import UBI libsoup3-3.6.5-3.el10_0.6

This commit is contained in:
eabdullin 2025-05-26 11:25:23 +00:00
parent 5701397e93
commit 739d76f6ce
6 changed files with 433 additions and 2 deletions

16
CVE-2025-32049.patch Normal file
View File

@ -0,0 +1,16 @@
diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
index a1448134..48b08b60 100644
--- a/libsoup/websocket/soup-websocket-connection.c
+++ b/libsoup/websocket/soup-websocket-connection.c
@@ -971,6 +971,11 @@ process_contents (SoupWebsocketConnection *self,
switch (priv->message_opcode) {
case 0x01:
case 0x02:
+ /* Safety valve */
+ if (priv->message_data->len + payload_len > priv->max_incoming_payload_size) {
+ too_big_error_and_close (self, (priv->message_data->len + payload_len));
+ return;
+ }
g_byte_array_append (priv->message_data, payload, payload_len);
break;
default:

30
CVE-2025-32907.patch Normal file
View File

@ -0,0 +1,30 @@
From 84e601252a9ae5eafaba9cb9cb5e4bd77ca41bdb Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 15 Apr 2025 12:17:39 +0200
Subject: [PATCH] soup-message-headers: Correct merge of ranges
It had been skipping every second range, which generated an array
of a lot of insane ranges, causing large memory usage by the server.
Closes #428
---
libsoup/soup-message-headers.c | 1 +
tests/meson.build | 1 +
tests/server-mem-limit-test.c | 144 +++++++++++++++++++++++++++++++++
3 files changed, 146 insertions(+)
create mode 100644 tests/server-mem-limit-test.c
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 64847e30..f612bff1 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1024,6 +1024,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs,
if (cur->start <= prev->end) {
prev->end = MAX (prev->end, cur->end);
g_array_remove_index (array, i);
+ i--;
}
}
}
--
2.49.0

View File

@ -81,3 +81,50 @@ index 5b6da5e4..ec7972fe 100644
--
GitLab
From 527428a033df573ef4558ce1106e080fd9ec5c71 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Mon, 28 Apr 2025 10:55:42 +0200
Subject: [PATCH] soup-server-http2: Correct check of the validity of the
constructed connection URI
RFC 5740: the CONNECT has unset the "scheme" and "path", thus allow them unset.
The commit a792b23ab87cacbf4dd9462bf7b675fa678efbae also missed to decrement
the `io->in_callback` in the early returns.
Related to #429
---
.../server/http2/soup-server-message-io-http2.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
index f1fe2d5c..913afb46 100644
--- a/libsoup/server/http2/soup-server-message-io-http2.c
+++ b/libsoup/server/http2/soup-server-message-io-http2.c
@@ -771,13 +771,18 @@ on_frame_recv_callback (nghttp2_session *session,
char *uri_string;
GUri *uri;
- if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
- uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
+ if (msg_io->authority == NULL) {
+ io->in_callback--;
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ /* RFC 5740: the CONNECT has unset the "scheme" and "path", but the GUri requires the scheme, thus let it be "(null)" */
+ uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path == NULL ? "" : msg_io->path);
uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
g_free (uri_string);
- if (uri == NULL)
- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ if (uri == NULL) {
+ io->in_callback--;
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
soup_server_message_set_uri (msg_io->msg, uri);
g_uri_unref (uri);
--
GitLab

