Add libsoup-CVE-2026-0716.patch, libsoup-CVE-2026-0719.patch.

Updated libsoup-CVE-2025-11021.patch.
Added libsoup-CVE-2025-11021.patch.
2026-01-14 11:23:49 +08:00 · 2025-10-17 09:41:26 +08:00 · 2025-10-13 17:03:40 +08:00 · 2025-08-20 09:43:35 +02:00
6 changed files with 458 additions and 0 deletions
--- a/libsoup-CVE-2025-11021.patch
+++ b/libsoup-CVE-2025-11021.patch
@@ -0,0 +1,49 @@
+diff --unified --recursive --text --new-file --color libsoup-3.6.5/libsoup/cookies/soup-cookie.c libsoup-3.6.5.new/libsoup/cookies/soup-cookie.c
+--- libsoup-3.6.5/libsoup/cookies/soup-cookie.c	2025-03-22 02:30:16.000000000 +0800
+++ libsoup-3.6.5.new/libsoup/cookies/soup-cookie.c	2025-10-16 11:11:23.233860890 +0800
+@@ -758,12 +758,13 @@
+ 
+ 	if (cookie->expires) {
+ 		char *timestamp;
+-
+-		g_string_append (header, "; expires=");
+ 		timestamp = soup_date_time_to_string (cookie->expires,
+ 						      SOUP_DATE_COOKIE);
+-		g_string_append (header, timestamp);
+-		g_free (timestamp);
+                if (timestamp) {
+                        g_string_append (header, "; expires=");
+                        g_string_append (header, timestamp);
+                        g_free (timestamp);
+                }
+ 	}
+ 	if (cookie->path) {
+ 		g_string_append (header, "; path=");
+diff --unified --recursive --text --new-file --color libsoup-3.6.5/libsoup/server/soup-server.c libsoup-3.6.5.new/libsoup/server/soup-server.c
+--- libsoup-3.6.5/libsoup/server/soup-server.c	2025-03-22 02:30:16.000000000 +0800
+++ libsoup-3.6.5.new/libsoup/server/soup-server.c	2025-10-16 11:12:03.270673884 +0800
+@@ -852,6 +852,11 @@
+ 
+ 	date = g_date_time_new_now_utc ();
+ 	date_string = soup_date_time_to_string (date, SOUP_DATE_HTTP);
+	if (!date_string) {
+		g_date_time_unref (date);
+		return;
+	}
+
+ 	soup_message_headers_replace_common (headers, SOUP_HEADER_DATE, date_string);
+ 	g_free (date_string);
+ 	g_date_time_unref (date);
+diff --unified --recursive --text --new-file --color libsoup-3.6.5/libsoup/soup-date-utils.c libsoup-3.6.5.new/libsoup/soup-date-utils.c
+--- libsoup-3.6.5/libsoup/soup-date-utils.c	2025-03-22 02:30:16.000000000 +0800
+++ libsoup-3.6.5.new/libsoup/soup-date-utils.c	2025-10-16 11:11:23.234306968 +0800
+@@ -92,6 +92,9 @@
+ 		 * @date if it's non-UTC.
+ 		 */
+ 		GDateTime *utcdate = g_date_time_to_utc (date);
+                if (!utcdate)
+                        return NULL;
+
+                 char *date_format;
+                 char *formatted_date;
+ 
--- a/libsoup-CVE-2025-4945.patch
+++ b/libsoup-CVE-2025-4945.patch
@@ -0,0 +1,113 @@
+From 8988379984e33dcc7d3aa58551db13e48755959f Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Thu, 15 May 2025 07:59:14 +0200
+Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing
+
+Reject date/time when it does not represent a valid value.
