From 7ec5732eeb839cfa19c69e37d2ff2337910b5be7 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
 <azurelinux-security@microsoft.com>
Date: Thu, 2 Apr 2026 08:23:22 +0000
Subject: [PATCH] Patch libsoup for CVE-2026-2436

---
 SPECS/libsoup/CVE-2026-2436.patch | 81 +++++++++++++++++++++++++++++++
 SPECS/libsoup/libsoup.spec        |  6 ++-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/libsoup/CVE-2026-2436.patch

diff --git a/SPECS/libsoup/CVE-2026-2436.patch b/SPECS/libsoup/CVE-2026-2436.patch
new file mode 100644
index 00000000000..bcbe168749e
--- /dev/null
+++ b/SPECS/libsoup/CVE-2026-2436.patch
@@ -0,0 +1,81 @@
+From 50838ec94696282406d9cee47f41ca7c11f68694 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Wed, 14 Jan 2026 11:39:18 -0600
+Subject: [PATCH] server-connection: check for cancellation in handshake
+ callback
+
+If the SoupServerConnection is destroyed before the TLS handshake
+completes, then we have a use after free of the SoupServerConnection in
+tls_connection_handshake_ready_cb().
+
+Spotted in #YWH-PGM9867-161. (I have not created a libsoup issue report
+for -161 because it was rejected by our triagers due to errors.)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/495.patch
+---
+ libsoup/server/soup-server-connection.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/libsoup/server/soup-server-connection.c b/libsoup/server/soup-server-connection.c
+index cac4eaa..7d4064a 100644
+--- a/libsoup/server/soup-server-connection.c
++++ b/libsoup/server/soup-server-connection.c
+@@ -62,6 +62,7 @@ typedef struct {
+         gboolean advertise_http2;
+         SoupHTTPVersion http_version;
+         SoupServerMessageIO *io_data;
++        GCancellable *cancellable;
+ 
+         GSocketAddress *local_addr;
+         GSocketAddress *remote_addr;
+@@ -86,6 +87,7 @@ soup_server_connection_init (SoupServerConnection *conn)
+         SoupServerConnectionPrivate *priv = soup_server_connection_get_instance_private (conn);
+ 
+         priv->http_version = SOUP_HTTP_1_1;
++        priv->cancellable = g_cancellable_new ();
+ }
+ 
+ static void
+@@ -109,6 +111,9 @@ soup_server_connection_finalize (GObject *object)
+         SoupServerConnection *conn = SOUP_SERVER_CONNECTION (object);
+         SoupServerConnectionPrivate *priv = soup_server_connection_get_instance_private (conn);
+ 
++        g_cancellable_cancel (priv->cancellable);
++        g_clear_object (&priv->cancellable);
++
+         if (priv->conn) {
+                 disconnect_internal (conn);
+         } else {
+@@ -428,8 +433,9 @@ tls_connection_handshake_ready_cb (GTlsConnection       *tls_conn,
+                                    SoupServerConnection *conn)
+ {
+         SoupServerConnectionPrivate *priv = soup_server_connection_get_instance_private (conn);
++        GError *error = NULL;
+ 
+-        if (g_tls_connection_handshake_finish (tls_conn, result, NULL)) {
++        if (g_tls_connection_handshake_finish (tls_conn, result, &error)) {
+                 const char *protocol = g_tls_connection_get_negotiated_protocol (tls_conn);
+ 
+                 if (g_strcmp0 (protocol, "h2") == 0)
+@@ -440,7 +446,7 @@ tls_connection_handshake_ready_cb (GTlsConnection       *tls_conn,
+                         priv->http_version = SOUP_HTTP_1_1;
+ 
+                 soup_server_connection_connected (conn);
+-        } else {
++        } else if (!g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED)) {
+                 soup_server_connection_disconnect (conn);
+         }
+ }
+@@ -518,7 +524,7 @@ soup_server_connection_accepted (SoupServerConnection *conn)
+                                          conn, G_CONNECT_SWAPPED);
+ 
+                 g_tls_connection_handshake_async (G_TLS_CONNECTION (priv->conn),
+-                                                  G_PRIORITY_DEFAULT, NULL,
++                                                  G_PRIORITY_DEFAULT, priv->cancellable,
+                                                   (GAsyncReadyCallback)tls_connection_handshake_ready_cb,
+                                                   conn);
+                 return;
+-- 
+2.45.4
+
diff --git a/SPECS/libsoup/libsoup.spec b/SPECS/libsoup/libsoup.spec
index 7327cde3253..506fd64310a 100644
--- a/SPECS/libsoup/libsoup.spec
+++ b/SPECS/libsoup/libsoup.spec
@@ -4,7 +4,7 @@
 Summary:        libsoup HTTP client/server library
 Name:           libsoup
 Version:        3.4.4
-Release:        14%{?dist}
+Release:        15%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -78,6 +78,7 @@ Patch28:         fix-ssl-test.patch
 Patch29:         CVE-2026-0716.patch
 Patch30:         CVE-2026-2443.patch
 Patch31:         CVE-2026-2369.patch
+Patch32:         CVE-2026-2436.patch
 
 %description
 libsoup is HTTP client/server library for GNOME
@@ -153,6 +154,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %defattr(-,root,root)
 
 %changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4.4-15
+- Patch for CVE-2026-2436
+
 * Wed Mar 25 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4.4-14
 - Patch for CVE-2026-2369