Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsoup for openSUSE:Factory checked in at 2026-01-13 21:22:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsoup (Old) and /work/SRC/openSUSE:Factory/.libsoup.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsoup" Tue Jan 13 21:22:58 2026 rev:162 rq:1326753 version:3.6.5 Changes: -------- --- /work/SRC/openSUSE:Factory/libsoup/libsoup.changes 2026-01-09 17:02:37.813783161 +0100 +++ /work/SRC/openSUSE:Factory/.libsoup.new.1928/libsoup.changes 2026-01-13 21:23:26.764409060 +0100 @@ -1,0 +2,12 @@ +Mon Jan 12 02:48:06 UTC 2026 - Alynx Zhou <[email protected]> + +- Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for + websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). + +------------------------------------------------------------------- +Fri Jan 9 02:37:48 UTC 2026 - Alynx Zhou <[email protected]> + +- Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum + (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). + +------------------------------------------------------------------- New: ---- libsoup-CVE-2026-0716.patch libsoup-CVE-2026-0719.patch ----------(New B)---------- New: - Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494). New: - Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsoup.spec ++++++ --- /var/tmp/diff_new_pack.Jo9oFf/_old 2026-01-13 21:23:28.272471304 +0100 +++ /var/tmp/diff_new_pack.Jo9oFf/_new 2026-01-13 21:23:28.276471469 +0100 @@ -47,6 +47,10 @@ Patch8: libsoup-CVE-2025-12105.patch # PATCH-FIX-UPSTREAM libsoup-CVE-2025-14523.patch bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491 [email protected] -- Reject duplicated Host in headers Patch9: libsoup-CVE-2025-14523.patch +# PATCH-FIX-UPSTREAM libsoup-CVE-2026-0719.patch bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493 [email protected] -- Fix overflow for password md4sum +Patch10: libsoup-CVE-2026-0719.patch +# PATCH-FIX-UPSTREAM libsoup-CVE-2026-0716.patch bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494 [email protected] -- Fix out-of-bounds read for websocket +Patch11: libsoup-CVE-2026-0716.patch BuildRequires: glib-networking BuildRequires: meson >= 0.53 ++++++ libsoup-CVE-2026-0716.patch ++++++ >From 149750d7350c1d25b00bdb8355ad58d3864f902b Mon Sep 17 00:00:00 2001 From: Mike Gorse <[email protected]> Date: Sun, 11 Jan 2026 10:52:14 -0600 Subject: [PATCH] websocket: Fix out-of-bounds read in process_frame If the maximum incoming payload size is unset, then a malicious frame could cause an overflow when calculating the needed amount of data, leading to an out-of-bounds read later. This is CVE-2026-0716. Closes #476 --- libsoup/websocket/soup-websocket-connection.c | 8 +++- tests/websocket-test.c | 44 +++++++++++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c index 30df9841..42867be3 100644 --- a/libsoup/websocket/soup-websocket-connection.c +++ b/libsoup/websocket/soup-websocket-connection.c @@ -1028,6 +1028,7 @@ process_frame (SoupWebsocketConnection *self) guint8 opcode; gsize len; gsize at; + gsize required; GBytes *filtered_bytes; GList *l; GError *error = NULL; @@ -1123,7 +1124,12 @@ process_frame (SoupWebsocketConnection *self) payload += 4; at += 4; - if (len < at + payload_len) + if (!g_size_checked_add (&required, (gsize) at, (gsize) payload_len)) { + bad_data_error_and_close (self); + return FALSE; + } + + if (len < required) return FALSE; /* need more data */ xor_with_mask (mask, payload, payload_len); diff --git a/tests/websocket-test.c b/tests/websocket-test.c index 194b966a..e887091d 100644 --- a/tests/websocket-test.c +++ b/tests/websocket-test.c @@ -2215,6 +2215,41 @@ test_connection_error (void) soup_test_session_abort_unref (session); } +static void +test_cve_2026_0716 (Test *test, + gconstpointer unused) +{ + GError *error = NULL; + GIOStream *io; + gsize written; + const char *frame; + gboolean close_event = FALSE; + + g_signal_handlers_disconnect_by_func (test->server, on_error_not_reached, NULL); + g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error); + g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event); + + io = soup_websocket_connection_get_io_stream (test->client); + + soup_websocket_connection_set_max_incoming_payload_size (test->server, 0); + + // Malicious masked frame header (10-byte header + 4-byte mask) */ + frame = "\x82\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xaa\xbb\xcc\xdd"; + if (!g_output_stream_write_all (g_io_stream_get_output_stream (io), + frame, 14, &written, NULL, NULL)) + g_assert_cmpstr ("This code", ==, "should not be reached"); + g_assert_cmpuint (written, ==, 14); + + WAIT_UNTIL (error != NULL); + g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_BAD_DATA); + g_clear_error (&error); + + WAIT_UNTIL (soup_websocket_connection_get_state (test->client) == SOUP_WEBSOCKET_STATE_CLOSED); + g_assert_true (close_event); + + g_assert_cmpuint (soup_websocket_connection_get_close_code (test->client), ==, SOUP_WEBSOCKET_CLOSE_BAD_DATA); +} + int main (int argc, char *argv[]) @@ -2465,6 +2500,15 @@ main (int argc, g_test_add_func ("/websocket/soup/connection-error", test_connection_error); + g_test_add ("/websocket/direct/cve-2026-0716", Test, NULL, + setup_direct_connection, + test_cve_2026_0716, + teardown_direct_connection); + g_test_add ("/websocket/soup/cve-2026-0716", Test, NULL, + setup_soup_connection, + test_cve_2026_0716, + teardown_soup_connection); + ret = g_test_run (); test_cleanup (); -- GitLab ++++++ libsoup-CVE-2026-0719.patch ++++++ >From c8f4979ebf1a701e2222661556b3e735b99b3341 Mon Sep 17 00:00:00 2001 From: Mike Gorse <[email protected]> Date: Thu, 8 Jan 2026 16:19:37 -0600 Subject: [PATCH] soup-auth-ntlm: Use unsigned ints for byte counts in md4sum Otherwise, the variables could overflow if the password is long enough, leading to an out-of-bounds memory access. This is CVE-2026-0719. Closes #477. --- libsoup/auth/soup-auth-ntlm.c | 13 ++++--- tests/ntlm-test.c | 64 +++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 5 deletions(-) diff --git a/libsoup/auth/soup-auth-ntlm.c b/libsoup/auth/soup-auth-ntlm.c index 7108a32c3..ef26ff40a 100644 --- a/libsoup/auth/soup-auth-ntlm.c +++ b/libsoup/auth/soup-auth-ntlm.c @@ -604,7 +604,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class) } static void md4sum (const unsigned char *in, - int nbytes, + size_t nbytes, unsigned char digest[16]); typedef guint32 DES_KS[16][2]; /* Single-key DES key schedule */ @@ -650,7 +650,7 @@ soup_ntlm_nt_hash (const char *password, guchar hash[21]) { unsigned char *buf, *p; - p = buf = g_malloc (strlen (password) * 2); + p = buf = g_malloc_n (strlen (password), 2); while (*password) { *p++ = *password++; @@ -1092,15 +1092,16 @@ calc_response (const guchar *key, const guchar *plaintext, guchar *results) #define ROT(val, n) ( ((val) << (n)) | ((val) >> (32 - (n))) ) static void -md4sum (const unsigned char *in, int nbytes, unsigned char digest[16]) +md4sum (const unsigned char *in, size_t nbytes, unsigned char digest[16]) { unsigned char *M; guint32 A, B, C, D, AA, BB, CC, DD, X[16]; - int pbytes, nbits = nbytes * 8, i, j; + size_t pbytes, nbits = nbytes * 8; + int i, j; /* There is *always* padding of at least one bit. */ pbytes = ((119 - (nbytes % 64)) % 64) + 1; - M = alloca (nbytes + pbytes + 8); + M = g_malloc (nbytes + pbytes + 8); memcpy (M, in, nbytes); memset (M + nbytes, 0, pbytes + 8); M[nbytes] = 0x80; @@ -1200,6 +1201,8 @@ md4sum (const unsigned char *in, int nbytes, unsigned char digest[16]) digest[13] = (D >> 8) & 0xFF; digest[14] = (D >> 16) & 0xFF; digest[15] = (D >> 24) & 0xFF; + + g_free (M); } diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c index a92a21c8c..5080f8e61 100644 --- a/tests/ntlm-test.c +++ b/tests/ntlm-test.c @@ -714,6 +714,67 @@ do_retrying_test (TestServer *ts, soup_test_session_abort_unref (session); } +static gboolean +long_password_test_authenticate (SoupMessage *msg, + SoupAuth *auth, + gboolean retrying, + gpointer user) +{ + size_t l = 2147483647; + char *password; + char tmp[10000]; + size_t i; + + password = (char *)g_malloc (l); + + for (i = 0; i < 10000; i++) { + tmp[i] = 'A'; + } + for (i = 0; i < l/10000; i++) { + memcpy (password + i * 10000, tmp, 10000); + } + memcpy (password + l - 1 - 10000, tmp, 10000); + + soup_auth_authenticate (auth, "alice", password); + + g_free (password); + return TRUE; +} + +static void +do_long_password_test (TestServer *ts, + gconstpointer data) +{ + SoupSession *session; + SoupMessage *msg; + GUri *uri; + GBytes *body; + +#ifndef __SANITIZE_ADDRESS__ + g_test_skip ("Slow, allocates a large amount of memory, and needs asan"); + return; +#endif + + session = soup_test_session_new (NULL); + soup_session_add_feature_by_type (session, SOUP_TYPE_AUTH_NTLM); + soup_session_set_proxy_resolver(session, NULL); + + uri = g_uri_parse_relative (ts->uri, "/alice", SOUP_HTTP_URI_FLAGS, NULL); + msg = soup_message_new_from_uri ("GET", uri); + g_signal_connect (msg, "authenticate", + G_CALLBACK (long_password_test_authenticate), NULL); + g_uri_unref (uri); + + body = soup_session_send_and_read (session, msg, NULL, NULL); + + soup_test_assert_message_status (msg, SOUP_STATUS_OK); + + g_bytes_unref (body); + g_object_unref (msg); + + soup_test_session_abort_unref (session); +} + int main (int argc, char **argv) { @@ -737,6 +798,9 @@ main (int argc, char **argv) g_test_add ("/ntlm/retry", TestServer, NULL, setup_server, do_retrying_test, teardown_server); + g_test_add ("/ntlm/long-password", TestServer, NULL, + setup_server, do_long_password_test, teardown_server); + ret = g_test_run (); test_cleanup (); -- GitLab