231
CVE-2025-4035.patch Normal file
View File

@ -0,0 +1,231 @@
From 845e198402377f8644e9ae5200f1715df1ddfc08 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 27 Mar 2025 14:43:26 -0500
Subject: [PATCH 1/3] cookie: Always normalize domain value
In order for libpsl to give accurate results the domain must be lowercased.
To make it easiest we normalize it at construction time of the cookie.
---
libsoup/cookies/soup-cookie-jar.c | 11 ++++++++---
libsoup/cookies/soup-cookie.c | 22 +++++++++++++++++++---
libsoup/soup-tld.c | 11 ++++++++++-
libsoup/soup-uri-utils-private.h | 2 ++
libsoup/soup-uri-utils.c | 18 ++++++++++++++++++
tests/cookies-test.c | 19 +++++++++++++++++++
6 files changed, 76 insertions(+), 7 deletions(-)
diff --git a/libsoup/cookies/soup-cookie-jar.c b/libsoup/cookies/soup-cookie-jar.c
index fac53a5f9..7f92ace1f 100644
--- a/libsoup/cookies/soup-cookie-jar.c
+++ b/libsoup/cookies/soup-cookie-jar.c
@@ -519,6 +519,7 @@ incoming_cookie_is_third_party (SoupCookieJar *jar,
{
SoupCookieJarPrivate *priv;
const char *normalized_cookie_domain;
+ char *normalized_first_party_host;
const char *cookie_base_domain;
const char *first_party_base_domain;
const char *first_party_host;
@@ -540,12 +541,16 @@ incoming_cookie_is_third_party (SoupCookieJar *jar,
if (cookie_base_domain == NULL)
cookie_base_domain = soup_cookie_get_domain (cookie);
- first_party_base_domain = soup_tld_get_base_domain (first_party_host, NULL);
+ normalized_first_party_host = soup_uri_normalize_domain (first_party_host);
+ first_party_base_domain = soup_tld_get_base_domain (normalized_first_party_host, NULL);
if (first_party_base_domain == NULL)
- first_party_base_domain = first_party_host;
+ first_party_base_domain = normalized_first_party_host;
- if (soup_host_matches_host (cookie_base_domain, first_party_base_domain))
+ if (soup_host_matches_host (cookie_base_domain, first_party_base_domain)) {
+ g_free (normalized_first_party_host);
return FALSE;
+ }
+ g_free (normalized_first_party_host);
if (policy == SOUP_COOKIE_JAR_ACCEPT_NO_THIRD_PARTY)
return TRUE;
diff --git a/libsoup/cookies/soup-cookie.c b/libsoup/cookies/soup-cookie.c
index cc80d001f..b6d771646 100644
--- a/libsoup/cookies/soup-cookie.c
+++ b/libsoup/cookies/soup-cookie.c
@@ -168,6 +168,16 @@ parse_date (const char **val_p)
return date;
}
+static gboolean
+is_lowercase_ascii_string (const char *str)
+{
+ for (; *str; str++) {
+ if (!g_ascii_islower (*str))
+ return FALSE;
+ }
+ return TRUE;
+}
+
#define MAX_AGE_CAP_IN_SECONDS 31536000 // 1 year
#define MAX_ATTRIBUTE_SIZE 1024
@@ -311,6 +321,12 @@ parse_one_cookie (const char *header, GUri *origin)
g_free (cookie->domain);
cookie->domain = tmp;
}
+
+ if (!is_lowercase_ascii_string (cookie->domain)) {
+ char *tmp = soup_uri_normalize_domain (cookie->domain);
+ g_free (cookie->domain);
+ cookie->domain = tmp;
+ }
}
if (origin) {
@@ -321,7 +337,7 @@ parse_one_cookie (const char *header, GUri *origin)
return NULL;
}
} else
- cookie->domain = g_strdup (g_uri_get_host (origin));
+ cookie->domain = soup_uri_normalize_domain (g_uri_get_host (origin));
/* The original cookie spec didn't say that pages
* could only set cookies for paths they were under.
@@ -364,7 +380,7 @@ cookie_new_internal (const char *name, const char *value,
cookie = g_slice_new0 (SoupCookie);
cookie->name = g_strdup (name);
cookie->value = g_strdup (value);
- cookie->domain = g_strdup (domain);
+ cookie->domain = soup_uri_normalize_domain (domain);
cookie->path = g_strdup (path);
soup_cookie_set_max_age (cookie, max_age);
cookie->same_site_policy = SOUP_SAME_SITE_POLICY_LAX;
@@ -537,7 +553,7 @@ void
soup_cookie_set_domain (SoupCookie *cookie, const char *domain)
