[AutoPR- Security] Patch libsoup for CVE-2026-0716 [MEDIUM] (#15866)

Author: azurelinux-security

SPECS/libsoup/CVE-2026-0716.patch

@@ -0,0 +1,102 @@
+From dc633990f3750e09fd70583c9c976c9562b475ec Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Mon, 2 Feb 2026 10:46:00 -0600
+Subject: [PATCH] websocket: Fix out-of-bounds read in process_frame
+
+If the maximum incoming payload size is unset, then a malicious frame could
+cause an overflow when calculating the needed amount of data, leading to an
+out-of-bounds read later.
+
+This is CVE-2026-0716.
+
+Closes #476
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494.patch
+---
+ libsoup/websocket/soup-websocket-connection.c |  6 +++
+ tests/websocket-test.c                        | 44 +++++++++++++++++++
+ 2 files changed, 50 insertions(+)
+
+diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
+index ef54ab6..5d14006 100644
+--- a/libsoup/websocket/soup-websocket-connection.c
++++ b/libsoup/websocket/soup-websocket-connection.c
+@@ -1096,6 +1096,12 @@ process_frame (SoupWebsocketConnection *self)
+ 		payload += 4;
+ 		at += 4;
+ 
++		/* at has a maximum value of 10 + 4 = 14 */
++		if (payload_len > G_MAXSIZE - 14) {
++			bad_data_error_and_close (self);
++			return FALSE;
++		}
++
+ 		if (len < at + payload_len)
+ 			return FALSE; /* need more data */
+ 
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index a7fc7e9..bd866d4 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -2170,6 +2170,41 @@ test_connection_error (void)
+ 	soup_test_session_abort_unref (session);
+ }
+ 
++static void
++test_cve_2026_0716 (Test *test,
++                    gconstpointer unused)
++{
++	GError *error = NULL;
++	GIOStream *io;
++	gsize written;
++	const char *frame;
++	gboolean close_event = FALSE;
++
++	g_signal_handlers_disconnect_by_func (test->server, on_error_not_reached, NULL);
++	g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
++	g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++	io = soup_websocket_connection_get_io_stream (test->client);
++
++	soup_websocket_connection_set_max_incoming_payload_size (test->server, 0);
++
++	// Malicious masked frame header (10-byte header + 4-byte mask) */
++	frame = "\x82\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xaa\xbb\xcc\xdd";
++	if (!g_output_stream_write_all (g_io_stream_get_output_stream (io),
++					frame, 14, &written, NULL, NULL))
++		g_assert_cmpstr ("This code", ==, "should not be reached");
++	g_assert_cmpuint (written, ==, 14);
++
++	WAIT_UNTIL (error != NULL);
++	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
++	g_clear_error (&error);
++
++	WAIT_UNTIL (soup_websocket_connection_get_state (test->client) == SOUP_WEBSOCKET_STATE_CLOSED);
++	g_assert_true (close_event);
++
++	g_assert_cmpuint (soup_websocket_connection_get_close_code (test->client), ==, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
++}
++
+ int
+ main (int argc,
+       char *argv[])
+@@ -2441,6 +2476,15 @@ main (int argc,
+ 
+ 	g_test_add_func ("/websocket/soup/connection-error", test_connection_error);
+ 
++	g_test_add ("/websocket/direct/cve-2026-0716", Test, NULL,
++		    setup_direct_connection,
++		    test_cve_2026_0716,
++		    teardown_direct_connection);
++	g_test_add ("/websocket/soup/cve-2026-0716", Test, NULL,
++		    setup_soup_connection,
++		    test_cve_2026_0716,
++		    teardown_soup_connection);
++
+ 	ret = g_test_run ();
+ 
+ 	test_cleanup ();
+-- 
+2.45.4
+

SPECS/libsoup/libsoup.spec

@@ -2,7 +2,7 @@
 Summary:        libsoup HTTP client/server library
 Name:           libsoup
 Version:        %{BaseVersion}.4
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -38,6 +38,7 @@ Patch19:         CVE-2025-4969.patch
 Patch20:         CVE-2025-11021.patch
 Patch21:         CVE-2025-32049.patch
 Patch22:         CVE-2026-1536.patch
+Patch23:         CVE-2026-0716.patch
 
 
 BuildRequires:  meson
@@ -150,6 +151,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %defattr(-,root,root)
 
 %changelog
+* Tue Feb 17 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.0.4-12
+- Patch for CVE-2026-0716
+
 * Thu Feb 12 2026 Jyoti Kanase <v-jykanase@microsoft.com> - 3.0.4-11
 - Patch for CVE-2025-32049, CVE-2025-1536