forked from pool/libsoup2
Compare commits
2 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| 1d4d1ab95f | |||
| f9953a3144 |
@@ -11,7 +11,7 @@ CVE-2025-2784
|
||||
3 files changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
|
||||
index 967ec6141..4c8134a7f 100644
|
||||
index 967ec614..4c8134a7 100644
|
||||
--- a/libsoup/soup-content-sniffer.c
|
||||
+++ b/libsoup/soup-content-sniffer.c
|
||||
@@ -642,7 +642,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
|
||||
@@ -24,7 +24,7 @@ index 967ec6141..4c8134a7f 100644
|
||||
|
||||
if (skip_insignificant_space (resource, &pos, resource_length))
|
||||
diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
|
||||
index d2aa86b9d..0a4569a43 100644
|
||||
index d2aa86b9..0a4569a4 100644
|
||||
--- a/tests/sniffing-test.c
|
||||
+++ b/tests/sniffing-test.c
|
||||
@@ -605,6 +605,11 @@ main (int argc, char **argv)
|
||||
@@ -40,7 +40,7 @@ index d2aa86b9d..0a4569a43 100644
|
||||
g_test_add_data_func ("/sniffing/disabled",
|
||||
"/text_or_binary/home.gif",
|
||||
diff --git a/tests/soup-tests.gresource.xml b/tests/soup-tests.gresource.xml
|
||||
index 9c08d170e..cbef1d402 100644
|
||||
index 9c08d170..cbef1d40 100644
|
||||
--- a/tests/soup-tests.gresource.xml
|
||||
+++ b/tests/soup-tests.gresource.xml
|
||||
@@ -25,5 +25,6 @@
|
||||
|
||||
77
libsoup2-CVE-2026-0716.patch
Normal file
77
libsoup2-CVE-2026-0716.patch
Normal file
@@ -0,0 +1,77 @@
|
||||
diff -urp libsoup-2.74.3.orig/libsoup/soup-websocket-connection.c libsoup-2.74.3/libsoup/soup-websocket-connection.c
|
||||
--- libsoup-2.74.3.orig/libsoup/soup-websocket-connection.c 2022-10-11 13:27:22.000000000 -0500
|
||||
+++ libsoup-2.74.3/libsoup/soup-websocket-connection.c 2026-02-06 12:46:44.372111863 -0600
|
||||
@@ -1064,6 +1064,12 @@ process_frame (SoupWebsocketConnection *
|
||||
payload += 4;
|
||||
at += 4;
|
||||
|
||||
+ /* at has a maximum value of 10 + 4 = 14 */
|
||||
+ if (payload_len > G_MAXSIZE - 14) {
|
||||
+ bad_data_error_and_close (self);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
if (len < at + payload_len)
|
||||
return FALSE; /* need more data */
|
||||
|
||||
diff -urp libsoup-2.74.3.orig/tests/websocket-test.c libsoup-2.74.3/tests/websocket-test.c
|
||||
--- libsoup-2.74.3.orig/tests/websocket-test.c 2022-10-11 13:27:22.000000000 -0500
|
||||
+++ libsoup-2.74.3/tests/websocket-test.c 2026-02-06 12:46:44.372679228 -0600
|
||||
@@ -1861,6 +1861,41 @@ test_cookies_in_response (Test *test,
|
||||
soup_cookie_free (cookie);
|
||||
}
|
||||
|
||||
+static void
|
||||
+test_cve_2026_0716 (Test *test,
|
||||
+ gconstpointer unused)
|
||||
+{
|
||||
+ GError *error = NULL;
|
||||
+ GIOStream *io;
|
||||
+ gsize written;
|
||||
+ const char *frame;
|
||||
+ gboolean close_event = FALSE;
|
||||
+
|
||||
+ g_signal_handlers_disconnect_by_func (test->server, on_error_not_reached, NULL);
|
||||
+ g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
|
||||
+ g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
|
||||
+
|
||||
+ io = soup_websocket_connection_get_io_stream (test->client);
|
||||
+
|
||||
+ soup_websocket_connection_set_max_incoming_payload_size (test->server, 0);
|
||||
+
|
||||
+ // Malicious masked frame header (10-byte header + 4-byte mask) */
|
||||
+ frame = "\x82\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xaa\xbb\xcc\xdd";
|
||||
+ if (!g_output_stream_write_all (g_io_stream_get_output_stream (io),
|
||||
+ frame, 14, &written, NULL, NULL))
|
||||
+ g_assert_cmpstr ("This code", ==, "should not be reached");
|
||||
+ g_assert_cmpuint (written, ==, 14);
