diff --git a/SOURCES/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch b/SOURCES/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch
deleted file mode 100644
index cc2d173..0000000
--- a/SOURCES/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -up libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 libsoup-2.62.3/libsoup/soup-websocket-connection.c
---- libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 2024-11-12 12:00:27.183570627 +0100
-+++ libsoup-2.62.3/libsoup/soup-websocket-connection.c 2024-11-12 12:01:02.334987409 +0100
-@@ -1041,9 +1041,9 @@ soup_websocket_connection_read (SoupWebs
- }
-
- pv->incoming->len = len + count;
-- } while (count > 0);
-+ process_incoming (self);
-+ } while (count > 0 && !pv->close_sent && !pv->io_closing);
-
-- process_incoming (self);
-
- if (end) {
- if (!pv->close_sent || !pv->close_received) {
diff --git a/SOURCES/0002-websocket-test-disconnect-error-copy-after-the-test-.patch b/SOURCES/0002-websocket-test-disconnect-error-copy-after-the-test-.patch
deleted file mode 100644
index 6bdf4b5..0000000
--- a/SOURCES/0002-websocket-test-disconnect-error-copy-after-the-test-.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
-From: Ignacio Casal Quinteiro
-Date: Wed, 2 Oct 2024 11:17:19 +0200
-Subject: [PATCH 2/2] websocket-test: disconnect error copy after the test ends
-
-Otherwise the server will have already sent a few more wrong
-bytes and the client will continue getting errors to copy
-but the error is already != NULL and it will assert
----
- tests/websocket-test.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/tests/websocket-test.c b/tests/websocket-test.c
-index 06c443bb..6a48c1f9 100644
---- a/tests/websocket-test.c
-+++ b/tests/websocket-test.c
-@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test,
- GError *error = NULL;
- InvalidEncodeLengthTest context = { test, NULL };
- guint i;
-+ guint error_id;
-
-- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
-+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
- g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
-
- /* We use 127(\x7f) as payload length with 65535 extended length */
-@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test,
- WAIT_UNTIL (error != NULL || received != NULL);
- g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
- g_clear_error (&error);
-+ g_signal_handler_disconnect (test->client, error_id);
- g_assert_null (received);
-
- g_thread_join (thread);
---
-2.45.2
-
diff --git a/SOURCES/0001-headers-Strictly-don-t-allow-NUL-bytes.patch b/SOURCES/CVE-2024-52530.patch
similarity index 100%
rename from SOURCES/0001-headers-Strictly-don-t-allow-NUL-bytes.patch
rename to SOURCES/CVE-2024-52530.patch
diff --git a/SOURCES/CVE-2024-52531.patch b/SOURCES/CVE-2024-52531.patch
new file mode 100644
index 0000000..fe48ae4
--- /dev/null
+++ b/SOURCES/CVE-2024-52531.patch
@@ -0,0 +1,129 @@
+From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis
+Date: Tue, 27 Aug 2024 13:53:26 -0500
+Subject: [PATCH] headers: Be more robust against invalid input when parsing
+ params
+
+If you pass invalid input to a function such as soup_header_parse_param_list_strict()
+it can cause an overflow if it decodes the input to UTF-8.
+
+This should never happen with valid UTF-8 input which libsoup's client API
+ensures, however it's server API does not currently.
+---
+ libsoup/soup-headers.c | 46 ++++++++++++++++++++++--------------------
+ 1 file changed, 24 insertions(+), 22 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index f30ee467..613e1905 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -646,8 +646,9 @@ soup_header_contains (const char *header, const char *token)
+ }
+
+ static void
+-decode_quoted_string (char *quoted_string)
++decode_quoted_string_inplace (GString *quoted_gstring)
+ {
++ char *quoted_string = quoted_gstring->str;
+ char *src, *dst;
+
+ src = quoted_string + 1;
+@@ -661,10 +662,11 @@ decode_quoted_string (char *quoted_string)
+ }
+
+ static gboolean
+-decode_rfc5987 (char *encoded_string)
++decode_rfc5987_inplace (GString *encoded_gstring)
+ {
+ char *q, *decoded;
+ gboolean iso_8859_1 = FALSE;
++ const char *encoded_string = encoded_gstring->str;
+
+ q = strchr (encoded_string, '\'');
+ if (!q)
+@@ -696,14 +698,7 @@ decode_rfc5987 (char *encoded_string)
+ decoded = utf8;
+ }
+
+- /* If encoded_string was UTF-8, then each 3-character %-escape
+- * will be converted to a single byte, and so decoded is
+- * shorter than encoded_string. If encoded_string was
+- * iso-8859-1, then each 3-character %-escape will be
+- * converted into at most 2 bytes in UTF-8, and so it's still
+- * shorter.
+- */
+- strcpy (encoded_string, decoded);
++ g_string_assign (encoded_gstring, decoded);
+ g_free (decoded);
+ return TRUE;
+ }
+@@ -713,15 +708,17 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ {
+ GHashTable *params;
+ GSList *list, *iter;
+- char *item, *eq, *name_end, *value;
+- gboolean override, duplicated;
+
+ params = g_hash_table_new_full (soup_str_case_hash,
+ soup_str_case_equal,
+- g_free, NULL);
++ g_free, g_free);
+
+ list = parse_list (header, delim);
+ for (iter = list; iter; iter = iter->next) {
++ char *item, *eq, *name_end;
++ gboolean override, duplicated;
++ GString *parsed_value = NULL;
++
+ item = iter->data;
+ override = FALSE;
+
+@@ -736,19 +733,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
+
+ *name_end = '\0';
+
+- value = (char *)skip_lws (eq + 1);
++ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
+
+ if (name_end[-1] == '*' && name_end > item + 1) {
+ name_end[-1] = '\0';
+- if (!decode_rfc5987 (value)) {
++ if (!decode_rfc5987_inplace (parsed_value)) {
++ g_string_free (parsed_value, TRUE);
+ g_free (item);
+ continue;
+ }
+ override = TRUE;
+- } else if (*value == '"')
+- decode_quoted_string (value);
+- } else
+- value = NULL;
++ } else if (parsed_value->str[0] == '"')
++ decode_quoted_string_inplace (parsed_value);
++ }
+
+ duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
+
+@@ -756,11 +753,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ soup_header_free_param_list (params);
+ params = NULL;
+ g_slist_foreach (iter, (GFunc)g_free, NULL);
++ if (parsed_value)
++ g_string_free (parsed_value, TRUE);
+ break;
+- } else if (override || !duplicated)
+- g_hash_table_replace (params, item, value);
+- else
++ } else if (override || !duplicated) {
++ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
++ } else {
++ if (parsed_value)
++ g_string_free (parsed_value, TRUE);
+ g_free (item);
++ }
+ }
+
+ g_slist_free (list);
+--
+GitLab
+
diff --git a/SOURCES/CVE-2024-52532.patch b/SOURCES/CVE-2024-52532.patch
new file mode 100644
index 0000000..5f0428e
--- /dev/null
+++ b/SOURCES/CVE-2024-52532.patch
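Review bot: In CVE-2024-52531.patch, switching the table's value destructor to `g_free` (`g_hash_table_new_full (..., g_free, g_free)`) changes the ownership contract of every param list that parse_param_list returns: values used to point into the key's buffer and are now separate allocations that the table frees. Code outside this hunk that stores a value it does not own in a returned table (for example a pointer into an existing value) would then cause an invalid or double free; no such caller is visible here, so the users of the param-list API in the 2.72.0 tree should be audited as part of this backport. A comment above the call would record the new contract, e.g. `/* keys and values are owned by the table; values must be g_malloc()ed strings or NULL */`. A smaller point: decode_quoted_string_inplace still edits `->str` directly and, in the lines shown, never updates the GString's length, which is harmless only while the result is extracted with `g_string_free (parsed_value, FALSE)`; the end of that function is outside the hunk.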
@@ -0,0 +1,96 @@
+diff -up libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 libsoup-2.62.3/libsoup/soup-websocket-connection.c
+--- libsoup-2.62.3/libsoup/soup-websocket-connection.c.cve-2024-52532 2024-11-12 12:00:27.183570627 +0100
++++ libsoup-2.62.3/libsoup/soup-websocket-connection.c 2024-11-12 12:01:02.334987409 +0100
+@@ -1041,9 +1041,9 @@ soup_websocket_connection_read (SoupWebs
+ }
+
+ pv->incoming->len = len + count;
+- } while (count > 0);
++ process_incoming (self);
++ } while (count > 0 && !pv->close_sent && !pv->io_closing);
+
+- process_incoming (self);
+
+ if (end) {
+ if (!pv->close_sent || !pv->close_received) {
+
+From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro
+Date: Wed, 2 Oct 2024 11:17:19 +0200
+Subject: [PATCH 2/2] websocket-test: disconnect error copy after the test ends
+
+Otherwise the server will have already sent a few more wrong
+bytes and the client will continue getting errors to copy
+but the error is already != NULL and it will assert
+---
+ tests/websocket-test.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 06c443bb..6a48c1f9 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test,
+ GError *error = NULL;
+ InvalidEncodeLengthTest context = { test, NULL };
+ guint i;
++ guint error_id;
+
+- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
+
+ /* We use 127(\x7f) as payload length with 65535 extended length */
+@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test,
+ WAIT_UNTIL (error != NULL || received != NULL);
+ g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
+ g_clear_error (&error);
++ g_signal_handler_disconnect (test->client, error_id);
+ g_assert_null (received);
+
+ g_thread_join (thread);
+--
+2.45.2
+
+From 4c9e75c6676a37b6485620c332e568e1a3f530ff Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Wed, 13 Nov 2024 14:14:23 +0000
+Subject: [PATCH] websocket-test: Disconnect error signal in another place
+
+This is the same change as commit 29b96fab "websocket-test: disconnect
+error copy after the test ends", and is done for the same reason, but
+replicating it into a different function.
+
+Fixes: 6adc0e3e "websocket: process the frame as soon as we read data"
+Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399
+Signed-off-by: Simon McVittie
+---
+ tests/websocket-test.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 6a48c1f9..723f2857 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -1508,8 +1508,9 @@ test_receive_invalid_encode_length_16 (Test *test,
+ GError *error = NULL;
+ InvalidEncodeLengthTest context = { test, NULL };
+ guint i;
++ guint error_id;
+
+- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
+
+ /* We use 126(~) as payload length with 125 extended length */
+@@ -1522,6 +1523,7 @@ test_receive_invalid_encode_length_16 (Test *test,
+ WAIT_UNTIL (error != NULL || received != NULL);
+ g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
+ g_clear_error (&error);
++ g_signal_handler_disconnect (test->client, error_id);
+ g_assert_null (received);
+
+ g_thread_join (thread);
+--
+GitLab
+
diff --git a/SOURCES/fix-ssl-test.patch b/SOURCES/fix-ssl-test.patch
new file mode 100644
index 0000000..97d4ae7
--- /dev/null
+++ b/SOURCES/fix-ssl-test.patch 
@@ -0,0 +1,123 @@
+From c720f9c696b3b39d8c386abf8c8a9ddad447cda0 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos
+Date: Wed, 9 Sep 2020 14:44:25 +0200
+Subject: [PATCH 1/2] tests: fix SSL test with glib-networking >= 2.65.90
+
+To make SSL tests fail with our testing certificate we create and empty
+GTlsDatabase passing /dev/null to g_tls_file_database_new(). This no
+longer works with newer glib-networking, since an empty file is
+considered an error by gnutls and
+g_tls_file_database_gnutls_populate_trust_list() now handles gnutls
+errors properly. Instead, we can just use the system CA file that won't
+contain our testing certificate for sure.
+
+Fixes #201
+---
+ tests/ssl-test.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/tests/ssl-test.c b/tests/ssl-test.c
+index 735ba416..2c93ca85 100644
+--- a/tests/ssl-test.c
++++ b/tests/ssl-test.c
+@@ -3,7 +3,6 @@
+ #include "test-utils.h"
+
+ SoupURI *uri;
+-GTlsDatabase *null_tlsdb;
+
+ static void
+ do_properties_test_for_session (SoupSession *session)
+@@ -37,7 +36,7 @@ do_async_properties_tests (void)
+
+ session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL);
+ g_object_set (G_OBJECT (session),
+- SOUP_SESSION_TLS_DATABASE, null_tlsdb,
++ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ SOUP_SESSION_SSL_STRICT, FALSE,
+ NULL);
+ do_properties_test_for_session (session);
+@@ -53,7 +52,7 @@ do_sync_properties_tests (void)
+
+ session = soup_test_session_new (SOUP_TYPE_SESSION_SYNC, NULL);
+ g_object_set (G_OBJECT (session),
+- SOUP_SESSION_TLS_DATABASE, null_tlsdb,
++ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ SOUP_SESSION_SSL_STRICT, FALSE,
+ NULL);
+ do_properties_test_for_session (session);
+@@ -106,7 +105,7 @@ do_strictness_test (gconstpointer data)
+ }
+ if (!test->with_ca_list) {
+ g_object_set (G_OBJECT (session),
+- SOUP_SESSION_TLS_DATABASE, null_tlsdb,
++ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ NULL);
+ }
+
+@@ -433,7 +432,6 @@ main (int argc, char **argv)
+ {
+ SoupServer *server = NULL;
+ int i, ret;
+- GError *error = NULL;
+
+ test_init (argc, argv, NULL);
+
+@@ -441,9 +439,6 @@ main (int argc, char **argv)
+ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ soup_server_add_handler (server, NULL, server_handler, NULL, NULL);
+ uri = soup_test_server_get_uri (server, "https", "127.0.0.1");
+-
+- null_tlsdb = g_tls_file_database_new ("/dev/null", &error);
+- g_assert_no_error (error);
+ } else
+ uri = NULL;
+
+@@ -463,7 +458,6 @@ main (int argc, char **argv)
+ if (tls_available) {
+ soup_uri_free (uri);
+ soup_test_server_quit_unref (server);
+- g_object_unref (null_tlsdb);
+ }
+
+ test_cleanup ();
+--
+2.43.5
+
+
+From 0fbc7e8220c32f4848d6f1407efe81cc13ab18ef Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Sat, 18 Jan 2025 01:20:24 -0600
+Subject: [PATCH 2/2] Add workaround for flaky ssl-test connection failures
+
+---
+ tests/ssl-test.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/tests/ssl-test.c b/tests/ssl-test.c
+index 2c93ca85..1b48c6aa 100644
+--- a/tests/ssl-test.c
++++ b/tests/ssl-test.c
+@@ -348,6 +348,19 @@ got_connection (GThreadedSocketService *service,
+ g_clear_error (&error);
+ }
+
++ // Work around a race condition where do_tls_interaction_test's call to
++ // soup_session_send_message() fails due to the server having closed the
++ // connection:
++ //
++ // ERROR:../tests/ssl-test.c:405:do_tls_interaction_test: Unexpected status 7 Connection terminated unexpectedly (expected 200 OK)
++ //
++ // This bug is already fixed upstream, so no sense in spending a bunch
++ // of time trying to find a proper fix.
++ //
++ // I'm not certain, but I suspect it's fixed by:
++ // https://gitlab.gnome.org/GNOME/libsoup/-/commit/bd6de90343839125bd07c43c97e1000deb0b40c3
++ sleep (1);
++
+ g_io_stream_close (tls, NULL, &error);
+ g_assert_no_error (error);
+
+--
+2.43.5
+
diff --git a/SPECS/libsoup.spec b/SPECS/libsoup.spec
index 42e4c9c..f8ed2ae 100644
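Review bot: In fix-ssl-test.patch, the `sleep (1);` added to got_connection hides the race instead of synchronising with the client, so the test can still fail on a loaded builder; with `%check` being enabled in the same commit, a flaky test becomes a failed build. The patch's own comment says the upstream fix is only suspected, so confirming and backporting that commit would be more reliable than a fixed delay. If the delay stays, `g_usleep (G_USEC_PER_SEC);` is the GLib call and does not depend on `<unistd.h>` being included, which the hunk does not show. got_connection's body starts and ends outside the hunk.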
--- a/SPECS/libsoup.spec +++ b/SPECS/libsoup.spec @@ -5,16 +5,23 @@ Name: libsoup Version: 2.72.0 -Release: 8%{?dist}.2 +Release: 8%{?dist}.3 Summary: Soup, an HTTP library implementation License: LGPLv2 URL: https://wiki.gnome.org/Projects/libsoup Source0: https://download.gnome.org/sources/%{name}/2.72/%{name}-%{version}.tar.xz -Patch: 0001-headers-Strictly-don-t-allow-NUL-bytes.patch -Patch: 0001-websocket-process-the-frame-as-soon-as-we-read-data.patch -Patch: 0002-websocket-test-disconnect-error-copy-after-the-test-.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/402 +Patch: CVE-2024-52530.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407 +Patch: CVE-2024-52531.patch +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/410 +# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/414 +Patch: CVE-2024-52532.patch + +# https://issues.redhat.com/browse/RHEL-76426 +Patch: fix-ssl-test.patch BuildRequires: gettext BuildRequires: glib2-devel >= %{glib2_version} @@ -83,6 +90,9 @@ This package contains developer documentation for %{name}. %install %meson_install +%check +%meson_test + %find_lang libsoup %files -f libsoup.lang @@ -116,6 +126,10 @@ This package contains developer documentation for %{name}. %endif %changelog +* Tue Jan 28 2025 Michael Catanzaro - 2.72.0-8.3 +- Backport upstream patch for CVE-2024-52531 - buffer overflow via UTF-8 conversion in soup_header_parse_param_list_strict + Resolves: RHEL-76381 + * Tue Nov 12 2024 Tomas Popela - 2.72.0-8.el9_5.2 - Backport upstream patch for CVE-2024-52532 - infinite loop while reading websocket data - Resolves: RHEL-67068
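Review bot: The new `%check` section is inserted between `%meson_install` and `%find_lang libsoup`, so `%find_lang` now belongs to `%check` rather than to `%install`. When the build runs with checks disabled (for example `rpmbuild --nocheck`), libsoup.lang is never generated and `%files -f libsoup.lang` fails. Move the two added lines below `%find_lang libsoup`, so that `%install` keeps both `%meson_install` and `%find_lang libsoup` and `%check` with `%meson_test` follows them. Running the test suite at build time is a useful guard for a package carrying CVE backports, so the placement is the only thing I would change here.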