fix CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-2784

backport-0001-CVE-2024-52532.patch

@@ -9,26 +9,28 @@ validating the data until the all the data was read.
 Fixes #391
 
 Conflict: context adapt and libsoup/websocket/soup-websocket-connection.c -> libsoup/soup-websocket-connection.c
-Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be
----
- libsoup/soup-websocket-connection.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
-index a4095e1..9d5f4f8 100644
---- a/libsoup/soup-websocket-connection.c
-+++ b/libsoup/soup-websocket-connection.c
-@@ -1140,9 +1140,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
- 		}
-
- 		pv->incoming->len = len + count;
--	} while (count > 0);
-
--	process_incoming (self);
-+		process_incoming (self);
-+	} while (count > 0 && !pv->close_sent && !pv->io_closing);
-
- 	if (end) {
- 		if (!pv->close_sent || !pv->close_received) {
---
-2.33.0
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be
+
+---
+ libsoup/soup-websocket-connection.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
+index a4095e1..ed54e6b 100644
+--- a/libsoup/soup-websocket-connection.c
++++ b/libsoup/soup-websocket-connection.c
+@@ -1140,9 +1140,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
+ 		}
+ 
+ 		pv->incoming->len = len + count;
+-	} while (count > 0);
+ 
+-	process_incoming (self);
++		process_incoming (self);
++	} while (count > 0 && !pv->close_sent && !pv->io_closing);
+ 
+ 	if (end) {
+ 		if (!pv->close_sent || !pv->close_received) {
+-- 
+2.46.0
+

backport-0001-CVE-2025-32053.patch

@@ -0,0 +1,38 @@
+From eaed42ca8d40cd9ab63764e3d63641180505f40a Mon Sep 17 00:00:00 2001
+From: Ar Jun <pkillarjun@protonmail.com>
+Date: Mon, 18 Nov 2024 14:59:51 -0600
+Subject: [PATCH] Fix heap buffer overflow in
+ soup-content-sniffer.c:sniff_feed_or_html()
+
+Conflict: Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a
+
+---
+ libsoup/soup-content-sniffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index b62e4888..5a181ff1 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -641,7 +641,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length)
+ 	       (resource[*pos] == '\x0D')) {
+ 		*pos = *pos + 1;
+ 
+-		if (*pos > resource_length)
++		if (*pos >= resource_length)
+ 			return TRUE;
+ 	}
+ 
+@@ -704,7 +704,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
+ 		do {
+ 			pos++;
+ 
+-			if (pos > resource_length)
++			if ((pos + 1) > resource_length)
+ 				goto text_html;
+ 		} while (resource[pos] != '>');
+ 
+-- 
+GitLab
+

backport-0002-CVE-2024-52532.patch

@@ -1,23 +1,24 @@
-From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
-From: Ignacio Casal Quinteiro <qignacio@amazon.com>
-Date: Wed, 2 Oct 2024 11:17:19 +0200
-Subject: [PATCH] websocket-test: disconnect error copy after the test ends
-
-Otherwise the server will have already sent a few more wrong
-bytes and the client will continue getting errors to copy
-but the error is already != NULL and it will assert
-
-Conflict: NA
+From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Wed, 2 Oct 2024 11:17:19 +0200
+Subject: [PATCH] websocket-test: disconnect error copy after the test ends
+
+Otherwise the server will have already sent a few more wrong
+bytes and the client will continue getting errors to copy
+but the error is already != NULL and it will assert
+
+Conflict: NA
 Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c
+
 ---
  tests/websocket-test.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/tests/websocket-test.c b/tests/websocket-test.c
-index 06c443bb5..6a48c1f9b 100644
+index 5e40cf3..30a1f36 100644
 --- a/tests/websocket-test.c
 +++ b/tests/websocket-test.c
-@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test,
+@@ -1331,8 +1331,9 @@ test_receive_invalid_encode_length_64 (Test *test,
  	GError *error = NULL;
  	InvalidEncodeLengthTest context = { test, NULL };
  	guint i;
@@ -28,7 +29,7 @@ index 06c443bb5..6a48c1f9b 100644
  	g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
  
