Acknowledgement sent
to Alejandro Pomares <pomares.alejandro@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Wed, 09 Apr 2025 10:36:02 GMT) (full text, mbox, link).
Package: gnome-calculator
Version: 1:43.0.1-2
Severity: normal
Tags: upstream
Dear Maintainer,
I am experiencing a persistent freeze when launching `gnome-calculator` on
a clean Debian 12 (bookworm) system. The application window either remains
blank or does not appear at all. The following error is consistently shown
in the terminal:
---
** (gnome-calculator:XXXXX): WARNING **: currency-provider.vala:161:
Couldn't download IMF currency rate file: HTTP/2 Error: INTERNAL_ERROR
(gnome-calculator:XXXXX): libsoup-WARNING **: soup_session_dispose: runtime
check failed: (soup_connection_manager_get_num_conns (priv->conn_manager)
== 0)
(gnome-calculator:XXXXX): libsoup-WARNING **: soup_host_free: runtime check
failed: (host->conns == NULL)
---
The calculator fails to display properly after this error. Removing user
configuration and forcing `button-mode=basic` with `gsettings` does not
prevent the crash. The issue occurs consistently even with fresh user
accounts and no custom configuration.
I am using:
- Debian GNU/Linux 12 (bookworm)
- Kernel: 6.12.12+bpo-amd64
- GNOME: 43
- GPU: AMD Radeon RX 5700 XT (driver: amdgpu, running under Wayland)
- RAM: 128 GiB
Disabling network access via `firejail --net=none gnome-calculator` allows
the app to launch, which confirms the bug is related to IMF currency rate
fetching.
I believe this is a regression or unhandled network error that should be
safely caught without freezing the application.
Please let me know if any further debugging or logs are required.
Best regards,
Alejandro Pomares Padilla
Acknowledgement sent
to Joseph Hayden <tails123@live.com>:
Extra info received and forwarded to list. Copy sent to tails123@live.com, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Thu, 10 Apr 2025 20:51:01 GMT) (full text, mbox, link).
To: Debian Bug Tracking System <1102471@bugs.debian.org>
Subject: Re: gnome-calculator 1:43.0.1-2 freezes on startup due to IMF currency rate HTTP error
Date: Thu, 10 Apr 2025 16:47:02 -0400
Package: gnome-calculator
Version: 1:43.0.1-2
Followup-For: Bug #1102471
X-Debbugs-Cc: tails123@live.com
Dear Maintainer (and bug reporter)
I can confirm, I saw the same error, and this solution of installing and using
firejail was sufficient to getting the program to work, though naturally, I
should expect that most, if not all debian packages should maintain their
function during regular use. Thank you for your fix, I hope that this can be
hotfixed instead of waiting for 13 to become the new stable.
-- System Information:
Debian Release: 12.10
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-32-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnome-calculator depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.40.0-4
ii libadwaita-1-0 1.2.2-1
ii libc6 2.36-9+deb12u10
ii libgee-0.8-2 0.20.6-1
ii libglib2.0-0 2.74.6-2+deb12u5
ii libgtk-4-1 4.8.3+ds-2+deb12u1
ii libgtksourceview-5-0 5.6.2-1
ii libmpc3 1.3.1-1
ii libmpfr6 4.2.0-1
ii libsoup-3.0-0 3.2.2-2
ii libxml2 2.9.14+dfsg-1.3~deb12u1
Versions of packages gnome-calculator recommends:
ii gvfs 1.50.3-1
ii yelp 42.2-1
gnome-calculator suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#1102471; Package gnome-calculator.
(Thu, 21 Aug 2025 14:25:33 GMT) (full text, mbox, link).
Acknowledgement sent
to 1077962@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Thu, 21 Aug 2025 14:25:33 GMT) (full text, mbox, link).
