packages/libsoup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913

Browse Source
This commit is contained in:
zhangpan 2025-04-21 07:19:28 +00:00
parent b9db14476d
commit 9bf8c22134
15 changed files with 797 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
backport-0001-CVE-2025-32906.patch Normal file
View File

@ -0,0 +1,61 @@
From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 11 Feb 2025 14:36:26 -0600
Subject: [PATCH] headers: Handle parsing edge case
This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931
---
libsoup/soup-headers.c | 2 +-
tests/header-parsing-test.c | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 85385cea..9d6d00a3 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str,
!g_ascii_isdigit (version[5]))
return SOUP_STATUS_BAD_REQUEST;
major_version = strtoul (version + 5, &p, 10);
- if (*p != '.' || !g_ascii_isdigit (p[1]))
+ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
return SOUP_STATUS_BAD_REQUEST;
minor_version = strtoul (p + 1, &p, 10);
version_end = p;
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 07ea2866..10ddb684 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -6,6 +6,10 @@ typedef struct {
const char *name, *value;
} Header;
+static char unterminated_http_version[] = {
+ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
+};
+
static struct RequestTest {
const char *description;
const char *bugref;
@@ -383,6 +387,14 @@ static struct RequestTest {
{ { NULL } }
},
+ /* This couldn't be a C string as going one byte over would have been safe. */
+ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+ unterminated_http_version, sizeof (unterminated_http_version),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
{ "Non-HTTP request", NULL,
"GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
SOUP_STATUS_BAD_REQUEST,
--
GitLab

98
backport-0001-CVE-2025-32910-CVE-2025-32912.patch Normal file
View File

@ -0,0 +1,98 @@
From e40df6d48a1cbab56f5d15016cc861a503423cfe Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sun, 8 Dec 2024 20:00:35 -0600
Subject: [PATCH] auth-digest: Handle missing realm in authenticate header
Conflict: tests/auth-test.c file context adaptation and modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe
---
libsoup/soup-auth-digest.c | 3 +++
tests/auth-test.c | 50 ++++++++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index e8ba990..263a15a 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
+ if (!soup_auth_get_realm (auth))
+ return FALSE;
+
g_free (priv->domain);
g_free (priv->nonce);
g_free (priv->opaque);
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 8295ec3..dfc6b09 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void)
soup_test_session_abort_unref (session);
}
+static void
+on_request_read_for_missing_realm (SoupServer *server,
+ SoupServerMessage *msg,
+ gpointer user_data)
+{
+ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+}
+
+static void
+do_missing_realm_test (void)
+{
+ SoupSession *session;
+ SoupMessage *msg;
+ SoupServer *server;
+ SoupAuthDomain *digest_auth_domain;
+ gint status;
+ GUri *uri;
+
+ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ soup_server_add_handler (server, NULL,
+ server_callback, NULL, NULL);
+ uri = soup_test_server_get_uri (server, "http", NULL);
+
+ digest_auth_domain = soup_auth_domain_digest_new (
+ "realm", "auth-test",
+ "auth-callback", server_digest_auth_callback,
+ NULL);
+ soup_auth_domain_add_path (digest_auth_domain, "/");
+ soup_server_add_auth_domain (server, digest_auth_domain);
+ g_object_unref (digest_auth_domain);
+
+ g_signal_connect (server, "request-read",
+ G_CALLBACK (on_request_read_for_missing_realm),
+ NULL);
+
+ session = soup_test_session_new (NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+ g_signal_connect (msg, "authenticate",
+ G_CALLBACK (on_digest_authenticate),
+ NULL);
+
+ status = soup_test_session_send_message (session, msg);
+
+ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+ g_uri_unref (uri);
+ soup_test_server_quit_unref (server);
+}
+
int
main (int argc, char **argv)
{
@@ -1576,6 +1625,7 @@ main (int argc, char **argv)
g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
+ g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
ret = g_test_run ();
--
2.48.1

