diff --git a/.gitignore b/.gitignore
index d111bfa..01387ee 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libsoup-2.72.0.tar.xz
+SOURCES/libsoup-2.74.3.tar.xz
diff --git a/.libsoup.metadata b/.libsoup.metadata
index 132605c..71b33ae 100644
--- a/.libsoup.metadata
+++ b/.libsoup.metadata
@@ -1 +1 @@
-6aaed6b49b13e287b7c3bba546ba49fec4ea72a5 SOURCES/libsoup-2.72.0.tar.xz
+657ce6cbfacbc7ab175de5207f80c1235d2f8092 SOURCES/libsoup-2.74.3.tar.xz
diff --git a/SOURCES/0001-headers-Strictly-don-t-allow-NUL-bytes.patch b/SOURCES/0001-headers-Strictly-don-t-allow-NUL-bytes.patch
deleted file mode 100644
index f0f6dbf..0000000
--- a/SOURCES/0001-headers-Strictly-don-t-allow-NUL-bytes.patch
+++ /dev/null
@@ -1,145 +0,0 @@ -From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001 -From: Patrick Griffis -Date: Mon, 8 Jul 2024 12:33:15 -0500 -Subject: [PATCH] headers: Strictly don't allow NUL bytes - -In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem. ---- - libsoup/soup-headers.c | 15 +++------ - tests/header-parsing-test.c | 62 +++++++++++++++++-------------------- - 2 files changed, 32 insertions(+), 45 deletions(-) - -diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c -index a0cf351a..f30ee467 100644 ---- a/libsoup/soup-headers.c -+++ b/libsoup/soup-headers.c -@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) - * ignorable trailing whitespace. - */ - -+ /* No '\0's are allowed */ -+ if (memchr (str, '\0', len)) -+ return FALSE; -+ - /* Skip over the Request-Line / Status-Line */ - headers_start = memchr (str, '\n', len); - if (!headers_start) - return FALSE; -- /* No '\0's in the Request-Line / Status-Line */ -- if (memchr (str, '\0', headers_start - str)) -- return FALSE; - - /* We work on a copy of the headers, which we can write '\0's - * into, so that we don't have to individually g_strndup and -@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) - headers_copy[copy_len] = '\0'; - value_end = headers_copy; - -- /* There shouldn't be any '\0's in the headers already, but -- * this is the web we're talking about. 
-- */ -- while ((p = memchr (headers_copy, '\0', copy_len))) { -- memmove (p, p + 1, copy_len - (p - headers_copy)); -- copy_len--; -- } -- - while (*(value_end + 1)) { - name = value_end + 1; - name_end = strchr (name, ':'); -diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c -index edf8eebb..715c2c6f 100644 ---- a/tests/header-parsing-test.c -+++ b/tests/header-parsing-test.c -@@ -358,24 +358,6 @@ static struct RequestTest { - } - }, - -- { "NUL in header name", "760832", -- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, -- SOUP_STATUS_OK, -- "GET", "/", SOUP_HTTP_1_1, -- { { "Host", "example.com" }, -- { NULL } -- } -- }, -- -- { "NUL in header value", "760832", -- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35, -- SOUP_STATUS_OK, -- "GET", "/", SOUP_HTTP_1_1, -- { { "Host", "examplecom" }, -- { NULL } -- } -- }, -- - /************************/ - /*** INVALID REQUESTS ***/ - /************************/ -@@ -448,6 +430,21 @@ static struct RequestTest { - SOUP_STATUS_EXPECTATION_FAILED, - NULL, NULL, -1, - { { NULL } } -+ }, -+ -+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 -+ { "NUL in header name", NULL, -+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, -+ SOUP_STATUS_BAD_REQUEST, -+ NULL, NULL, -1, -+ { { NULL } } -+ }, -+ -+ { "NUL in header value", NULL, -+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, -+ SOUP_STATUS_BAD_REQUEST, -+ NULL, NULL, -1, -+ { { NULL } } - } - }; - static const int num_reqtests = G_N_ELEMENTS (reqtests); -@@ -620,22 +617,6 @@ static struct ResponseTest { - { NULL } } - }, - -- { "NUL in header name", "760832", -- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, -- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", -- { { "Foo", "bar" }, -- { NULL } -- } -- }, -- -- { "NUL in header value", "760832", -- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, -- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", -- { { "Foo", "bar" }, -- { NULL } -- } -- }, -- - /********************************/ - /*** VALID CONTINUE RESPONSES ***/ - 
/********************************/ -@@ -768,6 +749,19 @@ static struct ResponseTest { - { { NULL } - } - }, -+ -+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 -+ { "NUL in header name", NULL, -+ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, -+ -1, 0, NULL, -+ { { NULL } } -+ }, -+ -+ { "NUL in header value", "760832", -+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, -+ -1, 0, NULL, -+ { { NULL } } -+ }, - }; - static const int num_resptests = G_N_ELEMENTS (resptests); - --- -2.45.2 - diff --git a/SOURCES/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch b/SOURCES/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch deleted file mode 100644 index cc2d173..0000000 --- a/SOURCES/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 libsoup-2.62.3/libsoup/soup-websocket-connection.c ---- libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 2024-11-12 12:00:27.183570627 +0100 -+++ libsoup-2.62.3/libsoup/soup-websocket-connection.c 2024-11-12 12:01:02.334987409 +0100 -@@ -1041,9 +1041,9 @@ soup_websocket_connection_read (SoupWebs - } - - pv->incoming->len = len + count; -- } while (count > 0); -+ process_incoming (self); -+ } while (count > 0 && !pv->close_sent && !pv->io_closing); - -- process_incoming (self); - - if (end) { - if (!pv->close_sent || !pv->close_received) { diff --git a/SOURCES/0002-websocket-test-disconnect-error-copy-after-the-test-.patch b/SOURCES/0002-websocket-test-disconnect-error-copy-after-the-test-.patch deleted file mode 100644 index 6bdf4b5..0000000 --- a/SOURCES/0002-websocket-test-disconnect-error-copy-after-the-test-.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001 -From: Ignacio Casal Quinteiro -Date: Wed, 2 Oct 2024 11:17:19 +0200 -Subject: [PATCH 2/2] websocket-test: disconnect error copy after the test ends - -Otherwise the server will have already sent a few more wrong -bytes and the client will continue getting errors to copy -but the error is already != NULL and it will assert ---- - tests/websocket-test.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/tests/websocket-test.c b/tests/websocket-test.c -index 06c443bb..6a48c1f9 100644 ---- a/tests/websocket-test.c -+++ b/tests/websocket-test.c -@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test, - GError *error = NULL; - InvalidEncodeLengthTest context = { test, NULL }; - guint i; -+ guint error_id; - -- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); -+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); - g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); - - /* We use 127(\x7f) as payload length with 65535 extended length */ -@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test, - WAIT_UNTIL (error != NULL || received != NULL); - g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); - g_clear_error (&error); -+ g_signal_handler_disconnect (test->client, error_id); - g_assert_null (received); - - g_thread_join (thread); --- -2.45.2 - diff --git a/SOURCES/libsoup-2.74.3-libxml2-2.12.0-includes.patch b/SOURCES/libsoup-2.74.3-libxml2-2.12.0-includes.patch new file mode 100644 index 0000000..4aba535 --- /dev/null +++ b/SOURCES/libsoup-2.74.3-libxml2-2.12.0-includes.patch 
@@ -0,0 +1,43 @@ +From ced3c5d8cad0177b297666343f1561799dfefb0d Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Wed, 22 Nov 2023 18:49:10 -0800 +Subject: [PATCH] Fix build with libxml2-2.12.0 and clang-17 + +Fixes build errors about missing function prototypes with clang-17 + +Fixes +| ../libsoup-2.74.3/libsoup/soup-xmlrpc-old.c:512:8: error: call to undeclared function 'xmlParseMemory'; ISO C99 and later do not support implicit function declarations + +Signed-off-by: Khem Raj +--- + libsoup/soup-xmlrpc-old.c | 1 + + libsoup/soup-xmlrpc.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/libsoup/soup-xmlrpc-old.c b/libsoup/soup-xmlrpc-old.c +index c57086b6a..527e3b235 100644 +--- a/libsoup/soup-xmlrpc-old.c ++++ b/libsoup/soup-xmlrpc-old.c +@@ -11,6 +11,7 @@ + + #include + ++#include + #include + + #include "soup-xmlrpc-old.h" +diff --git a/libsoup/soup-xmlrpc.c b/libsoup/soup-xmlrpc.c +index 42dcda9c7..e991cbf01 100644 +--- a/libsoup/soup-xmlrpc.c ++++ b/libsoup/soup-xmlrpc.c +@@ -17,6 +17,7 @@ + + #include + #include ++#include + #include + #include "soup-xmlrpc.h" + #include "soup.h" +-- +GitLab + diff --git a/SPECS/libsoup.spec b/SPECS/libsoup.spec index 42e4c9c..c536c35 100644 --- a/SPECS/libsoup.spec +++ b/SPECS/libsoup.spec 
@@ -3,21 +3,19 @@ # Coverity scan can override this to 0, to skip checking in gtk-doc generated code %{!?with_docs: %global with_docs 1} -Name: libsoup -Version: 2.72.0 -Release: 8%{?dist}.2 +Name: libsoup +Version: 2.74.3 +Release: 7%{?dist} Summary: Soup, an HTTP library implementation -License: LGPLv2 +License: LGPL-2.0-only URL: https://wiki.gnome.org/Projects/libsoup -Source0: https://download.gnome.org/sources/%{name}/2.72/%{name}-%{version}.tar.xz - -Patch: 0001-headers-Strictly-don-t-allow-NUL-bytes.patch -Patch: 0001-websocket-process-the-frame-as-soon-as-we-read-data.patch -Patch: 0002-websocket-test-disconnect-error-copy-after-the-test-.patch +Source0: https://download.gnome.org/sources/%{name}/2.74/%{name}-%{version}.tar.xz +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/385 +Patch: libsoup-2.74.3-libxml2-2.12.0-includes.patch BuildRequires: gettext -BuildRequires: glib2-devel >= %{glib2_version} +BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version} BuildRequires: glib-networking %if %{with_docs} BuildRequires: gtk-doc 
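Review bot: The rebased spec drops `Patch: 0001-headers-Strictly-don-t-allow-NUL-bytes.patch` and `Patch: 0001-websocket-process-the-frame-as-soon-as-we-read-data.patch` with nothing on the page showing that the 2.74.3 tarball already contains those fixes. The changelog entries removed in the following hunk tie them to CVE-2024-52530 (request smuggling via NUL bytes in header names) and CVE-2024-52532 (infinite loop while reading websocket data). The deleted patches are dated July and November 2024, whereas the new changelog has 2.74.3 packaged in October 2022, so the tarball presumably predates both fixes. Unless that has been verified otherwise, the two backports should be rebased onto 2.74.3 and kept in the `Patch:` list, with the CVE references retained in `%changelog`. A quick check is whether `soup_headers_parse` in the 2.74.3 tree returns FALSE on `memchr (str, '\0', len)` before it scans for the Request-Line.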
@@ -116,20 +114,47 @@ This package contains developer documentation for %{name}. %endif %changelog -* Tue Nov 12 2024 Tomas Popela - 2.72.0-8.el9_5.2 -- Backport upstream patch for CVE-2024-52532 - infinite loop while reading websocket data -- Resolves: RHEL-67068 +* Tue Dec 24 2024 Arkady L. Shane - 2.74.3-7 +- Rebuilt for MSVSphere 10 + +* Thu Jul 18 2024 Fedora Release Engineering - 2.74.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Thu Jan 25 2024 Fedora Release Engineering - 2.74.3-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 2.74.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Nov 29 2023 David King - 2.74.3-4 +- Fix building against libxml2 2.12.0 + +* Thu Jul 20 2023 Fedora Release Engineering - 2.74.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jan 19 2023 Fedora Release Engineering - 2.74.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Oct 28 2022 David King - 2.74.3-1 +- Update to 2.74.3 + +* Thu Jul 21 2022 Fedora Release Engineering - 2.74.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 2.74.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Dec 07 2021 Kalev Lember - 2.74.2-1 +- Update to 2.74.2 -* Tue Nov 12 2024 Tomas Popela - 2.72.0-8.el9_5.1 -- Backport upstream patch for CVE-2024-52530 - HTTP request smuggling via stripping null bytes from the ends of header names -- Resolves: RHEL-67080 +* Wed Oct 27 2021 Kalev Lember - 2.74.1-1 +- Update to 2.74.1 -* Mon Aug 09 2021 Mohan Boddu - 2.72.0-8 -- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Related: rhbz#1991688 +* Wed Sep 08 2021 Kalev Lember - 2.74.0-1 +- Update to 2.74.0 -* Fri Apr 16 2021 Mohan Boddu - 2.72.0-7 -- Rebuilt for RHEL 9 BETA on Apr 15th 2021. 
Related: rhbz#1947937 +* Thu Jul 22 2021 Fedora Release Engineering - 2.72.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild * Fri Mar 26 2021 Kalev Lember - 2.72.0-6 - Rebuild to fix sysprof-capture symbols leaking into libraries consuming it