From 14fd18758277d05880c80507b81ef77e23cd0ddc Mon Sep 17 00:00:00 2001 From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> Date: Fri, 13 Jun 2025 10:36:20 +0800 Subject: [PATCH] [CVE] FIX CVE-2025-32049 to #20132 add patch to fix CVE-2025-32049 Project: TC2024080204 Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> --- 0013-bugfix-for-CVE-2025-32049.patch | 30 ++++++++++++++++++++++++++++ libsoup.spec | 6 +++++- 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 0013-bugfix-for-CVE-2025-32049.patch
diff --git a/0013-bugfix-for-CVE-2025-32049.patch b/0013-bugfix-for-CVE-2025-32049.patch
new file mode 100644
index 0000000..fa17d1f
--- /dev/null
+++ b/0013-bugfix-for-CVE-2025-32049.patch
@@ -0,0 +1,30 @@
+From 6ec7c5be50b48d6ce0a09aa3468f2c5725406a97 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Wed, 21 May 2025 10:42:51 -0500
+Subject: [PATCH] Add size limit for total message size
+
+This size limit could break applications, but it will close the denial
+of service issue.
+---
+ libsoup/soup-websocket-connection.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
+index 36524d04..f8764aff 100644
+--- a/libsoup/soup-websocket-connection.c
++++ b/libsoup/soup-websocket-connection.c
+@@ -913,6 +913,11 @@ process_contents (SoupWebsocketConnection *self,
+ switch (pv->message_opcode) {
+ case 0x01:
+ case 0x02:
++ /* Safety valve */
++ if (pv->message_data->len + payload_len > pv->max_incoming_payload_size) {
++ too_big_error_and_close (self, (pv->message_data->len + payload_len));
++ return;
++ }
+ g_byte_array_append (pv->message_data, payload, payload_len);
+ break;
+ default:
+--
+2.49.0
+
diff --git a/libsoup.spec b/libsoup.spec
index a6e429d..8233d95 100644
--- a/libsoup.spec
+++ b/libsoup.spec
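Review bot: The guard added under `case 0x02:` in process_contents compares the accumulated size with `pv->max_incoming_payload_size` without first checking that the limit is non-zero. libsoup documents 0 for that property as "no limit", so if that holds in this 2.74.3 tree, a connection configured with 0 would be closed by `too_big_error_and_close` on its first non-empty data frame. I would write the condition as `if (pv->max_incoming_payload_size > 0 && pv->message_data->len + payload_len > pv->max_incoming_payload_size) {`, and note in the packaging changelog that connections with limit 0 then remain without a total-size bound. The types of `payload_len` and `message_data->len` are declared outside the hunk; if the sum can wrap on 32-bit builds, testing `payload_len > limit - len` after confirming `len <= limit` avoids that. The comment `/* Safety valve */` would read better as `/* Cap the reassembled message, not only each frame, at max_incoming_payload_size */`; process_contents begins and ends outside the hunk.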
@@ -1,4 +1,4 @@ -%define anolis_release 12 +%define anolis_release 13 %define glib2_version 2.58 %{!?with_docs: %global with_docs 1} @@ -24,6 +24,7 @@ Patch9: 0009-bugfix-for-CVE-2025-32053.patch Patch10: 0010-bugfix-for-CVE-2025-32911-CVE-2025-32913.patch Patch11: 0011-bugfix-for-CVE-2025-32906.patch Patch12: 0012-bugfix-for-CVE-2025-32914.patch +Patch13: 0013-bugfix-for-CVE-2025-32049.patch BuildRequires: gettext BuildRequires: glib-networking @@ -133,6 +134,9 @@ This package contains developer documentation for %{name}. %endif %changelog +* Fri Jun 13 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 2.74.3-13 +- fix CVE-2025-32049 + * Wed Jun 11 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 2.74.3-12 - fix CVE-2025-32914 -- Gitee