+
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
+---
+ libsoup/soup-date-utils.c | 23 +++++++++++++++--------
+ tests/cookies-test.c      | 10 ++++++++++
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c
+index fd785f50..34ca9950 100644
+--- a/libsoup/soup-date-utils.c
+++ b/libsoup/soup-date-utils.c
+@@ -129,7 +129,7 @@ parse_day (int *day, const char **date_string)
+ 	while (*end == ' ' || *end == '-')
+ 		end++;
+ 	*date_string = end;
+-	return TRUE;
+	return *day >= 1 && *day <= 31;
+ }
+ 
+ static inline gboolean
+@@ -169,7 +169,7 @@ parse_year (int *year, const char **date_string)
+ 	while (*end == ' ' || *end == '-')
+ 		end++;
+ 	*date_string = end;
+-	return TRUE;
+	return *year > 0 && *year < 9999;
+ }
+ 
+ static inline gboolean
+@@ -193,7 +193,7 @@ parse_time (int *hour, int *minute, int *second, const char **date_string)
+ 	while (*p == ' ')
+ 		p++;
+ 	*date_string = p;
+-	return TRUE;
+	return *hour >= 0 && *hour < 24 && *minute >= 0 && *minute < 60 && *second >= 0 && *second < 60;
+ }
+ 
+ static inline gboolean
+@@ -209,9 +209,14 @@ parse_timezone (GTimeZone **timezone, const char **date_string)
+ 		gulong val;
+ 		int sign = (**date_string == '+') ? 1 : -1;
+ 		val = strtoul (*date_string + 1, (char **)date_string, 10);
+-		if (**date_string == ':')
+-			val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
+-		else
+		if (val > 9999)
+			return FALSE;
+		if (**date_string == ':') {
+			gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
+			if (val > 99 || val2 > 99)
+				return FALSE;
+			val = 60 * val + val2;
+		} else
+ 			val =  60 * (val / 100) + (val % 100);
+ 		offset_minutes = sign * val;
+                 utc = (sign == -1) && !val;
+@@ -264,7 +269,8 @@ parse_textual_date (const char *date_string)
+ 		if (!parse_month (&month, &date_string) ||
+ 		    !parse_day (&day, &date_string) ||
+ 		    !parse_time (&hour, &minute, &second, &date_string) ||
+-		    !parse_year (&year, &date_string))
+		    !parse_year (&year, &date_string) ||
+		    !g_date_valid_dmy (day, month, year))
+ 			return NULL;
+ 
+ 		/* There shouldn't be a timezone, but check anyway */
+@@ -276,7 +282,8 @@ parse_textual_date (const char *date_string)
+ 		if (!parse_day (&day, &date_string) ||
+ 		    !parse_month (&month, &date_string) ||
+ 		    !parse_year (&year, &date_string) ||
+-		    !parse_time (&hour, &minute, &second, &date_string))
+		    !parse_time (&hour, &minute, &second, &date_string) ||
+		    !g_date_valid_dmy (day, month, year))
+ 			return NULL;
+ 
+ 		/* This time there *should* be a timezone, but we
+diff --git a/tests/cookies-test.c b/tests/cookies-test.c
+index 1d2d4563..ff809a40 100644
+--- a/tests/cookies-test.c
+++ b/tests/cookies-test.c
+@@ -460,6 +460,15 @@ do_cookies_parsing_max_age_long_overflow (void)
+ 	soup_cookie_free (cookie);
+ }
+ 
+static void
+do_cookies_parsing_int32_overflow (void)
+{
+	SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9    999:9:9+ 999999999-age=main=gne=", NULL);
+	g_assert_nonnull (cookie);
+	g_assert_null (soup_cookie_get_expires (cookie));
+	soup_cookie_free (cookie);
+}
+
+ static void
+ do_cookies_equal_nullpath (void)
+ {
+@@ -718,6 +727,7 @@ main (int argc, char **argv)
+ 	g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
+ 	g_test_add_func ("/cookies/parsing/max-age-int32-overflow", do_cookies_parsing_max_age_int32_overflow);
+ 	g_test_add_func ("/cookies/parsing/max-age-long-overflow", do_cookies_parsing_max_age_long_overflow);
+	g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
+ 	g_test_add_func ("/cookies/parsing/equal-nullpath", do_cookies_equal_nullpath);
+ 	g_test_add_func ("/cookies/parsing/control-characters", do_cookies_parsing_control_characters);
+         g_test_add_func ("/cookies/parsing/name-value-max-size", do_cookies_parsing_name_value_max_size);
+-- 
+2.49.0
+
--- a/libsoup-CVE-2026-0716.patch
+++ b/libsoup-CVE-2026-0716.patch
@@ -0,0 +1,108 @@
+From 149750d7350c1d25b00bdb8355ad58d3864f902b Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Sun, 11 Jan 2026 10:52:14 -0600
+Subject: [PATCH] websocket: Fix out-of-bounds read in process_frame
+
+If the maximum incoming payload size is unset, then a malicious frame could
+cause an overflow when calculating the needed amount of data, leading to an
+out-of-bounds read later.
