
3 Commits
main ... 1.1

30 changed files with 2088 additions and 111 deletions

145
04df03bc.patch Normal file

@@ -0,0 +1,145 @@
From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Mon, 8 Jul 2024 12:33:15 -0500
Subject: [PATCH] headers: Strictly don't allow NUL bytes
In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
---
libsoup/soup-headers.c | 15 +++------
tests/header-parsing-test.c | 62 +++++++++++++++++--------------------
2 files changed, 32 insertions(+), 45 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index a0cf351ac..f30ee467a 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
* ignorable trailing whitespace.
*/
+ /* No '\0's are allowed */
+ if (memchr (str, '\0', len))
+ return FALSE;
+
/* Skip over the Request-Line / Status-Line */
headers_start = memchr (str, '\n', len);
if (!headers_start)
return FALSE;
- /* No '\0's in the Request-Line / Status-Line */
- if (memchr (str, '\0', headers_start - str))
- return FALSE;
/* We work on a copy of the headers, which we can write '\0's
* into, so that we don't have to individually g_strndup and
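Review bot: The new guard carries only `/* No '\0's are allowed */`, which does not record why stripping was replaced by outright rejection. The removed tests show the old parser read `Host\x00:` as `Host`, a reading that a peer which rejects NUL bytes would not share, so a comment such as `/* Reject any NUL in the first len bytes: stripping them makes "Host\0" and "Host" the same header here but not for other parsers */` would keep that reasoning next to the check. `len` is an `int` that `memchr` receives as a size, so the function's doc comment should also say that callers must pass a non-negative length. The rest of soup_headers_parse lies outside this hunk.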
@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
headers_copy[copy_len] = '\0';
value_end = headers_copy;
- /* There shouldn't be any '\0's in the headers already, but
- * this is the web we're talking about.
- */
- while ((p = memchr (headers_copy, '\0', copy_len))) {
- memmove (p, p + 1, copy_len - (p - headers_copy));
- copy_len--;
- }
-
while (*(value_end + 1)) {
name = value_end + 1;
name_end = strchr (name, ':');
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index edf8eebb3..715c2c6f2 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -358,24 +358,6 @@ static struct RequestTest {
}
},
- { "NUL in header name", "760832",
- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "example.com" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "examplecom" },
- { NULL }
- }
- },
-
/************************/
/*** INVALID REQUESTS ***/
/************************/
@@ -448,6 +430,21 @@ static struct RequestTest {
SOUP_STATUS_EXPECTATION_FAILED,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+ { "NUL in header name", NULL,
+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
+ { "NUL in header value", NULL,
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
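Review bot: The relocated request case "NUL in header value" feeds a status line, `"HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28`, to the request parser, so it would presumably be rejected as a malformed Request-Line whether or not the NUL check exists. The removed entry used `"GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35`; keeping that input and changing only the expected status to `SOUP_STATUS_BAD_REQUEST` would make the case exercise the new `memchr` guard. The `reqtests` table begins outside this hunk.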
@@ -620,22 +617,6 @@ static struct ResponseTest {
{ NULL } }
},
- { "NUL in header name", "760832",
- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
/********************************/
/*** VALID CONTINUE RESPONSES ***/
/********************************/
@@ -768,6 +749,19 @@ static struct ResponseTest {
{ { NULL }
}
},
+
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+ { "NUL in header name", NULL,
+ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
+
+ { "NUL in header value", "760832",
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
};
static const int num_resptests = G_N_ELEMENTS (resptests);
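Review bot: The re-added response case "NUL in header value" still carries the bugref `"760832"`, while its sibling "NUL in header name" was switched to `NULL` under the issue 377 comment. In the removed entries that reference was attached to cases expecting `SOUP_STATUS_OK`, so it now points a reader at the opposite behaviour; use `NULL` here as well. The `resptests` table begins outside this hunk.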
--
GitLab

38
29b96fab.patch Normal file

@@ -0,0 +1,38 @@
From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
From: Ignacio Casal Quinteiro <qignacio@amazon.com>
Date: Wed, 2 Oct 2024 11:17:19 +0200
Subject: [PATCH] websocket-test: disconnect error copy after the test ends
Otherwise the server will have already sent a few more wrong
bytes and the client will continue getting errors to copy
but the error is already != NULL and it will assert
---
tests/websocket-test.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/websocket-test.c b/tests/websocket-test.c
index 06c443bb5..6a48c1f9b 100644
--- a/tests/websocket-test.c
+++ b/tests/websocket-test.c
@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test,
GError *error = NULL;
InvalidEncodeLengthTest context = { test, NULL };
guint i;
+ guint error_id;
- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
/* We use 127(\x7f) as payload length with 65535 extended length */
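Review bot: `error_id` is declared `guint`, but `g_signal_connect` returns a `gulong` handler id and `g_signal_handler_disconnect` takes a `gulong`, so the id is narrowed wherever `gulong` is wider than `guint`. Declare it as `gulong error_id;`. The same declaration is added to test_receive_invalid_encode_length_16 in the 4c9e75c6 patch further down and should change with it. Both function bodies extend beyond their hunks.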
@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test,
WAIT_UNTIL (error != NULL || received != NULL);
g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
g_clear_error (&error);
+ g_signal_handler_disconnect (test->client, error_id);
g_assert_null (received);
g_thread_join (thread);
--
GitLab

42
4c9e75c6.patch Normal file

@@ -0,0 +1,42 @@
From 4c9e75c6676a37b6485620c332e568e1a3f530ff Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Wed, 13 Nov 2024 14:14:23 +0000
Subject: [PATCH] websocket-test: Disconnect error signal in another place
This is the same change as commit 29b96fab "websocket-test: disconnect
error copy after the test ends", and is done for the same reason, but
replicating it into a different function.
Fixes: 6adc0e3e "websocket: process the frame as soon as we read data"
Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399
Signed-off-by: Simon McVittie <smcv@debian.org>
---
tests/websocket-test.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/websocket-test.c b/tests/websocket-test.c
index 6a48c1f9..723f2857 100644
--- a/tests/websocket-test.c
+++ b/tests/websocket-test.c
@@ -1508,8 +1508,9 @@ test_receive_invalid_encode_length_16 (Test *test,
GError *error = NULL;
InvalidEncodeLengthTest context = { test, NULL };
guint i;
+ guint error_id;
- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
/* We use 126(~) as payload length with 125 extended length */
@@ -1522,6 +1523,7 @@ test_receive_invalid_encode_length_16 (Test *test,
WAIT_UNTIL (error != NULL || received != NULL);
g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
g_clear_error (&error);
+ g_signal_handler_disconnect (test->client, error_id);
g_assert_null (received);
g_thread_join (thread);
--
GitLab

32
6adc0e3e.patch Normal file

@@ -0,0 +1,32 @@
From 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be Mon Sep 17 00:00:00 2001
From: Ignacio Casal Quinteiro <qignacio@amazon.com>
Date: Wed, 11 Sep 2024 11:52:11 +0200
Subject: [PATCH] websocket: process the frame as soon as we read data
Otherwise we can enter in a read loop because we were not
validating the data until the all the data was read.
Fixes #391
---
libsoup/websocket/soup-websocket-connection.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
index a1a730473..a14481340 100644
--- a/libsoup/websocket/soup-websocket-connection.c
+++ b/libsoup/websocket/soup-websocket-connection.c
@@ -1199,9 +1199,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
}
priv->incoming->len = len + count;
- } while (count > 0);
- process_incoming (self);
+ process_incoming (self);
+ } while (count > 0 && !priv->close_sent && !priv->io_closing);
if (end) {
if (!priv->close_sent || !priv->close_received) {
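Review bot: The new loop condition `count > 0 && !priv->close_sent && !priv->io_closing` has no comment explaining why reading must stop once a close is under way. A comment above the moved `process_incoming (self);` call, such as `/* Validate each chunk as it arrives; stop reading once a close has started so a peer cannot keep us buffering unvalidated data */`, would capture the reasoning given in the commit message. The loop head and the rest of soup_websocket_connection_read are outside the hunk, so whether `process_incoming` is also reached after a failed read cannot be confirmed from here.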
--
GitLab


@@ -1,19 +0,0 @@
<?xml version="1.0"?>
<services>
<service name="obs_scm" mode="manual">
<param name="scm">git</param>
<param name="url">https://gitlab.gnome.org/GNOME/libsoup.git</param>
<param name="revision">3.6.4</param>
<param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
<param name="versionrewrite-pattern">v?(.*)\+0</param>
<param name="versionrewrite-replacement">\1</param>
<!-- <param name="changesgenerate">enable</param> -->
</service>
<service name="tar" mode="buildtime"/>
<service name="recompress" mode="buildtime">
<param name="file">*.tar</param>
<param name="compression">zst</param>
</service>
<service name="set_version" mode="manual" />
</services>

129
a35222dd.patch Normal file

@@ -0,0 +1,129 @@
From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 27 Aug 2024 13:53:26 -0500
Subject: [PATCH] headers: Be more robust against invalid input when parsing
params
If you pass invalid input to a function such as soup_header_parse_param_list_strict()
it can cause an overflow if it decodes the input to UTF-8.
This should never happen with valid UTF-8 input which libsoup's client API
ensures, however it's server API does not currently.
---
libsoup/soup-headers.c | 46 ++++++++++++++++++++++--------------------
1 file changed, 24 insertions(+), 22 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index f30ee467..613e1905 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -646,8 +646,9 @@ soup_header_contains (const char *header, const char *token)
}
static void
-decode_quoted_string (char *quoted_string)
+decode_quoted_string_inplace (GString *quoted_gstring)
{
+ char *quoted_string = quoted_gstring->str;
char *src, *dst;
src = quoted_string + 1;
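Review bot: `decode_quoted_string_inplace` takes a `GString` but immediately drops to the raw `quoted_gstring->str` pointer, so if the unchanged remainder of the body (outside this hunk) still shortens the text by writing through `dst`, `quoted_gstring->len` is left larger than the actual contents. The visible caller only hands the buffer on with `g_string_free (parsed_value, FALSE)`, so nothing reads the stale length today, but a later append or length-based copy would. Finishing the function with `g_string_truncate (quoted_gstring, dst - quoted_string);` instead of a bare terminator write keeps the object consistent.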
@@ -661,10 +662,11 @@ decode_quoted_string (char *quoted_string)
}
static gboolean
-decode_rfc5987 (char *encoded_string)
+decode_rfc5987_inplace (GString *encoded_gstring)
{
char *q, *decoded;
gboolean iso_8859_1 = FALSE;
+ const char *encoded_string = encoded_gstring->str;
q = strchr (encoded_string, '\'');
if (!q)
@@ -696,14 +698,7 @@ decode_rfc5987 (char *encoded_string)
decoded = utf8;
}
- /* If encoded_string was UTF-8, then each 3-character %-escape
- * will be converted to a single byte, and so decoded is
- * shorter than encoded_string. If encoded_string was
- * iso-8859-1, then each 3-character %-escape will be
- * converted into at most 2 bytes in UTF-8, and so it's still
- * shorter.
- */
- strcpy (encoded_string, decoded);
+ g_string_assign (encoded_gstring, decoded);
g_free (decoded);
return TRUE;
}
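Review bot: The deleted comment documented the size assumption behind the old `strcpy`, and nothing replaces it at `g_string_assign (encoded_gstring, decoded);`. The commit message says that assumption fails for input that is not valid UTF-8, so a short comment such as `/* decoded can be longer than the input when the input is not valid UTF-8, so let GString grow instead of copying in place */` would stop a later cleanup from reintroducing the in-place copy. The start of decode_rfc5987_inplace is outside this hunk.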
@@ -713,15 +708,17 @@ parse_param_list (const char *header, char delim, gboolean strict)
{
GHashTable *params;
GSList *list, *iter;
- char *item, *eq, *name_end, *value;
- gboolean override, duplicated;
params = g_hash_table_new_full (soup_str_case_hash,
soup_str_case_equal,
- g_free, NULL);
+ g_free, g_free);
list = parse_list (header, delim);
for (iter = list; iter; iter = iter->next) {
+ char *item, *eq, *name_end;
+ gboolean override, duplicated;
+ GString *parsed_value = NULL;
+
item = iter->data;
override = FALSE;
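Review bot: Passing `g_free` as the value destroy function in `g_hash_table_new_full (..., g_free, g_free)` changes ownership: values used to point into the key's allocation (`skip_lws (eq + 1)` on `item`) and are now separate heap strings owned by the table. Any code outside this patch that steals or replaces entries in a table returned by parse_param_list, or that assumes freeing the key releases the value, would now leak or double-free; those call sites are not visible here and should be checked. The doc comments of the public parse functions should state that both key and value are owned by the table.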
@@ -736,19 +733,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
*name_end = '\0';
- value = (char *)skip_lws (eq + 1);
+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
if (name_end[-1] == '*' && name_end > item + 1) {
name_end[-1] = '\0';
- if (!decode_rfc5987 (value)) {
+ if (!decode_rfc5987_inplace (parsed_value)) {
+ g_string_free (parsed_value, TRUE);
g_free (item);
continue;
}
override = TRUE;
- } else if (*value == '"')
- decode_quoted_string (value);
- } else
- value = NULL;
+ } else if (parsed_value->str[0] == '"')
+ decode_quoted_string_inplace (parsed_value);
+ }
duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
@@ -756,11 +753,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
soup_header_free_param_list (params);
params = NULL;
g_slist_foreach (iter, (GFunc)g_free, NULL);
+ if (parsed_value)
+ g_string_free (parsed_value, TRUE);
break;
- } else if (override || !duplicated)
- g_hash_table_replace (params, item, value);
- else
+ } else if (override || !duplicated) {
+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
+ } else {
+ if (parsed_value)
+ g_string_free (parsed_value, TRUE);
g_free (item);
+ }
}
g_slist_free (list);
--
GitLab

BIN
libsoup-3.4.4.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
libsoup-3.6.4.obscpio (Stored with Git LFS)

Binary file not shown.

187
libsoup-CVE-2025-2784.patch Normal file

@@ -0,0 +1,187 @@
From 242a10fbb12dbdc12d254bd8fc8669a0ac055304 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 14:39:42 -0600
Subject: [PATCH] sniffer: Fix potential overflow
---
libsoup/content-sniffer/soup-content-sniffer.c | 2 +-
tests/meson.build | 4 +++-
tests/resources/whitespace.html | Bin 0 -> 512 bytes
tests/sniffing-test.c | 5 +++++
tests/soup-tests.gresource.xml | 1 +
5 files changed, 10 insertions(+), 2 deletions(-)
create mode 100644 tests/resources/whitespace.html
diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
index aeee2e25..da94e60c 100644
--- a/libsoup/content-sniffer/soup-content-sniffer.c
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
@@ -669,7 +669,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
pos = 3;
look_for_tag:
- if (pos > resource_length)
+ if (pos >= resource_length)
goto text_html;
if (skip_insignificant_space (resource, &pos, resource_length))
diff --git a/tests/meson.build b/tests/meson.build
index 5aee70bc..ee118a01 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -103,7 +103,9 @@ tests = [
{'name': 'session'},
{'name': 'server-auth'},
{'name': 'server'},
- {'name': 'sniffing'},
+ {'name': 'sniffing',
+ 'depends': [test_resources],
+ },
{'name': 'ssl',
'dependencies': [gnutls_dep],
'depends': mock_pkcs11_module,
diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
index 6116719a..b5428177 100644
--- a/tests/sniffing-test.c
+++ b/tests/sniffing-test.c
@@ -512,6 +512,11 @@ main (int argc, char **argv)
"type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
do_sniffing_test);
+ /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
+ g_test_add_data_func ("/sniffing/whitespace",
+ "type/text_html/whitespace.html => text/html",
+ do_sniffing_test);
+
/* Test that disabling the sniffer works correctly */
g_test_add_data_func ("/sniffing/disabled",
"/text_or_binary/home.gif",
--
From c415ad0b6771992e66c70edf373566c6e247089d Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 18 Feb 2025 14:29:50 -0600
Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
---
.../content-sniffer/soup-content-sniffer.c | 10 ++--
tests/resources/whitespace.html | Bin 512 -> 0 bytes
tests/sniffing-test.c | 53 ++++++++++++++++--
tests/soup-tests.gresource.xml | 1 -
4 files changed, 53 insertions(+), 11 deletions(-)
delete mode 100644 tests/resources/whitespace.html
diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
index da94e60c..a5e18d5d 100644
--- a/libsoup/content-sniffer/soup-content-sniffer.c
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
@@ -638,8 +638,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, GBytes *buffer)
}
static gboolean
-skip_insignificant_space (const char *resource, int *pos, int resource_length)
+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
{
+ if (*pos >= resource_length)
+ return TRUE;
+
while ((resource[*pos] == '\x09') ||
(resource[*pos] == '\x20') ||
(resource[*pos] == '\x0A') ||
@@ -659,7 +662,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
gsize resource_length;
const char *resource = g_bytes_get_data (buffer, &resource_length);
resource_length = MIN (512, resource_length);
- int pos = 0;
+ gsize pos = 0;
if (resource_length < 3)
goto text_html;
@@ -669,9 +672,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
pos = 3;
look_for_tag:
- if (pos >= resource_length)
- goto text_html;
-
if (skip_insignificant_space (resource, &pos, resource_length))
goto text_html;
diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
index b5428177..7857732d 100644
--- a/tests/sniffing-test.c
+++ b/tests/sniffing-test.c
@@ -342,6 +342,52 @@ test_disabled (gconstpointer data)
g_uri_unref (uri);
}
+static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->");
+
+static void
+do_skip_whitespace_test (void)
+{
+ SoupContentSniffer *sniffer = soup_content_sniffer_new ();
+ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org");
+ const char *test_cases[] = {
+ "",
+ "<rdf:RDF",
+ "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"",
+ "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"",
+ };
+
+ soup_message_headers_set_content_type (soup_message_get_response_headers (msg), "text/html", NULL);
+
+ for (guint i = 0; i < G_N_ELEMENTS (test_cases); i++) {
+ const char *trailing_data = test_cases[i];
+ gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data);
+ gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data);
+ guint8 *data = g_malloc0 (testsize);
+ guint8 *p = data;
+ char *content_type;
+ GBytes *buffer;
+
+ // Format of <!--[0x00 * $leading_zeros]-->$trailing_data
+ memcpy (p, "<!--", strlen ("<!--"));
+ p += strlen ("<!--");
+ p += leading_zeros;
+ memcpy (p, "-->", strlen ("-->"));
+ p += strlen ("-->");
+ if (strlen (trailing_data))
+ memcpy (p, trailing_data, strlen (trailing_data));
+ // Purposefully not NUL terminated.
+
+ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize);
+ content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL);
+
+ g_free (content_type);
+ g_bytes_unref (buffer);
+ }
+
+ g_object_unref (msg);
+ g_object_unref (sniffer);
+}
+
int
main (int argc, char **argv)
{
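Review bot: `static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->");` initialises a file-scope object with function calls, which is not a constant expression in standard C and builds only where the compiler folds `strlen` on literals. `#define MARKUP_LENGTH (sizeof ("<!--") - 1 + sizeof ("-->") - 1)` is portable. The loop in do_skip_whitespace_test also frees `content_type` without checking it, so the test can only fail through a crash or a sanitizer report; if the sniffer is expected to always return a type, `g_assert_nonnull (content_type);` would pin that.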
@@ -512,16 +558,13 @@ main (int argc, char **argv)
"type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
do_sniffing_test);
- /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
- g_test_add_data_func ("/sniffing/whitespace",
- "type/text_html/whitespace.html => text/html",
- do_sniffing_test);
-
/* Test that disabling the sniffer works correctly */
g_test_add_data_func ("/sniffing/disabled",
"/text_or_binary/home.gif",
test_disabled);
+ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test);
+
ret = g_test_run ();
g_uri_unref (base_uri);
--
2.49.0


@@ -0,0 +1,25 @@
From 9bb0a55de55c6940ced811a64fbca82fe93a9323 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Mon, 28 Oct 2024 12:29:48 -0500
Subject: [PATCH] Fix using int instead of size_t for strcspn return
---
libsoup/soup-headers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 613e1905..a5f7a7f6 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -907,7 +907,7 @@ append_param_quoted (GString *string,
const char *name,
const char *value)
{
- int len;
+ gsize len;
g_string_append (string, name);
g_string_append (string, "=\"");
--
2.49.0


@@ -0,0 +1,76 @@
From 0713ba4a719da938dc8facc89fca99cd0aa3069f Mon Sep 17 00:00:00 2001
From: Ar Jun <pkillarjun@protonmail.com>
Date: Sat, 16 Nov 2024 11:50:09 -0600
Subject: [PATCH] Fix possible NULL deref in soup_uri_decode_data_uri
---
libsoup/soup-uri-utils.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
index 4e76b74d..9dab5d65 100644
--- a/libsoup/soup-uri-utils.c
+++ b/libsoup/soup-uri-utils.c
@@ -303,6 +303,8 @@ soup_uri_decode_data_uri (const char *uri,
uri_string = g_uri_to_string (soup_uri);
g_uri_unref (soup_uri);
+ if (!uri_string)
+ return NULL;
start = uri_string + 5;
comma = strchr (start, ',');
--
From 79cfd65c9bd8024cd45dd725c284766329873709 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 22 Nov 2024 13:39:51 -0600
Subject: [PATCH] soup_uri_decode_data_uri(): Handle URIs with a path starting
with //
---
libsoup/soup-uri-utils.c | 8 ++++++++
tests/uri-parsing-test.c | 2 ++
2 files changed, 10 insertions(+)
diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
index 9dab5d65..f61e7656 100644
--- a/libsoup/soup-uri-utils.c
+++ b/libsoup/soup-uri-utils.c
@@ -286,6 +286,7 @@ soup_uri_decode_data_uri (const char *uri,
gboolean base64 = FALSE;
char *uri_string;
GBytes *bytes;
+ const char *path;
g_return_val_if_fail (uri != NULL, NULL);
@@ -301,6 +302,13 @@ soup_uri_decode_data_uri (const char *uri,
if (content_type)
*content_type = NULL;
+ /* g_uri_to_string() is picky about paths that start with `//` and will assert. */
+ path = g_uri_get_path (soup_uri);
+ if (path[0] == '/' && path[1] == '/') {
+ g_uri_unref (soup_uri);
+ return NULL;
+ }
+
uri_string = g_uri_to_string (soup_uri);
g_uri_unref (soup_uri);
if (!uri_string)
diff --git a/tests/uri-parsing-test.c b/tests/uri-parsing-test.c
index 1f16273d..418391eb 100644
--- a/tests/uri-parsing-test.c
+++ b/tests/uri-parsing-test.c
@@ -141,6 +141,8 @@ static struct {
{ "data:text/plain;base64,aGVsbG8=", "hello", "text/plain" },
{ "data:text/plain;base64,invalid=", "", "text/plain" },
{ "data:,", "", CONTENT_TYPE_DEFAULT },
+ { "data:.///", NULL, NULL },
+ { "data:/.//", NULL, NULL },
};
static void
--
2.49.0


@@ -0,0 +1,26 @@
From f182429e5b1fc034050510da20c93256c4fa9652 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sat, 16 Nov 2024 12:07:30 -0600
Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff
Co-Author: Ar Jun <pkillarjun@protonmail.com>
---
libsoup/content-sniffer/soup-content-sniffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
index de0985ea..b62e4888 100644
--- a/libsoup/content-sniffer/soup-content-sniffer.c
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
@@ -524,7 +524,7 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer,
guint index_pattern = 0;
gboolean skip_row = FALSE;
- while ((index_stream < resource_length) &&
+ while ((index_stream < resource_length - 1) &&
(index_pattern <= type_row->pattern_length)) {
/* Skip insignificant white space ("WS" in the spec) */
if (type_row->pattern[index_pattern] == ' ') {
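Review bot: `index_stream < resource_length - 1` wraps when `resource_length` is 0, assuming it is an unsigned `gsize` here as it is in sniff_mp4 and sniff_feed_or_html, and the bound then no longer limits `index_stream` at all. Writing the condition as `while ((index_stream + 1 < resource_length) &&` gives the same limit without the subtraction. The declaration of `resource_length` and the rest of the loop are outside the hunk, so whether an empty buffer can reach sniff_unknown should be confirmed.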
--
2.49.0

View File

@@ -0,0 +1,35 @@
From eaed42ca8d40cd9ab63764e3d63641180505f40a Mon Sep 17 00:00:00 2001
From: Ar Jun <pkillarjun@protonmail.com>
Date: Mon, 18 Nov 2024 14:59:51 -0600
Subject: [PATCH] Fix heap buffer overflow in
soup-content-sniffer.c:sniff_feed_or_html()
---
libsoup/content-sniffer/soup-content-sniffer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
index b62e4888..5a181ff1 100644
--- a/libsoup/content-sniffer/soup-content-sniffer.c
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
@@ -641,7 +641,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length)
(resource[*pos] == '\x0D')) {
*pos = *pos + 1;
- if (*pos > resource_length)
+ if (*pos >= resource_length)
return TRUE;
}
@@ -704,7 +704,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
do {
pos++;
- if (pos > resource_length)
+ if ((pos + 1) > resource_length)
goto text_html;
} while (resource[pos] != '>');
--
2.49.0


@@ -0,0 +1,134 @@
From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 11 Feb 2025 14:36:26 -0600
Subject: [PATCH] headers: Handle parsing edge case
This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
---
libsoup/soup-headers.c | 2 +-
tests/header-parsing-test.c | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 85385cea..9d6d00a3 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str,
!g_ascii_isdigit (version[5]))
return SOUP_STATUS_BAD_REQUEST;
major_version = strtoul (version + 5, &p, 10);
- if (*p != '.' || !g_ascii_isdigit (p[1]))
+ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
return SOUP_STATUS_BAD_REQUEST;
minor_version = strtoul (p + 1, &p, 10);
version_end = p;
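Review bot: The added `p + 1 >= str + len` test runs only after `strtoul (version + 5, &p, 10)` has already scanned, and the following `strtoul (p + 1, &p, 10)` is likewise unbounded, so a buffer that is not NUL-terminated and ends in digits could still be read past `str + len`. The new test vector ends in `'.'`, which covers only the case this commit fixes. Unless code outside the hunk guarantees a non-digit byte before the end of the buffer, both numbers should be parsed with a scan limited by `str + len`, and a vector ending in digits after the dot should be added alongside `unterminated_http_version`.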
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 07ea2866..10ddb684 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -6,6 +6,10 @@ typedef struct {
const char *name, *value;
} Header;
+static char unterminated_http_version[] = {
+ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
+};
+
static struct RequestTest {
const char *description;
const char *bugref;
@@ -383,6 +387,14 @@ static struct RequestTest {
{ { NULL } }
},
+ /* This couldn't be a C string as going one byte over would have been safe. */
+ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+ unterminated_http_version, sizeof (unterminated_http_version),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
{ "Non-HTTP request", NULL,
"GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
SOUP_STATUS_BAD_REQUEST,
--
From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 12 Feb 2025 11:30:02 -0600
Subject: [PATCH] headers: Handle parsing only newlines
Closes #404
Closes #407
---
libsoup/soup-headers.c | 4 ++--
tests/header-parsing-test.c | 13 ++++++++++++-
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 9d6d00a3..52ef2ece 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str,
/* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
* received where a Request-Line is expected."
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str,
* after a response, which we then see prepended to the next
* response on that connection.
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 10ddb684..4faafbd6 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -6,10 +6,15 @@ typedef struct {
const char *name, *value;
} Header;
+/* These are not C strings to ensure going one byte over is not safe. */
static char unterminated_http_version[] = {
'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
};
+static char only_newlines[] = {
+ '\n', '\n', '\n', '\n'
+};
+
static struct RequestTest {
const char *description;
const char *bugref;
@@ -387,7 +392,6 @@ static struct RequestTest {
{ { NULL } }
},
- /* This couldn't be a C string as going one byte over would have been safe. */
{ "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
unterminated_http_version, sizeof (unterminated_http_version),
SOUP_STATUS_BAD_REQUEST,
@@ -457,6 +461,13 @@ static struct RequestTest {
SOUP_STATUS_BAD_REQUEST,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ { "Only newlines", NULL,
+ only_newlines, sizeof (only_newlines),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
--
2.49.0


@@ -0,0 +1,12 @@
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index ee7a3cb1..f101d4b4 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1244,6 +1244,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs,
if (cur->start <= prev->end) {
prev->end = MAX (prev->end, cur->end);
g_array_remove_index (array, i);
+ i--;
}
}
}
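Review bot: The bare `i--;` after `g_array_remove_index (array, i);` needs a comment, because decrementing a loop index inside the body reads like a mistake; something like `/* the next range moved into slot i, re-check it against prev */` would do. The loop header is outside the hunk, so confirm that `i` is at least 1 at this point; if it is unsigned and could be 0 the decrement would wrap. The patch also adds no test with three or more overlapping ranges, which appears to be the case it fixes.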


@@ -0,0 +1,83 @@
From a792b23ab87cacbf4dd9462bf7b675fa678efbae Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 15 Apr 2025 09:59:05 +0200
Subject: [PATCH] soup-server-http2: Check validity of the constructed
connection URI
The HTTP/2 pseudo-headers can contain invalid values, which the GUri rejects
and returns NULL, but the soup-server did not check the validity and could
abort the server itself later in the code.
Closes #429
---
.../http2/soup-server-message-io-http2.c | 4 +++
tests/http2-test.c | 28 +++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
index 943ecfd3..f1fe2d5c 100644
--- a/libsoup/server/http2/soup-server-message-io-http2.c
+++ b/libsoup/server/http2/soup-server-message-io-http2.c
@@ -771,9 +771,13 @@ on_frame_recv_callback (nghttp2_session *session,
char *uri_string;
GUri *uri;
+ if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
g_free (uri_string);
+ if (uri == NULL)
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
soup_server_message_set_uri (msg_io->msg, uri);
g_uri_unref (uri);
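Review bot: Both new early returns use `NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE`, which reads as a per-stream failure, but nghttp2 documents any non-zero return from an on_frame_recv callback as fatal to the whole session. If dropping the connection on a malformed pseudo-header is intended, say so in a comment such as `/* invalid :scheme/:authority/:path, fail the session */`; if only the offending stream should fail, reset that stream and return 0 instead. The new test's expectation of `G_IO_ERROR_PARTIAL_INPUT` is consistent with the connection being dropped. on_frame_recv_callback continues outside the hunk.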
diff --git a/tests/http2-test.c b/tests/http2-test.c
index 5b6da5e4..ec7972fe 100644
--- a/tests/http2-test.c
+++ b/tests/http2-test.c
@@ -1341,6 +1341,30 @@ do_connection_closed_test (Test *test, gconstpointer data)
g_uri_unref (uri);
}
+static void
+do_broken_pseudo_header_test (Test *test, gconstpointer data)
+{
+ char *path;
+ SoupMessage *msg;
+ GUri *uri;
+ GBytes *body = NULL;
+ GError *error = NULL;
+
+ uri = g_uri_parse_relative (base_uri, "/ag", SOUP_HTTP_URI_FLAGS, NULL);
+
+ /* an ugly cheat to construct a broken URI, which can be sent from other libs */
+ path = (char *) g_uri_get_path (uri);
+ path[1] = '%';
+
+ msg = soup_message_new_from_uri (SOUP_METHOD_GET, uri);
+ body = soup_test_session_async_send (test->session, msg, NULL, &error);
+ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_PARTIAL_INPUT);
+ g_assert_null (body);
+ g_clear_error (&error);
+ g_object_unref (msg);
+ g_uri_unref (uri);
+}
+
static gboolean
unpause_message (SoupServerMessage *msg)
{
@@ -1662,6 +1686,10 @@ main (int argc, char **argv)
setup_session,
do_connection_closed_test,
teardown_session);
+ g_test_add ("/http2/broken-pseudo-header", Test, NULL,
+ setup_session,
+ do_broken_pseudo_header_test,
+ teardown_session);
ret = g_test_run ();
--
2.49.0


@@ -0,0 +1,33 @@
From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 8 Jan 2025 16:30:17 -0600
Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4
bytes
---
libsoup/content-sniffer/soup-content-sniffer.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
index 5a181ff1..aeee2e25 100644
--- a/libsoup/content-sniffer/soup-content-sniffer.c
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
@@ -243,9 +243,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, GBytes *buffer)
gsize resource_length;
const char *resource = g_bytes_get_data (buffer, &resource_length);
resource_length = MIN (512, resource_length);
- guint32 box_size = *((guint32*)resource);
+ guint32 box_size;
guint i;
+ if (resource_length < sizeof (guint32))
+ return FALSE;
+
+ box_size = *((guint32*)resource);
+
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
box_size = ((box_size >> 24) |
((box_size << 8) & 0x00FF0000) |
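Review bot: The load `box_size = *((guint32*)resource);` still reads a `guint32` through a cast `const char *`, so it depends on the buffer being suitably aligned and on the compiler tolerating the type pun. The new length check fixes the short-buffer read but not that. Copying the bytes avoids both: `memcpy (&box_size, resource, sizeof box_size);`. sniff_mp4 continues past the end of this hunk, so how box_size is used afterwards is not visible here.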
--
2.49.0


@@ -0,0 +1,267 @@
From e40df6d48a1cbab56f5d15016cc861a503423cfe Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sun, 8 Dec 2024 20:00:35 -0600
Subject: [PATCH 1/3] auth-digest: Handle missing realm in authenticate header
---
libsoup/auth/soup-auth-digest.c | 3 ++
tests/auth-test.c | 50 +++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+)
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
index 2e81849af..4f12e87a5 100644
--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
@@ -148,6 +148,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
+ if (!soup_auth_get_realm (auth))
+ return FALSE;
+
g_free (priv->domain);
g_free (priv->nonce);
g_free (priv->opaque);
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 158fdac10..3066e904a 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1866,6 +1866,55 @@ do_multiple_digest_algorithms (void)
soup_test_server_quit_unref (server);
}
+static void
+on_request_read_for_missing_realm (SoupServer *server,
+ SoupServerMessage *msg,
+ gpointer user_data)
+{
+ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+}
+
+static void
+do_missing_realm_test (void)
+{
+ SoupSession *session;
+ SoupMessage *msg;
+ SoupServer *server;
+ SoupAuthDomain *digest_auth_domain;
+ gint status;
+ GUri *uri;
+
+ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ soup_server_add_handler (server, NULL,
+ server_callback, NULL, NULL);
+ uri = soup_test_server_get_uri (server, "http", NULL);
+
+ digest_auth_domain = soup_auth_domain_digest_new (
+ "realm", "auth-test",
+ "auth-callback", server_digest_auth_callback,
+ NULL);
+ soup_auth_domain_add_path (digest_auth_domain, "/");
+ soup_server_add_auth_domain (server, digest_auth_domain);
+ g_object_unref (digest_auth_domain);
+
+ g_signal_connect (server, "request-read",
+ G_CALLBACK (on_request_read_for_missing_realm),
+ NULL);
+
+ session = soup_test_session_new (NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+ g_signal_connect (msg, "authenticate",
+ G_CALLBACK (on_digest_authenticate),
+ NULL);
+
+ status = soup_test_session_send_message (session, msg);
+
+ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+ g_uri_unref (uri);
+ soup_test_server_quit_unref (server);
+}
+
int
main (int argc, char **argv)
{
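Review bot: do_missing_realm_test never releases `session` or `msg`; the only cleanup visible at the end of the function is `g_uri_unref (uri);` and `soup_test_server_quit_unref (server);`. Under a leak-checking run this adds noise next to the parser fix the test is meant to guard. Adding `g_object_unref (msg);` and `soup_test_session_abort_unref (session);` before the URI is released would close it. The same omission appears in do_strip_on_crossorigin_redirect in the later session patch on this page.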
@@ -1899,6 +1948,7 @@ main (int argc, char **argv)
g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
+ g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
ret = g_test_run ();
--
GitLab
From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:18:35 -0600
Subject: [PATCH 2/3] auth-digest: Handle missing nonce
---
libsoup/auth/soup-auth-digest.c | 45 +++++++++++++++++++++++++--------
tests/auth-test.c | 19 ++++++++------
2 files changed, 46 insertions(+), 18 deletions(-)
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
index 4f12e87a5..350bfde69 100644
--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
@@ -138,6 +138,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
return g_string_free (out, FALSE);
}
+static gboolean
+validate_params (SoupAuthDigest *auth_digest)
+{
+ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
+
+ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
+ if (!priv->nonce)
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
static gboolean
soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
GHashTable *auth_params)
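Review bot: validate_params only insists on a nonce when `priv->qop` is set or the algorithm is MD5-sess, so a challenge that carries a realm but neither qop nor nonce still returns TRUE. The same patch adds `g_assert (priv->nonce);` in soup_auth_digest_get_authorization, which such a challenge would then reach, turning a malformed server header into an abort in the client. Requiring the nonce unconditionally, `if (!priv->nonce) return FALSE;`, keeps the check and the assertion in agreement. The later "Handle missing nonce" patch on this page adds a comparable test in soup_auth_digest_update.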
@@ -175,16 +188,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
if (priv->algorithm == -1)
ok = FALSE;
- stale = g_hash_table_lookup (auth_params, "stale");
- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
- recompute_hex_a1 (priv);
- else {
- g_free (priv->user);
- priv->user = NULL;
- g_free (priv->cnonce);
- priv->cnonce = NULL;
- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ if (!validate_params (auth_digest))
+ ok = FALSE;
+
+ if (ok) {
+ stale = g_hash_table_lookup (auth_params, "stale");
+ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+ recompute_hex_a1 (priv);
+ else {
+ g_free (priv->user);
+ priv->user = NULL;
+ g_free (priv->cnonce);
+ priv->cnonce = NULL;
+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ }
}
return ok;
@@ -276,6 +294,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,
/* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+ g_assert (nonce && cnonce);
+
checksum = g_checksum_new (G_CHECKSUM_MD5);
g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
g_checksum_update (checksum, (guchar *)":", 1);
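Review bot: `g_assert (nonce && cnonce);` guards values that originate from a peer's WWW-Authenticate header, and g_assert is compiled out when the library is built with G_DISABLE_ASSERT, so in such builds a NULL would flow on into the checksum code (presumably a `strlen` on it, outside this hunk). Where assertions are enabled, the failure mode is a process abort rather than a failed authentication. I would add a comment naming the earlier check that guarantees the invariant, e.g. `/* validate_params() rejects MD5-sess challenges that lack a nonce */`, or fail the computation instead of asserting. The same applies to `g_assert (cnonce);` in soup_auth_digest_compute_response and to the two asserts in soup_auth_digest_get_authorization. The enclosing function begins and ends outside the hunk.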
@@ -366,6 +386,8 @@ soup_auth_digest_compute_response (const char *method,
if (qop) {
char tmp[9];
+ g_assert (cnonce);
+
g_snprintf (tmp, 9, "%.8x", nc);
g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
g_checksum_update (checksum, (guchar *)":", 1);
@@ -429,6 +451,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
g_return_val_if_fail (uri != NULL, NULL);
url = soup_uri_get_path_and_query (uri);
+ g_assert (priv->nonce);
+ g_assert (!priv->qop || priv->cnonce);
+
soup_auth_digest_compute_response (soup_message_get_method (msg), url, priv->hex_a1,
priv->qop, priv->nonce,
priv->cnonce, priv->nc,
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 3066e904a..c651c7cd9 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1867,16 +1867,17 @@ do_multiple_digest_algorithms (void)
}
static void
-on_request_read_for_missing_realm (SoupServer *server,
- SoupServerMessage *msg,
- gpointer user_data)
+on_request_read_for_missing_params (SoupServer *server,
+ SoupServerMessage *msg,
+ gpointer user_data)
{
+ const char *auth_header = user_data;
SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
}
static void
-do_missing_realm_test (void)
+do_missing_params_test (gconstpointer auth_header)
{
SoupSession *session;
SoupMessage *msg;
@@ -1899,8 +1900,8 @@ do_missing_realm_test (void)
g_object_unref (digest_auth_domain);
g_signal_connect (server, "request-read",
- G_CALLBACK (on_request_read_for_missing_realm),
- NULL);
+ G_CALLBACK (on_request_read_for_missing_params),
+ (gpointer)auth_header);
session = soup_test_session_new (NULL);
msg = soup_message_new_from_uri ("GET", uri);
@@ -1948,7 +1949,9 @@ main (int argc, char **argv)
g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
ret = g_test_run ();
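Review bot: The header string for `/auth/missing-params/nonce-md5-sess` has no comma between `opaque=\"...\"` and `algorithm=\"MD5-sess\"`, so the algorithm parameter is probably not parsed as a separate item. If so, this case exercises the same path as `/auth/missing-params/nonce` and never reaches the MD5-sess branch of validate_params. Inserting the separator, `opaque=\"5ccc069c403ebaf9f0171e9517f40e41\", algorithm=\"MD5-sess\"`, should make the test cover what its name says.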
--
GitLab
From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 13:52:52 -0600
Subject: [PATCH 3/3] auth-digest: Fix leak
---
libsoup/auth/soup-auth-digest.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
index 350bfde69..9eb7fa0e2 100644
--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object)
g_free (priv->nonce);
g_free (priv->domain);
g_free (priv->cnonce);
+ g_free (priv->opaque);
memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
--
GitLab


@@ -0,0 +1,38 @@
From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 14:03:05 -0600
Subject: [PATCH] auth-digest: Handle missing nonce
---
libsoup/auth/soup-auth-digest.c | 2 +-
tests/auth-test.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
index 9eb7fa0e..d69a4013 100644
--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
- if (!soup_auth_get_realm (auth))
+ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
return FALSE;
g_free (priv->domain);
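Review bot: `g_hash_table_contains (auth_params, "nonce")` is true for a key that is present with a NULL value, and the Content-Disposition patch on this page shows that a parameter table can hold a key without a value (`;filename`). If the auth parameters are parsed the same way, a challenge with a bare `nonce` token passes this check and `priv->nonce` can still end up NULL ahead of the `g_assert (priv->nonce)` in soup_auth_digest_get_authorization. Testing the value closes that gap: `if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))`. soup_auth_digest_update continues outside the hunk.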
diff --git a/tests/auth-test.c b/tests/auth-test.c
index c651c7cd..484097f1 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1952,6 +1952,7 @@ main (int argc, char **argv)
g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test);
ret = g_test_run ();
--
GitLab


@@ -0,0 +1,108 @@
From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 17:53:50 -0600
Subject: [PATCH 1/2] soup_message_headers_get_content_disposition: Fix NULL
deref
---
libsoup/soup-message-headers.c | 13 +++++++++----
tests/header-parsing-test.c | 14 ++++++++++++++
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 56cc1e9d..04f4c302 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
*/
if (params && g_hash_table_lookup_extended (*params, "filename",
&orig_key, &orig_value)) {
- char *filename = strrchr (orig_value, '/');
-
- if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ if (orig_value) {
+ char *filename = strrchr (orig_value, '/');
+
+ if (filename)
+ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ } else {
+ /* filename with no value isn't valid. */
+ g_hash_table_remove (*params, "filename");
+ }
}
return TRUE;
}
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 5e423d2b..d0b360c8 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -1039,6 +1039,7 @@ do_param_list_tests (void)
#define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
#define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\""
#define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar"
+#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename"
static void
do_content_disposition_tests (void)
@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void)
g_assert_cmpstr (parameter2, ==, "bar");
g_hash_table_destroy (params);
+ /* Empty filename */
+ soup_message_headers_clear (hdrs);
+ soup_message_headers_append (hdrs, "Content-Disposition",
+ RFC5987_TEST_HEADER_EMPTY_FILENAME);
+ if (!soup_message_headers_get_content_disposition (hdrs,
+ &disposition,
+ &params)) {
+ soup_test_assert (FALSE, "empty filename decoding FAILED");
+ return;
+ }
+ g_assert_false (g_hash_table_contains (params, "filename"));
+ g_hash_table_destroy (params);
+
soup_message_headers_unref (hdrs);
/* Ensure that soup-multipart always quotes filename */
--
From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 18:00:39 -0600
Subject: [PATCH 2/2] soup_message_headers_get_content_disposition: strdup
truncated filenames
This table frees the strings it contains.
---
libsoup/soup-message-headers.c | 2 +-
tests/header-parsing-test.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 04f4c302..ee7a3cb1 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
char *filename = strrchr (orig_value, '/');
if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
} else {
/* filename with no value isn't valid. */
g_hash_table_remove (*params, "filename");
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index d0b360c8..07ea2866 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void)
soup_test_assert (FALSE, "empty filename decoding FAILED");
return;
}
+ g_free (disposition);
g_assert_false (g_hash_table_contains (params, "filename"));
g_hash_table_destroy (params);
--
2.49.0


@@ -0,0 +1,107 @@
From 5bfcf8157597f2d327050114fb37ff600004dbcf Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 15 Apr 2025 09:03:00 +0200
Subject: [PATCH] multipart: Fix read out of buffer bounds under
soup_multipart_new_from_message()
This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
of the body argument.
Closes #436
---
libsoup/soup-multipart.c | 2 +-
tests/multipart-test.c | 58 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index 2421c91f..102ce372 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -173,7 +173,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
return NULL;
}
- split = strstr (start, "\r\n\r\n");
+ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
if (!split || split > end) {
soup_multipart_free (multipart);
return NULL;
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index 2c0e7e96..f5b98688 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
@@ -471,6 +471,62 @@ test_multipart (gconstpointer data)
loop = NULL;
}
+static void
+test_multipart_bounds_good (void)
+{
+ #define TEXT "line1\r\nline2"
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers, *set_headers = NULL;
+ GBytes *bytes, *set_bytes = NULL;
+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
+ gboolean success;
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+ bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+ multipart = soup_multipart_new_from_message (headers, bytes);
+
+ g_assert_nonnull (multipart);
+ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
+ success = soup_multipart_get_part (multipart, 0, &set_headers, &set_bytes);
+ g_assert_true (success);
+ g_assert_nonnull (set_headers);
+ g_assert_nonnull (set_bytes);
+ g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes));
+ g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
+ g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes));
+
+ soup_message_headers_unref (headers);
+ g_bytes_unref (bytes);
+
+ soup_multipart_free (multipart);
+
+ #undef TEXT
+}
+
+static void
+test_multipart_bounds_bad (void)
+{
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers;
+ GBytes *bytes;
+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+ bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+ /* it did read out of raw_data/bytes bounds */
+ multipart = soup_multipart_new_from_message (headers, bytes);
+ g_assert_null (multipart);
+
+ soup_message_headers_unref (headers);
+ g_bytes_unref (bytes);
+}
+
int
main (int argc, char **argv)
{
@@ -498,6 +554,8 @@ main (int argc, char **argv)
g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
+ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
ret = g_test_run ();
--
2.49.0


@@ -0,0 +1,33 @@
From e64c221f9c7d09b48b610c5626b3b8c400f0907c Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Thu, 8 May 2025 09:27:01 -0500
Subject: [PATCH] auth-digest: fix crash in
soup_auth_digest_get_protection_space()
We need to validate the Domain parameter in the WWW-Authenticate header.
Unfortunately this crash only occurs when listening on default ports 80
and 443, so there's no good way to test for this. The test would require
running as root.
Fixes #440
---
libsoup/auth/soup-auth-digest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
index d8bb2910..292f2045 100644
--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
@@ -220,7 +220,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, GUri *source_uri)
if (uri &&
g_strcmp0 (g_uri_get_scheme (uri), g_uri_get_scheme (source_uri)) == 0 &&
g_uri_get_port (uri) == g_uri_get_port (source_uri) &&
- !strcmp (g_uri_get_host (uri), g_uri_get_host (source_uri)))
+ !g_strcmp0 (g_uri_get_host (uri), g_uri_get_host (source_uri)))
dir = g_strdup (g_uri_get_path (uri));
else
dir = NULL;
--
GitLab


@@ -0,0 +1,56 @@
From c9083869ec2a3037e6df4bd86b45c419ba295f8e Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:31:42 -0600
Subject: [PATCH] soup_header_parse_quality_list: Fix leak
When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings.
---
libsoup/soup-headers.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index a5f7a7f6..85385cea 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -530,7 +530,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
GSList *unsorted;
QualityItem *array;
GSList *sorted, *iter;
- char *item, *semi;
+ char *semi;
const char *param, *equal, *value;
double qval;
int n;
@@ -543,9 +543,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
unsorted = soup_header_parse_list (header);
array = g_new0 (QualityItem, g_slist_length (unsorted));
for (iter = unsorted, n = 0; iter; iter = iter->next) {
- item = iter->data;
qval = 1.0;
- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) {
+ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) {
param = skip_lws (semi + 1);
if (*param != 'q')
continue;
@@ -577,15 +576,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
if (qval == 0.0) {
if (unacceptable) {
*unacceptable = g_slist_prepend (*unacceptable,
- item);
+ g_steal_pointer (&iter->data));
}
} else {
- array[n].item = item;
+ array[n].item = g_steal_pointer (&iter->data);
array[n].qval = qval;
n++;
}
}
- g_slist_free (unsorted);
+ g_slist_free_full (unsorted, g_free);
qsort (array, n, sizeof (QualityItem), sort_by_qval);
sorted = NULL;
--
2.49.0


@@ -0,0 +1,134 @@
From 3e5c26415811f19e7737238bb23305ffaf96f66b Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 16:18:10 -0600
Subject: [PATCH] session: Strip authentication credentails on cross-origin
redirect
This should match the behavior of Firefox and Safari but not of Chromium.
---
libsoup/soup-session.c | 6 ++++
tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 83 insertions(+)
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index 38435fd1..cbe4c46f 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1230,6 +1230,12 @@ soup_session_redirect_message (SoupSession *session,
SOUP_ENCODING_NONE);
}
+ /* Strip all credentials on cross-origin redirect. */
+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+ soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION);
+ soup_message_set_auth (msg, NULL);
+ }
+
soup_message_set_request_host_from_uri (msg, new_uri);
soup_message_set_uri (msg, new_uri);
g_uri_unref (new_uri);
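Review bot: The comment `/* Strip all credentials on cross-origin redirect. */` promises more than the block does: these lines remove the Authorization request header and clear the message's SoupAuth, nothing else. Headers an application added itself, or a Proxy-Authorization header if one is set on the message, are not touched here. I would word it as `/* Drop the Authorization header and the message's SoupAuth when soup_uri_host_equal() says the redirect target differs. */` so callers do not assume custom token headers are covered. soup_session_redirect_message begins and ends outside the hunk.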
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 484097f1..7c3b5510 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1,6 +1,7 @@
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
#include "test-utils.h"
+#include "soup-uri-utils-private.h"
static const char *base_uri;
static GMainLoop *loop;
@@ -1916,6 +1917,81 @@ do_missing_params_test (gconstpointer auth_header)
soup_test_server_quit_unref (server);
}
+static void
+redirect_server_callback (SoupServer *server,
+ SoupServerMessage *msg,
+ const char *path,
+ GHashTable *query,
+ gpointer user_data)
+{
+ static gboolean redirected = FALSE;
+
+ if (!redirected) {
+ char *redirect_uri = g_uri_to_string (user_data);
+ soup_server_message_set_redirect (msg, SOUP_STATUS_MOVED_PERMANENTLY, redirect_uri);
+ g_free (redirect_uri);
+ redirected = TRUE;
+ return;
+ }
+
+ g_assert_not_reached ();
+}
+
+static gboolean
+auth_for_redirect_callback (SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer user_data)
+{
+ GUri *known_server_uri = user_data;
+
+ if (!soup_uri_host_equal (known_server_uri, soup_message_get_uri (msg)))
+ return FALSE;
+
+ soup_auth_authenticate (auth, "user", "good-basic");
+
+ return TRUE;
+}
+
+static void
+do_strip_on_crossorigin_redirect (void)
+{
+ SoupSession *session;
+ SoupMessage *msg;
+ SoupServer *server1, *server2;
+ SoupAuthDomain *auth_domain;
+ GUri *uri;
+ gint status;
+
+ server1 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ server2 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+
+ /* Both servers have the same credentials. */
+ auth_domain = soup_auth_domain_basic_new ("realm", "auth-test", "auth-callback", server_basic_auth_callback, NULL);
+ soup_auth_domain_add_path (auth_domain, "/");
+ soup_server_add_auth_domain (server1, auth_domain);
+ soup_server_add_auth_domain (server2, auth_domain);
+ g_object_unref (auth_domain);
+
+ /* Server 1 asks for auth, then redirects to Server 2. */
+ soup_server_add_handler (server1, NULL,
+ redirect_server_callback,
+ soup_test_server_get_uri (server2, "http", NULL), (GDestroyNotify)g_uri_unref);
+ /* Server 2 requires auth. */
+ soup_server_add_handler (server2, NULL, server_callback, NULL, NULL);
+
+ session = soup_test_session_new (NULL);
+ uri = soup_test_server_get_uri (server1, "http", NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+ /* The client only sends credentials for the host it knows. */
+ g_signal_connect (msg, "authenticate", G_CALLBACK (auth_for_redirect_callback), uri);
+
+ status = soup_test_session_send_message (session, msg);
+
+ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+
+ g_uri_unref (uri);
+ soup_test_server_quit_unref (server1);
+ soup_test_server_quit_unref (server2);
+}
+
int
main (int argc, char **argv)
{
@@ -1949,6 +2025,7 @@ main (int argc, char **argv)
g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
+ g_test_add_func ("/auth/strip-on-crossorigin-redirect", do_strip_on_crossorigin_redirect);
g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
--
2.49.0


@@ -0,0 +1,97 @@
Backport of https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f
diff -urp libsoup-3.4.4.orig/libsoup/soup-date-utils.c libsoup-3.4.4/libsoup/soup-date-utils.c
--- libsoup-3.4.4.orig/libsoup/soup-date-utils.c 2023-10-26 14:03:53.000000000 -0500
+++ libsoup-3.4.4/libsoup/soup-date-utils.c 2025-06-18 12:11:11.680027374 -0500
@@ -129,7 +129,7 @@ parse_day (int *day, const char **date_s
while (*end == ' ' || *end == '-')
end++;
*date_string = end;
- return TRUE;
+ return *day >= 1 && *day <= 31;
}
static inline gboolean
@@ -169,7 +169,7 @@ parse_year (int *year, const char **date
while (*end == ' ' || *end == '-')
end++;
*date_string = end;
- return TRUE;
+ return *year > 0 && *year < 9999;
}
static inline gboolean
@@ -193,7 +193,7 @@ parse_time (int *hour, int *minute, int
while (*p == ' ')
p++;
*date_string = p;
- return TRUE;
+ return *hour >= 0 && *hour < 24 && *minute >= 0 && *minute < 60 && *second >= 0 && *second < 60;
}
static inline gboolean
@@ -209,9 +209,14 @@ parse_timezone (GTimeZone **timezone, co
gulong val;
int sign = (**date_string == '+') ? 1 : -1;
val = strtoul (*date_string + 1, (char **)date_string, 10);
- if (**date_string == ':')
- val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
- else
+ if (val > 9999)
+ return FALSE;
+ if (**date_string == ':') {
+ gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
+ if (val > 99 || val2 > 99)
+ return FALSE;
+ val = 60 * val + val2;
+ } else
val = 60 * (val / 100) + (val % 100);
offset_minutes = sign * val;
utc = (sign == -1) && !val;
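Review bot: The new limits `val > 9999` and `val > 99 || val2 > 99` are unexplained magic numbers, and they still admit offsets such as `+99:99` that no real timezone uses. A one-line comment would help the next reader, e.g. `/* Bound the parsed digits so the minute offset stays small; this is not a check against real UTC offsets. */`. If stricter validation is wanted, hours above 23 and minutes above 59 could be rejected here as well, though whether a later call already does that is not visible. parse_timezone starts and ends outside the hunk.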
@@ -264,7 +269,8 @@ parse_textual_date (const char *date_str
if (!parse_month (&month, &date_string) ||
!parse_day (&day, &date_string) ||
!parse_time (&hour, &minute, &second, &date_string) ||
- !parse_year (&year, &date_string))
+ !parse_year (&year, &date_string) ||
+ !g_date_valid_dmy (day, month, year))
return NULL;
/* There shouldn't be a timezone, but check anyway */
@@ -276,7 +282,8 @@ parse_textual_date (const char *date_str
if (!parse_day (&day, &date_string) ||
!parse_month (&month, &date_string) ||
!parse_year (&year, &date_string) ||
- !parse_time (&hour, &minute, &second, &date_string))
+ !parse_time (&hour, &minute, &second, &date_string) ||
+ !g_date_valid_dmy (day, month, year))
return NULL;
/* This time there *should* be a timezone, but we
diff -urp libsoup-3.4.4.orig/tests/cookies-test.c libsoup-3.4.4/tests/cookies-test.c
--- libsoup-3.4.4.orig/tests/cookies-test.c 2023-10-26 14:03:53.000000000 -0500
+++ libsoup-3.4.4/tests/cookies-test.c 2025-06-18 12:12:06.334277212 -0500
@@ -435,6 +435,15 @@ do_cookies_parsing_nopath_nullorigin (vo
}
static void
+do_cookies_parsing_int32_overflow (void)
+{
+ SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9 999:9:9+ 999999999-age=main=gne=", NULL);
+ g_assert_nonnull (cookie);
+ g_assert_null (soup_cookie_get_expires (cookie));
+ soup_cookie_free (cookie);
+}
+
+static void
do_cookies_equal_nullpath (void)
{
SoupCookie *cookie1, *cookie2;
@@ -655,6 +664,7 @@ main (int argc, char **argv)
g_test_add_func ("/cookies/accept-policy-subdomains", do_cookies_subdomain_policy_test);
g_test_add_func ("/cookies/parsing", do_cookies_parsing_test);
g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
+ g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
g_test_add_func ("/cookies/parsing/equal-nullpath", do_cookies_equal_nullpath);
g_test_add_func ("/cookies/parsing/control-characters", do_cookies_parsing_control_characters);
g_test_add_func ("/cookies/get-cookies/empty-host", do_get_cookies_empty_host_test);


@@ -0,0 +1,91 @@
From f2f28afe0b3b2b3009ab67d6874457ec6bac70c0 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Thu, 15 May 2025 17:49:11 +0200
Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body
It could happen that the boundary started at a place which resulted into
a negative number, which in an unsigned integer is a very large value.
Check the body size is not a negative value before setting it.
Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
Part-of: <https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463>
---
libsoup/soup-multipart.c | 2 +-
tests/multipart-test.c | 40 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index 7b1e20cf..e526369e 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
*/
part_body = g_bytes_new_from_bytes (body, // FIXME
split - body_data,
- end - 2 - split);
+ end - 2 >= split ? end - 2 - split : 0);
g_ptr_array_add (multipart->bodies, part_body);
start = end;
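Review bot: Clamping the length to 0 when `end - 2 < split` turns a malformed part into an empty body, whereas the `!split || split > end` branch shown in the earlier multipart patch on this page frees the multipart and returns NULL. If accepting the part is intentional, a comment on the new expression would record that, e.g. `/* headers ran into the boundary line: keep the part with an empty body */`. Otherwise rejecting the message would be consistent with that branch. The function body starts and ends outside the hunk.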
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index c4e996ae..e7c28dfb 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
@@ -527,6 +527,45 @@ test_multipart_bounds_bad (void)
g_bytes_unref (bytes);
}
+static void
+test_multipart_too_large (void)
+{
+ const char *raw_body =
+ "-------------------\r\n"
+ "-\n"
+ "Cont\"\r\n"
+ "Content-Tynt----e:n\x8erQK\r\n"
+ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n"
+ "Content-Typimag\x01/png--\\\n"
+ "\r\n"
+ "---:\n\r\n"
+ "\r\n"
+ "-------------------------------------\r\n"
+ "---------\r\n"
+ "----------------------";
+ GBytes *body;
+ GHashTable *params;
+ SoupMessageHeaders *headers;
+ SoupMultipart *multipart;
+
+ params = g_hash_table_new (g_str_hash, g_str_equal);
+ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------");
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_set_content_type (headers, "multipart/form-data", params);
+ g_hash_table_unref (params);
+
+ body = g_bytes_new_static (raw_body, strlen (raw_body));
+ multipart = soup_multipart_new_from_message (headers, body);
+ soup_message_headers_unref (headers);
+ g_bytes_unref (body);
+
+ g_assert_nonnull (multipart);
+ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
+ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body));
+ g_assert_cmpint (g_bytes_get_size (body), ==, 0);
+ soup_multipart_free (multipart);
+}
+
int
main (int argc, char **argv)
{
@@ -556,6 +595,7 @@ main (int argc, char **argv)
g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+ g_test_add_func ("/multipart/too-large", test_multipart_too_large);
ret = g_test_run ();
--
2.49.0


@@ -0,0 +1,72 @@
From b5b4dd10d4810f0c87b4eaffe88504f06e502f33 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Mon, 19 May 2025 17:48:27 +0200
Subject: [PATCH] soup-multipart: Verify array bounds before accessing its
members
The boundary could be at a place which, calculated, pointed
before the beginning of the array. Check the bounds, to avoid
read out of the array bounds.
Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
---
libsoup/soup-multipart.c | 2 +-
tests/multipart-test.c | 22 ++++++++++++++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index e526369e..664b0f04 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -104,7 +104,7 @@ find_boundary (const char *start, const char *end,
continue;
/* Check that it's at start of line */
- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r')))
+ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r')))
continue;
/* Check for "--" or "\r\n" after boundary */
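Review bot: The comment `/* Check that it's at start of line */` no longer describes the whole condition in find_boundary. The added `b - start >= 2` is what keeps `b[-1]` and `b[-2]` from being read when fewer than two bytes precede `b` in the buffer. Suggest extending it to `/* Check that it's at start of line; only look at b[-1] and b[-2] when two bytes precede b */`. A candidate one byte after `start` is now skipped rather than tested, which is consistent with requiring a full CRLF before the boundary. The loop that encloses this check lies outside the hunk.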
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index e7c28dfb..a39d8aab 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
@@ -527,6 +527,27 @@ test_multipart_bounds_bad (void)
g_bytes_unref (bytes);
}
+static void
+test_multipart_bounds_bad_2 (void)
+{
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers;
+ GBytes *bytes;
+ const char *raw_data = "\n--123\r\nline\r\n--123--\r";
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+ bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+ multipart = soup_multipart_new_from_message (headers, bytes);
+ g_assert_nonnull (multipart);
+
+ soup_multipart_free (multipart);
+ soup_message_headers_unref (headers);
+ g_bytes_unref (bytes);
+}
+
static void
test_multipart_too_large (void)
{
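Review bot: `test_multipart_bounds_bad_2` asserts only `g_assert_nonnull (multipart)`, which probably holds with or without the fix in an ordinary build. A read one or two bytes before the buffer rarely crashes, so the test seems to rely on a sanitizer or valgrind run to fail. Say so in a comment, for example `/* the leading "\n" puts the first boundary one byte after the start of the data; run under ASan or valgrind to catch a read before the buffer */`. Also pin the parse result with an assertion on `soup_multipart_get_length (multipart)`, so that a behaviour change is caught in plain builds too.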
@@ -595,6 +616,7 @@ main (int argc, char **argv)
g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2);
g_test_add_func ("/multipart/too-large", test_multipart_too_large);
ret = g_test_run ();
--
2.49.0


@@ -1,67 +1,43 @@
-------------------------------------------------------------------
Thu Jan 16 22:43:37 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
Wed Jun 18 17:14:37 UTC 2025 - Michael Gorse <mgorse@suse.com>
- Update to version 3.6.4:
+ http2: Fix regression on 32bit systems when reading response
data.
- Add libsoup-CVE-2025-4945.patch: add value checks for date/time
parsing (boo#1243314 CVE-2025-4945).
-------------------------------------------------------------------
Sat Jan 11 21:15:48 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
Thu May 29 00:52:00 UTC 2025 - Michael Gorse <mgorse@suse.com>
- Update to version 3.6.3:
+ http2: Significantly reduce memory usage of large requests
+ server: Treat `ECONNREFUSED` when listening on IPv6 as
unsupported
+ auth-digest: Fix handling missing nonce/realm in responses, as
well as a leak
+ In `soup_uri_decode_data_uri()` fix handling of URIs with a
path beginning with `//`
+ In `soup_message_headers_get_content_disposition()` fix
possibility of NULL-deref and double-free
+ In `soup_header_parse_quality_list()` fix leak
+ In `soup_form_decode_multipart()` fix ownership annotation for
the multipart object
- Add more CVE fixes:
+ libsoup-CVE-2025-4476.patch (boo#1243422 CVE-2025-4476)
+ libsoup-CVE-2025-4948.patch (boo#1243332 CVE-2025-4948)
+ libsoup-CVE-2025-4969.patch (boo#1243423 CVE-2025-4969)
-------------------------------------------------------------------
Thu Dec 12 13:13:19 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
Tue Apr 29 21:41:45 UTC 2025 - Michael Gorse <mgorse@suse.com>
- Update to version 3.6.1+4:
+ Fix ownership annotatin for soup_form_decode_multipart().
- Convert to obs_scm source service: allow for easier maintenance.
- Add more CVE fixes:
+ libsoup-CVE-2025-32050.patch (boo#1240752 CVE-2025-32050)
+ libsoup-CVE-2025-32051.patch (boo#1240754 CVE-2025-32051)
+ libsoup-CVE-2025-32052.patch (boo#1240756 CVE-2025-32052)
+ libsoup-CVE-2025-32053.patch (boo#1240757 CVE-2025-32053)
+ libsoup-CVE-2025-46420.patch (boo#1241686 CVE-2025-46420)
+ libsoup-CVE-2025-32913.patch (boo#1241162 boo#1241238
CVE-2025-32913 CVE-2025-32911)
+ libsoup-CVE-2025-32910.patch (boo#1241252 CVE-2025-32910)
+ libsoup-CVE-2025-32909.patch (boo#1241226 CVE-2025-32909)
+ libsoup-CVE-2025-2784.patch (boo#1240750 CVE-2025-2784)
+ libsoup-CVE-2025-46421.patch (boo#1241688 CVE-2025-46421)
+ libsoup-CVE-2025-32912.patch (boo#1241214 CVE-2025-32912)
+ libsoup-CVE-2025-32906.patch (boo#1241263 CVE-2025-32906)
+ libsoup-CVE-2025-32914.patch (boo#1241164 CVE-2025-32914)
+ libsoup-CVE-2025-32908.patch (boo#1241223 CVE-2025-32908)
+ libsoup-CVE-2025-32907.patch (boo#1241222 CVE-2025-32907)
-------------------------------------------------------------------
Wed Dec 4 22:17:12 UTC 2024 - Michael Gorse <mgorse@suse.com>
- Increase test timeout on s390x. The http2-body-stream test can be
slow and sometimes times out in our builds.
-------------------------------------------------------------------
Fri Nov 22 20:25:12 UTC 2024 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 3.6.1:
+ Fix `soup_uri_copy()` reading port as a long instead of an int
+ Fix possible NULL deref in `soup_uri_decode_data_uri()`
+ Fix possible overflow in `SoupContentSniffer`
+ Fix assertion in `soup_uri_decode_data_uri()` on URLs with a
path starting with `//`
+ headers: Be more robust against invalid input when parsing
params
+ websocket: Fix possibility of being stuck in a read loop
- Drop patches fixed upstream:
+ 6adc0e3e.patch
+ 29b96fab.patch
+ a35222dd.patch
+ 4c9e75c6.patch
-------------------------------------------------------------------
Wed Nov 13 19:48:22 UTC 2024 - Michael Gorse <mgorse@suse.com>
- Add 4c9e75c6.patch: fix an intermittent test failure
(glgo#GNOME/libsoup#399).
-------------------------------------------------------------------
Tue Nov 12 23:07:16 UTC 2024 - Michael Gorse <mgorse@suse.com>
Wed Dec 4 17:51:58 UTC 2024 - Michael Gorse <mgorse@suse.com>
- Add 04df03bc.patch: strictly don't allow NUL bytes in headers
(boo#1233285 CVE-2024-52530 glgo#GNOME/libsoup#377).
- Add 6adc0e3e.patch: websocket: Process the frame as soon as we
read data (boo#1233287 CVE-2024-52532 glgo#GNOME/libsoup#391).
- Add 29b96fab.patch: websocket-test: disconnect error copy after
@@ -69,34 +45,10 @@ Tue Nov 12 23:07:16 UTC 2024 - Michael Gorse <mgorse@suse.com>
- Add a35222dd.patch: be more robust against invalid input when
parsing params (boo#1233292 CVE-2024-52531
glgo#GNOME/libsoup!407).
-------------------------------------------------------------------
Mon Aug 26 08:07:19 UTC 2024 - Bjørn Lie <bjorn.lie@gmail.com>
6adc0e3e.patch
- Update to version 3.6.0:
+ Allow HTTP/2 to be used with non-HTTP proxies
- Changes from version 3.5.2:
+ Strictly forbid NUL bytes in headers
+ Fix minor leaks
- Changes from version 3.5.1:
+ Add `SOUP_METHOD_PATCH`
+ websocket: Add `SoupWebsocketConnection:keepalive-pong-timeout`
property
+ Increase maxmimum size of HTTP headers
+ Fix `soup_uri_copy()` in Vala
+ Fix leak in `soup_message_new_from_encoded_form()`
+ multipart: Improve handling of messages missing termination
+ logger:
- Fix request filter function being called with response user
data
- Fix response bodies never being logged if request bodies
aren't
- Add Soup-Host to logged headers for when Host is missing
+ cookies:
- Fix incorrect logic in determining same-site cookies
- Limit the Max-Age to 1 year
+ cookie-jar-db: Explicitly handle old databases lacking
same-site column
- Add 4c9e75c6.patch: fix an intermittent test failure
(glgo#GNOME/soup#399).
- Increase test timeout on s390x. The http2-body-stream test can be
slow and sometimes times out in our builds.
-------------------------------------------------------------------
Thu Oct 26 19:15:00 UTC 2023 - Bjørn Lie <bjorn.lie@gmail.com>
@@ -3188,7 +3140,7 @@ Tue Oct 21 19:28:57 EST 2008 - mboman@suse.de
+ Updated generated documentation
-------------------------------------------------------------------
Fri Oct 3 15:28:27 WST 2008 - mboman@suse.de
Fri Oct 3 15:28:27 EST 2008 - mboman@suse.de
- Update to version 2.24.0.1:
+ Reverted part of the fix for bgo#528882, which caused the DAAP


@@ -1,4 +0,0 @@
name: libsoup
version: 3.6.4
mtime: 1737061399
commit: 052850fc8d88fbd256e7303acca0710380f8d259


@@ -1,7 +1,7 @@
#
# spec file for package libsoup
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,14 +18,62 @@
%define api_version 3.0
Name: libsoup
Version: 3.6.4
Version: 3.4.4
Release: 0
Summary: HTTP client/server library for GNOME
License: LGPL-2.1-or-later
Group: Development/Libraries/GNOME
URL: https://wiki.gnome.org/Projects/libsoup
Source0: %{name}-%{version}.tar.zst
Source0: https://download.gnome.org/sources/libsoup/3.4/%{name}-%{version}.tar.xz
Source99: baselibs.conf
# PATCH-FIX-UPSTREAM 04df03bc.patch boo#1233285 mgorse@suse.com -- strictly don't allow NUL bytes in headers.
Patch0: https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc.patch
# PATCH-FIX-UPSTREAM 6adc0e3e.patch boo#1233287 mgorse@suse.com -- process the frame as soon as we read data.
Patch1: https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3e.patch
# PATCH-FIX-UPSTREAM 29b96fab.patch boo#1233287 mgorse@suse.com -- websocket-test: disconnect error copy after the test ends.
Patch2: https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab.patch
# PATCH-FIX-UPSTREAM a35222dd.patch boo#1233292 mgorse@suse.com -- be more robust against invalid input when parsing params.
Patch3: https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd.patch
# PATCH-FIX-UPSTREAM 4c9e75c6.patch boo#1233287 mgorse@suse.com -- fix an intermittent test failure.
Patch4: https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32050.patch boo#1240752 mgorse@suse.com -- fix using int instead of size_t for strcspn return.
Patch5: libsoup-CVE-2025-32050.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32051.patch boo#1240754 mgorse@suse.com -- fix possible NULL deref in soup_uri_decode_data_uri().
Patch6: libsoup-CVE-2025-32051.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32052.patch boo#1240756 mgorse@suse.com -- fix heap buffer overflow in soup_content_sniffer_sniff.
Patch7: libsoup-CVE-2025-32052.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32053.patch boo#1240757 mgorse@suse.com -- fix heap buffer overflow in soup_content_sniffer.c:sniff_feed_or_html
Patch8: libsoup-CVE-2025-32053.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-46420.patch boo#1241686 mgorse@suse.com -- fix leak in soup_header_parse_quality_list.
Patch9: libsoup-CVE-2025-46420.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32913.patch boo#1241162 mgorse@suse.com -- fix NULL deref in soup_message_headers_get_content_disposition.
Patch10: libsoup-CVE-2025-32913.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32910.patch boo#1241252 mgorse@suse.com -- fix NULL deref with missing realm in authenticate header.
Patch11: libsoup-CVE-2025-32910.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32909.patch boo#1241226 mgorse@suse.com -- handle sniffing resource shorter than 4 bytes.
Patch12: libsoup-CVE-2025-32909.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-2784.patch boo#1240750 mgorse@suse.com -- sniffer: fix potential overflow.
Patch13: libsoup-CVE-2025-2784.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-46421.patch boo#1241688 mgorse@suse.com -- strip authorization credentials on cross-origin redirect.
Patch14: libsoup-CVE-2025-46421.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32912.patch boo#1241214 mgorse@suse.com -- fix NULL pointer deref in SoupAuthDigest.
Patch15: libsoup-CVE-2025-32912.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32906.patch boo#1241263 mgorse@suse.com -- fix an out-of-bounds read parsing headers.
Patch16: libsoup-CVE-2025-32906.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32914.patch boo#1241164 mgorse@suse.com -- fix read out of buffer bounds under soup_multipart_new_from_message.
Patch17: libsoup-CVE-2025-32914.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32908.patch boo#1241223 mgorse@suse.com -- soup-server-http2: Check validity of the constructed connection URI.
Patch18: libsoup-CVE-2025-32908.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32907.patch boo#1241222 mgorse@suse.com -- correct merge of ranges.
Patch19: libsoup-CVE-2025-32907.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-4476.patch boo#1243422 mgorse@suse.com -- fix crash in soup_auth_digest_get_protection_space.
Patch20: libsoup-CVE-2025-4476.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-4948.patch boo#1243332 mgorse@suse.com -- verify boundary limits for multipart body.
Patch21: libsoup-CVE-2025-4948.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-4969.patch boo#1243423 mgorse@suse.com -- soup-multipart: Verify array bounds before accessing its members.
Patch22: libsoup-CVE-2025-4969.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-4945.patch boo#1243314 mgorse@suse.com -- add value checks for date/time parsing.
Patch23: libsoup-CVE-2025-4945.patch
BuildRequires: glib-networking
BuildRequires: meson >= 0.53