pool/libsoup
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

merge into: pool:slfo-main
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main
...
pull from: pool:slfo-1.2
Branches Tags
pool:slfo-1.2 pool:slfo-main pool:factory

3 Commits
slfo-main ... slfo-1.2

Author SHA256 Message Date
Alynx Zhou
f573e2ecff Add libsoup-CVE-2026-0716.patch, libsoup-CVE-2026-0719.patch. 2026-01-14 11:23:49 +08:00
Alynx Zhou
eef1de94fe Updated libsoup-CVE-2025-11021.patch. 2025-10-17 09:41:26 +08:00
Alynx Zhou
5eeee53fa2 Added libsoup-CVE-2025-11021.patch. 2025-10-13 17:03:40 +08:00
5 changed files with 337 additions and 0 deletions
Expand all files Collapse all files

49
libsoup-CVE-2025-11021.patch Normal file
View File

@@ -0,0 +1,49 @@
diff --unified --recursive --text --new-file --color libsoup-3.6.5/libsoup/cookies/soup-cookie.c libsoup-3.6.5.new/libsoup/cookies/soup-cookie.c
--- libsoup-3.6.5/libsoup/cookies/soup-cookie.c 2025-03-22 02:30:16.000000000 +0800
+++ libsoup-3.6.5.new/libsoup/cookies/soup-cookie.c 2025-10-16 11:11:23.233860890 +0800
@@ -758,12 +758,13 @@
if (cookie->expires) {
char *timestamp;
-
- g_string_append (header, "; expires=");
timestamp = soup_date_time_to_string (cookie->expires,
SOUP_DATE_COOKIE);
- g_string_append (header, timestamp);
- g_free (timestamp);
+ if (timestamp) {
+ g_string_append (header, "; expires=");
+ g_string_append (header, timestamp);
+ g_free (timestamp);
+ }
}
if (cookie->path) {
g_string_append (header, "; path=");
diff --unified --recursive --text --new-file --color libsoup-3.6.5/libsoup/server/soup-server.c libsoup-3.6.5.new/libsoup/server/soup-server.c
--- libsoup-3.6.5/libsoup/server/soup-server.c 2025-03-22 02:30:16.000000000 +0800
+++ libsoup-3.6.5.new/libsoup/server/soup-server.c 2025-10-16 11:12:03.270673884 +0800
@@ -852,6 +852,11 @@
date = g_date_time_new_now_utc ();
date_string = soup_date_time_to_string (date, SOUP_DATE_HTTP);
+ if (!date_string) {
+ g_date_time_unref (date);
+ return;
+ }
+
soup_message_headers_replace_common (headers, SOUP_HEADER_DATE, date_string);
g_free (date_string);
g_date_time_unref (date);
diff --unified --recursive --text --new-file --color libsoup-3.6.5/libsoup/soup-date-utils.c libsoup-3.6.5.new/libsoup/soup-date-utils.c
--- libsoup-3.6.5/libsoup/soup-date-utils.c 2025-03-22 02:30:16.000000000 +0800
+++ libsoup-3.6.5.new/libsoup/soup-date-utils.c 2025-10-16 11:11:23.234306968 +0800
@@ -92,6 +92,9 @@
* @date if it's non-UTC.
*/
GDateTime *utcdate = g_date_time_to_utc (date);
+ if (!utcdate)
+ return NULL;
+
char *date_format;
char *formatted_date;

