From de927dca4e7b54bea23e1ceeeacee7cb1daac41c Mon Sep 17 00:00:00 2001
From: fandeyuan
Date: Wed, 13 Nov 2024 10:58:36 +0800
Subject: [PATCH] fix CVE-2024-52532
---
 ...ss-the-frame-as-soon-as-we-read-data.patch | 56 +++++++++++++++++++
 libsoup3.spec | 7 ++-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 0001-websocket-process-the-frame-as-soon-as-we-read-data.patch
diff --git a/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch b/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch
new file mode 100644
index 0000000..2ecc8be
--- /dev/null
+++ b/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch
@@ -0,0 +1,56 @@
+From 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro
+Date: Wed, 11 Sep 2024 11:52:11 +0200
+Subject: [PATCH] websocket: process the frame as soon as we read data
+
+Otherwise we can enter in a read loop because we were not
+validating the data until the all the data was read.
+
+Fixes #391
+---
+ libsoup/websocket/soup-websocket-connection.c | 4 ++--
+ tests/websocket-test.c | 4 +++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
+index 2f7d920..df8f67d 100644
+--- a/libsoup/websocket/soup-websocket-connection.c
++++ b/libsoup/websocket/soup-websocket-connection.c
+@@ -1165,9 +1165,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
+ }
+
+ priv->incoming->len = len + count;
+- } while (count > 0);
+
+- process_incoming (self);
++ process_incoming (self);
++ } while (count > 0 && !priv->close_sent && !priv->io_closing);
+
+ if (end) {
+ if (!priv->close_sent || !priv->close_received) {
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index b954b01..5cb3ca2 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -1489,8 +1489,9 @@ test_receive_invalid_encode_length_64 (Test *test,
+ GError *error = NULL;
+ InvalidEncodeLengthTest context = { test, NULL };
+ guint i;
++ guint error_id;
+
+- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
+
+ /* We use 127(\x7f) as payload length with 65535 extended length */
+@@ -1503,6 +1504,7 @@ test_receive_invalid_encode_length_64 (Test *test,
+ WAIT_UNTIL (error != NULL || received != NULL);
+ g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
+ g_clear_error (&error);
++ g_signal_handler_disconnect (test->client, error_id);
+ g_assert_null (received);
+
+ g_thread_join (thread);
+--
+2.43.0
+
diff --git a/libsoup3.spec b/libsoup3.spec
index 462cc9d..fabc180 100644
--- a/libsoup3.spec
+++ b/libsoup3.spec
@@ -4,12 +4,14 @@
 Name: libsoup3
 Version: 3.4.4
-Release: 2
+Release: 3
 Summary: Soup, an HTTP library implementation
 License: LGPL-2.0-or-later
 URL: https://wiki.gnome.org/Projects/libsoup
 Source0: https://download.gnome.org/sources/libsoup/3.4/libsoup-%{version}.tar.xz
+Patch0001: 0001-websocket-process-the-frame-as-soon-as-we-read-data.patch
+
 BuildRequires: gcc gettext vala krb5-devel samba-winbind-clients
 BuildRequires: meson >= 0.54
 BuildRequires: pkgconfig(gio-2.0) >= %{glib2_version}
@@ -84,6 +86,9 @@ install -m 644 -D tests/libsoup.supp %{buildroot}%{_datadir}/libsoup-3.0/libsoup
 %{_datadir}/doc
 %changelog
+* Wed Nov 13 2024 Deyuan Fan - 3.4.4-3
+- fix CVE-2024-52532
+
 * Fri Oct 25 2024 Funda Wang - 3.4.4-2
 - make sysprof build conditioned
--
Gitee
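Review bot: The new loop condition `while (count > 0 && !priv->close_sent && !priv->io_closing)` in soup_websocket_connection_read() carries the whole fix but has no comment, so a later refactor could move `process_incoming (self);` back out of the loop without noticing that per-chunk validation is what bounds it; a line such as `/* Validate each chunk as it arrives and stop reading once a close was sent or I/O is closing, so invalid input cannot keep this loop running. */` above the call would record that. In the test hunk, `guint error_id;` stores the result of g_signal_connect(), which returns `gulong`, and g_signal_handler_disconnect() takes a `gulong` too, so `gulong error_id;` is the matching type. Both functions begin and end outside the quoted hunks, and because this file is a backport of upstream commit 6adc0e3e, either change is better proposed upstream than edited into the packaged patch.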