new file mode 100644
@@ -0,0 +1,39 @@
+From 8331e681c85c3b1893d8d5193783f631bfc07acb Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:42:08 +0800
+Subject: [PATCH] tests: Add test for passing invalid UTF-8 to
+ soup_header_parse_semi_param_list()
+
+CVE: CVE-2024-52531
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=825fda3425546847b42ad5270544e9388ff349fe]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tests/header-parsing-test.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index b811115..cfcc003 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -836,6 +836,17 @@ static struct ParamListTest {
+ { "filename", "t\xC3\xA9st.txt" },
+ },
+ },
++
++/* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */
++ { TRUE,
++ "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
++ {
++ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
++ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
++ { "foo", NULL },
++ },
++ }
++
+ };
+ static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
+
+--
+2.34.1
+
new file mode 100644
@@ -0,0 +1,133 @@
+From 12523a592f1216450d18706bcf6c16e0f1ab0ce0 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:52:37 +0800
+Subject: [PATCH] headers: Be more robust against invalid input when
+ parsing params
+
+If you pass invalid input to a function such as soup_header_parse_param_list_strict()
+it can cause an overflow if it decodes the input to UTF-8.
+
+This should never happen with valid UTF-8 input which libsoup's client API
+ensures, however it's server API does not currently.
+
+CVE: CVE-2024-52531
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c | 45 +++++++++++++++++++++---------------------
+ 1 file changed, 23 insertions(+), 22 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 67905b2..39e8d34 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -642,8 +642,9 @@ soup_header_contains (const char *header, const char *token)
+ }
+
+ static void
+-decode_quoted_string (char *quoted_string)
++decode_quoted_string_inplace (GString *quoted_gstring)
+ {
++ char *quoted_string = quoted_gstring->str;
+ char *src, *dst;
+
+ src = quoted_string + 1;
+@@ -657,10 +658,11 @@ decode_quoted_string (char *quoted_string)
+ }
+
+ static gboolean
+-decode_rfc5987 (char *encoded_string)
++decode_rfc5987_inplace (GString *encoded_gstring)
+ {
+ char *q, *decoded;
+ gboolean iso_8859_1 = FALSE;
++ const char *encoded_string = encoded_gstring->str;
+
+ q = strchr (encoded_string, '\'');
+ if (!q)
+@@ -689,14 +691,7 @@ decode_rfc5987 (char *encoded_string)
+ decoded = utf8;
+ }
+
+- /* If encoded_string was UTF-8, then each 3-character %-escape
+- * will be converted to a single byte, and so decoded is
+- * shorter than encoded_string. If encoded_string was
+- * iso-8859-1, then each 3-character %-escape will be
+- * converted into at most 2 bytes in UTF-8, and so it's still
+- * shorter.
+- */
+- strcpy (encoded_string, decoded);
++ g_string_assign (encoded_gstring, decoded);
+ g_free (decoded);
+ return TRUE;
+ }
+@@ -706,15 +701,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ {
+ GHashTable *params;
+ GSList *list, *iter;
+- char *item, *eq, *name_end, *value;
+- gboolean override, duplicated;
+
+ params = g_hash_table_new_full (soup_str_case_hash,
+ soup_str_case_equal,
+- g_free, NULL);
++ g_free, g_free);
+
+ list = parse_list (header, delim);
+ for (iter = list; iter; iter = iter->next) {
++ char *item, *eq, *name_end;
++ gboolean override, duplicated;
++ GString *parsed_value = NULL;
+ item = iter->data;
+ override = FALSE;
+
+@@ -729,19 +725,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
+
+ *name_end = '\0';
+
+- value = (char *)skip_lws (eq + 1);
++ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
+
+ if (name_end[-1] == '*' && name_end > item + 1) {
+ name_end[-1] = '\0';
+- if (!decode_rfc5987 (value)) {
++ if (!decode_rfc5987_inplace (parsed_value)) {
++ g_string_free (parsed_value, TRUE);
+ g_free (item);
+ continue;
+ }
+ override = TRUE;
+- } else if (*value == '"')
+- decode_quoted_string (value);
+- } else
+- value = NULL;
++ } else if (parsed_value->str[0] == '"')
++ decode_quoted_string_inplace (parsed_value);
++ }
+
+ duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
+
+@@ -749,11 +745,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ soup_header_free_param_list (params);
+ params = NULL;
+ g_slist_foreach (iter, (GFunc)g_free, NULL);
++ if (parsed_value)
++ g_string_free (parsed_value, TRUE);
+ break;
+- } else if (override || !duplicated)
+- g_hash_table_replace (params, item, value);
+- else
++ } else if (override || !duplicated) {
++ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
++ } else {
++ if (parsed_value)
++ g_string_free (parsed_value, TRUE);
+ g_free (item);
++ }
+ }
+
+ g_slist_free (list);
+--
+2.34.1
+
@@ -31,6 +31,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32910-2.patch \
file://CVE-2025-32910-3.patch \
file://CVE-2025-32912.patch \
+ file://CVE-2024-52531-1.patch \
+ file://CVE-2024-52531-2.patch \
"
SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"