| Message ID | 20250416051314.96105-3-vanusuri@mvista.com |
|---|---|
| State | Superseded |
| Delegated to: | Steve Sakoman |
| Headers | show |
| Series | [scarthgap,1/5] libsoup: Fix CVE-2025-32910 | expand |
This commit resolves CVE-2025-32911 along with CVE-2025-32913. I have renamed the patch and sent a v2 patch. Thanks & Regards, Vijay On Wed, Apr 16, 2025 at 10:43 AM <vanusuri@mvista.com> wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > Upstream-Status: Backport from > > https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34 > & > <https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34&> > https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0 > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../libsoup-3.4.4/CVE-2025-32913-1.patch | 72 +++++++++++++++++++ > .../libsoup-3.4.4/CVE-2025-32913-2.patch | 44 ++++++++++++ > meta/recipes-support/libsoup/libsoup_3.4.4.bb | 2 + > 3 files changed, 118 insertions(+) > create mode 100644 > meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-1.patch > create mode 100644 > meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-2.patch > > diff --git > a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-1.patch > b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-1.patch > new file mode 100644 > index 0000000000..1d6a9aa193 > --- /dev/null > +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-1.patch > @@ -0,0 +1,72 @@ > +From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001 > +From: Patrick Griffis <pgriffis@igalia.com> > +Date: Fri, 27 Dec 2024 17:53:50 -0600 > +Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL > deref > + > +Upstream-Status: Backport [ > https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34 > ] > +CVE: CVE-2025-32913 #Dependency Patch > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + libsoup/soup-message-headers.c | 13 +++++++++---- > + tests/header-parsing-test.c | 14 ++++++++++++++ > + 2 files changed, 23 insertions(+), 4 deletions(-) > + > +diff --git a/libsoup/soup-message-headers.c > b/libsoup/soup-message-headers.c > +index 56cc1e9d..04f4c302 100644 > +--- a/libsoup/soup-message-headers.c > ++++ b/libsoup/soup-message-headers.c > +@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition > (SoupMessageHeaders *hdrs, > + */ > + if (params && g_hash_table_lookup_extended (*params, "filename", > + &orig_key, > &orig_value)) { > +- char *filename = strrchr (orig_value, '/'); > +- > +- if (filename) > +- g_hash_table_insert (*params, g_strdup (orig_key), > filename + 1); > ++ if (orig_value) { > ++ char *filename = strrchr (orig_value, '/'); > ++ > ++ if (filename) > ++ g_hash_table_insert (*params, g_strdup > (orig_key), filename + 1); > ++ } else { > ++ /* filename with no value isn't valid. */ > ++ g_hash_table_remove (*params, "filename"); > ++ } > + } > + return TRUE; > + } > +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c > +index 5e423d2b..d0b360c8 100644 > +--- a/tests/header-parsing-test.c > ++++ b/tests/header-parsing-test.c > +@@ -1039,6 +1039,7 @@ do_param_list_tests (void) > + #define RFC5987_TEST_HEADER_FALLBACK "attachment; > filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\"" > + #define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\"" > + #define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar" > ++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename" > + > + static void > + do_content_disposition_tests (void) > +@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void) > + g_assert_cmpstr (parameter2, ==, "bar"); > + g_hash_table_destroy (params); > + > ++ /* Empty filename */ > ++ soup_message_headers_clear (hdrs); > ++ soup_message_headers_append (hdrs, "Content-Disposition", > ++ RFC5987_TEST_HEADER_EMPTY_FILENAME); > ++ if (!soup_message_headers_get_content_disposition (hdrs, > ++ &disposition, > ++ ¶ms)) { > ++ soup_test_assert (FALSE, "empty filename decoding FAILED"); > ++ return; > ++ } > ++ g_assert_false (g_hash_table_contains (params, "filename")); > ++ g_hash_table_destroy (params); > ++ > + soup_message_headers_unref (hdrs); > + > + /* Ensure that soup-multipart always quotes filename */ > +-- > +GitLab > + > diff --git > a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-2.patch > b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-2.patch > new file mode 100644 > index 0000000000..6d30bb91d3 > --- /dev/null > +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-2.patch > @@ -0,0 +1,44 @@ > +From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001 > +From: Patrick Griffis <pgriffis@igalia.com> > +Date: Fri, 27 Dec 2024 18:00:39 -0600 > +Subject: [PATCH] soup_message_headers_get_content_disposition: strdup > + truncated filenames > + > +This table frees the strings it contains. > + > +Upstream-Status: Backport [ > https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0 > ] > +CVE: CVE-2025-32913 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + libsoup/soup-message-headers.c | 2 +- > + tests/header-parsing-test.c | 1 + > + 2 files changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/libsoup/soup-message-headers.c > b/libsoup/soup-message-headers.c > +index 04f4c302..ee7a3cb1 100644 > +--- a/libsoup/soup-message-headers.c > ++++ b/libsoup/soup-message-headers.c > +@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition > (SoupMessageHeaders *hdrs, > + char *filename = strrchr (orig_value, '/'); > + > + if (filename) > +- g_hash_table_insert (*params, g_strdup > (orig_key), filename + 1); > ++ g_hash_table_insert (*params, g_strdup > (orig_key), g_strdup (filename + 1)); > + } else { > + /* filename with no value isn't valid. */ > + g_hash_table_remove (*params, "filename"); > +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c > +index d0b360c8..07ea2866 100644 > +--- a/tests/header-parsing-test.c > ++++ b/tests/header-parsing-test.c > +@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void) > + soup_test_assert (FALSE, "empty filename decoding FAILED"); > + return; > + } > ++ g_free (disposition); > + g_assert_false (g_hash_table_contains (params, "filename")); > + g_hash_table_destroy (params); > + > +-- > +GitLab > + > diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb > b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > index ec3305aed7..0b464d274b 100644 > --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb > +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > @@ -20,6 +20,8 @@ SRC_URI = > "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ > file://CVE-2024-52531-3.patch \ > file://CVE-2025-32910.patch \ > file://CVE-2025-32909.patch \ > + file://CVE-2025-32913-1.patch \ > + file://CVE-2025-32913-2.patch \ > " > SRC_URI[sha256sum] = > "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" > > -- > 2.25.1 > >
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-1.patch new file mode 100644 index 0000000000..1d6a9aa193 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-1.patch @@ -0,0 +1,72 @@ +From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis <pgriffis@igalia.com> +Date: Fri, 27 Dec 2024 17:53:50 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34] +CVE: CVE-2025-32913 #Dependency Patch +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libsoup/soup-message-headers.c | 13 +++++++++---- + tests/header-parsing-test.c | 14 ++++++++++++++ + 2 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 56cc1e9d..04f4c302 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + */ + if (params && g_hash_table_lookup_extended (*params, "filename", + &orig_key, &orig_value)) { +- char *filename = strrchr (orig_value, '/'); +- +- if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ if (orig_value) { ++ char *filename = strrchr (orig_value, '/'); ++ ++ if (filename) ++ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ } else { ++ /* filename with no value isn't valid. */ ++ g_hash_table_remove (*params, "filename"); ++ } + } + return TRUE; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 5e423d2b..d0b360c8 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1039,6 +1039,7 @@ do_param_list_tests (void) + #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar" ++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename" + + static void + do_content_disposition_tests (void) +@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void) + g_assert_cmpstr (parameter2, ==, "bar"); + g_hash_table_destroy (params); + ++ /* Empty filename */ ++ soup_message_headers_clear (hdrs); ++ soup_message_headers_append (hdrs, "Content-Disposition", ++ RFC5987_TEST_HEADER_EMPTY_FILENAME); ++ if (!soup_message_headers_get_content_disposition (hdrs, ++ &disposition, ++ ¶ms)) { ++ soup_test_assert (FALSE, "empty filename decoding FAILED"); ++ return; ++ } ++ g_assert_false (g_hash_table_contains (params, "filename")); ++ g_hash_table_destroy (params); ++ + soup_message_headers_unref (hdrs); + + /* Ensure that soup-multipart always quotes filename */ +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-2.patch new file mode 100644 index 0000000000..6d30bb91d3 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-2.patch @@ -0,0 +1,44 @@ +From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis <pgriffis@igalia.com> +Date: Fri, 27 Dec 2024 18:00:39 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: strdup + truncated filenames + +This table frees the strings it contains. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0] +CVE: CVE-2025-32913 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libsoup/soup-message-headers.c | 2 +- + tests/header-parsing-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 04f4c302..ee7a3cb1 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + char *filename = strrchr (orig_value, '/'); + + if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1)); + } else { + /* filename with no value isn't valid. */ + g_hash_table_remove (*params, "filename"); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index d0b360c8..07ea2866 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void) + soup_test_assert (FALSE, "empty filename decoding FAILED"); + return; + } ++ g_free (disposition); + g_assert_false (g_hash_table_contains (params, "filename")); + g_hash_table_destroy (params); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index ec3305aed7..0b464d274b 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -20,6 +20,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52531-3.patch \ file://CVE-2025-32910.patch \ file://CVE-2025-32909.patch \ + file://CVE-2025-32913-1.patch \ + file://CVE-2025-32913-2.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"