From 4e9eff2ae7a3a5cb59ad2a8052cdc17b2a317e0e Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 5 Feb 2026 23:30:03 +0000
Subject: [PATCH] import UBI libsoup3-3.6.5-3.el10_1.9
---
CVE-2026-0719.patch | 185 +++++++++++++++++++++++++++++++++++++
libsoup3.spec | 10 +-
no-ntlm-in-fips-mode.patch | 97 +++++++++++++++++++
3 files changed, 291 insertions(+), 1 deletion(-)
create mode 100644 CVE-2026-0719.patch
create mode 100644 no-ntlm-in-fips-mode.patch
diff --git a/CVE-2026-0719.patch b/CVE-2026-0719.patch
new file mode 100644
index 0000000..f528d07
--- /dev/null
+++ b/CVE-2026-0719.patch
@@ -0,0 +1,185 @@ +From 427a5ed7048dda4d22f13c164a3a439e68604406 Mon Sep 17 00:00:00 2001 +From: Mike Gorse +Date: Thu, 8 Jan 2026 16:19:37 -0600 +Subject: [PATCH] soup-auth-ntlm: Reject excessively long passwords + +According to +https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/ntlm-user-authentication, +the practical limit for a NTLM password is 128 Unicode characters, so it +should be safe to reject passwords longer than 256 bytes. Previously, +md4sum could overflow and cause an out-of-bounds memory access if an +extremely long password was provided. Also update md4sum to use unsigned +variables for size-related calculations, as a precaution. + +This is CVE-2026-0719. + +Closes #477. +--- + libsoup/auth/soup-auth-ntlm.c | 27 +++++++++++---- + tests/ntlm-test.c | 64 +++++++++++++++++++++++++++++++++++ + 2 files changed, 84 insertions(+), 7 deletions(-) + +diff --git a/libsoup/auth/soup-auth-ntlm.c b/libsoup/auth/soup-auth-ntlm.c +index dc440ad1..a338389b 100644 +--- a/libsoup/auth/soup-auth-ntlm.c ++++ b/libsoup/auth/soup-auth-ntlm.c +@@ -355,6 +355,14 @@ soup_auth_ntlm_update_connection (SoupConnectionAuth *auth, SoupMessage *msg, + return FALSE; + } + ++ if (priv->password_state == SOUP_NTLM_PASSWORD_PROVIDED && !priv->nt_hash[0]) { ++ /* This can happen if an excessively long password was ++ * provided, in which case we don't try to hash */ ++ conn->state = SOUP_NTLM_FAILED; ++ priv->password_state = SOUP_NTLM_PASSWORD_REJECTED; ++ return TRUE; ++ } ++ + if (!soup_ntlm_parse_challenge (auth_header + 5, &conn->nonce, + priv->domain ? 
NULL : &priv->domain, + &conn->ntlmv2_session, &conn->negotiate_target, +@@ -449,8 +457,10 @@ soup_auth_ntlm_authenticate (SoupAuth *auth, const char *username, + priv->username = g_strdup (username); + } + +- soup_ntlm_nt_hash (password, priv->nt_hash); +- soup_ntlm_lanmanager_hash (password, priv->lm_hash); ++ if (strlen (password) < 256) { ++ soup_ntlm_nt_hash (password, priv->nt_hash); ++ soup_ntlm_lanmanager_hash (password, priv->lm_hash); ++ } + + priv->password_state = SOUP_NTLM_PASSWORD_PROVIDED; + } +@@ -616,7 +626,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class) + } + + static void md4sum (const unsigned char *in, +- int nbytes, ++ size_t nbytes, + unsigned char digest[16]); + + typedef guint32 DES_KS[16][2]; /* Single-key DES key schedule */ +@@ -662,7 +672,7 @@ soup_ntlm_nt_hash (const char *password, guchar hash[21]) + { + unsigned char *buf, *p; + +- p = buf = g_malloc (strlen (password) * 2); ++ p = buf = g_malloc_n (strlen (password), 2); + + while (*password) { + *p++ = *password++; +@@ -1104,15 +1114,16 @@ calc_response (const guchar *key, const guchar *plaintext, guchar *results) + #define ROT(val, n) ( ((val) << (n)) | ((val) >> (32 - (n))) ) + + static void +-md4sum (const unsigned char *in, int nbytes, unsigned char digest[16]) ++md4sum (const unsigned char *in, size_t nbytes, unsigned char digest[16]) + { + unsigned char *M; + guint32 A, B, C, D, AA, BB, CC, DD, X[16]; +- int pbytes, nbits = nbytes * 8, i, j; ++ size_t pbytes, nbits = nbytes * 8; ++ int i, j; + + /* There is *always* padding of at least one bit. 
*/ + pbytes = ((119 - (nbytes % 64)) % 64) + 1; +- M = alloca (nbytes + pbytes + 8); ++ M = g_malloc (nbytes + pbytes + 8); + memcpy (M, in, nbytes); + memset (M + nbytes, 0, pbytes + 8); + M[nbytes] = 0x80; +@@ -1212,6 +1223,8 @@ md4sum (const unsigned char *in, int nbytes, unsigned char digest[16]) + digest[13] = (D >> 8) & 0xFF; + digest[14] = (D >> 16) & 0xFF; + digest[15] = (D >> 24) & 0xFF; ++ ++ g_free (M); + } + + +diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c +index e19f5663..c95fcd50 100644 +--- a/tests/ntlm-test.c ++++ b/tests/ntlm-test.c +@@ -740,6 +740,67 @@ do_retrying_test (TestServer *ts, + soup_test_session_abort_unref (session); + } + ++static gboolean ++long_password_test_authenticate (SoupMessage *msg, ++ SoupAuth *auth, ++ gboolean retrying, ++ gpointer user) ++{ ++ size_t l = 65536; ++ char *password; ++ char tmp[10000]; ++ size_t i; ++ ++ password = (char *)g_malloc (l); ++ ++ for (i = 0; i < 10000; i++) { ++ tmp[i] = 'A'; ++ } ++ for (i = 0; i < l/10000; i++) { ++ memcpy (password + i * 10000, tmp, 10000); ++ } ++ memcpy (password + l - 1 - 10000, tmp, 10000); ++ ++ soup_auth_authenticate (auth, "alice", password); ++ ++ g_free (password); ++ return TRUE; ++} ++ ++static void ++do_long_password_test (TestServer *ts, ++ gconstpointer data) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ GUri *uri; ++ GBytes *body; ++ ++ if (!can_do_ntlm_test ()) { ++ g_test_skip ("NTLM authentication not available (likely due to FIPS mode)"); ++ return; ++ } ++ ++ session = soup_test_session_new (NULL); ++ soup_session_add_feature_by_type (session, SOUP_TYPE_AUTH_NTLM); ++ soup_session_set_proxy_resolver(session, NULL); ++ ++ uri = g_uri_parse_relative (ts->uri, "/alice", SOUP_HTTP_URI_FLAGS, NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ g_signal_connect (msg, "authenticate", ++ G_CALLBACK (long_password_test_authenticate), NULL); ++ g_uri_unref (uri); ++ ++ body = soup_session_send_and_read (session, msg, NULL, NULL); ++ ++ 
soup_test_assert_message_status (msg, SOUP_STATUS_UNAUTHORIZED); ++ ++ g_bytes_unref (body); ++ g_object_unref (msg); ++ ++ soup_test_session_abort_unref (session); ++} ++ + int + main (int argc, char **argv) + { +@@ -763,6 +824,9 @@ main (int argc, char **argv) + g_test_add ("/ntlm/retry", TestServer, NULL, + setup_server, do_retrying_test, teardown_server); + ++ g_test_add ("/ntlm/long-password", TestServer, NULL, ++ setup_server, do_long_password_test, teardown_server); ++ + ret = g_test_run (); + + test_cleanup (); +-- +2.52.0 + diff --git a/libsoup3.spec b/libsoup3.spec index d0eac13..add8e6e 100644 --- a/libsoup3.spec +++ b/libsoup3.spec @@ -2,7 +2,7 @@ ## (rpmautospec version 0.6.5) ## RPMAUTOSPEC: autorelease, autochangelog %define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 8; + release_number = 9; base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); print(release_number + base_release_number - 1); }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} @@ -19,6 +19,9 @@ License: LGPL-2.0-or-later URL: https://wiki.gnome.org/Projects/libsoup Source0: https://download.gnome.org/sources/libsoup/3.6/libsoup-%{version}.tar.xz +# Downstream patch, needed due to glib2 gnutls-hmac.patch +Patch: no-ntlm-in-fips-mode.patch + # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/426 Patch: test-timeouts.patch # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/454 @@ -44,6 +47,8 @@ Patch: CVE-2025-4945-CVE-2025-11021.patch Patch: CVE-2025-12105.patch # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/491 Patch: CVE-2025-14523.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494 +Patch: CVE-2026-0719.patch BuildRequires: ca-certificates BuildRequires: gcc 
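Review bot: In CVE-2026-0719.patch, the new guard in soup_auth_ntlm_update_connection infers "password was too long" from `!priv->nt_hash[0]`, but that byte is also zero for any accepted password whose NT hash happens to begin with 0x00, and it stays non-zero if an earlier call already stored a hash, so the test can misfire in both directions. Recording the decision where it is made would be more robust, for example a new private field set in soup_auth_ntlm_authenticate with `priv->password_too_long = strlen (password) >= 256;` and tested here in place of the hash byte (the field name is a suggestion; the struct is outside the hunk). Both functions start and end outside the visible hunks, so whether nt_hash is cleared elsewhere cannot be confirmed from here. Separately, long_password_test_authenticate never writes the final byte of its 65536-byte buffer, so the string handed to soup_auth_authenticate is unterminated; `memset (password, 'A', l - 1); password[l - 1] = '\0';` would replace both copy loops and the 10000-byte stack array.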
@@ -138,6 +143,9 @@ install -m 644 -D tests/libsoup.supp %{buildroot}%{_datadir}/libsoup-3.0/libsoup %changelog ## START: Generated by rpmautospec +* Fri Jan 30 2026 Michael Catanzaro - 3.6.5-9 +- Fix CVE-2026-0719 + * Wed Jan 07 2026 Michael Catanzaro - 3.6.5-8 - Fix CVE-2025-14523 diff --git a/no-ntlm-in-fips-mode.patch b/no-ntlm-in-fips-mode.patch new file mode 100644 index 0000000..40b59ec --- /dev/null +++ b/no-ntlm-in-fips-mode.patch 
@@ -0,0 +1,97 @@ +From 667e6977ac21a7f4aeadd825436f5de972cab2df Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 29 Jan 2026 15:06:17 -0600 +Subject: [PATCH] Disable NTLM auth and tests in FIPS mode + +This is a downstream Fedora/RHEL-ecosystem patch. Upstream GHmac +supports MD5 unconditionally, but in Fedora/RHEL trying to use MD5 HMAC +will crash if FIPS mode is enabled due to the glib2 package's +gnutls-hmac.patch, which I have thus far failed to upstream. This isn't +great, but it looks like finding an upstream solution will be difficult, +so we'll just have to carry this patch for now. + +https://gitlab.gnome.org/GNOME/glib/merge_requests/897 +--- + libsoup/auth/soup-auth-ntlm.c | 12 ++++++++++++ + tests/ntlm-test.c | 21 +++++++++++++++++++++ + 2 files changed, 33 insertions(+) + +diff --git a/libsoup/auth/soup-auth-ntlm.c b/libsoup/auth/soup-auth-ntlm.c +index 7108a32c..dc440ad1 100644 +--- a/libsoup/auth/soup-auth-ntlm.c ++++ b/libsoup/auth/soup-auth-ntlm.c +@@ -455,6 +455,17 @@ soup_auth_ntlm_authenticate (SoupAuth *auth, const char *username, + priv->password_state = SOUP_NTLM_PASSWORD_PROVIDED; + } + ++static gboolean ++soup_auth_ntlm_can_authenticate (SoupAuth *auth) ++{ ++ GHmac *hmac = g_hmac_new (G_CHECKSUM_MD5, (const unsigned char *)"abc123", sizeof ("abc123")); ++ if (hmac) { ++ g_hmac_unref (hmac); ++ return TRUE; ++ } ++ return FALSE; ++} ++ + static gboolean + soup_auth_ntlm_is_authenticated (SoupAuth *auth) + { +@@ -587,6 +598,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class) + + auth_class->get_protection_space = soup_auth_ntlm_get_protection_space; + auth_class->authenticate = soup_auth_ntlm_authenticate; ++ auth_class->can_authenticate = soup_auth_ntlm_can_authenticate; + auth_class->is_authenticated = soup_auth_ntlm_is_authenticated; + + connauth_class->create_connection_state = soup_auth_ntlm_create_connection_state; +diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c +index a92a21c8..18f13a7d 100644 +--- 
a/tests/ntlm-test.c ++++ b/tests/ntlm-test.c +@@ -578,6 +578,17 @@ static const NtlmTest ntlmv2_tests[] = { + { "/ntlm/v2/basic", "alice", FALSE, BUILTIN } + }; + ++static gboolean ++can_do_ntlm_test (void) ++{ ++ GHmac *hmac = g_hmac_new (G_CHECKSUM_MD5, (const unsigned char *)"abc123", sizeof ("abc123")); ++ if (hmac) { ++ g_hmac_unref (hmac); ++ return TRUE; ++ } ++ return FALSE; ++} ++ + static void + do_ntlm_test (TestServer *ts, + gconstpointer data) +@@ -585,6 +596,11 @@ do_ntlm_test (TestServer *ts, + const NtlmTest *test = data; + gboolean use_builtin_ntlm = TRUE; + ++ if (!can_do_ntlm_test ()) { ++ g_test_skip ("NTLM authentication not available (likely due to FIPS mode)"); ++ return; ++ } ++ + switch (test->ntlm_type) { + case BUILTIN: + /* Built-in NTLM auth support. (We set SOUP_NTLM_AUTH_DEBUG to +@@ -668,6 +684,11 @@ do_retrying_test (TestServer *ts, + + g_test_bug ("693222"); + ++ if (!can_do_ntlm_test ()) { ++ g_test_skip ("NTLM authentication not available (likely due to FIPS mode)"); ++ return; ++ } ++ + g_setenv ("SOUP_NTLM_AUTH_DEBUG", "", TRUE); + + debug_printf (1, " /alice\n"); +-- +2.52.0 +
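Review bot: soup_auth_ntlm_can_authenticate in no-ntlm-in-fips-mode.patch carries no comment explaining that the throwaway HMAC-MD5 object is only a probe for FIPS mode, which a reader cannot guess from the code since the key is never used. A comment such as `/* Probe: g_hmac_new() is expected to return NULL for MD5 when the downstream glib2 FIPS patch is active; treat that as NTLM being unavailable. */` would help, and the same applies to the copy in can_do_ntlm_test. The description says MD5 HMAC use crashes in FIPS mode while the probe relies on a NULL return, so it is worth confirming which behaviour g_hmac_new actually has there. As a style point, `sizeof ("abc123")` includes the terminating NUL in the key length; `strlen ("abc123")` or a named constant would say what is meant.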