18 changed files with 1 additions and 995 deletions
--- a/SOURCES/CVE-2024-52530.patch
+++ b/SOURCES/CVE-2024-52530.patch
@ -1,129 +0,0 @@
 diff -up libsoup-2.62.2/libsoup/soup-headers.c.cve-2024-52530 libsoup-2.62.2/libsoup/soup-headers.c
 --- libsoup-2.62.2/libsoup/soup-headers.c.cve-2024-52530	2018-03-23 14:44:54.000000000 +0100
 +++ libsoup-2.62.2/libsoup/soup-headers.c	2024-11-12 10:23:16.693272087 +0100
@@ -50,13 +50,14 @@ soup_headers_parse (const char *str, int
 	 * ignorable trailing whitespace.
 	 */
 +	/* No '\0's are allowed */
 +	if (memchr (str, '\0', len))
 +		return FALSE;
 +
 	/* Skip over the Request-Line / Status-Line */
 	headers_start = memchr (str, '\n', len);
 	if (!headers_start)
 		return FALSE;
 -	/* No '\0's in the Request-Line / Status-Line */
 -	if (memchr (str, '\0', headers_start - str))
 -		return FALSE;
 	/* We work on a copy of the headers, which we can write '\0's
 	 * into, so that we don't have to individually g_strndup and
@@ -68,14 +69,6 @@ soup_headers_parse (const char *str, int
 	headers_copy[copy_len] = '\0';
 	value_end = headers_copy;
 -	/* There shouldn't be any '\0's in the headers already, but
 -	 * this is the web we're talking about.
 -	 */
 -	while ((p = memchr (headers_copy, '\0', copy_len))) {
 -		memmove (p, p + 1, copy_len - (p - headers_copy));
 -		copy_len--;
 -	}
 -
 	while (*(value_end + 1)) {
 		name = value_end + 1;
 		name_end = strchr (name, ':');
 diff -up libsoup-2.62.2/tests/header-parsing.c.cve-2024-52530 libsoup-2.62.2/tests/header-parsing.c
 --- libsoup-2.62.2/tests/header-parsing.c.cve-2024-52530	2024-11-12 10:25:26.452447520 +0100
 +++ libsoup-2.62.2/tests/header-parsing.c	2024-11-12 10:28:05.738158891 +0100
@@ -358,24 +358,6 @@ static struct RequestTest {
 	  }
 	},
 -	{ "NUL in header name", "760832",
 -	  "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
 -	  SOUP_STATUS_OK,
 -	  "GET", "/", SOUP_HTTP_1_1,
 -	  { { "Host", "example.com" },
 -	    { NULL }
 -	  }
 -	},
 -
 -	{ "NUL in header value", "760832",
 -	  "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
 -	  SOUP_STATUS_OK,
 -	  "GET", "/", SOUP_HTTP_1_1,
 -	  { { "Host", "examplecom" },
 -	    { NULL }
 -	  }
 -	},
 -
 	/************************/
 	/*** INVALID REQUESTS ***/
 	/************************/
@@ -448,6 +430,21 @@ static struct RequestTest {
 	  SOUP_STATUS_EXPECTATION_FAILED,
 	  NULL, NULL, -1,
 	  { { NULL } }
 +	},
 +
 +	// https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
 +	{ "NUL in header name", NULL,
 +	  "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
 +	  SOUP_STATUS_BAD_REQUEST,
 +	  NULL, NULL, -1,
 +	  { { NULL } }
 +	},
 +
 +	{ "NUL in header value", NULL,
 +	  "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
 +	  SOUP_STATUS_BAD_REQUEST,
 +           NULL, NULL, -1,
 +	  { { NULL } }
 	}
 };
 static const int num_reqtests = G_N_ELEMENTS (reqtests);
@@ -620,22 +617,6 @@ static struct ResponseTest {
 	    { NULL } }
 	},
 -	{ "NUL in header name", "760832",
 -	  "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
 -	  SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
 -	  { { "Foo", "bar" },
 -	    { NULL }
 -	  }
 -	},
 -
 -	{ "NUL in header value", "760832",
 -	  "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
 -	  SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
 -	  { { "Foo", "bar" },
 -	    { NULL }
 -	  }
 -	},
 -
 	/********************************/
 	/*** VALID CONTINUE RESPONSES ***/
 	/********************************/
@@ -768,6 +749,19 @@ static struct ResponseTest {
 	  { { NULL }
 	  }
 	},
 +
 +	// https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
 +	{ "NUL in header name", NULL,
 +	  "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
 +	  -1, 0, NULL,
 +	  { { NULL } }
 +	},
 +
 +	{ "NUL in header value", "760832",
 +	  "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
 +	  -1, 0, NULL,
 +	  { { NULL } }
 +	},
 };
 static const int num_resptests = G_N_ELEMENTS (resptests);
--- a/SOURCES/CVE-2024-52531.patch
+++ b/SOURCES/CVE-2024-52531.patch
@ -1,121 +0,0 @@
 From bbeb7d59f98d0073291ca4a7ee9ce1a946842734 Mon Sep 17 00:00:00 2001
 From: Patrick Griffis <pgriffis@igalia.com>
 Date: Tue, 27 Aug 2024 13:53:26 -0500
 Subject: [PATCH] headers: Be more robust against invalid input when parsing
 params
 If you pass invalid input to a function such as soup_header_parse_param_list_strict()
 it can cause an overflow if it decodes the input to UTF-8.
