From 14fd18758277d05880c80507b81ef77e23cd0ddc Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Fri, 13 Jun 2025 10:36:20 +0800
Subject: [PATCH] [CVE] FIX CVE-2025-32049

to #20132
add patch to fix CVE-2025-32049
Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
 0013-bugfix-for-CVE-2025-32049.patch | 30 ++++++++++++++++++++++++++++
 libsoup.spec                         |  6 +++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 0013-bugfix-for-CVE-2025-32049.patch

diff --git a/0013-bugfix-for-CVE-2025-32049.patch b/0013-bugfix-for-CVE-2025-32049.patch
new file mode 100644
index 0000000..fa17d1f
--- /dev/null
+++ b/0013-bugfix-for-CVE-2025-32049.patch
@@ -0,0 +1,30 @@
+From 6ec7c5be50b48d6ce0a09aa3468f2c5725406a97 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Wed, 21 May 2025 10:42:51 -0500
+Subject: [PATCH] Add size limit for total message size
+
+This size limit could break applications, but it will close the denial
+of service issue.
+---
+ libsoup/soup-websocket-connection.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
+index 36524d04..f8764aff 100644
+--- a/libsoup/soup-websocket-connection.c
++++ b/libsoup/soup-websocket-connection.c
+@@ -913,6 +913,11 @@ process_contents (SoupWebsocketConnection *self,
+ 		switch (pv->message_opcode) {
+ 		case 0x01:
+ 		case 0x02:
++			/* Safety valve */
++			if (pv->message_data->len + payload_len > pv->max_incoming_payload_size) {
++				too_big_error_and_close (self, (pv->message_data->len + payload_len));
++				return;
++			}
+ 			g_byte_array_append (pv->message_data, payload, payload_len);
+ 			break;
+ 		default:
+-- 
+2.49.0
+
diff --git a/libsoup.spec b/libsoup.spec
index a6e429d..8233d95 100644
--- a/libsoup.spec
+++ b/libsoup.spec
@@ -1,4 +1,4 @@
-%define anolis_release 12
+%define anolis_release 13
 %define glib2_version 2.58
 
 %{!?with_docs: %global with_docs 1}
@@ -24,6 +24,7 @@ Patch9: 0009-bugfix-for-CVE-2025-32053.patch
 Patch10: 0010-bugfix-for-CVE-2025-32911-CVE-2025-32913.patch
 Patch11: 0011-bugfix-for-CVE-2025-32906.patch
 Patch12: 0012-bugfix-for-CVE-2025-32914.patch
+Patch13: 0013-bugfix-for-CVE-2025-32049.patch
 
 BuildRequires: gettext
 BuildRequires: glib-networking
@@ -133,6 +134,9 @@ This package contains developer documentation for %{name}.
 %endif
 
 %changelog
+* Fri Jun 13 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 2.74.3-13
+- fix CVE-2025-32049
+
 * Wed Jun 11 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 2.74.3-12
 - fix CVE-2025-32914
 
-- 
Gitee