Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1109147,
regarding bookworm-pu: package libsoup3/3.2.3-0+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109147: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109147
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected], [email protected], [email protected]
Control: affects -1 + src:libsoup3
User: [email protected]
Usertags: pu

[ Reason ]

1. Fix a gnome-calculator regression where it hangs during startup if
   unable to download currency conversion rates for an optional feature
   (there are many duplicate bug reports for this)

2. Fix all no-dsa CVEs that were already fixed in 3.6.5 upstream and in
   trixie, which are a superset of those that were fixed in the libsoup2.4
   in bullseye LTS

Related to (2.), I also cherry-picked an upstream documentation change 
to clarify that SoupServer is not intended to be exposed on untrusted 
networks (added to trixie in 3.6.0-4, and debian-security-support in 
#1109118).

I also took the opportunity to backport the addition of a missing 
build-dependency and autopkgtest dependency on ca-certificates 
(#1064744, #1054962), which is formally RC, but in practice probably 
did not affect bookworm because older buildd chroots and testbeds had 
ca-certificates preinstalled.

This *does not* fix the CVEs that are unfixed in 3.6.5 upstream; I think 
those should be handled in a follow-up update, after their fixes 
(#1109142, maybe more later) have reached trixie.

[ Impact ]

1. Fixes a high-visibility gnome-calculator regression that has, so far,
   been reported in 10 duplicate bug reports.

2. Fixes several denial of service issues which can crash applications
   that use libsoup3; it is possible that there are also routes to
   achieve arbitrary code execution via heap corruption.

[ Tests ]

Manual tests:

- ran epiphany-browser (GNOME Web) and used it to browse debian.org;
- deleted ~/.cache/gnome-calculator and ran gnome-calculator, causing it
  to try to download currency conversion rate data. In bookworm this
  is unsuccessful, at least from my home network (there is a HTTP/2
  internal error reported on stderr), but at least the rest of its
  functionality works. I have not attempted to debug this further;
  it's outside my knowledge.

Automated tests: build-time tests (sbuild+unshare in a qemu VM on my 
laptop) and autopkgtest (in a qemu VM on my laptop) were successful. As 
with the libsoup3 update I've proposed for trixie, I expect that they 
will need some retries on official Debian infrastructure because of 
pre-existing instability in the test suite.

Some of the CVE fixes include new automated test coverage, which passed, 
and I cherry-picked the new test coverage for CVE-2024-52531 (which was 
included in 3.6.x, but not backported to 3.2.x by upstream). I have not 
attempted to test the CVE fixes manually.

Source and amd64/i386/all .deb are available from 
https://people.debian.org/~smcv/temp/2025/libsoup3-mr4/v9/ for further 
testing.

[ Risks ]

libsoup3 is a key package in our default desktop environment.

As with the trixie update, I am not an expert on libsoup, so I have done 
my best but I might have made mistakes.

The patches to the production code in this update were all 
straightforward git cherry-picks from upstream releases, with no conflict 
resolution required. For the changes that were already in the libsoup2.4 
update in bullseye LTS, I cross-checked vs. the libsoup2.4 update and
confirmed that they all match up (modulo backporting changes that were 
required in bullseye).

For the changes that were included in 3.2.3 upstream, I started by 
applying the changes as patches and applying the patch series with gbp 
pq, then imported the 3.2.3 upstream release, applied the resulting 
reduced patch series and compared the resulting patches-applied trees. 
The only differences were release-process stuff (NEWS and the version 
number in meson.build), so I chose to use the upstream 3.2.3 release, to 
make it more obvious what we are shipping.

Some of the upstream changes had known regressions, so I have tried to 
identify and include the relevant regression fixes. There might be other 
regressions, or I might have failed to include a regression fix.

As with trixie, unfortunately the libsoup test suite is known to be 
flaky in several ways, so it might require some retries to herd it 
through the official Debian infrastructure. See #1109142 for more 
details.

[ Checklist ]

  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

In case a respin is needed: the version proposed here is commit 
5b8cd776, which is gnome-team/libsoup3!4 v9.

In the debdiff, I excluded the content of d/patches/*.patch to avoid 
redundancy. All changes made by the patches are included in the debdiff 
as changes to the upstream source (the debdiff is between 
"patches-applied" trees).

Please see 
https://salsa.debian.org/gnome-team/libsoup3/-/merge_requests/4 if you 
would prefer to examine the patches individually, with their upstream 
provenance and other DEP-3 metadata.

I've cc'd Debian LTS members who recently worked on libsoup2.4 (an older 
version of this same upstream codebase) in the hope that they might be 
able to take a look at this. My recommendation would be that we should 
get these changes into bookworm-pu before backporting them into LTS 
suites, and into libsoup3 before libsoup2.4.

    smcv

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---