 This should never happen with valid UTF-8 input which libsoup's client API
 ensures, however it's server API does not currently.
 ---
 libsoup/soup-headers.c | 46 +++++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 23 deletions(-)
 diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
 index 271d2a63..8657483f 100644
 --- a/libsoup/soup-headers.c
 +++ b/libsoup/soup-headers.c
@@ -650,8 +650,9 @@ soup_header_contains (const char *header, const char *token)
 }
 static void
 -decode_quoted_string (char *quoted_string)
 +decode_quoted_string_inplace (GString *quoted_gstring)
 {
 +	char *quoted_string = quoted_gstring->str;
 	char *src, *dst;
 	src = quoted_string + 1;
@@ -665,10 +666,11 @@ decode_quoted_string (char *quoted_string)
 }
 static gboolean
 -decode_rfc5987 (char *encoded_string)
 +decode_rfc5987_inplace (GString *encoded_gstring)
 {
 	char *q, *decoded;
 	gboolean iso_8859_1 = FALSE;
 +	const char *encoded_string = encoded_gstring->str;
 	q = strchr (encoded_string, '\'');
 	if (!q)
@@ -697,14 +699,7 @@ decode_rfc5987 (char *encoded_string)
 		decoded = utf8;
 	}
 -	/* If encoded_string was UTF-8, then each 3-character %-escape
 -	 * will be converted to a single byte, and so decoded is
 -	 * shorter than encoded_string. If encoded_string was
 -	 * iso-8859-1, then each 3-character %-escape will be
 -	 * converted into at most 2 bytes in UTF-8, and so it's still
 -	 * shorter.
 -	 */
 -	strcpy (encoded_string, decoded);
 +	g_string_assign (encoded_gstring, decoded);
 	g_free (decoded);
 	return TRUE;
 }
@@ -714,15 +709,17 @@ parse_param_list (const char *header, char delim)
 {
 	GHashTable *params;
 	GSList *list, *iter;
 -	char *item, *eq, *name_end, *value;
 -	gboolean override;
 	params = g_hash_table_new_full (soup_str_case_hash, 
 					soup_str_case_equal,
 -					g_free, NULL);
 +					g_free, g_free);
 	list = parse_list (header, delim);
 	for (iter = list; iter; iter = iter->next) {
 +		char *item, *eq, *name_end;
 +		gboolean override, duplicated;
 +		GString *parsed_value = NULL;
 +
 		item = iter->data;
 		override = FALSE;
@@ -737,24 +734,27 @@ parse_param_list (const char *header, char delim)
 			*name_end = '\0';
 -			value = (char *)skip_lws (eq + 1);
 +			parsed_value = g_string_new ((char *)skip_lws (eq + 1));
 			if (name_end[-1] == '*' && name_end > item + 1) {
 				name_end[-1] = '\0';
 -				if (!decode_rfc5987 (value)) {
 +				if (!decode_rfc5987_inplace (parsed_value)) {
 +					g_string_free (parsed_value, TRUE);
 					g_free (item);
 					continue;
 				}
 				override = TRUE;
 -			} else if (*value == '"')
 -				decode_quoted_string (value);
 -		} else
 -			value = NULL;
 -
 -		if (override || !g_hash_table_lookup (params, item))
 -			g_hash_table_replace (params, item, value);
 -		else
 +			} else if (parsed_value->str[0] == '"')
 +				decode_quoted_string_inplace (parsed_value);
 +		}
 +
 +		if (override || !g_hash_table_lookup (params, item)) {
 +			g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
 +		} else {
 +			if (parsed_value)
 +				g_string_free (parsed_value, TRUE);
 			g_free (item);
 +		}
 	}
 	g_slist_free (list);
 -- 
 2.48.1
--- a/SOURCES/CVE-2024-52532.patch
+++ b/SOURCES/CVE-2024-52532.patch
@ -1,15 +0,0 @@
 diff -up libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 libsoup-2.62.3/libsoup/soup-websocket-connection.c
 --- libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532	2024-11-12 12:00:27.183570627 +0100
 +++ libsoup-2.62.3/libsoup/soup-websocket-connection.c	2024-11-12 12:01:02.334987409 +0100
@@ -1041,9 +1041,9 @@ soup_websocket_connection_read (SoupWebs
 		}
 		pv->incoming->len = len + count;
 -	} while (count > 0);
 +		process_incoming (self);
 +	} while (count > 0 && !pv->close_sent && !pv->io_closing);
 -	process_incoming (self);
 	if (end) {
 		if (!pv->close_sent || !pv->close_received) {
--- a/SOURCES/CVE-2025-2784.patch
+++ b/SOURCES/CVE-2025-2784.patch
@ -1,48 +0,0 @@
 From b7213fc6c639b5ca6c91e215aee18cea36d9dc95 Mon Sep 17 00:00:00 2001
 From: Patrick Griffis <pgriffis@igalia.com>
 Date: Tue, 18 Feb 2025 14:29:50 -0600
 Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
 ---
 libsoup/soup-content-sniffer.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
 index 698d05e4..3fb29adf 100644
