From 4d595a867fd64dbe54968720275dafe47c43ce3e Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Thu, 14 Nov 2024 10:00:21 +0800 Subject: [PATCH 1/2] [CVE]update to libsoup-2.62.3-6.src.rpm to #bug11872 to #bug11867 update to libsoup-2.62.3-6.src.rpm for CVE Project: TC2024080204 Signed-off-by: Zhao Hang --- ...aders-Strictly-don-t-allow-NUL-bytes.patch | 129 ++++++++++++++++++ ...ss-the-frame-as-soon-as-we-read-data.patch | 15 ++ dist | 2 +- libsoup.spec | 27 ++-- 4 files changed, 154 insertions(+), 19 deletions(-) create mode 100644 0001-headers-Strictly-don-t-allow-NUL-bytes.patch create mode 100644 0001-websocket-process-the-frame-as-soon-as-we-read-data.patch diff --git a/0001-headers-Strictly-don-t-allow-NUL-bytes.patch b/0001-headers-Strictly-don-t-allow-NUL-bytes.patch new file mode 100644 index 0000000..8e24c6a --- /dev/null +++ b/0001-headers-Strictly-don-t-allow-NUL-bytes.patch 
@@ -0,0 +1,129 @@ +diff -up libsoup-2.62.2/libsoup/soup-headers.c.cve-2024-52530 libsoup-2.62.2/libsoup/soup-headers.c +--- libsoup-2.62.2/libsoup/soup-headers.c.cve-2024-52530 2018-03-23 14:44:54.000000000 +0100 ++++ libsoup-2.62.2/libsoup/soup-headers.c 2024-11-12 10:23:16.693272087 +0100 +@@ -50,13 +50,14 @@ soup_headers_parse (const char *str, int + * ignorable trailing whitespace. + */ + ++ /* No '\0's are allowed */ ++ if (memchr (str, '\0', len)) ++ return FALSE; ++ + /* Skip over the Request-Line / Status-Line */ + headers_start = memchr (str, '\n', len); + if (!headers_start) + return FALSE; +- /* No '\0's in the Request-Line / Status-Line */ +- if (memchr (str, '\0', headers_start - str)) +- return FALSE; + + /* We work on a copy of the headers, which we can write '\0's + * into, so that we don't have to individually g_strndup and +@@ -68,14 +69,6 @@ soup_headers_parse (const char *str, int + headers_copy[copy_len] = '\0'; + value_end = headers_copy; + +- /* There shouldn't be any '\0's in the headers already, but +- * this is the web we're talking about. 
+- */ +- while ((p = memchr (headers_copy, '\0', copy_len))) { +- memmove (p, p + 1, copy_len - (p - headers_copy)); +- copy_len--; +- } +- + while (*(value_end + 1)) { + name = value_end + 1; + name_end = strchr (name, ':'); +diff -up libsoup-2.62.2/tests/header-parsing.c.cve-2024-52530 libsoup-2.62.2/tests/header-parsing.c +--- libsoup-2.62.2/tests/header-parsing.c.cve-2024-52530 2024-11-12 10:25:26.452447520 +0100 ++++ libsoup-2.62.2/tests/header-parsing.c 2024-11-12 10:28:05.738158891 +0100 +@@ -358,24 +358,6 @@ static struct RequestTest { + } + }, + +- { "NUL in header name", "760832", +- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "example.com" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "examplecom" }, +- { NULL } +- } +- }, +- + /************************/ + /*** INVALID REQUESTS ***/ + /************************/ +@@ -448,6 +430,21 @@ static struct RequestTest { + SOUP_STATUS_EXPECTATION_FAILED, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", NULL, ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +@@ -620,22 +617,6 @@ static struct ResponseTest { + { NULL } } + }, + +- { "NUL in header name", "760832", +- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- 
{ NULL } +- } +- }, +- + /********************************/ + /*** VALID CONTINUE RESPONSES ***/ + /********************************/ +@@ -768,6 +749,19 @@ static struct ResponseTest { + { { NULL } + } + }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", "760832", ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, + }; + static const int num_resptests = G_N_ELEMENTS (resptests); + diff --git a/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch b/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch new file mode 100644 index 0000000..cc2d173 --- /dev/null +++ b/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch @@ -0,0 +1,15 @@ +diff -up libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 libsoup-2.62.3/libsoup/soup-websocket-connection.c +--- libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 2024-11-12 12:00:27.183570627 +0100 ++++ libsoup-2.62.3/libsoup/soup-websocket-connection.c 2024-11-12 12:01:02.334987409 +0100 +@@ -1041,9 +1041,9 @@ soup_websocket_connection_read (SoupWebs + } + + pv->incoming->len = len + count; +- } while (count > 0); ++ process_incoming (self); ++ } while (count > 0 && !pv->close_sent && !pv->io_closing); + +- process_incoming (self); + + if (end) { + if (!pv->close_sent || !pv->close_received) { diff --git a/dist b/dist index 9c0e36e..1fe92cf 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8 +an8_10 diff --git a/libsoup.spec b/libsoup.spec index a0f980a..540880d 100644 --- a/libsoup.spec +++ b/libsoup.spec @@ -1,9 +1,8 @@ -%define anolis_release .0.1 %define glib2_version 2.38.0 Name: libsoup Version: 2.62.3 -Release: 5%{anolis_release}%{?dist} +Release: 6%{?dist} Summary: Soup, an HTTP library implementation License: LGPLv2 
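Review bot: The new `reqtests` entry "NUL in header value" (tests/header-parsing.c, inner hunk `-448,6 +430,21`) feeds the request parser a response, `"HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28`. It would presumably be rejected for its first line whether or not the new `memchr (str, '\0', len)` check in `soup_headers_parse` works, so it does not pin the fix for request header values. The positive test this commit removes already had a suitable input, `"GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,`, which can be reused with `SOUP_STATUS_BAD_REQUEST`. In the `resptests` additions the "NUL in header value" entry still carries the old bug id `"760832"` while its sibling under the issue-377 comment uses `NULL`, so the two should be made consistent. Both test arrays start and end outside these hunks.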
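Review bot: The websocket backport adds no regression test, unlike the header patch in the same commit, and the new loop condition `while (count > 0 && !pv->close_sent && !pv->io_closing)` has no comment saying why the two flags are rechecked. Because `process_incoming (self)` now runs on every iteration, it can presumably change `close_sent` or `io_closing` mid-loop, which is what the extra conditions guard. A one-line comment above the call would record that, for example `/* process each chunk as it arrives; stop reading once a close was sent or IO is closing */`. The patch also leaves two consecutive blank lines where the old `process_incoming (self);` call was removed. `soup_websocket_connection_read` starts and ends outside the hunk.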
@@ -15,6 +14,8 @@ Patch0002: 0002-WebSockets-allow-null-characters-in-text-messages-da.patch Patch0003: 0003-WebSockets-only-poll-IO-stream-when-needed.patch Patch0004: 0004-ntlmv2.patch Patch0005: 0005-WebSockets-do-not-start-the-input-source-when-IO-is-closing.patch +Patch0006: 0001-headers-Strictly-don-t-allow-NUL-bytes.patch +Patch0007: 0001-websocket-process-the-frame-as-soon-as-we-read-data.patch BuildRequires: chrpath BuildRequires: glib2-devel >= %{glib2_version} @@ -30,9 +31,6 @@ BuildRequires: vala Requires: glib2%{?_isa} >= %{glib2_version} Requires: glib-networking%{?_isa} >= %{glib2_version} -Requires: glibc -Requires: libxml2 - %description Libsoup is an HTTP library implementation in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but @@ -52,14 +50,6 @@ Requires: %{name}%{?_isa} = %{version}-%{release} Libsoup is an HTTP library implementation in C. This package allows you to develop applications that use the libsoup library. -%package doc -Summary: Documents for %{name} -BuildArch: noarch -Requires: %{name} = %{version}-%{release} - -%description doc -Doc pages for %{name}. - %prep %autosetup -p1 @@ -83,6 +73,7 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so %files -f libsoup.lang %license COPYING +%doc README NEWS AUTHORS %{_libdir}/lib*.so.* %{_libdir}/girepository-1.0/Soup*2.4.typelib 
@@ -98,12 +89,12 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so %{_datadir}/vala/vapi/libsoup-2.4.deps %{_datadir}/vala/vapi/libsoup-2.4.vapi -%files doc -%doc README NEWS AUTHORS - %changelog -* Wed Jun 26 2024 Weisson - 2.62.3-5.0.1 -- Add doc sub package +* Tue Nov 12 2024 Tomas Popela - 2.62.3-6 +- Backport upstream patch for CVE-2024-52530 - HTTP request smuggling via stripping null bytes from the ends of header names +- Backport upstream patch for CVE-2024-52530 - infinite loop while reading websocket data +- Resolves: RHEL-67076 +- Resolves: RHEL-67067 * Tue Sep 05 2023 Milan Crha - 2.62.3-5 - Resolves: RHEL-2240 (Correct BuildRequires for python3) -- Gitee From 198dc834d7cbe2c78934566edba21e59c4046829 Mon Sep 17 00:00:00 2001 From: Weisson Date: Mon, 18 Jul 2022 10:59:52 +0800 Subject: [PATCH 2/2] spec: add doc sub package Signed-off-by: Weisson --- libsoup.spec | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/libsoup.spec b/libsoup.spec index 540880d..b2558eb 100644 --- a/libsoup.spec +++ b/libsoup.spec @@ -1,8 +1,9 @@ +%define anolis_release .0.1 %define glib2_version 2.38.0 Name: libsoup Version: 2.62.3 -Release: 6%{?dist} +Release: 6%{anolis_release}%{?dist} Summary: Soup, an HTTP library implementation License: LGPLv2 @@ -31,6 +32,9 @@ BuildRequires: vala Requires: glib2%{?_isa} >= %{glib2_version} Requires: glib-networking%{?_isa} >= %{glib2_version} +Requires: glibc +Requires: libxml2 + %description Libsoup is an HTTP library implementation in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but @@ -50,6 +54,14 @@ Requires: %{name}%{?_isa} = %{version}-%{release} Libsoup is an HTTP library implementation in C. This package allows you to develop applications that use the libsoup library. +%package doc +Summary: Documents for %{name} +BuildArch: noarch +Requires: %{name} = %{version}-%{release} + +%description doc +Doc pages for %{name}. + %prep %autosetup -p1 
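Review bot: The second new `%changelog` bullet labels the websocket fix CVE-2024-52530, the same id as the header fix, while the patch it describes is generated with the suffix `.cve-2024-52532`. Going by that suffix, the line should read `- Backport upstream patch for CVE-2024-52532 - infinite loop while reading websocket data`. The changelog is what `rpm -q --changelog` shows to anyone checking whether a CVE fix is present, so the wrong id can make the websocket fix look unapplied and the header fix look applied twice. The same text appears as context in the `%changelog` hunk of [PATCH 2/2], so correcting it here covers both.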
@@ -73,7 +85,6 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so %files -f libsoup.lang %license COPYING -%doc README NEWS AUTHORS %{_libdir}/lib*.so.* %{_libdir}/girepository-1.0/Soup*2.4.typelib @@ -89,7 +100,13 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so %{_datadir}/vala/vapi/libsoup-2.4.deps %{_datadir}/vala/vapi/libsoup-2.4.vapi +%files doc +%doc README NEWS AUTHORS + %changelog +* Thu Nov 14 2024 Weisson - 2.62.3-6.0.1 +- Add doc sub package + * Tue Nov 12 2024 Tomas Popela - 2.62.3-6 - Backport upstream patch for CVE-2024-52530 - HTTP request smuggling via stripping null bytes from the ends of header names - Backport upstream patch for CVE-2024-52530 - infinite loop while reading websocket data -- Gitee