+
+This is CVE-2026-0716.
+
+Closes #476
+---
+ libsoup/websocket/soup-websocket-connection.c |  8 +++-
+ tests/websocket-test.c                        | 44 +++++++++++++++++++
+ 2 files changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
+index 30df9841..42867be3 100644
+--- a/libsoup/websocket/soup-websocket-connection.c
+++ b/libsoup/websocket/soup-websocket-connection.c
+@@ -1028,6 +1028,7 @@ process_frame (SoupWebsocketConnection *self)
+ 	guint8 opcode;
+ 	gsize len;
+ 	gsize at;
+	gsize required;
+ 	GBytes *filtered_bytes;
+ 	GList *l;
+ 	GError *error = NULL;
+@@ -1123,7 +1124,12 @@ process_frame (SoupWebsocketConnection *self)
+ 		payload += 4;
+ 		at += 4;
+ 
+-		if (len < at + payload_len)
+	if (!g_size_checked_add (&required, (gsize) at, (gsize) payload_len)) {
+		bad_data_error_and_close (self);
+		return FALSE;
+	}
+
+		if (len < required)
+ 			return FALSE; /* need more data */
+ 
+ 		xor_with_mask (mask, payload, payload_len);
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 194b966a..e887091d 100644
+--- a/tests/websocket-test.c
+++ b/tests/websocket-test.c
+@@ -2215,6 +2215,41 @@ test_connection_error (void)
+ 	soup_test_session_abort_unref (session);
+ }
+ 
+static void
+test_cve_2026_0716 (Test *test,
+                    gconstpointer unused)
+{
+	GError *error = NULL;
+	GIOStream *io;
+	gsize written;
+	const char *frame;
+	gboolean close_event = FALSE;
+
+	g_signal_handlers_disconnect_by_func (test->server, on_error_not_reached, NULL);
+	g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
+	g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
+
+	io = soup_websocket_connection_get_io_stream (test->client);
+
+	soup_websocket_connection_set_max_incoming_payload_size (test->server, 0);
+
+	// Malicious masked frame header (10-byte header + 4-byte mask) */
+	frame = "\x82\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xaa\xbb\xcc\xdd";
+	if (!g_output_stream_write_all (g_io_stream_get_output_stream (io),
+					frame, 14, &written, NULL, NULL))
+		g_assert_cmpstr ("This code", ==, "should not be reached");
+	g_assert_cmpuint (written, ==, 14);
+
+	WAIT_UNTIL (error != NULL);
+	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
+	g_clear_error (&error);
+
+	WAIT_UNTIL (soup_websocket_connection_get_state (test->client) == SOUP_WEBSOCKET_STATE_CLOSED);
+	g_assert_true (close_event);
+
+	g_assert_cmpuint (soup_websocket_connection_get_close_code (test->client), ==, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
+}
+
+ int
+ main (int argc,
+       char *argv[])
+@@ -2465,6 +2500,15 @@ main (int argc,
+ 
+ 	g_test_add_func ("/websocket/soup/connection-error", test_connection_error);
+ 
+	g_test_add ("/websocket/direct/cve-2026-0716", Test, NULL,
+		    setup_direct_connection,
+		    test_cve_2026_0716,
+		    teardown_direct_connection);
+	g_test_add ("/websocket/soup/cve-2026-0716", Test, NULL,
+		    setup_soup_connection,
+		    test_cve_2026_0716,
+		    teardown_soup_connection);
+
+ 	ret = g_test_run ();
+ 
+ 	test_cleanup ();
+-- 
+GitLab
+
--- a/libsoup-CVE-2026-0719.patch
+++ b/libsoup-CVE-2026-0719.patch
@@ -0,0 +1,152 @@
+From c8f4979ebf1a701e2222661556b3e735b99b3341 Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Thu, 8 Jan 2026 16:19:37 -0600
+Subject: [PATCH] soup-auth-ntlm: Use unsigned ints for byte counts in md4sum
+
+Otherwise, the variables could overflow if the password is long enough,
+leading to an out-of-bounds memory access.
+
+This is CVE-2026-0719.
+
+Closes #477.