 --- a/libsoup/soup-content-sniffer.c
 +++ b/libsoup/soup-content-sniffer.c
@@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
 }
 static gboolean
 -skip_insignificant_space (const char *resource, int *pos, int resource_length)
 +skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
 {
 +        if (*pos >= resource_length)
 +	        return TRUE;
 +
 	while ((resource[*pos] == '\x09') ||
 	       (resource[*pos] == '\x20') ||
 	       (resource[*pos] == '\x0A') ||
@@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
 {
 	const char *resource = (const char *)buffer->data;
 	int resource_length = MIN (512, buffer->length);
 -	int pos = 0;
 +	gsize pos = 0;
 	if (resource_length < 3)
 		goto text_html;
@@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
 		pos = 3;
  look_for_tag:
 -	if (pos > resource_length)
 -		goto text_html;
 -
 	if (skip_insignificant_space (resource, &pos, resource_length))
 		goto text_html;
 -- 
 2.49.0
--- a/SOURCES/CVE-2025-32049.patch
+++ b/SOURCES/CVE-2025-32049.patch
@ -1,30 +0,0 @@
 From 6ec7c5be50b48d6ce0a09aa3468f2c5725406a97 Mon Sep 17 00:00:00 2001
 From: Michael Catanzaro <mcatanzaro@redhat.com>
 Date: Wed, 21 May 2025 10:42:51 -0500
 Subject: [PATCH] Add size limit for total message size
 This size limit could break applications, but it will close the denial
 of service issue.
 ---
 libsoup/soup-websocket-connection.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
 index 36524d04..f8764aff 100644
 --- a/libsoup/soup-websocket-connection.c
 +++ b/libsoup/soup-websocket-connection.c
@@ -913,6 +913,11 @@ process_contents (SoupWebsocketConnection *self,
 		switch (pv->message_opcode) {
 		case 0x01:
 		case 0x02:
 +			/* Safety valve */
 +			if (pv->message_data->len + payload_len > pv->max_incoming_payload_size) {
 +				too_big_error_and_close (self, (pv->message_data->len + payload_len));
 +				return;
 +			}
 			g_byte_array_append (pv->message_data, payload, payload_len);
 			break;
 		default:
 -- 
 2.49.0
--- a/SOURCES/CVE-2025-32050.patch
+++ b/SOURCES/CVE-2025-32050.patch
@ -1,25 +0,0 @@
 From 9bb0a55de55c6940ced811a64fbca82fe93a9323 Mon Sep 17 00:00:00 2001
 From: Patrick Griffis <pgriffis@igalia.com>
 Date: Mon, 28 Oct 2024 12:29:48 -0500
 Subject: [PATCH] Fix using int instead of size_t for strcspn return
 ---
 libsoup/soup-headers.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
 index 613e1905..a5f7a7f6 100644
 --- a/libsoup/soup-headers.c
 +++ b/libsoup/soup-headers.c
@@ -907,7 +907,7 @@ append_param_quoted (GString    *string,
 		     const char *name,
 		     const char *value)
 {
 -	int len;
 +	gsize len;
 	g_string_append (string, name);
 	g_string_append (string, "=\"");
 -- 
 GitLab
--- a/SOURCES/CVE-2025-32052.patch
+++ b/SOURCES/CVE-2025-32052.patch
@ -1,26 +0,0 @@
 From 1542173d11df64e39e71367f10596e8160481290 Mon Sep 17 00:00:00 2001
 From: Patrick Griffis <pgriffis@igalia.com>
 Date: Sat, 16 Nov 2024 12:07:30 -0600
 Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff
 Co-Author: Ar Jun <pkillarjun@protonmail.com>
 ---
 libsoup/soup-content-sniffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
 index 967ec614..26c65bbd 100644
 --- a/libsoup/soup-content-sniffer.c
 +++ b/libsoup/soup-content-sniffer.c
@@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer,
 			guint index_pattern = 0;
 			gboolean skip_row = FALSE;
 -			while ((index_stream < resource_length) &&
 +			while ((index_stream < resource_length - 1) &&
 			       (index_pattern <= type_row->pattern_length)) {
 				/* Skip insignificant white space ("WS" in the spec) */
 				if (type_row->pattern[index_pattern] == ' ') {
 -- 
 2.49.0
--- a/SOURCES/CVE-2025-32053.patch
+++ b/SOURCES/CVE-2025-32053.patch
@ -1,35 +0,0 @@
 From 8e1793e2ddd8c2648b9a28f06bf21fd13bd12b39 Mon Sep 17 00:00:00 2001
 From: Ar Jun <pkillarjun@protonmail.com>
 Date: Mon, 18 Nov 2024 14:59:51 -0600
 Subject: [PATCH] Fix heap buffer overflow in
 soup-content-sniffer.c:sniff_feed_or_html()
 ---
 libsoup/soup-content-sniffer.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
 index 26c65bbd..698d05e4 100644
 --- a/libsoup/soup-content-sniffer.c
 +++ b/libsoup/soup-content-sniffer.c
@@ -620,7 +620,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length)