108
libsoup-CVE-2026-0716.patch Normal file
View File

@@ -0,0 +1,108 @@
From 149750d7350c1d25b00bdb8355ad58d3864f902b Mon Sep 17 00:00:00 2001
From: Mike Gorse <mgorse@suse.com>
Date: Sun, 11 Jan 2026 10:52:14 -0600
Subject: [PATCH] websocket: Fix out-of-bounds read in process_frame
If the maximum incoming payload size is unset, then a malicious frame could
cause an overflow when calculating the needed amount of data, leading to an
out-of-bounds read later.
This is CVE-2026-0716.
Closes #476
---
libsoup/websocket/soup-websocket-connection.c | 8 +++-
tests/websocket-test.c | 44 +++++++++++++++++++
2 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
index 30df9841..42867be3 100644
--- a/libsoup/websocket/soup-websocket-connection.c
+++ b/libsoup/websocket/soup-websocket-connection.c
@@ -1028,6 +1028,7 @@ process_frame (SoupWebsocketConnection *self)
guint8 opcode;
gsize len;
gsize at;
+ gsize required;
GBytes *filtered_bytes;
GList *l;
GError *error = NULL;
@@ -1123,7 +1124,12 @@ process_frame (SoupWebsocketConnection *self)
payload += 4;
at += 4;
- if (len < at + payload_len)
+ if (!g_size_checked_add (&required, (gsize) at, (gsize) payload_len)) {
+ bad_data_error_and_close (self);
+ return FALSE;
+ }
+
+ if (len < required)
return FALSE; /* need more data */
xor_with_mask (mask, payload, payload_len);
diff --git a/tests/websocket-test.c b/tests/websocket-test.c
index 194b966a..e887091d 100644
--- a/tests/websocket-test.c
+++ b/tests/websocket-test.c
@@ -2215,6 +2215,41 @@ test_connection_error (void)
soup_test_session_abort_unref (session);
}
+static void
+test_cve_2026_0716 (Test *test,
+ gconstpointer unused)
+{
+ GError *error = NULL;
+ GIOStream *io;
+ gsize written;
+ const char *frame;
+ gboolean close_event = FALSE;
+
+ g_signal_handlers_disconnect_by_func (test->server, on_error_not_reached, NULL);
+ g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
+ g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
+
+ io = soup_websocket_connection_get_io_stream (test->client);
+
+ soup_websocket_connection_set_max_incoming_payload_size (test->server, 0);
+
+ // Malicious masked frame header (10-byte header + 4-byte mask) */
+ frame = "\x82\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xaa\xbb\xcc\xdd";
+ if (!g_output_stream_write_all (g_io_stream_get_output_stream (io),
+ frame, 14, &written, NULL, NULL))
+ g_assert_cmpstr ("This code", ==, "should not be reached");
+ g_assert_cmpuint (written, ==, 14);
+
+ WAIT_UNTIL (error != NULL);
+ g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
+ g_clear_error (&error);
+
+ WAIT_UNTIL (soup_websocket_connection_get_state (test->client) == SOUP_WEBSOCKET_STATE_CLOSED);
+ g_assert_true (close_event);
+
+ g_assert_cmpuint (soup_websocket_connection_get_close_code (test->client), ==, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
+}
+
int
main (int argc,
char *argv[])
@@ -2465,6 +2500,15 @@ main (int argc,
g_test_add_func ("/websocket/soup/connection-error", test_connection_error);
+ g_test_add ("/websocket/direct/cve-2026-0716", Test, NULL,
+ setup_direct_connection,
+ test_cve_2026_0716,
+ teardown_direct_connection);
+ g_test_add ("/websocket/soup/cve-2026-0716", Test, NULL,
+ setup_soup_connection,
+ test_cve_2026_0716,
+ teardown_soup_connection);
+
ret = g_test_run ();
test_cleanup ();
--
GitLab

