diff --git a/SPECS/libsoup/CVE-2025-4948.patch b/SPECS/libsoup/CVE-2025-4948.patch
new file mode 100644
index 00000000000..92fda1be357
--- /dev/null
+++ b/SPECS/libsoup/CVE-2025-4948.patch
@@ -0,0 +1,27 @@
+From cec5cbbc2619712b4e81e9e5dee095b3b0307d59 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+
+Date: Fri, 18 Jul 2025 19:09:46 +0000
+Subject: [PATCH] Fix CVE CVE-2025-4948 in libsoup
+
+Upstream Patch Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463.patch
+---
+ libsoup/soup-multipart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index 102ce37..a587fe7 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ */
+ part_body = g_bytes_new_from_bytes (body, // FIXME
+ split - body_data,
+- end - 2 - split);
++ end - 2 >= split ? end - 2 - split : 0);
+ g_ptr_array_add (multipart->bodies, part_body);
+
+ start = end;
+--
+2.45.4
+
diff --git a/SPECS/libsoup/libsoup.spec b/SPECS/libsoup/libsoup.spec
index c92992274dd..add1f067f50 100644
--- a/SPECS/libsoup/libsoup.spec
+++ b/SPECS/libsoup/libsoup.spec
@@ -4,7 +4,7 @@
 Summary: libsoup HTTP client/server library
 Name: libsoup
 Version: 3.4.4
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -65,6 +65,7 @@ Patch15: CVE-2025-46421.patch
 Patch16: CVE-2025-32053.patch
 Patch17: CVE-2025-4476.patch
 Patch18: CVE-2025-32907.patch
+Patch19: CVE-2025-4948.patch
 
 %description
 libsoup is HTTP client/server library for GNOME
@@ -132,6 +133,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %defattr(-,root,root)
 
 %changelog
+* Fri Jul 18 2025 Azure Linux Security Servicing Account - 3.4.4-8
+- Patch for CVE-2025-4948
+
 * Fri Jun 13 2025 Kevin Lockwood - 3.4.4-7
 - Add patch for CVE-2025-4476
 - Add patch for CVE-2025-32907
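Review bot: In the soup-multipart.c hunk carried by CVE-2025-4948.patch, the new length expression `end - 2 >= split ? end - 2 - split : 0` clamps silently and has no comment saying why a part can end before its body starts. I would add `/* end - 2 can fall before split on a malformed part; the length is unsigned, so clamp to 0 rather than let the subtraction wrap. */` above the call. With the clamp, such a part is stored as an empty body and parsing continues; whether the message should instead be rejected depends on the error paths of soup_multipart_new_from_message, whose body starts and ends outside the hunk. The embedded patch changes only soup-multipart.c, so no regression test for the malformed-boundary case ships with it; if the referenced upstream merge request includes one, it would be worth carrying along.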