Cc: Jace <jaymanshad@proton.me>, Mike Swanson <mikeonthecomputer@gmail.com>,
1052551@bugs.debian.org, 1052551-submitter@bugs.debian.org,
Mauro Meloni <maurom1982@yahoo.com.ar>,
little_red_n <little_red_n@proton.me>,
Peter Mueller <petermueller@ro.ru>,
Marcelo Gondim <gondim@gmail.com>, alireza <alirezaimi@gmail.com>,
1098315@bugs.debian.org, 1098315-submitter@bugs.debian.org,
Trevor Vance <trevor.k.vance@gmail.com>,
Colomban Wendling <lists.ban@herbesfolles.org>,
Daniel Blaschke <blaschke@hep.itp.tuwien.ac.at>,
1099119@bugs.debian.org, 1099119-submitter@bugs.debian.org,
Serge Smeesters <serge@facegnu.org>,
Marcin Owsiany <porridge@debian.org>,
Alexander Koeppe <alexander@koeppe.rocks>,
Tim Boneko <tim@boneko.de>, 1100509@bugs.debian.org,
1100509-submitter@bugs.debian.org, 1104456@bugs.debian.org,
1104456-submitter@bugs.debian.org, 1100541@bugs.debian.org,
1100541-submitter@bugs.debian.org, 1101922@bugs.debian.org,
1101922-submitter@bugs.debian.org,
Wouter Wijsman <wwijsman@live.nl>, 1102471@bugs.debian.org,
1102471-submitter@bugs.debian.org,
Joseph Hayden <tails123@live.com>, 1059773@bugs.debian.org,
1059773-submitter@bugs.debian.org, 1059773.bugs.debian.org@halis.cc,
Nate Bargmann <n0nb@n0nb.us>, Olivier Berger <oberger@ouvaton.org>,
Samuel Wolf <samuelwolf85@googlemail.com>,
Charles Curley <charlescurley@charlescurley.com>
Subject: Re: Bug#1077962: libsoup-3.0-0: makes gnome-calculator hang during
startup
Date: Thu, 21 Aug 2025 15:23:06 +0100
Control: severity -1 serious
Control: tags -1 + bookworm pending
Control: block -1 by 1109147
On Thu, 10 Jul 2025 at 19:31:59 +0100, Simon McVittie wrote:
>On Mon, 05 Aug 2024 at 06:45:18 +0000, Jace wrote:
>>gnome-calculator freezes when using a Debian system behind mullvadVPN due to a
>>bug in libsoup that was patched in version 3.4.3
>
>[The underlying bug is]
><https://gitlab.gnome.org/GNOME/libsoup/-/issues/361>, which was
>apparently fixed by
><https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/374>. The
>original issue report and merge request talk about crashes, but these
>are memory management/object lifetime issues that could equally well
>cause a hang.
A fix for this libsoup3 issue has been approved by the stable release
managers and should be included in the Debian 12.12 point release, which
is planned for 6th September. The same issue was also already fixed in
the Debian 13.0 stable release.
This is a libsoup3 bug, not a gnome-calculator bug (even though the
symptom appears in gnome-calculator), so gnome-calculator will not be
changed for this.
As noted in several of the many duplicate bug reports, a workaround is
to run this command
gsettings set org.gnome.calculator refresh-interval 0
which turns off download of currency exchange rates.
Peter Mueller wrote:
>Whoever is responsible: shouldn't the bug reports be merged?
I am intentionally not merging the duplicate bug reports or reassigning
them to libsoup3 at this stage, in the hope that this way, users of
gnome-calculator will see at least one of the 10 different bug reports
that refers to this issue, and not open an 11th.
smcv
Severity set to 'serious' from 'normal'
Request was from Simon McVittie <smcv@debian.org>
to 1102471-submit@bugs.debian.org.
(Thu, 21 Aug 2025 14:25:33 GMT) (full text, mbox, link).
Added tag(s) pending and bookworm.
Request was from Simon McVittie <smcv@debian.org>
to 1102471-submit@bugs.debian.org.
(Thu, 21 Aug 2025 14:25:34 GMT) (full text, mbox, link).
Added blocking bug(s) of 1102471: 1109147
Request was from Simon McVittie <smcv@debian.org>
to 1102471-submit@bugs.debian.org.
(Thu, 21 Aug 2025 14:25:34 GMT) (full text, mbox, link).
Message sent on
to Alejandro Pomares <pomares.alejandro@gmail.com>:
Bug#1102471.
(Thu, 21 Aug 2025 14:25:40 GMT) (full text, mbox, link).
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Fri, 22 Aug 2025 15:35:10 GMT) (full text, mbox, link).
