Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsoup for openSUSE:Factory checked in at 2025-04-22 17:25:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsoup (Old) and /work/SRC/openSUSE:Factory/.libsoup.new.30101 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsoup" Tue Apr 22 17:25:53 2025 rev:153 rq:1271272 version:3.6.5 Changes: --------
--- /work/SRC/openSUSE:Factory/libsoup/libsoup.changes 2025-03-25 22:08:28.584859890 +0100
+++ /work/SRC/openSUSE:Factory/.libsoup.new.30101/libsoup.changes 2025-04-22 17:26:11.593819007 +0200
@@ -1,0 +2,13 @@
+Mon Apr 21 21:54:02 UTC 2025 - Michael Gorse <mgo...@suse.com>
+
+- Add CVE fixes:
+ + libsoup-CVE-2025-32914.patch (boo#1241164 CVE-2025-32914)
+ + libsoup-CVE-2025-32908.patch (boo#1241223 CVE-2025-32908)
+
+-------------------------------------------------------------------
+Sun Apr 6 11:14:14 UTC 2025 - Bjørn Lie <bjorn....@gmail.com>
+
+- Rerun tests once for s390x should they fail, tests for this arch
+ is very flaky.
+
+-------------------------------------------------------------------
New: ---- libsoup-CVE-2025-32908.patch libsoup-CVE-2025-32914.patch BETA DEBUG BEGIN: New: + libsoup-CVE-2025-32914.patch (boo#1241164 CVE-2025-32914) + libsoup-CVE-2025-32908.patch (boo#1241223 CVE-2025-32908) New:- Add CVE fixes: + libsoup-CVE-2025-32914.patch (boo#1241164 CVE-2025-32914) + libsoup-CVE-2025-32908.patch (boo#1241223 CVE-2025-32908) BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ libsoup.spec ++++++
--- /var/tmp/diff_new_pack.mt3NFx/_old 2025-04-22 17:26:13.629904452 +0200
+++ /var/tmp/diff_new_pack.mt3NFx/_new 2025-04-22 17:26:13.649905291 +0200
@@ -26,6 +26,10 @@
 URL: https://wiki.gnome.org/Projects/libsoup
 Source0: %{name}-%{version}.tar.zst
 Source99: baselibs.conf
+# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32914.patch boo#1241164 mgo...@suse.com -- fix read out of buffer bounds under soup_multipart_new_from_message.
+Patch0: libsoup-CVE-2025-32914.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2025-32908.patch boo#1241223 mgo...@suse.com -- soup-server-http2: Check validity of the constructed connection URI.
+Patch1: libsoup-CVE-2025-32908.patch
 BuildRequires: glib-networking
 BuildRequires: meson >= 0.53
@@ -140,7 +144,7 @@
 # Run the regression tests using GnuTLS NORMAL priority
 export G_TLS_GNUTLS_PRIORITY=NORMAL
 %ifarch s390x
-%meson_test -t 5
+%meson_test -t 5 || (%meson_test -t 5)
 %else
 %meson_test
 %endif
++++++ libsoup-CVE-2025-32908.patch ++++++
>From a792b23ab87cacbf4dd9462bf7b675fa678efbae Mon Sep 17 00:00:00 2001
From: Milan Crha <mc...@redhat.com>
Date: Tue, 15 Apr 2025 09:59:05 +0200
Subject: [PATCH] soup-server-http2: Check validity of the constructed connection URI The HTTP/2 pseudo-headers can contain invalid values, which the GUri rejects and returns NULL, but the soup-server did not check the validity and could abort the server itself later in the code. Closes #429
---
 .../http2/soup-server-message-io-http2.c | 4 +++
 tests/http2-test.c | 28 +++++++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
index 943ecfd3..f1fe2d5c 100644
--- a/libsoup/server/http2/soup-server-message-io-http2.c
+++ b/libsoup/server/http2/soup-server-message-io-http2.c
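Review bot: The s390x retry `%meson_test -t 5 || (%meson_test -t 5)` in the second spec hunk lets any intermittent failure pass silently, and that includes the regression tests the two CVE patches add in this same change. An intermittent failure on one architecture can also be the only visible sign of a real race or out-of-bounds access, so the failure of the first run should stay easy to find in the build log. I would add a comment above the line such as `# s390x: tests are flaky, retry once; check the first run's log whenever only the retry passes`, and drop the retry once the flaky tests are identified.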
@@ -771,9 +771,13 @@ on_frame_recv_callback (nghttp2_session *session,
 char *uri_string;
 GUri *uri;
+ if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
 uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
 uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
 g_free (uri_string);
+ if (uri == NULL)
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
 soup_server_message_set_uri (msg_io->msg, uri);
 g_uri_unref (uri);
diff --git a/tests/http2-test.c b/tests/http2-test.c
index 5b6da5e4..ec7972fe 100644
--- a/tests/http2-test.c
+++ b/tests/http2-test.c
@@ -1341,6 +1341,30 @@ do_connection_closed_test (Test *test, gconstpointer data)
 g_uri_unref (uri);
 }
+static void
+do_broken_pseudo_header_test (Test *test, gconstpointer data)
+{
+ char *path;
+ SoupMessage *msg;
+ GUri *uri;
+ GBytes *body = NULL;
+ GError *error = NULL;
+
+ uri = g_uri_parse_relative (base_uri, "/ag", SOUP_HTTP_URI_FLAGS, NULL);
+
+ /* an ugly cheat to construct a broken URI, which can be sent from other libs */
+ path = (char *) g_uri_get_path (uri);
+ path[1] = '%';
+
+ msg = soup_message_new_from_uri (SOUP_METHOD_GET, uri);
+ body = soup_test_session_async_send (test->session, msg, NULL, &error);
+ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_PARTIAL_INPUT);
+ g_assert_null (body);
+ g_clear_error (&error);
+ g_object_unref (msg);
+ g_uri_unref (uri);
+}
+
 static gboolean
 unpause_message (SoupServerMessage *msg)
 {
@@ -1662,6 +1686,10 @@ main (int argc, char **argv)
 setup_session,
 do_connection_closed_test,
 teardown_session);
+ g_test_add ("/http2/broken-pseudo-header", Test, NULL,
+ setup_session,
+ do_broken_pseudo_header_test,
+ teardown_session);
 ret = g_test_run ();
-- 2.49.0
++++++ libsoup-CVE-2025-32914.patch ++++++
>From 5bfcf8157597f2d327050114fb37ff600004dbcf Mon Sep 17 00:00:00 2001
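Review bot: Both new early returns in on_frame_recv_callback hand `NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE` back to nghttp2, which, going by the nghttp2 documentation for this callback, treats any non-zero return as fatal for the whole session rather than for the one stream. That removes the abort, but a single request with a bad `:scheme`, `:authority` or `:path` then appears to drop every other stream multiplexed on the same connection, which matters when a proxy or gateway shares one connection between clients. If per-stream rejection is wanted, the usual shape is `nghttp2_submit_rst_stream (session, NGHTTP2_FLAG_NONE, frame->hd.stream_id, NGHTTP2_PROTOCOL_ERROR); return 0;` (the frame argument is outside the hunk, so its name is assumed). `g_uri_parse` is also called with a NULL error pointer, so nothing records why a request was refused; logging the GError at debug level would help whoever investigates rejected requests. The callback starts and ends outside the hunk.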
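Review bot: do_broken_pseudo_header_test exercises only the `uri == NULL` branch of the fix, by sending a path that GUri cannot parse; the other new branch, a request whose scheme, authority or path pseudo-header is missing, has no test. The test also never sends a second, valid request, so it does not show that the server keeps serving after the broken request was refused. I would follow the failing send with a normal GET on a fresh message and assert that it succeeds, and replace the "ugly cheat" comment with one that states the mechanism, for example `/* test-only: write into the GUri's own path string to get a value g_uri_parse() rejects on the server side */`.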
From: Milan Crha <mc...@redhat.com>
Date: Tue, 15 Apr 2025 09:03:00 +0200
Subject: [PATCH] multipart: Fix read out of buffer bounds under soup_multipart_new_from_message() This is CVE-2025-32914, special crafted input can cause read out of buffer bounds of the body argument. Closes #436
---
 libsoup/soup-multipart.c | 2 +-
 tests/multipart-test.c | 58 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index 2421c91f..102ce372 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -173,7 +173,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
 return NULL;
 }
- split = strstr (start, "\r\n\r\n");
+ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
 if (!split || split > end) {
 soup_multipart_free (multipart);
 return NULL;
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index 2c0e7e96..f5b98688 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
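Review bot: The new bound `body_end - start` is a signed length, and g_strstr_len treats -1 (in practice any negative length) as "search up to the NUL terminator", so the fix depends on `start <= body_end` holding at this call; that invariant is established outside the hunk and is not checked here. A guard such as `if (start > body_end)` that takes the same `soup_multipart_free (multipart); return NULL;` path, or a comment saying why it cannot happen, would make the bound self-evident. The unchanged check `split > end` still accepts a `\r\n\r\n` that begins at or before `end` but extends past it, so the length arithmetic that follows, also outside the hunk, should be confirmed not to go negative for such input.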
@@ -471,6 +471,62 @@ test_multipart (gconstpointer data)
 loop = NULL;
 }
+static void
+test_multipart_bounds_good (void)
+{
+ #define TEXT "line1\r\nline2"
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers, *set_headers = NULL;
+ GBytes *bytes, *set_bytes = NULL;
+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
+ gboolean success;
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+ bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+ multipart = soup_multipart_new_from_message (headers, bytes);
+
+ g_assert_nonnull (multipart);
+ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
+ success = soup_multipart_get_part (multipart, 0, &set_headers, &set_bytes);
+ g_assert_true (success);
+ g_assert_nonnull (set_headers);
+ g_assert_nonnull (set_bytes);
+ g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes));
+ g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
+ g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes));
+
+ soup_message_headers_unref (headers);
+ g_bytes_unref (bytes);
+
+ soup_multipart_free (multipart);
+
+ #undef TEXT
+}
+
+static void
+test_multipart_bounds_bad (void)
+{
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers;
+ GBytes *bytes;
+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+ bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+ /* it did read out of raw_data/bytes bounds */
+ multipart = soup_multipart_new_from_message (headers, bytes);
+ g_assert_null (multipart);
+
+ soup_message_headers_unref (headers);
+ g_bytes_unref (bytes);
+}
+
 int
 main (int argc, char **argv)
 {
@@ -498,6 +554,8 @@ main (int argc, char **argv)
 g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
 g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
 g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
+ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
 ret = g_test_run ();
-- 2.49.0
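Review bot: test_multipart_bounds_bad can pass on the unpatched parser too, because an over-read that meets a NUL byte before it finds `\r\n\r\n` still returns NULL and satisfies `g_assert_null (multipart)`; the test only catches a regression reliably when it runs under AddressSanitizer or Valgrind. The comment `/* it did read out of raw_data/bytes bounds */` should say so, for example `/* no "\r\n\r\n" in the part: the old strstr() read past the GBytes buffer; only ASan/Valgrind make that visible */`. It is also worth noting next to `g_bytes_new (raw_data, strlen (raw_data))` that the copy holds exactly that many bytes and has no terminating NUL, since the test depends on it. In test_multipart_bounds_good, the `#define TEXT` would read better defined above the function than inside its body.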