gne=", NULL);
+ g_test_bug ("https://gitlab.gnome.org/GNOME/libsoup/-/issues/448");
g_assert_nonnull (cookie);
g_assert_null (soup_cookie_get_expires (cookie));
soup_cookie_free (cookie);
--
2.51.0

30
SOURCES/CVE-2025-4948.patch
View File

@ -1,30 +0,0 @@
From 592db079bc2dfea75708751ed0b7533ac9fd36df Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Thu, 15 May 2025 17:49:11 +0200
Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body
It could happen that the boundary started at a place which resulted into
a negative number, which in an unsigned integer is a very large value.
Check the body size is not a negative value before setting it.
Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
---
libsoup/soup-multipart.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index dd939739..ce2fc109 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
*/
part_body = soup_buffer_new_subbuffer (flattened,
split - flattened->data,
- end - 2 - split);
+ end - 2 >= split ? end - 2 - split : 0);
g_ptr_array_add (multipart->bodies, part_body);
start = end;
--
2.49.0

102
SOURCES/CVE-2026-0719.patch
View File

@ -1,102 +0,0 @@
From 509a0471b4a5f901596e6c669dbbf5313f637a4c Mon Sep 17 00:00:00 2001
From: Mike Gorse <mgorse@suse.com>
Date: Thu, 8 Jan 2026 16:19:37 -0600
Subject: [PATCH] soup-auth-ntlm: Reject excessively long passwords
According to
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/ntlm-user-authentication,
the practical limit for a NTLM password is 128 Unicode characters, so it
should be safe to reject passwords longer than 256 bytes. Previously,
md4sum could overflow and cause an out-of-bounds memory access if an
extremely long password was provided. Also update md4sum to use unsigned
variables for size-related calculations, as a precaution.
This is CVE-2026-0719.
Closes #477.
---
libsoup/soup-auth-ntlm.c | 27 ++++++++++++++++++++-------
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
index a4465ada..64eedc64 100644
--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
@@ -349,6 +349,14 @@ soup_auth_ntlm_update_connection (SoupConnectionAuth *auth, SoupMessage *msg,
return FALSE;
}
+ if (priv->password_state == SOUP_NTLM_PASSWORD_PROVIDED && !priv->nt_hash[0]) {
+ /* This can happen if an excessively long password was
+ * provided, in which case we don't try to hash */
+ conn->state = SOUP_NTLM_FAILED;
+ priv->password_state = SOUP_NTLM_PASSWORD_REJECTED;
+ return TRUE;
+ }
+
if (!soup_ntlm_parse_challenge (auth_header + 5, &conn->nonce,
priv->domain ? NULL : &priv->domain,
&conn->ntlmv2_session, &conn->negotiate_target,
@@ -439,8 +447,10 @@ soup_auth_ntlm_authenticate (SoupAuth *auth, const char *username,
priv->username = g_strdup (username);
}
- soup_ntlm_nt_hash (password, priv->nt_hash);
- soup_ntlm_lanmanager_hash (password, priv->lm_hash);
+ if (strlen (password) < 256) {
+ soup_ntlm_nt_hash (password, priv->nt_hash);
+ soup_ntlm_lanmanager_hash (password, priv->lm_hash);
+ }
priv->password_state = SOUP_NTLM_PASSWORD_PROVIDED;
}
@@ -606,7 +616,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class)
}
static void md4sum (const unsigned char *in,
- int nbytes,
+ size_t nbytes,
unsigned char digest[16]);
typedef guint32 DES_KS[16][2]; /* Single-key DES key schedule */
@@ -652,7 +662,7 @@ soup_ntlm_nt_hash (const char *password, guchar hash[21])
{
unsigned char *buf, *p;
- p = buf = g_malloc (strlen (password) * 2);
+ p = buf = g_malloc_n (strlen (password), 2);
while (*password) {
*p++ = *password++;
@@ -1091,15 +1101,16 @@ calc_response (const guchar *key, const guchar *plaintext, guchar *results)
#define ROT(val, n) ( ((val) << (n)) | ((val) >> (32 - (n))) )
static void
-md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
+md4sum (const unsigned char *in, size_t nbytes, unsigned char digest[16])
{
unsigned char *M;
guint32 A, B, C, D, AA, BB, CC, DD, X[16];
- int pbytes, nbits = nbytes * 8, i, j;
+ size_t pbytes, nbits = nbytes * 8;
+ int i, j;
/* There is *always* padding of at least one bit. */
pbytes = ((119 - (nbytes % 64)) % 64) + 1;
- M = alloca (nbytes + pbytes + 8);
+ M = g_malloc (nbytes + pbytes + 8);
memcpy (M, in, nbytes);
memset (M + nbytes, 0, pbytes + 8);
M[nbytes] = 0x80;
@@ -1199,6 +1210,8 @@ md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
digest[13] = (D >> 8) & 0xFF;
digest[14] = (D >> 16) & 0xFF;
digest[15] = (D >> 24) & 0xFF;
+
+ g_free (M);
}
--
2.52.0