 	       (resource[*pos] == '\x0D')) {
 		*pos = *pos + 1;
 -		if (*pos > resource_length)
 +		if (*pos >= resource_length)
 			return TRUE;
 	}
@@ -682,7 +682,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
 		do {
 			pos++;
 -			if (pos > resource_length)
 +			if ((pos + 1) > resource_length)
 				goto text_html;
 		} while (resource[pos] != '>');
 -- 
 2.49.0
--- a/SOURCES/CVE-2025-32906.patch
+++ b/SOURCES/CVE-2025-32906.patch
@ -1,65 +0,0 @@
 From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
 From: Patrick Griffis <pgriffis@igalia.com>
 Date: Tue, 11 Feb 2025 14:36:26 -0600
 Subject: [PATCH 1/2] headers: Handle parsing edge case
 This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
 ---
 libsoup/soup-headers.c      |  2 +-
 tests/header-parsing-test.c | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
 index 85385cea..9d6d00a3 100644
 --- a/libsoup/soup-headers.c
 +++ b/libsoup/soup-headers.c
@@ -225,7 +225,7 @@ soup_headers_parse_request (const char          *str,
 	    !g_ascii_isdigit (version[5]))
 		return SOUP_STATUS_BAD_REQUEST;
 	major_version = strtoul (version + 5, &p, 10);
 -	if (*p != '.' || !g_ascii_isdigit (p[1]))
 +	if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
 		return SOUP_STATUS_BAD_REQUEST;
 	minor_version = strtoul (p + 1, &p, 10);
 	version_end = p;
 -- 
 GitLab
 From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
 From: Patrick Griffis <pgriffis@igalia.com>
 Date: Wed, 12 Feb 2025 11:30:02 -0600
 Subject: [PATCH 2/2] headers: Handle parsing only newlines
 Closes #404
 Closes #407
 ---
 libsoup/soup-headers.c      |  4 ++--
 tests/header-parsing-test.c | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)
 diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
 index 9d6d00a3..52ef2ece 100644
 --- a/libsoup/soup-headers.c
 +++ b/libsoup/soup-headers.c
@@ -186,7 +186,7 @@ soup_headers_parse_request (const char          *str,
 	/* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
 	 * received where a Request-Line is expected."
 	 */
 -	while ((*str == '\r' || *str == '\n') && len > 0) {
 +	while (len > 0 && (*str == '\r' || *str == '\n')) {
 		str++;
 		len--;
 	}
@@ -371,7 +371,7 @@ soup_headers_parse_response (const char          *str,
 	 * after a response, which we then see prepended to the next
 	 * response on that connection.
 	 */
 -	while ((*str == '\r' || *str == '\n') && len > 0) {
 +	while (len > 0 && (*str == '\r' || *str == '\n')) {
 		str++;
 		len--;
 	}
 -- 
 GitLab
--- a/SOURCES/CVE-2025-32911-CVE-2025-32913.patch
+++ b/SOURCES/CVE-2025-32911-CVE-2025-32913.patch
@ -1,67 +0,0 @@
 From f2d316341c00a343d0b46edd590efa8c102521c3 Mon Sep 17 00:00:00 2001
 From: Patrick Griffis <pgriffis@igalia.com>
 Date: Fri, 27 Dec 2024 17:53:50 -0600
 Subject: [PATCH 1/2] soup_message_headers_get_content_disposition: Fix NULL
 deref
 ---
 libsoup/soup-message-headers.c | 13 +++++++++----
 tests/header-parsing-test.c    | 13 +++++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)
 diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
 index 5c8c7cb9..ccf31233 100644
 --- a/libsoup/soup-message-headers.c
 +++ b/libsoup/soup-message-headers.c
@@ -1443,10 +1443,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders  *hdrs,
 	 */
 	if (params && g_hash_table_lookup_extended (*params, "filename",
 						    &orig_key, &orig_value)) {
 -		char *filename = strrchr (orig_value, '/');
 -
 -		if (filename)
 -			g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
 +                if (orig_value) {
 +                        char *filename = strrchr (orig_value, '/');
 +
 +                        if (filename)
 +                                g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
 +                } else {
 +                        /* filename with no value isn't valid. */
 +                        g_hash_table_remove (*params, "filename");
 +                }
 	}
 	return TRUE;
 }
 -- 
 2.49.0
 From dd3a245941f117832dd1fdda4f8bc68b44e2810d Mon Sep 17 00:00:00 2001
 From: Patrick Griffis <pgriffis@igalia.com>
 Date: Fri, 27 Dec 2024 18:00:39 -0600
 Subject: [PATCH 2/2] soup_message_headers_get_content_disposition: strdup
 truncated filenames
 This table frees the strings it contains.
