Hello community,

here is the log from the commit of package libsoup for openSUSE:Factory checked in at 2018-07-23 17:58:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libsoup (Old)
 and      /work/SRC/openSUSE:Factory/.libsoup.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsoup" Mon Jul 23 17:58:00 2018 rev:109 rq:624334 version:2.62.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libsoup/libsoup.changes 2018-05-10 15:47:26.653564485 +0200 +++ /work/SRC/openSUSE:Factory/.libsoup.new/libsoup.changes 2018-07-23 17:58:03.525150779 +0200 @@ -1,0 +2,6 @@ +Fri Jul 20 19:16:31 UTC 2018 - [email protected] + +- Add libsoup-boo1100097-empty-string.patch: fix crash when + handling empty hostnames (boo#1100097 CVE-2018-12910). + +------------------------------------------------------------------- New: ---- libsoup-boo1100097-empty-string.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsoup.spec ++++++ --- /var/tmp/diff_new_pack.nbsudL/_old 2018-07-23 17:58:04.229149900 +0200 +++ /var/tmp/diff_new_pack.nbsudL/_new 2018-07-23 17:58:04.229149900 +0200 @@ -25,6 +25,8 @@ URL: https://wiki.gnome.org/Projects/libsoup Source: http://download.gnome.org/sources/libsoup/2.62/%{name}-%{version}.tar.xz Source99: baselibs.conf +# PATCH-FIX-UPSTREAM libsoup-boo1100097-empty-string.patch boo#1100097 [email protected] -- fix crash when handling empty hostnames (CVE-2018-12910). +Patch0: libsoup-boo1100097-empty-string.patch BuildRequires: glib-networking BuildRequires: intltool >= 0.35.0 @@ -115,6 +117,7 @@ %prep %setup -q translation-update-upstream +%patch0 -p1 %build %configure\ ++++++ libsoup-boo1100097-empty-string.patch ++++++ >From db2b0d5809d5f8226d47312b40992cadbcde439f Mon Sep 17 00:00:00 2001 From: Michael Catanzaro <[email protected]> Date: Sun, 24 Jun 2018 19:46:19 -0500 Subject: [PATCH] cookie-jar: bail if hostname is an empty string There are several other ways to fix the problem with this function, but skipping over all of the code is probably the simplest. Fixes #3 --- libsoup/soup-cookie-jar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libsoup/soup-cookie-jar.c b/libsoup/soup-cookie-jar.c index 2369c8a7..b2b78909 100644 
--- a/libsoup/soup-cookie-jar.c +++ b/libsoup/soup-cookie-jar.c @@ -307,7 +307,7 @@ get_cookies (SoupCookieJar *jar, SoupURI *uri, gboolean for_http, gboolean copy_ priv = soup_cookie_jar_get_instance_private (jar); - if (!uri->host) + if (!uri->host || !uri->host[0]) return NULL; /* The logic here is a little weird, but the plan is that if -- 2.18.0
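Review bot: The new `!uri->host[0]` test in get_cookies() (soup-cookie-jar.c, hunk at line 307) carries no comment saying why an empty host has to be rejected, and the patch touches one file with one insertion and one deletion, so no regression test comes with it. Suggest a short comment above the check naming the empty-hostname case, and a test that runs the cookie lookup against a URI whose host is the empty string, so the crash described in boo#1100097 cannot silently return. The commit message says there are several other ways to fix this function; since only this early return is changed, it is worth confirming in review that no other path in the cookie jar reaches the same host handling with an empty string.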
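Review bot: The `# PATCH-FIX-UPSTREAM` comment added in libsoup.spec names the bug and the CVE but not the upstream commit the patch was taken from, although the patch header shows it (db2b0d5809d5f8226d47312b40992cadbcde439f, "Fixes #3"). Suggest adding the commit id to the spec comment or the .changes entry so the patch can be dropped with confidence once the package moves to a release that contains it. Also in the `%prep` hunk, `%patch0 -p1` is placed after `translation-update-upstream`; the patch only touches libsoup/soup-cookie-jar.c, so the order is harmless here, but applying source patches directly after `%setup -q` keeps later patches from depending on what the translation step changed.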
