[Medium] Patch libsoup for CVE-2025-32909, CVE-2025-32910, CVE-2025-32912, CVE-2025-4476

[kevin-b-lockwood]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• If you are adding/removing a .spec file that has multiple-versions supported, please add @microsoft/cbl-mariner-multi-package-reviewers team as reviewer (Eg. golang has 2 versions 1.18, 1.21+)
• Ready to merge

---

Summary

Patch libsoup for CVE-2025-32909, CVE-2025-32910, CVE-2025-32912

Change Log

• [Medium] Patch libsoup for CVE-2025-32909
• [Medium] Patch libsoup for CVE-2025-32910
• [Medium] Patch libsoup for CVE-2025-32912
• [Medium] Patch libsoup for CVE-2025-4476

Does this affect the toolchain?

NO

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-32909
• https://nvd.nist.gov/vuln/detail/CVE-2025-32910
• https://nvd.nist.gov/vuln/detail/CVE-2025-32912
• https://nvd.nist.gov/vuln/detail/CVE-2025-4476

Test Methodology

• Local build

[Kanishk-Bansal]

Kindly retarget this PR against the dev branch. For 3.0 it's 3.0-dev and for 2.0 it is main

[kevin-b-lockwood]

Kindly retarget this PR against the dev branch. For 3.0 it's 3.0-dev and for 2.0 it is main

My apologies, must have been bad muscle memory I think. Ought to be all straightened out now.

[kevin-b-lockwood]

Fixed merge conflicts and numbered the patches as per #13446 (comment)

[Kanishk-Bansal]

Suggested change

[kevin-b-lockwood]

Will do

[Kanishk-Bansal]

• Buddy Build
• patch applied during the build (check rpm.log)
• patch include an upstream reference
• PR has security tag

[kgodara912]

Could you please update release number, here and above release tag?

[kevin-b-lockwood]

Forgot to bump the release number during the merge, I'll fix that now.

[kevin-b-lockwood]

Hopefully addressed all the concerns

[kevin-b-lockwood]

Forgot to bump the release number during the merge, I'll fix that now.

[kevin-b-lockwood]

Will do

[kgodara912]

Sorry to bother you again, actually for CVE-2025-32912, there are 3 patches from the issue request,
Fix: !417 (merged) and !434 (merged) and 910ebdcd

Out of three patches, you only took one which was also later modified as from
if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) to
if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))

Please check all the relevant fixes for CVEs from above fix list of the issue https://gitlab.gnome.org/GNOME/libsoup/-/issues/434 and confirm once if this is the one only needed to fix the CVE. Remaining two look ok.

[kgodara912]

Buddy build. After rebase to tip, the patches in this PR don't apply cleanly. Please ensure that patches apply cleanly after rebasing.

[Kanishk-Bansal]

@kevin-b-lockwood
Investigate.

[kevin-b-lockwood]

Sorry to bother you again, actually for CVE-2025-32912, there are 3 patches from the issue request, Fix: !417 (merged) and !434 (merged) and 910ebdcd

Out of three patches, you only took one which was also later modified as from if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) to if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))

Please check all the relevant fixes for CVEs from above fix list of the issue https://gitlab.gnome.org/GNOME/libsoup/-/issues/434 and confirm once if this is the one only needed to fix the CVE. Remaining two look ok.

Of the three patchsets mentioned:

• !417 (merged): These are the patches contained in CVE-2025-32910.patch. Prerequisite for CVE-2025-32912, but also the patches for that CVE.
• !434 (merged): This is the patch already in CVE-2025-32912.patch.
• 910ebdcd: I had not seen this patch, thank you for bringing it to my attention. I have added it.

[Kanishk-Bansal]

since you have modified either create a new patch or try to apply the upstream patches with no changes

[kevin-b-lockwood]

since you have modified either create a new patch or try to apply the upstream patches with no changes

I didn't make any changes to the patch for CVE-2025-4476, I downloaded the patch, renamed the patch file, and added it to the spec file.

[kgodara912]

Test cases aren't included as part of two CVE patches. Any reason for excluding them from patches? Buddy build

[kevin-b-lockwood]

Test cases aren't included as part of two CVE patches. Any reason for excluding them from patches? Buddy build

I didn't exclude them, the source patches simply didn't include any updates to the tests that I could find. I just went through and compared the patches in the PR and the patches in the upstream and I didn't see any where I had removed any tests. Please tell me which patches if I missed any.

[kevin-b-lockwood]

@kgodara912 Please clarify which tests are missing so I can get this PR moving again

[kgodara912]

Buddy build is succeeded. LGTM.

[Kanishk-Bansal]

Buddy Build