Notification sent
to Alejandro Pomares <pomares.alejandro@gmail.com>:
Bug acknowledged by developer.
(Fri, 22 Aug 2025 15:35:10 GMT) (full text, mbox, link).
Source: libsoup3
Source-Version: 3.2.3-0+deb12u1
Done: Simon McVittie <smcv@debian.org>
We believe that the bug you reported is fixed in the latest version of
libsoup3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1102471@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated libsoup3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 12 Jul 2025 14:39:06 +0100
Source: libsoup3
Architecture: source
Version: 3.2.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 10525511054962105977310647441077962108741610874171098315109911911005091100541110192211024711104456
Changes:
libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
.
* Team upload
.
[ Jeremy Bícha ]
* d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
(Closes: #1064744, #1054962)
.
[ Simon McVittie ]
* Re-export patch series (no functional changes)
* New upstream old-stable release 3.2.3
- Fix a buffer overrun if asked to parse non-UTF-8 headers. It is
believed that this cannot happen on the client side, but it can
happen in SoupServer. (CVE-2024-52531, Closes: #1087417)
- Avoid an infinite loop in WebSocket processing which can cause a denial
of service via resource exhaustion (CVE-2024-52532, Closes: #1087416)
- Fix denial of service (crash) when parsing invalid data URLs
(CVE-2025-32051)
- Fix heap overflows during content sniffing
(CVE-2025-32052, libsoup3 equivalent of #1102214)
(CVE-2025-32053, libsoup3 equivalent of #1102215)
- Fix an integer overflow during parameter serialization
(CVE-2025-32050, libsoup3 equivalent of #1102212)
* Fix a regression introduced in 3.2.3 by backporting its fixes from
3.6.5:
- d/p/sniffer-Fix-potential-overflow.patch,
d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
Fix more heap buffer overflows during content sniffing
(CVE-2025-2784; libsoup3 equivalent of #1102208)
- d/source/include-binaries: Configure dpkg to accept non-text diffs
in test data for CVE-2025-2784
* d/p/server-Add-note-about-recommended-usage.patch:
Update documentation to indicate the level of security support for
the server side.
Upstream clarified the documentation in 3.6.1 to state that SoupServer
is not intended to be exposed to untrusted clients.
(Related to CVE-2024-52531, CVE-2024-52532)
* d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
Add test coverage related to CVE-2024-52531
* Backport additional CVE fixes from upstream release 3.5.2:
- d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
Reject HTTP headers if they contain NUL bytes
(CVE-2024-52530, libsoup3 equivalent of #1088812)
* Backport additional CVE fixes from upstream release 3.6.2:
- d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
Fix denial of service when sniffing type of a short resource
(CVE-2025-32909, libsoup3 equivalent of #1103517)
- d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
d/p/auth-digest-Handle-missing-nonce.patch,
d/p/auth-digest-Fix-leak.patch:
Fix denial of service (crash) during client-side authentication
(CVE-2025-32910, libsoup3 equivalent of #1103516)
- d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
Fix memory management of message headers.
(CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
- d/p/soup_header_parse_quality_list-Fix-leak.patch:
Fix a memory leak (slow denial of service) in quality list parsing
(CVE-2025-46420, libsoup3 equivalent of #1104055)
* Backport additional CVE fixes from upstream release 3.6.5:
- d/p/auth-digest-Handle-missing-nonce-1.patch,
d/p/digest-auth-Handle-NULL-nonce.patch:
Fix additional denial of service issues related to CVE-2025-32910
(CVE-2025-32912, libsoup3 equivalent of #1103516)
- d/p/headers-Handle-parsing-edge-case.patch,
d/p/headers-Handle-parsing-only-newlines.patch:
Fix denial of service (crash) in http server header parsing
(CVE-2025-32906, libsoup3 equivalent of #1103521)
- d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
Fix credentials disclosure on cross-origin redirect
(CVE-2025-46421, libsoup3 equivalent of #110405)
* d/control: libsoup-3.0-tests Depends on ca-certificates
(Equivalent of #1054962, #1064744 for autopkgtests)
* d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
Add patch from upstream fixing a use-after-free during disconnection.
In particular this resolves a hang during gnome-calculator startup,
when it downloads currency conversion data.
(Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
#1100541, #1101922, #1102471, #1059773)
* d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
Add patch from upstream fixing another use-after-free during disconnect.
(Related to #1077962, etc.)
Checksums-Sha1:
3cd4cbe62114d1591ac7ed133219be3096f5ebee 3362 libsoup3_3.2.3-0+deb12u1.dsc
104cbce77f3d620c9b6660f03c6c8076a2c99711 1530552 libsoup3_3.2.3.orig.tar.xz
0ee17a274d37bd4967b3d8941c13c766520a52c5 37636 libsoup3_3.2.3-0+deb12u1.debian.tar.xz
cdd653b893d75895662f4fdf3c380b53edb10ee7 18435 libsoup3_3.2.3-0+deb12u1_source.buildinfo
Checksums-Sha256:
f68bd3c65f208bacfc99d54fe24012a9ce0aef217f89ff0e4ae354f5f029852b 3362 libsoup3_3.2.3-0+deb12u1.dsc
3f50c2a883d7e984e31ecbaa35326b4e6bc6357bd3eed9bb4eb49154ebadd2fd 1530552 libsoup3_3.2.3.orig.tar.xz
5afa608a041cf3b0f08386f97e9ec6adaa8971598876e03cbd30812a19ab97c8 37636 libsoup3_3.2.3-0+deb12u1.debian.tar.xz
9a0bd6df19b611dc6b0f17e16406112bcc8d18f5fcd7da57efefa486d22e0f6c 18435 libsoup3_3.2.3-0+deb12u1_source.buildinfo
Files:
9e780002f7ff4ffbc7098ba3a46e45da 3362 devel optional libsoup3_3.2.3-0+deb12u1.dsc
c609e3028296f559786fa581c418f4da 1530552 devel optional libsoup3_3.2.3.orig.tar.xz
a155ad6386cde3560239fddd97e02581 37636 devel optional libsoup3_3.2.3-0+deb12u1.debian.tar.xz
4f3fec537be1c450b78572bf5ff4fb43 18435 devel optional libsoup3_3.2.3-0+deb12u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEegc60a5pT6Jb/2LlI1wJnT6zMHYFAmiYbz8ACgkQI1wJnT6z
MHYX5w//TNn1SbM3UK6VL7w3yeKY724RIjlt8pkF4I75kS9ws2gNVxddbpBhG04c
MVMF/C8ZiKWtIl73FUfQe8ywLePM/QEwUe/gqwkXwXTUG8CJLj0NjsVjOZrWtWI5
EZPdhFun6hX5l236IdYtV71jZSVu/LPzXdSH+Ycs0TyuQth1RRpOKPaJoyZSkE8d
pJvrGRGGtGqW6p3gdlhnwgOlnHZ0ei/15fI4xptjlikikMFXXuNVTC86Fdz5yvHH
TJus4XUka0+KV+mh98NrABNAh/Ar4MNCJfmpEceip6eGLqJ2JaegalHuaJkUusKe
POQ9lrR3cvL22gaw/Xw+O79GFwc4mN3wN/NRar5CHuUr83NdbLnkmzuohfAk3PzA
d14lBtJaPOa/Jxkv5HwwuFlG9DfyvtGkXfoU+5pD+alXrj08OzZ1i/P4kVs0hzrA
cEgQcneFJJjaD0JOWps6LlsT2CXWdpDRKN54l0lUeVRXlCXq41FqMuN8+plBYdCN
Pkaj0fxFUat1sBq9llzgreg26Tor1Kec7+ASuYw9iv9HB9JJromYUjc8tVb4Aj8u
xnjpZgFw1X7eR+zI9hruuuZV0ji46hcujkDy+5eqwUxTupvzluLxy2Qz6eICNTlt
FNg/ZJv95cKx19G+Z8yTcpgoNzEn6eiSOhiObzXwGBn5FRCNtRE=
=wM44
-----END PGP SIGNATURE-----
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Wed, 27 Aug 2025 07:05:08 GMT) (full text, mbox, link).
Notification sent
to Alejandro Pomares <pomares.alejandro@gmail.com>:
Bug acknowledged by developer.
(Wed, 27 Aug 2025 07:05:08 GMT) (full text, mbox, link).