  	/* We use 127(\x7f) as payload length with 65535 extended length */
-@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test,
+@@ -1345,6 +1346,7 @@ test_receive_invalid_encode_length_64 (Test *test,
  	WAIT_UNTIL (error != NULL || received != NULL);
  	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
  	g_clear_error (&error);
@@ -37,5 +38,5 @@ index 06c443bb5..6a48c1f9b 100644
  
          g_thread_join (thread);
 -- 
-GitLab
+2.46.0
 

backport-0002-CVE-2025-32053.patch

@@ -0,0 +1,69 @@
+From 242a10fbb12dbdc12d254bd8fc8669a0ac055304 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 5 Feb 2025 14:39:42 -0600
+Subject: [PATCH] sniffer: Fix potential overflow
+
+Conflict: Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/242a10fbb12dbdc12d254bd8fc8669a0ac055304
+
+---
+ libsoup/soup-content-sniffer.c                 |   2 +-
+ tests/resources/whitespace.html                | Bin 0 -> 512 bytes
+ tests/sniffing-test.c                          |   5 +++++
+ tests/soup-tests.gresource.xml                 |   1 +
+ 4 files changed, 7 insertions(+), 1 deletions(-)
+ create mode 100644 tests/resources/whitespace.html
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index aeee2e25c..da94e60c3 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -669,7 +669,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
+ 		pos = 3;
+ 
+  look_for_tag:
+-	if (pos > resource_length)
++	if (pos >= resource_length)
+ 		goto text_html;
+ 
+ 	if (skip_insignificant_space (resource, &pos, resource_length))
+diff --git a/tests/resources/whitespace.html b/tests/resources/whitespace.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..7f07a0e639a102284d6f7c0c5d5560170f994553
+GIT binary patch
+literal 512
+TcmcCf)YWAe1tT*Abam|ja4Z2(
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
+index 6116719ae..b5428177f 100644
+--- a/tests/sniffing-test.c
++++ b/tests/sniffing-test.c
+@@ -512,6 +512,11 @@ main (int argc, char **argv)
+ 			      "type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
+ 			      do_sniffing_test);
+ 
++        /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
++	g_test_add_data_func ("/sniffing/whitespace",
++			      "type/text_html/whitespace.html => text/html",
++			      do_sniffing_test);
++
+ 	/* Test that disabling the sniffer works correctly */
+ 	g_test_add_data_func ("/sniffing/disabled",
+ 			      "/text_or_binary/home.gif",
+diff --git a/tests/soup-tests.gresource.xml b/tests/soup-tests.gresource.xml
+index 9c08d170e..cbef1d402 100644
+--- a/tests/soup-tests.gresource.xml
++++ b/tests/soup-tests.gresource.xml
+@@ -25,5 +25,6 @@
+     <file>resources/text.txt</file>
+     <file>resources/text_binary.txt</file>
+     <file>resources/tux.webp</file>
++    <file>resources/whitespace.html</file>
+   </gresource>
+ </gresources>
+-- 
+GitLab
+

