diff --git a/SPECS/libsoup/CVE-2025-4969.patch b/SPECS/libsoup/CVE-2025-4969.patch new file mode 100644 index 00000000000..7f18332301a --- /dev/null +++ b/SPECS/libsoup/CVE-2025-4969.patch @@ -0,0 +1,75 @@ +From 41e93c07278ce3d2f353c396045d757a7c4ed824 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 19 May 2025 17:48:27 +0200 +Subject: [PATCH] soup-multipart: Verify array bounds before accessing its + members + +The boundary could be at a place which, calculated, pointed +before the beginning of the array. Check the bounds, to avoid +read out of the array bounds. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467.patch +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 22 ++++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index a587fe7..27257e4 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -104,7 +104,7 @@ find_boundary (const char *start, const char *end, + continue; + + /* Check that it's at start of line */ +- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r'))) ++ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r'))) + continue; + + /* Check for "--" or "\r\n" after boundary */ +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index a3a0b36..b07e4db 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -527,6 +527,27 @@ test_multipart_bounds_bad (void) + g_bytes_unref (bytes); + } + ++static void ++test_multipart_bounds_bad_2 (void) ++{ ++ SoupMultipart *multipart; ++ SoupMessageHeaders *headers; ++ GBytes *bytes; ++ const char *raw_data = "\n--123\r\nline\r\n--123--\r"; ++ ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\""); ++ ++ bytes = g_bytes_new (raw_data, strlen (raw_data)); ++ ++ multipart = soup_multipart_new_from_message (headers, bytes); ++ g_assert_nonnull (multipart); ++ ++ soup_multipart_free (multipart); ++ soup_message_headers_unref (headers); ++ g_bytes_unref (bytes); ++} ++ + static void + test_multipart_too_large (void) + { +@@ -595,6 +616,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); + g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); ++ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2); + g_test_add_func ("/multipart/too-large", test_multipart_too_large); + + ret = g_test_run (); +-- +2.45.4 + diff --git a/SPECS/libsoup/libsoup.spec b/SPECS/libsoup/libsoup.spec index 237759dc517..49df913c886 100644 --- a/SPECS/libsoup/libsoup.spec +++ b/SPECS/libsoup/libsoup.spec @@ -4,7 +4,7 @@ Summary: libsoup HTTP client/server library Name: libsoup Version: 3.4.4 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -66,6 +66,7 @@ Patch16: CVE-2025-32053.patch Patch17: CVE-2025-4476.patch Patch18: CVE-2025-32907.patch Patch19: CVE-2025-4948.patch +Patch20: CVE-2025-4969.patch %description libsoup is HTTP client/server library for GNOME @@ -133,6 +134,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %defattr(-,root,root) %changelog +* Tue Aug 12 2025 Azure Linux Security Servicing Account - 3.4.4-9 +- Patch for CVE-2025-4969 + * Tue Jul 29 2025 Azure Linux Security Servicing Account - 3.4.4-8 - Patch for CVE-2025-4948