72
backport-0001-CVE-2025-32911-CVE-2025-32913.patch Normal file
View File

@ -0,0 +1,72 @@
From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 17:53:50 -0600
Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref
Conflict: tests/header-parsing-test.c file context adaptation
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34
---
libsoup/soup-message-headers.c | 13 +++++++++----
tests/header-parsing-test.c | 14 ++++++++++++++
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 39ad14a..a577169 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1454,10 +1454,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
*/
if (params && g_hash_table_lookup_extended (*params, "filename",
&orig_key, &orig_value)) {
- char *filename = strrchr (orig_value, '/');
-
- if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ if (orig_value) {
+ char *filename = strrchr (orig_value, '/');
+
+ if (filename)
+ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ } else {
+ /* filename with no value isn't valid. */
+ g_hash_table_remove (*params, "filename");
+ }
}
return TRUE;
}
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 03ea34d..45316c5 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -1062,6 +1062,7 @@ do_param_list_tests (void)
#define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
#define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\""
#define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar"
+#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename"
static void
do_content_disposition_tests (void)
@@ -1163,6 +1164,19 @@ do_content_disposition_tests (void)
g_assert_cmpstr (parameter2, ==, "bar");
g_hash_table_destroy (params);
+ /* Empty filename */
+ soup_message_headers_clear (hdrs);
+ soup_message_headers_append (hdrs, "Content-Disposition",
+ RFC5987_TEST_HEADER_EMPTY_FILENAME);
+ if (!soup_message_headers_get_content_disposition (hdrs,
+ &disposition,
+ &params)) {
+ soup_test_assert (FALSE, "empty filename decoding FAILED");
+ return;
+ }
+ g_assert_false (g_hash_table_contains (params, "filename"));
+ g_hash_table_destroy (params);
+
soup_message_headers_free (hdrs);
/* Ensure that soup-multipart always quotes filename */
--
2.48.1

83
backport-0002-CVE-2025-32906.patch Normal file
View File

@ -0,0 +1,83 @@
From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 12 Feb 2025 11:30:02 -0600
Subject: [PATCH] headers: Handle parsing only newlines
Closes #404
Closes #407
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f
---
libsoup/soup-headers.c | 4 ++--
tests/header-parsing-test.c | 13 ++++++++++++-
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 9d6d00a3..52ef2ece 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str,
/* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
* received where a Request-Line is expected."
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str,
* after a response, which we then see prepended to the next
* response on that connection.
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 10ddb684..4faafbd6 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -6,10 +6,15 @@ typedef struct {
const char *name, *value;
} Header;
+/* These are not C strings to ensure going one byte over is not safe. */
static char unterminated_http_version[] = {
'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
};
+static char only_newlines[] = {
+ '\n', '\n', '\n', '\n'
+};
+
static struct RequestTest {
const char *description;
const char *bugref;
@@ -387,7 +392,6 @@ static struct RequestTest {
{ { NULL } }
},
- /* This couldn't be a C string as going one byte over would have been safe. */
{ "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
unterminated_http_version, sizeof (unterminated_http_version),
SOUP_STATUS_BAD_REQUEST,
@@ -457,6 +461,13 @@ static struct RequestTest {
SOUP_STATUS_BAD_REQUEST,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ { "Only newlines", NULL,
+ only_newlines, sizeof (only_newlines),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
--
GitLab