32
SOURCES/CVE-2026-1761.patch
View File

@ -1,32 +0,0 @@
From b8a709dd9da6724feea5ce632f666d53f335700f Mon Sep 17 00:00:00 2001
From: Carlos Garcia Campos <cgarcia@igalia.com>
Date: Mon, 19 Jan 2026 15:14:58 +0100
Subject: [PATCH] multipart: check length of bytes read
soup_filter_input_stream_read_until()
We do make sure the read length is smaller than the buffer length when
the boundary is not found, but we should do the same when the boundary
is found.
Spotted in #YWH-PGM9867-149
Closes #493
---
libsoup/soup-filter-input-stream.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c
index 2c30bf98..d46bff20 100644
--- a/libsoup/soup-filter-input-stream.c
+++ b/libsoup/soup-filter-input-stream.c
@@ -272,6 +272,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream,
if (eof && !*got_boundary)
read_length = MIN (fstream->priv->buf->len, length);
else
- read_length = p - buf;
+ read_length = MIN ((gsize)(p - buf), length);
+
return read_from_buf (fstream, buffer, read_length);
}
--
2.52.0

123
SOURCES/fix-ssl-test.patch
View File

@ -1,123 +0,0 @@
From c720f9c696b3b39d8c386abf8c8a9ddad447cda0 Mon Sep 17 00:00:00 2001
From: Carlos Garcia Campos <cgarcia@igalia.com>
Date: Wed, 9 Sep 2020 14:44:25 +0200
Subject: [PATCH 1/2] tests: fix SSL test with glib-networking >= 2.65.90
To make SSL tests fail with our testing certificate we create and empty
GTlsDatabase passing /dev/null to g_tls_file_database_new(). This no
longer works with newer glib-networking, since an empty file is
considered an error by gnutls and
g_tls_file_database_gnutls_populate_trust_list() now handles gnutls
errors properly. Instead, we can just use the system CA file that won't
contain our testing certificate for sure.
Fixes #201
---
tests/ssl-test.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/tests/ssl-test.c b/tests/ssl-test.c
index 735ba416..2c93ca85 100644
--- a/tests/ssl-test.c
+++ b/tests/ssl-test.c
@@ -3,7 +3,6 @@
#include "test-utils.h"
SoupURI *uri;
-GTlsDatabase *null_tlsdb;
static void
do_properties_test_for_session (SoupSession *session)
@@ -37,7 +36,7 @@ do_async_properties_tests (void)
session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL);
g_object_set (G_OBJECT (session),
- SOUP_SESSION_TLS_DATABASE, null_tlsdb,
+ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
SOUP_SESSION_SSL_STRICT, FALSE,
NULL);
do_properties_test_for_session (session);