|
||||
+
|
||||
+ WAIT_UNTIL (error != NULL);
|
||||
+ g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
|
||||
+ g_clear_error (&error);
|
||||
+
|
||||
+ WAIT_UNTIL (soup_websocket_connection_get_state (test->client) == SOUP_WEBSOCKET_STATE_CLOSED);
|
||||
+ g_assert_true (close_event);
|
||||
+
|
||||
+ g_assert_cmpuint (soup_websocket_connection_get_close_code (test->client), ==, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
|
||||
+}
|
||||
+
|
||||
int
|
||||
main (int argc,
|
||||
char *argv[])
|
||||
@@ -2094,6 +2129,15 @@ main (int argc,
|
||||
test_cookies_in_response,
|
||||
teardown_soup_connection);
|
||||
|
||||
+ g_test_add ("/websocket/direct/cve-2026-0716", Test, NULL,
|
||||
+ setup_direct_connection,
|
||||
+ test_cve_2026_0716,
|
||||
+ teardown_direct_connection);
|
||||
+ g_test_add ("/websocket/soup/cve-2026-0716", Test, NULL,
|
||||
+ setup_soup_connection,
|
||||
+ test_cve_2026_0716,
|
||||
+ teardown_soup_connection);
|
||||
+
|
||||
ret = g_test_run ();
|
||||
|
||||
test_cleanup ();
|
||||
12
libsoup2-CVE-2026-1761.patch
Normal file
12
libsoup2-CVE-2026-1761.patch
Normal file
@@ -0,0 +1,12 @@
|
||||
Index: libsoup-2.74.3/libsoup/soup-filter-input-stream.c
|
||||
===================================================================
|
||||
--- libsoup-2.74.3.orig/libsoup/soup-filter-input-stream.c
|
||||
+++ libsoup-2.74.3/libsoup/soup-filter-input-stream.c
|
||||
@@ -272,6 +272,6 @@ soup_filter_input_stream_read_until (Sou
|
||||
if (eof && !*got_boundary)
|
||||
read_length = MIN (fstream->priv->buf->len, length);
|
||||
else
|
||||
- read_length = p - buf;
|
||||
+ read_length = MIN ((gsize)(p - buf), length);
|
||||
return read_from_buf (fstream, buffer, read_length);
|
||||
}
|
||||
@@ -1,3 +1,17 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 6 18:52:17 UTC 2026 - Michael Gorse <mgorse@suse.com>
|
||||
|
||||
- Add libsoup2-CVE-2026-0716.patch: Fix out-of-bounds read for
|
||||
websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 3 01:52:48 UTC 2026 - Jonathan Kang <songchuan.kang@suse.com>
|
||||
|
||||
- Add libsoup2-CVE-2026-1761.patch: multipart: check length of bytes
|
||||
read soup_filter_input_stream_read_until()
|
||||
(bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496).
|
||||
- Refresh ef6c4bf6.patch from upstream git.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 9 02:52:21 UTC 2026 - Alynx Zhou <alynx.zhou@suse.com>
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package libsoup2
|
||||
#
|
||||
# Copyright (c) 2026 SUSE LLC
|
||||
# Copyright (c) 2026 SUSE LLC and contributors
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -84,6 +84,10 @@ Patch27: libsoup-CVE-2025-4945.patch
|
||||
Patch28: libsoup2-CVE-2025-14523.patch
|
||||
# PATCH-FIX-UPSTREAM libsoup2-CVE-2026-0719.patch bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493 alynx.zhou@suse.com -- Fix overflow for password md4sum
|
||||
Patch29: libsoup2-CVE-2026-0719.patch
|
||||
# PATCH-FIX-UPSTREAM libsoup2-CVE-2026-1761.patch bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496 sckang@suse.com -- multipart: check length of bytes read soup_filter_input_stream_read_until()
|
||||
Patch30: libsoup2-CVE-2026-1761.patch
|
||||
# PATCH-FIX-UPSTREAM libsoup2-CVE-2026-0716.patch bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494 mgorse@suse.com -- Fix out-of-bounds read for websocket
|
||||
Patch31: libsoup2-CVE-2026-0716.patch
|
||||
|
||||
BuildRequires: glib-networking
|
||||
BuildRequires: meson >= 0.50
|
||||
|
||||
Reference in New Issue
Block a user