
10 Commits

Author SHA1 Message Date
openeuler-ci-bot
ce67d64df1
!97 fix CVE-2025-46420 CVE-2025-46421
From: @zppzhangpan 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2025-05-06 07:03:15 +00:00
zppzhangpan
8a19b8d3de fix CVE-2025-46420 CVE-2025-46421 2025-04-29 18:47:28 +08:00
openeuler-ci-bot
1d7d70cc20
!90 fix CVE-2025-32907 CVE-2025-32914
From: @zppzhangpan 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2025-04-24 06:51:44 +00:00
zppzhangpan
97107e4981 fix CVE-2025-32907 CVE-2025-32914 2025-04-23 16:00:26 +08:00
openeuler-ci-bot
60a269337d
!80 fix CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913
From: @zppzhangpan 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2025-04-22 08:29:04 +00:00
zhangpan
4b6f6e232e fix CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913 2025-04-21 07:36:11 +00:00
openeuler-ci-bot
646cc7b7ed
!63 fix CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-2784
From: @zppzhangpan 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2025-04-11 08:12:25 +00:00
zhangpan
e3e98bc5f4 fix CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-2784 2025-04-08 11:40:54 +00:00
openeuler-ci-bot
c88d4d9827
!55 fix CVE-2024-52530 CVE-2024-52531 CVE-2024-52532
From: @xinghe_1 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2024-11-14 06:08:36 +00:00
xh
f971da7329 fix CVE-2024-52530 CVE-2024-52531 CVE-2024-52532 2024-11-14 03:36:10 +00:00
28 changed files with 1894 additions and 3 deletions


@ -0,0 +1,37 @@
From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 27 Aug 2024 13:52:08 -0500
Subject: [PATCH] tests: Add test for passing invalid UTF-8 to
soup_header_parse_semi_param_list()
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe
---
tests/header-parsing-test.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 715c2c6f..5e423d2b 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -825,6 +825,17 @@ static struct ParamListTest {
{ "filename", "t\xC3\xA9st.txt" },
},
},
+
+ /* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */
+ { TRUE,
+ "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
+ {
+ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+ { "foo", NULL },
+
+ },
+ }
};
static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
--
GitLab


@ -0,0 +1,36 @@
From 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be Mon Sep 17 00:00:00 2001
From: Ignacio Casal Quinteiro <qignacio@amazon.com>
Date: Wed, 11 Sep 2024 11:52:11 +0200
Subject: [PATCH] websocket: process the frame as soon as we read data
Otherwise we can enter in a read loop because we were not
validating the data until the all the data was read.
Fixes #391
Conflict: context adapt and libsoup/websocket/soup-websocket-connection.c -> libsoup/soup-websocket-connection.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be
---
libsoup/soup-websocket-connection.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
index a4095e1..ed54e6b 100644
--- a/libsoup/soup-websocket-connection.c
+++ b/libsoup/soup-websocket-connection.c
@@ -1140,9 +1140,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
}
pv->incoming->len = len + count;
- } while (count > 0);
- process_incoming (self);
+ process_incoming (self);
+ } while (count > 0 && !pv->close_sent && !pv->io_closing);
if (end) {
if (!pv->close_sent || !pv->close_received) {
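Review bot: The new loop condition `} while (count > 0 && !pv->close_sent && !pv->io_closing);` carries no comment explaining why `process_incoming (self)` moved inside the loop, and that reason is the security-relevant part of the change. Per the commit message, data was previously validated only after everything had been read, which allowed a read loop; I would add above the call `/* Validate each chunk as it arrives so a bad frame ends the read loop instead of being buffered */`. The function starts and ends outside the hunk, so whether `pv->incoming` has a size cap before this point is not visible here and is worth confirming.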
--
2.46.0


@ -0,0 +1,38 @@
From eaed42ca8d40cd9ab63764e3d63641180505f40a Mon Sep 17 00:00:00 2001
From: Ar Jun <pkillarjun@protonmail.com>
Date: Mon, 18 Nov 2024 14:59:51 -0600
Subject: [PATCH] Fix heap buffer overflow in
soup-content-sniffer.c:sniff_feed_or_html()
Conflict: Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a
---
libsoup/soup-content-sniffer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index b62e4888..5a181ff1 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -641,7 +641,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length)
(resource[*pos] == '\x0D')) {
*pos = *pos + 1;
- if (*pos > resource_length)
+ if (*pos >= resource_length)
return TRUE;
}
@@ -704,7 +704,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
do {
pos++;
- if (pos > resource_length)
+ if ((pos + 1) > resource_length)
goto text_html;
} while (resource[pos] != '>');
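Review bot: The bound check `if ((pos + 1) > resource_length)` in sniff_feed_or_html is the same test as `pos >= resource_length`, which is the form the skip_insignificant_space hunk of this patch uses. Writing both checks the same way makes the off-by-one fix easier to audit and avoids a signed `pos + 1` addition on an `int` index. I would write it as `if (pos >= resource_length)`. The loop sits in a function whose body extends beyond the hunk.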
--
GitLab


@ -0,0 +1,61 @@
From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 11 Feb 2025 14:36:26 -0600
Subject: [PATCH] headers: Handle parsing edge case
This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931
---
libsoup/soup-headers.c | 2 +-
tests/header-parsing-test.c | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 85385cea..9d6d00a3 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str,
!g_ascii_isdigit (version[5]))
return SOUP_STATUS_BAD_REQUEST;
major_version = strtoul (version + 5, &p, 10);
- if (*p != '.' || !g_ascii_isdigit (p[1]))
+ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
return SOUP_STATUS_BAD_REQUEST;
minor_version = strtoul (p + 1, &p, 10);
version_end = p;
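Review bot: The added `p + 1 >= str + len` test bounds the reads of `*p` and `p[1]`, but the two `strtoul` calls around it still scan until the first non-digit byte and know nothing about `len`. If the buffer can end inside a run of digits with no terminator (the new test deliberately passes an unterminated array), `strtoul (p + 1, &p, 10)` could read past `str + len`; whether an earlier check outside this hunk rules that out is not visible here. I would either confirm that and record it in a comment next to the calls, or replace them with a digit loop bounded by `str + len`. soup_headers_parse_request starts and ends outside the hunk.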
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 07ea2866..10ddb684 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -6,6 +6,10 @@ typedef struct {
const char *name, *value;
} Header;
+static char unterminated_http_version[] = {
+ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
+};
+
static struct RequestTest {
const char *description;
const char *bugref;
@@ -383,6 +387,14 @@ static struct RequestTest {
{ { NULL } }
},
+ /* This couldn't be a C string as going one byte over would have been safe. */
+ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+ unterminated_http_version, sizeof (unterminated_http_version),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
{ "Non-HTTP request", NULL,
"GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
SOUP_STATUS_BAD_REQUEST,
--
GitLab


@ -0,0 +1,98 @@
From e40df6d48a1cbab56f5d15016cc861a503423cfe Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sun, 8 Dec 2024 20:00:35 -0600
Subject: [PATCH] auth-digest: Handle missing realm in authenticate header
Conflict: tests/auth-test.c file context adaptation and modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe
---
libsoup/soup-auth-digest.c | 3 +++
tests/auth-test.c | 50 ++++++++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index e8ba990..263a15a 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
+ if (!soup_auth_get_realm (auth))
+ return FALSE;
+
g_free (priv->domain);
g_free (priv->nonce);
g_free (priv->opaque);
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 8295ec3..dfc6b09 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void)
soup_test_session_abort_unref (session);
}
+static void
+on_request_read_for_missing_realm (SoupServer *server,
+ SoupServerMessage *msg,
+ gpointer user_data)
+{
+ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+}
+
+static void
+do_missing_realm_test (void)
+{
+ SoupSession *session;
+ SoupMessage *msg;
+ SoupServer *server;
+ SoupAuthDomain *digest_auth_domain;
+ gint status;
+ GUri *uri;
+
+ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ soup_server_add_handler (server, NULL,
+ server_callback, NULL, NULL);
+ uri = soup_test_server_get_uri (server, "http", NULL);
+
+ digest_auth_domain = soup_auth_domain_digest_new (
+ "realm", "auth-test",
+ "auth-callback", server_digest_auth_callback,
+ NULL);
+ soup_auth_domain_add_path (digest_auth_domain, "/");
+ soup_server_add_auth_domain (server, digest_auth_domain);
+ g_object_unref (digest_auth_domain);
+
+ g_signal_connect (server, "request-read",
+ G_CALLBACK (on_request_read_for_missing_realm),
+ NULL);
+
+ session = soup_test_session_new (NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+ g_signal_connect (msg, "authenticate",
+ G_CALLBACK (on_digest_authenticate),
+ NULL);
+
+ status = soup_test_session_send_message (session, msg);
+
+ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+ g_uri_unref (uri);
+ soup_test_server_quit_unref (server);
+}
+
int
main (int argc, char **argv)
{
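Review bot: do_missing_realm_test never releases `session` or `msg`: the function ends after `g_uri_unref (uri);` and `soup_test_server_quit_unref (server);`, whereas the preceding test in this file finishes with `soup_test_session_abort_unref (session);`. I would add `g_object_unref (msg);` and `soup_test_session_abort_unref (session);` before the server is shut down, so leak checkers stay usable on the auth tests. Separately, this test is written against `SoupServerMessage` and `GUri`, while the library hunk of the nonce patch on this page calls `soup_uri_to_string` and reads `msg->method`. It is worth confirming that the adapted test compiles and runs against the packaged tree, since otherwise the fix ships without its regression test.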
@@ -1576,6 +1625,7 @@ main (int argc, char **argv)
g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
+ g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
ret = g_test_run ();
--
2.48.1


@ -0,0 +1,72 @@
From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 17:53:50 -0600
Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref
Conflict: tests/header-parsing-test.c file context adaptation
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34
---
libsoup/soup-message-headers.c | 13 +++++++++----
tests/header-parsing-test.c | 14 ++++++++++++++
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 39ad14a..a577169 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1454,10 +1454,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
*/
if (params && g_hash_table_lookup_extended (*params, "filename",
&orig_key, &orig_value)) {
- char *filename = strrchr (orig_value, '/');
-
- if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ if (orig_value) {
+ char *filename = strrchr (orig_value, '/');
+
+ if (filename)
+ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ } else {
+ /* filename with no value isn't valid. */
+ g_hash_table_remove (*params, "filename");
+ }
}
return TRUE;
}
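Review bot: In the `if (orig_value)` branch the value passed to `g_hash_table_insert` is still `filename + 1`, an interior pointer into `orig_value` rather than an allocation of its own. Once the table is created with `g_free` as its value destructor (the parse_param_list patch on this page does that), replacing the entry frees `orig_value` and the table later frees a pointer that no allocator returned. The "strdup truncated filenames" patch on this page changes the line to `g_strdup (filename + 1)`; the spec should apply these patches together so no intermediate build carries the invalid free. The function starts outside the hunk.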
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 03ea34d..45316c5 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -1062,6 +1062,7 @@ do_param_list_tests (void)
#define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
#define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\""
#define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar"
+#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename"
static void
do_content_disposition_tests (void)
@@ -1163,6 +1164,19 @@ do_content_disposition_tests (void)
g_assert_cmpstr (parameter2, ==, "bar");
g_hash_table_destroy (params);
+ /* Empty filename */
+ soup_message_headers_clear (hdrs);
+ soup_message_headers_append (hdrs, "Content-Disposition",
+ RFC5987_TEST_HEADER_EMPTY_FILENAME);
+ if (!soup_message_headers_get_content_disposition (hdrs,
+ &disposition,
+ &params)) {
+ soup_test_assert (FALSE, "empty filename decoding FAILED");
+ return;
+ }
+ g_assert_false (g_hash_table_contains (params, "filename"));
+ g_hash_table_destroy (params);
+
soup_message_headers_free (hdrs);
/* Ensure that soup-multipart always quotes filename */
--
2.48.1


@ -0,0 +1,132 @@
From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 27 Aug 2024 13:53:26 -0500
Subject: [PATCH] headers: Be more robust against invalid input when parsing
params
If you pass invalid input to a function such as soup_header_parse_param_list_strict()
it can cause an overflow if it decodes the input to UTF-8.
This should never happen with valid UTF-8 input which libsoup's client API
ensures, however it's server API does not currently.
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283
---
libsoup/soup-headers.c | 46 ++++++++++++++++++++++--------------------
1 file changed, 24 insertions(+), 22 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index f30ee467..613e1905 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -646,8 +646,9 @@ soup_header_contains (const char *header, const char *token)
}
static void
-decode_quoted_string (char *quoted_string)
+decode_quoted_string_inplace (GString *quoted_gstring)
{
+ char *quoted_string = quoted_gstring->str;
char *src, *dst;
src = quoted_string + 1;
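Review bot: decode_quoted_string_inplace now takes a `GString`, but as far as the hunk shows it still rewrites the bytes through the raw `quoted_string` pointer, so `quoted_gstring->len` would no longer match the shortened contents after decoding. That is harmless while the only consumer is `g_string_free (parsed_value, FALSE)`, as in parse_param_list, but it is a trap for any later GString call on the same object. I would document it at the top of the function, `/* Rewrites ->str in place; ->len is not updated */`, or end the function with `g_string_truncate (quoted_gstring, dst - quoted_string);`. The rest of the body lies outside the hunk, so this should be checked against the full function.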
@@ -661,10 +662,11 @@ decode_quoted_string (char *quoted_string)
}
static gboolean
-decode_rfc5987 (char *encoded_string)
+decode_rfc5987_inplace (GString *encoded_gstring)
{
char *q, *decoded;
gboolean iso_8859_1 = FALSE;
+ const char *encoded_string = encoded_gstring->str;
q = strchr (encoded_string, '\'');
if (!q)
@@ -696,14 +698,7 @@ decode_rfc5987 (char *encoded_string)
decoded = utf8;
}
- /* If encoded_string was UTF-8, then each 3-character %-escape
- * will be converted to a single byte, and so decoded is
- * shorter than encoded_string. If encoded_string was
- * iso-8859-1, then each 3-character %-escape will be
- * converted into at most 2 bytes in UTF-8, and so it's still
- * shorter.
- */
- strcpy (encoded_string, decoded);
+ g_string_assign (encoded_gstring, decoded);
g_free (decoded);
return TRUE;
}
@@ -713,15 +708,17 @@ parse_param_list (const char *header, char delim, gboolean strict)
{
GHashTable *params;
GSList *list, *iter;
- char *item, *eq, *name_end, *value;
- gboolean override, duplicated;
params = g_hash_table_new_full (soup_str_case_hash,
soup_str_case_equal,
- g_free, NULL);
+ g_free, g_free);
list = parse_list (header, delim);
for (iter = list; iter; iter = iter->next) {
+ char *item, *eq, *name_end;
+ gboolean override, duplicated;
+ GString *parsed_value = NULL;
+
item = iter->data;
override = FALSE;
@@ -736,19 +733,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
*name_end = '\0';
- value = (char *)skip_lws (eq + 1);
+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
if (name_end[-1] == '*' && name_end > item + 1) {
name_end[-1] = '\0';
- if (!decode_rfc5987 (value)) {
+ if (!decode_rfc5987_inplace (parsed_value)) {
+ g_string_free (parsed_value, TRUE);
g_free (item);
continue;
}
override = TRUE;
- } else if (*value == '"')
- decode_quoted_string (value);
- } else
- value = NULL;
+ } else if (parsed_value->str[0] == '"')
+ decode_quoted_string_inplace (parsed_value);
+ }
duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
@@ -756,11 +753,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
soup_header_free_param_list (params);
params = NULL;
g_slist_foreach (iter, (GFunc)g_free, NULL);
+ if (parsed_value)
+ g_string_free (parsed_value, TRUE);
break;
- } else if (override || !duplicated)
- g_hash_table_replace (params, item, value);
- else
+ } else if (override || !duplicated) {
+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
+ } else {
+ if (parsed_value)
+ g_string_free (parsed_value, TRUE);
g_free (item);
+ }
}
g_slist_free (list);
--
GitLab


@ -0,0 +1,42 @@
From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
From: Ignacio Casal Quinteiro <qignacio@amazon.com>
Date: Wed, 2 Oct 2024 11:17:19 +0200
Subject: [PATCH] websocket-test: disconnect error copy after the test ends
Otherwise the server will have already sent a few more wrong
bytes and the client will continue getting errors to copy
but the error is already != NULL and it will assert
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c
---
tests/websocket-test.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/websocket-test.c b/tests/websocket-test.c
index 5e40cf3..30a1f36 100644
--- a/tests/websocket-test.c
+++ b/tests/websocket-test.c
@@ -1331,8 +1331,9 @@ test_receive_invalid_encode_length_64 (Test *test,
GError *error = NULL;
InvalidEncodeLengthTest context = { test, NULL };
guint i;
+ guint error_id;
- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
/* We use 127(\x7f) as payload length with 65535 extended length */
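Review bot: `error_id` is declared `guint`, but `g_signal_connect` returns a `gulong` handler id and `g_signal_handler_disconnect` takes a `gulong`, so the id is narrowed when it is stored. Declare it as `gulong error_id;`. The disconnect call that consumes it is in the next hunk of this patch, and the test function continues outside both hunks.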
@@ -1345,6 +1346,7 @@ test_receive_invalid_encode_length_64 (Test *test,
WAIT_UNTIL (error != NULL || received != NULL);
g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
g_clear_error (&error);
+ g_signal_handler_disconnect (test->client, error_id);
g_assert_null (received);
g_thread_join (thread);
--
2.46.0


@ -0,0 +1,69 @@
From 242a10fbb12dbdc12d254bd8fc8669a0ac055304 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 14:39:42 -0600
Subject: [PATCH] sniffer: Fix potential overflow
Conflict: Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/242a10fbb12dbdc12d254bd8fc8669a0ac055304
---
libsoup/soup-content-sniffer.c | 2 +-
tests/resources/whitespace.html | Bin 0 -> 512 bytes
tests/sniffing-test.c | 5 +++++
tests/soup-tests.gresource.xml | 1 +
4 files changed, 7 insertions(+), 1 deletions(-)
create mode 100644 tests/resources/whitespace.html
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index aeee2e25c..da94e60c3 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -669,7 +669,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
pos = 3;
look_for_tag:
- if (pos > resource_length)
+ if (pos >= resource_length)
goto text_html;
if (skip_insignificant_space (resource, &pos, resource_length))
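Review bot: The corrected guard `if (pos >= resource_length)` is effectively the precondition of the `skip_insignificant_space` call on the next line, and nothing in the code says so. Judging by the other sniffer patch on this page, that helper appears to test `resource[*pos]` in its loop condition before its own bounds check runs, so entering it with `pos == resource_length` reads one byte past the buffer. I would add `/* skip_insignificant_space() reads resource[pos] first, so pos must be < resource_length here */` above the check. sniff_feed_or_html starts and ends outside the hunk.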
diff --git a/tests/resources/whitespace.html b/tests/resources/whitespace.html
new file mode 100644
index 0000000000000000000000000000000000000000..7f07a0e639a102284d6f7c0c5d5560170f994553
GIT binary patch
literal 512
TcmcCf)YWAe1tT*Abam|ja4Z2(
literal 0
HcmV?d00001
diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
index 6116719ae..b5428177f 100644
--- a/tests/sniffing-test.c
+++ b/tests/sniffing-test.c
@@ -512,6 +512,11 @@ main (int argc, char **argv)
"type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
do_sniffing_test);
+ /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
+ g_test_add_data_func ("/sniffing/whitespace",
+ "type/text_html/whitespace.html => text/html",
+ do_sniffing_test);
+
/* Test that disabling the sniffer works correctly */
g_test_add_data_func ("/sniffing/disabled",
"/text_or_binary/home.gif",
diff --git a/tests/soup-tests.gresource.xml b/tests/soup-tests.gresource.xml
index 9c08d170e..cbef1d402 100644
--- a/tests/soup-tests.gresource.xml
+++ b/tests/soup-tests.gresource.xml
@@ -25,5 +25,6 @@
<file>resources/text.txt</file>
<file>resources/text_binary.txt</file>
<file>resources/tux.webp</file>
+ <file>resources/whitespace.html</file>
</gresource>
</gresources>
--
GitLab


@ -0,0 +1,83 @@
From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 12 Feb 2025 11:30:02 -0600
Subject: [PATCH] headers: Handle parsing only newlines
Closes #404
Closes #407
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f
---
libsoup/soup-headers.c | 4 ++--
tests/header-parsing-test.c | 13 ++++++++++++-
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 9d6d00a3..52ef2ece 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str,
/* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
* received where a Request-Line is expected."
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str,
* after a response, which we then see prepended to the next
* response on that connection.
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
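Review bot: The `len > 0 &&` reordering is applied to soup_headers_parse_response here as well, but the tests added in this patch only extend the request table (`only_newlines` is added to `reqtests`), so the response-side fix is not exercised. I would add a matching case to the response tests in tests/header-parsing-test.c that passes `only_newlines, sizeof (only_newlines)`. Both loops leave `str` one past the buffer when the input is all newlines; the check that follows is outside the hunk and should be confirmed to test `len` before dereferencing `str`.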
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 10ddb684..4faafbd6 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -6,10 +6,15 @@ typedef struct {
const char *name, *value;
} Header;
+/* These are not C strings to ensure going one byte over is not safe. */
static char unterminated_http_version[] = {
'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
};
+static char only_newlines[] = {
+ '\n', '\n', '\n', '\n'
+};
+
static struct RequestTest {
const char *description;
const char *bugref;
@@ -387,7 +392,6 @@ static struct RequestTest {
{ { NULL } }
},
- /* This couldn't be a C string as going one byte over would have been safe. */
{ "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
unterminated_http_version, sizeof (unterminated_http_version),
SOUP_STATUS_BAD_REQUEST,
@@ -457,6 +461,13 @@ static struct RequestTest {
SOUP_STATUS_BAD_REQUEST,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ { "Only newlines", NULL,
+ only_newlines, sizeof (only_newlines),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
--
GitLab


@ -0,0 +1,149 @@
From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:18:35 -0600
Subject: [PATCH] auth-digest: Handle missing nonce
Conflict: tests/auth-test.c file context adaptation and modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a
---
libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++---------
tests/auth-test.c | 19 +++++++++-------
2 files changed, 46 insertions(+), 18 deletions(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 263a15a..a97e4bb 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
return g_string_free (out, FALSE);
}
+static gboolean
+validate_params (SoupAuthDigest *auth_digest)
+{
+ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
+
+ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
+ if (!priv->nonce)
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
static gboolean
soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
GHashTable *auth_params)
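Review bot: validate_params requires a nonce only when `priv->qop` is set or the algorithm is MD5-sess, yet the soup_auth_digest_get_authorization hunk of this patch adds an unconditional `g_assert (priv->nonce);`. A challenge with a realm but no qop and no nonce passes validation and can then reach that assertion, which turns a malformed server header into a process abort. The two follow-up nonce patches on this page reject such a challenge earlier in soup_auth_digest_update, so this patch should not ship without them. For values that come from the peer I would also prefer a checked early return over `g_assert` in the three assertion hunks.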
@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
if (priv->algorithm == -1)
ok = FALSE;
- stale = g_hash_table_lookup (auth_params, "stale");
- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
- recompute_hex_a1 (priv);
- else {
- g_free (priv->user);
- priv->user = NULL;
- g_free (priv->cnonce);
- priv->cnonce = NULL;
- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ if (!validate_params (auth_digest))
+ ok = FALSE;
+
+ if (ok) {
+ stale = g_hash_table_lookup (auth_params, "stale");
+ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+ recompute_hex_a1 (priv);
+ else {
+ g_free (priv->user);
+ priv->user = NULL;
+ g_free (priv->cnonce);
+ priv->cnonce = NULL;
+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ }
}
return ok;
@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,
/* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+ g_assert (nonce && cnonce);
+
checksum = g_checksum_new (G_CHECKSUM_MD5);
g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
g_checksum_update (checksum, (guchar *)":", 1);
@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method,
if (qop) {
char tmp[9];
+ g_assert (cnonce);
+
g_snprintf (tmp, 9, "%.8x", nc);
g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
g_checksum_update (checksum, (guchar *)":", 1);
@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
g_return_val_if_fail (uri != NULL, NULL);
url = soup_uri_to_string (uri, TRUE);
+ g_assert (priv->nonce);
+ g_assert (!priv->qop || priv->cnonce);
+
soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
priv->qop, priv->nonce,
priv->cnonce, priv->nc,
diff --git a/tests/auth-test.c b/tests/auth-test.c
index dfc6b09..6fb1e4a 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void)
}
static void
-on_request_read_for_missing_realm (SoupServer *server,
- SoupServerMessage *msg,
- gpointer user_data)
+on_request_read_for_missing_params (SoupServer *server,
+ SoupServerMessage *msg,
+ gpointer user_data)
{
+ const char *auth_header = user_data;
SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
}
static void
-do_missing_realm_test (void)
+do_missing_params_test (gconstpointer auth_header)
{
SoupSession *session;
SoupMessage *msg;
@@ -1582,8 +1583,8 @@ do_missing_realm_test (void)
g_object_unref (digest_auth_domain);
g_signal_connect (server, "request-read",
- G_CALLBACK (on_request_read_for_missing_realm),
- NULL);
+ G_CALLBACK (on_request_read_for_missing_params),
+ (gpointer)auth_header);
session = soup_test_session_new (NULL);
msg = soup_message_new_from_uri ("GET", uri);
@@ -1625,7 +1626,9 @@ main (int argc, char **argv)
g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
ret = g_test_run ();
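Review bot: The header string for `/auth/missing-params/nonce-md5-sess` has no comma between the `opaque` value and `algorithm=\"MD5-sess\"`, unlike the separators between the other parameters in the same string. The algorithm parameter is then likely not parsed as its own item, so the test would not reach the MD5-sess branch of validate_params and would duplicate the plain `/auth/missing-params/nonce` case. I would write the tail of the string as `opaque=\"5ccc069c403ebaf9f0171e9517f40e41\", algorithm=\"MD5-sess\"`.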
--
2.48.1


@ -0,0 +1,44 @@
From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 18:00:39 -0600
Subject: [PATCH] soup_message_headers_get_content_disposition: strdup
truncated filenames
This table frees the strings it contains.
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0
---
libsoup/soup-message-headers.c | 2 +-
tests/header-parsing-test.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index a577169..81e7cea 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1458,7 +1458,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
char *filename = strrchr (orig_value, '/');
if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
} else {
/* filename with no value isn't valid. */
g_hash_table_remove (*params, "filename");
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 45316c5..c3a62f9 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -1174,6 +1174,7 @@ do_content_disposition_tests (void)
soup_test_assert (FALSE, "empty filename decoding FAILED");
return;
}
+ g_free (disposition);
g_assert_false (g_hash_table_contains (params, "filename"));
g_hash_table_destroy (params);
--
2.48.1


@ -0,0 +1,27 @@
From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 13:52:52 -0600
Subject: [PATCH] auth-digest: Fix leak
Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832
---
libsoup/soup-auth-digest.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 350bfde6..9eb7fa0e 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object)
g_free (priv->nonce);
g_free (priv->domain);
g_free (priv->cnonce);
+ g_free (priv->opaque);
memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
--
GitLab


@ -0,0 +1,41 @@
From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 14:03:05 -0600
Subject: [PATCH] auth-digest: Handle missing nonce
Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992
---
libsoup/soup-auth-digest.c | 2 +-
tests/auth-test.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 83069ef..b79e6f8 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
- if (!soup_auth_get_realm (auth))
+ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
return FALSE;
g_free (priv->domain);
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 6fb1e4a..548ac94 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1629,6 +1629,7 @@ main (int argc, char **argv)
g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test);
ret = g_test_run ();
--
2.48.1


@ -0,0 +1,30 @@
From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sat, 8 Feb 2025 12:30:13 -0600
Subject: [PATCH] digest-auth: Handle NULL nonce
`contains` only handles a missing nonce, `lookup` handles both missing and empty.
Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f
---
libsoup/soup-auth-digest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index d69a4013..dc4dbfc5 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
- if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
+ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))
return FALSE;
g_free (priv->domain);
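Review bot: The nonce check in soup_auth_digest_update() switches from `g_hash_table_contains` to `g_hash_table_lookup` without a comment, so the reason lives only in the commit message and a later cleanup could easily revert it. I would add `/* lookup, not contains: a "nonce" key stored with a NULL value must be rejected too */` above the `if`. A nonce that is present but an empty string would presumably still pass this test; if that should be refused as well, it needs an explicit check on the first character. The function body starts and ends outside the hunk.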
--
GitLab


@ -0,0 +1,51 @@
From e2e3d1cf16a15d725289e3f5a8a6503de08fc63f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 11 Feb 2025 10:32:39 -0600
Subject: [PATCH] Remove redundant function
The nonce is validated earlier now.
Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/e2e3d1cf16a15d725289e3f5a8a6503de08fc63f
---
libsoup/soup-auth-digest.c | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 40b470b..318ebe2 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -133,19 +133,6 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
return g_string_free (out, FALSE);
}
-static gboolean
-validate_params (SoupAuthDigest *auth_digest)
-{
- SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
-
- if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
- if (!priv->nonce)
- return FALSE;
- }
-
- return TRUE;
-}
-
static gboolean
soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
GHashTable *auth_params)
@@ -183,9 +170,6 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
if (priv->algorithm == -1)
ok = FALSE;
- if (!validate_params (auth_digest))
- ok = FALSE;
-
if (ok) {
stale = g_hash_table_lookup (auth_params, "stale");
if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
--
2.48.1


@ -0,0 +1,148 @@
From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Mon, 8 Jul 2024 12:33:15 -0500
Subject: [PATCH] headers: Strictly don't allow NUL bytes
In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b
---
libsoup/soup-headers.c | 15 +++------
tests/header-parsing-test.c | 62 +++++++++++++++++--------------------
2 files changed, 32 insertions(+), 45 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index a0cf351ac..f30ee467a 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
* ignorable trailing whitespace.
*/
+ /* No '\0's are allowed */
+ if (memchr (str, '\0', len))
+ return FALSE;
+
/* Skip over the Request-Line / Status-Line */
headers_start = memchr (str, '\n', len);
if (!headers_start)
return FALSE;
- /* No '\0's in the Request-Line / Status-Line */
- if (memchr (str, '\0', headers_start - str))
- return FALSE;
/* We work on a copy of the headers, which we can write '\0's
* into, so that we don't have to individually g_strndup and
@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
headers_copy[copy_len] = '\0';
value_end = headers_copy;
- /* There shouldn't be any '\0's in the headers already, but
- * this is the web we're talking about.
- */
- while ((p = memchr (headers_copy, '\0', copy_len))) {
- memmove (p, p + 1, copy_len - (p - headers_copy));
- copy_len--;
- }
-
while (*(value_end + 1)) {
name = value_end + 1;
name_end = strchr (name, ':');
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index edf8eebb3..715c2c6f2 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -358,24 +358,6 @@ static struct RequestTest {
}
},
- { "NUL in header name", "760832",
- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "example.com" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "examplecom" },
- { NULL }
- }
- },
-
/************************/
/*** INVALID REQUESTS ***/
/************************/
@@ -448,6 +430,21 @@ static struct RequestTest {
SOUP_STATUS_EXPECTATION_FAILED,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ /* https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 */
+ { "NUL in header name", NULL,
+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
+ { "NUL in header value", NULL,
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
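Review bot: The re-added "NUL in header value" entry in `reqtests` feeds a response start line (`HTTP/1.1 200 OK\r\nFoo: b\x00...`) to the request parser, so it would presumably be answered with SOUP_STATUS_BAD_REQUEST for its first line alone and does not show that a NUL inside a request header value is rejected. The entry it replaces used `"GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35`; keeping that input and only changing the expected status to `SOUP_STATUS_BAD_REQUEST` would exercise the new `memchr` check in soup_headers_parse(). The array definition starts outside the hunk.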
@@ -620,22 +617,6 @@ static struct ResponseTest {
{ NULL } }
},
- { "NUL in header name", "760832",
- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
/********************************/
/*** VALID CONTINUE RESPONSES ***/
/********************************/
@@ -768,6 +749,19 @@ static struct ResponseTest {
{ { NULL }
}
},
+
+ /* https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 */
+ { "NUL in header name", NULL,
+ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
+
+ { "NUL in header value", "760832",
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
};
static const int num_resptests = G_N_ELEMENTS (resptests);
--
GitLab


@ -0,0 +1,152 @@
From c415ad0b6771992e66c70edf373566c6e247089d Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 18 Feb 2025 14:29:50 -0600
Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
Conflict: context adaptation and Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d
---
libsoup/soup-content-sniffer.c | 10 +++---
tests/resources/whitespace.html | Bin 512 -> 0 bytes
tests/sniffing-test.c | 53 +++++++++++++++++++++++++++++---
tests/soup-tests.gresource.xml | 1 -
4 files changed, 53 insertions(+), 11 deletions(-)
delete mode 100644 tests/resources/whitespace.html
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index c52d2d0..3fb29ad 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
}
static gboolean
-skip_insignificant_space (const char *resource, int *pos, int resource_length)
+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
{
+ if (*pos >= resource_length)
+ return TRUE;
+
while ((resource[*pos] == '\x09') ||
(resource[*pos] == '\x20') ||
(resource[*pos] == '\x0A') ||
@@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
{
const char *resource = (const char *)buffer->data;
int resource_length = MIN (512, buffer->length);
- int pos = 0;
+ gsize pos = 0;
if (resource_length < 3)
goto text_html;
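Review bot: `resource_length` stays `int` in sniff_feed_or_html() while `pos` becomes `gsize` and skip_insignificant_space() now takes `gsize resource_length`, so every remaining comparison between the two in this function mixes signed and unsigned operands. The value comes from `MIN (512, buffer->length)` and so should not be negative here, but declaring it as `gsize resource_length = MIN (512, buffer->length);` keeps the bounds arithmetic in one type and avoids sign-compare surprises. The rest of the function is outside the hunk, so its other uses of `resource_length` and `pos` should be checked against the new type.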
@@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
pos = 3;
look_for_tag:
- if (pos >= resource_length)
- goto text_html;
-
if (skip_insignificant_space (resource, &pos, resource_length))
goto text_html;
diff --git a/tests/resources/whitespace.html b/tests/resources/whitespace.html
deleted file mode 100644
index 7f07a0e639a102284d6f7c0c5d5560170f994553..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 512
TcmcCf)YWAe1tT*Abam|ja4Z2(
diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
index 0a4569a..e2dfed4 100644
--- a/tests/sniffing-test.c
+++ b/tests/sniffing-test.c
@@ -436,6 +436,52 @@ test_disabled (gconstpointer data)
soup_uri_free (uri);
}
+static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->");
+
+static void
+do_skip_whitespace_test (void)
+{
+ SoupContentSniffer *sniffer = soup_content_sniffer_new ();
+ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org");
+ const char *test_cases[] = {
+ "",
+ "<rdf:RDF",
+ "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"",
+ "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"",
+ };
+
+ soup_message_headers_set_content_type (msg->response_headers, "text/html", NULL);
+
+ for (guint i = 0; i < G_N_ELEMENTS (test_cases); i++) {
+ const char *trailing_data = test_cases[i];
+ gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data);
+ gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data);
+ guint8 *data = g_malloc0 (testsize);
+ guint8 *p = data;
+ char *content_type;
+ GBytes *buffer;
+
+ // Format of <!--[0x00 * $leading_zeros]-->$trailing_data
+ memcpy (p, "<!--", strlen ("<!--"));
+ p += strlen ("<!--");
+ p += leading_zeros;
+ memcpy (p, "-->", strlen ("-->"));
+ p += strlen ("-->");
+ if (strlen (trailing_data))
+ memcpy (p, trailing_data, strlen (trailing_data));
+ // Purposefully not NUL terminated.
+
+ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize);
+ content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL);
+
+ g_free (content_type);
+ g_bytes_unref (buffer);
+ }
+
+ g_object_unref (msg);
+ g_object_unref (sniffer);
+}
+
int
main (int argc, char **argv)
{
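Review bot: do_skip_whitespace_test() hands a `GBytes *` to soup_content_sniffer_sniff(), while the library hunks of this same patch show the sniffer working on `SoupBuffer *`; if the public entry point in this branch also takes a SoupBuffer, the test passes an incompatible pointer and does not exercise the bounds handling it is meant to cover. Declaring `SoupBuffer *buffer;`, building it with `buffer = soup_buffer_new (SOUP_MEMORY_TAKE, g_steal_pointer (&data), testsize);` and releasing it with `soup_buffer_free (buffer);` would match the rest of the backport. The test also asserts nothing about `content_type`, so it only catches an out-of-bounds read when run under a memory checker; an expected-type assertion per case would make it useful in a plain run.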
@@ -605,16 +651,13 @@ main (int argc, char **argv)
"type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
do_sniffing_test);
- /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
- g_test_add_data_func ("/sniffing/whitespace",
- "type/text_html/whitespace.html => text/html",
- do_sniffing_test);
-
/* Test that disabling the sniffer works correctly */
g_test_add_data_func ("/sniffing/disabled",
"/text_or_binary/home.gif",
test_disabled);
+ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test);
+
ret = g_test_run ();
soup_uri_free (base_uri);
diff --git a/tests/soup-tests.gresource.xml b/tests/soup-tests.gresource.xml
index cbef1d4..9c08d17 100644
--- a/tests/soup-tests.gresource.xml
+++ b/tests/soup-tests.gresource.xml
@@ -25,6 +25,5 @@
<file>resources/text.txt</file>
<file>resources/text_binary.txt</file>
<file>resources/tux.webp</file>
- <file>resources/whitespace.html</file>
</gresource>
</gresources>
--
2.46.0


@ -0,0 +1,28 @@
From 9bb0a55de55c6940ced811a64fbca82fe93a9323 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Mon, 28 Oct 2024 12:29:48 -0500
Subject: [PATCH] Fix using int instead of size_t for strcspn return
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323
---
libsoup/soup-headers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 613e1905..a5f7a7f6 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -907,7 +907,7 @@ append_param_quoted (GString *string,
const char *name,
const char *value)
{
- int len;
+ gsize len;
g_string_append (string, name);
g_string_append (string, "=\"");
--
GitLab


@ -0,0 +1,30 @@
From f182429e5b1fc034050510da20c93256c4fa9652 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sat, 16 Nov 2024 12:07:30 -0600
Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff
Co-Author: Ar Jun <pkillarjun@protonmail.com>
Conflict: Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652
---
libsoup/soup-content-sniffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index de0985eac..b62e48889 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -524,7 +524,7 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer,
guint index_pattern = 0;
gboolean skip_row = FALSE;
- while ((index_stream < resource_length) &&
+ while ((index_stream < resource_length - 1) &&
(index_pattern <= type_row->pattern_length)) {
/* Skip insignificant white space ("WS" in the spec) */
if (type_row->pattern[index_pattern] == ' ') {
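Review bot: The new bound `index_stream < resource_length - 1` wraps around when `resource_length` is 0 if the variable is unsigned, which the other sniff_unknown() hunks on this page suggest (`guint resource_length = MIN (512, buffer->length);`); in that case the condition stops limiting the loop at all. Writing it as `while ((index_stream + 1 < resource_length) &&` gives the same limit without the subtraction and does not depend on a separate zero-length early return being applied first. The declarations of both variables are outside the hunk, so the types should be confirmed there.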
--
GitLab


@ -0,0 +1,32 @@
From 446b2e0a97ac1c241e9c58545f1b0f5f962d98e2 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 15 Apr 2025 12:17:39 +0200
Subject: [PATCH] soup-message-headers: Correct merge of ranges
It had been skipping every second range, which generated an array
of a lot of insane ranges, causing large memory usage by the server.
Closes #428
Conflict: The new test case community is still in discussion and it is recommended not to merge
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/446b2e0a97ac1c241e9c58545f1b0f5f962d98e2
---
libsoup/soup-message-headers.c | 1 +
1 files changed, 1 insertions(+)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index ee7a3cb1..f101d4b4 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1244,6 +1244,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs,
if (cur->start <= prev->end) {
prev->end = MAX (prev->end, cur->end);
g_array_remove_index (array, i);
+ i--;
}
}
}
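Review bot: The added `i--;` in soup_message_headers_get_ranges_internal() has no comment, and without the loop header in view it is not obvious why the index is stepped back after `g_array_remove_index`. A one-line comment such as `/* the next range moved into slot i; compare it against prev as well */` would explain it. The loop header is outside the hunk, so it should be confirmed that `i` never reaches this line with the value 0. The patch header states the upstream test case was deliberately left out, so this path has no regression test in the package.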
--
GitLab


@ -0,0 +1,36 @@
From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 8 Jan 2025 16:30:17 -0600
Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4
bytes
Conflict: context adaptation and modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92
---
libsoup/soup-content-sniffer.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index c52d2d0..ee32971 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -227,9 +227,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, SoupBuffer *buffer)
{
const char *resource = (const char *)buffer->data;
guint resource_length = MIN (512, buffer->length);
- guint32 box_size = *((guint32*)resource);
+ guint32 box_size;
guint i;
+ if (resource_length < sizeof (guint32))
+ return FALSE;
+
+ box_size = *((guint32*)resource);
+
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
box_size = ((box_size >> 24) |
((box_size << 8) & 0x00FF0000) |
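Review bot: `box_size = *((guint32*)resource);` in sniff_mp4() still loads a 32-bit value through a cast `const char *`, which assumes the buffer is suitably aligned for guint32; the new length check makes the read in-bounds but does not remove that assumption. `memcpy (&box_size, resource, sizeof (box_size));` reads the same four bytes without it, provided <string.h> is available in this file, and the hand-written byte swap that follows could then be `box_size = GUINT32_FROM_BE (box_size);`. The swap and the rest of the function continue outside the hunk.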
--
2.48.1


@ -0,0 +1,115 @@
From 5bfcf8157597f2d327050114fb37ff600004dbcf Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 15 Apr 2025 09:03:00 +0200
Subject: [PATCH] multipart: Fix read out of buffer bounds under
soup_multipart_new_from_message()
This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
of the body argument.
Closes #436
Conflict: Context Adaptation and Test Case Adaptation
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf
---
libsoup/soup-multipart.c | 2 +-
tests/multipart-test.c | 62 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index a7e550f..dd93973 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
return NULL;
}
- split = strstr (start, "\r\n\r\n");
+ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
if (!split || split > end) {
soup_multipart_free (multipart);
soup_buffer_free (flattened);
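Review bot: `g_strstr_len (start, body_end - start, "\r\n\r\n")` only bounds the search while `body_end - start` is non-negative; GLib treats a negative length as "search up to the NUL terminator", which is the unbounded behaviour this change is meant to remove. Neither `start` nor `body_end` is assigned inside the hunk, so it should be confirmed that `start <= body_end` always holds at this point, or the call should be guarded with an explicit `if (start > body_end)` failure path. The function continues outside the hunk.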
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index 64a5ebf..79c2190 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
@@ -479,6 +479,66 @@ test_multipart (gconstpointer data)
g_main_loop_unref (loop);
}
+static void
+test_multipart_bounds_good (void)
+{
+ #define TEXT "line1\r\nline2"
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers, *set_headers = NULL;
+ SoupBuffer *set_bytes = NULL;
+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
+ gboolean success;
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+
+ SoupMessageBody *message_body = soup_message_body_new ();
+ SoupBuffer *part_body = soup_buffer_new (SOUP_MEMORY_COPY, raw_data, strlen(raw_data));
+ soup_message_body_append_buffer (message_body, part_body);
+ multipart = soup_multipart_new_from_message (headers, message_body);
+
+ g_assert_nonnull (multipart);
+ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
+ success = soup_multipart_get_part (multipart, 0, &set_headers, &set_bytes);
+ g_assert_true (success);
+ g_assert_nonnull (set_headers);
+ g_assert_nonnull (set_bytes);
+ g_assert_cmpint (strlen (TEXT), ==, set_bytes->length);
+ g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
+ g_assert_cmpmem (TEXT, strlen (TEXT), set_bytes->data, set_bytes->length);
+
+ soup_message_headers_free (headers);
+ soup_message_body_free (message_body);
+ soup_buffer_free (part_body);
+ soup_multipart_free (multipart);
+
+ #undef TEXT
+}
+
+static void
+test_multipart_bounds_bad (void)
+{
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers;
+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+ SoupMessageBody *message_body = soup_message_body_new ();
+ SoupBuffer *part_body = soup_buffer_new (SOUP_MEMORY_COPY, raw_data, strlen(raw_data));
+ soup_message_body_append_buffer (message_body, part_body);
+ /* it did read out of raw_data/bytes bounds */
+ multipart = soup_multipart_new_from_message (headers, message_body);
+
+ g_assert_null (multipart);
+
+ soup_message_headers_free (headers);
+ soup_message_body_free (message_body);
+ soup_buffer_free (part_body);
+}
+
int
main (int argc, char **argv)
{
@@ -508,6 +568,8 @@ main (int argc, char **argv)
g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
+ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
ret = g_test_run ();
--
2.33.0


@ -0,0 +1,60 @@
From c9083869ec2a3037e6df4bd86b45c419ba295f8e Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:31:42 -0600
Subject: [PATCH] soup_header_parse_quality_list: Fix leak
When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings.
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/c9083869ec2a3037e6df4bd86b45c419ba295f8e
---
libsoup/soup-headers.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index a5f7a7f6..85385cea 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -530,7 +530,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
GSList *unsorted;
QualityItem *array;
GSList *sorted, *iter;
- char *item, *semi;
+ char *semi;
const char *param, *equal, *value;
double qval;
int n;
@@ -543,9 +543,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
unsorted = soup_header_parse_list (header);
array = g_new0 (QualityItem, g_slist_length (unsorted));
for (iter = unsorted, n = 0; iter; iter = iter->next) {
- item = iter->data;
qval = 1.0;
- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) {
+ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) {
param = skip_lws (semi + 1);
if (*param != 'q')
continue;
@@ -577,15 +576,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
if (qval == 0.0) {
if (unacceptable) {
*unacceptable = g_slist_prepend (*unacceptable,
- item);
+ g_steal_pointer (&iter->data));
}
} else {
- array[n].item = item;
+ array[n].item = g_steal_pointer (&iter->data);
array[n].qval = qval;
n++;
}
}
- g_slist_free (unsorted);
+ g_slist_free_full (unsorted, g_free);
qsort (array, n, sizeof (QualityItem), sort_by_qval);
sorted = NULL;
--
GitLab


@ -0,0 +1,138 @@
From 3e5c26415811f19e7737238bb23305ffaf96f66b Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 16:18:10 -0600
Subject: [PATCH] session: Strip authentication credentails on cross-origin
redirect
This should match the behavior of Firefox and Safari but not of Chromium.
Conflict: Context Adaptation and Test Case Adaptation and soup_message_headers_remove_common->soup_message_headers_remove,soup_message_get_request_headers (msg)->msg->request_headers,SOUP_HEADER_AUTHORIZATION->"Authorization"
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/3e5c26415811f19e7737238bb23305ffaf96f66b
---
libsoup/soup-session.c | 6 ++++
tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 83 insertions(+)
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index 83421ef..7ff53ab 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1189,6 +1189,12 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
SOUP_ENCODING_NONE);
}
+ /* Strip all credentials on cross-origin redirect. */
+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+ soup_message_headers_remove (msg->request_headers, "Authorization");
+ soup_message_set_auth (msg, NULL);
+ }
+
soup_message_set_uri (msg, new_uri);
soup_uri_free (new_uri);
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 548ac94..e71f986 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1,6 +1,7 @@
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
#include "test-utils.h"
+#include "soup-uri-utils-private.h"
static const char *base_uri;
static GMainLoop *loop;
@@ -1599,6 +1600,81 @@ do_missing_params_test (gconstpointer auth_header)
soup_test_server_quit_unref (server);
}
+static void
+redirect_server_callback (SoupServer *server,
+ SoupServerMessage *msg,
+ const char *path,
+ GHashTable *query,
+ gpointer user_data)
+{
+ static gboolean redirected = FALSE;
+
+ if (!redirected) {
+ char *redirect_uri = g_uri_to_string (user_data);
+ soup_server_message_set_redirect (msg, SOUP_STATUS_MOVED_PERMANENTLY, redirect_uri);
+ g_free (redirect_uri);
+ redirected = TRUE;
+ return;
+ }
+
+ g_assert_not_reached ();
+}
+
+static gboolean
+auth_for_redirect_callback (SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer user_data)
+{
+ GUri *known_server_uri = user_data;
+
+ if (!soup_uri_host_equal (known_server_uri, soup_message_get_uri (msg)))
+ return FALSE;
+
+ soup_auth_authenticate (auth, "user", "good-basic");
+
+ return TRUE;
+}
+
+static void
+do_strip_on_crossorigin_redirect (void)
+{
+ SoupSession *session;
+ SoupMessage *msg;
+ SoupServer *server1, *server2;
+ SoupAuthDomain *auth_domain;
+ GUri *uri;
+ gint status;
+
+ server1 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ server2 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+
+ /* Both servers have the same credentials. */
+ auth_domain = soup_auth_domain_basic_new ("realm", "auth-test", "auth-callback", server_basic_auth_callback, NULL);
+ soup_auth_domain_add_path (auth_domain, "/");
+ soup_server_add_auth_domain (server1, auth_domain);
+ soup_server_add_auth_domain (server2, auth_domain);
+ g_object_unref (auth_domain);
+
+ /* Server 1 asks for auth, then redirects to Server 2. */
+ soup_server_add_handler (server1, NULL,
+ redirect_server_callback,
+ soup_test_server_get_uri (server2, "http", NULL), (GDestroyNotify)g_uri_unref);
+ /* Server 2 requires auth. */
+ soup_server_add_handler (server2, NULL, server_callback, NULL, NULL);
+
+ session = soup_test_session_new (NULL);
+ uri = soup_test_server_get_uri (server1, "http", NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+ /* The client only sends credentials for the host it knows. */
+ g_signal_connect (msg, "authenticate", G_CALLBACK (auth_for_redirect_callback), uri);
+
+ status = soup_test_session_send_message (session, msg);
+
+ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+
+ g_uri_unref (uri);
+ soup_test_server_quit_unref (server1);
+ soup_test_server_quit_unref (server2);
+}
+
int
main (int argc, char **argv)
{
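Review bot: The test code added to tests/auth-test.c is written against `GUri`, `SoupServerMessage`, `g_uri_to_string()` and `g_uri_unref()`, while the library hunk of this same patch compares and frees URIs with `soup_uri_host_equal()` on the message URI and `soup_uri_free()`; unless this branch provides both families of types, do_strip_on_crossorigin_redirect() and its two callbacks will presumably not build, or will not test the code path they are named after. The patch header mentions a test-case adaptation, so it is worth confirming that the tests are compiled in this package and that the cross-origin case really runs and ends in `SOUP_STATUS_UNAUTHORIZED`. Separately, `redirect_server_callback` keeps its state in a function-level `static gboolean redirected`, which makes the test single-use within one process; carrying the flag through `user_data` would avoid that.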
@@ -1626,6 +1702,7 @@ main (int argc, char **argv)
g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
+ g_test_add_func ("/auth/strip-on-crossorigin-redirect", do_strip_on_crossorigin_redirect);
g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
--
2.33.0


@ -0,0 +1,25 @@
From b0fd7e1f65049b7efdf50febe6765039de4289ed Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 16 Dec 2020 15:54:32 -0600
Subject: [PATCH] Handle sniffing bytes with 0 size
---
libsoup/soup-content-sniffer.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index cb4255ade..cf5da7e1f 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -507,6 +507,9 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer,
guint resource_length = MIN (512, buffer->length);
guint i;
+ if (resource_length == 0)
+ return g_strdup ("application/octet-stream");
+
for (i = 0; i < G_N_ELEMENTS (types_table); i++) {
SoupContentSnifferPattern *type_row = &(types_table[i]);
--
GitLab


@ -0,0 +1,60 @@
From f7df4e4e1f7314ff309e4d26fcd7f352c33870ef Mon Sep 17 00:00:00 2001
From: Carlos Garcia Campos <cgarcia@igalia.com>
Date: Wed, 17 Feb 2021 14:08:40 +0100
Subject: [PATCH] content-sniffer: empty resources should be considered
text/plain
Instead of application/octet-stream according to the HTML5 spec
---
libsoup/soup-content-sniffer.c | 2 +-
tests/sniffing-test.c | 13 +++++++++----
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index f5a13d18c..948dc182d 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -507,7 +507,7 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer,
guint i;
if (resource_length == 0)
- return g_strdup ("application/octet-stream");
+ return g_strdup ("text/plain");
for (i = 0; i < G_N_ELEMENTS (types_table); i++) {
SoupContentSnifferPattern *type_row = &(types_table[i]);
diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
index 1f2bb9115..23e05c1a3 100644
--- a/tests/sniffing-test.c
+++ b/tests/sniffing-test.c
@@ -79,11 +79,13 @@ server_callback (SoupServer *server,
}
if (g_str_has_prefix (path, "/unknown/")) {
- char *base_name = g_path_get_basename (path);
+ if (!empty_response) {
+ char *base_name = g_path_get_basename (path);
- response = soup_test_load_resource (base_name, &error);
- g_assert_no_error (error);
- g_free (base_name);
+ response = soup_test_load_resource (base_name, &error);
+ g_assert_no_error (error);
+ g_free (base_name);
+ }
soup_message_headers_append (msg->response_headers,
"Content-Type", "UNKNOWN/unknown");
@@ -439,6 +441,9 @@ main (int argc, char **argv)
g_test_add_data_func ("/sniffing/type/unknown-mbox",
"unknown/mbox => text/plain",
do_sniffing_test);
+ g_test_add_data_func ("/sniffing/type/unknown-empty",
+ "unknown/mbox?empty_response=yes => text/plain",
+ do_sniffing_test);
g_test_add_data_func ("/sniffing/type/unknown-binary",
"unknown/text_binary.txt => application/octet-stream",
do_sniffing_test);
--
GitLab


@ -1,18 +1,45 @@
Name: libsoup
Version: 2.74.2
Release: 4
Release: 9
Summary: An HTTP library implementation
License: LGPLv2
URL: https://wiki.gnome.org/Projects/libsoup
Source0: https://download.gnome.org/sources/%{name}/2.74/%{name}-%{version}.tar.xz
BuildRequires: glib2-devel glib-networking krb5-devel gobject-introspection-devel gettext
BuildRequires: libxml2-devel libpsl-devel sqlite-devel vala gtk-doc meson libxslt
BuildRequires: samba-winbind-clients brotli-devel
BuildRequires: samba-winbind-clients brotli-devel git
BuildRequires: pkgconfig(sysprof-capture-4)
Requires: glib2 glib-networking
Patch6000: backport-skip-tls_interaction-test.patch
Patch6001: backport-CVE-2024-52530.patch
Patch6002: backport-0001-CVE-2024-52531.patch
Patch6003: backport-0002-CVE-2024-52531.patch
Patch6004: backport-0001-CVE-2024-52532.patch
Patch6005: backport-0002-CVE-2024-52532.patch
Patch6006: backport-CVE-2025-32050.patch
Patch6007: backport-CVE-2025-32052.patch
Patch6008: backport-0001-CVE-2025-32053.patch
Patch6009: backport-0002-CVE-2025-32053.patch
Patch6010: backport-CVE-2025-2784.patch
patch6011: backport-0001-CVE-2025-32906.patch
Patch6012: backport-0002-CVE-2025-32906.patch
Patch6013: backport-0001-CVE-2025-32910-CVE-2025-32912.patch
Patch6014: backport-0002-CVE-2025-32910-CVE-2025-32912.patch
Patch6015: backport-0003-CVE-2025-32910-CVE-2025-32912.patch
Patch6016: backport-0001-CVE-2025-32911-CVE-2025-32913.patch
Patch6017: backport-0002-CVE-2025-32911-CVE-2025-32913.patch
Patch6018: backport-0004-CVE-2025-32912.patch
Patch6019: backport-0005-CVE-2025-32912.patch
Patch6020: backport-0006-CVE-2025-32912.patch
Patch6021: backport-Handle-sniffing-bytes-with-0-size.patch
Patch6022: backport-content-sniffer-empty-resources-should-be-considered-text-plain.patch
Patch6023: backport-CVE-2025-32909.patch
Patch6024: backport-CVE-2025-32914.patch
Patch6025: backport-CVE-2025-32907.patch
Patch6026: backport-CVE-2025-46420.patch
Patch6027: backport-CVE-2025-46421.patch
%description
libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop,
@ -29,7 +56,7 @@ The %{name}-devel package contains libraries and header files for %{name}.
%package_help
%prep
%autosetup -n %{name}-%{version} -p1
%autosetup -n %{name}-%{version} -p1 -S git
%build
%meson -Dgtk_doc=true
@ -64,6 +91,36 @@ sed -i 's/idm[0-9]\{5,32\}/idm12345678912345/g' %{buildroot}%{_datadir}/gtk-doc/
%{_datadir}/gtk-doc/html/libsoup-2.4/*
%changelog
* Tue Apr 29 2025 zhangpan <zhangpan103@h-partners.com> - 2.74.2-9
- Type:cves
- ID:CVE-2025-46420 CVE-2025-46421
- SUG:NA
- DESC:fix CVE-2025-46420 CVE-2025-46421
* Wed Apr 23 2025 zhangpan <zhangpan103@h-partners.com> - 2.74.2-8
- Type:cves
- ID:CVE-2025-32907 CVE-2025-32914
- SUG:NA
- DESC:fix CVE-2025-32907 CVE-2025-32914
* Mon Apr 21 2025 zhangpan <zhangpan103@h-partners.com> - 2.74.2-7
- Type:cves
- ID:CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913
- SUG:NA
- DESC:fix CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913
* Tue Apr 8 2025 zhangpan <zhangpan103@h-partners.com> - 2.74.2-6
- Type:cves
- ID:CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-2784
- SUG:NA
- DESC:fix CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-2784
* Thu Nov 14 2024 xinghe <xinghe2@h-partners.com> - 2.74.2-5
- Type:cves
- ID:CVE-2024-52530 CVE-2024-52531 CVE-2024-52532
- SUG:NA
- DESC:fix CVE-2024-52530 CVE-2024-52531 CVE-2024-52532
* Thu Apr 18 2024 zhangpan <zhangpan103@h-partners.com> - 2.74.2-4
- Rebuild for next release