new file mode 100644

@@ -0,0 +1,57 @@

+From 34d361188adc4b4a81457bcffb14588d84078e79 Mon Sep 17 00:00:00 2001

+From: Dan Winship <danw@gnome.org>

+Date: Thu, 3 Aug 2017 09:56:43 -0400

+Subject: [PATCH] Fix chunked decoding buffer overrun (CVE-2017-2885)

+

+https://bugzilla.gnome.org/show_bug.cgi?id=785774

+---

+ libsoup/soup-filter-input-stream.c | 22 +++++++++++-----------

+ 1 file changed, 11 insertions(+), 11 deletions(-)

+

+diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c

+index cde4d12..2c30bf9 100644

+--- a/libsoup/soup-filter-input-stream.c

+@@ -198,7 +198,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream  *fstream,

+ 				     GCancellable           *cancellable,

+ 				     GError                **error)

+ {

+-	gssize nread;

++	gssize nread, read_length;

+ 	guint8 *p, *buf, *end;

+ 	gboolean eof = FALSE;

+ 	GError *my_error = NULL;

+@@ -251,10 +251,11 @@ soup_filter_input_stream_read_until (SoupFilterInputStream  *fstream,

+ 	} else

+ 		buf = fstream->priv->buf->data;

+ 

+-	/* Scan for the boundary */

+-	end = buf + fstream->priv->buf->len;

+-	if (!eof)

+-		end -= boundary_length;

++	/* Scan for the boundary within the range we can possibly return. */

++	if (include_boundary)

++		end = buf + MIN (fstream->priv->buf->len, length) - boundary_length;

++	else

++		end = buf + MIN (fstream->priv->buf->len - boundary_length, length);

+ 	for (p = buf; p <= end; p++) {

+ 		if (*p == *(guint8*)boundary &&

+ 		    !memcmp (p, boundary, boundary_length)) {

+@@ -268,10 +269,9 @@ soup_filter_input_stream_read_until (SoupFilterInputStream  *fstream,

+ 	if (!*got_boundary && fstream->priv->buf->len < length && !eof)

+ 		goto fill_buffer;

+ 

+-	/* Return everything up to 'p' (which is either just after the boundary if

+-	 * include_boundary is TRUE, just before the boundary if include_boundary is

+-	 * FALSE, @boundary_len - 1 bytes before the end of the buffer, or end-of-

+-	 * file).

+-	 */

+-	return read_from_buf (fstream, buffer, p - buf);

++	if (eof && !*got_boundary)

++		read_length = MIN (fstream->priv->buf->len, length);

++	else

++		read_length = p - buf;

++	return read_from_buf (fstream, buffer, read_length);

+ }

+-- 

+2.9.4

@@ -1,7 +1,7 @@

 Summary:    libsoup HTTP client/server library

 Name:       libsoup

 Version:    2.57.1

-Release:    2%{?dist}

+Release:    3%{?dist}

 License:    GPLv2

 URL:        http://wiki.gnome.org/LibSoup

 Group:      System Environment/Development

@@ -9,6 +9,7 @@ Vendor:     VMware, Inc.

 Distribution:   Photon

 Source0:    http://ftp.gnome.org/pub/GNOME/sources/libsoup/2.57/%{name}-%{version}.tar.xz

 %define sha1 libsoup=a855a98c1d002a4e2bfb7562135265a8df4dad65

+Patch0:          CVE-2017-2885.patch

 BuildRequires:   glib

 BuildRequires:   glib-devel

 BuildRequires:   gobject-introspection

@@ -54,6 +55,7 @@ These are the additional language files of libsoup.

 %prep

 %setup -q

+%patch0 -p1

 %build

 export CFLAGS="%{optflags}"

@@ -91,6 +93,8 @@ make  check

 %defattr(-,root,root)

 %changelog

+*   Mon Jun 18 2018 Tapas Kundu <tkundu@vmware.com> 2.57.1-3

+-   CVE-2017-2885

 *   Fri Aug 11 2017 Chang Lee <changlee@vmware.com> 2.57.1-2

 -   Added krb5-devel to BuildRequires for %check

 *   Tue Apr 04 2017 Kumar Kaushik <kaushikk@vmware.com> 2.57.1-1