import libsoup-2.72.0-8.el9_5.3

SOURCES/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch

@@ -1,15 +0,0 @@
-diff -up libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 libsoup-2.62.3/libsoup/soup-websocket-connection.c
---- libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532	2024-11-12 12:00:27.183570627 +0100
-+++ libsoup-2.62.3/libsoup/soup-websocket-connection.c	2024-11-12 12:01:02.334987409 +0100
-@@ -1041,9 +1041,9 @@ soup_websocket_connection_read (SoupWebs
- 		}
- 
- 		pv->incoming->len = len + count;
--	} while (count > 0);
-+		process_incoming (self);
-+	} while (count > 0 && !pv->close_sent && !pv->io_closing);
- 
--	process_incoming (self);
- 
- 	if (end) {
- 		if (!pv->close_sent || !pv->close_received) {

SOURCES/0002-websocket-test-disconnect-error-copy-after-the-test-.patch

@@ -1,38 +0,0 @@
-From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
-From: Ignacio Casal Quinteiro <qignacio@amazon.com>
-Date: Wed, 2 Oct 2024 11:17:19 +0200
-Subject: [PATCH 2/2] websocket-test: disconnect error copy after the test ends
-
-Otherwise the server will have already sent a few more wrong
-bytes and the client will continue getting errors to copy
-but the error is already != NULL and it will assert
----
- tests/websocket-test.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/tests/websocket-test.c b/tests/websocket-test.c
-index 06c443bb..6a48c1f9 100644
---- a/tests/websocket-test.c
-+++ b/tests/websocket-test.c
-@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test,
- 	GError *error = NULL;
- 	InvalidEncodeLengthTest context = { test, NULL };
- 	guint i;
-+	guint error_id;
- 
--	g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
-+	error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
- 	g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
- 
- 	/* We use 127(\x7f) as payload length with 65535 extended length */
-@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test,
- 	WAIT_UNTIL (error != NULL || received != NULL);
- 	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
- 	g_clear_error (&error);
-+        g_signal_handler_disconnect (test->client, error_id);
- 	g_assert_null (received);
- 
-         g_thread_join (thread);
--- 
-2.45.2
-

