From 768683dbc2b7d3a8dbd1507b497cfb703b527ac1 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 11 Feb 2026 05:26:37 +0000
Subject: [PATCH] import UBI libsoup3-3.6.5-3.el10_1.10
---
 CVE-2026-1761.patch | 97 +++++++++++++++++++++++++++++++++++++++++++++
 libsoup3.spec | 7 +++-
 2 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2026-1761.patch
diff --git a/CVE-2026-1761.patch b/CVE-2026-1761.patch
new file mode 100644
index 0000000..729b454
--- /dev/null
+++ b/CVE-2026-1761.patch
@@ -0,0 +1,97 @@
+From 0a55f5ebde48cc3e488bff70215b22f103cc6077 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos
+Date: Mon, 19 Jan 2026 15:14:58 +0100
+Subject: [PATCH] multipart: check length of bytes read
+ soup_filter_input_stream_read_until()
+
+We do make sure the read length is smaller than the buffer length when
+the boundary is not found, but we should do the same when the boundary
+is found.
+
+Spotted in #YWH-PGM9867-149
+Closes #493
+---
+ libsoup/soup-filter-input-stream.c | 3 +-
+ tests/multipart-test.c | 46 ++++++++++++++++++++++++++++++
+ 2 files changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c
+index b1e616c7..22541aa0 100644
+--- a/libsoup/soup-filter-input-stream.c
++++ b/libsoup/soup-filter-input-stream.c
+@@ -337,6 +337,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream,
+ if (eof && !*got_boundary)
+ read_length = MIN (priv->buf->len, length);
+ else
+- read_length = p - buf;
++ read_length = MIN ((gsize)(p - buf), length);
++
+ return read_from_buf (fstream, buffer, read_length);
+ }
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 92b673eb..0496a4c6 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -527,6 +527,51 @@ test_multipart_bounds_bad (void)
+ g_bytes_unref (bytes);
+ }
+
++static void
++test_multipart_bounds_bad_3 (void)
++{
++ SoupMessage *msg;
++ SoupMessageHeaders *headers;
++ GInputStream *in;
++ SoupMultipartInputStream *multipart;
++ GError *error = NULL;
++ const char raw_data[] = "\0$--A\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\nXXXXXXXXX\r\n--A--\r\n";
++
++ msg = soup_message_new(SOUP_METHOD_POST, "http://foo/upload");
++ headers = soup_message_get_response_headers (msg);
++ soup_message_headers_replace (headers, "Content-Type", "multipart/form-data; boundary=\"A\"");
++
++ in = g_memory_input_stream_new_from_data (raw_data + 2, sizeof(raw_data) - 2, NULL);
++ multipart = soup_multipart_input_stream_new (msg, in);
++ g_object_unref (in);
++
++ while (TRUE) {
++ in = soup_multipart_input_stream_next_part (multipart, NULL, &error);
++ g_assert_no_error (error);
++ if (!in) {
++ g_clear_error (&error);
++ break;
++ }
++
++ char buffer[10];
++ while (TRUE) {
++ gssize bytes_read;
++
++ bytes_read = g_input_stream_read (in, buffer, sizeof(buffer), NULL, &error);
++ g_assert_no_error (error);
++ if (bytes_read <= 0) {
++ g_clear_error (&error);
++ break;
++ }
++ }
++
++ g_object_unref (in);
++ }
++
++ g_object_unref (multipart);
++ g_object_unref (msg);
++}
++
+ static void
+ test_multipart_too_large (void)
+ {
+@@ -595,6 +640,7 @@ main (int argc, char **argv)
+ g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
+ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
++ g_test_add_func ("/multipart/bounds-bad-3", test_multipart_bounds_bad_3);
+ g_test_add_func ("/multipart/too-large", test_multipart_too_large);
+
+ ret = g_test_run ();
+--
+2.52.0
+
diff --git a/libsoup3.spec b/libsoup3.spec
index add8e6e..20bfc95 100644
--- a/libsoup3.spec
+++ b/libsoup3.spec
@@ -2,7 +2,7 @@
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
- release_number = 9;
+ release_number = 10;
 base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
 print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -49,6 +49,8 @@ Patch: CVE-2025-12105.patch
 Patch: CVE-2025-14523.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494
 Patch: CVE-2026-0719.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/496
+Patch: CVE-2026-1761.patch
 BuildRequires: ca-certificates
 BuildRequires: gcc
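Review bot: The regression test `test_multipart_bounds_bad_3` carried in CVE-2026-1761.patch never compares `bytes_read` with the 10-byte `buffer`, so as written it seems able to fail on unpatched code only when the suite runs under a memory checker such as ASan or Valgrind; an overrun of a stack array may otherwise go unnoticed. Adding `g_assert_cmpint (bytes_read, <=, (gssize) sizeof (buffer));` right after the `g_input_stream_read()` call would make the length contract explicit in every build. The `"\0$"` prefix on `raw_data` and the `raw_data + 2` offset also deserve a one-line comment saying why the stream starts two bytes into the array, since the reason is not visible in the test. In the fix itself, `soup_filter_input_stream_read_until()` starts outside the hunk, so whether `p` can ever sit below `buf` before the `(gsize)` cast cannot be confirmed from these lines.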
@@ -143,6 +145,9 @@ install -m 644 -D tests/libsoup.supp %{buildroot}%{_datadir}/libsoup-3.0/libsoup
 %changelog
 ## START: Generated by rpmautospec
+* Mon Feb 02 2026 Michael Catanzaro - 3.6.5-10
+- Add patch for CVE-2026-1761
+
 * Fri Jan 30 2026 Michael Catanzaro - 3.6.5-9
 - Fix CVE-2026-0719