[AutoPR- Security] Patch libsoup for CVE-2026-2369 [MEDIUM] (#16286)

Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>

Author: azurelinux-security

SPECS/libsoup/CVE-2026-2369.patch

@@ -0,0 +1,31 @@
+From db3f4c30a3436d664763b016613c8ac7d586aadb Mon Sep 17 00:00:00 2001
+From: Samuel Dainard <>
+Date: Wed, 11 Feb 2026 10:19:04 -0600
+Subject: [PATCH] sniffer: Handle potential underflow
+
+Closes #498
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/libsoup/-/commit/af4bde990270b825b7d110a495cc65de9e2ec32f.patch
+---
+ libsoup/content-sniffer/soup-content-sniffer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
+index a5e18d5..594d0bb 100644
+--- a/libsoup/content-sniffer/soup-content-sniffer.c
++++ b/libsoup/content-sniffer/soup-content-sniffer.c
+@@ -524,6 +524,10 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer,
+ 		if (!sniff_scriptable && type_row->scriptable)
+ 			continue;
+ 
++		/* Ensure we have data to sniff - prevents underflow in resource_length - 1 */
++		if (resource_length == 0)
++			continue;
++
+ 		if (type_row->has_ws) {
+ 			guint index_stream = 0;
+ 			guint index_pattern = 0;
+-- 
+2.45.4
+

SPECS/libsoup/libsoup.spec

@@ -4,7 +4,7 @@
 Summary:        libsoup HTTP client/server library
 Name:           libsoup
 Version:        3.4.4
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -77,6 +77,7 @@ Patch27:         CVE-2026-1801.patch
 Patch28:         fix-ssl-test.patch
 Patch29:         CVE-2026-0716.patch
 Patch30:         CVE-2026-2443.patch
+Patch31:         CVE-2026-2369.patch
 
 %description
 libsoup is HTTP client/server library for GNOME
@@ -125,7 +126,7 @@ find %{buildroot} -type f -name "*.la" -delete -print
 
 %check
 %if 0%{?with_check}
-%meson_test
+%meson_test --timeout-multiplier 10
 %endif
 
 %post   -p /sbin/ldconfig
@@ -152,6 +153,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %defattr(-,root,root)
 
 %changelog
+* Wed Mar 25 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4.4-14
+- Patch for CVE-2026-2369
+
 * Tue Feb 17 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4.4-13
 - Patch for CVE-2026-0716, CVE-2026-2443
 - enable ptests and fix ssl-test