152
libsoup-CVE-2026-0719.patch Normal file
View File

@@ -0,0 +1,152 @@
From c8f4979ebf1a701e2222661556b3e735b99b3341 Mon Sep 17 00:00:00 2001
From: Mike Gorse <mgorse@suse.com>
Date: Thu, 8 Jan 2026 16:19:37 -0600
Subject: [PATCH] soup-auth-ntlm: Use unsigned ints for byte counts in md4sum
Otherwise, the variables could overflow if the password is long enough,
leading to an out-of-bounds memory access.
This is CVE-2026-0719.
Closes #477.
---
libsoup/auth/soup-auth-ntlm.c | 13 ++++---
tests/ntlm-test.c | 64 +++++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+), 5 deletions(-)
diff --git a/libsoup/auth/soup-auth-ntlm.c b/libsoup/auth/soup-auth-ntlm.c
index 7108a32c3..ef26ff40a 100644
--- a/libsoup/auth/soup-auth-ntlm.c
+++ b/libsoup/auth/soup-auth-ntlm.c
@@ -604,7 +604,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class)
}
static void md4sum (const unsigned char *in,
- int nbytes,
+ size_t nbytes,
unsigned char digest[16]);
typedef guint32 DES_KS[16][2]; /* Single-key DES key schedule */
@@ -650,7 +650,7 @@ soup_ntlm_nt_hash (const char *password, guchar hash[21])
{
unsigned char *buf, *p;
- p = buf = g_malloc (strlen (password) * 2);
+ p = buf = g_malloc_n (strlen (password), 2);
while (*password) {
*p++ = *password++;
@@ -1092,15 +1092,16 @@ calc_response (const guchar *key, const guchar *plaintext, guchar *results)
#define ROT(val, n) ( ((val) << (n)) | ((val) >> (32 - (n))) )
static void
-md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
+md4sum (const unsigned char *in, size_t nbytes, unsigned char digest[16])
{
unsigned char *M;
guint32 A, B, C, D, AA, BB, CC, DD, X[16];
- int pbytes, nbits = nbytes * 8, i, j;
+ size_t pbytes, nbits = nbytes * 8;
+ int i, j;
/* There is *always* padding of at least one bit. */
pbytes = ((119 - (nbytes % 64)) % 64) + 1;
- M = alloca (nbytes + pbytes + 8);
+ M = g_malloc (nbytes + pbytes + 8);
memcpy (M, in, nbytes);
memset (M + nbytes, 0, pbytes + 8);
M[nbytes] = 0x80;
@@ -1200,6 +1201,8 @@ md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
digest[13] = (D >> 8) & 0xFF;
digest[14] = (D >> 16) & 0xFF;
digest[15] = (D >> 24) & 0xFF;
+
+ g_free (M);
}
diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c
index a92a21c8c..5080f8e61 100644
--- a/tests/ntlm-test.c
+++ b/tests/ntlm-test.c
@@ -714,6 +714,67 @@ do_retrying_test (TestServer *ts,
soup_test_session_abort_unref (session);
}
+static gboolean
+long_password_test_authenticate (SoupMessage *msg,
+ SoupAuth *auth,
+ gboolean retrying,
+ gpointer user)
+{
+ size_t l = 2147483647;
+ char *password;
+ char tmp[10000];
+ size_t i;
+
+ password = (char *)g_malloc (l);
+
+ for (i = 0; i < 10000; i++) {
+ tmp[i] = 'A';
+ }
+ for (i = 0; i < l/10000; i++) {
+ memcpy (password + i * 10000, tmp, 10000);
+ }
+ memcpy (password + l - 1 - 10000, tmp, 10000);
+
+ soup_auth_authenticate (auth, "alice", password);
+
+ g_free (password);
+ return TRUE;
+}
+
+static void
+do_long_password_test (TestServer *ts,
+ gconstpointer data)
+{
+ SoupSession *session;
+ SoupMessage *msg;
+ GUri *uri;
+ GBytes *body;
+
+#ifndef __SANITIZE_ADDRESS__
+ g_test_skip ("Slow, allocates a large amount of memory, and needs asan");
+ return;
+#endif
+
+ session = soup_test_session_new (NULL);
+ soup_session_add_feature_by_type (session, SOUP_TYPE_AUTH_NTLM);
+ soup_session_set_proxy_resolver(session, NULL);
+
+ uri = g_uri_parse_relative (ts->uri, "/alice", SOUP_HTTP_URI_FLAGS, NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+ g_signal_connect (msg, "authenticate",
+ G_CALLBACK (long_password_test_authenticate), NULL);
+ g_uri_unref (uri);
+
+ body = soup_session_send_and_read (session, msg, NULL, NULL);
+
+ soup_test_assert_message_status (msg, SOUP_STATUS_OK);
+
+ g_bytes_unref (body);
+ g_object_unref (msg);
+
+ soup_test_session_abort_unref (session);
+}
+
int
main (int argc, char **argv)
{
@@ -737,6 +798,9 @@ main (int argc, char **argv)
g_test_add ("/ntlm/retry", TestServer, NULL,
setup_server, do_retrying_test, teardown_server);
+ g_test_add ("/ntlm/long-password", TestServer, NULL,
+ setup_server, do_long_password_test, teardown_server);
+
ret = g_test_run ();
test_cleanup ();
--
GitLab

22
libsoup.changes
View File

@@ -1,3 +1,25 @@
-------------------------------------------------------------------
Wed Jan 14 03:23:23 UTC 2026 - Alynx Zhou <alynx.zhou@suse.com>
- Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for
websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494).
- Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum
(bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493).
-------------------------------------------------------------------
Thu Oct 16 03:31:36 UTC 2025 - Alynx Zhou <alynx.zhou@suse.com>
- Update libsoup-CVE-2025-11021.patch: Add NULL check for
soup_date_time_to_string() (bsc#1250562, CVE-2025-11021,
glgo#GNOME/libsoup!483).
-------------------------------------------------------------------
Sat Oct 11 08:43:16 UTC 2025 - Alynx Zhou <alynx.zhou@suse.com>
- Add libsoup-CVE-2025-11021.patch: Ignore invalid date when
processing cookies to prevent out-of-bounds read (bsc#1250562,
CVE-2025-11021, glgo#GNOME/libsoup!482).
-------------------------------------------------------------------
Wed Jun 18 14:56:51 UTC 2025 - Michael Gorse <mgorse@suse.com>

6
libsoup.spec
View File

@@ -40,6 +40,12 @@ Patch4: libsoup-CVE-2025-4948.patch
Patch5: libsoup-CVE-2025-4969.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-4945.patch boo#1243314 mgorse@suse.com -- add value checks for date/time parsing.
Patch6: libsoup-CVE-2025-4945.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2025-11021.patch bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!482 alynx.zhou@suse.com -- Ignore invalid date when processing cookie
Patch7: libsoup-CVE-2025-11021.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2026-0719.patch bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493 alynx.zhou@suse.com -- Fix overflow for password md4sum
Patch9: libsoup-CVE-2026-0719.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2026-0716.patch bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494 alynx.zhou@suse.com -- Fix out-of-bounds read for websocket
Patch10: libsoup-CVE-2026-0716.patch
BuildRequires: glib-networking
BuildRequires: meson >= 0.53