import UBI libsoup3-3.6.5-3.el10_1.9

2026-02-05 23:30:03 +00:00 · 2026-02-05 23:30:03 +00:00 · 4e9eff2ae7
commit 4e9eff2ae7
parent 814dc4957c
3 changed files with 291 additions and 1 deletions
--- a/CVE-2026-0719.patch
+++ b/CVE-2026-0719.patch
@ -0,0 +1,185 @@
+From 427a5ed7048dda4d22f13c164a3a439e68604406 Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Thu, 8 Jan 2026 16:19:37 -0600
+Subject: [PATCH] soup-auth-ntlm: Reject excessively long passwords
+
+According to
+https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/ntlm-user-authentication,
+the practical limit for a NTLM password is 128 Unicode characters, so it
+should be safe to reject passwords longer than 256 bytes. Previously,
+md4sum could overflow and cause an out-of-bounds memory access if an
+extremely long password was provided. Also update md4sum to use unsigned
+variables for size-related calculations, as a precaution.
+
+This is CVE-2026-0719.
+
+Closes #477.
+---
+ libsoup/auth/soup-auth-ntlm.c | 27 +++++++++++----
+ tests/ntlm-test.c             | 64 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 84 insertions(+), 7 deletions(-)
+
+diff --git a/libsoup/auth/soup-auth-ntlm.c b/libsoup/auth/soup-auth-ntlm.c
+index dc440ad1..a338389b 100644
+--- a/libsoup/auth/soup-auth-ntlm.c
+++ b/libsoup/auth/soup-auth-ntlm.c
+@@ -355,6 +355,14 @@ soup_auth_ntlm_update_connection (SoupConnectionAuth *auth, SoupMessage *msg,
+ 		return FALSE;
+ 	}
+ 
+	if (priv->password_state == SOUP_NTLM_PASSWORD_PROVIDED && !priv->nt_hash[0]) {
+		/* This can happen if an excessively long password was
+		 * provided, in which case we don't try to hash */
+		conn->state = SOUP_NTLM_FAILED;
+		priv->password_state = SOUP_NTLM_PASSWORD_REJECTED;
+		return TRUE;
+	}
+
+ 	if (!soup_ntlm_parse_challenge (auth_header + 5, &conn->nonce,
+ 					priv->domain ? NULL : &priv->domain,
+ 					&conn->ntlmv2_session, &conn->negotiate_target,
+@@ -449,8 +457,10 @@ soup_auth_ntlm_authenticate (SoupAuth *auth, const char *username,
+ 		priv->username = g_strdup (username);
+ 	}
+ 
+-	soup_ntlm_nt_hash (password, priv->nt_hash);
+-	soup_ntlm_lanmanager_hash (password, priv->lm_hash);
+	if (strlen (password) < 256) {
+		soup_ntlm_nt_hash (password, priv->nt_hash);
+		soup_ntlm_lanmanager_hash (password, priv->lm_hash);
+	}
+ 
+ 	priv->password_state = SOUP_NTLM_PASSWORD_PROVIDED;
+ }
+@@ -616,7 +626,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class)
+ }
+ 
+ static void md4sum                (const unsigned char *in, 
+-				   int                  nbytes, 
+				   size_t               nbytes,
+ 				   unsigned char        digest[16]);
+ 
+ typedef guint32 DES_KS[16][2]; /* Single-key DES key schedule */
+@@ -662,7 +672,7 @@ soup_ntlm_nt_hash (const char *password, guchar hash[21])
+ {
+ 	unsigned char *buf, *p;
+ 
+-	p = buf = g_malloc (strlen (password) * 2);
+	p = buf = g_malloc_n (strlen (password), 2);
+ 
+ 	while (*password) {
+ 		*p++ = *password++;
+@@ -1104,15 +1114,16 @@ calc_response (const guchar *key, const guchar *plaintext, guchar *results)
+ #define ROT(val, n) ( ((val) << (n)) | ((val) >> (32 - (n))) )
+ 
+ static void
+-md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