@@ -53,7 +52,7 @@ do_sync_properties_tests (void)
session = soup_test_session_new (SOUP_TYPE_SESSION_SYNC, NULL);
g_object_set (G_OBJECT (session),
- SOUP_SESSION_TLS_DATABASE, null_tlsdb,
+ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
SOUP_SESSION_SSL_STRICT, FALSE,
NULL);
do_properties_test_for_session (session);
@@ -106,7 +105,7 @@ do_strictness_test (gconstpointer data)
}
if (!test->with_ca_list) {
g_object_set (G_OBJECT (session),
- SOUP_SESSION_TLS_DATABASE, null_tlsdb,
+ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
NULL);
}
@@ -433,7 +432,6 @@ main (int argc, char **argv)
{
SoupServer *server = NULL;
int i, ret;
- GError *error = NULL;
test_init (argc, argv, NULL);
@@ -441,9 +439,6 @@ main (int argc, char **argv)
server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
soup_server_add_handler (server, NULL, server_handler, NULL, NULL);
uri = soup_test_server_get_uri (server, "https", "127.0.0.1");
-
- null_tlsdb = g_tls_file_database_new ("/dev/null", &error);
- g_assert_no_error (error);
} else
uri = NULL;
@@ -463,7 +458,6 @@ main (int argc, char **argv)
if (tls_available) {
soup_uri_free (uri);
soup_test_server_quit_unref (server);
- g_object_unref (null_tlsdb);
}
test_cleanup ();
--
2.43.5
From 0fbc7e8220c32f4848d6f1407efe81cc13ab18ef Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Sat, 18 Jan 2025 01:20:24 -0600
Subject: [PATCH 2/2] Add workaround for flaky ssl-test connection failures
---
tests/ssl-test.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/tests/ssl-test.c b/tests/ssl-test.c
index 2c93ca85..1b48c6aa 100644
--- a/tests/ssl-test.c
+++ b/tests/ssl-test.c
@@ -348,6 +348,19 @@ got_connection (GThreadedSocketService *service,
g_clear_error (&error);
}
+ // Work around a race condition where do_tls_interaction_test's call to
+ // soup_session_send_message() fails due to the server having closed the
+ // connection:
+ //
+ // ERROR:../tests/ssl-test.c:405:do_tls_interaction_test: Unexpected status 7 Connection terminated unexpectedly (expected 200 OK)
+ //
+ // This bug is already fixed upstream, so no sense in spending a bunch
+ // of time trying to find a proper fix.
+ //
+ // I'm not certain, but I suspect it's fixed by:
+ // https://gitlab.gnome.org/GNOME/libsoup/-/commit/bd6de90343839125bd07c43c97e1000deb0b40c3
+ sleep (1);
+
g_io_stream_close (tls, NULL, &error);
g_assert_no_error (error);
--
2.43.5

