Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsoup for openSUSE:Factory checked 
in at 2026-02-03 21:26:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libsoup (Old)
 and      /work/SRC/openSUSE:Factory/.libsoup.new.1995 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libsoup"

Tue Feb  3 21:26:28 2026 rev:163 rq:1330729 version:3.6.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/libsoup/libsoup.changes  2026-01-13 
21:23:26.764409060 +0100
+++ /work/SRC/openSUSE:Factory/.libsoup.new.1995/libsoup.changes        
2026-02-03 21:26:46.856743383 +0100
@@ -1,0 +2,10 @@
+Tue Feb  3 01:52:48 UTC 2026 - Jonathan Kang <[email protected]>
+
+- Add libsoup-CVE-2026-1536.patch: Always validate the headers
+  value when coming from untrusted source
+  (bsc#1257440, CVE-2026-1536, glgo#GNOME/libsoup/commit/5c1a2e9c).
+- Add libsoup-CVE-2026-1761.patch: multipart: check length of bytes
+  read soup_filter_input_stream_read_until()
+  (bsc#1257598, CVE-2026-1761, glgo#GNOME/libsoup!496).
+
+-------------------------------------------------------------------

New:
----
  libsoup-CVE-2026-1536.patch
  libsoup-CVE-2026-1761.patch

----------(New B)----------
  New:
- Add libsoup-CVE-2026-1536.patch: Always validate the headers
  value when coming from untrusted source
  New:  (bsc#1257440, CVE-2026-1536, glgo#GNOME/libsoup/commit/5c1a2e9c).
- Add libsoup-CVE-2026-1761.patch: multipart: check length of bytes
  read soup_filter_input_stream_read_until()
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libsoup.spec ++++++
--- /var/tmp/diff_new_pack.OcbPtI/_old  2026-02-03 21:26:47.644776544 +0100
+++ /var/tmp/diff_new_pack.OcbPtI/_new  2026-02-03 21:26:47.648776713 +0100
@@ -1,8 +1,7 @@
 #
 # spec file for package libsoup
 #
-# Copyright (c) 2026 SUSE LLC
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -51,6 +50,10 @@
 Patch10:        libsoup-CVE-2026-0719.patch
 # PATCH-FIX-UPSTREAM libsoup-CVE-2026-0716.patch bsc#1256418, CVE-2026-0716, 
glgo#GNOME/libsoup!494 [email protected] -- Fix out-of-bounds read for 
websocket
 Patch11:        libsoup-CVE-2026-0716.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2026-1536.patch bsc#1257440, CVE-2026-1536, 
glgo#GNOME/libsoup/commit/5c1a2e9c [email protected] -- Always validate the 
headers value when coming from untrusted source
+Patch12:        libsoup-CVE-2026-1536.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2026-1761.patch bsc#1257598, CVE-2026-1761, 
glgo#GNOME/libsoup!496 [email protected] -- multipart: check length of bytes read 
soup_filter_input_stream_read_until()
+Patch13:        libsoup-CVE-2026-1761.patch
 
 BuildRequires:  glib-networking
 BuildRequires:  meson >= 0.53

++++++ libsoup-CVE-2026-1536.patch ++++++
++++ 695 lines (skipped)

++++++ libsoup-CVE-2026-1761.patch ++++++
>From cfa9d90d1a5c274233554a264c56551c13d6a6f0 Mon Sep 17 00:00:00 2001
From: Carlos Garcia Campos <[email protected]>
Date: Mon, 19 Jan 2026 15:14:58 +0100
Subject: [PATCH] multipart: check length of bytes read
 soup_filter_input_stream_read_until()

We do make sure the read length is smaller than the buffer length when
the boundary is not found, but we should do the same when the boundary
is found.

Spotted in #YWH-PGM9867-149
Closes #493
---
 libsoup/soup-filter-input-stream.c |  3 +-
 tests/multipart-test.c             | 46 ++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/libsoup/soup-filter-input-stream.c 
b/libsoup/soup-filter-input-stream.c
index b1e616c7..22541aa0 100644
--- a/libsoup/soup-filter-input-stream.c
+++ b/libsoup/soup-filter-input-stream.c
@@ -337,6 +337,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream  
*fstream,
        if (eof && !*got_boundary)
                read_length = MIN (priv->buf->len, length);
        else
-               read_length = p - buf;
+                read_length = MIN ((gsize)(p - buf), length);
+
        return read_from_buf (fstream, buffer, read_length);
 }
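Review bot: The clamped assignment `read_length = MIN ((gsize)(p - buf), length);` has no comment saying why the boundary-found path needs the same bound as the EOF path, and it is indented with spaces where the neighbouring context lines appear to use tabs. A one-line comment such as `/* Clamp to the caller's buffer size even when the boundary was found */` would keep a later cleanup from dropping the MIN. The cast to gsize also assumes p never precedes buf. That invariant is set up outside this hunk, since the function body starts before it, so it is worth confirming: a negative difference would wrap and silently resolve to `length`.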
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index a39d8aab..7f53898f 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
@@ -548,6 +548,51 @@ test_multipart_bounds_bad_2 (void)
        g_bytes_unref (bytes);
 }
 
+static void
+test_multipart_bounds_bad_3 (void)
+{
+        SoupMessage *msg;
+        SoupMessageHeaders *headers;
+        GInputStream *in;
+        SoupMultipartInputStream *multipart;
+        GError *error = NULL;
+        const char raw_data[] = "\0$--A\r\nContent-Disposition: form-data; 
name=\"f\"\r\n\r\nXXXXXXXXX\r\n--A--\r\n";
+
+        msg = soup_message_new(SOUP_METHOD_POST, "http://foo/upload";);
+        headers = soup_message_get_response_headers (msg);
+        soup_message_headers_replace (headers, "Content-Type", 
"multipart/form-data; boundary=\"A\"");
+
+        in = g_memory_input_stream_new_from_data (raw_data + 2, 
sizeof(raw_data) - 2, NULL);
+        multipart = soup_multipart_input_stream_new (msg, in);
+        g_object_unref (in);
+
+        while (TRUE) {
+                in = soup_multipart_input_stream_next_part (multipart, NULL, 
&error);
+                g_assert_no_error (error);
+                if (!in) {
+                        g_clear_error (&error);
+                        break;
+                }
+
+                char buffer[10];
+                while (TRUE) {
+                        gssize bytes_read;
+
+                        bytes_read = g_input_stream_read (in, buffer, 
sizeof(buffer), NULL, &error);
+                        g_assert_no_error (error);
+                        if (bytes_read <= 0) {
+                                g_clear_error (&error);
+                                break;
+                        }
+                }
+
+                g_object_unref (in);
+        }
+
+        g_object_unref (multipart);
+        g_object_unref (msg);
+}
+
 static void
 test_multipart_too_large (void)
 {
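Review bot: The inner read loop of test_multipart_bounds_bad_3 never compares bytes_read with the size of the 10-byte `buffer`, so the test only checks that no GError is set. On a build without a memory sanitizer it may therefore still pass if the stream hands back more than the buffer holds. Adding `g_assert_cmpint (bytes_read, <=, (gssize) sizeof (buffer));` right after the g_input_stream_read() call would pin the property the fix is meant to guarantee. A short comment on why the stream is created from `raw_data + 2` rather than from the start of the array would also help the next reader.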
@@ -617,6 +662,7 @@ main (int argc, char **argv)
        g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
        g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
        g_test_add_func ("/multipart/bounds-bad-2", 
test_multipart_bounds_bad_2);
+        g_test_add_func ("/multipart/bounds-bad-3", 
test_multipart_bounds_bad_3);
        g_test_add_func ("/multipart/too-large", test_multipart_too_large);
 
        ret = g_test_run ();
-- 
2.52.0