+---
+ libsoup/auth/soup-auth-ntlm.c | 13 ++++---
+ tests/ntlm-test.c             | 64 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 72 insertions(+), 5 deletions(-)
+
+diff --git a/libsoup/auth/soup-auth-ntlm.c b/libsoup/auth/soup-auth-ntlm.c
+index 7108a32c3..ef26ff40a 100644
+--- a/libsoup/auth/soup-auth-ntlm.c
+++ b/libsoup/auth/soup-auth-ntlm.c
+@@ -604,7 +604,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class)
+ }
+ 
+ static void md4sum                (const unsigned char *in, 
+-				   int                  nbytes, 
+				   size_t               nbytes, 
+ 				   unsigned char        digest[16]);
+ 
+ typedef guint32 DES_KS[16][2]; /* Single-key DES key schedule */
+@@ -650,7 +650,7 @@ soup_ntlm_nt_hash (const char *password, guchar hash[21])
+ {
+ 	unsigned char *buf, *p;
+ 
+-	p = buf = g_malloc (strlen (password) * 2);
+	p = buf = g_malloc_n (strlen (password), 2);
+ 
+ 	while (*password) {
+ 		*p++ = *password++;
+@@ -1092,15 +1092,16 @@ calc_response (const guchar *key, const guchar *plaintext, guchar *results)
+ #define ROT(val, n) ( ((val) << (n)) | ((val) >> (32 - (n))) )
+ 
+ static void
+-md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
+md4sum (const unsigned char *in, size_t nbytes, unsigned char digest[16])
+ {
+ 	unsigned char *M;
+ 	guint32 A, B, C, D, AA, BB, CC, DD, X[16];
+-	int pbytes, nbits = nbytes * 8, i, j;
+	size_t pbytes, nbits = nbytes * 8;
+	int i, j;
+ 
+ 	/* There is *always* padding of at least one bit. */
+ 	pbytes = ((119 - (nbytes % 64)) % 64) + 1;
+-	M = alloca (nbytes + pbytes + 8);
+	M = g_malloc (nbytes + pbytes + 8);
+ 	memcpy (M, in, nbytes);
+ 	memset (M + nbytes, 0, pbytes + 8);
+ 	M[nbytes] = 0x80;
+@@ -1200,6 +1201,8 @@ md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
+ 	digest[13] = (D >>  8) & 0xFF;
+ 	digest[14] = (D >> 16) & 0xFF;
+ 	digest[15] = (D >> 24) & 0xFF;
+
+	g_free (M);
+ }
+ 
+ 
+diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c
+index a92a21c8c..5080f8e61 100644
+--- a/tests/ntlm-test.c
+++ b/tests/ntlm-test.c
+@@ -714,6 +714,67 @@ do_retrying_test (TestServer *ts,
+ 	soup_test_session_abort_unref (session);
+ }
+ 
+static gboolean
+long_password_test_authenticate (SoupMessage *msg,
+			         SoupAuth    *auth,
+			         gboolean     retrying,
+			          gpointer user)
+{
+	size_t l = 2147483647;
+	char *password;
+	char tmp[10000];
+	size_t i;
+
+	password = (char *)g_malloc (l);
+
+	for (i = 0; i < 10000; i++) {
+		tmp[i] = 'A';
+	}
+	for (i = 0; i < l/10000; i++) {
+		memcpy (password + i * 10000, tmp, 10000);
+	}
+	memcpy (password + l - 1 - 10000, tmp, 10000);
+        
+	soup_auth_authenticate (auth, "alice", password);
+
+	g_free (password);
+	return TRUE;
+}
+
+static void
+do_long_password_test (TestServer *ts,
+		  gconstpointer data)
+{
+	SoupSession *session;
+	SoupMessage *msg;
+	GUri *uri;
+	GBytes *body;
+
+#ifndef __SANITIZE_ADDRESS__
+        g_test_skip ("Slow, allocates a large amount of memory, and needs asan");
+        return;
+#endif
+
+	session = soup_test_session_new (NULL);
+        soup_session_add_feature_by_type (session, SOUP_TYPE_AUTH_NTLM);
+        soup_session_set_proxy_resolver(session, NULL);
+
+	uri = g_uri_parse_relative (ts->uri, "/alice", SOUP_HTTP_URI_FLAGS, NULL);
+	msg = soup_message_new_from_uri ("GET", uri);
+	g_signal_connect (msg, "authenticate",
+			  G_CALLBACK (long_password_test_authenticate), NULL);
+	g_uri_unref (uri);
+
+	body = soup_session_send_and_read (session, msg, NULL, NULL);
+
+	soup_test_assert_message_status (msg, SOUP_STATUS_OK);
+
+	g_bytes_unref (body);
+	g_object_unref (msg);
+
+	soup_test_session_abort_unref (session);
+}
+
+ int
+ main (int argc, char **argv)
+ {
+@@ -737,6 +798,9 @@ main (int argc, char **argv)
+ 	g_test_add ("/ntlm/retry", TestServer, NULL,
+ 		    setup_server, do_retrying_test, teardown_server);
+ 
+	g_test_add ("/ntlm/long-password", TestServer, NULL,
+		    setup_server, do_long_password_test, teardown_server);
+
+ 	ret = g_test_run ();
+ 
+ 	test_cleanup ();
+-- 
+GitLab
+
--- a/libsoup.changes
+++ b/libsoup.changes
@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Wed Jan 14 03:23:23 UTC 2026 - Alynx Zhou <alynx.zhou@suse.com>
+
+- Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for
+  websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494).
+- Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum
+  (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493).
+
+-------------------------------------------------------------------
+Thu Oct 16 03:31:36 UTC 2025 - Alynx Zhou <alynx.zhou@suse.com>
+
+- Update libsoup-CVE-2025-11021.patch: Add NULL check for
+  soup_date_time_to_string() (bsc#1250562, CVE-2025-11021,
+  glgo#GNOME/libsoup!483).
+
+-------------------------------------------------------------------
+Sat Oct 11 08:43:16 UTC 2025 - Alynx Zhou <alynx.zhou@suse.com>
+
+- Add libsoup-CVE-2025-11021.patch: Ignore invalid date when
+  processing cookies to prevent out-of-bounds read (bsc#1250562,
+  CVE-2025-11021, glgo#GNOME/libsoup!482).
+
+-------------------------------------------------------------------
+Wed Jun 18 14:56:51 UTC 2025 - Michael Gorse <mgorse@suse.com>
+
+- Add libsoup-CVE-2025-4945.patch: add value checks for date/time
+  parsing (boo#1243314 CVE-2025-4945).
+
 -------------------------------------------------------------------
 Wed May 28 15:42:56 UTC 2025 - Michael Gorse <mgorse@suse.com>

--- a/libsoup.spec
+++ b/libsoup.spec
@@ -38,6 +38,14 @@ Patch3:         libsoup-CVE-2025-4476.patch
 Patch4:         libsoup-CVE-2025-4948.patch
 # PATCH-FIX-UPSTREAM libsoup-CVE-2025-4969.patch boo#1243423 mgorse@suse.com -- soup-multipart: Verify array bounds before accessing its members.
 Patch5:         libsoup-CVE-2025-4969.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2025-4945.patch boo#1243314 mgorse@suse.com -- add value checks for date/time parsing.
+Patch6:         libsoup-CVE-2025-4945.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2025-11021.patch bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!482 alynx.zhou@suse.com -- Ignore invalid date when processing cookie
+Patch7:         libsoup-CVE-2025-11021.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2026-0719.patch bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493 alynx.zhou@suse.com -- Fix overflow for password md4sum
+Patch9:         libsoup-CVE-2026-0719.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2026-0716.patch bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494 alynx.zhou@suse.com -- Fix out-of-bounds read for websocket
+Patch10:        libsoup-CVE-2026-0716.patch

 BuildRequires:  glib-networking
 BuildRequires:  meson >= 0.53
Author	SHA256	Message	Date
Alynx Zhou	f573e2ecff	Add libsoup-CVE-2026-0716.patch, libsoup-CVE-2026-0719.patch.	2026-01-14 11:23:49 +08:00
Alynx Zhou	eef1de94fe	Updated libsoup-CVE-2025-11021.patch.	2025-10-17 09:41:26 +08:00
Alynx Zhou	5eeee53fa2	Added libsoup-CVE-2025-11021.patch.	2025-10-13 17:03:40 +08:00
Adrian Schröter	39531c69a1	Sync changes to SLFO-1.2 branch	2025-08-20 09:43:35 +02:00