Debian Patches

Status for libsoup2.4/2.72.0-2+deb11u1

Patch Description Author Forwarded Bugs Origin Last update
skip-tls_interaction-test.patch skip tls_interaction test
This test is too unreliable on Debian architectures
and this package is too critical to not get timely updates

[smcv: Allow running it anyway, by setting an environment variable]
Jeremy Bicha <jbicha@ubuntu.com> yes upstream 2018-10-08
tests-Skip-tests-if-unable-to-start-Apache.patch tests: Skip tests if unable to start Apache
This is a workaround for Apache not always being able to bind to its
hard-coded ports, which happens often enough to be a problem for Debian
QA infrastructure, but not often enough to be able to debug it.
Simon McVittie <smcv@debian.org> yes 2020-03-11
gitlab_tests_fix.patch tests: fix SSL test with glib-networking >= 2.65.90
To make SSL tests fail with our testing certificate we create and empty
GTlsDatabase passing /dev/null to g_tls_file_database_new(). This no
longer works with newer glib-networking, since an empty file is
considered an error by gnutls and
g_tls_file_database_gnutls_populate_trust_list() now handles gnutls
errors properly. Instead, we can just use the system CA file that won't
contain our testing certificate for sure.
Carlos Garcia Campos <cgarcia@igalia.com> yes debian upstream 2020-09-09
tests-ensure-we-use-an-absolute-path-for-apache-server-ro.patch tests: ensure we use an absolute path for apache server root parameter

For some reason apache silently fails now if a relative path is passed.
Carlos Garcia Campos <cgarcia@igalia.com> no upstream, 2.72.1, commit:8088ba659b6984d4502315ff7173080a9711c8e5 2020-09-07
CVE-2024-52530.patch headers: Strictly don't allow NUL bytes
In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.

(cherry picked from commit 04df03bc092ac20607f3e150936624d4f536e68b)
Patrick Griffis <pgriffis@igalia.com> no 2024-07-08
CVE-2024-52531-2.patch headers: Be more robust against invalid input when parsing params
If you pass invalid input to a function such as soup_header_parse_param_list_strict()
it can cause an overflow if it decodes the input to UTF-8.

This should never happen with valid UTF-8 input which libsoup's client API
ensures, however it's server API does not currently.

(cherry picked from commit a35222dd0bfab2ac97c10e86b95f762456628283)

LTS note: We skip upstream commit 3c540336 for LTS because we have older GLib.
<https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407#note_2274396>
says that we shouldn't need it, and we have a test case to confirm the
vulnerability is fixed without it.
Patrick Griffis <pgriffis@igalia.com> no 2024-08-27
CVE-2024-52531-3.patch tests: Add test for passing invalid UTF-8 to soup_header_parse_semi_param_list()

(cherry picked from commit 825fda3425546847b42ad5270544e9388ff349fe)
Patrick Griffis <pgriffis@igalia.com> no 2024-08-27
CVE-2024-52532-1.patch websocket: process the frame as soon as we read data
Otherwise we can enter in a read loop because we were not
validating the data until the all the data was read.

Fixes #391

(cherry picked from commit 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be)
Ignacio Casal Quinteiro <qignacio@amazon.com> no 2024-09-11
CVE-2024-52532-2.patch websocket-test: disconnect error copy after the test ends
Otherwise the server will have already sent a few more wrong
bytes and the client will continue getting errors to copy
but the error is already != NULL and it will assert

(cherry picked from commit 29b96fab2512666d7241e46c98cc45b60b795c0c)
Ignacio Casal Quinteiro <qignacio@amazon.com> no 2024-10-02
CVE-2024-52532-3.patch websocket-test: Disconnect error signal in another place
This is the same change as commit 29b96fab "websocket-test: disconnect
error copy after the test ends", and is done for the same reason, but
replicating it into a different function.

(cherry picked from commit 4c9e75c6676a37b6485620c332e568e1a3f530ff)
Simon McVittie <smcv@debian.org> no 2024-11-13

All known versions for source package 'libsoup2.4'

Links