[AutoPR- Security] Patch libsoup for CVE-2026-0716, CVE-2026-2443 [MEDIUM] (#15878)

Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>

Author: azurelinux-security

SPECS/libsoup/CVE-2025-32907.patch

@@ -144,9 +144,9 @@ index 00000000..98f1c40f
 +	return;
 +	#endif
 +
-+	range = g_string_sized_new (99 * 1024);
++	range = g_string_sized_new (60 * 1024);
 +	g_string_append (range, "bytes=1024");
-+	while (range->len < 99 * 1024)
++	while (range->len < 60 * 1024)
 +		g_string_append (range, chunk);
 +
 +	session = soup_test_session_new (NULL);

SPECS/libsoup/CVE-2026-0716.patch

@@ -0,0 +1,102 @@
+From cdb82443caf077486dfefa7db3057bd571e392c6 Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Mon, 2 Feb 2026 10:46:00 -0600
+Subject: [PATCH] websocket: Fix out-of-bounds read in process_frame
+
+If the maximum incoming payload size is unset, then a malicious frame could
+cause an overflow when calculating the needed amount of data, leading to an
+out-of-bounds read later.
+
+This is CVE-2026-0716.
+
+Closes #476
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/494.patch
+---
+ libsoup/websocket/soup-websocket-connection.c |  6 +++
+ tests/websocket-test.c                        | 44 +++++++++++++++++++
+ 2 files changed, 50 insertions(+)
+
+diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
+index a185b5f..066720e 100644
+--- a/libsoup/websocket/soup-websocket-connection.c
++++ b/libsoup/websocket/soup-websocket-connection.c
+@@ -1115,6 +1115,12 @@ process_frame (SoupWebsocketConnection *self)
+ 		payload += 4;
+ 		at += 4;
+ 
++		/* at has a maximum value of 10 + 4 = 14 */
++		if (payload_len > G_MAXSIZE - 14) {
++			bad_data_error_and_close (self);
++			return FALSE;
++		}
++
+ 		if (len < at + payload_len)
+ 			return FALSE; /* need more data */
+ 
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 2dcbcb3..62a6850 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -2244,6 +2244,41 @@ test_connection_error (void)
+ 	soup_test_session_abort_unref (session);
+ }
+ 
++static void
++test_cve_2026_0716 (Test *test,
++                    gconstpointer unused)
++{
++	GError *error = NULL;
++	GIOStream *io;
++	gsize written;
++	const char *frame;
++	gboolean close_event = FALSE;
++
++	g_signal_handlers_disconnect_by_func (test->server, on_error_not_reached, NULL);
++	g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
++	g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++	io = soup_websocket_connection_get_io_stream (test->client);
++
++	soup_websocket_connection_set_max_incoming_payload_size (test->server, 0);
++
++	// Malicious masked frame header (10-byte header + 4-byte mask) */
++	frame = "\x82\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xaa\xbb\xcc\xdd";
++	if (!g_output_stream_write_all (g_io_stream_get_output_stream (io),
++					frame, 14, &written, NULL, NULL))
++		g_assert_cmpstr ("This code", ==, "should not be reached");
++	g_assert_cmpuint (written, ==, 14);
++
++	WAIT_UNTIL (error != NULL);
++	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
++	g_clear_error (&error);
++
++	WAIT_UNTIL (soup_websocket_connection_get_state (test->client) == SOUP_WEBSOCKET_STATE_CLOSED);
++	g_assert_true (close_event);
++
++	g_assert_cmpuint (soup_websocket_connection_get_close_code (test->client), ==, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
++}
++
+ int
+ main (int argc,
+       char *argv[])
+@@ -2521,6 +2556,15 @@ main (int argc,
+ 
+ 	g_test_add_func ("/websocket/soup/connection-error", test_connection_error);
+ 
++	g_test_add ("/websocket/direct/cve-2026-0716", Test, NULL,
++		    setup_direct_connection,
++		    test_cve_2026_0716,
++		    teardown_direct_connection);
++	g_test_add ("/websocket/soup/cve-2026-0716", Test, NULL,
++		    setup_soup_connection,
++		    test_cve_2026_0716,
++		    teardown_soup_connection);
++
+ 	ret = g_test_run ();
+ 
+ 	test_cleanup ();
+-- 
+2.45.4
+

SPECS/libsoup/CVE-2026-1536.patch

@@ -29,9 +29,9 @@ Upstream Patch Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_request
  libsoup/soup-multipart.c                      |   4 +-
  libsoup/soup-session.c                        |   4 +-
  libsoup/websocket/soup-websocket.c            |  28 +-
- tests/header-parsing-test.c                   | 257 +++++++++++++-----
+ tests/header-parsing-test.c                   | 252 +++++++++++++-----
  tests/http2-test.c                            |   4 +-
- 20 files changed, 317 insertions(+), 160 deletions(-)
+ 20 files changed, 311 insertions(+), 161 deletions(-)
 
 diff --git a/libsoup/auth/soup-auth-manager.c b/libsoup/auth/soup-auth-manager.c
 index 402967d..1800190 100644
@@ -535,7 +535,7 @@ index 27257e4..c75b4da 100644
 
  	g_ptr_array_add (multipart->headers, headers);
 diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
-index 9f00b05..0017cdb 100644
+index 649902f..4bca2a4 100644
 --- a/libsoup/soup-session.c
 +++ b/libsoup/soup-session.c
 @@ -1386,10 +1386,10 @@ soup_session_send_queue_item (SoupSession *session,
@@ -651,7 +651,7 @@ index 64e66fd..9863e94 100644
  				soup_message_headers_remove_common (response_headers,
                                                                      SOUP_HEADER_SEC_WEBSOCKET_EXTENSIONS);
 diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
-index 5e423d2..e81d3b7 100644
+index 5e423d2..838baa6 100644
 --- a/tests/header-parsing-test.c
 +++ b/tests/header-parsing-test.c
 @@ -15,6 +15,7 @@ static struct RequestTest {
@@ -1038,7 +1038,7 @@ index 5e423d2..e81d3b7 100644
  	},
 