 ---
 libsoup/soup-message-headers.c | 2 +-
 tests/header-parsing-test.c    | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
 index ccf31233..64847e30 100644
 --- a/libsoup/soup-message-headers.c
 +++ b/libsoup/soup-message-headers.c
@@ -1447,7 +1447,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders  *hdrs,
                         char *filename = strrchr (orig_value, '/');
                         if (filename)
 -                                g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
 +                                g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
                 } else {
                         /* filename with no value isn't valid. */
                         g_hash_table_remove (*params, "filename");
 -- 
 2.49.0
--- a/SOURCES/CVE-2025-32914.patch
+++ b/SOURCES/CVE-2025-32914.patch
@ -1,30 +0,0 @@
 From 51c25f470f85b485818c253718594a4d59b39931 Mon Sep 17 00:00:00 2001
 From: Milan Crha <mcrha@redhat.com>
 Date: Tue, 15 Apr 2025 09:03:00 +0200
 Subject: [PATCH] multipart: Fix read out of buffer bounds under
 soup_multipart_new_from_message()
 This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
 of the body argument.
 Closes #436
 ---
 libsoup/soup-multipart.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
 index a7e550f1..dd939739 100644
 --- a/libsoup/soup-multipart.c
 +++ b/libsoup/soup-multipart.c
@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
 			return NULL;
 		}
 -		split = strstr (start, "\r\n\r\n");
 +		split = g_strstr_len (start, body_end - start, "\r\n\r\n");
 		if (!split || split > end) {
 			soup_multipart_free (multipart);
 			soup_buffer_free (flattened);
 -- 
 2.49.0
--- a/SOURCES/CVE-2025-46420.patch
+++ b/SOURCES/CVE-2025-46420.patch
@ -1,56 +0,0 @@
 From 355d7979ac27c6a83684e079d5bc6cf148e7bc16 Mon Sep 17 00:00:00 2001
 From: Patrick Griffis <pgriffis@igalia.com>
 Date: Thu, 26 Dec 2024 18:31:42 -0600
 Subject: [PATCH] soup_header_parse_quality_list: Fix leak
 When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings.
 ---
 libsoup/soup-headers.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
 diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
 index eec28adf..3e922816 100644
 --- a/libsoup/soup-headers.c
 +++ b/libsoup/soup-headers.c
@@ -535,7 +535,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
 	GSList *unsorted;
 	QualityItem *array;
 	GSList *sorted, *iter;
 -	char *item, *semi;
 +	char *semi;
 	const char *param, *equal, *value;
 	double qval;
 	int n;
@@ -548,9 +548,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
 	unsorted = soup_header_parse_list (header);
 	array = g_new0 (QualityItem, g_slist_length (unsorted));
 	for (iter = unsorted, n = 0; iter; iter = iter->next) {
 -		item = iter->data;
 		qval = 1.0;
 -		for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) {
 +		for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) {
 			param = skip_lws (semi + 1);
 			if (*param != 'q')
 				continue;
@@ -582,15 +581,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
 		if (qval == 0.0) {
 			if (unacceptable) {
 				*unacceptable = g_slist_prepend (*unacceptable,
 -								 item);
 +								 g_steal_pointer (&iter->data));
 			}
 		} else {
 -			array[n].item = item;
 +			array[n].item = g_steal_pointer (&iter->data);
 			array[n].qval = qval;
 			n++;
 		}
 	}
 -	g_slist_free (unsorted);
 +	g_slist_free_full (unsorted, g_free);
 	qsort (array, n, sizeof (QualityItem), sort_by_qval);
 	sorted = NULL;
 -- 
 2.49.0
--- a/SOURCES/CVE-2025-46421.patch
+++ b/SOURCES/CVE-2025-46421.patch
@ -1,32 +0,0 @@
 From 4329a7e88c72079ae3eedbb1558b929851507464 Mon Sep 17 00:00:00 2001
 From: Patrick Griffis <pgriffis@igalia.com>
 Date: Wed, 5 Feb 2025 16:18:10 -0600
 Subject: [PATCH] session: Strip authentication credentails on cross-origin
 redirect
 This should match the behavior of Firefox and Safari but not of Chromium.
 ---
 libsoup/soup-session.c |  6 ++++
 tests/auth-test.c      | 77 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+)
 diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
 index dd3cdc46..82ca8bf9 100644
 --- a/libsoup/soup-session.c
 +++ b/libsoup/soup-session.c
@@ -1187,6 +1187,12 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
 						   SOUP_ENCODING_NONE);
 	}
 +        /* Strip all credentials on cross-origin redirect. */
 +        if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
 +                soup_message_headers_remove (msg->request_headers, "Authorization");
 +                soup_message_set_auth (msg, NULL);
 +        }
 +
 	soup_message_set_uri (msg, new_uri);
 	soup_uri_free (new_uri);
 -- 
 2.49.0
--- a/SOURCES/CVE-2025-4948.patch
+++ b/SOURCES/CVE-2025-4948.patch
@ -1,30 +0,0 @@
 From 592db079bc2dfea75708751ed0b7533ac9fd36df Mon Sep 17 00:00:00 2001
 From: Milan Crha <mcrha@redhat.com>
 Date: Thu, 15 May 2025 17:49:11 +0200
 Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body
 It could happen that the boundary started at a place which resulted into
 a negative number, which in an unsigned integer is a very large value.