Source: libsoup3
Source-Version: 3.2.3-0+deb12u2
Done: Simon McVittie <smcv@debian.org>
We believe that the bug you reported is fixed in the latest version of
libsoup3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1102471@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated libsoup3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 25 Aug 2025 16:06:45 +0100
Source: libsoup3
Architecture: source
Version: 3.2.3-0+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 10525511054962105977310647441077962108741610874171098315109911911005091100541110192211024711104456
Changes:
libsoup3 (3.2.3-0+deb12u2) bookworm; urgency=medium
.
* Team upload
* d/p/tests-Gracefully-skip-test-if-a-large-memory-allocation-f.patch:
Add proposed patch to fix a test failure on some 32-bit machines, in
particular Debian 12's mipsel buildds
.
libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
.
* Team upload
.
[ Jeremy Bícha ]
* d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
(Closes: #1064744, #1054962)
.
[ Simon McVittie ]
* Re-export patch series (no functional changes)
* New upstream old-stable release 3.2.3
- Fix a buffer overrun if asked to parse non-UTF-8 headers. It is
believed that this cannot happen on the client side, but it can
happen in SoupServer. (CVE-2024-52531, Closes: #1087417)
- Avoid an infinite loop in WebSocket processing which can cause a denial
of service via resource exhaustion (CVE-2024-52532, Closes: #1087416)
- Fix denial of service (crash) when parsing invalid data URLs
(CVE-2025-32051)
- Fix heap overflows during content sniffing
(CVE-2025-32052, libsoup3 equivalent of #1102214)
(CVE-2025-32053, libsoup3 equivalent of #1102215)
- Fix an integer overflow during parameter serialization
(CVE-2025-32050, libsoup3 equivalent of #1102212)
* Fix a regression introduced in 3.2.3 by backporting its fixes from
3.6.5:
- d/p/sniffer-Fix-potential-overflow.patch,
d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
Fix more heap buffer overflows during content sniffing
(CVE-2025-2784; libsoup3 equivalent of #1102208)
- d/source/include-binaries: Configure dpkg to accept non-text diffs
in test data for CVE-2025-2784
* d/p/server-Add-note-about-recommended-usage.patch:
Update documentation to indicate the level of security support for
the server side.
Upstream clarified the documentation in 3.6.1 to state that SoupServer
is not intended to be exposed to untrusted clients.
(Related to CVE-2024-52531, CVE-2024-52532)
* d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
Add test coverage related to CVE-2024-52531
* Backport additional CVE fixes from upstream release 3.5.2:
- d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
Reject HTTP headers if they contain NUL bytes
(CVE-2024-52530, libsoup3 equivalent of #1088812)
* Backport additional CVE fixes from upstream release 3.6.2:
- d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
Fix denial of service when sniffing type of a short resource
(CVE-2025-32909, libsoup3 equivalent of #1103517)
- d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
d/p/auth-digest-Handle-missing-nonce.patch,
d/p/auth-digest-Fix-leak.patch:
Fix denial of service (crash) during client-side authentication
(CVE-2025-32910, libsoup3 equivalent of #1103516)
- d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
Fix memory management of message headers.
(CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
- d/p/soup_header_parse_quality_list-Fix-leak.patch:
Fix a memory leak (slow denial of service) in quality list parsing
(CVE-2025-46420, libsoup3 equivalent of #1104055)
* Backport additional CVE fixes from upstream release 3.6.5:
- d/p/auth-digest-Handle-missing-nonce-1.patch,
d/p/digest-auth-Handle-NULL-nonce.patch:
Fix additional denial of service issues related to CVE-2025-32910
(CVE-2025-32912, libsoup3 equivalent of #1103516)
- d/p/headers-Handle-parsing-edge-case.patch,
d/p/headers-Handle-parsing-only-newlines.patch:
Fix denial of service (crash) in http server header parsing
(CVE-2025-32906, libsoup3 equivalent of #1103521)
- d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
Fix credentials disclosure on cross-origin redirect
(CVE-2025-46421, libsoup3 equivalent of #110405)
* d/control: libsoup-3.0-tests Depends on ca-certificates
(Equivalent of #1054962, #1064744 for autopkgtests)
* d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
Add patch from upstream fixing a use-after-free during disconnection.
