File libsoup-CVE-2025-11021.patch of Package libsoup
From cba7a8ebf3ced832f0743221170d4ec0f15011f8 Mon Sep 17 00:00:00 2001
From: Alynx Zhou <alynx.zhou@gmail.com>
Date: Sat, 11 Oct 2025 15:52:47 +0800
Subject: [PATCH] cookies: Avoid expires attribute if date is invalid
According to CVE-2025-11021, we may get an invalid date when processing a
date string with a timezone offset; this commit ignores such a date.
Closes #459
---
libsoup/cookies/soup-cookie.c | 9 +++++----
libsoup/soup-date-utils.c | 3 +++
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/libsoup/cookies/soup-cookie.c b/libsoup/cookies/soup-cookie.c
index ba949239..df446e40 100644
--- a/libsoup/cookies/soup-cookie.c
+++ b/libsoup/cookies/soup-cookie.c
@@ -758,12 +758,13 @@ serialize_cookie (SoupCookie *cookie, GString *header, gboolean set_cookie)
if (cookie->expires) {
char *timestamp;
-
- g_string_append (header, "; expires=");
timestamp = soup_date_time_to_string (cookie->expires,
SOUP_DATE_COOKIE);
- g_string_append (header, timestamp);
- g_free (timestamp);
+ if (timestamp) {
+ g_string_append (header, "; expires=");
+ g_string_append (header, timestamp);
+ g_free (timestamp);
+ }
}
if (cookie->path) {
g_string_append (header, "; path=");
diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c
index 73f80ab6..26f47b7c 100644
--- a/libsoup/soup-date-utils.c
+++ b/libsoup/soup-date-utils.c
@@ -92,6 +92,9 @@ soup_date_time_to_string (GDateTime *date,
* @date if it's non-UTC.
*/
GDateTime *utcdate = g_date_time_to_utc (date);
+ if (!utcdate)
+ return NULL;
+
char *date_format;
char *formatted_date;
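Review bot: Returning NULL from `soup_date_time_to_string ()` changes the function's contract, and the hunk does not show its doc comment or its other callers being updated. Any caller that hands the result straight to a string function would now receive NULL for a date that cannot be converted to UTC, so each one needs the same check that serialize_cookie received; the return annotation should presumably gain `(nullable)`. The early `return NULL;` also sits ahead of the `char *date_format;` declarations, so placing the check below them keeps declarations first in case the project builds with `-Wdeclaration-after-statement`. The function begins and ends outside the hunk.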
--
GitLab