From c984b3bb4e17a91d7b684868af85fc54712c8668 Mon Sep 17 00:00:00 2001 From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> Date: Wed, 4 Jun 2025 16:02:26 +0800 Subject: [PATCH] [CVE] FIX CVE-2025-32907 to #20409 add patch to fix CVE-2025-32907 Project: TC2024080204 Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> --- ...ch => 0000-bugfix-for-CVE-2025-46420.patch | 0 0001-bugfix-for-CVE-2025-32907.patch | 32 +++++++++++++++++++ libsoup.spec | 8 +++-- 3 files changed, 38 insertions(+), 2 deletions(-) rename fix-CVE-2025-46420.patch => 0000-bugfix-for-CVE-2025-46420.patch (100%) create mode 100644 0001-bugfix-for-CVE-2025-32907.patch diff --git a/fix-CVE-2025-46420.patch b/0000-bugfix-for-CVE-2025-46420.patch similarity index 100% rename from fix-CVE-2025-46420.patch rename to 0000-bugfix-for-CVE-2025-46420.patch diff --git a/0001-bugfix-for-CVE-2025-32907.patch b/0001-bugfix-for-CVE-2025-32907.patch new file mode 100644 index 0000000..de332a1 --- /dev/null +++ b/0001-bugfix-for-CVE-2025-32907.patch 
@@ -0,0 +1,32 @@ +From 446b2e0a97ac1c241e9c58545f1b0f5f962d98e2 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Tue, 15 Apr 2025 12:17:39 +0200 +Subject: [PATCH] soup-message-headers: Correct merge of ranges + +It had been skipping every second range, which generated an array +of a lot of insane ranges, causing large memory usage by the server. + +Closes #428 + +Conflict: The new test case community is still in discussion and it is recommended not to merge +Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/446b2e0a97ac1c241e9c58545f1b0f5f962d98e2 + +--- + libsoup/soup-message-headers.c | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index ee7a3cb1..f101d4b4 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1244,6 +1244,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs, + if (cur->start <= prev->end) { + prev->end = MAX (prev->end, cur->end); + g_array_remove_index (array, i); ++ i--; + } + } + } +-- +GitLab + diff --git a/libsoup.spec b/libsoup.spec index f06d8cc..be597ad 100644 --- a/libsoup.spec +++ b/libsoup.spec @@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 4 %define glib2_version 2.58 %{!?with_docs: %global with_docs 1} @@ -11,7 +11,8 @@ Summary: Soup, an HTTP library implementation License: LGPLv2 URL: https://wiki.gnome.org/Projects/libsoup Source0: https://download.gnome.org/sources/%{name}/2.74/%{name}-%{version}.tar.xz -Patch1: fix-CVE-2025-46420.patch +Patch0: 0000-bugfix-for-CVE-2025-46420.patch +Patch1: 0001-bugfix-for-CVE-2025-32907.patch BuildRequires: gettext BuildRequires: glib-networking @@ -121,6 +122,9 @@ This package contains developer documentation for %{name}. %endif %changelog +* Wed Jun 04 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 2.74.3-4 +- fix CVE-2025-32907 + * Tue May 13 2025 yangjinlin01 - 2.74.3-3 - fix CVE-2025-46420 -- Gitee
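Review bot: The added `i--;` ships with no regression test and no comment explaining it. The `Conflict:` line in the embedded patch header says the upstream test case was left out, so nothing in this package checks that a Range header with many overlapping ranges now merges into one entry instead of growing the array. I would add a comment on the new line, for example `/* g_array_remove_index() moved the next range into slot i; compare it with prev again */`, and carry the upstream test once it is settled. The loop header and the declaration of `i` are outside the hunk; the decrement is only safe if the loop starts at index 1 or later, which the use of `prev` suggests but the visible lines do not show.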
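Review bot: Renumbering the existing fix from `Patch1` to `Patch0` is only safe if `%prep` applies patches automatically. The `%prep` section is outside these hunks, and the spec hunks shown account for all 8 changed lines in the diffstat, so it appears to be unchanged. If it contains a numbered `%patch1 -p1` line, the CVE-2025-46420 fix (now `Patch0`) would silently stop being applied while the build still succeeds. Confirm that `%prep` uses `%autosetup -p1`, or add a matching `%patch0 -p1` line, and check the build log to see that both patches are applied.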