diff --git a/1000-CVE-2025-4948.patch b/1000-CVE-2025-4948.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3dc4db2d7deefd16a5eeae3754016aef98f1832a
--- /dev/null
+++ b/1000-CVE-2025-4948.patch
@@ -0,0 +1,85 @@
+From 7f478c10aae8c6b01c1c157261a9e2eb6e3f3f1f Mon Sep 17 00:00:00 2001
+From: lzq11122
+Date: Mon, 23 Jun 2025 14:20:10 +0800
+Subject: [PATCH 1/1] fix CVE-2025-4948
+
+---
+ libsoup/soup-multipart.c | 2 +-
+ tests/multipart-test.c | 41 ++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 40 insertions(+), 3 deletions(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index 2421c91..9d610f3 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ */
+ part_body = g_bytes_new_from_bytes (body, // FIXME
+ split - body_data,
+- end - 2 - split);
++ end - 2 >= split ? end - 2 - split : 0);
+ g_ptr_array_add (multipart->bodies, part_body);
+
+ start = end;
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 2c0e7e9..7a69e7a 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -470,7 +470,44 @@ test_multipart (gconstpointer data)
+ g_main_loop_unref (loop);
+ loop = NULL;
+ }
+-
++static void
++test_multipart_too_large (void)
++{
++ const char *raw_body =
++ "-------------------\r\n"
++ "-\n"
++ "Cont\"\r\n"
++ "Content-Tynt----e:n\x8erQK\r\n"
++ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n"
++ "Content-Typimag\x01/png--\\\n"
++ "\r\n"
++ "---:\n\r\n"
++ "\r\n"
++ "-------------------------------------\r\n"
++ "---------\r\n"
++ "----------------------";
++ GBytes *body;
++ GHashTable *params;
++ SoupMessageHeaders *headers;
++ SoupMultipart *multipart;
++
++ params = g_hash_table_new (g_str_hash, g_str_equal);
++ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------");
++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++ soup_message_headers_set_content_type (headers, "multipart/form-data", params);
++ g_hash_table_unref (params);
++
++ body = g_bytes_new_static (raw_body, strlen (raw_body));
++ multipart = soup_multipart_new_from_message (headers, body);
++ soup_message_headers_free (headers);
++ g_bytes_unref (body);
++
++ g_assert_nonnull (multipart);
++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
++ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body));
++ g_assert_cmpint (g_bytes_get_size (body), ==, 0);
++ soup_multipart_free (multipart);
++}
+ int
+ main (int argc, char **argv)
+ {
+@@ -498,7 +535,7 @@ main (int argc, char **argv)
+ g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
+ g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
+ g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+-
++ g_test_add_func ("/multipart/too-large", test_multipart_too_large);
+ ret = g_test_run ();
+
+ g_uri_unref (base_uri);
+--
+2.43.5
+
diff --git a/libsoup3.spec b/libsoup3.spec
index 93f0425dcb4bc56a77fa07521d215f56dbfff8cd..cf503d0411b8efc0f83f83117921797f1f320d2d 100644
--- a/libsoup3.spec
+++ b/libsoup3.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %global glib2_version 2.69.1
 %{!?with_docs: %global with_docs 1}
@@ -12,7 +12,8 @@ Summary: Soup, an HTTP library implementation
 License: LGPL-2.0-or-later
 URL: https://wiki.gnome.org/Projects/libsoup
 Source0: https://download.gnome.org/sources/libsoup/3.6/libsoup-%{version}.tar.xz
-
+# From https://gitlab.com/redhat/centos-stream/rpms/libsoup3/-/tree/c10s?ref_type=heads
+Patch0: 1000-CVE-2025-4948.patch
 BuildRequires: gcc
 BuildRequires: gettext
 BuildRequires: glib-networking
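Review bot: The clamp added to the length argument of `g_bytes_new_from_bytes` in `soup_multipart_new_from_message` carries no comment saying when `end - 2` can fall before `split`, and the neighbouring `// FIXME` does not cover it. Without the clamp the pointer difference is negative and, converted to the `gsize` length parameter, becomes a very large size, so the reason belongs next to the code: `/* a malformed part can leave split past end - 2; clamp to an empty body so the length never goes negative */`. The new test pins that such a part is kept as a zero-length body rather than rejected, yet it is registered as `/multipart/too-large`, which describes neither the input nor the underflow; a name such as `/multipart/part-length-underflow` would make a later failure easier to read. The function's body starts and ends outside the hunk, so how `split` and `end` are derived is not visible here.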
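Review bot: The provenance comment above `Patch0:` points at the tip of the `c10s` branch, which moves, so the exact revision this security backport was taken from cannot be re-checked later; pin it to the commit instead, e.g. `# From <centos-stream libsoup3 commit URL>`. The `%prep` section is outside this diff, so it is not visible whether patches are applied automatically (`%autosetup -p1`) or need an explicit `%patch` line; a declared but unapplied patch would ship 3.6.5-2 without the fix. The hunk also drops the blank line that separated `Source0:` from the `BuildRequires:` block.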
@@ -109,6 +110,9 @@ install -m 644 -D tests/libsoup.supp %{buildroot}%{_datadir}/libsoup-3.0/libsoup
 %doc README NEWS AUTHORS
 %changelog
+* Mon Jun 23 2025 lzq11122 - 3.6.5-2
+- add patch to fix CVE-2025-4948
+
 * Thu May 22 2025 mgb01105731 - 3.6.5-1
 - Update to 3.6.5 to fix CVE-2025-32914 CVE-2025-32906 CVE-2025-32908 CVE-2025-32913 CVE-2025-2784