+md4sum (const unsigned char *in, size_t nbytes, unsigned char digest[16])
+ {
+ 	unsigned char *M;
+ 	guint32 A, B, C, D, AA, BB, CC, DD, X[16];
+-	int pbytes, nbits = nbytes * 8, i, j;
+	size_t pbytes, nbits = nbytes * 8;
+	int i, j;
+ 
+ 	/* There is *always* padding of at least one bit. */
+ 	pbytes = ((119 - (nbytes % 64)) % 64) + 1;
+-	M = alloca (nbytes + pbytes + 8);
+	M = g_malloc (nbytes + pbytes + 8);
+ 	memcpy (M, in, nbytes);
+ 	memset (M + nbytes, 0, pbytes + 8);
+ 	M[nbytes] = 0x80;
+@@ -1212,6 +1223,8 @@ md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
+ 	digest[13] = (D >>  8) & 0xFF;
+ 	digest[14] = (D >> 16) & 0xFF;
+ 	digest[15] = (D >> 24) & 0xFF;
+
+	g_free (M);
+ }
+ 
+ 
+diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c
+index e19f5663..c95fcd50 100644
+--- a/tests/ntlm-test.c
+++ b/tests/ntlm-test.c
+@@ -740,6 +740,67 @@ do_retrying_test (TestServer *ts,
+ 	soup_test_session_abort_unref (session);
+ }
+ 
+static gboolean
+long_password_test_authenticate (SoupMessage *msg,
+			         SoupAuth    *auth,
+			         gboolean     retrying,
+			         gpointer user)
+{
+	size_t l = 65536;
+	char *password;
+	char tmp[10000];
+	size_t i;
+
+	password = (char *)g_malloc (l);
+
+	for (i = 0; i < 10000; i++) {
+		tmp[i] = 'A';
+	}
+	for (i = 0; i < l/10000; i++) {
+		memcpy (password + i * 10000, tmp, 10000);
+	}
+	memcpy (password + l - 1 - 10000, tmp, 10000);
+
+	soup_auth_authenticate (auth, "alice", password);
+
+	g_free (password);
+	return TRUE;
+}
+
+static void
+do_long_password_test (TestServer *ts,
+		  gconstpointer data)
+{
+	SoupSession *session;
+	SoupMessage *msg;
+	GUri *uri;
+	GBytes *body;
+
+	if (!can_do_ntlm_test ()) {
+		g_test_skip ("NTLM authentication not available (likely due to FIPS mode)");
+		return;
+	}
+
+	session = soup_test_session_new (NULL);
+        soup_session_add_feature_by_type (session, SOUP_TYPE_AUTH_NTLM);
+        soup_session_set_proxy_resolver(session, NULL);
+
+	uri = g_uri_parse_relative (ts->uri, "/alice", SOUP_HTTP_URI_FLAGS, NULL);
+	msg = soup_message_new_from_uri ("GET", uri);
+	g_signal_connect (msg, "authenticate",
+			  G_CALLBACK (long_password_test_authenticate), NULL);
+	g_uri_unref (uri);
+
+	body = soup_session_send_and_read (session, msg, NULL, NULL);
+
+	soup_test_assert_message_status (msg, SOUP_STATUS_UNAUTHORIZED);
+
+	g_bytes_unref (body);
+	g_object_unref (msg);
+
+	soup_test_session_abort_unref (session);
+}
+
+ int
+ main (int argc, char **argv)
+ {
+@@ -763,6 +824,9 @@ main (int argc, char **argv)
+ 	g_test_add ("/ntlm/retry", TestServer, NULL,
+ 		    setup_server, do_retrying_test, teardown_server);
+ 
+	g_test_add ("/ntlm/long-password", TestServer, NULL,
+		    setup_server, do_long_password_test, teardown_server);
+
+ 	ret = g_test_run ();
+ 
+ 	test_cleanup ();
+-- 
+2.52.0
+
--- a/libsoup3.spec
+++ b/libsoup3.spec
@ -2,7 +2,7 @@
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 8;
+    release_number = 9;
    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
    print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@ -19,6 +19,9 @@ License: LGPL-2.0-or-later
 URL:     https://wiki.gnome.org/Projects/libsoup
 Source0: https://download.gnome.org/sources/libsoup/3.6/libsoup-%{version}.tar.xz