97
SOURCES/no-ntlm-in-fips-mode.patch
View File

@ -1,97 +0,0 @@
From 00424003b2209b667a3c5c5b5b8167d4e100e63e Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@gnome.org>
Date: Thu, 29 Jan 2026 15:06:17 -0600
Subject: [PATCH] Disable NTLM auth and tests in FIPS mode
This is a downstream Fedora/RHEL-ecosystem patch. Upstream GHmac
supports MD5 unconditionally, but in Fedora/RHEL trying to use MD5 HMAC
will crash if FIPS mode is enabled due to the glib2 package's
gnutls-hmac.patch, which I have thus far failed to upstream. This isn't
great, but it looks like finding an upstream solution will be difficult,
so we'll just have to carry this patch for now.
https://gitlab.gnome.org/GNOME/glib/merge_requests/897
---
libsoup/soup-auth-ntlm.c | 12 ++++++++++++
tests/ntlm-test.c | 21 +++++++++++++++++++++
2 files changed, 33 insertions(+)
diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
index 2d078461..a4465ada 100644
--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
@@ -445,6 +445,17 @@ soup_auth_ntlm_authenticate (SoupAuth *auth, const char *username,
priv->password_state = SOUP_NTLM_PASSWORD_PROVIDED;
}
+static gboolean
+soup_auth_ntlm_can_authenticate (SoupAuth *auth)
+{
+ GHmac *hmac = g_hmac_new (G_CHECKSUM_MD5, (const unsigned char *)"abc123", sizeof ("abc123"));
+ if (hmac) {
+ g_hmac_unref (hmac);
+ return TRUE;
+ }
+ return FALSE;
+}
+
static gboolean
soup_auth_ntlm_is_authenticated (SoupAuth *auth)
{
@@ -577,6 +588,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class)
auth_class->get_protection_space = soup_auth_ntlm_get_protection_space;
auth_class->authenticate = soup_auth_ntlm_authenticate;
+ auth_class->can_authenticate = soup_auth_ntlm_can_authenticate;
auth_class->is_authenticated = soup_auth_ntlm_is_authenticated;
connauth_class->create_connection_state = soup_auth_ntlm_create_connection_state;
diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c
index 0cc41a7b..2cdd4611 100644
--- a/tests/ntlm-test.c
+++ b/tests/ntlm-test.c
@@ -505,6 +505,17 @@ static const NtlmTest ntlmssp_tests[] = {
{ "/ntlm/ssp/basic", "alice", FALSE, BUILTIN }
};
+static gboolean
+can_do_ntlm_test (void)
+{
+ GHmac *hmac = g_hmac_new (G_CHECKSUM_MD5, (const unsigned char *)"abc123", sizeof ("abc123"));
+ if (hmac) {
+ g_hmac_unref (hmac);
+ return TRUE;
+ }
+ return FALSE;
+}
+
static void
do_ntlm_test (TestServer *ts,
gconstpointer data)
@@ -512,6 +523,11 @@ do_ntlm_test (TestServer *ts,
const NtlmTest *test = data;
gboolean use_builtin_ntlm = TRUE;
+ if (!can_do_ntlm_test ()) {
+ g_test_skip ("NTLM authentication not available (likely due to FIPS mode)");
+ return;
+ }
+
switch (test->ntlm_type) {
case BUILTIN:
/* Built-in NTLM auth support. (We set SOUP_NTLM_AUTH_DEBUG to
@@ -587,6 +603,11 @@ do_retrying_test (TestServer *ts,
g_test_bug ("693222");
+ if (!can_do_ntlm_test ()) {
+ g_test_skip ("NTLM authentication not available (likely due to FIPS mode)");
+ return;
+ }
+
g_setenv ("SOUP_NTLM_AUTH_DEBUG", "", TRUE);
debug_printf (1, " /alice\n");
--
2.52.0

44
SOURCES/server-test-timeouts.patch
View File

@ -1,44 +0,0 @@
From 9ff306aa714efd06ceeafacee03298a3665055b1 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Wed, 30 Apr 2025 14:13:41 -0500
Subject: [PATCH] test-utils: fix deadlock in add_listener_in_thread()
The mutex is locked in the wrong place here.
Hopefully fixes #379
---
tests/test-utils.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/test-utils.c b/tests/test-utils.c
index df4cee44..5c1e316c 100644
--- a/tests/test-utils.c
+++ b/tests/test-utils.c
@@ -607,9 +607,11 @@ static gboolean
add_listener_in_thread (gpointer user_data)
{
AddListenerData *data = user_data;
+ SoupURI *uri;
- data->uri = add_listener (data->server, data->scheme, data->host);
+ uri = add_listener (data->server, data->scheme, data->host);
g_mutex_lock (&data->mutex);
+ data->uri = uri;
g_cond_signal (&data->cond);
g_mutex_unlock (&data->mutex);
@@ -641,9 +643,9 @@ soup_test_server_get_uri (SoupServer *server,
data.host = host;
data.uri = NULL;
- g_mutex_lock (&data.mutex);
soup_add_completion (context, add_listener_in_thread, &data);
+ g_mutex_lock (&data.mutex);
while (!data.uri)
g_cond_wait (&data.cond, &data.mutex);
--
GitLab

