Bug#1109142: unblock: libsoup3/3.6.5-2
On Sat, 12 Jul 2025 at 13:21:05 +0100, Simon McVittie wrote:
[x] attach debdiff against the package in testing
Sigh, of course I constructed this but failed to attach it. Now attached.
smcv
debdiff libsoup3_3.6.5-{1,2}.dsc | filterdiff -p1 -x'debian/patches/*.patch' -x'debian/patches/debian/*.patch'
diff -Nru libsoup3-3.6.5/debian/changelog libsoup3-3.6.5/debian/changelog
--- libsoup3-3.6.5/debian/changelog 2025-03-21 21:04:16.0 +
+++ libsoup3-3.6.5/debian/changelog 2025-07-12 09:52:52.0 +0100
@@ -1,3 +1,76 @@
+libsoup3 (3.6.5-2) unstable; urgency=medium
+
+ * Team upload
+ * d/patches: Re-export patch series (no functional changes)
+ * d/p/multipart-Fix-read-out-of-buffer-bounds-under-soup_multip.patch:
+Add patch from upstream git to fix multipart message parsing.
+Previously this could read outside the buffer.
+This change isn't on upstream's 3.6.x branch yet, so take it from
+3.7.x. Test coverage is included.
+(CVE-2025-32914, Closes: #1103267)
+ * d/p/soup-server-http2-Check-validity-of-the-constructed-conne.patch,
+d/p/soup-server-http2-Correct-check-of-the-validity-of-the-co.patch:
+Add patch from upstream git to fix denial of service in HTTP/2 server.
+The original change does not seem to have been fully correct; a
+follow-up fix for it is also included.
+(CVE-2025-32908, Closes: #1103265)
+ * d/p/auth-digest-fix-crash-in-soup_auth_digest_get_protection_.patch:
+Add patch from upstream git to fix denial of service (a crash)
+if a libsoup client is connected to a malicious server.
+(CVE-2025-4476, Closes: #1105887)
+ * d/p/soup-message-headers-Correct-merge-of-ranges.patch,
+d/p/server-mem-limit-test-Limit-memory-usage-only-when-not-bu.patch:
+Add patch from upstream git fixing server-side DoS in Range requests,
+with a follow-up patch to make the newly added test work when compiled
+with AddressSanitizer.
+(CVE-2025-32907, Closes: #1103264)
+ * d/p/soup-multipart-Verify-boundary-limits-for-multipart-body.patch:
+Add patch from upstream git fixing denial of service with crafted
+multipart body.
+(CVE-2025-4948, Closes: #1106204)
+ * d/p/soup-multipart-Verify-array-bounds-before-accessing-its-m.patch:
+Add patch from upstream git fixing another denial of service with
+crafted multipart body.
+(CVE-2025-4969, Closes: #1106248)
+ * d/p/soup-date-utils-Add-value-checks-for-date-time-parsing.patch,
+d/p/tests-Add-tests-for-date-time-including-timezone-validati.patch:
+Add patch from upstream git fixing date/time validation, and expand
+test coverage for this area.
+(CVE-2025-4945, Closes: #1106205)
+ * d/p/soup-form-Fix-a-possible-memory-leak-in-soup_form_decode_.patch:
+Add patch from upstream git fixing some memory leaks
+ * d/p/websocket-test-Fix-two-memory-leaks.patch,
+d/p/misc-test-Fix-two-memory-leaks.patch,
+d/p/http2-test-Fix-several-memory-leaks.patch,
+d/p/range-test-Fix-a-memory-leak.patch:
+Add patches from upstream git fixing some memory leaks in tests.
+These are certainly not denial-of-service issues, but it makes "real"
+memory leaks harder to detect if there are benign memory leaks in
+the test code.
+ * d/p/test-utils-flush-stdout-after-printing.patch:
+Add patch from upstream git to improve test logging.
+This does not change production code, and should make it somewhat
+less difficult to diagnose the root cause of test failures.
+(Maybe helps: #1035983, #1109107, #1109108, #1109120)
+ * d/p/test-utils-fix-deadlock-in-add_listener_in_thread.patch:
+Add patch from upstream git to fix a deadlock during testing.
+This hopefully addresses one of the many sources of low-probability test
+failures that add up to a noticeable probability of the test suite
+as a whole failing (see also #1035983). (Closes: #1109120)
+ * d/p/tests-Treat-multithread-test-as-an-Apache-test.patch:
+Add patch to treat multithread-test like other Apache-based tests,
+so that it will not be run in parallel with others.
+(Maybe helps: #1035983)
+ * d/rules: Capture test output into the buildd log, even if successful.
+If we don't have the output from successful test logs, it's more
+difficult to assess whether workarounds have helped, because we won't
+see whether the situation needing the workaround was ever triggered.
+ * d/p/debian/docs-Remove-remotely-accessed-logo.patch:
+Remove remote logo references from local documentation, improving privacy
+and fixing a Lintian warning
+
+ -- Simon McVittie Sat, 12 Jul 2025 09:52:52 +0100
+
libsoup3 (3.6.5-1) unstable; urgency=high
* New upstream release
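Review bot: the d/p/soup-form-Fix-a-possible-memory-leak-in-soup_form_decode_.patch item is the only production-code change in this changelog entry with neither a CVE nor a bug number, and unlike the other items it ends without a closing reference; say which leak it fixes and cite the upstream commit so the release team (and a later bookworm backport) can verify it against the same source the other cherry-picks came from. Also, as shown here the trailer line `-- Simon McVittie Sat, 12 Jul 2025 09:52:52 +0100` lacks the `<email>` part that the changelog format requires for the entry to parse; if that is only an artifact of how the diff was pasted into the mail, ignore this.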
diff -Nru libsoup3-3.6.5/debian/patches/series libsoup3-3.6.5/debian/patches/series
--- libsoup3-3.6.5/debian/patches/series 2025-03-21 21:04:16.0 +
+++ libsoup3-3.6.5/debian/patches/series 2025-07-12 09:52:52.0 +0100
@@ -2,3 +2,22 @@
Record-Apac
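Review bot: the series hunk is cut off after `Record-Apac`, so none of the 19 added patch names announced by `@@ -2,3 +2,22 @@` are visible, and the patch bodies themselves were filtered out by the `-x'debian/patches/*.patch'` arguments of the debdiff command above. That leaves the one thing this debdiff could be checked for, the ordering of the series (the changelog states that each regression fix, e.g. the second soup-server-http2 patch and the server-mem-limit-test patch, follows immediately after the change it corrects), unverifiable here; please re-attach the complete series hunk so the ordering can be reviewed.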
Bug#1109142: unblock: libsoup3/3.6.5-2
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], [email protected], [email protected], [email protected]
Control: affects -1 + src:libsoup3
User: [email protected]
Usertags: unblock

Please unblock package libsoup3

[ Reason ]
Fix a bunch of no-dsa CVEs that have not yet been fixed in any upstream release, in preparation for maybe backporting their fixes to bookworm later.

[ Impact ]
The most serious impact is that if not fixed, there are several denial of service issues which can crash applications that use libsoup3 as a http client (notably epiphany-browser, aka GNOME Web). (CVE-2025-4476, CVE-2025-32914?, CVE-2025-4948?, CVE-2025-4969?, CVE-2025-4945?, and some memory leaks with no CVE associated.)

A secondary impact is that there are several more denial of service issues which can crash applications that use libsoup3 as a http *server* (CVE-2025-32908, plus all of the above except for CVE-2025-4476). A mitigation for these issues is that upstream does not recommend exposing SoupServer to untrusted networks (see #1109118) and if application developers and users have followed this advice, these issues would not be practically exploitable.

A sufficiently creative attacker might possibly be able to use out-of-bounds accesses to get a worse impact, but I am not aware of ways to make this happen.

I also included some changes to improve logging and reduce parallelism in the (flaky) test suite, in the hope that it will help to make the test suite more stable.

[ Tests ]
Manual tests:
- ran epiphany-browser (GNOME Web) and used it to browse debian.org;
- deleted ~/.cache/gnome-calculator and ran gnome-calculator, causing it to download currency conversion rate data (successfully)

Automated tests: build-time tests (sbuild+unshare in a qemu VM on my laptop) and autopkgtest (in a qemu VM on my laptop) were successful. I expect that they will need some retries on official Debian infrastructure because of pre-existing instability in the test suite.

Some of the CVE fixes include new automated test coverage, which passed. I have not attempted to test the CVE fixes manually.

[ Risks ]
libsoup3 is a key package in our default desktop environment. I am not an expert on libsoup (and you will notice that my name intentionally does not appear in Uploaders), only a GNOME team member trying my best to keep our distro working. As a result I do not have a deep understanding of the finer points of http or the quirks of this particular codebase: I have done my best, but I might have made mistakes.

The patches to the production code in this update were all straightforward cherry-picks from upstream git master, with no conflict resolution required. I only took CVE fixes and obviously-valid memleak fixes, excluding upstream merge requests that have not yet been accepted (even if they are aiming to fix other similar CVEs).

Some of the upstream changes had known regressions, so I have tried to identify and include the relevant regression fixes as the very next thing in the patch series alongside the change that they are fixing. It is possible that there are unfixed regressions, or regression fixes that I didn't spot. If there are, applying regression fixes or reverting patches should be straightforward.

The non-upstream changes in this update only touch the test suite and documentation, and are straightforward/obvious changes. I can revert them if required.

Unfortunately the libsoup test suite is known to be flaky in several ways, so it might require some retries to herd it through the official Debian infrastructure. We still run it, because it's better than nothing and in particular is our only opportunity to detect RC regressions on platforms that have few users (especially big-endian or 32-bit), but we cannot expect it to go completely smoothly.

One root cause for test suite instability is that the scaffolding for testing against an Apache server sometimes fails startup for unknown reasons (see #1035983). As far as I can see, disabling the affected tests or ignoring their failures would result in a significant loss of test coverage, so we have been reluctant to do that.

I've opened #1109107 and #1109108 for some more known failure modes that are orthogonal to that one and would benefit from being investigated separately.

All of these are intermittent and individually rare, making them frustrating to debug, but there are enough test-cases that the cumulative effect of several rare failure modes adds up to a common failure for the test suite as a whole. I am sorry that I do not have a solution for these issues, but this update shouldn't make them any worse, so it seems like a net positive for Debian 13 (and I know that isn't ideal but it's the best I have been able to do).

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them

