Bug#1109147: bookworm-pu: package libsoup3/3.2.3-0+deb12u1
Simon McVittie
smcv at debian.org
Sat Jul 12 15:27:32 BST 2025
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libsoup3 at packages.debian.org, team at security.debian.org, spwhitton at spwhitton.name, andreas at fatal.se
Control: affects -1 + src:libsoup3
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
1. Fix a gnome-calculator regression where it hangs during startup if
   unable to download currency conversion rates for an optional feature
   (there are many duplicate bug reports for this)
2. Fix all no-dsa CVEs that were already fixed in 3.6.5 upstream and in
   trixie, which are a superset of those that were fixed in the libsoup2.4
   in bullseye LTS
Related to (2.), I also cherry-picked an upstream documentation change
to clarify that SoupServer is not intended to be exposed on untrusted
networks (added to trixie in 3.6.0-4, and debian-security-support in
#1109118).
I also took the opportunity to backport the addition of a missing
build-dependency and autopkgtest dependency on ca-certificates
(#1064744, #1054962), which is formally RC, but in practice probably
did not affect bookworm because older buildd chroots and testbeds had
ca-certificates preinstalled.
This *does not* fix the CVEs that are unfixed in 3.6.5 upstream; I think
those should be handled in a follow-up update, after their fixes
(#1109142, maybe more later) have reached trixie.
[ Impact ]
1. Fixes a high-visibility gnome-calculator regression that has, so far,
   been reported in 10 duplicate bug reports.
2. Fixes several denial of service issues which can crash applications
   that use libsoup3; it is possible that there are also routes to
   achieve arbitrary code execution via heap corruption.
[ Tests ]
Manual tests:
- ran epiphany-browser (GNOME Web) and used it to browse debian.org;
- deleted ~/.cache/gnome-calculator and ran gnome-calculator, causing it
  to try to download currency conversion rate data. In bookworm this
  is unsuccessful, at least from my home network (there is a HTTP/2
  internal error reported on stderr), but at least the rest of its
  functionality works. I have not attempted to debug this further;
  it's outside my knowledge.
Automated tests: build-time tests (sbuild+unshare in a qemu VM on my
laptop) and autopkgtest (in a qemu VM on my laptop) were successful. As
with the libsoup3 update I've proposed for trixie, I expect that they
will need some retries on official Debian infrastructure because of
pre-existing instability in the test suite.
Some of the CVE fixes include new automated test coverage, which passed,
and I cherry-picked the new test coverage for CVE-2024-52531 (which was
included in 3.6.x, but not backported to 3.2.x by upstream). I have not
attempted to test the CVE fixes manually.
Source and amd64/i386/all .deb are available from
https://people.debian.org/~smcv/temp/2025/libsoup3-mr4/v9/ for further
testing.
[ Risks ]
libsoup3 is a key package in our default desktop environment.
As with the trixie update, I am not an expert on libsoup, so I have done
my best but I might have made mistakes.
The patches to the production code in this update were all
straightforward git cherry-picks from upstream releases, with no conflict
resolution required. For the changes that were already in the libsoup2.4
update in bullseye LTS, I cross-checked vs. the libsoup2.4 update and
confirmed that they all match up (modulo backporting changes that were
required in bullseye).
For the changes that were included in 3.2.3 upstream, I started by
applying the changes as patches and applying the patch series with gbp
pq, then imported the 3.2.3 upstream release, applied the resulting
reduced patch series and compared the resulting patches-applied trees.
The only differences were release-process stuff (NEWS and the version
number in meson.build), so I chose to use the upstream 3.2.3 release, to
make it more obvious what we are shipping.
Some of the upstream changes had known regressions, so I have tried to
identify and include the relevant regression fixes. There might be other
regressions, or I might have failed to include a regression fix.
As with trixie, unfortunately the libsoup test suite is known to be
flaky in several ways, so it might require some retries to herd it
through the official Debian infrastructure. See #1109142 for more
details.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
In case a respin is needed: the version proposed here is commit
5b8cd776, which is gnome-team/libsoup3!4 v9.
In the debdiff, I excluded the content of d/patches/*.patch to avoid
redundancy. All changes made by the patches are included in the debdiff
as changes to the upstream source (the debdiff is between
"patches-applied" trees).
Please see
https://salsa.debian.org/gnome-team/libsoup3/-/merge_requests/4 if you
would prefer to examine the patches individually, with their upstream
provenance and other DEP-3 metadata.
I've cc'd Debian LTS members who recently worked on libsoup2.4 (an older
version of this same upstream codebase) in the hope that they might be
able to take a look at this. My recommendation would be that we should
get these changes into bookworm-pu before backporting them into LTS
suites, and into libsoup3 before libsoup2.4.
smcv