149
backport-0002-CVE-2025-32910-CVE-2025-32912.patch Normal file
View File

@ -0,0 +1,149 @@
From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:18:35 -0600
Subject: [PATCH] auth-digest: Handle missing nonce
Conflict: tests/auth-test.c file context adaptation and modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a
---
libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++---------
tests/auth-test.c | 19 +++++++++-------
2 files changed, 46 insertions(+), 18 deletions(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 263a15a..a97e4bb 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
return g_string_free (out, FALSE);
}
+static gboolean
+validate_params (SoupAuthDigest *auth_digest)
+{
+ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
+
+ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
+ if (!priv->nonce)
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
static gboolean
soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
GHashTable *auth_params)
@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
if (priv->algorithm == -1)
ok = FALSE;
- stale = g_hash_table_lookup (auth_params, "stale");
- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
- recompute_hex_a1 (priv);
- else {
- g_free (priv->user);
- priv->user = NULL;
- g_free (priv->cnonce);
- priv->cnonce = NULL;
- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ if (!validate_params (auth_digest))
+ ok = FALSE;
+
+ if (ok) {
+ stale = g_hash_table_lookup (auth_params, "stale");
+ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+ recompute_hex_a1 (priv);
+ else {
+ g_free (priv->user);
+ priv->user = NULL;
+ g_free (priv->cnonce);
+ priv->cnonce = NULL;
+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ }
}
return ok;
@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,
/* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+ g_assert (nonce && cnonce);
+
checksum = g_checksum_new (G_CHECKSUM_MD5);
g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
g_checksum_update (checksum, (guchar *)":", 1);
@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method,
if (qop) {
char tmp[9];
+ g_assert (cnonce);
+
g_snprintf (tmp, 9, "%.8x", nc);
g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
g_checksum_update (checksum, (guchar *)":", 1);
@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
g_return_val_if_fail (uri != NULL, NULL);
url = soup_uri_to_string (uri, TRUE);
+ g_assert (priv->nonce);
+ g_assert (!priv->qop || priv->cnonce);
+
soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
priv->qop, priv->nonce,
priv->cnonce, priv->nc,
diff --git a/tests/auth-test.c b/tests/auth-test.c
index dfc6b09..6fb1e4a 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void)
}
static void
-on_request_read_for_missing_realm (SoupServer *server,
- SoupServerMessage *msg,
- gpointer user_data)
+on_request_read_for_missing_params (SoupServer *server,
+ SoupServerMessage *msg,
+ gpointer user_data)
{
+ const char *auth_header = user_data;
SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
}
static void
-do_missing_realm_test (void)
+do_missing_params_test (gconstpointer auth_header)
{
SoupSession *session;
SoupMessage *msg;
@@ -1582,8 +1583,8 @@ do_missing_realm_test (void)
g_object_unref (digest_auth_domain);
g_signal_connect (server, "request-read",
- G_CALLBACK (on_request_read_for_missing_realm),
- NULL);
+ G_CALLBACK (on_request_read_for_missing_params),
+ (gpointer)auth_header);
session = soup_test_session_new (NULL);
msg = soup_message_new_from_uri ("GET", uri);
@@ -1625,7 +1626,9 @@ main (int argc, char **argv)
g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
ret = g_test_run ();
--
2.48.1

44
backport-0002-CVE-2025-32911-CVE-2025-32913.patch Normal file
View File

@ -0,0 +1,44 @@
From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 18:00:39 -0600
Subject: [PATCH] soup_message_headers_get_content_disposition: strdup
truncated filenames
This table frees the strings it contains.
Conflict: NA
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0
---
libsoup/soup-message-headers.c | 2 +-
tests/header-parsing-test.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index a577169..81e7cea 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1458,7 +1458,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
char *filename = strrchr (orig_value, '/');
if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
} else {
/* filename with no value isn't valid. */
g_hash_table_remove (*params, "filename");
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 45316c5..c3a62f9 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -1174,6 +1174,7 @@ do_content_disposition_tests (void)
soup_test_assert (FALSE, "empty filename decoding FAILED");
return;
}
+ g_free (disposition);
g_assert_false (g_hash_table_contains (params, "filename"));
g_hash_table_destroy (params);
--
2.48.1

27
backport-0003-CVE-2025-32910-CVE-2025-32912.patch Normal file
View File

@ -0,0 +1,27 @@
From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 13:52:52 -0600
Subject: [PATCH] auth-digest: Fix leak
Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832
---
libsoup/soup-auth-digest.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 350bfde6..9eb7fa0e 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object)
g_free (priv->nonce);
g_free (priv->domain);
g_free (priv->cnonce);
+ g_free (priv->opaque);
memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
--
GitLab

41
backport-0004-CVE-2025-32912.patch Normal file
View File

@ -0,0 +1,41 @@
From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 14:03:05 -0600
Subject: [PATCH] auth-digest: Handle missing nonce
Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992
---
libsoup/soup-auth-digest.c | 2 +-
tests/auth-test.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 83069ef..b79e6f8 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
- if (!soup_auth_get_realm (auth))
+ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
return FALSE;
g_free (priv->domain);
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 6fb1e4a..548ac94 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1629,6 +1629,7 @@ main (int argc, char **argv)
g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test);
ret = g_test_run ();
--
2.48.1