+# Downstream patch, needed due to glib2 gnutls-hmac.patch
+Patch:   no-ntlm-in-fips-mode.patch
+
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/426
 Patch:   test-timeouts.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/454
@ -44,6 +47,8 @@ Patch:   CVE-2025-4945-CVE-2025-11021.patch
 Patch:   CVE-2025-12105.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/491
 Patch:   CVE-2025-14523.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494
+Patch:   CVE-2026-0719.patch

 BuildRequires: ca-certificates
 BuildRequires: gcc
@ -138,6 +143,9 @@ install -m 644 -D tests/libsoup.supp %{buildroot}%{_datadir}/libsoup-3.0/libsoup

 %changelog
 ## START: Generated by rpmautospec
+* Fri Jan 30 2026 Michael Catanzaro <mcatanzaro@gnome.org> - 3.6.5-9
+- Fix CVE-2026-0719
+
 * Wed Jan 07 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 3.6.5-8
 - Fix CVE-2025-14523

--- a/no-ntlm-in-fips-mode.patch
+++ b/no-ntlm-in-fips-mode.patch
@ -0,0 +1,97 @@
+From 667e6977ac21a7f4aeadd825436f5de972cab2df Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Thu, 29 Jan 2026 15:06:17 -0600
+Subject: [PATCH] Disable NTLM auth and tests in FIPS mode
+
+This is a downstream Fedora/RHEL-ecosystem patch. Upstream GHmac
+supports MD5 unconditionally, but in Fedora/RHEL trying to use MD5 HMAC
+will crash if FIPS mode is enabled due to the glib2 package's
+gnutls-hmac.patch, which I have thus far failed to upstream. This isn't
+great, but it looks like finding an upstream solution will be difficult,
+so we'll just have to carry this patch for now.
+
+https://gitlab.gnome.org/GNOME/glib/merge_requests/897
+---
+ libsoup/auth/soup-auth-ntlm.c | 12 ++++++++++++
+ tests/ntlm-test.c             | 21 +++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/libsoup/auth/soup-auth-ntlm.c b/libsoup/auth/soup-auth-ntlm.c
+index 7108a32c..dc440ad1 100644
+--- a/libsoup/auth/soup-auth-ntlm.c
+++ b/libsoup/auth/soup-auth-ntlm.c
+@@ -455,6 +455,17 @@ soup_auth_ntlm_authenticate (SoupAuth *auth, const char *username,
+ 	priv->password_state = SOUP_NTLM_PASSWORD_PROVIDED;
+ }
+ 
+static gboolean
+soup_auth_ntlm_can_authenticate (SoupAuth *auth)
+{
+	GHmac *hmac = g_hmac_new (G_CHECKSUM_MD5, (const unsigned char *)"abc123", sizeof ("abc123"));
+	if (hmac) {
+		g_hmac_unref (hmac);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+ static gboolean
+ soup_auth_ntlm_is_authenticated (SoupAuth *auth)
+ {
+@@ -587,6 +598,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class)
+ 
+ 	auth_class->get_protection_space = soup_auth_ntlm_get_protection_space;
+ 	auth_class->authenticate = soup_auth_ntlm_authenticate;
+	auth_class->can_authenticate = soup_auth_ntlm_can_authenticate;
+ 	auth_class->is_authenticated = soup_auth_ntlm_is_authenticated;
+ 
+ 	connauth_class->create_connection_state = soup_auth_ntlm_create_connection_state;
+diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c
+index a92a21c8..18f13a7d 100644
+--- a/tests/ntlm-test.c
+++ b/tests/ntlm-test.c
+@@ -578,6 +578,17 @@ static const NtlmTest ntlmv2_tests[] = {
+ 	{ "/ntlm/v2/basic", "alice", FALSE, BUILTIN }
+ };
+ 
+static gboolean
+can_do_ntlm_test (void)
+{
+	GHmac *hmac = g_hmac_new (G_CHECKSUM_MD5, (const unsigned char *)"abc123", sizeof ("abc123"));
+	if (hmac) {
+		g_hmac_unref (hmac);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+ static void
+ do_ntlm_test (TestServer *ts,
+ 	      gconstpointer data)
+@@ -585,6 +596,11 @@ do_ntlm_test (TestServer *ts,
+ 	const NtlmTest *test = data;
+ 	gboolean use_builtin_ntlm = TRUE;
+ 
+	if (!can_do_ntlm_test ()) {
+		g_test_skip ("NTLM authentication not available (likely due to FIPS mode)");
+		return;
+	}
+
+ 	switch (test->ntlm_type) {
+ 	case BUILTIN:
+ 		/* Built-in NTLM auth support. (We set SOUP_NTLM_AUTH_DEBUG to
+@@ -668,6 +684,11 @@ do_retrying_test (TestServer *ts,
+ 
+ 	g_test_bug ("693222");
+ 
+	if (!can_do_ntlm_test ()) {
+		g_test_skip ("NTLM authentication not available (likely due to FIPS mode)");
+		return;
+	}
+
+ 	g_setenv ("SOUP_NTLM_AUTH_DEBUG", "", TRUE);
+ 
+ 	debug_printf (1, "  /alice\n");
+-- 
+2.52.0
+