[meta-oe] libsoup-2.4: Add recipe

The libsoup-2.4 recipe has been removed from OE-Core, but there are
still a number of recipes in meta-openembedded that depend on it.

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
---
 .../libsoup-2.4/0001-CVE-2025-32911.patch     |  74 +++++++++
 ...ild-with-libxml2-2.12.0-and-clang-17.patch |  44 ++++++
 ...-Fix-possibly-uninitialized-warnings.patch |  43 ++++++
 ...-http-and-https-aliases-support-test.patch | 145 ++++++++++++++++++
 .../libsoup-2.4/CVE-2024-52532-1.patch        |  37 +++++
 .../libsoup-2.4/CVE-2024-52532-2.patch        |  43 ++++++
 .../libsoup-2.4/CVE-2024-52532-3.patch        |  48 ++++++
 .../libsoup/libsoup-2.4_2.74.3.bb             |  66 ++++++++
 8 files changed, 500 insertions(+)
 create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch
 create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch
 create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-possibly-uninitialized-warnings.patch
 create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Remove-http-and-https-aliases-support-test.patch
 create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch
 create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch
 create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
 create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb

Thanks for the patch, I think before I accept this patch it would be
good to take and opportunity to minimize its use in meta-openembedded
recipes
I have sent few patches, there are some hard dependencies left to address

 xfce4-weather-plugin, librest, gstd, libgdata, dleyna-server and dleyna-server

All other usecases are either migrated to use libsoup3 or are package
configs disabled by default.