SOURCES/CVE-2024-52531.patch

@@ -0,0 +1,129 @@
+From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 27 Aug 2024 13:53:26 -0500
+Subject: [PATCH] headers: Be more robust against invalid input when parsing
+ params
+
+If you pass invalid input to a function such as soup_header_parse_param_list_strict()
+it can cause an overflow if it decodes the input to UTF-8.
+
+This should never happen with valid UTF-8 input which libsoup's client API
+ensures, however it's server API does not currently.
+---
+ libsoup/soup-headers.c | 46 ++++++++++++++++++++++--------------------
+ 1 file changed, 24 insertions(+), 22 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index f30ee467..613e1905 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -646,8 +646,9 @@ soup_header_contains (const char *header, const char *token)
+ }
+ 
+ static void
+-decode_quoted_string (char *quoted_string)
++decode_quoted_string_inplace (GString *quoted_gstring)
+ {
++	char *quoted_string = quoted_gstring->str;
+ 	char *src, *dst;
+ 
+ 	src = quoted_string + 1;
+@@ -661,10 +662,11 @@ decode_quoted_string (char *quoted_string)
+ }
+ 
+ static gboolean
+-decode_rfc5987 (char *encoded_string)
++decode_rfc5987_inplace (GString *encoded_gstring)
+ {
+ 	char *q, *decoded;
+ 	gboolean iso_8859_1 = FALSE;
++	const char *encoded_string = encoded_gstring->str;
+ 
+ 	q = strchr (encoded_string, '\'');
+ 	if (!q)
+@@ -696,14 +698,7 @@ decode_rfc5987 (char *encoded_string)
+ 		decoded = utf8;
+ 	}
+ 
+-	/* If encoded_string was UTF-8, then each 3-character %-escape
+-	 * will be converted to a single byte, and so decoded is
+-	 * shorter than encoded_string. If encoded_string was
+-	 * iso-8859-1, then each 3-character %-escape will be
+-	 * converted into at most 2 bytes in UTF-8, and so it's still
+-	 * shorter.
+-	 */
+-	strcpy (encoded_string, decoded);
++	g_string_assign (encoded_gstring, decoded);
+ 	g_free (decoded);
+ 	return TRUE;
+ }
+@@ -713,15 +708,17 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ {
+ 	GHashTable *params;
+ 	GSList *list, *iter;
+-	char *item, *eq, *name_end, *value;
+-	gboolean override, duplicated;
+ 
+ 	params = g_hash_table_new_full (soup_str_case_hash, 
+ 					soup_str_case_equal,
+-					g_free, NULL);
++					g_free, g_free);
+ 
+ 	list = parse_list (header, delim);
+ 	for (iter = list; iter; iter = iter->next) {
++		char *item, *eq, *name_end;
++		gboolean override, duplicated;
++		GString *parsed_value = NULL;
++
+ 		item = iter->data;
+ 		override = FALSE;
+ 
+@@ -736,19 +733,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ 
+ 			*name_end = '\0';
+ 
+-			value = (char *)skip_lws (eq + 1);
++			parsed_value = g_string_new ((char *)skip_lws (eq + 1));
+ 
+ 			if (name_end[-1] == '*' && name_end > item + 1) {
+ 				name_end[-1] = '\0';
+-				if (!decode_rfc5987 (value)) {
++				if (!decode_rfc5987_inplace (parsed_value)) {
++					g_string_free (parsed_value, TRUE);
+ 					g_free (item);
+ 					continue;
+ 				}
+ 				override = TRUE;
+-			} else if (*value == '"')
+-				decode_quoted_string (value);
+-		} else
+-			value = NULL;
++			} else if (parsed_value->str[0] == '"')
++				decode_quoted_string_inplace (parsed_value);
++		}
+ 
+ 		duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
+ 
+@@ -756,11 +753,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ 			soup_header_free_param_list (params);
+ 			params = NULL;
+ 			g_slist_foreach (iter, (GFunc)g_free, NULL);
++			if (parsed_value)
++				g_string_free (parsed_value, TRUE);
+ 			break;
+-		} else if (override || !duplicated)
+-			g_hash_table_replace (params, item, value);
+-		else
++		} else if (override || !duplicated) {
++			g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
++		} else {
++			if (parsed_value)
++				g_string_free (parsed_value, TRUE);
+ 			g_free (item);
++		}
+ 	}
+ 
+ 	g_slist_free (list);
+-- 
+GitLab
+

SOURCES/CVE-2024-52532.patch

@@ -0,0 +1,96 @@
+diff -up libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 libsoup-2.62.3/libsoup/soup-websocket-connection.c
+--- libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532	2024-11-12 12:00:27.183570627 +0100
++++ libsoup-2.62.3/libsoup/soup-websocket-connection.c	2024-11-12 12:01:02.334987409 +0100
+@@ -1041,9 +1041,9 @@ soup_websocket_connection_read (SoupWebs
+ 		}
+ 
+ 		pv->incoming->len = len + count;
+-	} while (count > 0);
++		process_incoming (self);
++	} while (count > 0 && !pv->close_sent && !pv->io_closing);
+ 
+-	process_incoming (self);
+ 
+ 	if (end) {
+ 		if (!pv->close_sent || !pv->close_received) {
+
+From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Wed, 2 Oct 2024 11:17:19 +0200
+Subject: [PATCH 2/2] websocket-test: disconnect error copy after the test ends
+
+Otherwise the server will have already sent a few more wrong
+bytes and the client will continue getting errors to copy
+but the error is already != NULL and it will assert
+---
+ tests/websocket-test.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 06c443bb..6a48c1f9 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test,
+ 	GError *error = NULL;
+ 	InvalidEncodeLengthTest context = { test, NULL };
+ 	guint i;
++	guint error_id;
+ 
+-	g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++	error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ 	g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
+ 
+ 	/* We use 127(\x7f) as payload length with 65535 extended length */
+@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test,
+ 	WAIT_UNTIL (error != NULL || received != NULL);
+ 	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
+ 	g_clear_error (&error);
++        g_signal_handler_disconnect (test->client, error_id);
+ 	g_assert_null (received);
+ 
+         g_thread_join (thread);
+-- 
+2.45.2
+
+From 4c9e75c6676a37b6485620c332e568e1a3f530ff Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Wed, 13 Nov 2024 14:14:23 +0000
+Subject: [PATCH] websocket-test: Disconnect error signal in another place
+
+This is the same change as commit 29b96fab "websocket-test: disconnect
+error copy after the test ends", and is done for the same reason, but
+replicating it into a different function.
+
+Fixes: 6adc0e3e "websocket: process the frame as soon as we read data"
+Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399
+Signed-off-by: Simon McVittie <smcv@debian.org>
+---
+ tests/websocket-test.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 6a48c1f9..723f2857 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -1508,8 +1508,9 @@ test_receive_invalid_encode_length_16 (Test *test,
+ 	GError *error = NULL;
+ 	InvalidEncodeLengthTest context = { test, NULL };
+ 	guint i;
++	guint error_id;
+ 
+-	g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++	error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ 	g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
+ 
+ 	/* We use 126(~) as payload length with 125 extended length */
+@@ -1522,6 +1523,7 @@ test_receive_invalid_encode_length_16 (Test *test,
+ 	WAIT_UNTIL (error != NULL || received != NULL);
+ 	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
+ 	g_clear_error (&error);
++        g_signal_handler_disconnect (test->client, error_id);
+ 	g_assert_null (received);
+ 
+ 	g_thread_join (thread);
+-- 
+GitLab
+