30
backport-0005-CVE-2025-32912.patch Normal file
View File

@ -0,0 +1,30 @@
From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sat, 8 Feb 2025 12:30:13 -0600
Subject: [PATCH] digest-auth: Handle NULL nonce
`contains` only handles a missing nonce, `lookup` handles both missing and empty.
Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f
---
libsoup/soup-auth-digest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index d69a4013..dc4dbfc5 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
- if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
+ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))
return FALSE;
g_free (priv->domain);
--
GitLab

51
backport-0006-CVE-2025-32912.patch Normal file
View File

@ -0,0 +1,51 @@
From e2e3d1cf16a15d725289e3f5a8a6503de08fc63f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 11 Feb 2025 10:32:39 -0600
Subject: [PATCH] Remove redundant function
The nonce is validated earlier now.
Conflict: Modify file path adaptation: libsoup/auth/soup-auth-digest.c->libsoup/soup-auth-digest.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/e2e3d1cf16a15d725289e3f5a8a6503de08fc63f
---
libsoup/soup-auth-digest.c | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 40b470b..318ebe2 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -133,19 +133,6 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
return g_string_free (out, FALSE);
}
-static gboolean
-validate_params (SoupAuthDigest *auth_digest)
-{
- SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
-
- if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
- if (!priv->nonce)
- return FALSE;
- }
-
- return TRUE;
-}
-
static gboolean
soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
GHashTable *auth_params)
@@ -183,9 +170,6 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
if (priv->algorithm == -1)
ok = FALSE;
- if (!validate_params (auth_digest))
- ok = FALSE;
-
if (ok) {
stale = g_hash_table_lookup (auth_params, "stale");
if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
--
2.48.1

36
backport-CVE-2025-32909.patch Normal file
View File

@ -0,0 +1,36 @@
From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 8 Jan 2025 16:30:17 -0600
Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4
bytes
Conflict: context adaptation and modify file path adaptation: libsoup/content-sniffer/soup-content-sniffer.c->libsoup/soup-content-sniffer.c
Reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92
---
libsoup/soup-content-sniffer.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index c52d2d0..ee32971 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -227,9 +227,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, SoupBuffer *buffer)
{
const char *resource = (const char *)buffer->data;
guint resource_length = MIN (512, buffer->length);
- guint32 box_size = *((guint32*)resource);
+ guint32 box_size;
guint i;
+ if (resource_length < sizeof (guint32))
+ return FALSE;
+
+ box_size = *((guint32*)resource);
+
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
box_size = ((box_size >> 24) |
((box_size << 8) & 0x00FF0000) |
--
2.48.1

24
backport-CVE-2025-32912.patch
View File

@ -1,24 +0,0 @@
From acc0e7c802758934ce0a51c4db4e7ea5c3e91ef6 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 17 Apr 2025 19:58:08 +0800
Subject: [PATCH] backport-CVE-2025-32912
---
libsoup/soup-auth-digest.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index e8ba990..c249f02 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
g_free (priv->nonce);
g_free (priv->domain);
g_free (priv->cnonce);
+ g_free (priv->opaque);
memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
--
2.33.0

25
backport-Handle-sniffing-bytes-with-0-size.patch Normal file
View File

@ -0,0 +1,25 @@
From b0fd7e1f65049b7efdf50febe6765039de4289ed Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 16 Dec 2020 15:54:32 -0600
Subject: [PATCH] Handle sniffing bytes with 0 size
---
libsoup/soup-content-sniffer.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index cb4255ade..cf5da7e1f 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -507,6 +507,9 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer,
guint resource_length = MIN (512, buffer->length);
guint i;
+ if (resource_length == 0)
+ return g_strdup ("application/octet-stream");
+
for (i = 0; i < G_N_ELEMENTS (types_table); i++) {
SoupContentSnifferPattern *type_row = &(types_table[i]);
--
GitLab

60
backport-content-sniffer-empty-resources-should-be-considered-text-plain.patch Normal file
View File

