main/libsoup: security upgrade to 2.58.2

	CVE-2017-2885

Fixes #7676

2 files changed, 63 insertions, 2 deletions

diff --git a/main/libsoup/APKBUILD b/main/libsoup/APKBUILD
index 0d69079cc7..2a4d4d9ac5 100644
--- a/main/libsoup/APKBUILD
+++ b/main/libsoup/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libsoup
-pkgver=2.58.1
+pkgver=2.58.2
 pkgrel=0
 pkgdesc="Gnome HTTP Library"
 url="http://live.gnome.org/LibSoup"
@@ -13,6 +13,10 @@ makedepends="$depends_dev libgcrypt-dev libgpg-error-dev zlib-dev
 	gobject-introspection-dev intltool vala libxml2-dev"
 source="http://ftp.gnome.org/pub/gnome/sources/$pkgname/${pkgver%.*}/$pkgname-$pkgver.tar.xz"
 
+# secfixes:
+#   2.58.2-r0:
+#     - CVE-2017-2885
+
 build() {
 	cd "$srcdir"/$pkgname-$pkgver
 	DATADIRNAME=share ./configure \
@@ -34,4 +38,4 @@ package() {
 	cd "$srcdir"/$pkgname-$pkgver
 	make DESTDIR="$pkgdir" install || return 1
 }
-sha512sums="9181771197a8ed700a80e449ad9b39e697d1b4f470a8d33c227a037322b2a81c8e68bcfdfdab062a97e2b71172b77397facba2ab000be5d388e7ae2f1d6c4d3a  libsoup-2.58.1.tar.xz"
+sha512sums="85af6fac87343bdd22312518402144d33916225f60d6fa158efdd84f7ee7ed1f9895989b3558f711c9aedc93cff35a4114ad79d6d2aa19c54cb326f162a4c7de  libsoup-2.58.2.tar.xz"
diff --git a/main/libsoup/CVE-2017-2885.patch b/main/libsoup/CVE-2017-2885.patch
new file mode 100644
index 0000000000..c22616ad5b
--- /dev/null
+++ b/main/libsoup/CVE-2017-2885.patch
@@ -0,0 +1,57 @@
+From 03c91c76daf70ee227f38304c5e45a155f45073d Mon Sep 17 00:00:00 2001
+From: Dan Winship <danw@gnome.org>
+Date: Thu, 3 Aug 2017 09:56:43 -0400
+Subject: Fix chunked decoding buffer overrun (CVE-2017-2885)
+
+https://bugzilla.gnome.org/show_bug.cgi?id=785774
+---
+ libsoup/soup-filter-input-stream.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c
+index cde4d12..2c30bf9 100644
+--- a/libsoup/soup-filter-input-stream.c
++++ b/libsoup/soup-filter-input-stream.c
+@@ -198,7 +198,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream  *fstream,
+ 				     GCancellable           *cancellable,
+ 				     GError                **error)
+ {
+-	gssize nread;
++	gssize nread, read_length;
+ 	guint8 *p, *buf, *end;
+ 	gboolean eof = FALSE;
+ 	GError *my_error = NULL;
+@@ -251,10 +251,11 @@ soup_filter_input_stream_read_until (SoupFilterInputStream  *fstream,
+ 	} else
+ 		buf = fstream->priv->buf->data;
+ 
+-	/* Scan for the boundary */
+-	end = buf + fstream->priv->buf->len;
+-	if (!eof)
+-		end -= boundary_length;
++	/* Scan for the boundary within the range we can possibly return. */
++	if (include_boundary)
++		end = buf + MIN (fstream->priv->buf->len, length) - boundary_length;
++	else
++		end = buf + MIN (fstream->priv->buf->len - boundary_length, length);
+ 	for (p = buf; p <= end; p++) {
+ 		if (*p == *(guint8*)boundary &&
+ 		    !memcmp (p, boundary, boundary_length)) {
+@@ -268,10 +269,9 @@ soup_filter_input_stream_read_until (SoupFilterInputStream  *fstream,
+ 	if (!*got_boundary && fstream->priv->buf->len < length && !eof)
+ 		goto fill_buffer;
+ 
+-	/* Return everything up to 'p' (which is either just after the boundary if
+-	 * include_boundary is TRUE, just before the boundary if include_boundary is
+-	 * FALSE, @boundary_len - 1 bytes before the end of the buffer, or end-of-
+-	 * file).
+-	 */
+-	return read_from_buf (fstream, buffer, p - buf);
++	if (eof && !*got_boundary)
++		read_length = MIN (fstream->priv->buf->len, length);
++	else
++		read_length = p - buf;
++	return read_from_buf (fstream, buffer, read_length);
+ }
+-- 
+cgit v0.12