SOURCES/fix-ssl-test.patch

@@ -0,0 +1,123 @@
+From c720f9c696b3b39d8c386abf8c8a9ddad447cda0 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <cgarcia@igalia.com>
+Date: Wed, 9 Sep 2020 14:44:25 +0200
+Subject: [PATCH 1/2] tests: fix SSL test with glib-networking >= 2.65.90
+
+To make SSL tests fail with our testing certificate we create and empty
+GTlsDatabase passing /dev/null to g_tls_file_database_new(). This no
+longer works with newer glib-networking, since an empty file is
+considered an error by gnutls and
+g_tls_file_database_gnutls_populate_trust_list() now handles gnutls
+errors properly. Instead, we can just use the system CA file that won't
+contain our testing certificate for sure.
+
+Fixes #201
+---
+ tests/ssl-test.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/tests/ssl-test.c b/tests/ssl-test.c
+index 735ba416..2c93ca85 100644
+--- a/tests/ssl-test.c
++++ b/tests/ssl-test.c
+@@ -3,7 +3,6 @@
+ #include "test-utils.h"
+ 
+ SoupURI *uri;
+-GTlsDatabase *null_tlsdb;
+ 
+ static void
+ do_properties_test_for_session (SoupSession *session)
+@@ -37,7 +36,7 @@ do_async_properties_tests (void)
+ 
+ 	session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL);
+ 	g_object_set (G_OBJECT (session),
+-		      SOUP_SESSION_TLS_DATABASE, null_tlsdb,
++		      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ 		      SOUP_SESSION_SSL_STRICT, FALSE,
+ 		      NULL);
+ 	do_properties_test_for_session (session);
+@@ -53,7 +52,7 @@ do_sync_properties_tests (void)
+ 
+ 	session = soup_test_session_new (SOUP_TYPE_SESSION_SYNC, NULL);
+ 	g_object_set (G_OBJECT (session),
+-		      SOUP_SESSION_TLS_DATABASE, null_tlsdb,
++		      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ 		      SOUP_SESSION_SSL_STRICT, FALSE,
+ 		      NULL);
+ 	do_properties_test_for_session (session);
+@@ -106,7 +105,7 @@ do_strictness_test (gconstpointer data)
+ 	}
+ 	if (!test->with_ca_list) {
+ 		g_object_set (G_OBJECT (session),
+-			      SOUP_SESSION_TLS_DATABASE, null_tlsdb,
++			      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ 			      NULL);
+ 	}
+ 
+@@ -433,7 +432,6 @@ main (int argc, char **argv)
+ {
+ 	SoupServer *server = NULL;
+ 	int i, ret;
+-	GError *error = NULL;
+ 
+ 	test_init (argc, argv, NULL);
+ 
+@@ -441,9 +439,6 @@ main (int argc, char **argv)
+ 		server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ 		soup_server_add_handler (server, NULL, server_handler, NULL, NULL);
+ 		uri = soup_test_server_get_uri (server, "https", "127.0.0.1");
+-
+-		null_tlsdb = g_tls_file_database_new ("/dev/null", &error);
+-		g_assert_no_error (error);
+ 	} else
+ 		uri = NULL;
+ 
+@@ -463,7 +458,6 @@ main (int argc, char **argv)
+ 	if (tls_available) {
+ 		soup_uri_free (uri);
+ 		soup_test_server_quit_unref (server);
+-		g_object_unref (null_tlsdb);
+ 	}
+ 
+ 	test_cleanup ();
+-- 
+2.43.5
+
+
+From 0fbc7e8220c32f4848d6f1407efe81cc13ab18ef Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Sat, 18 Jan 2025 01:20:24 -0600
+Subject: [PATCH 2/2] Add workaround for flaky ssl-test connection failures
+
+---
+ tests/ssl-test.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/tests/ssl-test.c b/tests/ssl-test.c
+index 2c93ca85..1b48c6aa 100644
+--- a/tests/ssl-test.c
++++ b/tests/ssl-test.c
+@@ -348,6 +348,19 @@ got_connection (GThreadedSocketService *service,
+ 		g_clear_error (&error);
+ 	}
+ 
++	// Work around a race condition where do_tls_interaction_test's call to
++	// soup_session_send_message() fails due to the server having closed the
++	// connection:
++	//
++	// ERROR:../tests/ssl-test.c:405:do_tls_interaction_test: Unexpected status 7 Connection terminated unexpectedly (expected 200 OK)
++	//
++	// This bug is already fixed upstream, so no sense in spending a bunch
++	// of time trying to find a proper fix.
++	//
++	// I'm not certain, but I suspect it's fixed by:
++	// https://gitlab.gnome.org/GNOME/libsoup/-/commit/bd6de90343839125bd07c43c97e1000deb0b40c3
++	sleep (1);
++
+ 	g_io_stream_close (tls, NULL, &error);
+ 	g_assert_no_error (error);
+ 
+-- 
+2.43.5
+

