Message ID | 20250528061230.70782-1-hprajapati@mvista.com |
---|---|
State | Under Review |
Delegated to: | Steve Sakoman |
Series | [scarthgap] libsoup-2.4: Fix CVE-2025-4969 | expand |
This recipe has been moved to meta-oe in master, and I think this change will be desirable for meta-oe/master as well. Would you mind sending it there as well ? On 5/27/25 11:12 PM, Hitendra Prajapati via lists.openembedded.org wrote: > Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086 > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > --- > .../libsoup/libsoup-2.4/CVE-2025-4969.patch | 76 +++++++++++++++++++ > .../libsoup/libsoup-2.4_2.74.3.bb | 1 + > 2 files changed, 77 insertions(+) > create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch > > diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch > new file mode 100644 > index 0000000000..d45b2a2cb0 > --- /dev/null > +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch 
> @@ -0,0 +1,76 @@ > +From 07b94e27afafebf31ef3cd868866a1e383750086 Mon Sep 17 00:00:00 2001 > +From: Milan Crha <mcrha@redhat.com> > +Date: Mon, 19 May 2025 17:48:27 +0200 > +Subject: [PATCH] soup-multipart: Verify array bounds before accessing its > + members > + > +The boundary could be at a place which, calculated, pointed > +before the beginning of the array. Check the bounds, to avoid > +read out of the array bounds. > + > +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 > + > +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086] > +CVE: CVE-2025-4969 > +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > +--- > + libsoup/soup-multipart.c | 2 +- > + tests/multipart-test.c | 22 ++++++++++++++++++++++ > + 2 files changed, 23 insertions(+), 1 deletion(-) > + > +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c > +index dd93973..b3611db 100644 > +--- a/libsoup/soup-multipart.c > ++++ b/libsoup/soup-multipart.c > +@@ -108,7 +108,7 @@ find_boundary (const char *start, const char *end, > + continue; > + > + /* Check that it's at start of line */ > +- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r'))) > ++ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r'))) > + continue; > + > + /* Check for "--" or "\r\n" after boundary */ > +diff --git a/tests/multipart-test.c b/tests/multipart-test.c > +index 834b181..980eb68 100644 > +--- a/tests/multipart-test.c > ++++ b/tests/multipart-test.c > +@@ -562,6 +562,27 @@ test_multipart_bounds_bad (void) > + g_bytes_unref (bytes); > + } > + > ++static void > ++test_multipart_bounds_bad_2 (void) > ++{ > ++ SoupMultipart *multipart; > ++ SoupMessageHeaders *headers; > ++ GBytes *bytes; > ++ const char *raw_data = "\n--123\r\nline\r\n--123--\r"; > ++ > ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); > ++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; 
boundary=\"123\""); > ++ > ++ bytes = g_bytes_new (raw_data, strlen (raw_data)); > ++ > ++ multipart = soup_multipart_new_from_message (headers, bytes); > ++ g_assert_nonnull (multipart); > ++ > ++ soup_multipart_free (multipart); > ++ soup_message_headers_free (headers); > ++ g_bytes_unref (bytes); > ++} > ++ > + int > + main (int argc, char **argv) > + { > +@@ -593,6 +614,7 @@ main (int argc, char **argv) > + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); > + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); > + g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); > ++ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2); > + > + ret = g_test_run (); > + > +-- > +2.49.0 > + > diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb > index b986e2eea2..df97a68b9c 100644 > --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb > +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb > @@ -31,6 +31,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ > file://CVE-2025-32912-1.patch \ > file://CVE-2025-32912-2.patch \ > file://CVE-2025-32914.patch \ > + file://CVE-2025-4969.patch \ > " > SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#217335): https://lists.openembedded.org/g/openembedded-core/message/217335 > Mute This Topic: https://lists.openembedded.org/mt/113339715/1997914 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch
new file mode 100644
index 0000000000..d45b2a2cb0
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch
@@ -0,0 +1,76 @@
+From 07b94e27afafebf31ef3cd868866a1e383750086 Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Mon, 19 May 2025 17:48:27 +0200
+Subject: [PATCH] soup-multipart: Verify array bounds before accessing its
+ members
+
+The boundary could be at a place which, calculated, pointed
+before the beginning of the array. Check the bounds, to avoid
+read out of the array bounds.
+
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086]
+CVE: CVE-2025-4969
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libsoup/soup-multipart.c | 2 +-
+ tests/multipart-test.c | 22 ++++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index dd93973..b3611db 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -108,7 +108,7 @@ find_boundary (const char *start, const char *end,
+ continue;
+
+ /* Check that it's at start of line */
+- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r')))
++ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r')))
+ continue;
+
+ /* Check for "--" or "\r\n" after boundary */
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 834b181..980eb68 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -562,6 +562,27 @@ test_multipart_bounds_bad (void)
+ g_bytes_unref (bytes);
+ }
+
++static void
++test_multipart_bounds_bad_2 (void)
++{
++ SoupMultipart *multipart;
++ SoupMessageHeaders *headers;
++ GBytes *bytes;
++ const char *raw_data = "\n--123\r\nline\r\n--123--\r";
++
++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++ bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++ multipart = soup_multipart_new_from_message (headers, bytes);
++ g_assert_nonnull (multipart);
++
++ soup_multipart_free (multipart);
++ soup_message_headers_free (headers);
++ g_bytes_unref (bytes);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -593,6 +614,7 @@ main (int argc, char **argv)
+ g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
+ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
++ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2);
+
+ ret = g_test_run ();
+
+--
+2.49.0
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index b986e2eea2..df97a68b9c 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -31,6 +31,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
 file://CVE-2025-32912-1.patch \
 file://CVE-2025-32912-2.patch \
 file://CVE-2025-32914.patch \
+ file://CVE-2025-4969.patch \
 "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
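Review bot: The regression test `test_multipart_bounds_bad_2` in the `tests/multipart-test.c` part of the added patch only asserts `g_assert_nonnull (multipart)`, so the read of `b[-2]` in front of `start` that the new `b - start >= 2` guard in `find_boundary` prevents is reported only when the tests run under AddressSanitizer or Valgrind; in an uninstrumented ptest run the test can presumably pass with or without the guard. It would help to say so in a comment above `raw_data`, for example `/* boundary at offset 1: b[-2] would lie before the buffer; a regression is only caught under ASan/valgrind */`. The guard line itself would also benefit from a short why-comment such as `/* b[-2] is in bounds only when two bytes precede b */`, though as a backport the patch is normally kept identical to upstream, so both are suggestions to carry upstream rather than changes to make here. The body of `find_boundary` continues outside the inner hunk, so the reads after the boundary (the `"--"` or `"\r\n"` check) cannot be judged from what is shown.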
Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../libsoup/libsoup-2.4/CVE-2025-4969.patch | 76 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch