diff --git a/0003-fix-cve-CVE-2025-2784.patch b/0003-fix-cve-CVE-2025-2784.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c369a40c0fe6b10b5337c0a8abad35aa3af566f1
--- /dev/null
+++ b/0003-fix-cve-CVE-2025-2784.patch
@@ -0,0 +1,48 @@
+From 1911bf99e7fe54898d4911d97948f807c44d4c60 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Mon, 14 Jul 2025 16:39:32 +0800
+Subject: [PATCH] fix cve CVE-2025-2784
+
+---
+ libsoup/soup-content-sniffer.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index 20e10d7..8d56e0b 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ }
+
+ static gboolean
+-skip_insignificant_space (const char *resource, int *pos, int resource_length)
++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
+ {
++ if (*pos >= resource_length)
++ return TRUE;
++
+ while ((resource[*pos] == '\x09') ||
+ (resource[*pos] == '\x20') ||
+ (resource[*pos] == '\x0A') ||
+@@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ {
+ const char *resource = (const char *)buffer->data;
+ int resource_length = MIN (512, buffer->length);
+- int pos = 0;
++ gsize pos = 0;
+
+ if (resource_length < 3)
+ goto text_html;
+@@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ pos = 3;
+
+ look_for_tag:
+- if (pos > resource_length)
+- goto text_html;
+-
+ if (skip_insignificant_space (resource, &pos, resource_length))
+ goto text_html;
+
+--
+2.39.3
+
diff --git a/0004-fix-cve-CVE-2025-4948-CVE-2025-32049.patch b/0004-fix-cve-CVE-2025-4948-CVE-2025-32049.patch
new file mode 100644
index 0000000000000000000000000000000000000000..41b31d3fad0d04e8edafb1d900538f811ae50ec9
--- /dev/null
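Review bot: In `sniff_feed_or_html` the hunk at -632 changes `pos` to `gsize` but keeps `int resource_length = MIN (512, buffer->length);`, so any remaining `pos`/`resource_length` comparison in that function now mixes signed and unsigned operands; declaring it as `gsize resource_length = MIN (512, buffer->length);` keeps it consistent with the new `skip_insignificant_space` signature. The new entry guard uses `>=`, whereas the removed `look_for_tag` check used `>`, and the body of the `while` loop in `skip_insignificant_space` continues outside the hunk. It is worth confirming that the bound check inside that loop is also `>=`, since otherwise `resource[*pos]` could still be read at index `resource_length` on a later iteration. No sniffer test accompanies the change.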
+++ b/0004-fix-cve-CVE-2025-4948-CVE-2025-32049.patch 
@@ -0,0 +1,101 @@
+From 6400f01f4ff680f317f2fe61e43602923b69dea6 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Mon, 14 Jul 2025 17:39:47 +0800
+Subject: [PATCH] fix cve CVE-2025-4948 CVE-2025-32049
+
+---
+ libsoup/soup-multipart.c | 2 +-
+ libsoup/soup-websocket-connection.c | 5 ++++
+ tests/multipart-test.c | 40 +++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index 242c632..92c14d8 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -222,7 +222,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ */
+ part_body = soup_buffer_new_subbuffer (flattened,
+ split - flattened->data,
+- end - 2 - split);
++ end - 2 >= split ? end - 2 - split : 0);
+ g_ptr_array_add (multipart->bodies, part_body);
+
+ start = end;
+diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
+index 35eee6a..8180cf6 100644
+--- a/libsoup/soup-websocket-connection.c
++++ b/libsoup/soup-websocket-connection.c
+@@ -763,6 +763,11 @@ process_contents (SoupWebsocketConnection *self,
+ switch (pv->message_opcode) {
+ case 0x01:
+ case 0x02:
++ /* Safety valve */
++ if (pv->message_data->len + payload_len > pv->max_incoming_payload_size) {
++ too_big_error_and_close (self, (pv->message_data->len + payload_len));
++ return;
++ }
+ g_byte_array_append (pv->message_data, payload, payload_len);
+ break;
+ default:
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 488865a..0b29555 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -476,6 +476,45 @@ test_multipart (gconstpointer data)
+ g_main_loop_unref (loop);
+ }
+
++static void
++test_multipart_too_large (void)
++{
++ const char *raw_body =
++ "-------------------\r\n"
++ "-\n"
++ "Cont\"\r\n"
++ "Content-Tynt----e:n\x8erQK\r\n"
++ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n"
++
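Review bot: The new size check in `process_contents` has no `pv->max_incoming_payload_size > 0` condition, so if this branch keeps libsoup's convention that a limit of 0 means "unlimited", a connection configured that way will now be closed on the first text or binary frame with a non-empty payload. Guarding it as `if (pv->max_incoming_payload_size > 0 && pv->message_data->len + payload_len > pv->max_incoming_payload_size) {` avoids that. `process_contents` starts and ends outside the hunk, so how the field is set is not visible here. Separately, `test_multipart_too_large` passes a `GBytes *` to `soup_multipart_new_from_message` and `soup_multipart_get_part`, while the library hunks in this series use `SoupBuffer` (`soup_buffer_new_subbuffer`, `flattened->data`); the test looks as if it was written for a newer API and should be checked against this version's prototypes.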
"Content-Typimag\x01/png--\\\n" ++ "\r\n" ++ "---:\n\r\n" ++ "\r\n" ++ "-------------------------------------\r\n" ++ "---------\r\n" ++ "----------------------"; ++ GBytes *body; ++ GHashTable *params; ++ SoupMessageHeaders *headers; ++ SoupMultipart *multipart; ++ ++ params = g_hash_table_new (g_str_hash, g_str_equal); ++ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------"); ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_set_content_type (headers, "multipart/form-data", params); ++ g_hash_table_unref (params); ++ ++ body = g_bytes_new_static (raw_body, strlen (raw_body)); ++ multipart = soup_multipart_new_from_message (headers, body); ++ soup_message_headers_free (headers); ++ g_bytes_unref (body); ++ ++ g_assert_nonnull (multipart); ++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1); ++ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body)); ++ g_assert_cmpint (g_bytes_get_size (body), ==, 0); ++ soup_multipart_free (multipart); ++} ++ + int + main (int argc, char **argv) + { +@@ -505,6 +544,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart); + g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart); + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); ++ g_test_add_func ("/multipart/too-large", test_multipart_too_large); + + ret = g_test_run (); + +-- +2.39.3 + diff --git a/0005-fix-cve-CVE-2025-32906.patch b/0005-fix-cve-CVE-2025-32906.patch new file mode 100644 index 0000000000000000000000000000000000000000..ef80abefb9ccbbd5d772bb529b3e165894ebc030 --- /dev/null +++ b/0005-fix-cve-CVE-2025-32906.patch 
@@ -0,0 +1,92 @@
+From f53d4a4ca87107d6d8c9cc3665570940c3e7f593 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Mon, 14 Jul 2025 18:04:49 +0800
+Subject: [PATCH] fix cve CVE-2025-32906
+
+---
+ libsoup/soup-headers.c | 6 +++---
+ tests/header-parsing.c | 23 +++++++++++++++++++++++
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 622a821..a01e8c1 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -185,7 +185,7 @@ soup_headers_parse_request (const char *str,
+ /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
+ * received where a Request-Line is expected."
+ */
+- while ((*str == '\r' || *str == '\n') && len > 0) {
++ while (len > 0 && (*str == '\r' || *str == '\n')) {
+ str++;
+ len--;
+ }
+@@ -224,7 +224,7 @@ soup_headers_parse_request (const char *str,
+ !g_ascii_isdigit (version[5]))
+ return SOUP_STATUS_BAD_REQUEST;
+ major_version = strtoul (version + 5, &p, 10);
+- if (*p != '.' || !g_ascii_isdigit (p[1]))
++ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
+ return SOUP_STATUS_BAD_REQUEST;
+ minor_version = strtoul (p + 1, &p, 10);
+ version_end = p;
+@@ -369,7 +369,7 @@ soup_headers_parse_response (const char *str,
+ * after a response, which we then see prepended to the next
+ * response on that connection.
+ */
+- while ((*str == '\r' || *str == '\n') && len > 0) {
++ while (len > 0 && (*str == '\r' || *str == '\n')) {
+ str++;
+ len--;
+ }
+diff --git a/tests/header-parsing.c b/tests/header-parsing.c
+index 9cf06ce..1a5e10a 100644
+--- a/tests/header-parsing.c
++++ b/tests/header-parsing.c
+@@ -6,6 +6,14 @@ typedef struct {
+ const char *name, *value;
+ } Header;
+
++static char unterminated_http_version[] = {
++ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
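Review bot: The added `p + 1 >= str + len` test in the hunk at -224 runs only after `strtoul (version + 5, &p, 10)` has already scanned the digits, and `strtoul (p + 1, &p, 10)` two lines later scans again with no length bound, so on a buffer that is not NUL-terminated and ends in digits either call may read past `str + len`. The test data added by this patch deliberately uses an unterminated array, which suggests such input is in scope. Either document the assumption above the parse, e.g. `/* strtoul() is unbounded: callers must guarantee a non-digit byte at or before str[len] */`, or replace both calls with a digit loop bounded by `str + len`. `soup_headers_parse_request` extends beyond the hunk, so an earlier length check on `version` may already narrow this.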
++};
++
++static char only_newlines[] = {
++ '\n', '\n', '\n', '\n'
++};
++
+ static struct RequestTest {
+ const char *description;
+ const char *bugref;
+@@ -401,6 +409,14 @@ static struct RequestTest {
+ { { NULL } }
+ },
+
++ /* This couldn't be a C string as going one byte over would have been safe. */
++ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
++ unterminated_http_version, sizeof (unterminated_http_version),
++ SOUP_STATUS_BAD_REQUEST,
++ NULL, NULL, -1,
++ { { NULL } }
++ },
++
+ { "Non-HTTP request", NULL,
+ "GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
+ SOUP_STATUS_BAD_REQUEST,
+@@ -448,6 +464,13 @@ static struct RequestTest {
+ SOUP_STATUS_EXPECTATION_FAILED,
+ NULL, NULL, -1,
+ { { NULL } }
++ },
++
++ { "Only newlines", NULL,
++ only_newlines, sizeof (only_newlines),
++ SOUP_STATUS_BAD_REQUEST,
++ NULL, NULL, -1,
++ { { NULL } }
+ }
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+--
+2.39.3
+
diff --git a/0006-fix-cve-CVE-2025-32911-CVE-2025-32913-CVE-2025-32914.patch b/0006-fix-cve-CVE-2025-32911-CVE-2025-32913-CVE-2025-32914.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e9874dcdf432f9e4039524b594fe0ac3caabdfbb
--- /dev/null
+++ b/0006-fix-cve-CVE-2025-32911-CVE-2025-32913-CVE-2025-32914.patch
@@ -0,0 +1,63 @@
+From d3137ecbf6cc749e326dbedc4ba69f7423615ca8 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Mon, 14 Jul 2025 18:26:46 +0800
+Subject: [PATCH] fix cve CVE-2025-32911 CVE-2025-32913 CVE-2025-32914
+
+---
+ libsoup/soup-message-headers.c | 13 +++++++++----
+ libsoup/soup-multipart.c | 2 +-
+ tests/header-parsing.c | 1 -
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
+index abef34c..b571bdf 100644
+--- a/libsoup/soup-message-headers.c
++++ b/libsoup/soup-message-headers.c
+@@ -1434,10 +1434,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
+ */
+ if (params && g_hash_table_lookup_extended (*params, "filename",
+ &orig_key, &orig_value)) {
+- char *filename = strrchr (orig_value, '/');
+-
+- if (filename)
+- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
++ if (orig_value) {
++ char *filename = strrchr (orig_value, '/');
++
++ if (filename)
++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
++ } else {
++ /* filename with no value isn't valid.
*/
++ g_hash_table_remove (*params, "filename");
++ }
+ }
+ return TRUE;
+ }
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index 92c14d8..c681746 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -189,7 +189,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ return NULL;
+ }
+
+- split = strstr (start, "\r\n\r\n");
++ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
+ if (!split || split > end) {
+ soup_multipart_free (multipart);
+ soup_buffer_free (flattened);
+diff --git a/tests/header-parsing.c b/tests/header-parsing.c
+index 1a5e10a..09fb745 100644
+--- a/tests/header-parsing.c
++++ b/tests/header-parsing.c
+@@ -980,7 +980,6 @@ do_qvalue_tests (void)
+ #define RFC5987_TEST_HEADER_UTF8 "attachment; filename*=UTF-8''t%C3%A9st.txt; filename=\"test.txt\""
+ #define RFC5987_TEST_HEADER_ISO "attachment; filename=\"test.txt\"; filename*=iso-8859-1''t%E9st.txt"
+ #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
+-
+ static void
+ do_content_disposition_tests (void)
+ {
+--
+2.39.3
+
diff --git a/libsoup.spec b/libsoup.spec
index dba0d5601e77dec78b3f2fe426eee863bc0d54ff..0668d211ccc88ed9456aa7340b255d34750389fd 100644
--- a/libsoup.spec
+++ b/libsoup.spec
@@ -2,7 +2,7 @@ Name: libsoup Version: 2.62.2 -Release: 4%{?dist} +Release: 6%{?dist} Summary: Soup, an HTTP library implementation License: LGPLv2
@@ -18,6 +18,11 @@ Patch03: 0001-cookie-jar-bail-if-hostname-is-an-empty-string.patch Patch04: 0001-cve-CVE-2024-52530.patch Patch05: 0002-fix-cve-CVE-2024-52531.patch #end +Patch06: 0003-fix-cve-CVE-2025-2784.patch +Patch07: 0004-fix-cve-CVE-2025-4948-CVE-2025-32049.patch +Patch08: 0005-fix-cve-CVE-2025-32906.patch +Patch09: 0006-fix-cve-CVE-2025-32911-CVE-2025-32913-CVE-2025-32914.patch + BuildRequires: chrpath BuildRequires: glib2-devel >= %{glib2_version} BuildRequires: glib-networking
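Review bot: `body_end` is used in the new `g_strstr_len (start, body_end - start, "\r\n\r\n")` call but is not declared anywhere in the hunk, and the diffstat shows this is the only line of soup-multipart.c the patch touches, so the build depends on that variable already existing in this version's `soup_multipart_new_from_message`. If it does not, derive the bound from the buffer the neighbouring code already uses, e.g. `split = g_strstr_len (start, flattened->data + flattened->length - start, "\r\n\r\n");`. The function body lies mostly outside the hunk, so this needs checking against the 2.62.2 source. The tests/header-parsing.c hunk only deletes a blank line, so neither the NULL `filename` branch nor the `g_strdup (filename + 1)` change in `soup_message_headers_get_content_disposition` gains a regression test.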
@@ -57,6 +62,7 @@ you to develop applications that use the libsoup library. %patch03 -p1 -b .cve-2018-12910 %patch04 -p1 -b .cve-CVE-2024-52530 %patch05 -p1 -b .fix-cve-CVE-2024-52531 +%patch06 -p1 -b .fix-cve-CVE-2025-2784 %build %configure --disable-static
@@ -98,6 +104,11 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so %{_datadir}/vala/vapi/libsoup-2.4.vapi %changelog +* Mon Jul 14 2025 zhuhongbo - 2.62.2-6 +- fix: fix cve CVE-2025-2784 CVE-2025-4948 CVE-2025-32049 +- fix: fix cve CVE-2025-32906 CVE-2025-32911 CVE-2025-32913 +- fix: fix cve CVE-2025-32914 + * Fri Feb 21 2025 zhuhongbo - 2.62.2-4 - cve: fix CVE-2024-52531
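Review bot: Only `%patch06` is added to `%prep` in the hunk at -57; `Patch07`, `Patch08` and `Patch09` are declared in the hunk at -18 but no matching `%patch07` to `%patch09` lines appear. Unless the spec applies patches some other way outside the visible hunks, the package is built without the fixes for CVE-2025-4948, CVE-2025-32049, CVE-2025-32906, CVE-2025-32911, CVE-2025-32913 and CVE-2025-32914 that the new changelog entry claims. Add the missing lines after `%patch06`: `%patch07 -p1 -b .fix-cve-CVE-2025-4948-CVE-2025-32049`, `%patch08 -p1 -b .fix-cve-CVE-2025-32906` and `%patch09 -p1 -b .fix-cve-CVE-2025-32911-CVE-2025-32913-CVE-2025-32914`. That will also be the first time these three patches are compiled against this tree, so rebuild and run the test suite before release.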