@ -0,0 +1,60 @@
From f7df4e4e1f7314ff309e4d26fcd7f352c33870ef Mon Sep 17 00:00:00 2001
From: Carlos Garcia Campos <cgarcia@igalia.com>
Date: Wed, 17 Feb 2021 14:08:40 +0100
Subject: [PATCH] content-sniffer: empty resources should be considered
text/plain
Instead of application/octet-stream according to the HTML5 spec
---
libsoup/soup-content-sniffer.c | 2 +-
tests/sniffing-test.c | 13 +++++++++----
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index f5a13d18c..948dc182d 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -507,7 +507,7 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer,
guint i;
if (resource_length == 0)
- return g_strdup ("application/octet-stream");
+ return g_strdup ("text/plain");
for (i = 0; i < G_N_ELEMENTS (types_table); i++) {
SoupContentSnifferPattern *type_row = &(types_table[i]);
diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
index 1f2bb9115..23e05c1a3 100644
--- a/tests/sniffing-test.c
+++ b/tests/sniffing-test.c
@@ -79,11 +79,13 @@ server_callback (SoupServer *server,
}
if (g_str_has_prefix (path, "/unknown/")) {
- char *base_name = g_path_get_basename (path);
+ if (!empty_response) {
+ char *base_name = g_path_get_basename (path);
- response = soup_test_load_resource (base_name, &error);
- g_assert_no_error (error);
- g_free (base_name);
+ response = soup_test_load_resource (base_name, &error);
+ g_assert_no_error (error);
+ g_free (base_name);
+ }
soup_message_headers_append (msg->response_headers,
"Content-Type", "UNKNOWN/unknown");
@@ -439,6 +441,9 @@ main (int argc, char **argv)
g_test_add_data_func ("/sniffing/type/unknown-mbox",
"unknown/mbox => text/plain",
do_sniffing_test);
+ g_test_add_data_func ("/sniffing/type/unknown-empty",
+ "unknown/mbox?empty_response=yes => text/plain",
+ do_sniffing_test);
g_test_add_data_func ("/sniffing/type/unknown-binary",
"unknown/text_binary.txt => application/octet-stream",
do_sniffing_test);
--
GitLab

22
libsoup.spec
View File

@ -1,6 +1,6 @@
Name: libsoup
Version: 2.74.3
Release: 6
Release: 7
Summary: An HTTP library implementation
License: LGPLv2
URL: https://wiki.gnome.org/Projects/libsoup
@ -23,7 +23,19 @@ Patch6008: backport-CVE-2025-32052.patch
Patch6009: backport-0001-CVE-2025-32053.patch
Patch6010: backport-0002-CVE-2025-32053.patch
Patch6011: backport-CVE-2025-2784.patch
Patch6012: backport-CVE-2025-32912.patch
Patch6012: backport-0001-CVE-2025-32906.patch
Patch6013: backport-0002-CVE-2025-32906.patch
Patch6014: backport-0001-CVE-2025-32910-CVE-2025-32912.patch
Patch6015: backport-0002-CVE-2025-32910-CVE-2025-32912.patch
Patch6016: backport-0003-CVE-2025-32910-CVE-2025-32912.patch
Patch6017: backport-0001-CVE-2025-32911-CVE-2025-32913.patch
Patch6018: backport-0002-CVE-2025-32911-CVE-2025-32913.patch
Patch6019: backport-0004-CVE-2025-32912.patch
Patch6020: backport-0005-CVE-2025-32912.patch
Patch6021: backport-0006-CVE-2025-32912.patch
Patch6022: backport-Handle-sniffing-bytes-with-0-size.patch
Patch6023: backport-content-sniffer-empty-resources-should-be-considered-text-plain.patch
Patch6024: backport-CVE-2025-32909.patch
%description
libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop,
@ -75,6 +87,12 @@ sed -i 's/idm[0-9]\{5,32\}/idm12345678912345/g' %{buildroot}%{_datadir}/gtk-doc/
%{_datadir}/gtk-doc/html/libsoup-2.4/*
%changelog
* Mon Apr 21 2025 zhangpan <zhangpan103@h-partners.com> - 2.74.3-7
- Type:cves
- ID:CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913
- SUG:NA
- DESC:fix CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913
* Thu Apr 17 2025 maoyanping <maoyanping@xfusion.com> - 2.74.3-6
- Type:cves
- ID:CVE-2025-32912