Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsoup for openSUSE:Factory checked in at 2024-11-13 15:27:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsoup (Old) and /work/SRC/openSUSE:Factory/.libsoup.new.2017 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsoup" Wed Nov 13 15:27:22 2024 rev:146 rq:1223846 version:3.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libsoup/libsoup.changes 2024-08-27 19:38:31.138405081 +0200 +++ /work/SRC/openSUSE:Factory/.libsoup.new.2017/libsoup.changes 2024-11-13 15:27:35.127518427 +0100 @@ -1,0 +2,11 @@ +Tue Nov 12 23:07:16 UTC 2024 - Michael Gorse <[email protected]> + +- Add 6adc0e3e.patch: websocket: Process the frame as soon as we + read data (boo#1233287 CVE-2024-52532 glgo#GNOME/libsoup#391). +- Add 29b96fab.patch: websocket-test: disconnect error copy after + the test ends (glgo#GNOME/libsoup#391). +- Add a35222dd.patch: be more robust against invalid input when + parsing params (boo#1233292 CVE-2024-52531 + glgo#GNOME/libsoup!407). + +------------------------------------------------------------------- New: ---- 29b96fab.patch 6adc0e3e.patch a35222dd.patch BETA DEBUG BEGIN: New: read data (boo#1233287 CVE-2024-52532 glgo#GNOME/libsoup#391). - Add 29b96fab.patch: websocket-test: disconnect error copy after the test ends (glgo#GNOME/libsoup#391). New: - Add 6adc0e3e.patch: websocket: Process the frame as soon as we read data (boo#1233287 CVE-2024-52532 glgo#GNOME/libsoup#391). New: the test ends (glgo#GNOME/libsoup#391). - Add a35222dd.patch: be more robust against invalid input when parsing params (boo#1233292 CVE-2024-52531 BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsoup.spec ++++++ --- /var/tmp/diff_new_pack.87QK4M/_old 2024-11-13 15:27:35.663540816 +0100 +++ /var/tmp/diff_new_pack.87QK4M/_new 2024-11-13 15:27:35.663540816 +0100 @@ -26,6 +26,12 @@ URL: https://wiki.gnome.org/Projects/libsoup Source0: https://download.gnome.org/sources/libsoup/3.6/%{name}-%{version}.tar.xz Source99: baselibs.conf +# PATCH-FIX-UPSTREAM 6adc0e3e.patch boo#1233287 [email protected] -- process the frame as soon as we read data. +Patch0: https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3e.patch +# PATCH-FIX-UPSTREAM 29b96fab.patch boo#1233287 [email protected] -- websocket-test: disconnect error copy after the test ends. +Patch1: https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab.patch +# PATCH-FIX-UPSTREAM a35222dd.patch boo#1233292 [email protected] -- be more robust against invalid input when parsing params. +Patch2: https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd.patch BuildRequires: glib-networking BuildRequires: meson >= 0.53 ++++++ 29b96fab.patch ++++++ >From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001 From: Ignacio Casal Quinteiro <[email protected]> Date: Wed, 2 Oct 2024 11:17:19 +0200 Subject: [PATCH] websocket-test: disconnect error copy after the test ends Otherwise the server will have already sent a few more wrong bytes and the client will continue getting errors to copy but the error is already != NULL and it will assert --- tests/websocket-test.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/websocket-test.c b/tests/websocket-test.c index 06c443bb5..6a48c1f9b 100644 --- a/tests/websocket-test.c +++ b/tests/websocket-test.c @@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test, GError *error = NULL; InvalidEncodeLengthTest context = { test, NULL }; guint i; + guint error_id; - g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); + error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); /* We use 127(\x7f) as payload length with 65535 extended length */ @@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test, WAIT_UNTIL (error != NULL || received != NULL); g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); g_clear_error (&error); + g_signal_handler_disconnect (test->client, error_id); g_assert_null (received); g_thread_join (thread); -- GitLab ++++++ 6adc0e3e.patch ++++++ >From 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be Mon Sep 17 00:00:00 2001 From: Ignacio Casal Quinteiro <[email protected]> Date: Wed, 11 Sep 2024 11:52:11 +0200 Subject: [PATCH] websocket: process the frame as soon as we read data Otherwise we can enter in a read loop because we were not validating the data until the all the data was read. Fixes #391 --- libsoup/websocket/soup-websocket-connection.