rpms/libsoup3
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Add patch for CVE-2026-1761

Browse Source 
Resolves: RHEL-145670
This commit is contained in:
Michael Catanzaro 2026-02-02 14:42:04 -06:00
parent d745423b80
commit 2eb78ac576
2 changed files with 99 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

97
CVE-2026-1761.patch Normal file
View File

@ -0,0 +1,97 @@
From 0a55f5ebde48cc3e488bff70215b22f103cc6077 Mon Sep 17 00:00:00 2001
From: Carlos Garcia Campos <cgarcia@igalia.com>
Date: Mon, 19 Jan 2026 15:14:58 +0100
Subject: [PATCH] multipart: check length of bytes read
soup_filter_input_stream_read_until()
We do make sure the read length is smaller than the buffer length when
the boundary is not found, but we should do the same when the boundary
is found.
Spotted in #YWH-PGM9867-149
Closes #493
---
libsoup/soup-filter-input-stream.c | 3 +-
tests/multipart-test.c | 46 ++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c
index b1e616c7..22541aa0 100644
--- a/libsoup/soup-filter-input-stream.c
+++ b/libsoup/soup-filter-input-stream.c
@@ -337,6 +337,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream,
if (eof && !*got_boundary)
read_length = MIN (priv->buf->len, length);
else
- read_length = p - buf;
+ read_length = MIN ((gsize)(p - buf), length);
+
return read_from_buf (fstream, buffer, read_length);
}
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index 92b673eb..0496a4c6 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
@@ -527,6 +527,51 @@ test_multipart_bounds_bad (void)
g_bytes_unref (bytes);
}
+static void
+test_multipart_bounds_bad_3 (void)
+{
+ SoupMessage *msg;
+ SoupMessageHeaders *headers;
+ GInputStream *in;
+ SoupMultipartInputStream *multipart;
+ GError *error = NULL;
+ const char raw_data[] = "\0$--A\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\nXXXXXXXXX\r\n--A--\r\n";
+
+ msg = soup_message_new(SOUP_METHOD_POST, "http://foo/upload");
+ headers = soup_message_get_response_headers (msg);
+ soup_message_headers_replace (headers, "Content-Type", "multipart/form-data; boundary=\"A\"");
+
+ in = g_memory_input_stream_new_from_data (raw_data + 2, sizeof(raw_data) - 2, NULL);
+ multipart = soup_multipart_input_stream_new (msg, in);
+ g_object_unref (in);
+
+ while (TRUE) {
+ in = soup_multipart_input_stream_next_part (multipart, NULL, &error);
+ g_assert_no_error (error);
+ if (!in) {
+ g_clear_error (&error);
+ break;
+ }
+
+ char buffer[10];
+ while (TRUE) {
+ gssize bytes_read;
+
+ bytes_read = g_input_stream_read (in, buffer, sizeof(buffer), NULL, &error);
+ g_assert_no_error (error);
+ if (bytes_read <= 0) {
+ g_clear_error (&error);
+ break;
+ }
+ }
+
+ g_object_unref (in);
+ }
+
+ g_object_unref (multipart);
+ g_object_unref (msg);
+}
+
static void
test_multipart_too_large (void)
{
@@ -595,6 +640,7 @@ main (int argc, char **argv)
g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+ g_test_add_func ("/multipart/bounds-bad-3", test_multipart_bounds_bad_3);
g_test_add_func ("/multipart/too-large", test_multipart_too_large);
ret = g_test_run ();
--
2.52.0

2
libsoup3.spec
View File

@ -39,6 +39,8 @@ Patch: CVE-2025-12105.patch
Patch: CVE-2025-14523.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494
Patch: CVE-2026-0719.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/496
Patch: CVE-2026-1761.patch
BuildRequires: ca-certificates
BuildRequires: gcc