On Fri, May 16, 2025 at 4:44 AM Peter Kjellerstedt via
lists.openembedded.org
<peter.kjellerstedt=axis.com@lists.openembedded.org> wrote:
>
> The libsoup-2.4 recipe has been removed from OE-Core, but there are
> still a number of recipes in meta-openembedded that depend on it.
>
> Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
> ---
>  .../libsoup-2.4/0001-CVE-2025-32911.patch     |  74 +++++++++
>  ...ild-with-libxml2-2.12.0-and-clang-17.patch |  44 ++++++
>  ...-Fix-possibly-uninitialized-warnings.patch |  43 ++++++
>  ...-http-and-https-aliases-support-test.patch | 145 ++++++++++++++++++
>  .../libsoup-2.4/CVE-2024-52532-1.patch        |  37 +++++
>  .../libsoup-2.4/CVE-2024-52532-2.patch        |  43 ++++++
>  .../libsoup-2.4/CVE-2024-52532-3.patch        |  48 ++++++
>  .../libsoup/libsoup-2.4_2.74.3.bb             |  66 ++++++++
>  8 files changed, 500 insertions(+)
>  create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch
>  create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch
>  create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-possibly-uninitialized-warnings.patch
>  create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Remove-http-and-https-aliases-support-test.patch
>  create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch
>  create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch
>  create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
>  create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
>
> diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch
> new file mode 100644
> index 0000000000..9ef0643837
> --- /dev/null
> +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch
> @@ -0,0 +1,74 @@
> +From 52c5859b82fe79f2c32d883e048d218e0d7f2182 Mon Sep 17 00:00:00 2001
> +From: Changqing Li <changqing.li@windriver.com>
> +Date: Wed, 30 Apr 2025 14:59:55 +0800
> +Subject: [PATCH] CVE-2025-32911
> +
> +CVE: CVE-2025-32911
> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/422/commits]
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + libsoup/soup-message-headers.c | 13 +++++++++----
> + tests/header-parsing-test.c    | 15 +++++++++++++++
> + 2 files changed, 24 insertions(+), 4 deletions(-)
> +
> +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
> +index 39ad14a..78b2455 100644
> +--- a/libsoup/soup-message-headers.c
> ++++ b/libsoup/soup-message-headers.c
> +@@ -1454,10 +1454,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders  *hdrs,
> +        */
> +       if (params && g_hash_table_lookup_extended (*params, "filename",
> +                                                   &orig_key, &orig_value)) {
> +-              char *filename = strrchr (orig_value, '/');
> +-
> +-              if (filename)
> +-                      g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
> ++                if (orig_value) {
> ++                        char *filename = strrchr (orig_value, '/');
> ++
> ++                        if (filename)
> ++                                g_hash_table_insert (*params, g_strdup (orig_key), g_strdup(filename + 1));
> ++                } else {
> ++                        /* filename with no value isn't valid. */
> ++                        g_hash_table_remove (*params, "filename");
> ++                }
> +       }
> +       return TRUE;
> + }
> +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
> +index 946f118..752196e 100644
> +--- a/tests/header-parsing-test.c
> ++++ b/tests/header-parsing-test.c
> +@@ -1034,6 +1034,7 @@ do_param_list_tests (void)
> + #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
> + #define RFC5987_TEST_HEADER_NO_TYPE  "filename=\"test.txt\""
> + #define RFC5987_TEST_HEADER_NO_TYPE_2  "filename=\"test.txt\"; foo=bar"
> ++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename"
> +
> + static void
> + do_content_disposition_tests (void)
> +@@ -1133,6 +1134,20 @@ do_content_disposition_tests (void)
> +       g_assert_cmpstr (filename, ==, RFC5987_TEST_FALLBACK_FILENAME);
> +         parameter2 = g_hash_table_lookup (params, "foo");
> +         g_assert_cmpstr (parameter2, ==, "bar");
> ++      g_hash_table_destroy (params);
> ++
> ++       /* Empty filename */
> ++      soup_message_headers_clear (hdrs);
> ++      soup_message_headers_append (hdrs, "Content-Disposition",
> ++                                                               RFC5987_TEST_HEADER_EMPTY_FILENAME);
> ++      if (!soup_message_headers_get_content_disposition (hdrs,
> ++                                                                                                         &disposition,
> ++                                                                                                         &params)) {
> ++                      soup_test_assert (FALSE, "empty filename decoding FAILED");
> ++                      return;
> ++      }
> ++      g_free (disposition);
> ++      g_assert_false (g_hash_table_contains (params, "filename"));
> +       g_hash_table_destroy (params);
> +
> +       soup_message_headers_free (hdrs);
> +--
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch
> new file mode 100644
> index 0000000000..d867e5bc17
> --- /dev/null
> +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch
> @@ -0,0 +1,44 @@
> +From ced3c5d8cad0177b297666343f1561799dfefb0d Mon Sep 17 00:00:00 2001
> +From: Khem Raj <raj.khem@gmail.com>
> +Date: Wed, 22 Nov 2023 18:49:10 -0800
> +Subject: [PATCH] Fix build with libxml2-2.12.0 and clang-17
> +
> +Fixes build errors about missing function prototypes with clang-17
> +
> +Fixes
> +| ../libsoup-2.74.3/libsoup/soup-xmlrpc-old.c:512:8: error: call to undeclared function 'xmlParseMemory'; ISO C99 and later do not support implicit function declarations
> +
> +Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/385]
> +Signed-off-by: Khem Raj <raj.khem@gmail.com>
> +---
> + libsoup/soup-xmlrpc-old.c | 1 +
