Draft: [bookworm] Stable update based on upstream 3.2.3
libsoup3 (3.2.3-0+deb12u1) UNRELEASED; urgency=medium

  * Team upload

  [ Jeremy Bícha ]
  * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
    (Closes: #1064744, #1054962)

  [ Simon McVittie ]
  * Re-export patch series (no functional changes)
  * New upstream old-stable release 3.2.3
    - Fix a buffer overrun if asked to parse non-UTF-8 headers. It is
      believed that this cannot happen on the client side, but it can
      happen in SoupServer. (CVE-2024-52531, Closes: #1087417)
    - Avoid an infinite loop in WebSocket processing which can cause a denial
      of service via resource exhaustion (CVE-2024-52532, Closes: #1087416)
    - Fix denial of service (crash) when parsing invalid data URLs
      (CVE-2025-32051)
    - Fix heap overflows during content sniffing
      (CVE-2025-32052, libsoup3 equivalent of #1102214)
      (CVE-2025-32053, libsoup3 equivalent of #1102215)
    - Fix an integer overflow during parameter serialization
      (CVE-2025-32050, libsoup3 equivalent of #1102212)
  * Fix a regression introduced in 3.2.3 by backporting its fixes from
    3.6.5:
    - d/p/sniffer-Fix-potential-overflow.patch,
      d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
      Fix more heap buffer overflows during content sniffing
      (CVE-2025-2784; libsoup3 equivalent of #1102208)
    - d/source/include-binaries: Configure dpkg to accept non-text diffs
      in test data for CVE-2025-2784
  * d/p/server-Add-note-about-recommended-usage.patch:
    Update documentation to indicate the level of security support for
    the server side.
    Upstream clarified the documentation in 3.6.1 to state that SoupServer
    is not intended to be exposed to untrusted clients.
    (Related to CVE-2024-52531, CVE-2024-52532)
  * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
    Add test coverage related to CVE-2024-52531
  * Backport additional CVE fixes from upstream release 3.5.2:
    - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
      Reject HTTP headers if they contain NUL bytes
      (CVE-2024-52530, libsoup3 equivalent of #1088812)
  * Backport additional CVE fixes from upstream release 3.6.2:
    - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
      Fix denial of service when sniffing type of a short resource
      (CVE-2025-32909, libsoup3 equivalent of #1103517)
    - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
      d/p/auth-digest-Handle-missing-nonce.patch,
      d/p/auth-digest-Fix-leak.patch:
      Fix denial of service (crash) during client-side authentication
      (CVE-2025-32910, libsoup3 equivalent of #1103516)
    - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
      d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
      Fix memory management of message headers.
      (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
    - d/p/soup_header_parse_quality_list-Fix-leak.patch:
      Fix a memory leak (slow denial of service) in quality list parsing
      (CVE-2025-46420, libsoup3 equivalent of #1104055)
  * Backport additional CVE fixes from upstream release 3.6.5:
    - d/p/auth-digest-Handle-missing-nonce-1.patch,
      d/p/digest-auth-Handle-NULL-nonce.patch:
      Fix additional denial of service issues related to CVE-2025-32910
      (CVE-2025-32912, libsoup3 equivalent of #1103516)
    - d/p/headers-Handle-parsing-edge-case.patch,
      d/p/headers-Handle-parsing-only-newlines.patch:
      Fix denial of service (crash) in http server header parsing
      (CVE-2025-32906, libsoup3 equivalent of #1103521)
    - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
      Fix credentials disclosure on cross-origin redirect
      (CVE-2025-46421, libsoup3 equivalent of #110405)
  * d/control: libsoup-3.0-tests Depends on ca-certificates
    (Equivalent of #1054962, #1064744 for autopkgtests)
  * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
    Add patch from upstream fixing a use-after-free during disconnection.
    In particular this resolves a hang during gnome-calculator startup,
    when it downloads currency conversion data.
    (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
    #1100541, #1101922, #1102471, #1059773)
  * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
    Add patch from upstream fixing another use-after-free during disconnect.
    (Related to #1077962, etc.)

Edited by Simon McVittie