diff --git a/0013-bugfix-for-CVE-2025-32049.patch b/0013-bugfix-for-CVE-2025-32049.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fa17d1fa7425f16becabc7b3c7c372349bf990c9
--- /dev/null
+++ b/0013-bugfix-for-CVE-2025-32049.patch
@@ -0,0 +1,30 @@
+From 6ec7c5be50b48d6ce0a09aa3468f2c5725406a97 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Wed, 21 May 2025 10:42:51 -0500
+Subject: [PATCH] Add size limit for total message size
+This size limit could break applications, but it will close the denial
+of service issue.
+---
+ libsoup/soup-websocket-connection.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+ diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
+index 36524d04..f8764aff 100644
+--- a/libsoup/soup-websocket-connection.c
++++ b/libsoup/soup-websocket-connection.c
+@@ -913,6 +913,11 @@ process_contents (SoupWebsocketConnection *self,
+ switch (pv->message_opcode) {
+ case 0x01:
+ case 0x02:
++ /* Safety valve */
++ if (pv->message_data->len + payload_len > pv->max_incoming_payload_size) {
++ too_big_error_and_close (self, (pv->message_data->len + payload_len));
++ return;
++ }
+ g_byte_array_append (pv->message_data, payload, payload_len);
+ break;
+ default:
+-- 
+2.49.0
+
diff --git a/libsoup.spec b/libsoup.spec
index a6e429d7047c2bc4baa9461000ebb3b80355a9e3..8233d9507e089a4f58b9720d1e2b10e5dd4db326 100644
--- a/libsoup.spec
+++ b/libsoup.spec
@@ -1,4 +1,4 @@
-%define anolis_release 12
+%define anolis_release 13
 %define glib2_version 2.58
 %{!?with_docs: %global with_docs 1}
@@ -24,6 +24,7 @@ Patch9: 0009-bugfix-for-CVE-2025-32053.patch
 Patch10: 0010-bugfix-for-CVE-2025-32911-CVE-2025-32913.patch
 Patch11: 0011-bugfix-for-CVE-2025-32906.patch
 Patch12: 0012-bugfix-for-CVE-2025-32914.patch
+Patch13: 0013-bugfix-for-CVE-2025-32049.patch
 BuildRequires: gettext
 BuildRequires: glib-networking
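Review bot: The added check in the `case 0x01`/`case 0x02` arm compares the accumulated length against `pv->max_incoming_payload_size` unconditionally, so if this tree (as libsoup's property documentation has, to my recollection, stated) treats a value of 0 as "no limit", an application that disabled the per-frame cap will now have every data frame answered with a too-big close; if the per-frame safety valve in process_frame, which is outside this hunk, honours that sentinel, the new guard should mirror it: `if (pv->max_incoming_payload_size > 0 && pv->message_data->len + payload_len > pv->max_incoming_payload_size) {`. Separately, `GByteArray.len` is a `guint`, so on a target where `payload_len` is also 32 bits the sum can wrap below the limit before the comparison; computing it once in a `guint64` temporary and passing that to too_big_error_and_close would keep the check meaningful on such builds (whether `payload_len` is `gsize` here is not visible in the hunk). Note that continuation frames (opcode 0) are also funnelled through this switch via `pv->message_opcode`, which is what makes the check cover the whole fragmented message, and a comment saying so — `/* Safety valve: bounds the reassembled message, not just this frame (continuations reuse message_opcode) */` — would make the intent clearer than the bare `/* Safety valve */`. The body of process_contents begins and ends outside the hunk, and since the patch header itself admits the limit "could break applications", the spec changelog would benefit from one line naming the new effective cap so packagers can warn users.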
@@ -133,6 +134,9 @@ This package contains developer documentation for %{name}.
 %endif
 %changelog
+* Fri Jun 13 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 2.74.3-13
+- fix CVE-2025-32049
+
 * Wed Jun 11 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 2.74.3-12
 - fix CVE-2025-32914