[AutoPR- Security] Patch libsoup for CVE-2026-2436 [MEDIUM]

SPECS/libsoup/CVE-2026-2436.patch

@@ -0,0 +1,81 @@
+From 50838ec94696282406d9cee47f41ca7c11f68694 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Wed, 14 Jan 2026 11:39:18 -0600
+Subject: [PATCH] server-connection: check for cancellation in handshake
+ callback
+
+If the SoupServerConnection is destroyed before the TLS handshake
+completes, then we have a use after free of the SoupServerConnection in
+tls_connection_handshake_ready_cb().
+
+Spotted in #YWH-PGM9867-161. (I have not created a libsoup issue report
+for -161 because it was rejected by our triagers due to errors.)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/495.patch
+---
+ libsoup/server/soup-server-connection.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/libsoup/server/soup-server-connection.c b/libsoup/server/soup-server-connection.c
+index cac4eaa..7d4064a 100644
+--- a/libsoup/server/soup-server-connection.c
++++ b/libsoup/server/soup-server-connection.c
+@@ -62,6 +62,7 @@ typedef struct {
+         gboolean advertise_http2;
+         SoupHTTPVersion http_version;
+         SoupServerMessageIO *io_data;
++        GCancellable *cancellable;
+
+         GSocketAddress *local_addr;
+         GSocketAddress *remote_addr;
+@@ -86,6 +87,7 @@ soup_server_connection_init (SoupServerConnection *conn)
+         SoupServerConnectionPrivate *priv = soup_server_connection_get_instance_private (conn);
+
+         priv->http_version = SOUP_HTTP_1_1;
++        priv->cancellable = g_cancellable_new ();
+ }
+
+ static void
+@@ -109,6 +111,9 @@ soup_server_connection_finalize (GObject *object)
+         SoupServerConnection *conn = SOUP_SERVER_CONNECTION (object);
+         SoupServerConnectionPrivate *priv = soup_server_connection_get_instance_private (conn);
+
++        g_cancellable_cancel (priv->cancellable);
++        g_clear_object (&priv->cancellable);
++
+         if (priv->conn) {
+                 disconnect_internal (conn);
+         } else {
+@@ -428,8 +433,9 @@ tls_connection_handshake_ready_cb (GTlsConnection       *tls_conn,
+                                    SoupServerConnection *conn)
+ {
+         SoupServerConnectionPrivate *priv = soup_server_connection_get_instance_private (conn);
++        GError *error = NULL;
+
+-        if (g_tls_connection_handshake_finish (tls_conn, result, NULL)) {
++        if (g_tls_connection_handshake_finish (tls_conn, result, &error)) {
+                 const char *protocol = g_tls_connection_get_negotiated_protocol (tls_conn);
+
+                 if (g_strcmp0 (protocol, "h2") == 0)
+@@ -440,7 +446,7 @@ tls_connection_handshake_ready_cb (GTlsConnection       *tls_conn,
+                         priv->http_version = SOUP_HTTP_1_1;
+
+                 soup_server_connection_connected (conn);
+-        } else {
++        } else if (!g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED)) {
+                 soup_server_connection_disconnect (conn);
+         }
+ }
+@@ -518,7 +524,7 @@ soup_server_connection_accepted (SoupServerConnection *conn)
+                                          conn, G_CONNECT_SWAPPED);
+
+                 g_tls_connection_handshake_async (G_TLS_CONNECTION (priv->conn),
+-                                                  G_PRIORITY_DEFAULT, NULL,
++                                                  G_PRIORITY_DEFAULT, priv->cancellable,
+                                                   (GAsyncReadyCallback)tls_connection_handshake_ready_cb,
+                                                   conn);
+                 return;
+-- 
+2.45.4
+

SPECS/libsoup/libsoup.spec

@@ -4,7 +4,7 @@
 Summary:        libsoup HTTP client/server library
 Name:           libsoup
 Version:        3.4.4
-Release:        14%{?dist}
+Release:        15%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -78,6 +78,7 @@ Patch28:         fix-ssl-test.patch
 Patch29:         CVE-2026-0716.patch
 Patch30:         CVE-2026-2443.patch
 Patch31:         CVE-2026-2369.patch
+Patch32:         CVE-2026-2436.patch
 
 %description
 libsoup is HTTP client/server library for GNOME
@@ -153,6 +154,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %defattr(-,root,root)
 
 %changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4.4-15
+- Patch for CVE-2026-2436
+
 * Wed Mar 25 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4.4-14
 - Patch for CVE-2026-2369