  	// https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
-@@ -437,15 +438,42 @@ static struct RequestTest {
+@@ -437,15 +438,35 @@ static struct RequestTest {
  	  "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
  	  SOUP_STATUS_BAD_REQUEST,
  	  NULL, NULL, -1,
@@ -1051,39 +1051,33 @@ index 5e423d2..e81d3b7 100644
  	  SOUP_STATUS_BAD_REQUEST,
             NULL, NULL, -1,
 -	  { { NULL } }
+-	}
 +	  { { NULL } }, 0
- 	}
++	},
 +
-+	{ "Only newlines", NULL,
-+          only_newlines, sizeof (only_newlines),
-+          SOUP_STATUS_BAD_REQUEST,
-+            NULL, NULL, -1,
-+         { { NULL } }, 0
-+       },
++	{ "Duplicate Host headers",
++	  "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
++	  "GET / HTTP/1.1\r\nHost: example.com\r\nHost: example.org\r\n",
++	  -1,
++	  SOUP_STATUS_BAD_REQUEST,
++	  NULL, NULL, -1,
++	  { { NULL } },
++	  G_LOG_LEVEL_WARNING
++	},
 +
-+       { "Duplicate Host headers",
-+         "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
-+         "GET / HTTP/1.1\r\nHost: example.com\r\nHost: example.org\r\n",
-+         -1,
-+         SOUP_STATUS_BAD_REQUEST,
-+         NULL, NULL, -1,
-+         { { NULL } },
-+         G_LOG_LEVEL_WARNING
-+       },
-+
-+       { "Duplicate Host headers, case insensitive",
-+         "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
-+         "GET / HTTP/1.1\r\nHost: example.com\r\nhost: example.org\r\n",
-+         -1,
-+         SOUP_STATUS_BAD_REQUEST,
-+         NULL, NULL, -1,
-+         { { NULL } },
-+         G_LOG_LEVEL_WARNING
-+        }
++	{ "Duplicate Host headers, case insensitive",
++	  "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
++	  "GET / HTTP/1.1\r\nHost: example.com\r\nhost: example.org\r\n",
++	  -1,
++	  SOUP_STATUS_BAD_REQUEST,
++	  NULL, NULL, -1,
++	  { { NULL } },
++	  G_LOG_LEVEL_WARNING
++ 	}
  };
  static const int num_reqtests = G_N_ELEMENTS (reqtests);
 
-@@ -892,10 +920,17 @@ do_request_tests (void)
+@@ -892,10 +913,17 @@ do_request_tests (void)
  			len = strlen (reqtests[i].request);
  		else
  			len = reqtests[i].length;
@@ -1101,7 +1095,7 @@ index 5e423d2..e81d3b7 100644
  		if (SOUP_STATUS_IS_SUCCESSFUL (status)) {
  			g_assert_cmpstr (method, ==, reqtests[i].method);
  			g_assert_cmpstr (path, ==, reqtests[i].path);
-@@ -1245,16 +1280,21 @@ do_append_param_tests (void)
+@@ -1245,16 +1273,21 @@ do_append_param_tests (void)
 
  static const struct {
  	const char *description, *name, *value;
@@ -1133,7 +1127,7 @@ index 5e423d2..e81d3b7 100644
  };
 
  static void
-@@ -1264,15 +1304,105 @@ do_bad_header_tests (void)
+@@ -1264,15 +1297,105 @@ do_bad_header_tests (void)
  	int i;
 
  	hdrs = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
@@ -1166,7 +1160,7 @@ index 5e423d2..e81d3b7 100644
 +		soup_message_headers_append (hdrs, bad_header_values[i].name,
 +					     bad_header_values[i].value);
 +                g_test_assert_expected_messages ();
- 	}
++	}
 +
 +        /* soup_message_headers_replace: bad values */
 +        for (i = 0; i < G_N_ELEMENTS (bad_header_values); i++) {
@@ -1177,7 +1171,7 @@ index 5e423d2..e81d3b7 100644
 +		soup_message_headers_replace (hdrs, bad_header_values[i].name,
 +                                              bad_header_values[i].value);
 +                g_test_assert_expected_messages ();
-+	}
+ 	}
 +
 +        /* soup_message_headers_set_content_type: bad values */
 +        for (i = 0; i < G_N_ELEMENTS (bad_header_values); i++) {
@@ -1247,7 +1241,7 @@ index 5e423d2..e81d3b7 100644
  	soup_message_headers_unref (hdrs);
  }
 
-@@ -1291,6 +1421,7 @@ main (int argc, char **argv)
+@@ -1291,6 +1414,7 @@ main (int argc, char **argv)
  	g_test_add_func ("/header-parsing/content-type", do_content_type_tests);
  	g_test_add_func ("/header-parsing/append-param", do_append_param_tests);
  	g_test_add_func ("/header-parsing/bad", do_bad_header_tests);
@@ -1271,5 +1265,5 @@ index 92944d6..6fa63e9 100644
          } else if (strcmp (path, "/invalid-header-rfc9113") == 0) {
                  SoupMessageHeaders *response_headers;
 -- 
-2.45.4
+2.43.0