 Check the body size is not a negative value before setting it.
 Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
 ---
 libsoup/soup-multipart.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
 index dd939739..ce2fc109 100644
 --- a/libsoup/soup-multipart.c
 +++ b/libsoup/soup-multipart.c
@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
 		 */
 		part_body = soup_buffer_new_subbuffer (flattened,
 						       split - flattened->data,
 -						       end - 2 - split);
 +						       end - 2 >= split ? end - 2 - split : 0);
 		g_ptr_array_add (multipart->bodies, part_body);
 		start = end;
 -- 
 2.49.0
--- a/SOURCES/fix-ssl-test.patch
+++ b/SOURCES/fix-ssl-test.patch
@ -1,123 +0,0 @@
 From c720f9c696b3b39d8c386abf8c8a9ddad447cda0 Mon Sep 17 00:00:00 2001
 From: Carlos Garcia Campos <cgarcia@igalia.com>
 Date: Wed, 9 Sep 2020 14:44:25 +0200
 Subject: [PATCH 1/2] tests: fix SSL test with glib-networking >= 2.65.90
 To make SSL tests fail with our testing certificate we create and empty
 GTlsDatabase passing /dev/null to g_tls_file_database_new(). This no
 longer works with newer glib-networking, since an empty file is
 considered an error by gnutls and
 g_tls_file_database_gnutls_populate_trust_list() now handles gnutls
 errors properly. Instead, we can just use the system CA file that won't
 contain our testing certificate for sure.
 Fixes #201
 ---
 tests/ssl-test.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
 diff --git a/tests/ssl-test.c b/tests/ssl-test.c
 index 735ba416..2c93ca85 100644
 --- a/tests/ssl-test.c
 +++ b/tests/ssl-test.c
@@ -3,7 +3,6 @@
 #include "test-utils.h"
 SoupURI *uri;
 -GTlsDatabase *null_tlsdb;
 static void
 do_properties_test_for_session (SoupSession *session)
@@ -37,7 +36,7 @@ do_async_properties_tests (void)
 	session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL);
 	g_object_set (G_OBJECT (session),
 -		      SOUP_SESSION_TLS_DATABASE, null_tlsdb,
 +		      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
 		      SOUP_SESSION_SSL_STRICT, FALSE,
 		      NULL);
 	do_properties_test_for_session (session);
@@ -53,7 +52,7 @@ do_sync_properties_tests (void)
 	session = soup_test_session_new (SOUP_TYPE_SESSION_SYNC, NULL);
 	g_object_set (G_OBJECT (session),
 -		      SOUP_SESSION_TLS_DATABASE, null_tlsdb,
 +		      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
 		      SOUP_SESSION_SSL_STRICT, FALSE,
 		      NULL);
 	do_properties_test_for_session (session);
@@ -106,7 +105,7 @@ do_strictness_test (gconstpointer data)
 	}
 	if (!test->with_ca_list) {
 		g_object_set (G_OBJECT (session),
 -			      SOUP_SESSION_TLS_DATABASE, null_tlsdb,
 +			      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
 			      NULL);
 	}
@@ -433,7 +432,6 @@ main (int argc, char **argv)
 {
 	SoupServer *server = NULL;
 	int i, ret;
 -	GError *error = NULL;
 	test_init (argc, argv, NULL);
@@ -441,9 +439,6 @@ main (int argc, char **argv)
 		server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
 		soup_server_add_handler (server, NULL, server_handler, NULL, NULL);
 		uri = soup_test_server_get_uri (server, "https", "127.0.0.1");
 -
 -		null_tlsdb = g_tls_file_database_new ("/dev/null", &error);
 -		g_assert_no_error (error);
 	} else
 		uri = NULL;
@@ -463,7 +458,6 @@ main (int argc, char **argv)
 	if (tls_available) {
 		soup_uri_free (uri);
 		soup_test_server_quit_unref (server);
 -		g_object_unref (null_tlsdb);
 	}
 	test_cleanup ();
 -- 
 2.43.5
 From 0fbc7e8220c32f4848d6f1407efe81cc13ab18ef Mon Sep 17 00:00:00 2001
 From: Michael Catanzaro <mcatanzaro@redhat.com>
 Date: Sat, 18 Jan 2025 01:20:24 -0600
 Subject: [PATCH 2/2] Add workaround for flaky ssl-test connection failures
 ---
 tests/ssl-test.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 diff --git a/tests/ssl-test.c b/tests/ssl-test.c
 index 2c93ca85..1b48c6aa 100644
 --- a/tests/ssl-test.c
 +++ b/tests/ssl-test.c
@@ -348,6 +348,19 @@ got_connection (GThreadedSocketService *service,
 		g_clear_error (&error);
 	}
 +	// Work around a race condition where do_tls_interaction_test's call to
 +	// soup_session_send_message() fails due to the server having closed the
 +	// connection:
 +	//
 +	// ERROR:../tests/ssl-test.c:405:do_tls_interaction_test: Unexpected status 7 Connection terminated unexpectedly (expected 200 OK)
 +	//
 +	// This bug is already fixed upstream, so no sense in spending a bunch
 +	// of time trying to find a proper fix.
