diff --git a/SPECS/libsoup/CVE-2025-4948.patch b/SPECS/libsoup/CVE-2025-4948.patch
new file mode 100644
index 00000000000..1cd31278019
--- /dev/null
+++ b/SPECS/libsoup/CVE-2025-4948.patch
@@ -0,0 +1,91 @@ +From 14e00acc5167fc26a2bf71e2df6a754d340152cd Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Thu, 15 May 2025 17:49:11 +0200 +Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body + +It could happen that the boundary started at a place which resulted into +a negative number, which in an unsigned integer is a very large value. +Check the body size is not a negative value before setting it. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 + +Part-of: +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index 102ce37..a587fe7 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + */ + part_body = g_bytes_new_from_bytes (body, // FIXME + split - body_data, +- end - 2 - split); ++ end - 2 >= split ? 
end - 2 - split : 0); + g_ptr_array_add (multipart->bodies, part_body); + + start = end; +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index ab5f41c..a3a0b36 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -527,6 +527,45 @@ test_multipart_bounds_bad (void) + g_bytes_unref (bytes); + } + ++static void ++test_multipart_too_large (void) ++{ ++ const char *raw_body = ++ "-------------------\r\n" ++ "-\n" ++ "Cont\"\r\n" ++ "Content-Tynt----e:n\x8erQK\r\n" ++ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n" ++ "Content-Typimag\x01/png--\\\n" ++ "\r\n" ++ "---:\n\r\n" ++ "\r\n" ++ "-------------------------------------\r\n" ++ "---------\r\n" ++ "----------------------"; ++ GBytes *body; ++ GHashTable *params; ++ SoupMessageHeaders *headers; ++ SoupMultipart *multipart; ++ ++ params = g_hash_table_new (g_str_hash, g_str_equal); ++ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------"); ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_set_content_type (headers, "multipart/form-data", params); ++ g_hash_table_unref (params); ++ ++ body = g_bytes_new_static (raw_body, strlen (raw_body)); ++ multipart = soup_multipart_new_from_message (headers, body); ++ soup_message_headers_unref (headers); ++ g_bytes_unref (body); ++ ++ g_assert_nonnull (multipart); ++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1); ++ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body)); ++ g_assert_cmpint (g_bytes_get_size (body), ==, 0); ++ soup_multipart_free (multipart); ++} ++ + int + main (int argc, char **argv) + { +@@ -556,6 +595,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); + g_test_add_func ("/multipart/bounds-bad", 
test_multipart_bounds_bad); ++ g_test_add_func ("/multipart/too-large", test_multipart_too_large); + + ret = g_test_run (); + +-- +2.45.4 + diff --git a/SPECS/libsoup/libsoup.spec b/SPECS/libsoup/libsoup.spec index c92992274dd..06602a86ec8 100644 --- a/SPECS/libsoup/libsoup.spec +++ b/SPECS/libsoup/libsoup.spec @@ -4,7 +4,7 @@ Summary: libsoup HTTP client/server library Name: libsoup Version: 3.4.4 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -65,6 +65,7 @@ Patch15: CVE-2025-46421.patch Patch16: CVE-2025-32053.patch Patch17: CVE-2025-4476.patch Patch18: CVE-2025-32907.patch +Patch19: CVE-2025-4948.patch %description libsoup is HTTP client/server library for GNOME @@ -132,6 +133,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %defattr(-,root,root) %changelog +* Tue Jul 29 2025 Azure Linux Security Servicing Account - 3.4.4-8 +- Patch for CVE-2025-4948 + * Fri Jun 13 2025 Kevin Lockwood - 3.4.4-7 - Add patch for CVE-2025-4476 - Add patch for CVE-2025-32907 diff --git a/libsoup/BUILD/.note.package.bin b/libsoup/BUILD/.note.package.bin new file mode 100644 index 00000000000..d164c2cae80 Binary files /dev/null and b/libsoup/BUILD/.note.package.bin differ diff --git a/libsoup/BUILD/auto_module_info.h b/libsoup/BUILD/auto_module_info.h new file mode 100644 index 00000000000..dd19541a58e --- /dev/null +++ b/libsoup/BUILD/auto_module_info.h @@ -0,0 +1,10 @@ +#ifndef _AUTO_MODULE_INFO_H_ +#define _AUTO_MODULE_INFO_H_ + +#define MODULE_VERSION "3.4.4.0" +#define PACKAGE_VERSION "3.4.4-7.azl3" +#define PACKAGE_NAME "libsoup" +#define TARGET_OS "mariner" +#define TARGET_OS_VERSION "%{distro_release_version}" + +#endif //_AUTO_MODULE_INFO_H_ \ No newline at end of file diff --git a/libsoup/BUILD/libsoup-3.4.4 b/libsoup/BUILD/libsoup-3.4.4 new file mode 160000 index 00000000000..b6fcdd01b41 --- /dev/null +++ b/libsoup/BUILD/libsoup-3.4.4 
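Review bot: The clamp added in soup-multipart.c, `end - 2 >= split ? end - 2 - split : 0`, forms the pointer `end - 2` before the comparison, so that expression is evaluated even in exactly the case it guards against (a boundary found less than two bytes after `split`); comparing the difference keeps the arithmetic between two pointers into the same body, `end - split >= 2 ? end - split - 2 : 0`. The clamp turns a short final part into an empty body instead of failing the parse, and the new `test_multipart_too_large` pins that (one part, `g_bytes_get_size (body) == 0`), so a one-line comment at the clamp stating that a truncated last part is deliberately accepted as empty would stop a later reader from "fixing" it into a rejection. The enclosing `soup_multipart_new_from_message` starts and ends outside the hunk, so the declared types of `end` and `split` are not visible here; they are assumed to be pointers into the body from the `split - body_data` argument on the preceding line.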
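Review bot: Alongside the intended change in SPECS/libsoup/libsoup.spec (`Patch19: CVE-2025-4948.patch`, Release 7 to 8, changelog entry), the commit checks in what looks like an rpmbuild working tree: `libsoup/BUILD/auto_module_info.h`, `libsoup/BUILD/module_info.ld`, the binary `libsoup/BUILD/.note.package.bin`, the patch copies under `libsoup/SOURCES/`, and two mode-160000 gitlinks (`libsoup/BUILD/libsoup-3.4.4`, `libsoup/CVE-2025-4948/libsoup-3.4.4`) with no `.gitmodules` change in the diff. Those generated files still record `PACKAGE_VERSION "3.4.4-7.azl3"`, i.e. they were produced for the previous release, so they are stale as well as unintended, and the gitlinks will break any checkout that tries to resolve them; only `SPECS/libsoup/CVE-2025-4948.patch` and the spec change belong in this commit. Whether Patch19 is actually applied (`%autosetup -p1` or an explicit `%patch` line) lies outside the shown hunks, so it is worth confirming from the build log that the new patch is picked up.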
@@ -0,0 +1 @@
+Subproject commit b6fcdd01b4110850324e9af4e2e2b660853d614e
diff --git a/libsoup/BUILD/module_info.ld b/libsoup/BUILD/module_info.ld
new file mode 100644
index 00000000000..940238a09c4
--- /dev/null
+++ b/libsoup/BUILD/module_info.ld
@@ -0,0 +1,74 @@ +/* + + This file is automatically generated by generate-package-note.py tool. + Do not modify this file, your changes will be lost! + +*/ + +/* +/usr/lib/rpm/azl/generate-package-note.py --os mariner --osVersion %{distro_release_version} --type rpm --name libsoup --version 3.4.4-7.azl3 --moduleVersion 3.4.4.0 --stamp LinkerOnly --outdir /mnt/vss/_work/1/s/autosec/azurelinux/libsoup/BUILD/ +*/ + +/* +{ + "moduleVersion": "3.4.4.0", + "name": "libsoup", + "os": "mariner", + "osVersion": "%{distro_release_version}", + "type": "rpm", + "version": "3.4.4-7.azl3" +} +*/ + +SECTIONS +{ + .note.package (READONLY) : ALIGN(4) + { + BYTE(0x04) BYTE(0x00) BYTE(0x00) BYTE(0x00) + BYTE(0x9c) BYTE(0x00) BYTE(0x00) BYTE(0x00) + BYTE(0x7e) BYTE(0x1a) BYTE(0xfe) BYTE(0xca) + BYTE(0x46) BYTE(0x44) BYTE(0x4f) BYTE(0x00) + BYTE(0x7b) BYTE(0x0a) BYTE(0x20) BYTE(0x22) + BYTE(0x6d) BYTE(0x6f) BYTE(0x64) BYTE(0x75) + BYTE(0x6c) BYTE(0x65) BYTE(0x56) BYTE(0x65) + BYTE(0x72) BYTE(0x73) BYTE(0x69) BYTE(0x6f) + BYTE(0x6e) BYTE(0x22) BYTE(0x3a) BYTE(0x20) + BYTE(0x22) BYTE(0x33) BYTE(0x2e) BYTE(0x34) + BYTE(0x2e) BYTE(0x34) BYTE(0x2e) BYTE(0x30) + BYTE(0x22) BYTE(0x2c) BYTE(0x0a) BYTE(0x20) + BYTE(0x22) BYTE(0x6e) BYTE(0x61) BYTE(0x6d) + BYTE(0x65) BYTE(0x22) BYTE(0x3a) BYTE(0x20) + BYTE(0x22) BYTE(0x6c) BYTE(0x69) BYTE(0x62) + BYTE(0x73) BYTE(0x6f) BYTE(0x75) BYTE(0x70) + BYTE(0x22) BYTE(0x2c) BYTE(0x0a) BYTE(0x20) + BYTE(0x22) BYTE(0x6f) BYTE(0x73) BYTE(0x22) + BYTE(0x3a) BYTE(0x20) BYTE(0x22) BYTE(0x6d) + BYTE(0x61) BYTE(0x72) BYTE(0x69) BYTE(0x6e) + BYTE(0x65) BYTE(0x72) BYTE(0x22) BYTE(0x2c) + BYTE(0x0a) BYTE(0x20) BYTE(0x22) BYTE(0x6f) + BYTE(0x73) BYTE(0x56) BYTE(0x65) BYTE(0x72) + BYTE(0x73) BYTE(0x69) BYTE(0x6f) BYTE(0x6e) + BYTE(0x22) BYTE(0x3a) BYTE(0x20) BYTE(0x22) + BYTE(0x25) BYTE(0x7b) BYTE(0x64) BYTE(0x69) + BYTE(0x73) BYTE(0x74) BYTE(0x72) BYTE(0x6f) + BYTE(0x5f) BYTE(0x72) BYTE(0x65) BYTE(0x6c) + BYTE(0x65) BYTE(0x61) BYTE(0x73) BYTE(0x65) + BYTE(0x5f) 
BYTE(0x76) BYTE(0x65) BYTE(0x72) + BYTE(0x73) BYTE(0x69) BYTE(0x6f) BYTE(0x6e) + BYTE(0x7d) BYTE(0x22) BYTE(0x2c) BYTE(0x0a) + BYTE(0x20) BYTE(0x22) BYTE(0x74) BYTE(0x79) + BYTE(0x70) BYTE(0x65) BYTE(0x22) BYTE(0x3a) + BYTE(0x20) BYTE(0x22) BYTE(0x72) BYTE(0x70) + BYTE(0x6d) BYTE(0x22) BYTE(0x2c) BYTE(0x0a) + BYTE(0x20) BYTE(0x22) BYTE(0x76) BYTE(0x65) + BYTE(0x72) BYTE(0x73) BYTE(0x69) BYTE(0x6f) + BYTE(0x6e) BYTE(0x22) BYTE(0x3a) BYTE(0x20) + BYTE(0x22) BYTE(0x33) BYTE(0x2e) BYTE(0x34) + BYTE(0x2e) BYTE(0x34) BYTE(0x2d) BYTE(0x37) + BYTE(0x2e) BYTE(0x61) BYTE(0x7a) BYTE(0x6c) + BYTE(0x33) BYTE(0x22) BYTE(0x0a) BYTE(0x7d) + + KEEP (*(.note.package)) + } +} +INSERT AFTER .note.gnu.build-id; \ No newline at end of file diff --git a/libsoup/CVE-2025-4948/libsoup-3.4.4 b/libsoup/CVE-2025-4948/libsoup-3.4.4 new file mode 160000 index 00000000000..14e00acc516 --- /dev/null +++ b/libsoup/CVE-2025-4948/libsoup-3.4.4 @@ -0,0 +1 @@ +Subproject commit 14e00acc5167fc26a2bf71e2df6a754d340152cd diff --git a/libsoup/SOURCES/CVE-2024-52530.patch b/libsoup/SOURCES/CVE-2024-52530.patch new file mode 100644 index 00000000000..2d174f2db8f --- /dev/null +++ b/libsoup/SOURCES/CVE-2024-52530.patch 
@@ -0,0 +1,145 @@ +From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 8 Jul 2024 12:33:15 -0500 +Subject: [PATCH] headers: Strictly don't allow NUL bytes + +In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem. +--- + libsoup/soup-headers.c | 15 +++------ + tests/header-parsing-test.c | 62 +++++++++++++++++-------------------- + 2 files changed, 32 insertions(+), 45 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index a0cf351ac..f30ee467a 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + * ignorable trailing whitespace. + */ + ++ /* No '\0's are allowed */ ++ if (memchr (str, '\0', len)) ++ return FALSE; ++ + /* Skip over the Request-Line / Status-Line */ + headers_start = memchr (str, '\n', len); + if (!headers_start) + return FALSE; +- /* No '\0's in the Request-Line / Status-Line */ +- if (memchr (str, '\0', headers_start - str)) +- return FALSE; + + /* We work on a copy of the headers, which we can write '\0's + * into, so that we don't have to individually g_strndup and +@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + headers_copy[copy_len] = '\0'; + value_end = headers_copy; + +- /* There shouldn't be any '\0's in the headers already, but +- * this is the web we're talking about. 
+- */ +- while ((p = memchr (headers_copy, '\0', copy_len))) { +- memmove (p, p + 1, copy_len - (p - headers_copy)); +- copy_len--; +- } +- + while (*(value_end + 1)) { + name = value_end + 1; + name_end = strchr (name, ':'); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index edf8eebb3..715c2c6f2 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -358,24 +358,6 @@ static struct RequestTest { + } + }, + +- { "NUL in header name", "760832", +- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "example.com" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "examplecom" }, +- { NULL } +- } +- }, +- + /************************/ + /*** INVALID REQUESTS ***/ + /************************/ +@@ -448,6 +430,21 @@ static struct RequestTest { + SOUP_STATUS_EXPECTATION_FAILED, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", NULL, ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +@@ -620,22 +617,6 @@ static struct ResponseTest { + { NULL } } + }, + +- { "NUL in header name", "760832", +- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- { NULL } +- } +- }, +- + /********************************/ + /*** VALID CONTINUE RESPONSES ***/ 
+ /********************************/ +@@ -768,6 +749,19 @@ static struct ResponseTest { + { { NULL } + } + }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", "760832", ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, + }; + static const int num_resptests = G_N_ELEMENTS (resptests); + +-- +GitLab + diff --git a/libsoup/SOURCES/CVE-2024-52531.patch b/libsoup/SOURCES/CVE-2024-52531.patch new file mode 100644 index 00000000000..2be11a41df6 --- /dev/null +++ b/libsoup/SOURCES/CVE-2024-52531.patch 
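Review bot: In the request-side cases added to `reqtests` in header-parsing-test.c, `"NUL in header value"` feeds `"HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n"` to the request parser; that is a status line, not a request line, so the expected `SOUP_STATUS_BAD_REQUEST` can come from the malformed first line alone and the case does not demonstrate the NUL rejection it is named for. Reusing the request the removed valid case carried, `"GET / HTTP/1.1\r\nHost: example\x00" "com\r\n"` with length 35, would make the case exercise the new `memchr (str, '\0', len)` guard. The response-side `"NUL in header value"` case keeps the old bug id `"760832"` while its three siblings were changed to `NULL`; aligning it avoids implying that bug is still the reference. `len` is `int` in the visible `soup_headers_parse` signature, so a negative length would convert to a very large `size_t` in the new `memchr` call; a `len < 0` early return, if not already present above the hunk, is cheap.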
@@ -0,0 +1,336 @@ +From 4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 27 Aug 2024 12:18:58 -0500 +Subject: [PATCH 1/4] fuzzing: Cover soup_header_parse_param_list + +--- + fuzzing/fuzz.h | 9 +++++++-- + fuzzing/fuzz_header_parsing.c | 19 +++++++++++++++++++ + fuzzing/fuzz_header_parsing.dict | 8 ++++++++ + fuzzing/meson.build | 2 ++ + 4 files changed, 36 insertions(+), 2 deletions(-) + create mode 100644 fuzzing/fuzz_header_parsing.c + create mode 100644 fuzzing/fuzz_header_parsing.dict + +diff --git a/fuzzing/fuzz.h b/fuzzing/fuzz.h +index 0d3802856..f3bd28eee 100644 +--- a/fuzzing/fuzz.h ++++ b/fuzzing/fuzz.h +@@ -1,13 +1,14 @@ + #include "libsoup/soup.h" + + int LLVMFuzzerTestOneInput (const unsigned char *data, size_t size); ++static int set_logger = 0; + + #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + static GLogWriterOutput + empty_logging_func (GLogLevelFlags log_level, const GLogField *fields, + gsize n_fields, gpointer user_data) + { +- return G_LOG_WRITER_HANDLED; ++ return G_LOG_WRITER_HANDLED; + } + #endif + +@@ -16,6 +17,10 @@ static void + fuzz_set_logging_func (void) + { + #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +- g_log_set_writer_func (empty_logging_func, NULL, NULL); ++ if (!set_logger) ++ { ++ set_logger = 1; ++ g_log_set_writer_func (empty_logging_func, NULL, NULL); ++ } + #endif + } +diff --git a/fuzzing/fuzz_header_parsing.c b/fuzzing/fuzz_header_parsing.c +new file mode 100644 +index 000000000..a8e5c1f9f +--- /dev/null ++++ b/fuzzing/fuzz_header_parsing.c +@@ -0,0 +1,19 @@ ++#include "fuzz.h" ++ ++int ++LLVMFuzzerTestOneInput (const unsigned char *data, size_t size) ++{ ++ GHashTable *elements; ++ ++ // We only accept NUL terminated strings ++ if (!size || data[size - 1] != '\0') ++ return 0; ++ ++ fuzz_set_logging_func (); ++ ++ elements = soup_header_parse_param_list((char*)data); ++ ++ g_hash_table_unref(elements); ++ ++ return 0; ++} +\ No newline at end of file +diff 
--git a/fuzzing/fuzz_header_parsing.dict b/fuzzing/fuzz_header_parsing.dict +new file mode 100644 +index 000000000..1562ca3a6 +--- /dev/null ++++ b/fuzzing/fuzz_header_parsing.dict +@@ -0,0 +1,8 @@ ++"*=UTF-8''" ++"*=iso-8859-1''" ++"'" ++"''" ++"=" ++"*=" ++""" ++";" +\ No newline at end of file +diff --git a/fuzzing/meson.build b/fuzzing/meson.build +index b14cbb509..5dd0f4173 100644 +--- a/fuzzing/meson.build ++++ b/fuzzing/meson.build +@@ -5,6 +5,7 @@ fuzz_targets = [ + 'fuzz_cookie_parse', + 'fuzz_content_sniffer', + 'fuzz_date_time', ++ 'fuzz_header_parsing', + ] + + fuzzing_args = '-fsanitize=fuzzer,address,undefined' +@@ -34,6 +35,7 @@ if have_fuzzing and (fuzzing_feature.enabled() or fuzzing_feature.auto()) + '-runs=200000', + '-artifact_prefix=meson-logs/' + target + '-', + '-print_final_stats=1', ++ '-max_len=4096', + ] + extra_args, + env: [ + 'ASAN_OPTIONS=fast_unwind_on_malloc=0', +-- +GitLab + + +From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 27 Aug 2024 13:52:08 -0500 +Subject: [PATCH 2/4] tests: Add test for passing invalid UTF-8 to + soup_header_parse_semi_param_list() + +--- + tests/header-parsing-test.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 715c2c6f2..5e423d2b2 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -825,6 +825,17 @@ static struct ParamListTest { + { "filename", "t\xC3\xA9st.txt" }, + }, + }, ++ ++ /* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. 
*/ ++ { TRUE, ++ "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo", ++ { ++ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" }, ++ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" }, ++ { "foo", NULL }, ++ ++ }, ++ } + }; + static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests); + +-- +GitLab + + +From 3c54033634ae537b52582900a7ba432c52ae8174 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 16 Sep 2024 13:56:09 -0500 +Subject: [PATCH 3/4] Define GLIB_VERSION_MAX_ALLOWED and + GLIB_VERSION_MIN_REQUIRED + +--- + meson.build | 3 +++ + tests/hsts-db-test.c | 3 ++- + tests/proxy-test.c | 3 ++- + 3 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/meson.build b/meson.build +index f7c633891..08b0d764d 100644 +--- a/meson.build ++++ b/meson.build +@@ -112,6 +112,9 @@ glib_deps = [glib_dep, gmodule_dep, gobject_dep, gio_dep] + + cdata = configuration_data() + ++cdata.set('GLIB_VERSION_MAX_ALLOWED', 'GLIB_VERSION_2_70') ++cdata.set('GLIB_VERSION_MIN_REQUIRED', 'GLIB_VERSION_2_70') ++ + libnghttp2_dep = dependency('libnghttp2') + if (libnghttp2_dep.version() == 'unknown' and (libnghttp2_dep.type_name() == 'internal' or cc.has_function('nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation', prefix : '#include ', dependencies : libnghttp2_dep))) or libnghttp2_dep.version().version_compare('>=1.50') + cdata.set('HAVE_NGHTTP2_OPTION_SET_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION', '1') +diff --git a/tests/hsts-db-test.c b/tests/hsts-db-test.c +index 1149a044f..04d7c4f12 100644 +--- a/tests/hsts-db-test.c ++++ b/tests/hsts-db-test.c +@@ -1,8 +1,9 @@ ++#include "test-utils.h" ++ + #include + #include + + #include +-#include "test-utils.h" + #include "soup-uri-utils-private.h" + + #define DB_FILE "hsts-db.sqlite" +diff --git 
a/tests/proxy-test.c b/tests/proxy-test.c +index ec0393671..d730c8a7b 100644 +--- a/tests/proxy-test.c ++++ b/tests/proxy-test.c +@@ -1,8 +1,9 @@ + /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */ + +-#include + #include "test-utils.h" + ++#include ++ + typedef struct { + const char *explanation; + const char *url; +-- +GitLab + + +From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 27 Aug 2024 13:53:26 -0500 +Subject: [PATCH 4/4] headers: Be more robust against invalid input when + parsing params + +If you pass invalid input to a function such as soup_header_parse_param_list_strict() +it can cause an overflow if it decodes the input to UTF-8. + +This should never happen with valid UTF-8 input which libsoup's client API +ensures, however it's server API does not currently. +--- + libsoup/soup-headers.c | 46 ++++++++++++++++++++++-------------------- + 1 file changed, 24 insertions(+), 22 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index f30ee467a..613e1905e 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -646,8 +646,9 @@ soup_header_contains (const char *header, const char *token) + } + + static void +-decode_quoted_string (char *quoted_string) ++decode_quoted_string_inplace (GString *quoted_gstring) + { ++ char *quoted_string = quoted_gstring->str; + char *src, *dst; + + src = quoted_string + 1; +@@ -661,10 +662,11 @@ decode_quoted_string (char *quoted_string) + } + + static gboolean +-decode_rfc5987 (char *encoded_string) ++decode_rfc5987_inplace (GString *encoded_gstring) + { + char *q, *decoded; + gboolean iso_8859_1 = FALSE; ++ const char *encoded_string = encoded_gstring->str; + + q = strchr (encoded_string, '\''); + if (!q) +@@ -696,14 +698,7 @@ decode_rfc5987 (char *encoded_string) + decoded = utf8; + } + +- /* If encoded_string was UTF-8, then each 3-character %-escape +- * will be converted to a single byte, and so 
decoded is +- * shorter than encoded_string. If encoded_string was +- * iso-8859-1, then each 3-character %-escape will be +- * converted into at most 2 bytes in UTF-8, and so it's still +- * shorter. +- */ +- strcpy (encoded_string, decoded); ++ g_string_assign (encoded_gstring, decoded); + g_free (decoded); + return TRUE; + } +@@ -713,15 +708,17 @@ parse_param_list (const char *header, char delim, gboolean strict) + { + GHashTable *params; + GSList *list, *iter; +- char *item, *eq, *name_end, *value; +- gboolean override, duplicated; + + params = g_hash_table_new_full (soup_str_case_hash, + soup_str_case_equal, +- g_free, NULL); ++ g_free, g_free); + + list = parse_list (header, delim); + for (iter = list; iter; iter = iter->next) { ++ char *item, *eq, *name_end; ++ gboolean override, duplicated; ++ GString *parsed_value = NULL; ++ + item = iter->data; + override = FALSE; + +@@ -736,19 +733,19 @@ parse_param_list (const char *header, char delim, gboolean strict) + + *name_end = '\0'; + +- value = (char *)skip_lws (eq + 1); ++ parsed_value = g_string_new ((char *)skip_lws (eq + 1)); + + if (name_end[-1] == '*' && name_end > item + 1) { + name_end[-1] = '\0'; +- if (!decode_rfc5987 (value)) { ++ if (!decode_rfc5987_inplace (parsed_value)) { ++ g_string_free (parsed_value, TRUE); + g_free (item); + continue; + } + override = TRUE; +- } else if (*value == '"') +- decode_quoted_string (value); +- } else +- value = NULL; ++ } else if (parsed_value->str[0] == '"') ++ decode_quoted_string_inplace (parsed_value); ++ } + + duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL); + +@@ -756,11 +753,16 @@ parse_param_list (const char *header, char delim, gboolean strict) + soup_header_free_param_list (params); + params = NULL; + g_slist_foreach (iter, (GFunc)g_free, NULL); ++ if (parsed_value) ++ g_string_free (parsed_value, TRUE); + break; +- } else if (override || !duplicated) +- g_hash_table_replace (params, item, value); +- else ++ } else if (override || 
!duplicated) { ++ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL); ++ } else { ++ if (parsed_value) ++ g_string_free (parsed_value, TRUE); + g_free (item); ++ } + } + + g_slist_free (list); +-- +GitLab + diff --git a/libsoup/SOURCES/CVE-2024-52532.patch b/libsoup/SOURCES/CVE-2024-52532.patch new file mode 100644 index 00000000000..7ee26f8e462 --- /dev/null +++ b/libsoup/SOURCES/CVE-2024-52532.patch 
@@ -0,0 +1,114 @@ +From 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro +Date: Wed, 11 Sep 2024 11:52:11 +0200 +Subject: [PATCH 1/2] websocket: process the frame as soon as we read data + +Otherwise we can enter in a read loop because we were not +validating the data until the all the data was read. + +Fixes #391 +--- + libsoup/websocket/soup-websocket-connection.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c +index a1a730473..a14481340 100644 +--- a/libsoup/websocket/soup-websocket-connection.c ++++ b/libsoup/websocket/soup-websocket-connection.c +@@ -1199,9 +1199,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self) + } + + priv->incoming->len = len + count; +- } while (count > 0); + +- process_incoming (self); ++ process_incoming (self); ++ } while (count > 0 && !priv->close_sent && !priv->io_closing); + + if (end) { + if (!priv->close_sent || !priv->close_received) { +-- +GitLab + + +From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro +Date: Wed, 2 Oct 2024 11:17:19 +0200 +Subject: [PATCH 2/2] websocket-test: disconnect error copy after the test ends + +Otherwise the server will have already sent a few more wrong +bytes and the client will continue getting errors to copy +but the error is already != NULL and it will assert +--- + tests/websocket-test.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tests/websocket-test.c b/tests/websocket-test.c +index 06c443bb5..6a48c1f9b 100644 +--- a/tests/websocket-test.c ++++ b/tests/websocket-test.c +@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test, + GError *error = NULL; + InvalidEncodeLengthTest context = { test, NULL }; + guint i; ++ guint error_id; + +- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); ++ 
error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); + g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); + + /* We use 127(\x7f) as payload length with 65535 extended length */ +@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test, + WAIT_UNTIL (error != NULL || received != NULL); + g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); + g_clear_error (&error); ++ g_signal_handler_disconnect (test->client, error_id); + g_assert_null (received); + + g_thread_join (thread); +-- +GitLab + + +From 4c9e75c6676a37b6485620c332e568e1a3f530ff Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 13 Nov 2024 14:14:23 +0000 +Subject: [PATCH] websocket-test: Disconnect error signal in another place + +This is the same change as commit 29b96fab "websocket-test: disconnect +error copy after the test ends", and is done for the same reason, but +replicating it into a different function. 
+ +Fixes: 6adc0e3e "websocket: process the frame as soon as we read data" +Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399 +Signed-off-by: Simon McVittie +--- + tests/websocket-test.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tests/websocket-test.c b/tests/websocket-test.c +index 6a48c1f9..723f2857 100644 +--- a/tests/websocket-test.c ++++ b/tests/websocket-test.c +@@ -1508,8 +1508,9 @@ test_receive_invalid_encode_length_16 (Test *test, + GError *error = NULL; + InvalidEncodeLengthTest context = { test, NULL }; + guint i; ++ guint error_id; + +- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); ++ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); + g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); + + /* We use 126(~) as payload length with 125 extended length */ +@@ -1522,6 +1523,7 @@ test_receive_invalid_encode_length_16 (Test *test, + WAIT_UNTIL (error != NULL || received != NULL); + g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); + g_clear_error (&error); ++ g_signal_handler_disconnect (test->client, error_id); + g_assert_null (received); + + g_thread_join (thread); +-- +GitLab + diff --git a/libsoup/SOURCES/CVE-2025-2784.patch b/libsoup/SOURCES/CVE-2025-2784.patch new file mode 100644 index 00000000000..5eb690a50ee --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-2784.patch 
@@ -0,0 +1,134 @@ +From 0cd5cb7d61ec22b60ce21f84f91a1d8da930eff6 Mon Sep 17 00:00:00 2001 +From: Kshitiz Godara +Date: Sun, 4 May 2025 12:46:20 +0000 +Subject: [PATCH 1/6] Combined two patches to address CVE-2025-2784 + +Upstream references: +https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs +https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d +--- + .../content-sniffer/soup-content-sniffer.c | 10 ++-- + tests/meson.build | 4 +- + tests/sniffing-test.c | 48 +++++++++++++++++++ + 3 files changed, 56 insertions(+), 6 deletions(-) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index 2351c3f..150d285 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -638,8 +638,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, GBytes *buffer) + } + + static gboolean +-skip_insignificant_space (const char *resource, int *pos, int resource_length) ++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length) + { ++ if (*pos >= resource_length) ++ return TRUE; ++ + while ((resource[*pos] == '\x09') || + (resource[*pos] == '\x20') || + (resource[*pos] == '\x0A') || +@@ -659,7 +662,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer) + gsize resource_length; + const char *resource = g_bytes_get_data (buffer, &resource_length); + resource_length = MIN (512, resource_length); +- int pos = 0; ++ gsize pos = 0; + + if (resource_length < 3) + goto text_html; +@@ -669,9 +672,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer) + pos = 3; + + look_for_tag: +- if (pos > resource_length) +- goto text_html; +- + if (skip_insignificant_space (resource, &pos, resource_length)) + goto text_html; + +diff --git a/tests/meson.build b/tests/meson.build +index 9bf88be..b4112ec 100644 +--- a/tests/meson.build ++++ b/tests/meson.build +@@ -94,7 +94,9 @@ tests = [ 
+ {'name': 'session'}, + {'name': 'server-auth'}, + {'name': 'server'}, +- {'name': 'sniffing'}, ++ {'name': 'sniffing', ++ 'depends': [test_resources], ++ }, + {'name': 'ssl', + 'dependencies': [gnutls_dep], + 'depends': mock_pkcs11_module, +diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c +index 6116719..7857732 100644 +--- a/tests/sniffing-test.c ++++ b/tests/sniffing-test.c +@@ -342,6 +342,52 @@ test_disabled (gconstpointer data) + g_uri_unref (uri); + } + ++static const gsize MARKUP_LENGTH = strlen (""); ++ ++static void ++do_skip_whitespace_test (void) ++{ ++ SoupContentSniffer *sniffer = soup_content_sniffer_new (); ++ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org"); ++ const char *test_cases[] = { ++ "", ++ "$trailing_data ++ memcpy (p, "", strlen ("-->")); ++ p += strlen ("-->"); ++ if (strlen (trailing_data)) ++ memcpy (p, trailing_data, strlen (trailing_data)); ++ // Purposefully not NUL terminated. ++ ++ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize); ++ content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL); ++ ++ g_free (content_type); ++ g_bytes_unref (buffer); ++ } ++ ++ g_object_unref (msg); ++ g_object_unref (sniffer); ++} ++ + int + main (int argc, char **argv) + { +@@ -517,6 +563,8 @@ main (int argc, char **argv) + "/text_or_binary/home.gif", + test_disabled); + ++ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test); ++ + ret = g_test_run (); + + g_uri_unref (base_uri); +-- +2.45.3 + diff --git a/libsoup/SOURCES/CVE-2025-32050.patch b/libsoup/SOURCES/CVE-2025-32050.patch new file mode 100644 index 00000000000..ae910906bc4 --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32050.patch 
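Review bot: `static const gsize MARKUP_LENGTH = strlen (...)` at file scope in sniffing-test.c is not a constant expression in ISO C (a static-storage initializer must be one, C11 6.7.9p4); it compiles only because GCC and Clang fold `strlen` of a literal as a builtin, so `sizeof` of the same literal minus 1, or a `#define`, is the portable spelling. The sniffing-test hunk as rendered on this page has lost the text inside angle brackets (`"", ++ "$trailing_data ++ memcpy (p, "", strlen ("-->"))`), so the body of `do_skip_whitespace_test` cannot be reviewed from here and should be checked against the upstream merge request the description cites. The new early return in `skip_insignificant_space` covers entry with `*pos >= resource_length`; the `while` body that advances `*pos` is outside the hunk, so whether each advance is re-bounded is not visible here.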
@@ -0,0 +1,27 @@ +From 2825634dd081a3af1800d6967ba0991f3def3347 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 28 Oct 2024 12:29:48 -0500 +Subject: [PATCH 3/6] Fix using int instead of size_t for strcspn return + +Upstream reference: +https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323 +--- + libsoup/soup-headers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 8382b8f..4468415 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -907,7 +907,7 @@ append_param_quoted (GString *string, + const char *name, + const char *value) + { +- int len; ++ gsize len; + + g_string_append (string, name); + g_string_append (string, "=\""); +-- +2.45.3 + diff --git a/libsoup/SOURCES/CVE-2025-32051.patch b/libsoup/SOURCES/CVE-2025-32051.patch new file mode 100644 index 00000000000..928699b9f1f --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32051.patch 
@@ -0,0 +1,48 @@ +From 206e54eb90bdc53faed29e04d26373433b6605f6 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 22 Nov 2024 13:39:51 -0600 +Subject: [PATCH 4/6] soup_uri_decode_data_uri(): Handle URIs with a path + starting with // + +Upstream reference: +https://gitlab.gnome.org/GNOME/libsoup/-/commit/79cfd65c9bd8024cd45dd725c284766329873709 +https://gitlab.gnome.org/GNOME/libsoup/-/commit/0713ba4a719da938dc8facc89fca99cd0aa3069f +--- + libsoup/soup-uri-utils.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c +index be2b79b..ad70fe6 100644 +--- a/libsoup/soup-uri-utils.c ++++ b/libsoup/soup-uri-utils.c +@@ -286,6 +286,7 @@ soup_uri_decode_data_uri (const char *uri, + gboolean base64 = FALSE; + char *uri_string; + GBytes *bytes; ++ const char *path; + + g_return_val_if_fail (uri != NULL, NULL); + +@@ -300,9 +301,19 @@ soup_uri_decode_data_uri (const char *uri, + + if (content_type) + *content_type = NULL; ++ /* g_uri_to_string() is picky about paths that start with `//` and will assert. */ ++ path = g_uri_get_path (soup_uri); ++ if (path[0] == '/' && path[1] == '/') { ++ g_uri_unref (soup_uri); ++ return NULL; ++ } ++ + + uri_string = g_uri_to_string (soup_uri); + g_uri_unref (soup_uri); ++ if (!uri_string) ++ return NULL; ++ + + start = uri_string + 5; + comma = strchr (start, ','); +-- +2.45.3 + diff --git a/libsoup/SOURCES/CVE-2025-32052.patch b/libsoup/SOURCES/CVE-2025-32052.patch new file mode 100644 index 00000000000..41ea4720590 --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32052.patch 
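Review bot: The early return at `if (path[0] == '/' && path[1] == '/')` rejects such data: URIs outright rather than decoding them, while the patch subject says they are "handled"; if rejection is the intended outcome, a comment stating it, `/* not decodable: reject instead of asserting inside g_uri_to_string() */`, keeps a future reader from trying to "fix" the rejection. Both added blocks end with a `+` blank line immediately before an existing blank line, leaving two consecutive empty lines at each site; dropping the added one keeps the file's spacing. Indexing the `g_uri_get_path` result without a NULL check is fine as far as I know, since GUri always carries a (possibly empty) path, and an empty path is safe here because `path[0]` is then the terminator and the second index is never read. soup_uri_decode_data_uri continues past the hunk.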
@@ -0,0 +1,29 @@ +From 81ae25238849867f6197e22ec42f5bb4dcb7b8ad Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 16 Nov 2024 12:07:30 -0600 +Subject: [PATCH 2/6] Fix heap buffer overflow in soup_content_sniffer_sniff + +Co-Author: Ar Jun + +Upstream reference: +https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652 +--- + libsoup/content-sniffer/soup-content-sniffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index 150d285..a772c7c 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -529,7 +529,7 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer, + guint index_pattern = 0; + gboolean skip_row = FALSE; + +- while ((index_stream < resource_length) && ++ while ((index_stream < resource_length - 1) && + (index_pattern <= type_row->pattern_length)) { + /* Skip insignificant white space ("WS" in the spec) */ + if (type_row->pattern[index_pattern] == ' ') { +-- +2.45.3 + diff --git a/libsoup/SOURCES/CVE-2025-32053.patch b/libsoup/SOURCES/CVE-2025-32053.patch new file mode 100644 index 00000000000..5a49b386f2e --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32053.patch 
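Review bot: The new bound `index_stream < resource_length - 1` wraps when `resource_length` is zero and unsigned: its declaration is outside the hunk, but elsewhere in this same file (sniff_mp4) the identically named variable is a `gsize` filled by g_bytes_get_data, so an empty buffer would presumably turn the bound into `SIZE_MAX` and let the loop read past the resource again. Writing the condition as `while ((index_stream + 1 < resource_length) &&` avoids the subtraction and is equivalent for non-zero lengths (assuming `index_stream` is unsigned like the visible `index_pattern`); alternatively an explicit zero-length early-out at the top of sniff_unknown, whose start and end lie outside the hunk. A short comment on why the `- 1` is needed (presumably a look-ahead read of `resource[index_stream + 1]` further down) would help, as the hunk does not show the access that overflowed.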
@@ -0,0 +1,36 @@ +From eaed42ca8d40cd9ab63764e3d63641180505f40a Mon Sep 17 00:00:00 2001 +From: Ar Jun +Date: Mon, 18 Nov 2024 14:59:51 -0600 +Subject: [PATCH] Fix heap buffer overflow in + soup-content-sniffer.c:sniff_feed_or_html() + +Upstream patch reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a +--- + libsoup/content-sniffer/soup-content-sniffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index b62e4888..5a181ff1 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -641,7 +641,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length) + (resource[*pos] == '\x0D')) { + *pos = *pos + 1; + +- if (*pos > resource_length) ++ if (*pos >= resource_length) + return TRUE; + } + +@@ -704,7 +704,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer) + do { + pos++; + +- if (pos > resource_length) ++ if ((pos + 1) > resource_length) + goto text_html; + } while (resource[pos] != '>'); + +-- +GitLab + diff --git a/libsoup/SOURCES/CVE-2025-32906.patch b/libsoup/SOURCES/CVE-2025-32906.patch new file mode 100644 index 00000000000..32c9cfb2380 --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32906.patch 
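Review bot: The two guards added by this patch express the same bound in different forms: `if (*pos >= resource_length)` in skip_insignificant_space and `if ((pos + 1) > resource_length)` in sniff_feed_or_html; for `int` operands these are identical (assuming `pos` is an `int` like `resource_length`), so the second reads more clearly as `if (pos >= resource_length)` and matches the first. The guard in sniff_feed_or_html sits directly before `while (resource[pos] != '>')`, so the index it protects is the one read by the loop condition; a comment such as `/* pos is read by the loop condition below; stop at the end of resource */` would make that visible. Both enclosing functions start and end outside their hunks.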
@@ -0,0 +1,38 @@ +From e0831346d685ee907065fa5e489e133f8ca12013 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 12 Feb 2025 11:30:02 -0600 +Subject: [PATCH] headers: Handle parsing only newlines + +Closes #404 +Closes #407 + +Link: https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f.patch +--- + libsoup/soup-headers.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index a0cf351..88aafc9 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -193,7 +193,7 @@ soup_headers_parse_request (const char *str, + /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s) + * received where a Request-Line is expected." + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +@@ -378,7 +378,7 @@ soup_headers_parse_response (const char *str, + * after a response, which we then see prepended to the next + * response on that connection. + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +-- +2.34.1 + diff --git a/libsoup/SOURCES/CVE-2025-32907.patch b/libsoup/SOURCES/CVE-2025-32907.patch new file mode 100644 index 00000000000..01c36f6e353 --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32907.patch 
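Review bot: Reordering to `while (len > 0 && (*str == '\r' || *str == '\n'))` stops the loop from reading `*str` once `len` reaches zero, but it is the code after the loop, outside both hunks, that then has to cope with `len == 0`, and nothing here shows whether the next access of `str` in soup_headers_parse_request or soup_headers_parse_response is guarded; worth confirming that input consisting only of newlines now fails the parse rather than reading one byte past the end. The same fix appears in both hunks of soup-headers.c and this point applies to both. Both enclosing functions continue past their hunks.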
@@ -0,0 +1,259 @@ +From 9bb92f7a685e31e10e9e8221d0342280432ce836 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Tue, 15 Apr 2025 12:17:39 +0200 +Subject: [PATCH 1/2] soup-message-headers: Correct merge of ranges + +It had been skipping every second range, which generated an array +of a lot of insane ranges, causing large memory usage by the server. + +Closes #428 + +Part-of: +--- + libsoup/soup-message-headers.c | 1 + + tests/meson.build | 1 + + tests/server-mem-limit-test.c | 144 +++++++++++++++++++++++++++++++++ + 3 files changed, 146 insertions(+) + create mode 100644 tests/server-mem-limit-test.c + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 8eec4200..e799082b 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1244,6 +1244,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs, + if (cur->start <= prev->end) { + prev->end = MAX (prev->end, cur->end); + g_array_remove_index (array, i); ++ i--; + } + } + } +diff --git a/tests/meson.build b/tests/meson.build +index 02924c03..ac892359 100644 +--- a/tests/meson.build ++++ b/tests/meson.build +@@ -103,6 +103,7 @@ tests = [ + {'name': 'samesite'}, + {'name': 'session'}, + {'name': 'server-auth'}, ++ {'name': 'server-mem-limit'}, + {'name': 'server'}, + {'name': 'sniffing', + 'depends': [test_resources], +diff --git a/tests/server-mem-limit-test.c b/tests/server-mem-limit-test.c +new file mode 100644 +index 00000000..98f1c40f +--- /dev/null ++++ b/tests/server-mem-limit-test.c +@@ -0,0 +1,144 @@ ++/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */ ++/* ++ * Copyright (C) 2025 Red Hat ++ */ ++ ++#include "test-utils.h" ++ ++#include ++ ++/* ++ This test limits memory usage to trigger too large buffer allocation crash. ++ As restoring the limits back to what it was does not always work, it's split ++ out of the server-test.c test with copied minimal server code. 
++ */ ++ ++typedef struct { ++ SoupServer *server; ++ GUri *base_uri, *ssl_base_uri; ++ GSList *handlers; ++} ServerData; ++ ++static void ++server_setup_nohandler (ServerData *sd, gconstpointer test_data) ++{ ++ sd->server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ sd->base_uri = soup_test_server_get_uri (sd->server, "http", NULL); ++ if (tls_available) ++ sd->ssl_base_uri = soup_test_server_get_uri (sd->server, "https", NULL); ++} ++ ++static void ++server_add_handler (ServerData *sd, ++ const char *path, ++ SoupServerCallback callback, ++ gpointer user_data, ++ GDestroyNotify destroy) ++{ ++ soup_server_add_handler (sd->server, path, callback, user_data, destroy); ++ sd->handlers = g_slist_prepend (sd->handlers, g_strdup (path)); ++} ++ ++static void ++server_setup (ServerData *sd, gconstpointer test_data) ++{ ++ server_setup_nohandler (sd, test_data); ++} ++ ++static void ++server_teardown (ServerData *sd, gconstpointer test_data) ++{ ++ GSList *iter; ++ ++ for (iter = sd->handlers; iter; iter = iter->next) ++ soup_server_remove_handler (sd->server, iter->data); ++ g_slist_free_full (sd->handlers, g_free); ++ ++ g_clear_pointer (&sd->server, soup_test_server_quit_unref); ++ g_clear_pointer (&sd->base_uri, g_uri_unref); ++ g_clear_pointer (&sd->ssl_base_uri, g_uri_unref); ++} ++ ++static void ++server_file_callback (SoupServer *server, ++ SoupServerMessage *msg, ++ const char *path, ++ GHashTable *query, ++ gpointer data) ++{ ++ void *mem; ++ ++ g_assert_cmpstr (path, ==, "/file"); ++ g_assert_cmpstr (soup_server_message_get_method (msg), ==, SOUP_METHOD_GET); ++ ++ mem = g_malloc0 (sizeof (char) * 1024 * 1024); ++ /* fedora-scan CI claims a warning about possibly leaked `mem` variable, thus use ++ the copy and free it explicitly, to workaround the false positive; the g_steal_pointer() ++ did not help for the malloc-ed memory */ ++ soup_server_message_set_response (msg, "application/octet-stream", SOUP_MEMORY_COPY, mem, sizeof (char) * 1024 *1024); 
++ soup_server_message_set_status (msg, SOUP_STATUS_OK, NULL); ++ g_free (mem); ++} ++ ++static void ++do_ranges_overlaps_test (ServerData *sd, gconstpointer test_data) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ GString *range; ++ GUri *uri; ++ const char *chunk = ",0,0,0,0,0,0,0,0,0,0,0"; ++ ++ g_test_bug ("428"); ++ ++ #ifdef G_OS_WIN32 ++ g_test_skip ("Cannot run under windows"); ++ return; ++ #endif ++ ++ range = g_string_sized_new (99 * 1024); ++ g_string_append (range, "bytes=1024"); ++ while (range->len < 99 * 1024) ++ g_string_append (range, chunk); ++ ++ session = soup_test_session_new (NULL); ++ server_add_handler (sd, "/file", server_file_callback, NULL, NULL); ++ ++ uri = g_uri_parse_relative (sd->base_uri, "/file", SOUP_HTTP_URI_FLAGS, NULL); ++ ++ msg = soup_message_new_from_uri ("GET", uri); ++ soup_message_headers_append (soup_message_get_request_headers (msg), "Range", range->str); ++ ++ soup_test_session_send_message (session, msg); ++ ++ soup_test_assert_message_status (msg, SOUP_STATUS_PARTIAL_CONTENT); ++ ++ g_object_unref (msg); ++ ++ g_string_free (range, TRUE); ++ g_uri_unref (uri); ++ ++ soup_test_session_abort_unref (session); ++} ++ ++int ++main (int argc, char **argv) ++{ ++ int ret; ++ ++ test_init (argc, argv, NULL); ++ ++ #ifndef G_OS_WIN32 ++ struct rlimit new_rlimit = { 1024 * 1024 * 64, 1024 * 1024 * 64 }; ++ /* limit memory usage, to trigger too large memory allocation abort */ ++ g_assert_cmpint (setrlimit (RLIMIT_DATA, &new_rlimit), ==, 0); ++ #endif ++ ++ g_test_add ("/server-mem/range-overlaps", ServerData, NULL, ++ server_setup, do_ranges_overlaps_test, server_teardown); ++ ++ ret = g_test_run (); ++ ++ test_cleanup (); ++ return ret; ++} +-- +GitLab + + +From eeace39ec686094ff6a05a43e5fce06e9c37f376 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Tue, 13 May 2025 14:20:46 +0200 +Subject: [PATCH 2/2] server-mem-limit-test: Limit memory usage only when not + built witha sanitizer + +A build with 
-Db_sanitize=address crashes with failed mmap(), which is done +inside libasan. The test requires 20.0TB of virtual memory when running with +the sanitizer, which is beyond unsigned integer limits and may not trigger +the bug anyway. + +Part-of: +--- + meson.build | 4 ++++ + tests/server-mem-limit-test.c | 13 +++++++++---- + 2 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/meson.build b/meson.build +index 8772a0ea..b31a8791 100644 +--- a/meson.build ++++ b/meson.build +@@ -357,6 +357,10 @@ configinc = include_directories('.') + + prefix = get_option('prefix') + ++if get_option('b_sanitize') != 'none' ++ cdata.set_quoted('B_SANITIZE_OPTION', get_option('b_sanitize')) ++endif ++ + cdata.set_quoted('PACKAGE_VERSION', soup_version) + cdata.set_quoted('LOCALEDIR', join_paths(prefix, get_option('localedir'))) + cdata.set_quoted('GETTEXT_PACKAGE', libsoup_api_name) +diff --git a/tests/server-mem-limit-test.c b/tests/server-mem-limit-test.c +index 98f1c40f..65dc875e 100644 +--- a/tests/server-mem-limit-test.c ++++ b/tests/server-mem-limit-test.c +@@ -126,14 +126,19 @@ main (int argc, char **argv) + { + int ret; + +- test_init (argc, argv, NULL); +- +- #ifndef G_OS_WIN32 +- struct rlimit new_rlimit = { 1024 * 1024 * 64, 1024 * 1024 * 64 }; ++ /* a build with an address sanitizer may crash on mmap() with the limit, ++ thus skip the limit set in such case, even it may not necessarily ++ trigger the bug if it regresses */ ++ #if !defined(G_OS_WIN32) && !defined(B_SANITIZE_OPTION) ++ struct rlimit new_rlimit = { 1024UL * 1024UL * 1024UL * 2UL, 1024UL * 1024UL * 1024UL * 2UL }; + /* limit memory usage, to trigger too large memory allocation abort */ + g_assert_cmpint (setrlimit (RLIMIT_DATA, &new_rlimit), ==, 0); ++ #else ++ g_message ("server-mem-limit-test: Running without memory limit"); + #endif + ++ test_init (argc, argv, NULL); ++ + g_test_add ("/server-mem/range-overlaps", ServerData, NULL, + server_setup, do_ranges_overlaps_test, server_teardown); + +-- 
+GitLab + diff --git a/libsoup/SOURCES/CVE-2025-32908.patch b/libsoup/SOURCES/CVE-2025-32908.patch new file mode 100644 index 00000000000..3d6de62507b --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32908.patch 
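Review bot: The library fix `i--;` after `g_array_remove_index (array, i)` depends on the loop header of soup_message_headers_get_ranges_internal, which lies outside the hunk, so the reason for the decrement is invisible at the site; a comment such as `/* the element at i was merged into prev; the loop's i++ must re-examine the element that shifted into slot i */` documents it and guards against the loop being rewritten without the decrement. In the new test file, server_file_callback compares the method with `SOUP_METHOD_GET` while do_ranges_overlaps_test builds its request with the bare literal `"GET"`; using `SOUP_METHOD_GET` in both keeps the file consistent. The merge loop itself starts and ends outside its hunk.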
@@ -0,0 +1,83 @@ +From a792b23ab87cacbf4dd9462bf7b675fa678efbae Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Tue, 15 Apr 2025 09:59:05 +0200 +Subject: [PATCH] soup-server-http2: Check validity of the constructed + connection URI + +The HTTP/2 pseudo-headers can contain invalid values, which the GUri rejects +and returns NULL, but the soup-server did not check the validity and could +abort the server itself later in the code. + +Closes #429 +--- + .../http2/soup-server-message-io-http2.c | 4 +++ + tests/http2-test.c | 28 +++++++++++++++++++ + 2 files changed, 32 insertions(+) + +diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c +index 943ecfd3..f1fe2d5c 100644 +--- a/libsoup/server/http2/soup-server-message-io-http2.c ++++ b/libsoup/server/http2/soup-server-message-io-http2.c +@@ -771,9 +771,13 @@ on_frame_recv_callback (nghttp2_session *session, + char *uri_string; + GUri *uri; + ++ if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL) ++ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path); + uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL); + g_free (uri_string); ++ if (uri == NULL) ++ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + soup_server_message_set_uri (msg_io->msg, uri); + g_uri_unref (uri); + +diff --git a/tests/http2-test.c b/tests/http2-test.c +index 5b6da5e4..ec7972fe 100644 +--- a/tests/http2-test.c ++++ b/tests/http2-test.c +@@ -1341,6 +1341,30 @@ do_connection_closed_test (Test *test, gconstpointer data) + g_uri_unref (uri); + } + ++static void ++do_broken_pseudo_header_test (Test *test, gconstpointer data) ++{ ++ char *path; ++ SoupMessage *msg; ++ GUri *uri; ++ GBytes *body = NULL; ++ GError *error = NULL; ++ ++ uri = g_uri_parse_relative (base_uri, "/ag", SOUP_HTTP_URI_FLAGS, NULL); ++ ++ /* an ugly cheat to construct a broken URI, which can be sent 
from other libs */ ++ path = (char *) g_uri_get_path (uri); ++ path[1] = '%'; ++ ++ msg = soup_message_new_from_uri (SOUP_METHOD_GET, uri); ++ body = soup_test_session_async_send (test->session, msg, NULL, &error); ++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_PARTIAL_INPUT); ++ g_assert_null (body); ++ g_clear_error (&error); ++ g_object_unref (msg); ++ g_uri_unref (uri); ++} ++ + static gboolean + unpause_message (SoupServerMessage *msg) + { +@@ -1662,6 +1686,10 @@ main (int argc, char **argv) + setup_session, + do_connection_closed_test, + teardown_session); ++ g_test_add ("/http2/broken-pseudo-header", Test, NULL, ++ setup_session, ++ do_broken_pseudo_header_test, ++ teardown_session); + + ret = g_test_run (); + +-- +GitLab + diff --git a/libsoup/SOURCES/CVE-2025-32909.patch b/libsoup/SOURCES/CVE-2025-32909.patch new file mode 100644 index 00000000000..c593b04d15f --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32909.patch 
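Review bot: Both new early returns in on_frame_recv_callback hand `NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE` back to nghttp2, but as far as I recall nghttp2 treats any non-zero return from on_frame_recv_callback as fatal for the whole session (only the header callbacks give TEMPORAL its per-stream RST_STREAM meaning), so one request with unusable pseudo-headers closes the connection for every stream multiplexed on it; the new test asserting `G_IO_ERROR_PARTIAL_INPUT` is consistent with that reading. If per-stream rejection is what is wanted, the checks belong in the header callback or need an explicit `nghttp2_submit_rst_stream`; if connection teardown is intended, a comment saying so would stop the next reader from assuming the error is stream-scoped. The `uri == NULL` path does free `uri_string` first, so nothing leaks on either return. on_frame_recv_callback starts and ends outside the hunk.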
@@ -0,0 +1,34 @@ +From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 8 Jan 2025 16:30:17 -0600 +Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4 + bytes + +Link: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92.patch +--- + libsoup/content-sniffer/soup-content-sniffer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index 5a181ff1..aeee2e25 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -243,9 +243,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, GBytes *buffer) + gsize resource_length; + const char *resource = g_bytes_get_data (buffer, &resource_length); + resource_length = MIN (512, resource_length); +- guint32 box_size = *((guint32*)resource); ++ guint32 box_size; + guint i; + ++ if (resource_length < sizeof (guint32)) ++ return FALSE; ++ ++ box_size = *((guint32*)resource); ++ + #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + box_size = ((box_size >> 24) | + ((box_size << 8) & 0x00FF0000) | +-- +GitLab + diff --git a/libsoup/SOURCES/CVE-2025-32910.patch b/libsoup/SOURCES/CVE-2025-32910.patch new file mode 100644 index 00000000000..ba981eb8c13 --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32910.patch 
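Review bot: The moved line `box_size = *((guint32*)resource);` now sits behind the new length check, but it still reads four bytes through a `guint32 *` cast of a `const char *`, which is an unaligned access on strict targets and is not well-defined under strict aliasing; `memcpy (&box_size, resource, sizeof box_size);` reads the same bytes safely, and the hand-written byte swap below it could then become `box_size = GUINT32_FROM_BE (box_size);`. The guard `resource_length < sizeof (guint32)` is the right size for that one read; the later loop over `i` in sniff_mp4 is outside the hunk and presumably relies on the same `resource_length` bound for its own reads.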
@@ -0,0 +1,268 @@ +From e40df6d48a1cbab56f5d15016cc861a503423cfe Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sun, 8 Dec 2024 20:00:35 -0600 +Subject: [PATCH 1/3] auth-digest: Handle missing realm in authenticate header + +Link: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417.patch +--- + libsoup/auth/soup-auth-digest.c | 3 ++ + tests/auth-test.c | 50 +++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 2e81849af..4f12e87a5 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -148,6 +148,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + ++ if (!soup_auth_get_realm (auth)) ++ return FALSE; ++ + g_free (priv->domain); + g_free (priv->nonce); + g_free (priv->opaque); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 158fdac10..3066e904a 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1866,6 +1866,55 @@ do_multiple_digest_algorithms (void) + soup_test_server_quit_unref (server); + } + ++static void ++on_request_read_for_missing_realm (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) ++{ ++ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++} ++ ++static void ++do_missing_realm_test (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupServer *server; ++ SoupAuthDomain *digest_auth_domain; ++ gint status; ++ GUri *uri; ++ ++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ soup_server_add_handler (server, NULL, ++ server_callback, NULL, NULL); ++ uri = soup_test_server_get_uri (server, "http", NULL); ++ ++ digest_auth_domain = soup_auth_domain_digest_new ( ++ "realm", "auth-test", ++ "auth-callback", server_digest_auth_callback, ++ NULL); ++ 
soup_auth_domain_add_path (digest_auth_domain, "/"); ++ soup_server_add_auth_domain (server, digest_auth_domain); ++ g_object_unref (digest_auth_domain); ++ ++ g_signal_connect (server, "request-read", ++ G_CALLBACK (on_request_read_for_missing_realm), ++ NULL); ++ ++ session = soup_test_session_new (NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ g_signal_connect (msg, "authenticate", ++ G_CALLBACK (on_digest_authenticate), ++ NULL); ++ ++ status = soup_test_session_send_message (session, msg); ++ ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); ++ g_uri_unref (uri); ++ soup_test_server_quit_unref (server); ++} ++ + int + main (int argc, char **argv) + { +@@ -1899,6 +1948,7 @@ main (int argc, char **argv) + g_test_add_func ("/auth/auth-uri", do_auth_uri_test); + g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate); + g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms); ++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test); + + ret = g_test_run (); + +-- +GitLab + + +From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Thu, 26 Dec 2024 18:18:35 -0600 +Subject: [PATCH 2/3] auth-digest: Handle missing nonce + +--- + libsoup/auth/soup-auth-digest.c | 45 +++++++++++++++++++++++++-------- + tests/auth-test.c | 19 ++++++++------ + 2 files changed, 46 insertions(+), 18 deletions(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 4f12e87a5..350bfde69 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -138,6 +138,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) + return g_string_free (out, FALSE); + } + ++static gboolean ++validate_params (SoupAuthDigest *auth_digest) ++{ ++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); ++ ++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { ++ if 
(!priv->nonce) ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ + static gboolean + soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + GHashTable *auth_params) +@@ -175,16 +188,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + if (priv->algorithm == -1) + ok = FALSE; + +- stale = g_hash_table_lookup (auth_params, "stale"); +- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) +- recompute_hex_a1 (priv); +- else { +- g_free (priv->user); +- priv->user = NULL; +- g_free (priv->cnonce); +- priv->cnonce = NULL; +- memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); +- memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ if (!validate_params (auth_digest)) ++ ok = FALSE; ++ ++ if (ok) { ++ stale = g_hash_table_lookup (auth_params, "stale"); ++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) ++ recompute_hex_a1 (priv); ++ else { ++ g_free (priv->user); ++ priv->user = NULL; ++ g_free (priv->cnonce); ++ priv->cnonce = NULL; ++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); ++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ } + } + + return ok; +@@ -276,6 +294,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp, + + /* In MD5-sess, A1 is hex_urp:nonce:cnonce */ + ++ g_assert (nonce && cnonce); ++ + checksum = g_checksum_new (G_CHECKSUM_MD5); + g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -366,6 +386,8 @@ soup_auth_digest_compute_response (const char *method, + if (qop) { + char tmp[9]; + ++ g_assert (cnonce); ++ + g_snprintf (tmp, 9, "%.8x", nc); + g_checksum_update (checksum, (guchar *)tmp, strlen (tmp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -429,6 +451,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg) + g_return_val_if_fail (uri != NULL, NULL); + url = soup_uri_get_path_and_query (uri); + ++ g_assert (priv->nonce); ++ g_assert (!priv->qop || priv->cnonce); ++ + 
soup_auth_digest_compute_response (soup_message_get_method (msg), url, priv->hex_a1, + priv->qop, priv->nonce, + priv->cnonce, priv->nc, +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 3066e904a..c651c7cd9 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1867,16 +1867,17 @@ do_multiple_digest_algorithms (void) + } + + static void +-on_request_read_for_missing_realm (SoupServer *server, +- SoupServerMessage *msg, +- gpointer user_data) ++on_request_read_for_missing_params (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) + { ++ const char *auth_header = user_data; + SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); +- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header); + } + + static void +-do_missing_realm_test (void) ++do_missing_params_test (gconstpointer auth_header) + { + SoupSession *session; + SoupMessage *msg; +@@ -1899,8 +1900,8 @@ do_missing_realm_test (void) + g_object_unref (digest_auth_domain); + + g_signal_connect (server, "request-read", +- G_CALLBACK (on_request_read_for_missing_realm), +- NULL); ++ G_CALLBACK (on_request_read_for_missing_params), ++ (gpointer)auth_header); + + session = soup_test_session_new (NULL); + msg = soup_message_new_from_uri ("GET", uri); +@@ -1948,7 +1949,9 @@ main (int argc, char **argv) + g_test_add_func ("/auth/auth-uri", do_auth_uri_test); + g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate); + g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms); +- g_test_add_func ("/auth/missing-realm", do_missing_realm_test); ++ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", 
opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); + + ret = g_test_run (); + +-- +GitLab + + +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 13:52:52 -0600 +Subject: [PATCH 3/3] auth-digest: Fix leak + +--- + libsoup/auth/soup-auth-digest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 350bfde69..9eb7fa0e2 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object) + g_free (priv->nonce); + g_free (priv->domain); + g_free (priv->cnonce); ++ g_free (priv->opaque); + + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); +-- +GitLab + diff --git a/libsoup/SOURCES/CVE-2025-32912.patch b/libsoup/SOURCES/CVE-2025-32912.patch new file mode 100644 index 00000000000..287db01b253 --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32912.patch 
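Review bot: `validate_params` only requires `priv->nonce` when `qop` is set or the algorithm is MD5-sess, yet soup_auth_digest_get_authorization now does an unconditional `g_assert (priv->nonce);` — a challenge carrying a realm but neither `qop` nor `nonce` passes soup_auth_digest_update and reaches that assert, so a malformed server header terminates the client (the separate CVE-2025-32912 patch in this same change closes exactly that gap by rejecting a missing nonce in update). Independently, `g_assert` in library code stays active unless built with `G_DISABLE_ASSERT`, so `g_return_val_if_fail (priv->nonce != NULL, NULL);` would degrade to a failed authorization instead of aborting the process; the same applies to the asserts added in soup_auth_digest_compute_hex_a1 and soup_auth_digest_compute_response. All three enclosing functions start and end outside their hunks.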
@@ -0,0 +1,38 @@ +From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 14:03:05 -0600 +Subject: [PATCH] auth-digest: Handle missing nonce + +--- + libsoup/auth/soup-auth-digest.c | 2 +- + tests/auth-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 9eb7fa0e..d69a4013 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth)) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index c651c7cd..484097f1 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1952,6 +1952,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test); + + ret = g_test_run (); + +-- +GitLab + diff --git a/libsoup/SOURCES/CVE-2025-32913.patch b/libsoup/SOURCES/CVE-2025-32913.patch new file mode 100644 index 00000000000..5b6158594ef --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32913.patch 
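Review bot: The widened guard `if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))` makes a nonce mandatory for every challenge, as RFC 7616 requires, but the hunk records the why nowhere; a comment such as `/* realm and nonce are mandatory challenge parameters; later code asserts priv->nonce is set */` ties the check to the assertions that depend on it. With this in place the `!priv->nonce` test inside validate_params (outside this hunk) becomes redundant; it is harmless as defence in depth, though a pointer to this check there avoids a future cleanup removing the wrong one. `g_hash_table_contains` accepts `nonce=""`, which keeps the later asserts satisfied but feeds an empty nonce into the digest; rejecting an empty value too would be a small tightening if the challenge parser can produce one. soup_auth_digest_update continues past the hunk.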
@@ -0,0 +1,28 @@ +From 260ce178f526f4b8baaa1cafc6e1e81fab225f53 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 18:00:39 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: strdup + truncated filenames + +This table frees the strings it contains. +Link: https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0.patch +--- + libsoup/soup-message-headers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index bcee5b9..18cbf98 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1611,7 +1611,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + char *filename = strrchr (orig_value, '/'); + + if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1)); + } + return TRUE; + } +-- +2.34.1 + diff --git a/libsoup/SOURCES/CVE-2025-32914.patch b/libsoup/SOURCES/CVE-2025-32914.patch new file mode 100644 index 00000000000..5ec88a9fb0c --- /dev/null +++ b/libsoup/SOURCES/CVE-2025-32914.patch 
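Review bot: The fix `g_strdup (filename + 1)` is right, but nothing at the insertion site records that `*params` owns its values, which is the fact the bug hinged on; the patch description says "This table frees the strings it contains", and a comment on the line, e.g. `/* params frees its values: insert a copy, not a pointer into orig_value */`, keeps that invariant next to the code. With `g_strdup (orig_key)` already used for the key, copying the value also makes the two halves of the insert consistent. soup_message_headers_get_content_disposition starts and ends outside the hunk.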
@@ -0,0 +1,107 @@
+From 5bfcf8157597f2d327050114fb37ff600004dbcf Mon Sep 17 00:00:00 2001
+From: Milan Crha
+Date: Tue, 15 Apr 2025 09:03:00 +0200
+Subject: [PATCH] multipart: Fix read out of buffer bounds under
+ soup_multipart_new_from_message()
+
+This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
+of the body argument.
+
+Closes #436
+---
+ libsoup/soup-multipart.c | 2 +-
+ tests/multipart-test.c | 58 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index 2421c91f8..102ce3722 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -173,7 +173,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ return NULL;
+ }
+
+- split = strstr (start, "\r\n\r\n");
++ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
+ if (!split || split > end) {
+ soup_multipart_free (multipart);
+ return NULL;
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 2c0e7e969..f5b986889 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -471,6 +471,62 @@ test_multipart (gconstpointer data)
+ loop = NULL;
+ }
+
++static void
++test_multipart_bounds_good (void)
++{
++ #define TEXT "line1\r\nline2"
++ SoupMultipart *multipart;
++ SoupMessageHeaders *headers, *set_headers = NULL;
++ GBytes *bytes, *set_bytes = NULL;
++ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
++ gboolean success;
++
++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++ bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++ multipart = soup_multipart_new_from_message (headers, bytes);
++
++ g_assert_nonnull (multipart);
++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
++ success = soup_multipart_get_part (multipart, 0, &set_headers, &set_bytes);
++ g_assert_true (success);
++ g_assert_nonnull (set_headers);
++ g_assert_nonnull (set_bytes);
++ g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes));
++ g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
++ g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes));
++
++ soup_message_headers_unref (headers);
++ g_bytes_unref (bytes);
++
++ soup_multipart_free (multipart);
++
++ #undef TEXT
++}
++
++static void
++test_multipart_bounds_bad (void)
++{
++ SoupMultipart *multipart;
++ SoupMessageHeaders *headers;
++ GBytes *bytes;
++ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
++
++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++ bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++ /* it did read out of raw_data/bytes bounds */
++ multipart = soup_multipart_new_from_message (headers, bytes);
++ g_assert_null (multipart);
++
++ soup_message_headers_unref (headers);
++ g_bytes_unref (bytes);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -498,6 +554,8 @@ main (int argc, char **argv)
+ g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
+ g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
+ g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
++ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
++ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+
+ ret = g_test_run ();
+
+--
+GitLab
+
diff --git a/libsoup/SOURCES/CVE-2025-4476.patch b/libsoup/SOURCES/CVE-2025-4476.patch
new file mode 100644
index 00000000000..da06eabba1f
--- /dev/null
+++ b/libsoup/SOURCES/CVE-2025-4476.patch
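Review bot: The bounded `g_strstr_len (start, body_end - start, "\r\n\r\n")` is correct only because the GBytes body carries no NUL-terminator guarantee, which is presumably how the old `strstr` ran off the end of the buffer; that rationale should sit beside the call so a later cleanup does not fold it back into `strstr`, e.g. `/* body is raw GBytes data with no NUL terminator: bound the search by body_end (CVE-2025-32914) */`. The retained `split > end` check on the next line relies on `end` and `body_end` being derived from the same buffer, but both are computed outside this hunk, so nothing here verifies that. The new tests exercise only a header block with and without the blank-line separator; a body whose `\r\n\r\n` falls beyond the closing boundary would pin the `split > end` branch as well. soup_multipart_new_from_message starts before and continues after this hunk.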
@@ -0,0 +1,34 @@
+From e64c221f9c7d09b48b610c5626b3b8c400f0907c Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Thu, 8 May 2025 09:27:01 -0500
+Subject: [PATCH] auth-digest: fix crash in
+ soup_auth_digest_get_protection_space()
+
+We need to validate the Domain parameter in the WWW-Authenticate header.
+
+Unfortunately this crash only occurs when listening on default ports 80
+and 443, so there's no good way to test for this. The test would require
+running as root.
+
+Fixes #440
+Upstream Link: https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907
+---
+ libsoup/auth/soup-auth-digest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
+index d8bb2910..292f2045 100644
+--- a/libsoup/auth/soup-auth-digest.c
++++ b/libsoup/auth/soup-auth-digest.c
+@@ -220,7 +220,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, GUri *source_uri)
+ if (uri &&
+ g_strcmp0 (g_uri_get_scheme (uri), g_uri_get_scheme (source_uri)) == 0 &&
+ g_uri_get_port (uri) == g_uri_get_port (source_uri) &&
+- !strcmp (g_uri_get_host (uri), g_uri_get_host (source_uri)))
++ !g_strcmp0 (g_uri_get_host (uri), g_uri_get_host (source_uri)))
+ dir = g_strdup (g_uri_get_path (uri));
+ else
+ dir = NULL;
+--
+GitLab
+
diff --git a/libsoup/SOURCES/CVE-2025-46420.patch b/libsoup/SOURCES/CVE-2025-46420.patch
new file mode 100644
index 00000000000..86f03f0b092
--- /dev/null
+++ b/libsoup/SOURCES/CVE-2025-46420.patch
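Review bot: Swapping `strcmp` for `g_strcmp0` stops the NULL dereference when `g_uri_get_host (uri)` is NULL, but the message says the Domain parameter needs validating and this hunk never rejects such an entry: a domain URI without a host now silently takes the `dir = NULL` branch on the same footing as a genuine mismatch, and because `g_strcmp0` treats two NULLs as equal it would even match if `source_uri` itself lacked a host (presumably it never does). The intent should be visible at the condition, either as a comment on the changed line, `/* A Domain entry may parse to a URI with no host; treat it as not matching. */`, or by adding `g_uri_get_host (uri) &&` to the `if (uri &&` chain so the rejection is explicit. The host compare is byte-exact while DNS names are case-insensitive; whether GUri lowercases the host before this point is not visible in the hunk, so a Domain written in different case from the request may fail to match, and `g_ascii_strcasecmp` on two non-NULL hosts would be the alternative if that matters. soup_auth_digest_get_protection_space starts before and continues after this hunk.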
@@ -0,0 +1,59 @@
+From 909a9c40197d53bb331830d959ec86b97721d64f Mon Sep 17 00:00:00 2001
+From: Patrick Griffis
+Date: Thu, 26 Dec 2024 18:31:42 -0600
+Subject: [PATCH 5/6] soup_header_parse_quality_list: Fix leak
+
+When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings.
+
+Upstream reference:
+https://gitlab.gnome.org/GNOME/libsoup/-/commit/c9083869ec2a3037e6df4bd86b45c419ba295f8e
+---
+ libsoup/soup-headers.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 4468415..d28ddff 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -530,7 +530,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
+ GSList *unsorted;
+ QualityItem *array;
+ GSList *sorted, *iter;
+- char *item, *semi;
++ char *semi;
+ const char *param, *equal, *value;
+ double qval;
+ int n;
+@@ -543,9 +543,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
+ unsorted = soup_header_parse_list (header);
+ array = g_new0 (QualityItem, g_slist_length (unsorted));
+ for (iter = unsorted, n = 0; iter; iter = iter->next) {
+- item = iter->data;
+ qval = 1.0;
+- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) {
++ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) {
+ param = skip_lws (semi + 1);
+ if (*param != 'q')
+ continue;
+@@ -577,15 +576,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
+ if (qval == 0.0) {
+ if (unacceptable) {
+ *unacceptable = g_slist_prepend (*unacceptable,
+- item);
++ g_steal_pointer (&iter->data));
+ }
+ } else {
+- array[n].item = item;
++ array[n].item = g_steal_pointer (&iter->data);
+ array[n].qval = qval;
+ n++;
+ }
+ }
+- g_slist_free (unsorted);
++ g_slist_free_full (unsorted, g_free);
+
+ qsort (array, n, sizeof (QualityItem), sort_by_qval);
+ sorted = NULL;
+--
+2.45.3
+
diff --git a/libsoup/SOURCES/CVE-2025-46421.patch b/libsoup/SOURCES/CVE-2025-46421.patch
new file mode 100644
index 00000000000..e8f74736ee8
--- /dev/null
+++ b/libsoup/SOURCES/CVE-2025-46421.patch
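Review bot: `g_steal_pointer (&iter->data)` moves each kept string out of `unsorted` and leaves a NULL slot behind, which is exactly what makes the closing `g_slist_free_full (unsorted, g_free)` safe (g_free ignores NULL) and what frees the q=0 items when `unacceptable` is NULL; that dependency between the two ends of the loop is not written down, and reverting either half alone reintroduces the leak. A comment at the first steal site would anchor it: `/* ownership moves to the caller or array; the slot becomes NULL so free_full below skips it */`, with a matching `/* frees only the entries nobody took */` on the free_full line. The part of the loop between the `@@ -543` and `@@ -577` hunks is not visible here, so nothing in this diff confirms the removed `item` local had no remaining reader there — the upstream build presumably proves it. soup_header_parse_quality_list continues outside the hunks.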
@@ -0,0 +1,137 @@
+From 09568d47d796f526820d3a6ff85cd2797eb65843 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis
+Date: Wed, 5 Feb 2025 16:18:10 -0600
+Subject: [PATCH 6/6] session: Strip authentication credentails on cross-origin
+ redirect
+
+This should match the behavior of Firefox and Safari but not of Chromium.
+
+Upstream reference:
+https://gitlab.gnome.org/GNOME/libsoup/-/commit/3e5c26415811f19e7737238bb23305ffaf96f66b
+---
+ libsoup/soup-session.c | 6 ++++
+ tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 83 insertions(+)
+
+diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
+index 631bec0..9f00b05 100644
+--- a/libsoup/soup-session.c
++++ b/libsoup/soup-session.c
+@@ -1230,6 +1230,12 @@ soup_session_redirect_message (SoupSession *session,
+ SOUP_ENCODING_NONE);
+ }
+
++ /* Strip all credentials on cross-origin redirect. */
++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
++ soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION);
++ soup_message_set_auth (msg, NULL);
++ }
++
+ soup_message_set_request_host_from_uri (msg, new_uri);
+ soup_message_set_uri (msg, new_uri);
+ g_uri_unref (new_uri);
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 484097f..7c3b551 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1,6 +1,7 @@
+ /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
+
+ #include "test-utils.h"
++#include "soup-uri-utils-private.h"
+
+ static const char *base_uri;
+ static GMainLoop *loop;
+@@ -1916,6 +1917,81 @@ do_missing_params_test (gconstpointer auth_header)
+ soup_test_server_quit_unref (server);
+ }
+
++static void
++redirect_server_callback (SoupServer *server,
++ SoupServerMessage *msg,
++ const char *path,
++ GHashTable *query,
++ gpointer user_data)
++{
++ static gboolean redirected = FALSE;
++
++ if (!redirected) {
++ char *redirect_uri = g_uri_to_string (user_data);
++ soup_server_message_set_redirect (msg, SOUP_STATUS_MOVED_PERMANENTLY, redirect_uri);
++ g_free (redirect_uri);
++ redirected = TRUE;
++ return;
++ }
++
++ g_assert_not_reached ();
++}
++
++static gboolean
++auth_for_redirect_callback (SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer user_data)
++{
++ GUri *known_server_uri = user_data;
++
++ if (!soup_uri_host_equal (known_server_uri, soup_message_get_uri (msg)))
++ return FALSE;
++
++ soup_auth_authenticate (auth, "user", "good-basic");
++
++ return TRUE;
++}
++
++static void
++do_strip_on_crossorigin_redirect (void)
++{
++ SoupSession *session;
++ SoupMessage *msg;
++ SoupServer *server1, *server2;
++ SoupAuthDomain *auth_domain;
++ GUri *uri;
++ gint status;
++
++ server1 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
++ server2 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
++
++ /* Both servers have the same credentials. */
++ auth_domain = soup_auth_domain_basic_new ("realm", "auth-test", "auth-callback", server_basic_auth_callback, NULL);
++ soup_auth_domain_add_path (auth_domain, "/");
++ soup_server_add_auth_domain (server1, auth_domain);
++ soup_server_add_auth_domain (server2, auth_domain);
++ g_object_unref (auth_domain);
++
++ /* Server 1 asks for auth, then redirects to Server 2. */
++ soup_server_add_handler (server1, NULL,
++ redirect_server_callback,
++ soup_test_server_get_uri (server2, "http", NULL), (GDestroyNotify)g_uri_unref);
++ /* Server 2 requires auth. */
++ soup_server_add_handler (server2, NULL, server_callback, NULL, NULL);
++
++ session = soup_test_session_new (NULL);
++ uri = soup_test_server_get_uri (server1, "http", NULL);
++ msg = soup_message_new_from_uri ("GET", uri);
++ /* The client only sends credentials for the host it knows. */
++ g_signal_connect (msg, "authenticate", G_CALLBACK (auth_for_redirect_callback), uri);
++
++ status = soup_test_session_send_message (session, msg);
++
++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
++
++ g_uri_unref (uri);
++ soup_test_server_quit_unref (server1);
++ soup_test_server_quit_unref (server2);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -1949,6 +2025,7 @@ main (int argc, char **argv)
+ g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
+ g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
+ g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
++ g_test_add_func ("/auth/strip-on-crossorigin-redirect", do_strip_on_crossorigin_redirect);
+ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+--
+2.45.3
+
diff --git a/libsoup/SOURCES/libsoup-3.4.4.tar.xz b/libsoup/SOURCES/libsoup-3.4.4.tar.xz
new file mode 100644
index 00000000000..f08c2a15fb9
Binary files /dev/null and b/libsoup/SOURCES/libsoup-3.4.4.tar.xz differ
diff --git a/libsoup/libsoup.tar.gz b/libsoup/libsoup.tar.gz
new file mode 100644
index 00000000000..69b76f24250
Binary files /dev/null and b/libsoup/libsoup.tar.gz differ
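Review bot: The security decision in soup_session_redirect_message hangs on `soup_uri_host_equal`, whose name suggests a host-only compare while "cross-origin" means scheme, host and port; the two `soup_test_server_new` servers in the test presumably share a loopback host and differ only by port, and the test expects 401, which implies the helper does compare port (and perhaps scheme), but its definition is not in this diff. That contract belongs next to the check so a later change to the helper cannot silently weaken it, e.g. replace the added comment with `/* soup_uri_host_equal compares scheme, host and port, i.e. the origin; credentials must not follow a redirect to another origin. */`, and a same-host test that changes only the scheme (https to http, the downgrade case where a credential is most exposed) would pin the scheme half of that claim. `redirect_server_callback` keeps its state in `static gboolean redirected`, which makes the handler single-shot per process and trips `g_assert_not_reached ()` if the test is ever run twice in one binary; carrying the flag in a small struct passed as user_data alongside the target URI avoids that. soup_session_redirect_message starts before this hunk.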