diff --git a/SOURCES/chunked-decoding-buffer-overrun-CVE-2017-2885.patch b/SOURCES/chunked-decoding-buffer-overrun-CVE-2017-2885.patch new file mode 100644 index 0000000..87970de --- /dev/null +++ b/SOURCES/chunked-decoding-buffer-overrun-CVE-2017-2885.patch @@ -0,0 +1,57 @@ +From 34d361188adc4b4a81457bcffb14588d84078e79 Mon Sep 17 00:00:00 2001 +From: Dan Winship +Date: Thu, 3 Aug 2017 09:56:43 -0400 +Subject: [PATCH] Fix chunked decoding buffer overrun (CVE-2017-2885) + +https://bugzilla.gnome.org/show_bug.cgi?id=785774 +--- + libsoup/soup-filter-input-stream.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c +index cde4d12..2c30bf9 100644 +--- a/libsoup/soup-filter-input-stream.c ++++ b/libsoup/soup-filter-input-stream.c +@@ -198,7 +198,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream, + GCancellable *cancellable, + GError **error) + { +- gssize nread; ++ gssize nread, read_length; + guint8 *p, *buf, *end; + gboolean eof = FALSE; + GError *my_error = NULL; +@@ -251,10 +251,11 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream, + } else + buf = fstream->priv->buf->data; + +- /* Scan for the boundary */ +- end = buf + fstream->priv->buf->len; +- if (!eof) +- end -= boundary_length; ++ /* Scan for the boundary within the range we can possibly return. */ ++ if (include_boundary) ++ end = buf + MIN (fstream->priv->buf->len, length) - boundary_length; ++ else ++ end = buf + MIN (fstream->priv->buf->len - boundary_length, length); + for (p = buf; p <= end; p++) { + if (*p == *(guint8*)boundary && + !memcmp (p, boundary, boundary_length)) { +@@ -268,10 +269,9 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream, + if (!*got_boundary && fstream->priv->buf->len < length && !eof) + goto fill_buffer; + +- /* Return everything up to 'p' (which is either just after the boundary if +- * include_boundary is TRUE, just before the boundary if include_boundary is +- * FALSE, @boundary_len - 1 bytes before the end of the buffer, or end-of- +- * file). +- */ +- return read_from_buf (fstream, buffer, p - buf); ++ if (eof && !*got_boundary) ++ read_length = MIN (fstream->priv->buf->len, length); ++ else ++ read_length = p - buf; ++ return read_from_buf (fstream, buffer, read_length); + } +-- +2.9.4 \ No newline at end of file diff --git a/SPECS/libsoup.spec b/SPECS/libsoup.spec index a8630d4..0b0b2c9 100644 --- a/SPECS/libsoup.spec +++ b/SPECS/libsoup.spec @@ -2,7 +2,7 @@ Name: libsoup Version: 2.56.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Soup, an HTTP library implementation License: LGPLv2 @@ -19,6 +19,9 @@ Patch03: negotiate-internals.patch Patch04: negotiate-connection-close.patch # https://bugzilla.gnome.org/show_bug.cgi?id=783781 Patch05: tcms-site-warning.patch +# https://bugzilla.gnome.org/show_bug.cgi?id=785774 +# https://bugzilla.redhat.com/show_bug.cgi?id=1479281 +Patch06: chunked-decoding-buffer-overrun-CVE-2017-2885.patch BuildRequires: glib2-devel >= %{glib2_version} BuildRequires: glib-networking @@ -58,6 +61,7 @@ you to develop applications that use the libsoup library. %patch03 -p1 -b .negotiate-internals %patch04 -p1 -b .negotiate-connection-close %patch05 -p1 -b .tcms-site-warning +%patch06 -p1 -b .cve-2017-2885 %build %configure --disable-static @@ -97,6 +101,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la %{_datadir}/vala/vapi/libsoup-2.4.vapi %changelog +* Wed Aug 09 2017 Tomas Popela - 2.56.0-4 +- Fix chunked decoding buffer overrun (CVE-2017-2885) (rh #1479322) + * Thu Jun 22 2017 Tomas Popela - 2.56.0-3 - libsoup stuck on infinite loop for kerberized pages (rh #1439798)