 +	//
 +	// I'm not certain, but I suspect it's fixed by:
 +	// https://gitlab.gnome.org/GNOME/libsoup/-/commit/bd6de90343839125bd07c43c97e1000deb0b40c3
 +	sleep (1);
 +
 	g_io_stream_close (tls, NULL, &error);
 	g_assert_no_error (error);
 -- 
 2.43.5
--- a/SOURCES/server-test-timeouts.patch
+++ b/SOURCES/server-test-timeouts.patch
@ -1,44 +0,0 @@
 From 9ff306aa714efd06ceeafacee03298a3665055b1 Mon Sep 17 00:00:00 2001
 From: Michael Catanzaro <mcatanzaro@redhat.com>
 Date: Wed, 30 Apr 2025 14:13:41 -0500
 Subject: [PATCH] test-utils: fix deadlock in add_listener_in_thread()
 The mutex is locked in the wrong place here.
 Hopefully fixes #379
 ---
 tests/test-utils.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/tests/test-utils.c b/tests/test-utils.c
 index df4cee44..5c1e316c 100644
 --- a/tests/test-utils.c
 +++ b/tests/test-utils.c
@@ -607,9 +607,11 @@ static gboolean
 add_listener_in_thread (gpointer user_data)
 {
 	AddListenerData *data = user_data;
 +	SoupURI *uri;
 -	data->uri = add_listener (data->server, data->scheme, data->host);
 +	uri = add_listener (data->server, data->scheme, data->host);
 	g_mutex_lock (&data->mutex);
 +	data->uri = uri;
 	g_cond_signal (&data->cond);
 	g_mutex_unlock (&data->mutex);
@@ -641,9 +643,9 @@ soup_test_server_get_uri (SoupServer    *server,
 		data.host = host;
 		data.uri = NULL;
 -		g_mutex_lock (&data.mutex);
 		soup_add_completion (context, add_listener_in_thread, &data);
 +		g_mutex_lock (&data.mutex);
 		while (!data.uri)
 			g_cond_wait (&data.cond, &data.mutex);
 -- 
 GitLab
--- a/SOURCES/test-cert-expiration.patch
+++ b/SOURCES/test-cert-expiration.patch
@ -1,60 +0,0 @@
 From 2dafd907586f52291b38c46362e72c7379558626 Mon Sep 17 00:00:00 2001
 From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
 Date: Thu, 18 Feb 2021 09:13:40 +0100
 Subject: [PATCH] Extend test cert to 2049
 used certtool -u \
  --load-ca-privkey     ./tests/test-key.pem \
  --load-ca-certificate ./tests/test-cert.pem \
  --load-certificate    ./tests/test-cert.pem
 Without this patch, 3 tests failed in 2027
 11/29 misc-test                FAIL           0.67s (exit status 1)
 21/29 server-test              FAIL           0.12s (exit status 1)
 25/29 timeout-test             FAIL           4.08s (killed by signal 5 SIGTRAP)
 Background:
 As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future.
 The usual offset is +15 years, because that is how long I expect some software will be used in some places.
 This showed up failing tests in our package build.
 See https://reproducible-builds.org/ for why this matters.
 (cherry picked from commit 38a65f080a3168e8af78bdd3e4928debeea2dbd8)
 ---
 tests/test-cert.pem | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
 diff --git a/tests/test-cert.pem b/tests/test-cert.pem
 index ff863b4d1..4b8b180dc 100644
 --- a/tests/test-cert.pem
 +++ b/tests/test-cert.pem
@@ -1,6 +1,6 @@
 -----BEGIN CERTIFICATE-----
 MIIC2zCCAcOgAwIBAgIJALRbg2WnuAAqMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
 -BAMMCTEyNy4wLjAuMTAeFw0xNzA2MjAxNDI3MzBaFw0yNzA2MTgxNDI3MzBaMBQx
 +BAMMCTEyNy4wLjAuMTAeFw0yMTAyMTgwODA3MzBaFw00OTEyMzEwODA3MzRaMBQx
 EjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAKs4fuRuW77nORhOT9kbbU6BsjKW3GEsMc+ZSmXjINQWpfkES2hV+DQyzhm5
 qh4OLi1vYtXoSbdQNDCbA8ybZJqR8m9F3ed8vobdSSQGxWpPdXTgz27x+TpiAc9P
@@ -8,11 +8,11 @@ w83UuPvlu/0AxHJBFXVAg+id0yFu3wmGWYJHoAtvFi2xeRtAXurNuPtjZyO+gfM9
 BKTRCkGsRSmPpJyGbU2Q96fjxnVfV9oYvQXeugUcSx/pTUCM/kDgD9QZCxG2rflX
 NWcqDFY3uO6ZR68Qwi/KouOa8rzrgAcwhFUI6Wz0Zwi1rzRtWK5WqC24aBUYz/tK
 hl8i88UDXSMh7spChdYDBGLhZyUCAwEAAaMwMC4wLAYDVR0RBCUwI4IJbG9jYWxo
 -b3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQBj
 -+U8tebwg5/pof5Rht6TMHqeg6Fcr4OJkL2ph2g+T/AMTS7kEGeFIKJN5AZ+S/qIY
 -cdoDKHwc8+bCK/mG6DPmJ4z/2Eamb85YhplOLVrLRwfxRebTK9CtnjcjnflAiU9H