60
SOURCES/test-cert-expiration.patch
View File

@ -1,60 +0,0 @@
From 2dafd907586f52291b38c46362e72c7379558626 Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
Date: Thu, 18 Feb 2021 09:13:40 +0100
Subject: [PATCH] Extend test cert to 2049
used certtool -u \
--load-ca-privkey ./tests/test-key.pem \
--load-ca-certificate ./tests/test-cert.pem \
--load-certificate ./tests/test-cert.pem
Without this patch, 3 tests failed in 2027
11/29 misc-test FAIL 0.67s (exit status 1)
21/29 server-test FAIL 0.12s (exit status 1)
25/29 timeout-test FAIL 4.08s (killed by signal 5 SIGTRAP)
Background:
As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future.
The usual offset is +15 years, because that is how long I expect some software will be used in some places.
This showed up failing tests in our package build.
See https://reproducible-builds.org/ for why this matters.
(cherry picked from commit 38a65f080a3168e8af78bdd3e4928debeea2dbd8)
---
tests/test-cert.pem | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/tests/test-cert.pem b/tests/test-cert.pem
index ff863b4d1..4b8b180dc 100644
--- a/tests/test-cert.pem
+++ b/tests/test-cert.pem
@@ -1,6 +1,6 @@
-----BEGIN CERTIFICATE-----
MIIC2zCCAcOgAwIBAgIJALRbg2WnuAAqMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
-BAMMCTEyNy4wLjAuMTAeFw0xNzA2MjAxNDI3MzBaFw0yNzA2MTgxNDI3MzBaMBQx
+BAMMCTEyNy4wLjAuMTAeFw0yMTAyMTgwODA3MzBaFw00OTEyMzEwODA3MzRaMBQx
EjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAKs4fuRuW77nORhOT9kbbU6BsjKW3GEsMc+ZSmXjINQWpfkES2hV+DQyzhm5
qh4OLi1vYtXoSbdQNDCbA8ybZJqR8m9F3ed8vobdSSQGxWpPdXTgz27x+TpiAc9P
@@ -8,11 +8,11 @@ w83UuPvlu/0AxHJBFXVAg+id0yFu3wmGWYJHoAtvFi2xeRtAXurNuPtjZyO+gfM9
BKTRCkGsRSmPpJyGbU2Q96fjxnVfV9oYvQXeugUcSx/pTUCM/kDgD9QZCxG2rflX
NWcqDFY3uO6ZR68Qwi/KouOa8rzrgAcwhFUI6Wz0Zwi1rzRtWK5WqC24aBUYz/tK
hl8i88UDXSMh7spChdYDBGLhZyUCAwEAAaMwMC4wLAYDVR0RBCUwI4IJbG9jYWxo
-b3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQBj
-+U8tebwg5/pof5Rht6TMHqeg6Fcr4OJkL2ph2g+T/AMTS7kEGeFIKJN5AZ+S/qIY
-cdoDKHwc8+bCK/mG6DPmJ4z/2Eamb85YhplOLVrLRwfxRebTK9CtnjcjnflAiU9H
-7vPVwXIvkwebhBSQNKTdkBlPXKaTNWXuygeFG2OVQkPf/KAxSdtg2R+owv/s802Z
-HISk26wY9oFIQz6AiXWdrY1QqNOltZ7rlU5iofAH7X+9ryZlxPWj/gHg2YQRvvLl
-dq6nCF+ED0ke7h0lg5nU0beKEygwli8DlLVbu0JK0PkARFp5t7wUtzC9DCjzvfOc
-gxR44PyZX7/2oaTDm4PS
+b3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQAz
+/qYTUuBGHgp7T1cfaJPnhx6U1SMfdJRtFoWOXDx+MNCK9GYkdMEabzRGUP5uNHO+
+PiZP/bMIHlpsbRA5AyyVf9Xv8JCujvYh24qYcBbwgZrfvNTm0D52P9JJm0SalTXS
+kwwTj00DWGVfVzJR+wiwYGHRIlyXbHqQSRzv6+z9f/xY5gXw/KpCNYTuOJcXW7w6
+JfMrUnc9pphRUpcLkuuzOMKuB0dtWRc0mZIr7PZHt+0gitNZWA0bDYI3JI9tlK17
+nxBUSpGtJwDgH//b8ek/P0P9a5VzQbBC6lXtQUMdxg7ovfAI//IS8ekBoRKI0Wde
+r2IpM9hKSBU3c2gGXcJC
-----END CERTIFICATE-----
--
GitLab