SPECS/libsoup.spec

@@ -5,16 +5,23 @@
 
 Name: libsoup
 Version: 2.72.0
-Release: 8%{?dist}.2
+Release: 8%{?dist}.3
 Summary: Soup, an HTTP library implementation
 
 License: LGPLv2
 URL: https://wiki.gnome.org/Projects/libsoup
 Source0: https://download.gnome.org/sources/%{name}/2.72/%{name}-%{version}.tar.xz
 
-Patch: 0001-headers-Strictly-don-t-allow-NUL-bytes.patch
-Patch: 0001-websocket-process-the-frame-as-soon-as-we-read-data.patch
-Patch: 0002-websocket-test-disconnect-error-copy-after-the-test-.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/402
+Patch: CVE-2024-52530.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407
+Patch: CVE-2024-52531.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/410
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/414
+Patch: CVE-2024-52532.patch
+
+# https://issues.redhat.com/browse/RHEL-76426
+Patch: fix-ssl-test.patch 
 
 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
@@ -83,6 +90,9 @@ This package contains developer documentation for %{name}.
 %install
 %meson_install
 
+%check
+%meson_test
+
 %find_lang libsoup
 
 %files -f libsoup.lang
@@ -116,6 +126,10 @@ This package contains developer documentation for %{name}.
 %endif
 
 %changelog
+* Tue Jan 28 2025 Michael Catanzaro <mcatanzaro@redhat.com> - 2.72.0-8.3
+- Backport upstream patch for CVE-2024-52531 - buffer overflow via UTF-8 conversion in soup_header_parse_param_list_strict
+  Resolves: RHEL-76381
+
 * Tue Nov 12 2024 Tomas Popela <tpopela@redhat.com> - 2.72.0-8.el9_5.2
 - Backport upstream patch for CVE-2024-52532 - infinite loop while reading websocket data
 - Resolves: RHEL-67068