backport-CVE-2025-2784.patch

@@ -0,0 +1,152 @@
+From c415ad0b6771992e66c70edf373566c6e247089d Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 18 Feb 2025 14:29:50 -0600
+Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
+
+Conflict: context adaptation and Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d
+
+---
+ libsoup/soup-content-sniffer.c  |  10 +++---
+ tests/resources/whitespace.html | Bin 512 -> 0 bytes
+ tests/sniffing-test.c           |  53 +++++++++++++++++++++++++++++---
+ tests/soup-tests.gresource.xml  |   1 -
+ 4 files changed, 53 insertions(+), 11 deletions(-)
+ delete mode 100644 tests/resources/whitespace.html
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index c52d2d0..3fb29ad 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ }
+ 
+ static gboolean
+-skip_insignificant_space (const char *resource, int *pos, int resource_length)
++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
+ {
++        if (*pos >= resource_length)
++	        return TRUE;
++
+ 	while ((resource[*pos] == '\x09') ||
+ 	       (resource[*pos] == '\x20') ||
+ 	       (resource[*pos] == '\x0A') ||
+@@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ {
+ 	const char *resource = (const char *)buffer->data;
+ 	int resource_length = MIN (512, buffer->length);
+-	int pos = 0;
++	gsize pos = 0;
+ 
+ 	if (resource_length < 3)
+ 		goto text_html;
+@@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ 		pos = 3;
+ 
+  look_for_tag:
+-	if (pos >= resource_length)
+-		goto text_html;
+-
+ 	if (skip_insignificant_space (resource, &pos, resource_length))
+ 		goto text_html;
+ 
+diff --git a/tests/resources/whitespace.html b/tests/resources/whitespace.html
+deleted file mode 100644
+index 7f07a0e639a102284d6f7c0c5d5560170f994553..0000000000000000000000000000000000000000
+GIT binary patch
+literal 0
+HcmV?d00001
+
+literal 512
+TcmcCf)YWAe1tT*Abam|ja4Z2(
+
+diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
+index 0a4569a..e2dfed4 100644
+--- a/tests/sniffing-test.c
++++ b/tests/sniffing-test.c
+@@ -436,6 +436,52 @@ test_disabled (gconstpointer data)
+ 	soup_uri_free (uri);
+ }
+ 
++static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->");
++
++static void
++do_skip_whitespace_test (void)
++{
++        SoupContentSniffer *sniffer = soup_content_sniffer_new ();
++        SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org");
++        const char *test_cases[] = {
++                "",
++                "<rdf:RDF",
++                "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"",
++                "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"",
++        };
++
++        soup_message_headers_set_content_type (msg->response_headers, "text/html", NULL);
++
++        for (guint i = 0; i < G_N_ELEMENTS (test_cases); i++) {
++                const char *trailing_data = test_cases[i];
++                gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data);
++                gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data);
++                guint8 *data = g_malloc0 (testsize);
++                guint8 *p = data;
++                char *content_type;
++                GBytes *buffer;
++
++                // Format of <!--[0x00 * $leading_zeros]-->$trailing_data
++                memcpy (p, "<!--", strlen ("<!--"));
++                p += strlen ("<!--");
++                p += leading_zeros;
++                memcpy (p, "-->", strlen ("-->"));
++                p += strlen ("-->");
++                if (strlen (trailing_data))
++                        memcpy (p, trailing_data, strlen (trailing_data));
++                // Purposefully not NUL terminated.
++
++                buffer = g_bytes_new_take (g_steal_pointer (&data), testsize);
++                content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL);
++
++                g_free (content_type);
++                g_bytes_unref (buffer);
++        }
++
++        g_object_unref (msg);
++        g_object_unref (sniffer);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -605,16 +651,13 @@ main (int argc, char **argv)
+ 			      "type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
+ 			      do_sniffing_test);
+ 
+-        /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
+-	g_test_add_data_func ("/sniffing/whitespace",
+-			      "type/text_html/whitespace.html => text/html",
+-			      do_sniffing_test);
+-
+ 	/* Test that disabling the sniffer works correctly */
+ 	g_test_add_data_func ("/sniffing/disabled",
+ 			      "/text_or_binary/home.gif",
+ 			      test_disabled);
+ 
++	g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test);
++
+ 	ret = g_test_run ();
+ 
+ 	soup_uri_free (base_uri);
+diff --git a/tests/soup-tests.gresource.xml b/tests/soup-tests.gresource.xml
+index cbef1d4..9c08d17 100644
+--- a/tests/soup-tests.gresource.xml
++++ b/tests/soup-tests.gresource.xml
+@@ -25,6 +25,5 @@
+     <file>resources/text.txt</file>
+     <file>resources/text_binary.txt</file>
+     <file>resources/tux.webp</file>
+-    <file>resources/whitespace.html</file>
+   </gresource>
+ </gresources>
+-- 
+2.46.0
+

