Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsoup2 for openSUSE:Factory checked in at 2026-01-13 21:22:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsoup2 (Old) and /work/SRC/openSUSE:Factory/.libsoup2.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsoup2"
Tue Jan 13 21:22:41 2026 rev:18 rq:1326752 version:2.74.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/libsoup2/libsoup2.changes 2026-01-09 17:02:34.473644330 +0100
+++ /work/SRC/openSUSE:Factory/.libsoup2.new.1928/libsoup2.changes 2026-01-13 21:23:16.551987557 +0100
@@ -1,0 +2,6 @@
+Fri Jan 9 02:52:21 UTC 2026 - Alynx Zhou <[email protected]>
+
+- Add libsoup2-CVE-2026-0719.patch: Fix overflow for password
+ md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493).
+
+-------------------------------------------------------------------
New:
----
libsoup2-CVE-2026-0719.patch
----------(New B)----------
New:
- Add libsoup2-CVE-2026-0719.patch: Fix overflow for password
md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493).
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libsoup2.spec ++++++
--- /var/tmp/diff_new_pack.86O4z4/_old 2026-01-13 21:23:21.344185348 +0100
+++ /var/tmp/diff_new_pack.86O4z4/_new 2026-01-13 21:23:21.360186008 +0100
@@ -82,6 +82,8 @@
 Patch27: libsoup-CVE-2025-4945.patch
 # PATCH-FIX-UPSTREAM libsoup2-CVE-2025-14523.patch bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491 [email protected] -- Reject duplicated Host in headers
 Patch28: libsoup2-CVE-2025-14523.patch
+# PATCH-FIX-UPSTREAM libsoup2-CVE-2026-0719.patch bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493 [email protected] -- Fix overflow for password md4sum
+Patch29: libsoup2-CVE-2026-0719.patch
 BuildRequires: glib-networking
 BuildRequires: meson >= 0.50
++++++ libsoup2-CVE-2026-0719.patch ++++++
diff --unified --recursive --text --new-file --color libsoup-2.74.3/libsoup/soup-auth-ntlm.c libsoup-2.74.3.new/libsoup/soup-auth-ntlm.c
--- libsoup-2.74.3/libsoup/soup-auth-ntlm.c 2022-10-12 02:27:22.000000000 +0800
+++ libsoup-2.74.3.new/libsoup/soup-auth-ntlm.c 2026-01-12 10:26:03.168118541 +0800
@@ -594,7 +594,7 @@
 }
 static void md4sum (const unsigned char *in,
- int nbytes,
+ size_t nbytes,
 unsigned char digest[16]);
 typedef guint32 DES_KS[16][2]; /* Single-key DES key schedule */
@@ -640,7 +640,7 @@
 {
 unsigned char *buf, *p;
- p = buf = g_malloc (strlen (password) * 2);
+ p = buf = g_malloc_n (strlen (password), 2);
 while (*password) {
 *p++ = *password++;
@@ -1079,15 +1079,16 @@
 #define ROT(val, n) ( ((val) << (n)) | ((val) >> (32 - (n))) )
 static void
-md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
+md4sum (const unsigned char *in, size_t nbytes, unsigned char digest[16])
 {
 unsigned char *M;
 guint32 A, B, C, D, AA, BB, CC, DD, X[16];
- int pbytes, nbits = nbytes * 8, i, j;
+ size_t pbytes, nbits = nbytes * 8;
+ int i, j;
 /* There is *always* padding of at least one bit. */
 pbytes = ((119 - (nbytes % 64)) % 64) + 1;
- M = alloca (nbytes + pbytes + 8);
+ M = g_malloc (nbytes + pbytes + 8);
 memcpy (M, in, nbytes);
 memset (M + nbytes, 0, pbytes + 8);
 M[nbytes] = 0x80;
@@ -1187,6 +1188,8 @@
 digest[13] = (D >> 8) & 0xFF;
 digest[14] = (D >> 16) & 0xFF;
 digest[15] = (D >> 24) & 0xFF;
+
+ g_free (M);
 }
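Review bot: In the `@@ -1079,15 +1079,16 @@` hunk, `int i, j;` stays signed while the buffer length `nbytes + pbytes + 8` is now `size_t`. If the block loop further down in md4sum (outside this hunk) steps `i` across M, it would overflow `int` once the input exceeds INT_MAX bytes; declaring `size_t i; int j;` keeps the index as wide as the length. Separately, `nbits = nbytes * 8` can still wrap where `size_t` is 32 bits. MD4 defines a 64-bit bit count, so `guint64 nbits = (guint64) nbytes * 8;` would be exact, provided the code that stores the length into M (not visible here) writes all eight bytes.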
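Review bot: In the `@@ -1187,6 +1188,8 @@` hunk, `g_free (M);` hands the padded message copy back to the heap with its contents intact, and the `@@ -640,7 +640,7 @@` hunk suggests that this copy is derived from the password. Before this change M was an alloca block; a freed heap chunk can stay readable for longer, so it is worth clearing `nbytes + pbytes + 8` bytes first with a clear the compiler cannot drop, e.g. `explicit_bzero (M, nbytes + pbytes + 8);` where the platform provides it. The same applies to `buf` in the caller, whose free is outside the visible hunk. md4sum's body starts before this hunk, so any early return between the allocation and this `g_free` should be checked for a leak as well.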