 -7vPVwXIvkwebhBSQNKTdkBlPXKaTNWXuygeFG2OVQkPf/KAxSdtg2R+owv/s802Z
 -HISk26wY9oFIQz6AiXWdrY1QqNOltZ7rlU5iofAH7X+9ryZlxPWj/gHg2YQRvvLl
 -dq6nCF+ED0ke7h0lg5nU0beKEygwli8DlLVbu0JK0PkARFp5t7wUtzC9DCjzvfOc
 -gxR44PyZX7/2oaTDm4PS
 +b3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQAz
 +/qYTUuBGHgp7T1cfaJPnhx6U1SMfdJRtFoWOXDx+MNCK9GYkdMEabzRGUP5uNHO+
 +PiZP/bMIHlpsbRA5AyyVf9Xv8JCujvYh24qYcBbwgZrfvNTm0D52P9JJm0SalTXS
 +kwwTj00DWGVfVzJR+wiwYGHRIlyXbHqQSRzv6+z9f/xY5gXw/KpCNYTuOJcXW7w6
 +JfMrUnc9pphRUpcLkuuzOMKuB0dtWRc0mZIr7PZHt+0gitNZWA0bDYI3JI9tlK17
 +nxBUSpGtJwDgH//b8ek/P0P9a5VzQbBC6lXtQUMdxg7ovfAI//IS8ekBoRKI0Wde
 +r2IpM9hKSBU3c2gGXcJC
 -----END CERTIFICATE-----
 -- 
 GitLab
--- a/SPECS/libsoup.spec
+++ b/SPECS/libsoup.spec
@ -2,7 +2,7 @@
 Name: libsoup
 Version: 2.62.3
-Release: 9%{?dist}
+Release: 5%{?dist}
 Summary: Soup, an HTTP library implementation
 License: LGPLv2
@ -14,35 +14,6 @@ Patch0002: 0002-WebSockets-allow-null-characters-in-text-messages-da.patch
 Patch0003: 0003-WebSockets-only-poll-IO-stream-when-needed.patch
 Patch0004: 0004-ntlmv2.patch
 Patch0005: 0005-WebSockets-do-not-start-the-input-source-when-IO-is-closing.patch
 Patch0006: CVE-2024-52530.patch
 Patch0007: CVE-2024-52531.patch
 Patch0008: CVE-2024-52532.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/446
 Patch0009: test-cert-expiration.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/415
 Patch0010: CVE-2025-32050.patch
 Patch0011: CVE-2025-32052.patch
 Patch0012: CVE-2025-32053.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/440
 Patch0013: CVE-2025-32906.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/422
 Patch0014: CVE-2025-32911-CVE-2025-32913.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/421
 Patch0015: CVE-2025-46420.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436
 Patch0016: CVE-2025-46421.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/408 (simplified)
 Patch0017: CVE-2025-32049.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450
 Patch0018: CVE-2025-32914.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/issues/422
 Patch0019: CVE-2025-2784.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463
 Patch0020: CVE-2025-4948.patch
 # https://issues.redhat.com/browse/RHEL-76426
 Patch0021: fix-ssl-test.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/454
 Patch0022: server-test-timeouts.patch
 BuildRequires: chrpath
 BuildRequires: glib2-devel >= %{glib2_version}
@ -117,35 +88,6 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so
 %{_datadir}/vala/vapi/libsoup-2.4.vapi
 %changelog
 * Thu May 22 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-9
 - Add patches to improve test reliability
 - Backport patches for various CVEs
  Resolves: RHEL-85879
  Resolves: RHEL-92280
  Resolves: RHEL-93031
  Resolves: RHEL-93032
 * Thu May 01 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-8
 - Backport patches for various CVEs, plus test improvements
  Resolves: RHEL-85887
  Resolves: RHEL-85900
  Resolves: RHEL-85901
  Resolves: RHEL-87039
  Resolves: RHEL-87094
  Resolves: RHEL-87114
  Resolves: RHEL-88348
  Resolves: RHEL-88351
 * Tue Jan 28 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.62.3-7
 - Backport upstream patch for CVE-2024-52531 - buffer overflow via UTF-8 conversion in soup_header_parse_param_list_strict
  Resolves: RHEL-76376
 * Tue Nov 12 2024 Tomas Popela <tpopela@redhat.com> - 2.62.3-6
 - Backport upstream patch for CVE-2024-52530 - HTTP request smuggling via stripping null bytes from the ends of header names
 - Backport upstream patch for CVE-2024-52532 - infinite loop while reading websocket data
 - Resolves: RHEL-67076
 - Resolves: RHEL-67067
 * Tue Sep 05 2023 Milan Crha <mcrha@redhat.com> - 2.62.3-5
 - Resolves: RHEL-2240 (Correct BuildRequires for python3)