{
g_free (cookie->domain);
- cookie->domain = g_strdup (domain);
+ cookie->domain = soup_uri_normalize_domain (domain);
}
/**
diff --git a/libsoup/soup-tld.c b/libsoup/soup-tld.c
index 2d8151662..71fac5749 100644
--- a/libsoup/soup-tld.c
+++ b/libsoup/soup-tld.c
@@ -15,6 +15,7 @@
#include <libpsl.h>
#include "soup-tld.h"
+#include "soup-uri-utils-private.h"
#include "soup.h"
static const char *soup_tld_get_base_domain_internal (const char *hostname,
@@ -41,6 +42,8 @@ static const char *soup_tld_get_base_domain_internal (const char *hostname,
* UTF-8 or ASCII format (and the return value will be in the same
* format).
*
+ * For accurate results @hostname must be lowercase.
+ *
* Returns: a pointer to the start of the base domain in @hostname. If
* an error occurs, %NULL will be returned and @error set.
**/
@@ -80,6 +83,8 @@ gboolean
soup_tld_domain_is_public_suffix (const char *domain)
{
const psl_ctx_t* psl = soup_psl_context ();
+ char *normalized;
+ gboolean is_public_suffix;
g_return_val_if_fail (domain, FALSE);
@@ -88,7 +93,11 @@ soup_tld_domain_is_public_suffix (const char *domain)
return FALSE;
}
- return psl_is_public_suffix2 (psl, domain, PSL_TYPE_ANY | PSL_TYPE_NO_STAR_RULE);
+ normalized = soup_uri_normalize_domain (domain);
+ is_public_suffix = psl_is_public_suffix2 (psl, normalized, PSL_TYPE_ANY | PSL_TYPE_NO_STAR_RULE);
+ g_free (normalized);
+
+ return is_public_suffix;
}
/**
diff --git a/libsoup/soup-uri-utils-private.h b/libsoup/soup-uri-utils-private.h
index 0119f0814..c2f984f86 100644
--- a/libsoup/soup-uri-utils-private.h
+++ b/libsoup/soup-uri-utils-private.h
@@ -28,6 +28,8 @@ GUri *soup_uri_copy_with_normalized_flags (GUri *uri);
char *soup_uri_get_host_for_headers (GUri *uri);
+char *soup_uri_normalize_domain (const char *domain);
+
#define SOUP_URI_IS_VALID(x) ((x) && g_uri_get_host(x) && g_uri_get_host(x)[0])
G_END_DECLS
diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
index 0963a1143..1f65faede 100644
--- a/libsoup/soup-uri-utils.c
+++ b/libsoup/soup-uri-utils.c
@@ -506,3 +506,21 @@ soup_uri_get_host_for_headers (GUri *uri)
return g_strdup (host);
}
+
+char *
+soup_uri_normalize_domain (const char *domain)
+{
+ char *lower;
+ char *normalized;
+
+ g_assert (domain);
+
+ if (g_str_is_ascii (domain))
+ return g_ascii_strdown (domain, -1);
+
+ lower = g_utf8_casefold (domain, -1);
+ normalized = g_utf8_normalize (lower, -1, G_NORMALIZE_NFKC);
+ g_free (lower);
+
+ return normalized;
+}
diff --git a/tests/cookies-test.c b/tests/cookies-test.c
index 1d2d45630..7007aaf59 100644
--- a/tests/cookies-test.c
+++ b/tests/cookies-test.c
@@ -695,6 +695,24 @@ do_cookies_threads_test (void)
soup_test_session_abort_unref (session);
}
+static void
+do_cookies_public_suffix_test (void)
+{
+ SoupCookieJar *jar = soup_cookie_jar_new ();
+ GUri *uri = g_uri_parse ("http://example.CO.uk", SOUP_HTTP_URI_FLAGS, NULL);
+ GSList *cookies;
+
+ soup_cookie_jar_set_cookie (jar, uri, "value=1; domain=.co.uk");
+ soup_cookie_jar_set_cookie (jar, uri, "value=1; domain=.CO.uk");
+ soup_cookie_jar_set_cookie (jar, uri, "value=1; domain=.CO.UK");
+
+ cookies = soup_cookie_jar_all_cookies (jar);
+ g_assert_cmpint (g_slist_length (cookies), ==, 0);
+
+ g_uri_unref (uri);
+ g_object_unref (jar);
+}
+
int
main (int argc, char **argv)
{
@@ -726,6 +744,7 @@ main (int argc, char **argv)
g_test_add_func ("/cookies/secure-cookies", do_cookies_strict_secure_test);
g_test_add_func ("/cookies/prefix", do_cookies_prefix_test);
g_test_add_func ("/cookies/threads", do_cookies_threads_test);
+ g_test_add_func ("/cookies/public-suffix", do_cookies_public_suffix_test);
ret = g_test_run ();
--
GitLab

