diff --git a/CVE-2025-32050.patch b/CVE-2025-32050.patch new file mode 100644 index 0000000000000000000000000000000000000000..e189bb65d9a0b5a16f726f736710701f685d19b2 --- /dev/null +++ b/CVE-2025-32050.patch @@ -0,0 +1,25 @@ +From 9bb0a55de55c6940ced811a64fbca82fe93a9323 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 28 Oct 2024 12:29:48 -0500 +Subject: [PATCH] Fix using int instead of size_t for strcspn return + +--- + libsoup/soup-headers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 613e1905..a5f7a7f6 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -907,7 +907,7 @@ append_param_quoted (GString *string, + const char *name, + const char *value) + { +- int len; ++ gsize len; + + g_string_append (string, name); + g_string_append (string, "=\""); +-- +GitLab + diff --git a/CVE-2025-32052.patch b/CVE-2025-32052.patch new file mode 100644 index 0000000000000000000000000000000000000000..861731b89ada353681d9ac0ac17ec5d182db3db7 --- /dev/null +++ b/CVE-2025-32052.patch 
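Review bot: Changing `len` to `gsize` only fixes the declaration; the code in append_param_quoted that consumes the strcspn() result and compares or subtracts from `len` is outside the hunk, so every use should be re-checked for signed/unsigned comparison or `len - 1` style arithmetic now that the value can never be negative. The reason for the type should be recorded at the declaration so a later cleanup does not revert it, e.g. `gsize len; /* strcspn() returns size_t; storing it in an int could go negative past INT_MAX */`. The rest of the function, including the strcspn() call itself, is not visible here.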
@@ -0,0 +1,26 @@ +From 1542173d11df64e39e71367f10596e8160481290 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 16 Nov 2024 12:07:30 -0600 +Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff + +Co-Author: Ar Jun +--- + libsoup/soup-content-sniffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 967ec614..26c65bbd 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer, + guint index_pattern = 0; + gboolean skip_row = FALSE; + +- while ((index_stream < resource_length) && ++ while ((index_stream < resource_length - 1) && + (index_pattern <= type_row->pattern_length)) { + /* Skip insignificant white space ("WS" in the spec) */ + if (type_row->pattern[index_pattern] == ' ') { +-- +2.49.0 + diff --git a/CVE-2025-32053.patch b/CVE-2025-32053.patch new file mode 100644 index 0000000000000000000000000000000000000000..92a744233006dc002469c7183b3b6661d1d45ef5 --- /dev/null +++ b/CVE-2025-32053.patch 
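Review bot: `resource_length - 1` wraps to a huge value when resource_length is 0 if that variable is unsigned; its declaration is outside the hunk, so confirm it is a signed `int` (as the `resource_length` parameter of skip_insignificant_space is in the sibling patch) or add `resource_length > 0 &&` to the condition. The new bound is also unexplained: a reader sees the loop stop one byte early with nothing saying why, presumably because the body reads beyond `index_stream`; a comment such as `/* stop one short: the body reads resource[index_stream + 1] */` (adjusted to the actual read) would make the fix self-describing. sniff_unknown's body continues outside the hunk.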
@@ -0,0 +1,35 @@ +From 8e1793e2ddd8c2648b9a28f06bf21fd13bd12b39 Mon Sep 17 00:00:00 2001 +From: Ar Jun +Date: Mon, 18 Nov 2024 14:59:51 -0600 +Subject: [PATCH] Fix heap buffer overflow in + soup-content-sniffer.c:sniff_feed_or_html() + +--- + libsoup/soup-content-sniffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 26c65bbd..698d05e4 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -620,7 +620,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length) + (resource[*pos] == '\x0D')) { + *pos = *pos + 1; + +- if (*pos > resource_length) ++ if (*pos >= resource_length) + return TRUE; + } + +@@ -682,7 +682,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + do { + pos++; + +- if (pos > resource_length) ++ if ((pos + 1) > resource_length) + goto text_html; + } while (resource[pos] != '>'); + +-- +2.49.0 + diff --git a/CVE-2025-32906.patch b/CVE-2025-32906.patch new file mode 100644 index 0000000000000000000000000000000000000000..0dc4c274490771b1ce8a4e57b5a9c3c85c0598ad --- /dev/null +++ b/CVE-2025-32906.patch 
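Review bot: `(pos + 1) > resource_length` in sniff_feed_or_html is the same predicate as `pos >= resource_length`, which is the form the first hunk uses in skip_insignificant_space; writing `if (pos >= resource_length)` keeps the two bounds checks visibly identical and stops a reader wondering whether the `+ 1` means something else. Both places still rely on the check running before the `resource[pos]` / `resource[*pos]` read that follows, so a short comment on the do/while (`/* must be checked before resource[pos] is read below */`) would help the next maintainer. Both enclosing functions start and end outside the hunk.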
@@ -0,0 +1,65 @@ +From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 11 Feb 2025 14:36:26 -0600 +Subject: [PATCH 1/2] headers: Handle parsing edge case + +This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds. +--- + libsoup/soup-headers.c | 2 +- + tests/header-parsing-test.c | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 85385cea..9d6d00a3 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str, + !g_ascii_isdigit (version[5])) + return SOUP_STATUS_BAD_REQUEST; + major_version = strtoul (version + 5, &p, 10); +- if (*p != '.' || !g_ascii_isdigit (p[1])) ++ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1])) + return SOUP_STATUS_BAD_REQUEST; + minor_version = strtoul (p + 1, &p, 10); + version_end = p; +-- +GitLab + + +From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 12 Feb 2025 11:30:02 -0600 +Subject: [PATCH 2/2] headers: Handle parsing only newlines + +Closes #404 +Closes #407 +--- + libsoup/soup-headers.c | 4 ++-- + tests/header-parsing-test.c | 13 ++++++++++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 9d6d00a3..52ef2ece 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str, + /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s) + * received where a Request-Line is expected." 
+ */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str, + * after a response, which we then see prepended to the next + * response on that connection. + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +-- +GitLab + diff --git a/CVE-2025-32911-CVE-2025-32913.patch b/CVE-2025-32911-CVE-2025-32913.patch new file mode 100644 index 0000000000000000000000000000000000000000..e7fae232459c4652210b10a8ea4f2da6f8aeaadf --- /dev/null +++ b/CVE-2025-32911-CVE-2025-32913.patch 
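Review bot: The new `p + 1 >= str + len` guard bounds the `p[1]` read, but strtoul() itself is not length-bounded: `strtoul (version + 5, ...)` and the following `strtoul (p + 1, ...)` scan until a non-digit, so if `str` is not guaranteed NUL-terminated within `len` they can still read past the buffer regardless of this check. If callers always pass a terminated buffer, say so next to the check, e.g. `/* strtoul() relies on str being NUL-terminated; the explicit bound only covers p[1] */`; otherwise the digit scan should be bounded by hand. The diffstat lists tests/header-parsing-test.c but no hunk for it is carried in this backport, so the crafted version-string regression test is lost. soup_headers_parse_request continues outside the hunk.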
@@ -0,0 +1,67 @@ +From f2d316341c00a343d0b46edd590efa8c102521c3 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 17:53:50 -0600 +Subject: [PATCH 1/2] soup_message_headers_get_content_disposition: Fix NULL + deref + +--- + libsoup/soup-message-headers.c | 13 +++++++++---- + tests/header-parsing-test.c | 13 +++++++++++++ + 2 files changed, 22 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 5c8c7cb9..ccf31233 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1443,10 +1443,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + */ + if (params && g_hash_table_lookup_extended (*params, "filename", + &orig_key, &orig_value)) { +- char *filename = strrchr (orig_value, '/'); +- +- if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ if (orig_value) { ++ char *filename = strrchr (orig_value, '/'); ++ ++ if (filename) ++ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ } else { ++ /* filename with no value isn't valid. */ ++ g_hash_table_remove (*params, "filename"); ++ } + } + return TRUE; + } +-- +2.49.0 + + +From dd3a245941f117832dd1fdda4f8bc68b44e2810d Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 18:00:39 -0600 +Subject: [PATCH 2/2] soup_message_headers_get_content_disposition: strdup + truncated filenames + +This table frees the strings it contains. 
+--- + libsoup/soup-message-headers.c | 2 +- + tests/header-parsing-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index ccf31233..64847e30 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1447,7 +1447,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + char *filename = strrchr (orig_value, '/'); + + if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1)); + } else { + /* filename with no value isn't valid. */ + g_hash_table_remove (*params, "filename"); +-- +2.49.0 + diff --git a/CVE-2025-46420.patch b/CVE-2025-46420.patch new file mode 100644 index 0000000000000000000000000000000000000000..c7dfb9e8e2433eeaa71525854b2751d938904867 --- /dev/null +++ b/CVE-2025-46420.patch 
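Review bot: Stripping everything up to the last `/` is only a partial defense: a value such as `..\evil` or one beginning with `..` passes through unchanged, so callers that use the `filename` parameter to name a file on disk must still sanitize it themselves. The comment above the lookup (cut off by the hunk) should state that limit explicitly, e.g. `/* Drop directory components up to the last '/'; this is not full path sanitization — callers must still validate the name. */`. The `g_strdup (orig_key)` is needed because g_hash_table_insert() frees the passed key when the key already exists, which is worth a one-line comment since it looks redundant at first glance. The diffstat lists tests/header-parsing-test.c but the backport carries no hunk for it.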
@@ -0,0 +1,56 @@ +From 355d7979ac27c6a83684e079d5bc6cf148e7bc16 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Thu, 26 Dec 2024 18:31:42 -0600 +Subject: [PATCH] soup_header_parse_quality_list: Fix leak + +When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings. +--- + libsoup/soup-headers.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index eec28adf..3e922816 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -535,7 +535,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + GSList *unsorted; + QualityItem *array; + GSList *sorted, *iter; +- char *item, *semi; ++ char *semi; + const char *param, *equal, *value; + double qval; + int n; +@@ -548,9 +548,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + unsorted = soup_header_parse_list (header); + array = g_new0 (QualityItem, g_slist_length (unsorted)); + for (iter = unsorted, n = 0; iter; iter = iter->next) { +- item = iter->data; + qval = 1.0; +- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) { ++ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) { + param = skip_lws (semi + 1); + if (*param != 'q') + continue; +@@ -582,15 +581,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + if (qval == 0.0) { + if (unacceptable) { + *unacceptable = g_slist_prepend (*unacceptable, +- item); ++ g_steal_pointer (&iter->data)); + } + } else { +- array[n].item = item; ++ array[n].item = g_steal_pointer (&iter->data); + array[n].qval = qval; + n++; + } + } +- g_slist_free (unsorted); ++ g_slist_free_full (unsorted, g_free); + + qsort (array, n, sizeof (QualityItem), sort_by_qval); + sorted = NULL; +-- +2.49.0 + 
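Review bot: The ownership flow is now correct but invisible: each `iter->data` is either moved into `array` or `*unacceptable`, or left in the list for `g_slist_free_full` to free, and nothing at the loop says so; a comment before the `for`, such as `/* Strings we keep are stolen out of the list; g_slist_free_full() below frees whatever remains */`, would stop a future edit from reintroducing the plain `g_slist_free`. `g_steal_pointer()` needs GLib >= 2.44, so check that the spec's `%{glib2_version}` floor covers it for this 2.62.3 backport. The tail of the function (qsort and building `sorted`) is outside the hunk.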
diff --git a/CVE-2025-46421.patch b/CVE-2025-46421.patch new file mode 100644 index 0000000000000000000000000000000000000000..18c90934df0455592e55670a8ccb4ffc863bd300 --- /dev/null +++ b/CVE-2025-46421.patch @@ -0,0 +1,32 @@ +From 4329a7e88c72079ae3eedbb1558b929851507464 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 16:18:10 -0600 +Subject: [PATCH] session: Strip authentication credentails on cross-origin + redirect + +This should match the behavior of Firefox and Safari but not of Chromium. +--- + libsoup/soup-session.c | 6 ++++ + tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 83 insertions(+) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index dd3cdc46..82ca8bf9 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1187,6 +1187,12 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) + SOUP_ENCODING_NONE); + } + ++ /* Strip all credentials on cross-origin redirect. */ ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { ++ soup_message_headers_remove (msg->request_headers, "Authorization"); ++ soup_message_set_auth (msg, NULL); ++ } ++ + soup_message_set_uri (msg, new_uri); + soup_uri_free (new_uri); + +-- +2.49.0 + diff --git a/0001-headers-Strictly-don-t-allow-NUL-bytes.patch b/CVE-2025-52530.patch similarity index 100% rename from 0001-headers-Strictly-don-t-allow-NUL-bytes.patch rename to CVE-2025-52530.patch diff --git a/0001-headers-Be-more-robust-against-invalid-input-when-pa.patch b/CVE-2025-52531.patch similarity index 100% rename from 0001-headers-Be-more-robust-against-invalid-input-when-pa.patch rename to CVE-2025-52531.patch diff --git a/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch b/CVE-2025-52532.patch similarity index 100% rename from 0001-websocket-process-the-frame-as-soon-as-we-read-data.patch rename to CVE-2025-52532.patch 
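Review bot: The comment `/* Strip all credentials on cross-origin redirect. */` claims more than the code does: only the `Authorization` header and the message's SoupAuth are dropped, while cookies and any `Proxy-Authorization` header are untouched, so I would narrow it to `/* Drop Authorization and the message's auth on a cross-origin redirect; cookies and proxy auth are handled elsewhere. */`. The origin test also depends on soup_uri_host_equal() comparing scheme and port as well as host — its libsoup 2 documentation says it does, but that is exactly what makes an https→http downgrade or a port change count as cross-origin, so it deserves a word in the comment. The diffstat lists 77 lines in tests/auth-test.c that this backport does not carry, so the new behaviour has no regression test here. soup_session_redirect_message continues outside the hunk.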
diff --git a/libsoup.spec b/libsoup.spec index c683804a283f2556efbb6458f2a70ab7ebf67b1f..17921c2cf3d6e617b0bd04a88a096d8a5922d01f 100644 --- a/libsoup.spec +++ b/libsoup.spec @@ -3,7 +3,7 @@ Name: libsoup Version: 2.62.3 -Release: 7%{anolis_release}%{?dist} +Release: 8%{anolis_release}%{?dist} Summary: Soup, an HTTP library implementation License: LGPLv2 @@ -15,9 +15,23 @@ Patch0002: 0002-WebSockets-allow-null-characters-in-text-messages-da.patch Patch0003: 0003-WebSockets-only-poll-IO-stream-when-needed.patch Patch0004: 0004-ntlmv2.patch Patch0005: 0005-WebSockets-do-not-start-the-input-source-when-IO-is-closing.patch -Patch0006: 0001-headers-Strictly-don-t-allow-NUL-bytes.patch -Patch0007: 0001-websocket-process-the-frame-as-soon-as-we-read-data.patch -Patch0008: 0001-headers-Be-more-robust-against-invalid-input-when-pa.patch +Patch0006: CVE-2025-52530.patch +Patch0007: CVE-2025-52531.patch +Patch0008: CVE-2025-52532.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/446 +Patch0009: test-cert-expiration.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/415 +Patch0010: CVE-2025-32050.patch +Patch0011: CVE-2025-32052.patch +Patch0012: CVE-2025-32053.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/440 +Patch0013: CVE-2025-32906.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/422 +Patch0014: CVE-2025-32911-CVE-2025-32913.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/421 +Patch0015: CVE-2025-46420.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436 +Patch0016: CVE-2025-46421.patch BuildRequires: chrpath BuildRequires: glib2-devel >= %{glib2_version} 
@@ -105,9 +119,20 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so %doc README NEWS AUTHORS %changelog -* Fri Jan 31 2025 Weisson - 2.62.3-7.0.1 +* Fri May 09 2025 Weisson - 2.62.3-8.0.1 - Add doc sub package +* Thu May 01 2025 Michael Catanzaro - 2.62.3-8 +- Backport patches for various CVEs, plus test improvements + Resolves: RHEL-85887 + Resolves: RHEL-85900 + Resolves: RHEL-85901 + Resolves: RHEL-87039 + Resolves: RHEL-87094 + Resolves: RHEL-87114 + Resolves: RHEL-88348 + Resolves: RHEL-88351 + * Tue Jan 28 2025 Michael Catanzaro - 2.62.3-7 - Backport upstream patch for CVE-2024-52531 - buffer overflow via UTF-8 conversion in soup_header_parse_param_list_strict Resolves: RHEL-76376 diff --git a/test-cert-expiration.patch b/test-cert-expiration.patch new file mode 100644 index 0000000000000000000000000000000000000000..c48aad87b3ad62c31c9d098884349d926b530bb0 --- /dev/null +++ b/test-cert-expiration.patch 
@@ -0,0 +1,60 @@ +From 2dafd907586f52291b38c46362e72c7379558626 Mon Sep 17 00:00:00 2001 +From: "Bernhard M. Wiedemann" +Date: Thu, 18 Feb 2021 09:13:40 +0100 +Subject: [PATCH] Extend test cert to 2049 + +used certtool -u \ + --load-ca-privkey ./tests/test-key.pem \ + --load-ca-certificate ./tests/test-cert.pem \ + --load-certificate ./tests/test-cert.pem + +Without this patch, 3 tests failed in 2027 + 11/29 misc-test FAIL 0.67s (exit status 1) + 21/29 server-test FAIL 0.12s (exit status 1) + 25/29 timeout-test FAIL 4.08s (killed by signal 5 SIGTRAP) + +Background: +As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future. +The usual offset is +15 years, because that is how long I expect some software will be used in some places. +This showed up failing tests in our package build. +See https://reproducible-builds.org/ for why this matters. + +(cherry picked from commit 38a65f080a3168e8af78bdd3e4928debeea2dbd8) +--- + tests/test-cert.pem | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/tests/test-cert.pem b/tests/test-cert.pem +index ff863b4d1..4b8b180dc 100644 +--- a/tests/test-cert.pem ++++ b/tests/test-cert.pem +@@ -1,6 +1,6 @@ + -----BEGIN CERTIFICATE----- + MIIC2zCCAcOgAwIBAgIJALRbg2WnuAAqMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +-BAMMCTEyNy4wLjAuMTAeFw0xNzA2MjAxNDI3MzBaFw0yNzA2MTgxNDI3MzBaMBQx ++BAMMCTEyNy4wLjAuMTAeFw0yMTAyMTgwODA3MzBaFw00OTEyMzEwODA3MzRaMBQx + EjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC + ggEBAKs4fuRuW77nORhOT9kbbU6BsjKW3GEsMc+ZSmXjINQWpfkES2hV+DQyzhm5 + qh4OLi1vYtXoSbdQNDCbA8ybZJqR8m9F3ed8vobdSSQGxWpPdXTgz27x+TpiAc9P +@@ -8,11 +8,11 @@ w83UuPvlu/0AxHJBFXVAg+id0yFu3wmGWYJHoAtvFi2xeRtAXurNuPtjZyO+gfM9 + BKTRCkGsRSmPpJyGbU2Q96fjxnVfV9oYvQXeugUcSx/pTUCM/kDgD9QZCxG2rflX + NWcqDFY3uO6ZR68Qwi/KouOa8rzrgAcwhFUI6Wz0Zwi1rzRtWK5WqC24aBUYz/tK + hl8i88UDXSMh7spChdYDBGLhZyUCAwEAAaMwMC4wLAYDVR0RBCUwI4IJbG9jYWxo 
+-b3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQBj +-+U8tebwg5/pof5Rht6TMHqeg6Fcr4OJkL2ph2g+T/AMTS7kEGeFIKJN5AZ+S/qIY +-cdoDKHwc8+bCK/mG6DPmJ4z/2Eamb85YhplOLVrLRwfxRebTK9CtnjcjnflAiU9H +-7vPVwXIvkwebhBSQNKTdkBlPXKaTNWXuygeFG2OVQkPf/KAxSdtg2R+owv/s802Z +-HISk26wY9oFIQz6AiXWdrY1QqNOltZ7rlU5iofAH7X+9ryZlxPWj/gHg2YQRvvLl +-dq6nCF+ED0ke7h0lg5nU0beKEygwli8DlLVbu0JK0PkARFp5t7wUtzC9DCjzvfOc +-gxR44PyZX7/2oaTDm4PS ++b3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQAz ++/qYTUuBGHgp7T1cfaJPnhx6U1SMfdJRtFoWOXDx+MNCK9GYkdMEabzRGUP5uNHO+ ++PiZP/bMIHlpsbRA5AyyVf9Xv8JCujvYh24qYcBbwgZrfvNTm0D52P9JJm0SalTXS ++kwwTj00DWGVfVzJR+wiwYGHRIlyXbHqQSRzv6+z9f/xY5gXw/KpCNYTuOJcXW7w6 ++JfMrUnc9pphRUpcLkuuzOMKuB0dtWRc0mZIr7PZHt+0gitNZWA0bDYI3JI9tlK17 ++nxBUSpGtJwDgH//b8ek/P0P9a5VzQbBC6lXtQUMdxg7ovfAI//IS8ekBoRKI0Wde ++r2IpM9hKSBU3c2gGXcJC + -----END CERTIFICATE----- +-- +GitLab +