Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsoup2 for openSUSE:Factory checked in at 2026-02-16 13:23:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsoup2 (Old) and /work/SRC/openSUSE:Factory/.libsoup2.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsoup2" Mon Feb 16 13:23:08 2026 rev:20 rq:1333049 version:2.74.3 Changes: -------- --- /work/SRC/openSUSE:Factory/libsoup2/libsoup2.changes 2026-02-10 21:11:55.678319605 +0100 +++ /work/SRC/openSUSE:Factory/.libsoup2.new.1977/libsoup2.changes 2026-02-16 13:23:33.177629156 +0100 @@ -1,0 +2,11 @@ +Sat Feb 14 13:39:29 UTC 2026 - Michael Gorse <[email protected]> + +- Add more CVE fixes: + + libsoup2-CVE-2025-32049.patch (bsc#1240751 CVE-2025-32049 + glgo#GNOME/libsoup#390) + + libsoup2-CVE-2026-2443.patch (bsc#1258170 CVE-2026-2443 + glgo#GNOME/libsoup#487) + + libsoup2-CVE-2026-2369.patch (bsc#1258120 CVE-2026-2369 + glgo#GNOME/libsoup!508) + +------------------------------------------------------------------- New: ---- libsoup2-CVE-2025-32049.patch libsoup2-CVE-2026-2369.patch libsoup2-CVE-2026-2443.patch ----------(New B)---------- New:- Add more CVE fixes: + libsoup2-CVE-2025-32049.patch (bsc#1240751 CVE-2025-32049 glgo#GNOME/libsoup#390) New: glgo#GNOME/libsoup#487) + libsoup2-CVE-2026-2369.patch (bsc#1258120 CVE-2026-2369 glgo#GNOME/libsoup!508) New: glgo#GNOME/libsoup#390) + libsoup2-CVE-2026-2443.patch (bsc#1258170 CVE-2026-2443 glgo#GNOME/libsoup#487) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsoup2.spec ++++++ --- /var/tmp/diff_new_pack.JqN5CT/_old 2026-02-16 13:23:34.145669426 +0100 +++ /var/tmp/diff_new_pack.JqN5CT/_new 2026-02-16 13:23:34.145669426 +0100 
@@ -90,6 +90,12 @@
 Patch31: libsoup2-CVE-2026-0716.patch
 # PATCH-FIX-UPSTREAM libsoup2-CVE-2025-4476.patch boo#1243422 [email protected] -- fix crash in soup_auth_digest_get_protection_space.
 Patch32: libsoup2-CVE-2025-4476.patch
+# PATCH-FIX-OPENSUSE libsoup2-CVE-2025-32049.patch bsc#1240751 [email protected] -- add size limit for total message size.
+Patch33: libsoup2-CVE-2025-32049.patch
+# PATCH-FIX-UPSTREAM libsoup2-CVE-2026-2443.patch bsc#1243170 [email protected] -- fix out-of-bounds read when processing range headers.
+Patch34: libsoup2-CVE-2026-2443.patch
+# PATCH-FIX-UPSTREAM libsoup2-CVE-2026-2369.patch bsc#1258120 [email protected] -- handle potential underflow in the content sniffer.
+Patch35: libsoup2-CVE-2026-2369.patch
 BuildRequires: glib-networking
 BuildRequires: meson >= 0.50
++++++ libsoup2-CVE-2025-32049.patch ++++++
>From 6ec7c5be50b48d6ce0a09aa3468f2c5725406a97 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <[email protected]>
Date: Wed, 21 May 2025 10:42:51 -0500
Subject: [PATCH] Add size limit for total message size
This size limit could break applications, but it will close the denial of service issue.
---
 libsoup/soup-websocket-connection.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
index 36524d04..f8764aff 100644
--- a/libsoup/soup-websocket-connection.c
+++ b/libsoup/soup-websocket-connection.c
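Review bot: In the libsoup2.spec hunk, the comment added above Patch34 cites `bsc#1243170`, while the .changes entry in this same submission lists `bsc#1258170` for libsoup2-CVE-2026-2443.patch. One of the two is presumably a typo; the neighbouring CVE-2026-2369 entry is bsc#1258120, which suggests the .changes value is the intended one. If so, the comment should start `# PATCH-FIX-UPSTREAM libsoup2-CVE-2026-2443.patch bsc#1258170`. A consistent bug reference matters to anyone tracing which CVE fixes a given build carries.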
@@ -913,6 +913,11 @@ process_contents (SoupWebsocketConnection *self,
 switch (pv->message_opcode) {
 case 0x01:
 case 0x02:
+ /* Safety valve */
+ if (pv->message_data->len + payload_len > pv->max_incoming_payload_size) {
+ too_big_error_and_close (self, (pv->message_data->len + payload_len));
+ return;
+ }
 g_byte_array_append (pv->message_data, payload, payload_len);
 break;
 default:
-- 2.49.0
++++++ libsoup2-CVE-2026-2369.patch ++++++
diff -urp libsoup-2.74.3.orig/libsoup/soup-content-sniffer.c libsoup-2.74.3/libsoup/soup-content-sniffer.c
--- libsoup-2.74.3.orig/libsoup/soup-content-sniffer.c 2022-10-11 13:27:22.000000000 -0500
+++ libsoup-2.74.3/libsoup/soup-content-sniffer.c 2026-02-14 07:38:14.229419082 -0600
@@ -499,6 +499,10 @@ sniff_unknown (SoupContentSniffer *sniff
 if (!sniff_scriptable && type_row->scriptable)
 continue;
+ /* Ensure we have data to sniff - prevents underflow in resource_length - 1 */
+ if (resource_length == 0)
+ continue;
+
 if (type_row->has_ws) {
 guint index_stream = 0;
 guint index_pattern = 0;
++++++ libsoup2-CVE-2026-2443.patch ++++++
diff -urp libsoup-3.6.5.orig/libsoup/soup-message-headers.c libsoup-3.6.5/libsoup/soup-message-headers.c
--- libsoup-3.6.5.orig/libsoup/soup-message-headers.c 2026-02-14 04:14:09.575357979 -0600
+++ libsoup-3.6.5/libsoup/soup-message-headers.c 2026-02-14 04:17:20.278921604 -0600
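Review bot: The new size check in process_contents compares against `pv->max_incoming_payload_size` without first testing that a limit is set. If 0 still means "no limit" for this property, as the libsoup documentation for max-incoming-payload-size describes, every text or binary frame would be rejected as too big on a connection that disabled the limit. The guard could read `if (pv->max_incoming_payload_size > 0 && pv->message_data->len + payload_len > pv->max_incoming_payload_size) {`. The commit message already warns that the limit may break applications, so a short comment saying that the per-frame limit is reused as the whole-message limit would help callers who tuned it for single frames. process_contents starts and ends outside this hunk.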
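Review bot: In sniff_unknown, the `resource_length == 0` guard does not depend on `type_row`, yet it sits inside the per-row body, so an empty resource still visits every table row only to `continue`. Assuming `resource_length` is not modified inside the loop (the loop header and the `resource_length - 1` expression the comment refers to are outside this hunk), the intent would be clearer as a single check before the loop, or placed directly next to the subtraction it protects. The comment could also state why the subtraction is dangerous, e.g. `/* resource_length is unsigned, so resource_length - 1 wraps when it is 0 */`, if the variable is indeed an unsigned type.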
@@ -1176,10 +1176,16 @@ sort_ranges (gconstpointer a, gconstpoin
 }
 /* like soup_message_headers_get_ranges(), except it returns:
- * SOUP_STATUS_OK if there is no Range or it should be ignored.
- * SOUP_STATUS_PARTIAL_CONTENT if there is at least one satisfiable range.
- * SOUP_STATUS_REQUESTED_RANGE_NOT_SATISFIABLE if @check_satisfiable
- * is %TRUE and the request is not satisfiable given @total_length.
+ * - SOUP_STATUS_OK if there is no Range or it should be ignored due to being
+ * entirely invalid.
+ * - SOUP_STATUS_PARTIAL_CONTENT if there is at least one satisfiable range.
+ * - SOUP_STATUS_REQUESTED_RANGE_NOT_SATISFIABLE if @check_satisfiable
+ * is %TRUE, the Range is valid, but no part of the request is satisfiable
+ * given @total_length.
+ *
+ * @ranges and @length are only set if SOUP_STATUS_PARTIAL_CONTENT is returned.
+ *
+ * See https://httpwg.org/specs/rfc9110.html#field.range
 */
 guint
 soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs,
@@ -1193,22 +1199,28 @@ soup_message_headers_get_ranges_internal
 GArray *array;
 char *spec, *end;
 guint status = SOUP_STATUS_OK;
+ gboolean is_all_valid = TRUE;
 if (!range || strncmp (range, "bytes", 5) != 0)
- return status;
+ return SOUP_STATUS_OK; /* invalid header or unknown range unit */
 range += 5;
 while (g_ascii_isspace (*range))
 range++;
 if (*range++ != '=')
- return status;
+ return SOUP_STATUS_OK; /* invalid header */
 while (g_ascii_isspace (*range))
 range++;
 range_list = soup_header_parse_list (range);
 if (!range_list)
- return status;
+ return SOUP_STATUS_OK; /* invalid list */
+ /* Loop through the ranges and modify the status accordingly. Default to
+ * status 200 (OK, ignoring the ranges). Switch to status 206 (Partial
+ * Content) if there is at least one partially valid range. Switch to
+ * status 416 (Range Not Satisfiable) if there are no partially valid
+ * ranges at all. */
 array = g_array_new (FALSE, FALSE, sizeof (SoupRange));
 for (r = range_list; r; r = r->next) {
 SoupRange cur;
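Review bot: The new loop comment says the status switches to 416 "if there are no partially valid ranges at all", which blurs validity with satisfiability and omits two conditions the code in the following hunk applies: 416 is returned only when `check_satisfiable` is set and `is_all_valid` is still TRUE. The function header comment rewritten in the previous hunk states this correctly, so the two now disagree. I would end the comment with `Switch to status 416 (Range Not Satisfiable) only if @check_satisfiable is %TRUE, every range parsed as valid, and none was satisfiable.` and say "at least partially satisfiable" rather than "partially valid" for the 206 case. The function body starts before and continues after this hunk.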
@@ -1221,30 +1233,44 @@ soup_message_headers_get_ranges_internal
 cur.start = g_ascii_strtoull (spec, &end, 10);
 if (*end == '-')
 end++;
- if (*end) {
+ if (*end)
 cur.end = g_ascii_strtoull (end, &end, 10);
- if (cur.end < cur.start) {
- status = SOUP_STATUS_OK;
- break;
- }
- } else
+ else
 cur.end = total_length - 1;
 }
+
 if (*end) {
- status = SOUP_STATUS_OK;
- break;
- } else if (check_satisfiable && cur.start >= total_length) {
- if (status == SOUP_STATUS_OK)
- status = SOUP_STATUS_REQUESTED_RANGE_NOT_SATISFIABLE;
+ /* Junk after the range */
+ is_all_valid = FALSE;
+ continue;
+ }
+
+ if (cur.end < cur.start) {
+ is_all_valid = FALSE;
 continue;
 }
+ g_assert (cur.start >= 0);
+ if (cur.end >= total_length)
+ cur.end = total_length - 1;
+
+ if (cur.start >= total_length) {
+ /* Range is valid, but unsatisfiable */
+ continue;
+ }
+
+ /* We have at least one (at least partially) satisfiable range */
 g_array_append_val (array, cur);
 status = SOUP_STATUS_PARTIAL_CONTENT;
 }
 soup_header_free_list (range_list);
 if (status != SOUP_STATUS_PARTIAL_CONTENT) {
+ g_assert (status == SOUP_STATUS_OK);
+
+ if (is_all_valid && check_satisfiable)
+ status = SOUP_STATUS_REQUESTED_RANGE_NOT_SATISFIABLE;
+
 g_array_free (array, TRUE);
 return status;
 }
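Review bot: `g_assert (cur.start >= 0)` is applied to a value parsed from the request's Range header, so it acts as input validation rather than as an internal invariant. If `cur.start` is a signed offset, as the assertion suggests, an out-of-range result from `g_ascii_strtoull` or a negative start computed by the suffix-range branch outside this hunk would abort the process instead of being rejected, and the check vanishes in builds that define G_DISABLE_ASSERT. An explicit branch is safer, for example `if (cur.start < 0) { is_all_valid = FALSE; continue; }`, or a clamp to 0 if that value can come from a suffix range longer than the body. The later `g_assert (status == SOUP_STATUS_OK)` is a true invariant of the loop and can stay. The function and the start of the loop body are outside this hunk.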
