Bug#1109147: bookworm-pu: package libsoup3/3.2.3-0+deb12u1

    From Simon McVittie@21:1/5 to All on Sat Jul 12 16:30:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: [email protected], [email protected], [email protected], [email protected]
    Control: affects -1 + src:libsoup3
    User: [email protected]
    Usertags: pu

    [ Reason ]

    1. Fix a gnome-calculator regression where it hangs during startup if
    unable to download currency conversion rates for an optional feature
    (there are many duplicate bug reports for this)

    2. Fix all no-dsa CVEs that were already fixed in 3.6.5 upstream and in
    trixie, which are a superset of those that were fixed in the libsoup2.4
    in bullseye LTS

    Related to (2.), I also cherry-picked an upstream documentation change
    to clarify that SoupServer is not intended to be exposed on untrusted
    networks (added to trixie in 3.6.0-4, and debian-security-support in
    #1109118).

    I also took the opportunity to backport the addition of a missing build-dependency and autopkgtest dependency on ca-certificates
    (#1064744, #1054962), which is formally RC, but in practice probably
    did not affect bookworm because older buildd chroots and testbeds had ca-certificates preinstalled.

    This *does not* fix the CVEs that are unfixed in 3.6.5 upstream; I think
    those should be handled in a follow-up update, after their fixes
    (#1109142, maybe more later) have reached trixie.

    [ Impact ]

    1. Fixes a high-visibility gnome-calculator regression that has, so far,
    been reported in 10 duplicate bug reports.

    2. Fixes several denial of service issues which can crash applications
    that use libsoup3; it is possible that there are also routes to
    achieve arbitrary code execution via heap corruption.

    [ Tests ]

    Manual tests:

    - ran epiphany-browser (GNOME Web) and used it to browse debian.org;
    - deleted ~/.cache/gnome-calculator and ran gnome-calculator, causing it
    to try to download currency conversion rate data. In bookworm this
    is unsuccessful, at least from my home network (there is an HTTP/2
    internal error reported on stderr), but at least the rest of its
    functionality works. I have not attempted to debug this further;
    it's outside my knowledge.

    Automated tests: build-time tests (sbuild+unshare in a qemu VM on my
    laptop) and autopkgtest (in a qemu VM on my laptop) were successful. As
    with the libsoup3 update I've proposed for trixie, I expect that they
    will need some retries on official Debian infrastructure because of pre-existing instability in the test suite.

    Some of the CVE fixes include new automated test coverage, which passed,
    and I cherry-picked the new test coverage for CVE-2024-52531 (which was included in 3.6.x, but not backported to 3.2.x by upstream). I have not attempted to test the CVE fixes manually.

    Source and amd64/i386/all .deb are available from https://people.debian.org/~smcv/temp/2025/libsoup3-mr4/v9/ for further
    testing.

    [ Risks ]

    libsoup3 is a key package in our default desktop environment.

    As with the trixie update, I am not an expert on libsoup, so I have done
    my best but I might have made mistakes.

    The patches to the production code in this update were all
    straightforward git cherry-picks from upstream releases, with no conflict resolution required. For the changes that were already in the libsoup2.4
    update in bullseye LTS, I cross-checked vs. the libsoup2.4 update and
    confirmed that they all match up (modulo backporting changes that were
    required in bullseye).

    For the changes that were included in 3.2.3 upstream, I started by
    applying the changes as patches and applying the patch series with gbp
    pq, then imported the 3.2.3 upstream release, applied the resulting
    reduced patch series and compared the resulting patches-applied trees.
    The only differences were release-process stuff (NEWS and the version
    number in meson.build), so I chose to use the upstream 3.2.3 release, to
    make it more obvious what we are shipping.

    Some of the upstream changes had known regressions, so I have tried to
    identify and include the relevant regression fixes. There might be other regressions, or I might have failed to include a regression fix.

    As with trixie, unfortunately the libsoup test suite is known to be
    flaky in several ways, so it might require some retries to herd it
    through the official Debian infrastructure. See #1109142 for more
    details.

    [ Checklist ]

    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

    [ Other info ]

    In case a respin is needed: the version proposed here is commit
    5b8cd776, which is gnome-team/libsoup3!4 v9.

    In the debdiff, I excluded the content of d/patches/*.patch to avoid redundancy. All changes made by the patches are included in the debdiff
    as changes to the upstream source (the debdiff is between
    "patches-applied" trees).

    Please see
    https://salsa.debian.org/gnome-team/libsoup3/-/merge_requests/4 if you
    would prefer to examine the patches individually, with their upstream provenance and other DEP-3 metadata.

    I've cc'd Debian LTS members who recently worked on libsoup2.4 (an older version of this same upstream codebase) in the hope that they might be
    able to take a look at this. My recommendation would be that we should
    get these changes into bookworm-pu before backporting them into LTS
    suites, and into libsoup3 before libsoup2.4.

    smcv

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
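The patches-applied tree comparison described under [Risks] (apply the backported patch series to 3.2.2, import the 3.2.3 upstream release, then confirm that the two trees differ only in release-process files) as an added shell example. It is not part of this bug report or of the libsoup3 packaging: it builds two small constructed sample trees with placeholder content instead of real libsoup source, and it assumes that only NEWS and meson.build may legitimately differ. In the real workflow the two arguments would be the unpacked trees produced by gbp pq and by the upstream import.

```shell
#!/bin/sh
# Added example: check that two patches-applied source trees differ only in
# "release-process" files, the comparison described under [Risks].
# Not taken from the bug report or the libsoup3 packaging.

# Assumption: only these paths (relative to the tree root) may differ
# between the patched old release and the new upstream release.
ALLOWED_DIFF_PATHS="NEWS meson.build"

# is_allowed PATH: succeed if PATH is on the allow-list.
is_allowed() {
    for p in $ALLOWED_DIFF_PATHS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# only_release_diffs OLD_TREE NEW_TREE: return 0 if every differing path is
# allowed, otherwise list the unexpected paths on stderr and return 1.
only_release_diffs() {
    unexpected=$(
        # -r recurses, -q reports "Files A and B differ" only, -N treats a
        # file missing on one side as empty so additions/removals show up too.
        diff -rqN "$1" "$2" | while IFS= read -r line; do
            case $line in
                "Files "*" differ")
                    rel=${line#"Files $1/"}   # drop the "Files OLD_TREE/" prefix
                    rel=${rel%% and *}        # keep only the relative path
                    ;;
                *)
                    rel=$line                 # anything unrecognised is suspect
                    ;;
            esac
            is_allowed "$rel" || printf '%s\n' "$rel"
        done
    )
    if [ -n "$unexpected" ]; then
        printf 'unexpected differences:\n%s\n' "$unexpected" >&2
        return 1
    fi
    return 0
}

# make_demo_trees DIR: build constructed sample trees DIR/old (the old
# release with patches applied) and DIR/new (the new upstream release).
# Placeholder content only, not real libsoup source.
make_demo_trees() {
    mkdir -p "$1/old/src" "$1/new/src"
    printf "project('libsoup', version: '3.2.2')\n" > "$1/old/meson.build"
    printf "project('libsoup', version: '3.2.3')\n" > "$1/new/meson.build"
    printf 'Changes in libsoup 3.2.2\n' > "$1/old/NEWS"
    printf 'Changes in libsoup 3.2.3\n\nChanges in libsoup 3.2.2\n' > "$1/new/NEWS"
    # The patched source is expected to match upstream exactly.
    printf '/* constructed placeholder for a patched source file */\n' \
        > "$1/old/src/example.c"
    cp "$1/old/src/example.c" "$1/new/src/example.c"
}

# Demonstration run on the constructed trees.
tmp=$(mktemp -d)
make_demo_trees "$tmp"
if only_release_diffs "$tmp/old" "$tmp/new"; then
    echo "only NEWS and meson.build differ: safe to ship the upstream tarball"
fi
# Any change outside the allow-list means the patch series needs a second look.
printf '/* stray unreviewed edit */\n' >> "$tmp/new/src/example.c"
if ! only_release_diffs "$tmp/old" "$tmp/new" 2>/dev/null; then
    echo "unexpected differences found: re-check the patch series"
fi
rm -rf "$tmp"
```

The allow-list is deliberately tiny: a version bump in meson.build and a new NEWS entry are the only differences the report expects, so anything else (including a file present on only one side) is reported rather than silently accepted.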
    From Simon McVittie@21:1/5 to Simon McVittie on Sat Jul 12 16:40:01 2025
    XPost: linux.debian.devel.release

    On Sat, 12 Jul 2025 at 15:27:32 +0100, Simon McVittie wrote:
    > [x] attach debdiff against the package in testing

    Of course this should have said "against the package in stable"
    (copypasta error), and it clearly isn't my day for remembering to attach attachments. Sorry. Now attached.

    smcv

    debdiff libsoup3_3.2.2-2.dsc libsoup3_3.2.3-0+deb12u1.dsc | filterdiff -p1 -x'debian/patches/*.patch'

    diff -Nru libsoup3-3.2.2/debian/changelog libsoup3-3.2.3/debian/changelog
    --- libsoup3-3.2.2/debian/changelog 2023-03-01 19:57:12.000000000 +0000
    +++ libsoup3-3.2.3/debian/changelog 2025-07-12 14:39:06.000000000 +0100
    @@ -1,3 +1,88 @@
    +libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
    +
    + * Team upload
    +
    + [ Jeremy B�cha ]
    + * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
    + (Closes: #1064744, #1054962)
    +
    + [ Simon McVittie ]
    + * Re-export patch series (no functional changes)
    + * New upstream old-stable release 3.2.3
    + - Fix a buffer overrun if asked to parse non-UTF-8 headers. It is
    + believed that this cannot happen on the client side, but it can
    + happen in SoupServer. (CVE-2024-52531, Closes: #1087417)
    + - Avoid an infinite loop in WebSocket processing which can cause a denial + of service via resource exhaustion (CVE-2024-52532, Closes: #1087416)
    + - Fix denial of service (crash) when parsing invalid data URLs
    + (CVE-2025-32051)
    + - Fix heap overflows during content sniffing
    + (CVE-
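Review bot: the ca-certificates entry in this hunk records only `d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests (Closes: #1064744, #1054962)`, while the [Reason] section of the request describes backporting both a missing build-dependency and an autopkgtest dependency on ca-certificates for those two bugs; if the autopkgtest control file changed as well, list that change in the same changelog entry so the changelog matches the debdiff, or state that only the build-dependency was needed. The hunk header announces 85 added lines but the view is cut off after the CVE-2025-32051 entry, so the remaining entries could not be checked here.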