89
CVE-2025-4948.patch Normal file
View File

@ -0,0 +1,89 @@
From 66521f00e9f87f709d8ad9138f19052db933cf06 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Thu, 15 May 2025 17:49:11 +0200
Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body
It could happen that the boundary started at a place which resulted into
a negative number, which in an unsigned integer is a very large value.
Check the body size is not a negative value before setting it.
Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
---
libsoup/soup-multipart.c | 2 +-
tests/multipart-test.c | 40 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index 102ce372..a587fe7c 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
*/
part_body = g_bytes_new_from_bytes (body, // FIXME
split - body_data,
- end - 2 - split);
+ end - 2 >= split ? end - 2 - split : 0);
g_ptr_array_add (multipart->bodies, part_body);
start = end;
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index f5b98688..92b673eb 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
@@ -527,6 +527,45 @@ test_multipart_bounds_bad (void)
g_bytes_unref (bytes);
}
+static void
+test_multipart_too_large (void)
+{
+ const char *raw_body =
+ "-------------------\r\n"
+ "-\n"
+ "Cont\"\r\n"
+ "Content-Tynt----e:n\x8erQK\r\n"
+ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n"
+ "Content-Typimag\x01/png--\\\n"
+ "\r\n"
+ "---:\n\r\n"
+ "\r\n"
+ "-------------------------------------\r\n"
+ "---------\r\n"
+ "----------------------";
+ GBytes *body;
+ GHashTable *params;
+ SoupMessageHeaders *headers;
+ SoupMultipart *multipart;
+
+ params = g_hash_table_new (g_str_hash, g_str_equal);
+ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------");
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_set_content_type (headers, "multipart/form-data", params);
+ g_hash_table_unref (params);
+
+ body = g_bytes_new_static (raw_body, strlen (raw_body));
+ multipart = soup_multipart_new_from_message (headers, body);
+ soup_message_headers_unref (headers);
+ g_bytes_unref (body);
+
+ g_assert_nonnull (multipart);
+ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
+ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body));
+ g_assert_cmpint (g_bytes_get_size (body), ==, 0);
+ soup_multipart_free (multipart);
+}
+
int
main (int argc, char **argv)
{
@@ -556,6 +595,7 @@ main (int argc, char **argv)
g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+ g_test_add_func ("/multipart/too-large", test_multipart_too_large);
ret = g_test_run ();
--
GitLab

View File

@ -2,7 +2,7 @@
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 3;
release_number = 6;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@ -12,7 +12,7 @@
Name: libsoup3
Version: 3.6.5
Release: %autorelease
Release: 3%{?dist}.%{autorelease -n}
Summary: Soup, an HTTP library implementation
License: LGPL-2.0-or-later
@ -31,6 +31,15 @@ Patch: CVE-2025-32914.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/451
Patch: CVE-2025-32908.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/448 (simplified and corrected)
Patch: CVE-2025-4035.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463
Patch: CVE-2025-4948.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/408 (simplified)
Patch: CVE-2025-32049.patch
# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452
Patch: CVE-2025-32907.patch
BuildRequires: ca-certificates
BuildRequires: gcc
BuildRequires: gettext
@ -124,6 +133,15 @@ install -m 644 -D tests/libsoup.supp %{buildroot}%{_datadir}/libsoup-3.0/libsoup
%changelog
## START: Generated by rpmautospec
* Wed May 21 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 3.6.5-6
- Add patch for CVE-2025-32907
* Wed May 21 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 3.6.5-5
- Fix release field
* Wed May 21 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 3.6.5-4
- Fix several CVEs
* Thu May 01 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 3.6.5-3
- Add patch to hopefully fix http2-body-size-test timeouts