diff --git a/fix-CVE-2025-46420.patch b/0000-bugfix-for-CVE-2025-46420.patch
similarity index 100%
rename from fix-CVE-2025-46420.patch
rename to 0000-bugfix-for-CVE-2025-46420.patch
diff --git a/0001-bugfix-for-CVE-2025-32907.patch b/0001-bugfix-for-CVE-2025-32907.patch
new file mode 100644
index 0000000000000000000000000000000000000000..de332a12b854d75fbbfd3de7cbaccfe7bedfd53e
--- /dev/null
+++ b/0001-bugfix-for-CVE-2025-32907.patch
@@ -0,0 +1,32 @@
+From 446b2e0a97ac1c241e9c58545f1b0f5f962d98e2 Mon Sep 17 00:00:00 2001
+From: Milan Crha
+Date: Tue, 15 Apr 2025 12:17:39 +0200
+Subject: [PATCH] soup-message-headers: Correct merge of ranges
+
+It had been skipping every second range, which generated an array
+of a lot of insane ranges, causing large memory usage by the server.
+
+Closes #428
+
+Conflict: The new test case community is still in discussion and it is recommended not to merge
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/446b2e0a97ac1c241e9c58545f1b0f5f962d98e2
+
+---
+ libsoup/soup-message-headers.c | 1 +
+ 1 files changed, 1 insertions(+)
+
+diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
+index ee7a3cb1..f101d4b4 100644
+--- a/libsoup/soup-message-headers.c
++++ b/libsoup/soup-message-headers.c
+@@ -1244,6 +1244,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs,
+ if (cur->start <= prev->end) {
+ prev->end = MAX (prev->end, cur->end);
+ g_array_remove_index (array, i);
++ i--;
+ }
+ }
+ }
+--
+GitLab
+
diff --git a/libsoup.spec b/libsoup.spec
index f06d8cc39df4409d424ce4443163eca61129423f..be597ad9c849fea0e7ab0dd80faf66b77708d67a 100644
--- a/libsoup.spec
+++ b/libsoup.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 %define glib2_version 2.58
 %{!?with_docs: %global with_docs 1}
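Review bot: In 0001-bugfix-for-CVE-2025-32907.patch the added `i--;` after `g_array_remove_index (array, i);` has no comment, and whether it is correct depends on the loop header and the type of `i`, both outside the embedded hunk. I would add `/* the next range has moved into slot i; compare it with prev again */` above it and confirm that `i` is never 0 here (it presumably starts at 1, since `prev` is the preceding element), so the decrement cannot wrap if `i` is unsigned. The patch header says the upstream test case was deliberately left out, so this backport ships without a regression test for a Range header with several overlapping ranges; the merge loop is exactly the code such a test would pin.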
@@ -11,7 +11,8 @@ Summary: Soup, an HTTP library implementation
 License: LGPLv2
 URL: https://wiki.gnome.org/Projects/libsoup
 Source0: https://download.gnome.org/sources/%{name}/2.74/%{name}-%{version}.tar.xz
-Patch1: fix-CVE-2025-46420.patch
+Patch0: 0000-bugfix-for-CVE-2025-46420.patch
+Patch1: 0001-bugfix-for-CVE-2025-32907.patch
 BuildRequires: gettext
 BuildRequires: glib-networking
@@ -121,6 +122,9 @@ This package contains developer documentation for %{name}.
 %endif
 %changelog
+* Wed Jun 04 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 2.74.3-4
+- fix CVE-2025-32907
+
 * Tue May 13 2025 yangjinlin01 - 2.74.3-3
 - fix CVE-2025-46420
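Review bot: Renumbering the existing CVE-2025-46420 fix from `Patch1` to `Patch0` is safe only if %prep applies every declared patch automatically, and %prep is not part of this diff, so that cannot be confirmed from here. If %prep uses an explicit `%patch1 -p1`, that line would now apply the new CVE-2025-32907 patch and the CVE-2025-46420 fix would be dropped while the build still succeeds. Please check that %prep uses `%autosetup -p1` (or `%autopatch`), or add a matching `%patch0 -p1` line.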