Patch libsoup for CVE-2025-4948

Author: azurelinux-security

SPECS/libsoup/CVE-2025-4948.patch

@@ -0,0 +1,27 @@
+From cec5cbbc2619712b4e81e9e5dee095b3b0307d59 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Fri, 18 Jul 2025 19:09:46 +0000
+Subject: [PATCH] Fix CVE CVE-2025-4948 in libsoup
+
+Upstream Patch Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463.patch
+---
+ libsoup/soup-multipart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index 102ce37..a587fe7 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ 		 */
+ 		part_body = g_bytes_new_from_bytes (body, // FIXME
+ 						    split - body_data,
+-						    end - 2 - split);
++						    end - 2 >= split ? end - 2 - split : 0);
+ 		g_ptr_array_add (multipart->bodies, part_body);
+ 
+ 		start = end;
+-- 
+2.45.4
+

SPECS/libsoup/libsoup.spec

@@ -4,7 +4,7 @@
 Summary:        libsoup HTTP client/server library
 Name:           libsoup
 Version:        3.4.4
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -65,6 +65,7 @@ Patch15:         CVE-2025-46421.patch
 Patch16:         CVE-2025-32053.patch
 Patch17:         CVE-2025-4476.patch
 Patch18:         CVE-2025-32907.patch
+Patch19:        CVE-2025-4948.patch
 
 %description
 libsoup is HTTP client/server library for GNOME
@@ -132,6 +133,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %defattr(-,root,root)
 
 %changelog
+* Fri Jul 18 2025 Azure Linux Security Servicing Account <[email protected]> - 3.4.4-8
+- Patch for CVE-2025-4948
+
 * Fri Jun 13 2025 Kevin Lockwood <[email protected]> - 3.4.4-7
 - Add patch for CVE-2025-4476
 - Add patch for CVE-2025-32907