Add libsoup2-CVE-2026-1761.patch

libsoup-CVE-2025-4945.patch

@@ -0,0 +1,97 @@
+Backport of https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f
+
+diff -urp libsoup-2.74.3.orig/libsoup/soup-date.c libsoup-2.74.3/libsoup/soup-date.c
+--- libsoup-2.74.3.orig/libsoup/soup-date.c	2022-10-11 13:27:22.000000000 -0500
++++ libsoup-2.74.3/libsoup/soup-date.c	2025-06-18 11:56:02.916383979 -0500
+@@ -284,7 +284,7 @@ parse_day (SoupDate *date, const char **
+ 	while (*end == ' ' || *end == '-')
+ 		end++;
+ 	*date_string = end;
+-	return TRUE;
++	return date->day >= 1 && date->day <= 31;
+ }
+ 
+ static inline gboolean
+@@ -324,7 +324,7 @@ parse_year (SoupDate *date, const char *
+ 	while (*end == ' ' || *end == '-')
+ 		end++;
+ 	*date_string = end;
+-	return TRUE;
++	return date->year > 0 && date->year < 9999;
+ }
+ 
+ static inline gboolean
+@@ -348,7 +348,7 @@ parse_time (SoupDate *date, const char *
+ 	while (*p == ' ')
+ 		p++;
+ 	*date_string = p;
+-	return TRUE;
++	return date->hour >= 0 && date->hour < 24 && date->minute >= 0 && date->minute < 60 && date->second >= 0 && date->second < 60;
+ }
+ 
+ static inline gboolean
+@@ -361,9 +361,14 @@ parse_timezone (SoupDate *date, const ch
+ 		gulong val;
+ 		int sign = (**date_string == '+') ? -1 : 1;
+ 		val = strtoul (*date_string + 1, (char **)date_string, 10);
+-		if (**date_string == ':')
+-			val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
+-		else
++		if (val > 9999)
++			return FALSE;
++		if (**date_string == ':') {
++			gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
++			if (val > 99 || val2 > 99)
++				return FALSE;
++			val = 60 * val + val2;
++		} else
+ 			val =  60 * (val / 100) + (val % 100);
+ 		date->offset = sign * val;
+ 		date->utc = (sign == -1) && !val;
+@@ -407,7 +412,8 @@ parse_textual_date (SoupDate *date, cons
+ 		if (!parse_month (date, &date_string) ||
+ 		    !parse_day (date, &date_string) ||
+ 		    !parse_time (date, &date_string) ||
+-		    !parse_year (date, &date_string))
++		    !parse_year (date, &date_string) ||
++		    !g_date_valid_dmy (date->day, date->month, date->year))
+ 			return FALSE;
+ 
+ 		/* There shouldn't be a timezone, but check anyway */
+@@ -419,7 +425,8 @@ parse_textual_date (SoupDate *date, cons
+ 		if (!parse_day (date, &date_string) ||
+ 		    !parse_month (date, &date_string) ||
+ 		    !parse_year (date, &date_string) ||
+-		    !parse_time (date, &date_string))
++		    !parse_time (date, &date_string) ||
++		    !g_date_valid_dmy (date->day, date->month, date->year))
+ 			return FALSE;
+ 
+ 		/* This time there *should* be a timezone, but we
+diff -urp libsoup-2.74.3.orig/tests/cookies-test.c libsoup-2.74.3/tests/cookies-test.c
+--- libsoup-2.74.3.orig/tests/cookies-test.c	2022-10-11 13:27:22.000000000 -0500
++++ libsoup-2.74.3/tests/cookies-test.c	2025-06-18 11:13:49.363862484 -0500
+@@ -389,6 +389,15 @@ send_callback (GObject *source_object,
+ }
+ 
+ static void
++do_cookies_parsing_int32_overflow (void)
++{
++	SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9    999:9:9+ 999999999-age=main=gne=", NULL);
++	g_assert_nonnull (cookie);
++	g_assert_null (soup_cookie_get_expires (cookie));
++	soup_cookie_free (cookie);
++}
++
++static void
+ do_remove_feature_test (void)
+ {
+ 	SoupSession *session;
+@@ -434,6 +443,7 @@ main (int argc, char **argv)
+ 	g_test_add_func ("/cookies/accept-policy-subdomains", do_cookies_subdomain_policy_test);
+ 	g_test_add_func ("/cookies/parsing", do_cookies_parsing_test);
+ 	g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
++	g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
+ 	g_test_add_func ("/cookies/get-cookies/empty-host", do_get_cookies_empty_host_test);
+ 	g_test_add_func ("/cookies/remove-feature", do_remove_feature_test);
+ 	g_test_add_func ("/cookies/secure-cookies", do_cookies_strict_secure_test);

libsoup2-CVE-2026-1761.patch

@@ -0,0 +1,12 @@
+Index: libsoup-2.74.3/libsoup/soup-filter-input-stream.c
+===================================================================
+--- libsoup-2.74.3.orig/libsoup/soup-filter-input-stream.c
++++ libsoup-2.74.3/libsoup/soup-filter-input-stream.c
+@@ -272,6 +272,6 @@ soup_filter_input_stream_read_until (Sou
+ 	if (eof && !*got_boundary)
+ 		read_length = MIN (fstream->priv->buf->len, length);
+ 	else
+-		read_length = p - buf;
++		read_length = MIN ((gsize)(p - buf), length);
+ 	return read_from_buf (fstream, buffer, read_length);
+ }

libsoup2.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Feb  3 01:52:48 UTC 2026 - Jonathan Kang <songchuan.kang@suse.com>
+
+- Add libsoup2-CVE-2026-1761.patch: multipart: check length of bytes
+  read soup_filter_input_stream_read_until()
+  (bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496).
+
+-------------------------------------------------------------------
+Wed Jun 18 16:47:42 UTC 2025 - Michael Gorse <mgorse@suse.com>
+
+- Add libsoup-CVE-2025-4945.patch: add value checks for date/time
+  parsing (boo#1243314 CVE-2025-4945).
+
 -------------------------------------------------------------------
 Wed May 28 21:28:03 UTC 2025 - Michael Gorse <mgorse@suse.com>
 

libsoup2.spec

@@ -78,6 +78,10 @@ Patch24:        libsoup-CVE-2025-32909.patch
 Patch25:        libsoup-CVE-2025-4948.patch
 # PATCH-FIX-UPSTREAM libsoup-CVE-2025-4969.patch boo#1243423 mgorse@suse.com -- soup-multipart: Verify array bounds before accessing its members.
 Patch26:        libsoup-CVE-2025-4969.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2025-4945.patch boo#1243314 mgorse@suse.com -- add value checks for date/time parsing.
+Patch27:        libsoup-CVE-2025-4945.patch
+# PATCH-FIX-UPSTREAM libsoup2-CVE-2026-1761.patch bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496 sckang@suse.com -- multipart: check length of bytes read soup_filter_input_stream_read_until()
+Patch28:        libsoup2-CVE-2026-1761.patch
 
 BuildRequires:  glib-networking
 BuildRequires:  meson >= 0.50