- Add 04df03bc.patch: strictly don't allow NUL bytes in headers
  (boo#1233285 CVE-2024-52530 glgo#GNOME/libsoup#377).
- Add libsoup-CVE-2024-52532.patch: websocket: Process the frame as
  soon as we read data (boo#1233287 CVE-2024-52532).
- Add 29b96fab.patch: websocket-test: disconnect error copy after
  the test ends (glgo#GNOME/libsoup#391).
- Add a35222dd.patch: be more robust against invalid input when
  parsing params (boo#1233292 CVE-2024-52531
  glgo#GNOME/libsoup!407).

OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/libsoup2?expand=0&rev=13
Bjørn Lie 2024-11-13 07:23:54 +00:00 committed by Git OBS Bridge
commit 5b8cb29a58
15 changed files with 4408 additions and 0 deletions

23
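--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text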

1
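--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc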

145
04df03bc.patch Normal file

@ -0,0 +1,145 @@
From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Mon, 8 Jul 2024 12:33:15 -0500
Subject: [PATCH] headers: Strictly don't allow NUL bytes
In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
---
libsoup/soup-headers.c | 15 +++------
tests/header-parsing-test.c | 62 +++++++++++++++++--------------------
2 files changed, 32 insertions(+), 45 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index a0cf351ac..f30ee467a 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
* ignorable trailing whitespace.
*/
+ /* No '\0's are allowed */
+ if (memchr (str, '\0', len))
+ return FALSE;
+
/* Skip over the Request-Line / Status-Line */
headers_start = memchr (str, '\n', len);
if (!headers_start)
return FALSE;
- /* No '\0's in the Request-Line / Status-Line */
- if (memchr (str, '\0', headers_start - str))
- return FALSE;
/* We work on a copy of the headers, which we can write '\0's
* into, so that we don't have to individually g_strndup and
@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
headers_copy[copy_len] = '\0';
value_end = headers_copy;
- /* There shouldn't be any '\0's in the headers already, but
- * this is the web we're talking about.
- */
- while ((p = memchr (headers_copy, '\0', copy_len))) {
- memmove (p, p + 1, copy_len - (p - headers_copy));
- copy_len--;
- }
-
while (*(value_end + 1)) {
name = value_end + 1;
name_end = strchr (name, ':');
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index edf8eebb3..715c2c6f2 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -358,24 +358,6 @@ static struct RequestTest {
}
},
- { "NUL in header name", "760832",
- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "example.com" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "examplecom" },
- { NULL }
- }
- },
-
/************************/
/*** INVALID REQUESTS ***/
/************************/
@@ -448,6 +430,21 @@ static struct RequestTest {
SOUP_STATUS_EXPECTATION_FAILED,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+ { "NUL in header name", NULL,
+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
+ { "NUL in header value", NULL,
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
@@ -620,22 +617,6 @@ static struct ResponseTest {
{ NULL } }
},
- { "NUL in header name", "760832",
- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
/********************************/
/*** VALID CONTINUE RESPONSES ***/
/********************************/
@@ -768,6 +749,19 @@ static struct ResponseTest {
{ { NULL }
}
},
+
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+ { "NUL in header name", NULL,
+ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
+
+ { "NUL in header value", "760832",
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
};
static const int num_resptests = G_N_ELEMENTS (resptests);
--
GitLab
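Review bot: In the `reqtests` additions to tests/header-parsing-test.c, the "NUL in header value" case feeds a status line (`"HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28`) to the request parser. That input would most likely be rejected as a malformed Request-Line whether or not the new `memchr (str, '\0', len)` guard in soup_headers_parse() is present, so it does not prove the guard works for request header values. The removed request case used `"GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35`; reusing that input with `SOUP_STATUS_BAD_REQUEST` would cover the value path. The `resptests` "NUL in header value" entry also still carries the old bug id `"760832"`, while the other three new entries use `NULL`.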

38
29b96fab.patch Normal file

@ -0,0 +1,38 @@
From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
From: Ignacio Casal Quinteiro <qignacio@amazon.com>
Date: Wed, 2 Oct 2024 11:17:19 +0200
Subject: [PATCH] websocket-test: disconnect error copy after the test ends
Otherwise the server will have already sent a few more wrong
bytes and the client will continue getting errors to copy
but the error is already != NULL and it will assert
---
tests/websocket-test.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/websocket-test.c b/tests/websocket-test.c
index 06c443bb5..6a48c1f9b 100644
--- a/tests/websocket-test.c
+++ b/tests/websocket-test.c
@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test,
GError *error = NULL;
InvalidEncodeLengthTest context = { test, NULL };
guint i;
+ guint error_id;
- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
/* We use 127(\x7f) as payload length with 65535 extended length */
@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test,
WAIT_UNTIL (error != NULL || received != NULL);
g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
g_clear_error (&error);
+ g_signal_handler_disconnect (test->client, error_id);
g_assert_null (received);
g_thread_join (thread);
--
GitLab
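Review bot: `error_id` is declared `guint`, but `g_signal_connect ()` returns a `gulong` and `g_signal_handler_disconnect ()` takes one, so the handler id is narrowed on LP64 platforms. Declare it as `gulong error_id;`. Handler ids are small in practice, so this is a type-correctness point rather than a functional failure. The body of test_receive_invalid_encode_length_64() continues outside both hunks.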

165
48b3b611.patch Normal file

@ -0,0 +1,165 @@
From 48b3b61154389b377f6cd20ea72e57b62c9256e8 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@endlessos.org>
Date: Thu, 13 Apr 2023 12:32:04 +0100
Subject: [PATCH] lib: Add names to various GSources
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This helps in identifying whats attached to a `GMainContext` when
debugging runtime problems with libsoup.
The names added in `soup-misc.c` are fairly rough; if they turn out to
not be specific enough, those methods could be changed to accept a
`const gchar *name` argument so the caller can provide a more specific
name.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
---
libsoup/soup-message-io.c | 4 ++++
libsoup/soup-misc.c | 20 ++++++++++++++++++++
libsoup/soup-socket.c | 7 +++++++
libsoup/soup-websocket-connection.c | 20 ++++++++++++++++++++
4 files changed, 51 insertions(+)
diff --git a/libsoup/soup-message-io.c b/libsoup/soup-message-io.c
index c5412abb2..8d69f18d6 100644
--- a/libsoup/soup-message-io.c
+++ b/libsoup/soup-message-io.c
@@ -927,7 +927,11 @@ soup_message_io_get_source (SoupMessage *msg, GCancellable *cancellable,
source = g_source_new (&message_source_funcs,
sizeof (SoupMessageSource));
+#if GLIB_CHECK_VERSION(2, 70, 0)
+ g_source_set_static_name (source, "SoupMessageSource");
+#else
g_source_set_name (source, "SoupMessageSource");
+#endif
message_source = (SoupMessageSource *)source;
message_source->msg = g_object_ref (msg);
message_source->paused = io && io->paused;
diff --git a/libsoup/soup-misc.c b/libsoup/soup-misc.c
index 2cf6b0f6a..170fa15a2 100644
--- a/libsoup/soup-misc.c
+++ b/libsoup/soup-misc.c
@@ -83,6 +83,11 @@ soup_add_io_watch (GMainContext *async_context,
GIOFunc function, gpointer data)
{
GSource *watch = g_io_create_watch (chan, condition);
+#if GLIB_CHECK_VERSION(2, 70, 0)
+ g_source_set_static_name (watch, "SoupIOWatch");
+#else
+ g_source_set_name (watch, "SoupIOWatch");
+#endif
g_source_set_callback (watch, (GSourceFunc) function, data, NULL);
g_source_attach (watch, async_context);
g_source_unref (watch);
@@ -111,6 +116,11 @@ soup_add_idle (GMainContext *async_context,
GSourceFunc function, gpointer data)
{
GSource *source = g_idle_source_new ();
+#if GLIB_CHECK_VERSION(2, 70, 0)
+ g_source_set_static_name (source, "SoupIdle");
+#else
+ g_source_set_name (source, "SoupIdle");
+#endif
g_source_set_callback (source, function, data, NULL);
g_source_attach (source, async_context);
g_source_unref (source);
@@ -125,6 +135,11 @@ soup_add_completion_reffed (GMainContext *async_context,
{
GSource *source = g_idle_source_new ();
+#if GLIB_CHECK_VERSION(2, 70, 0)
+ g_source_set_static_name (source, "SoupCompletion");
+#else
+ g_source_set_name (source, "SoupCompletion");
+#endif
g_source_set_priority (source, G_PRIORITY_DEFAULT);
g_source_set_callback (source, function, data, dnotify);
g_source_attach (source, async_context);
@@ -178,6 +193,11 @@ soup_add_timeout (GMainContext *async_context,
GSourceFunc function, gpointer data)
{
GSource *source = g_timeout_source_new (interval);
+#if GLIB_CHECK_VERSION(2, 70, 0)
+ g_source_set_static_name (source, "SoupTimeout");
+#else
+ g_source_set_name (source, "SoupTimeout");
+#endif
g_source_set_callback (source, function, data, NULL);
g_source_attach (source, async_context);
g_source_unref (source);
diff --git a/libsoup/soup-socket.c b/libsoup/soup-socket.c
index 0ec451032..53b5c584b 100644
--- a/libsoup/soup-socket.c
+++ b/libsoup/soup-socket.c
@@ -1203,6 +1203,13 @@ soup_socket_create_watch (SoupSocketPrivate *priv, GIOCondition cond,
watch = g_pollable_input_stream_create_source (G_POLLABLE_INPUT_STREAM (priv->istream), cancellable);
else
watch = g_pollable_output_stream_create_source (G_POLLABLE_OUTPUT_STREAM (priv->ostream), cancellable);
+
+#if GLIB_CHECK_VERSION(2, 70, 0)
+ g_source_set_static_name (watch, "SoupSocket watch");
+#else
+ g_source_set_name (watch, "SoupSocket watch");
+#endif
+
g_source_set_callback (watch, (GSourceFunc)callback, user_data, NULL);
g_source_attach (watch, priv->async_context);
diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
index a4095e1c9..6d136d411 100644
--- a/libsoup/soup-websocket-connection.c
+++ b/libsoup/soup-websocket-connection.c
@@ -306,6 +306,11 @@ soup_websocket_connection_start_input_source (SoupWebsocketConnection *self)
return;
pv->input_source = g_pollable_input_stream_create_source (pv->input, NULL);
+#if GLIB_CHECK_VERSION(2, 70, 0)
+ g_source_set_static_name (pv->input_source, "SoupWebsocketConnection input");
+#else
+ g_source_set_name (pv->input_source, "SoupWebsocketConnection input");
+#endif
g_source_set_callback (pv->input_source, (GSourceFunc)on_web_socket_input, self, NULL);
g_source_attach (pv->input_source, pv->main_context);
}
@@ -332,6 +337,11 @@ soup_websocket_connection_start_output_source (SoupWebsocketConnection *self)
return;
pv->output_source = g_pollable_output_stream_create_source (pv->output, NULL);
+#if GLIB_CHECK_VERSION(2, 70, 0)
+ g_source_set_static_name (pv->output_source, "SoupWebsocketConnection output");
+#else
+ g_source_set_name (pv->output_source, "SoupWebsocketConnection output");
+#endif
g_source_set_callback (pv->output_source, (GSourceFunc)on_web_socket_output, self, NULL);
g_source_attach (pv->output_source, pv->main_context);
}
@@ -444,6 +454,11 @@ close_io_after_timeout (SoupWebsocketConnection *self)
g_debug ("waiting %d seconds for peer to close io", timeout);
pv->close_timeout = g_timeout_source_new_seconds (timeout);
+#if GLIB_CHECK_VERSION(2, 70, 0)
+ g_source_set_static_name (pv->close_timeout, "SoupWebsocketConnection close timeout");
+#else
+ g_source_set_name (pv->close_timeout, "SoupWebsocketConnection close timeout");
+#endif
g_source_set_callback (pv->close_timeout, on_timeout_close_io, self, NULL);
g_source_attach (pv->close_timeout, pv->main_context);
}
@@ -2207,6 +2222,11 @@ soup_websocket_connection_set_keepalive_interval (SoupWebsocketConnection *self,
if (interval > 0) {
pv->keepalive_timeout = g_timeout_source_new_seconds (interval);
+#if GLIB_CHECK_VERSION(2, 70, 0)
+ g_source_set_static_name (pv->keepalive_timeout, "SoupWebsocketConnection keepalive timeout");
+#else
+ g_source_set_name (pv->keepalive_timeout, "SoupWebsocketConnection keepalive timeout");
+#endif
g_source_set_callback (pv->keepalive_timeout, on_queue_ping, self, NULL);
g_source_attach (pv->keepalive_timeout, pv->main_context);
}
--
GitLab

191
4d12c3e5.patch Normal file

@ -0,0 +1,191 @@
From 4d12c3e5769952ad0bfa318f4569d90a9d9a5085 Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@endlessos.org>
Date: Thu, 13 Apr 2023 12:25:37 +0100
Subject: [PATCH] lib: Add g_task_set_source_tag() everywhere
This makes it easier to identify what a `GTask` instance is when
debugging a running process.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
---
libsoup/soup-address.c | 2 ++
libsoup/soup-client-input-stream.c | 1 +
libsoup/soup-connection.c | 2 ++
libsoup/soup-io-stream.c | 1 +
libsoup/soup-multipart-input-stream.c | 1 +
libsoup/soup-proxy-resolver-wrapper.c | 1 +
libsoup/soup-request-file.c | 1 +
libsoup/soup-request-http.c | 1 +
libsoup/soup-request.c | 1 +
libsoup/soup-session.c | 3 +++
libsoup/soup-socket.c | 2 ++
11 files changed, 16 insertions(+)
diff --git a/libsoup/soup-address.c b/libsoup/soup-address.c
index 574e982f2..bcd3e9e7f 100644
--- a/libsoup/soup-address.c
+++ b/libsoup/soup-address.c
@@ -1209,6 +1209,8 @@ soup_address_address_enumerator_next_async (GSocketAddressEnumerator *enumerato
GTask *task;
task = g_task_new (enumerator, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_address_address_enumerator_next_async);
+
if (!priv->sockaddr) {
soup_address_resolve_async (addr_enum->addr,
g_main_context_get_thread_default (),
diff --git a/libsoup/soup-client-input-stream.c b/libsoup/soup-client-input-stream.c
index e73ec9e63..c5484501e 100644
--- a/libsoup/soup-client-input-stream.c
+++ b/libsoup/soup-client-input-stream.c
@@ -189,6 +189,7 @@ soup_client_input_stream_close_async (GInputStream *stream,
GSource *source;
task = g_task_new (stream, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_client_input_stream_close_async);
g_task_set_priority (task, priority);
if (close_async_ready (cistream->priv->msg, task) == G_SOURCE_CONTINUE) {
diff --git a/libsoup/soup-connection.c b/libsoup/soup-connection.c
index 1b9a4fee8..8d4fee8d1 100644
--- a/libsoup/soup-connection.c
+++ b/libsoup/soup-connection.c
@@ -418,6 +418,7 @@ soup_connection_connect_async (SoupConnection *conn,
soup_socket_properties_push_async_context (priv->socket_props);
task = g_task_new (conn, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_connection_connect_async);
soup_socket_connect_async_internal (priv->socket, cancellable,
socket_connect_complete, task);
@@ -546,6 +547,7 @@ soup_connection_start_ssl_async (SoupConnection *conn,
soup_socket_properties_push_async_context (priv->socket_props);
task = g_task_new (conn, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_connection_start_ssl_async);
soup_socket_handshake_async (priv->socket, priv->remote_uri->host,
cancellable, start_ssl_completed, task);
diff --git a/libsoup/soup-io-stream.c b/libsoup/soup-io-stream.c
index 8daca38d6..3da1d614b 100644
--- a/libsoup/soup-io-stream.c
+++ b/libsoup/soup-io-stream.c
@@ -160,6 +160,7 @@ soup_io_stream_close_async (GIOStream *stream,
GTask *task;
task = g_task_new (stream, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_io_stream_close_async);
g_io_stream_close_async (SOUP_IO_STREAM (stream)->priv->base_iostream,
io_priority, cancellable,
close_async_complete, task);
diff --git a/libsoup/soup-multipart-input-stream.c b/libsoup/soup-multipart-input-stream.c
index 535dd6ec4..209eb9a32 100644
--- a/libsoup/soup-multipart-input-stream.c
+++ b/libsoup/soup-multipart-input-stream.c
@@ -528,6 +528,7 @@ soup_multipart_input_stream_next_part_async (SoupMultipartInputStream *multipart
g_return_if_fail (SOUP_IS_MULTIPART_INPUT_STREAM (multipart));
task = g_task_new (multipart, cancellable, callback, data);
+ g_task_set_source_tag (task, soup_multipart_input_stream_next_part_async);
g_task_set_priority (task, io_priority);
if (!g_input_stream_set_pending (stream, &error)) {
diff --git a/libsoup/soup-proxy-resolver-wrapper.c b/libsoup/soup-proxy-resolver-wrapper.c
index e07664ca9..e787ff095 100644
--- a/libsoup/soup-proxy-resolver-wrapper.c
+++ b/libsoup/soup-proxy-resolver-wrapper.c
@@ -92,6 +92,7 @@ soup_proxy_resolver_wrapper_lookup_async (GProxyResolver *resolver,
SoupURI *source_uri;
task = g_task_new (resolver, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_proxy_resolver_wrapper_lookup_async);
source_uri = soup_uri_new (uri);
g_task_set_task_data (task, source_uri, (GDestroyNotify) soup_uri_free);
diff --git a/libsoup/soup-request-file.c b/libsoup/soup-request-file.c
index c402a5b4c..6d3e9fa3b 100644
--- a/libsoup/soup-request-file.c
+++ b/libsoup/soup-request-file.c
@@ -301,6 +301,7 @@ soup_request_file_send_async (SoupRequest *request,
GError *error = NULL;
task = g_task_new (request, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_request_file_send_async);
if (!soup_request_file_ensure_file (file, cancellable, &error)) {
g_task_return_error (task, error);
diff --git a/libsoup/soup-request-http.c b/libsoup/soup-request-http.c
index 285f59d7a..a608d3a2d 100644
--- a/libsoup/soup-request-http.c
+++ b/libsoup/soup-request-http.c
@@ -140,6 +140,7 @@ soup_request_http_send_async (SoupRequest *request,
g_return_if_fail (!SOUP_IS_SESSION_SYNC (session));
task = g_task_new (request, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_request_http_send_async);
soup_session_send_async (session, http->priv->msg, cancellable,
http_input_stream_ready_cb, task);
}
diff --git a/libsoup/soup-request.c b/libsoup/soup-request.c
index 61980c78a..6c11c32c4 100644
--- a/libsoup/soup-request.c
+++ b/libsoup/soup-request.c
@@ -177,6 +177,7 @@ soup_request_default_send_async (SoupRequest *request,
GError *error = NULL;
task = g_task_new (request, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_request_default_send_async);
stream = soup_request_send (request, cancellable, &error);
if (stream)
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index 83421ef9d..c74b1b886 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -4355,6 +4355,7 @@ soup_session_send_async (SoupSession *session,
item->new_api = TRUE;
item->task = g_task_new (session, item->cancellable, callback, user_data);
+ g_task_set_source_tag (item->task, soup_session_send_async);
g_task_set_task_data (item->task, item, (GDestroyNotify) soup_message_queue_item_unref);
/* Do not check for cancellations as we do not want to
@@ -4961,6 +4962,7 @@ soup_session_websocket_connect_async (SoupSession *session,
soup_message_set_flags (msg, flags | SOUP_MESSAGE_NEW_CONNECTION);
task = g_task_new (session, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_session_websocket_connect_async);
item = soup_session_append_queue_item (session, msg, TRUE, FALSE,
websocket_connect_async_complete, task);
g_task_set_task_data (task, item, (GDestroyNotify) soup_message_queue_item_unref);
@@ -5108,6 +5110,7 @@ soup_session_connect_async (SoupSession *session,
g_return_if_fail (uri != NULL);
task = g_task_new (session, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_session_connect_async);
msg = soup_message_new_from_uri (SOUP_METHOD_HEAD, uri);
soup_message_set_flags (msg, SOUP_MESSAGE_NEW_CONNECTION);
diff --git a/libsoup/soup-socket.c b/libsoup/soup-socket.c
index 7ad484308..0ec451032 100644
--- a/libsoup/soup-socket.c
+++ b/libsoup/soup-socket.c
@@ -970,6 +970,7 @@ soup_socket_connect_async_internal (SoupSocket *sock,
priv->connect_cancel = cancellable ? g_object_ref (cancellable) : g_cancellable_new ();
task = g_task_new (sock, priv->connect_cancel, callback, user_data);
+ g_task_set_source_tag (task, soup_socket_connect_async_internal);
client = new_socket_client (sock);
g_socket_client_connect_async (client,
@@ -1536,6 +1537,7 @@ soup_socket_handshake_async (SoupSocket *sock,
GError *error = NULL;
task = g_task_new (sock, cancellable, callback, user_data);
+ g_task_set_source_tag (task, soup_socket_handshake_async);
if (!soup_socket_setup_ssl (sock, ssl_host, cancellable, &error)) {
g_task_return_error (task, error);
--
GitLab

129
a35222dd.patch Normal file

@ -0,0 +1,129 @@
From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 27 Aug 2024 13:53:26 -0500
Subject: [PATCH] headers: Be more robust against invalid input when parsing
params
If you pass invalid input to a function such as soup_header_parse_param_list_strict()
it can cause an overflow if it decodes the input to UTF-8.
This should never happen with valid UTF-8 input which libsoup's client API
ensures, however it's server API does not currently.
---
libsoup/soup-headers.c | 46 ++++++++++++++++++++++--------------------
1 file changed, 24 insertions(+), 22 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index f30ee467..613e1905 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -646,8 +646,9 @@ soup_header_contains (const char *header, const char *token)
}
static void
-decode_quoted_string (char *quoted_string)
+decode_quoted_string_inplace (GString *quoted_gstring)
{
+ char *quoted_string = quoted_gstring->str;
char *src, *dst;
src = quoted_string + 1;
@@ -661,10 +662,11 @@ decode_quoted_string (char *quoted_string)
}
static gboolean
-decode_rfc5987 (char *encoded_string)
+decode_rfc5987_inplace (GString *encoded_gstring)
{
char *q, *decoded;
gboolean iso_8859_1 = FALSE;
+ const char *encoded_string = encoded_gstring->str;
q = strchr (encoded_string, '\'');
if (!q)
@@ -696,14 +698,7 @@ decode_rfc5987 (char *encoded_string)
decoded = utf8;
}
- /* If encoded_string was UTF-8, then each 3-character %-escape
- * will be converted to a single byte, and so decoded is
- * shorter than encoded_string. If encoded_string was
- * iso-8859-1, then each 3-character %-escape will be
- * converted into at most 2 bytes in UTF-8, and so it's still
- * shorter.
- */
- strcpy (encoded_string, decoded);
+ g_string_assign (encoded_gstring, decoded);
g_free (decoded);
return TRUE;
}
@@ -713,15 +708,17 @@ parse_param_list (const char *header, char delim, gboolean strict)
{
GHashTable *params;
GSList *list, *iter;
- char *item, *eq, *name_end, *value;
- gboolean override, duplicated;
params = g_hash_table_new_full (soup_str_case_hash,
soup_str_case_equal,
- g_free, NULL);
+ g_free, g_free);
list = parse_list (header, delim);
for (iter = list; iter; iter = iter->next) {
+ char *item, *eq, *name_end;
+ gboolean override, duplicated;
+ GString *parsed_value = NULL;
+
item = iter->data;
override = FALSE;
@@ -736,19 +733,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
*name_end = '\0';
- value = (char *)skip_lws (eq + 1);
+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
if (name_end[-1] == '*' && name_end > item + 1) {
name_end[-1] = '\0';
- if (!decode_rfc5987 (value)) {
+ if (!decode_rfc5987_inplace (parsed_value)) {
+ g_string_free (parsed_value, TRUE);
g_free (item);
continue;
}
override = TRUE;
- } else if (*value == '"')
- decode_quoted_string (value);
- } else
- value = NULL;
+ } else if (parsed_value->str[0] == '"')
+ decode_quoted_string_inplace (parsed_value);
+ }
duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
@@ -756,11 +753,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
soup_header_free_param_list (params);
params = NULL;
g_slist_foreach (iter, (GFunc)g_free, NULL);
+ if (parsed_value)
+ g_string_free (parsed_value, TRUE);
break;
- } else if (override || !duplicated)
- g_hash_table_replace (params, item, value);
- else
+ } else if (override || !duplicated) {
+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
+ } else {
+ if (parsed_value)
+ g_string_free (parsed_value, TRUE);
g_free (item);
+ }
}
g_slist_free (list);
--
GitLab
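Review bot: Switching the table's value destroy-notify to `g_free` in parse_param_list() changes the ownership contract of every param list this file returns: values used to point into the key's allocation and are now separate heap strings that the table frees. Any caller outside this patch that replaces a value with a pointer it does not own, such as a pointer into the middle of an existing value, would now free the original while still holding a pointer into it, and later hand an interior pointer to `g_free`. Only soup-headers.c is touched here, so callers that mutate the returned table should be audited and changed to insert `g_strdup`'d values; the Content-Disposition filename handling in soup-message-headers.c is the one I would check first. Separately, decode_quoted_string_inplace() appears to rewrite `quoted_gstring->str` in place, though most of its body is outside the hunk; if the unseen remainder only writes a terminator, `quoted_gstring->len` is left stale, and a closing `g_string_truncate (quoted_gstring, dst - quoted_string);` would keep the GString consistent.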

5
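--- a/baselibs.conf
+++ b/baselibs.conf
@@ -0,0 +1,5 @@
+libsoup-2_4-1
+obsoletes "libsoup-<targettype>"
+libsoup2-devel
+requires -libsoup-<targettype>
+requires "libsoup-2_4-1-<targettype> = <version>"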

43
ced3c5d8.patch Normal file

@ -0,0 +1,43 @@
From ced3c5d8cad0177b297666343f1561799dfefb0d Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Wed, 22 Nov 2023 18:49:10 -0800
Subject: [PATCH] Fix build with libxml2-2.12.0 and clang-17
Fixes build errors about missing function prototypes with clang-17
Fixes
| ../libsoup-2.74.3/libsoup/soup-xmlrpc-old.c:512:8: error: call to undeclared function 'xmlParseMemory'; ISO C99 and later do not support implicit function declarations
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
libsoup/soup-xmlrpc-old.c | 1 +
libsoup/soup-xmlrpc.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/libsoup/soup-xmlrpc-old.c b/libsoup/soup-xmlrpc-old.c
index c57086b6a..527e3b235 100644
--- a/libsoup/soup-xmlrpc-old.c
+++ b/libsoup/soup-xmlrpc-old.c
@@ -11,6 +11,7 @@
#include <string.h>
+#include <libxml/parser.h>
#include <libxml/tree.h>
#include "soup-xmlrpc-old.h"
diff --git a/libsoup/soup-xmlrpc.c b/libsoup/soup-xmlrpc.c
index 42dcda9c7..e991cbf01 100644
--- a/libsoup/soup-xmlrpc.c
+++ b/libsoup/soup-xmlrpc.c
@@ -17,6 +17,7 @@
#include <string.h>
#include <errno.h>
+#include <libxml/parser.h>
#include <libxml/tree.h>
#include "soup-xmlrpc.h"
#include "soup.h"
--
GitLab

BIN
libsoup-2.74.3.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.


@ -0,0 +1,34 @@
From f84fc43fe62e25ca807975fa758f2e3d7737db4f Mon Sep 17 00:00:00 2001
From: Mike Gorse <mgorse@suse.com>
Date: Tue, 12 Nov 2024 17:20:25 -0600
Subject: [PATCH] websocket: process the frame as soon as we read data
Otherwise we can enter in a read loop because we were not
validating the data until the all the data was read.
Fixes #391
Backport of https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3e.patch
---
libsoup/soup-websocket-connection.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
index 6d136d41..2db34d3c 100644
--- a/libsoup/soup-websocket-connection.c
+++ b/libsoup/soup-websocket-connection.c
@@ -1155,9 +1155,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
}
pv->incoming->len = len + count;
- } while (count > 0);
- process_incoming (self);
+ process_incoming (self);
+ } while (count > 0 && !pv->close_sent && !pv->io_closing);
if (end) {
if (!pv->close_sent || !pv->close_received) {
--
2.47.0
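Review bot: The new loop condition `count > 0 && !pv->close_sent && !pv->io_closing` in soup_websocket_connection_read() has no comment, so the reason for the two extra terms lives only in the commit message. I would add, above the `process_incoming (self);` call inside the loop: `/* Validate each chunk as it arrives and stop reading once a close was sent or I/O is shutting down, so invalid frames cannot keep us in this loop. */`. The function starts and ends outside the hunk, so how `process_incoming ()` behaves on the final iteration with `count == 0` cannot be checked from here.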


@ -0,0 +1,14 @@
Index: libsoup-2.72.0/tests/ssl-test.c
===================================================================
--- libsoup-2.72.0.orig/tests/ssl-test.c
+++ libsoup-2.72.0/tests/ssl-test.c
@@ -370,6 +370,9 @@ do_tls_interaction_test (void)
SOUP_TEST_SKIP_IF_NO_TLS;
+ g_test_skip ("Not reliable? See https://gitlab.gnome.org/GNOME/libsoup/issues/120");
+ return;
+
service = g_threaded_socket_service_new (1);
address = g_inet_socket_address_new_from_string ("127.0.0.1", 0);
g_socket_listener_add_address (G_SOCKET_LISTENER (service), address,
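Review bot: The added `g_test_skip (...)` followed by `return;` at the top of do_tls_interaction_test() disables the test unconditionally, so package builds no longer exercise the TLS interaction path and a regression there would pass unnoticed. Everything after the `return;` is now dead code in the packaged test binary. Since the skip message is phrased as a question ("Not reliable?"), I would at least add a comment such as `/* openSUSE: skipped unconditionally; re-enable once libsoup issue 120 is resolved */` so the skip is revisited rather than carried forward indefinitely. The rest of the function is outside the hunk.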


@ -0,0 +1,59 @@
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/177
From 38a65f080a3168e8af78bdd3e4928debeea2dbd8 Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
Date: Thu, 18 Feb 2021 09:13:40 +0100
Subject: [PATCH] Extend test cert to 2049
used certtool -u \
--load-ca-privkey ./tests/test-key.pem \
--load-ca-certificate ./tests/test-cert.pem \
--load-certificate ./tests/test-cert.pem
Without this patch, 3 tests failed in 2027
11/29 misc-test FAIL 0.67s (exit status 1)
21/29 server-test FAIL 0.12s (exit status 1)
25/29 timeout-test FAIL 4.08s (killed by signal 5 SIGTRAP)
Background:
As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future.
The usual offset is +15 years, because that is how long I expect some software will be used in some places.
This showed up failing tests in our package build.
See https://reproducible-builds.org/ for why this matters.
---
tests/test-cert.pem | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/tests/test-cert.pem b/tests/test-cert.pem
index ff863b4d..4b8b180d 100644
--- a/tests/test-cert.pem
+++ b/tests/test-cert.pem
@@ -1,6 +1,6 @@
-----BEGIN CERTIFICATE-----
MIIC2zCCAcOgAwIBAgIJALRbg2WnuAAqMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
-BAMMCTEyNy4wLjAuMTAeFw0xNzA2MjAxNDI3MzBaFw0yNzA2MTgxNDI3MzBaMBQx
+BAMMCTEyNy4wLjAuMTAeFw0yMTAyMTgwODA3MzBaFw00OTEyMzEwODA3MzRaMBQx
EjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAKs4fuRuW77nORhOT9kbbU6BsjKW3GEsMc+ZSmXjINQWpfkES2hV+DQyzhm5
qh4OLi1vYtXoSbdQNDCbA8ybZJqR8m9F3ed8vobdSSQGxWpPdXTgz27x+TpiAc9P
@@ -8,11 +8,11 @@ w83UuPvlu/0AxHJBFXVAg+id0yFu3wmGWYJHoAtvFi2xeRtAXurNuPtjZyO+gfM9
BKTRCkGsRSmPpJyGbU2Q96fjxnVfV9oYvQXeugUcSx/pTUCM/kDgD9QZCxG2rflX
NWcqDFY3uO6ZR68Qwi/KouOa8rzrgAcwhFUI6Wz0Zwi1rzRtWK5WqC24aBUYz/tK
hl8i88UDXSMh7spChdYDBGLhZyUCAwEAAaMwMC4wLAYDVR0RBCUwI4IJbG9jYWxo
-b3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQBj
-+U8tebwg5/pof5Rht6TMHqeg6Fcr4OJkL2ph2g+T/AMTS7kEGeFIKJN5AZ+S/qIY
-cdoDKHwc8+bCK/mG6DPmJ4z/2Eamb85YhplOLVrLRwfxRebTK9CtnjcjnflAiU9H
-7vPVwXIvkwebhBSQNKTdkBlPXKaTNWXuygeFG2OVQkPf/KAxSdtg2R+owv/s802Z
-HISk26wY9oFIQz6AiXWdrY1QqNOltZ7rlU5iofAH7X+9ryZlxPWj/gHg2YQRvvLl
-dq6nCF+ED0ke7h0lg5nU0beKEygwli8DlLVbu0JK0PkARFp5t7wUtzC9DCjzvfOc
-gxR44PyZX7/2oaTDm4PS
+b3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQAz
+/qYTUuBGHgp7T1cfaJPnhx6U1SMfdJRtFoWOXDx+MNCK9GYkdMEabzRGUP5uNHO+
+PiZP/bMIHlpsbRA5AyyVf9Xv8JCujvYh24qYcBbwgZrfvNTm0D52P9JJm0SalTXS
+kwwTj00DWGVfVzJR+wiwYGHRIlyXbHqQSRzv6+z9f/xY5gXw/KpCNYTuOJcXW7w6
+JfMrUnc9pphRUpcLkuuzOMKuB0dtWRc0mZIr7PZHt+0gitNZWA0bDYI3JI9tlK17
+nxBUSpGtJwDgH//b8ek/P0P9a5VzQbBC6lXtQUMdxg7ovfAI//IS8ekBoRKI0Wde
+r2IpM9hKSBU3c2gGXcJC
-----END CERTIFICATE-----
--
GitLab

3376
libsoup2.changes Normal file

File diff suppressed because it is too large Load Diff

182
libsoup2.spec Normal file

@ -0,0 +1,182 @@
#
# spec file for package libsoup2
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: libsoup2
%define _name libsoup
Version: 2.74.3
Release: 0
Summary: HTTP client/server library for GNOME
License: LGPL-2.1-or-later
Group: Development/Libraries/GNOME
URL: https://wiki.gnome.org/Projects/libsoup
Source0: https://download.gnome.org/sources/libsoup/2.74/%{_name}-%{version}.tar.xz
Source99: baselibs.conf
# PATCH-FIX-OPENSUSE disable tls_interaction-test https://gitlab.gnome.org/GNOME/libsoup/issues/120
Patch1: libsoup-skip-tls_interaction-test.patch
# PATCH-FIX-UPSTREAM libsoup2-extend-test-cert.patch boo#1102840 -- Fix tests after 2027
Patch2: libsoup2-extend-test-cert.patch
# PATCH-FIX-UPSTREAM 4d12c3e5.patch -- lib: Add g_task_set_source_tag() everywhere
Patch3: https://gitlab.gnome.org/GNOME/libsoup/-/commit/4d12c3e5.patch
# PATCH-FIX-UPSTREAM 48b3b611.patch -- lib: Add names to various GSources
Patch4: https://gitlab.gnome.org/GNOME/libsoup/-/commit/48b3b611.patch
# PATCH-FIX-UPSTREAM ced3c5d8.patch -- Fix build with libxml2-2.12.0 and clang-17
Patch5: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ced3c5d8.patch
# PATCH-FIX-UPSTREAM 04df03bc.patch boo#1233285 mgorse@suse.com -- strictly don't allow NUL bytes in headers.
Patch6: https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc.patch
# PATCH-FIX-UPSTREAM libsoup-CVE-2024-52532.patch boo#1233287 mgorse@suse.com -- process the frame as soon as we read data.
Patch7: libsoup-CVE-2024-52532.patch
# PATCH-FIX-UPSTREAM 29b96fab.patch boo#1233287 mgorse@suse.com -- websocket-test: disconnect error copy after the test ends.
Patch8: https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab.patch
# PATCH-FIX-UPSTREAM a35222dd.patch boo#1233292 mgorse@suse.com -- be more robust against invalid input when parsing params.
Patch9: https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd.patch
BuildRequires: glib-networking
BuildRequires: meson >= 0.50
BuildRequires: pkgconfig
BuildRequires: pkgconfig(gio-2.0) >= 2.58.0
BuildRequires: pkgconfig(glib-2.0) >= 2.58.0
BuildRequires: pkgconfig(gobject-2.0) >= 2.58.0
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.9.5
BuildRequires: pkgconfig(gtk-doc) >= 1.20
BuildRequires: pkgconfig(krb5)
BuildRequires: pkgconfig(libbrotlidec)
BuildRequires: pkgconfig(libpsl) >= 0.20
BuildRequires: pkgconfig(libxml-2.0)
BuildRequires: pkgconfig(sqlite3)
BuildRequires: pkgconfig(vapigen)
# We do not need these dependencies needed only for tests.
#BuildRequires: apache2-mod_php5 php5-xmlrpc
%description
Libsoup is an HTTP client/server library for GNOME. It uses GObjects
and the glib main loop, to integrate well with GNOME applications.
Features:
* Both asynchronous (GMainLoop and callback-based) and synchronous APIs
* Automatically caches connections
* SSL Support using GnuTLS
* Proxy support, including authentication and SSL tunneling
* Client support for Digest, NTLM, and Basic authentication
* Server support for Digest and Basic authentication
* XML-RPC support
%package -n %{_name}-2_4-1
Summary: HTTP client/server library for GNOME
Group: Development/Libraries/GNOME
Requires: glib-networking >= 2.27.90
# For NTLM single sign on
Suggests: samba-winbind
# Needed to make the lang package installable
Provides: %{name} = %{version}
%description -n %{_name}-2_4-1
Libsoup is an HTTP client/server library for GNOME. It uses GObjects
and the glib main loop, to integrate well with GNOME applications.
Features:
* Both asynchronous (GMainLoop and callback-based) and synchronous APIs
* Automatically caches connections
* SSL Support using GnuTLS
* Proxy support, including authentication and SSL tunneling
* Client support for Digest, NTLM, and Basic authentication
* Server support for Digest and Basic authentication
* XML-RPC support
%package -n typelib-1_0-Soup-2_4
Summary: HTTP client/server library for GNOME -- Introspection bindings
Group: System/Libraries
%description -n typelib-1_0-Soup-2_4
Libsoup is an HTTP client/server library for GNOME. It uses GObjects
and the glib main loop, to integrate well with GNOME applications.
This package provides the GObject Introspection bindings for libsoup.
%package devel
Summary: HTTP client/server library for GNOME - Development Files
Group: Development/Libraries/GNOME
Requires: libsoup-2_4-1 = %{version}
Requires: typelib-1_0-Soup-2_4 = %{version}
Provides: %{_name}-doc = %{version}
Obsoletes: %{_name}-doc < %{version}
%description devel
Libsoup is an HTTP client/server library for GNOME. It uses GObjects
and the glib main loop, to integrate well with GNOME applications.
Features:
* Both asynchronous (GMainLoop and callback-based) and synchronous APIs
* Automatically caches connections
* SSL Support using GnuTLS
* Proxy support, including authentication and SSL tunneling
* Client support for Digest, NTLM, and Basic authentication
* Server support for Digest and Basic authentication
* XML-RPC support
%lang_package
%prep
%autosetup -p1 -n %{_name}-%{version}
%build
%meson \
-Dgssapi=enabled \
-Dkrb5_config="$(which krb5-config)" \
-Dvapi=enabled \
-Dgtk_doc=true \
-Dntlm=disabled \
-Dsysprof=disabled \
%{nil}
%meson_build
%check
# Run the regression tests using GnuTLS NORMAL priority
export G_TLS_GNUTLS_PRIORITY=NORMAL
%meson_test
%install
%meson_install
%find_lang %{_name} %{?no_lang_C}
%ldconfig_scriptlets -n %{_name}-2_4-1
%files -n %{_name}-2_4-1
%license COPYING
%doc NEWS
%{_libdir}/*.so.*
%files -n typelib-1_0-Soup-2_4
%{_libdir}/girepository-1.0/Soup-2.4.typelib
%{_libdir}/girepository-1.0/SoupGNOME-2.4.typelib
%files devel
%doc AUTHORS README
%{_includedir}/libsoup-2.4
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%{_includedir}/libsoup-gnome-2.4
%doc %{_datadir}/gtk-doc/html/libsoup-2.4
%{_datadir}/gir-1.0/Soup-2.4.gir
%{_datadir}/gir-1.0/SoupGNOME-2.4.gir
%dir %{_datadir}/vala/vapi/
%{_datadir}/vala/vapi/libsoup-2.4.vapi
%{_datadir}/vala/vapi/libsoup-2.4.deps
%files lang -f %{_name}.lang
%changelog
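Review bot: The tag comments on Patch6, Patch7 and Patch9 give only boo# numbers, so the spec alone does not show which CVE each patch closes, although the commit message does. I would add the ids from the commit message, e.g. `# PATCH-FIX-UPSTREAM 04df03bc.patch boo#1233285 CVE-2024-52530 mgorse@suse.com -- strictly don't allow NUL bytes in headers.`, and likewise CVE-2024-52532 on Patch7 and CVE-2024-52531 on Patch9, so an auditor can match each fix to its advisory without opening the changelog. Patch8 is tagged boo#1233287 here while the commit message lists it under glgo#GNOME/libsoup#391; if it is the test follow-up to Patch7 that is presumably intended, and the comment should say so. Separately, `-Dntlm=disabled` in `%build` sits next to `Suggests: samba-winbind` ("For NTLM single sign on") and the NTLM bullet in the descriptions, which looks stale and is worth confirming.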