new file mode 100644
@@ -0,0 +1,89 @@
+From 56b8eb061a02c4e99644d6f1e62e601d0d814beb Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Tue, 15 Apr 2025 09:59:05 +0200
+Subject: [PATCH 1/2] soup-server-http2: Check validity of the constructed
+ connection URI
+
+The HTTP/2 pseudo-headers can contain invalid values, which the GUri rejects
+and returns NULL, but the soup-server did not check the validity and could
+abort the server itself later in the code.
+
+Closes #429
+
+CVE: CVE-2025-32908
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/451/diffs?commit_id=a792b23ab87cacbf4dd9462bf7b675fa678efbae]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ .../http2/soup-server-message-io-http2.c | 4 +++
+ tests/http2-test.c | 28 +++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
+index 943ecfd..f1fe2d5 100644
+--- a/libsoup/server/http2/soup-server-message-io-http2.c
++++ b/libsoup/server/http2/soup-server-message-io-http2.c
+@@ -771,9 +771,13 @@ on_frame_recv_callback (nghttp2_session *session,
+ char *uri_string;
+ GUri *uri;
+
++ if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
++ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
+ uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
+ g_free (uri_string);
++ if (uri == NULL)
++ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ soup_server_message_set_uri (msg_io->msg, uri);
+ g_uri_unref (uri);
+
+diff --git a/tests/http2-test.c b/tests/http2-test.c
+index ef097f4..df86d9b 100644
+--- a/tests/http2-test.c
++++ b/tests/http2-test.c
+@@ -1241,6 +1241,30 @@ do_connection_closed_test (Test *test, gconstpointer data)
+ g_uri_unref (uri);
+ }
+
++static void
++do_broken_pseudo_header_test (Test *test, gconstpointer data)
++{
++ char *path;
++ SoupMessage *msg;
++ GUri *uri;
++ GBytes *body = NULL;
++ GError *error = NULL;
++
++ uri = g_uri_parse_relative (base_uri, "/ag", SOUP_HTTP_URI_FLAGS, NULL);
++
++ /* an ugly cheat to construct a broken URI, which can be sent from other libs */
++ path = (char *) g_uri_get_path (uri);
++ path[1] = '%';
++
++ msg = soup_message_new_from_uri (SOUP_METHOD_GET, uri);
++ body = soup_test_session_async_send (test->session, msg, NULL, &error);
++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_PARTIAL_INPUT);
++ g_assert_null (body);
++ g_clear_error (&error);
++ g_object_unref (msg);
++ g_uri_unref (uri);
++}
++
+ static gboolean
+ unpause_message (SoupServerMessage *msg)
+ {
+@@ -1549,6 +1573,10 @@ main (int argc, char **argv)
+ setup_session,
+ do_connection_closed_test,
+ teardown_session);
++ g_test_add ("/http2/broken-pseudo-header", Test, NULL,
++ setup_session,
++ do_broken_pseudo_header_test,
++ teardown_session);
+
+ ret = g_test_run ();
+
+--
+2.34.1
+
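Review bot: The two `return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;` paths added to `on_frame_recv_callback` leave without the `io->in_callback--` that patch 2/2 later adds, and the `scheme == NULL || ... || path == NULL` guard also rejects CONNECT requests. This patch is therefore only correct when CVE-2025-32908-2.patch is applied on top of it. I would record that in the patch header, for example `Note: incomplete on its own; must be applied together with CVE-2025-32908-2.patch`, so a later cherry-pick does not carry 1/2 alone. `do_broken_pseudo_header_test` appears to exercise only the `uri == NULL` branch (a malformed `%` escape in the path); the NULL pseudo-header branch has no visible coverage. The body of `on_frame_recv_callback` starts and ends outside this hunk, so the counter handling on other exit paths cannot be checked from here.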
new file mode 100644
@@ -0,0 +1,53 @@
+From aad0dcf22ee9fdfefa6b72055268240cceccfe4c Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Mon, 28 Apr 2025 10:55:42 +0200
+Subject: [PATCH 2/2] soup-server-http2: Correct check of the validity of the
+ constructed connection URI
+
+RFC 5740: the CONNECT has unset the "scheme" and "path", thus allow them unset.
+
+The commit a792b23ab87cacbf4dd9462bf7b675fa678efbae also missed to decrement
+the `io->in_callback` in the early returns.
+
+Related to #429
+
+CVE: CVE-2025-32908
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/453/diffs?commit_id=527428a033df573ef4558ce1106e080fd9ec5c71]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ .../server/http2/soup-server-message-io-http2.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
+index f1fe2d5..913afb4 100644
+--- a/libsoup/server/http2/soup-server-message-io-http2.c
++++ b/libsoup/server/http2/soup-server-message-io-http2.c
+@@ -771,13 +771,18 @@ on_frame_recv_callback (nghttp2_session *session,
+ char *uri_string;
+ GUri *uri;
+
+- if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
+- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+- uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
++ if (msg_io->authority == NULL) {
++ io->in_callback--;
++ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
++ }
++ /* RFC 5740: the CONNECT has unset the "scheme" and "path", but the GUri requires the scheme, thus let it be "(null)" */
++ uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path == NULL ? "" : msg_io->path);
+ uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
+ g_free (uri_string);
+- if (uri == NULL)
+- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
++ if (uri == NULL) {
++ io->in_callback--;
++ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
++ }
+ soup_server_message_set_uri (msg_io->msg, uri);
+ g_uri_unref (uri);
+
+--
+2.34.1
+
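Review bot: When `msg_io->scheme` is NULL, the new `g_strdup_printf ("%s://%s%s", msg_io->scheme, ...)` call passes a null pointer to `%s` and, per its own comment, relies on the formatter rendering it as "(null)". That is behaviour of the printf implementation behind GLib, not something the C standard guarantees. Spelling the fallback out, `msg_io->scheme == NULL ? "(null)" : msg_io->scheme`, gives the same string without that dependency and is worth raising upstream, since this is a backport. Whether `g_uri_parse` accepts the resulting string is not visible in this hunk, and no test for the CONNECT path is added, so I would confirm that a CONNECT request is still served after this change. The comment and commit message cite RFC 5740, but HTTP/2 CONNECT is described in RFC 7540 section 8.3; the function body continues outside the hunk.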
@@ -15,7 +15,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32914.patch \
file://CVE-2025-4476.patch \
file://CVE-2025-32907-1.patch \
- file://CVE-2025-32907-2.patch"
+ file://CVE-2025-32907-2.patch \
+ file://CVE-2025-32908-1.patch \
+ file://CVE-2025-32908-2.patch"
SRC_URI[sha256sum] = "6891765aac3e949017945c3eaebd8cc8216df772456dc9f460976fbdb7ada234"
PROVIDES = "libsoup-3.0"