Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected], [email protected], [email protected]
Control: affects -1 + src:libsoup3
User: [email protected]
Usertags: pu
[ Reason ]
1. Fix a gnome-calculator regression where it hangs during startup if unable to download currency conversion rates for an optional feature (there are many duplicate bug reports for this)
2. Fix all no-dsa CVEs that were already fixed in 3.6.5 upstream and in trixie, which are a superset of those that were fixed in the libsoup2.4 update in bullseye LTS

Related to (2.), I also cherry-picked an upstream documentation change to clarify that SoupServer is not intended to be exposed on untrusted networks (added to trixie in 3.6.0-4, and debian-security-support in #1109118).

I also took the opportunity to backport the addition of a missing build-dependency and autopkgtest dependency on ca-certificates (#1064744, #1054962), which is formally RC, but in practice probably did not affect bookworm because older buildd chroots and testbeds had ca-certificates preinstalled.

This *does not* fix the CVEs that are unfixed in 3.6.5 upstream; I think those should be handled in a follow-up update, after their fixes (#1109142, maybe more later) have reached trixie.

[ Impact ]
1. Fixes a high-visibility gnome-calculator regression that has, so far, been reported in 10 duplicate bug reports.
2. Fixes several denial of service issues which can crash applications that use libsoup3; it is possible that there are also routes to achieve arbitrary code execution via heap corruption.

[ Tests ]
Manual tests:
- ran epiphany-browser (GNOME Web) and used it to browse debian.org;
- deleted ~/.cache/gnome-calculator and ran gnome-calculator, causing it to try to download currency conversion rate data. In bookworm this is unsuccessful, at least from my home network (there is a HTTP/2 internal error reported on stderr), but at least the rest of its functionality works. I have not attempted to debug this further, it's outside my knowledge.

Automated tests: build-time tests (sbuild+unshare in a qemu VM on my laptop) and autopkgtest (in a qemu VM on my laptop) were successful.

As with the libsoup3 update I've proposed for trixie, I expect that they will need some retries on official Debian infrastructure because of pre-existing instability in the test suite.

Some of the CVE fixes include new automated test coverage, which passed, and I cherry-picked the new test coverage for CVE-2024-52531 (which was included in 3.6.x, but not backported to 3.2.x by upstream). I have not attempted to test the CVE fixes manually.

Source and amd64/i386/all .deb are available from https://people.debian.org/~smcv/temp/2025/libsoup3-mr4/v9/ for further testing.

[ Risks ]
libsoup3 is a key package in our default desktop environment.

As with the trixie update, I am not an expert on libsoup, so I have done my best but I might have made mistakes.

The patches to the production code in this update were all straightforward git cherry-picks from upstream releases, with no conflict resolution required.

For the changes that were already in the libsoup2.4 update in bullseye LTS, I cross-checked vs. the libsoup2.4 update and confirmed that they all match up (modulo backporting changes that were required in bullseye).

For the changes that were included in 3.2.3 upstream, I started by applying the changes as patches and applying the patch series with gbp pq, then imported the 3.2.3 upstream release, applied the resulting reduced patch series and compared the resulting patches-applied trees. The only differences were release-process stuff (NEWS and the version number in meson.build), so I chose to use the upstream 3.2.3 release, to make it more obvious what we are shipping.

Some of the upstream changes had known regressions, so I have tried to identify and include the relevant regression fixes. There might be other regressions, or I might have failed to include a regression fix.

As with trixie, unfortunately the libsoup test suite is known to be flaky in several ways, so it might require some retries to herd it through the official Debian infrastructure.

See #1109142 for more details.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
In case a respin is needed: the version proposed here is commit 5b8cd776, which is gnome-team/libsoup3!4 v9.

In the debdiff, I excluded the content of d/patches/*.patch to avoid redundancy. All changes made by the patches are included in the debdiff as changes to the upstream source (the debdiff is between "patches-applied" trees). Please see https://salsa.debian.org/gnome-team/libsoup3/-/merge_requests/4 if you would prefer to examine the patches individually, with their upstream provenance and other DEP-3 metadata.

I've cc'd Debian LTS members who recently worked on libsoup2.4 (an older version of this same upstream codebase) in the hope that they might be able to take a look at this. My recommendation would be that we should get these changes into bookworm-pu before backporting them into LTS suites, and into libsoup3 before libsoup2.4.

smcv