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c index a1a730473..a14481340 100644 --- a/libsoup/websocket/soup-websocket-connection.c +++ b/libsoup/websocket/soup-websocket-connection.c @@ -1199,9 +1199,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self) } priv->incoming->len = len + count; - } while (count > 0); - process_incoming (self); + process_incoming (self); + } while (count > 0 && !priv->close_sent && !priv->io_closing); if (end) { if (!priv->close_sent || !priv->close_received) { -- GitLab ++++++ a35222dd.patch ++++++ >From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001 From: Patrick Griffis <[email protected]> Date: Tue, 27 Aug 2024 13:53:26 -0500 Subject: [PATCH] headers: Be more robust against invalid input when parsing params If you pass invalid input to a function such as soup_header_parse_param_list_strict() it can cause an overflow if it decodes the input to UTF-8. This should never happen with valid UTF-8 input which libsoup's client API ensures, however it's server API does not currently. --- libsoup/soup-headers.c | 46 ++++++++++++++++++++++-------------------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c index f30ee467..613e1905 100644 --- a/libsoup/soup-headers.c +++ b/libsoup/soup-headers.c @@ -646,8 +646,9 @@ soup_header_contains (const char *header, const char *token) } static void -decode_quoted_string (char *quoted_string) +decode_quoted_string_inplace (GString *quoted_gstring) { + char *quoted_string = quoted_gstring->str; char *src, *dst; src = quoted_string + 1; @@ -661,10 +662,11 @@ decode_quoted_string (char *quoted_string) } static gboolean -decode_rfc5987 (char *encoded_string) +decode_rfc5987_inplace (GString *encoded_gstring) { char *q, *decoded; gboolean iso_8859_1 = FALSE; + const char *encoded_string = encoded_gstring->str; q = strchr (encoded_string, '\''); if (!q) @@ -696,14 +698,7 @@ decode_rfc5987 (char *encoded_string) decoded = utf8; } - /* If encoded_string was UTF-8, then each 3-character %-escape - * will be converted to a single byte, and so decoded is - * shorter than encoded_string. If encoded_string was - * iso-8859-1, then each 3-character %-escape will be - * converted into at most 2 bytes in UTF-8, and so it's still - * shorter. - */ - strcpy (encoded_string, decoded); + g_string_assign (encoded_gstring, decoded); g_free (decoded); return TRUE; } @@ -713,15 +708,17 @@ parse_param_list (const char *header, char delim, gboolean strict) { GHashTable *params; GSList *list, *iter; - char *item, *eq, *name_end, *value; - gboolean override, duplicated; params = g_hash_table_new_full (soup_str_case_hash, soup_str_case_equal, - g_free, NULL); + g_free, g_free); list = parse_list (header, delim); for (iter = list; iter; iter = iter->next) { + char *item, *eq, *name_end; + gboolean override, duplicated; + GString *parsed_value = NULL; + item = iter->data; override = FALSE; @@ -736,19 +733,19 @@ parse_param_list (const char *header, char delim, gboolean strict) *name_end = '\0'; - value = (char *)skip_lws (eq + 1); + parsed_value = g_string_new ((char *)skip_lws (eq + 1)); if (name_end[-1] == '*' && name_end > item + 1) { name_end[-1] = '\0'; - if (!decode_rfc5987 (value)) { + if (!decode_rfc5987_inplace (parsed_value)) { + g_string_free (parsed_value, TRUE); g_free (item); continue; } override = TRUE; - } else if (*value == '"') - decode_quoted_string (value); - } else - value = NULL; + } else if (parsed_value->str[0] == '"') + decode_quoted_string_inplace (parsed_value); + } duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL); @@ -756,11 +753,16 @@ parse_param_list (const char *header, char delim, gboolean strict) soup_header_free_param_list (params); params = NULL; g_slist_foreach (iter, (GFunc)g_free, NULL); + if (parsed_value) + g_string_free (parsed_value, TRUE); break; - } else if (override || !duplicated) - g_hash_table_replace (params, item, value); - else + } else if (override || !duplicated) { + g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL); + } else { + if (parsed_value) + g_string_free (parsed_value, TRUE); g_free (item); + } } g_slist_free (list); -- GitLab