In particular this resolves a hang during gnome-calculator startup,
when it downloads currency conversion data.
(Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
#1100541, #1101922, #1102471, #1059773)
* d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
Add patch from upstream fixing another use-after-free during disconnect.
(Related to #1077962, etc.)
Checksums-Sha1:
109f78b0454e2dfb3c04d7580032cf1653adbbc7 3514 libsoup3_3.2.3-0+deb12u2.dsc
18c39cf2ccdbe8bafae6ea5cb9fcee000ff89f92 38208 libsoup3_3.2.3-0+deb12u2.debian.tar.xz
12081c772865f927fc2d717eb0b22e03c23aae09 2473716 libsoup3_3.2.3-0+deb12u2.git.tar.xz
a67dd354b3d5929d371fdb3d37d0804d0efc7fd9 18090 libsoup3_3.2.3-0+deb12u2_source.buildinfo
Checksums-Sha256:
b00656d3dc925048e575643f7ea701ffc3d1e2ec677372b77255284e0b810be6 3514 libsoup3_3.2.3-0+deb12u2.dsc
34a04a865a644a16d635f55454ba06d52329806de943a95ed245384e6ea077b6 38208 libsoup3_3.2.3-0+deb12u2.debian.tar.xz
9337618beea532c5699338dab705633fad05b05f761381c3d467ba0ed9c29791 2473716 libsoup3_3.2.3-0+deb12u2.git.tar.xz
dcb95818cb589d1d9f81f49c5d5e6a16ab48560674c47eaf457b4c995b4a7409 18090 libsoup3_3.2.3-0+deb12u2_source.buildinfo
Files:
ecaa011c29a9237de552df9ec26cd29f 3514 devel optional libsoup3_3.2.3-0+deb12u2.dsc
ebaf706e41784c7ecdac04475eaa8674 38208 devel optional libsoup3_3.2.3-0+deb12u2.debian.tar.xz
d2c73254c8d2288371d330a92fccb046 2473716 None None libsoup3_3.2.3-0+deb12u2.git.tar.xz
861f8b3a357d3ca2ddd458456d12edd9 18090 devel optional libsoup3_3.2.3-0+deb12u2_source.buildinfo
Git-Tag-Info: tag=fa847d591345c7074c0ccb2bad8f16dcde18d15a fp=7a073ad1ae694fa25bff62e5235c099d3eb33076
Git-Tag-Tagger: Simon McVittie <smcv@debian.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmishYoACgkQYG0ITkaD
wHkCwQ/+Pe4XP/B5bvd/zePkpk49GSx3We7W7xpgJuDentebHISJObL9HlU0b4ey
gPtnBfVmIFW9Jg2AzgrHqWd9fBd7HvbIhYZAu7Wr4KXYKvnNl7lJFdmRbAuJjwS+
GRCjh77nZZFy7bhFqxH+twPt4BI5dIJTdUs5tGA3iSFGshd3xpgZe01ABOhgbFCK
Lb3yqduCWEYQ1BeOhHYb+ZWNi8XNU5VAgEPhVYL8yVpzbGVR5G9IowyQ932U26Zb
yw37MYH5hPSLSjuFBttqYenS1krtwOnfW+EKRnLeF7uEBNKWWn3KEchtmgDBPUDi
unGZx5MqzYIVmpxvfCBYqxJ3n1oByBmZKRdsXQxUYUANuXTQ290Ean9cvbSY7M2l
Jq2JaRbDe/61wLWzmFzyXp1bBOT28TeWwBIABsj/xcd/UyRyI2gIDI8dnyqNlEd/
oRfwg0s0i8menc9Kq2X1rOqO1VllhxOb8aOWVpM4zPyX4GqA7nLfoNeEVp3z+Yxw
DOnt6kr/VTAH0UlbiVfrQPJVMokM1H3c1ymnnP0KZKV0gAA51Dzd66Wh7Vmp9JQi
rDiqqWiMTrvyGjF0d1/PzmD9TRneTlBVjAaWMqxu9wHVooarzyjvqrsgKu1kGIW7
jM6vOCyVS3yjAeys9ieKQZ2VXiG2F0AjyTF0H2yLkAvtPDC/FXw=
=r12K
-----END PGP SIGNATURE-----
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.