83
SPECS/libsoup.spec
View File

@ -2,7 +2,7 @@
Name: libsoup
Version: 2.62.3
Release: 13%{?dist}
Release: 5%{?dist}
Summary: Soup, an HTTP library implementation
License: LGPLv2
@ -14,45 +14,6 @@ Patch0002: 0002-WebSockets-allow-null-characters-in-text-messages-da.patch
Patch0003: 0003-WebSockets-only-poll-IO-stream-when-needed.patch
Patch0004: 0004-ntlmv2.patch
Patch0005: 0005-WebSockets-do-not-start-the-input-source-when-IO-is-closing.patch
Patch0006: CVE-2024-52530.patch
Patch0007: CVE-2024-52531.patch
Patch0008: CVE-2024-52532.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/446
Patch0009: test-cert-expiration.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/415
Patch0010: CVE-2025-32050.patch
Patch0011: CVE-2025-32052.patch
Patch0012: CVE-2025-32053.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/440
Patch0013: CVE-2025-32906.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/422
Patch0014: CVE-2025-32911-CVE-2025-32913.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/421
Patch0015: CVE-2025-46420.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436
Patch0016: CVE-2025-46421.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/408 (simplified)
Patch0017: CVE-2025-32049.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450
Patch0018: CVE-2025-32914.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/issues/422
Patch0019: CVE-2025-2784.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463
Patch0020: CVE-2025-4948.patch
# https://issues.redhat.com/browse/RHEL-76426
Patch0021: fix-ssl-test.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/454
Patch0022: server-test-timeouts.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/473
Patch0023: CVE-2025-4945-CVE-2025-11021.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/issues/472
Patch0024: CVE-2025-14523.patch
# Downstream patch, needed due to glib2 gnutls-hmac.patch
Patch0025: no-ntlm-in-fips-mode.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494
Patch0026: CVE-2026-0719.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/496
Patch0027: CVE-2026-1761.patch
BuildRequires: chrpath
BuildRequires: glib2-devel >= %{glib2_version}
@ -127,48 +88,6 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so
%{_datadir}/vala/vapi/libsoup-2.4.vapi
%changelog
* Mon Feb 02 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-13
- Backport patch for CVE-2026-1761
* Fri Jan 30 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-12
- Backport patch for CVE-2026-0719
- Fix NTLM authentication test failures in FIPS mode
* Wed Jan 07 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-11
- Backport patch for CVE-2025-14523
* Thu Oct 30 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-10
- Backport patch for CVE-2025-4945 and CVE-2025-11021
* Thu May 22 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-9
- Add patches to improve test reliability
- Backport patches for various CVEs
Resolves: RHEL-85879
Resolves: RHEL-92280
Resolves: RHEL-93031
Resolves: RHEL-93032
* Thu May 01 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-8
- Backport patches for various CVEs, plus test improvements
Resolves: RHEL-85887
Resolves: RHEL-85900
Resolves: RHEL-85901
Resolves: RHEL-87039
Resolves: RHEL-87094
Resolves: RHEL-87114
Resolves: RHEL-88348
Resolves: RHEL-88351
* Tue Jan 28 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-7
- Backport upstream patch for CVE-2024-52531 - buffer overflow via UTF-8 conversion in soup_header_parse_param_list_strict
Resolves: RHEL-76376
* Tue Nov 12 2024 Tomas Popela <tpopela@redhat.com> - 2.62.3-6
- Backport upstream patch for CVE-2024-52530 - HTTP request smuggling via stripping null bytes from the ends of header names
- Backport upstream patch for CVE-2024-52532 - infinite loop while reading websocket data
- Resolves: RHEL-67076
- Resolves: RHEL-67067
* Tue Sep 05 2023 Milan Crha <mcrha@redhat.com> - 2.62.3-5
- Resolves: RHEL-2240 (Correct BuildRequires for python3)