backport-CVE-2025-32050.patch

@@ -0,0 +1,28 @@
+From 9bb0a55de55c6940ced811a64fbca82fe93a9323 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Mon, 28 Oct 2024 12:29:48 -0500
+Subject: [PATCH] Fix using int instead of size_t for strcspn return
+
+Conflict: NA
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323
+
+---
+ libsoup/soup-headers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 613e1905..a5f7a7f6 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -907,7 +907,7 @@ append_param_quoted (GString    *string,
+ 		     const char *name,
+ 		     const char *value)
+ {
+-	int len;
++	gsize len;
+ 
+ 	g_string_append (string, name);
+ 	g_string_append (string, "=\"");
+-- 
+GitLab
+

backport-CVE-2025-32052.patch

@@ -0,0 +1,30 @@
+From f182429e5b1fc034050510da20c93256c4fa9652 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Sat, 16 Nov 2024 12:07:30 -0600
+Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff
+
+Co-Author: Ar Jun <pkillarjun@protonmail.com>
+
+Conflict: Modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
+Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652
+
+---
+ libsoup/soup-content-sniffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index de0985eac..b62e48889 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -524,7 +524,7 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer,
+ 			guint index_pattern = 0;
+ 			gboolean skip_row = FALSE;
+ 
+-			while ((index_stream < resource_length) &&
++			while ((index_stream < resource_length - 1) &&
+ 			       (index_pattern <= type_row->pattern_length)) {
+ 				/* Skip insignificant white space ("WS" in the spec) */
+ 				if (type_row->pattern[index_pattern] == ' ') {
+-- 
+GitLab
+

libsoup.spec

@@ -1,13 +1,13 @@
 Name:           libsoup
 Version:        2.74.3
-Release:        4
+Release:        5
 Summary:        An HTTP library implementation
 License:        LGPLv2
 URL:            https://wiki.gnome.org/Projects/libsoup
 Source0:        https://download.gnome.org/sources/%{name}/2.74/%{name}-%{version}.tar.xz
 BuildRequires:  glib2-devel glib-networking krb5-devel gobject-introspection-devel gettext
 BuildRequires:  libxml2-devel libpsl-devel sqlite-devel vala gtk-doc meson libxslt
-BuildRequires:  samba-winbind-clients brotli-devel 
+BuildRequires:  samba-winbind-clients brotli-devel git
 BuildRequires:  pkgconfig(sysprof-capture-4)
 
 Requires:       glib2 glib-networking
@@ -18,6 +18,11 @@ Patch6002:      backport-0001-CVE-2024-52531.patch
 Patch6003:      backport-0002-CVE-2024-52531.patch
 Patch6004:      backport-0001-CVE-2024-52532.patch
 Patch6005:      backport-0002-CVE-2024-52532.patch
+Patch6007:      backport-CVE-2025-32050.patch
+Patch6008:      backport-CVE-2025-32052.patch
+Patch6009:      backport-0001-CVE-2025-32053.patch
+Patch6010:      backport-0002-CVE-2025-32053.patch
+Patch6011:      backport-CVE-2025-2784.patch
 
 %description
 libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop,
@@ -34,7 +39,7 @@ The %{name}-devel package contains libraries and header files for %{name}.
 %package_help
 
 %prep
-%autosetup -n %{name}-%{version} -p1
+%autosetup -n %{name}-%{version} -p1 -S git
 
 %build
 %meson -Dgtk_doc=true
@@ -69,6 +74,12 @@ sed -i 's/idm[0-9]\{5,32\}/idm12345678912345/g' %{buildroot}%{_datadir}/gtk-doc/
 %{_datadir}/gtk-doc/html/libsoup-2.4/*
 
 %changelog
+* Tue Apr 8 2025 zhangpan <zhangpan103@h-partners.com> - 2.74.3-5
+- Type:cves
+- ID:CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-2784
+- SUG:NA
+- DESC:fix CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-2784
+
 * Thu Nov 14 2024 xinghe <xinghe2@h-partners.com> - 2.74.3-4
 - Type:cves
 - ID:CVE-2024-52530 CVE-2024-52531 CVE-2024-52532