> + libsoup/soup-xmlrpc.c     | 1 +
> + 2 files changed, 2 insertions(+)
> +
> +diff --git a/libsoup/soup-xmlrpc-old.c b/libsoup/soup-xmlrpc-old.c
> +index c57086b6..527e3b23 100644
> +--- a/libsoup/soup-xmlrpc-old.c
> ++++ b/libsoup/soup-xmlrpc-old.c
> +@@ -11,6 +11,7 @@
> +
> + #include <string.h>
> +
> ++#include <libxml/parser.h>
> + #include <libxml/tree.h>
> +
> + #include "soup-xmlrpc-old.h"
> +diff --git a/libsoup/soup-xmlrpc.c b/libsoup/soup-xmlrpc.c
> +index 42dcda9c..e991cbf0 100644
> +--- a/libsoup/soup-xmlrpc.c
> ++++ b/libsoup/soup-xmlrpc.c
> +@@ -17,6 +17,7 @@
> +
> + #include <string.h>
> + #include <errno.h>
> ++#include <libxml/parser.h>
> + #include <libxml/tree.h>
> + #include "soup-xmlrpc.h"
> + #include "soup.h"
> +--
> +2.43.0
> +
> diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-possibly-uninitialized-warnings.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-possibly-uninitialized-warnings.patch
> new file mode 100644
> index 0000000000..fcd442c13a
> --- /dev/null
> +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-possibly-uninitialized-warnings.patch
> @@ -0,0 +1,43 @@
> +From 1159686379184a1c899eabb2174258aba5e0fd79 Mon Sep 17 00:00:00 2001
> +From: Patrick Griffis <pgriffis@igalia.com>
> +Date: Mon, 20 Sep 2021 15:41:31 -0500
> +Subject: [PATCH] Fix possibly uninitialized warnings
> +
> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/fb98e9a8c3062c75357b961543af091de2dd5459]
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + libsoup/soup-websocket-connection.c | 2 +-
> + tests/samesite-test.c               | 3 +++
> + 2 files changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
> +index 65c1492..585d45c 100644
> +--- a/libsoup/soup-websocket-connection.c
> ++++ b/libsoup/soup-websocket-connection.c
> +@@ -471,7 +471,7 @@ send_message (SoupWebsocketConnection *self,
> +       GByteArray *bytes;
> +       gsize frame_len;
> +       guint8 *outer;
> +-      guint8 mask_offset;
> ++      guint8 mask_offset = 0;
> +       GBytes *filtered_bytes;
> +       GList *l;
> +       GError *error = NULL;
> +diff --git a/tests/samesite-test.c b/tests/samesite-test.c
> +index 0b081b2..60c9b8e 100644
> +--- a/tests/samesite-test.c
> ++++ b/tests/samesite-test.c
> +@@ -60,6 +60,9 @@ assert_highest_policy_visible (GSList *cookies, SoupSameSitePolicy policy)
> +       case SOUP_SAME_SITE_POLICY_NONE:
> +               expected_count = 1;
> +               break;
> ++      default:
> ++              g_assert_not_reached ();
> ++              break;
> +       }
> +
> +       g_assert_cmpuint (size, ==, expected_count);
> +--
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Remove-http-and-https-aliases-support-test.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Remove-http-and-https-aliases-support-test.patch
> new file mode 100644
> index 0000000000..0d4139ec08
> --- /dev/null
> +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Remove-http-and-https-aliases-support-test.patch
> @@ -0,0 +1,145 @@
> +From 0e3bfa22b23451531caf8cc30b1771ac6a41fcad Mon Sep 17 00:00:00 2001
> +From: Carlos Garcia Campos <cgarcia@igalia.com>
> +Date: Thu, 11 Feb 2021 10:47:09 +0100
> +Subject: [PATCH] Remove http and https aliases support test
> +
> +Upstream has removed the whole function of http and https aliases
> +support, this commit partially cherry pick it, only remove the test to
> +mute the warning:
> +| ../libsoup-2.74.3/tests/server-test.c: In function 'do_one_server_aliases_test':
> +| ../libsoup-2.74.3/tests/server-test.c:180:17: warning: 'g_socket_client_set_tls_validation_flags' is deprecated [-Wdeprecated-declarations]
> +|   180 |                 g_socket_client_set_tls_validation_flags (client, 0);
> +|       |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/111ae4ebe7cc2e389573cff5b9ac76509d6cbac0]
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + tests/server-test.c | 104 --------------------------------------------
> + 1 file changed, 104 deletions(-)
> +
> +diff --git a/tests/server-test.c b/tests/server-test.c
> +index 8976103..cb7e815 100644
> +--- a/tests/server-test.c
> ++++ b/tests/server-test.c
> +@@ -154,108 +154,6 @@ do_star_test (ServerData *sd, gconstpointer test_data)
> +       soup_uri_free (star_uri);
> + }
> +
> +-static void
> +-do_one_server_aliases_test (SoupURI    *uri,
> +-                          const char *alias,
> +-                          gboolean    succeed)
> +-{
> +-      GSocketClient *client;
> +-      GSocketConnectable *addr;
> +-      GSocketConnection *conn;
> +-      GInputStream *in;
> +-      GOutputStream *out;
> +-      GError *error = NULL;
> +-      GString *req;
> +-      static char buf[1024];
> +-
> +-      debug_printf (1, "  %s via %s\n", alias, uri->scheme);
> +-
> +-      /* There's no way to make libsoup's client side send an absolute
> +-       * URI (to a non-proxy server), so we have to fake this.
> +-       */
> +-
> +-      client = g_socket_client_new ();
> +-      if (uri->scheme == SOUP_URI_SCHEME_HTTPS) {
> +-              g_socket_client_set_tls (client, TRUE);
> +-              g_socket_client_set_tls_validation_flags (client, 0);
> +-      }
> +-      addr = g_network_address_new (uri->host, uri->port);
> +-
> +-      conn = g_socket_client_connect (client, addr, NULL, &error);
> +-      g_object_unref (addr);
> +-      g_object_unref (client);
> +-      if (!conn) {
> +-              g_assert_no_error (error);
> +-              g_error_free (error);
> +-              return;
> +-      }
> +-
> +-      in = g_io_stream_get_input_stream (G_IO_STREAM (conn));
> +-      out = g_io_stream_get_output_stream (G_IO_STREAM (conn));
> +-
> +-      req = g_string_new (NULL);
> +-      g_string_append_printf (req, "GET %s://%s:%d HTTP/1.1\r\n",
> +-                              alias, uri->host, uri->port);
> +-      g_string_append_printf (req, "Host: %s:%d\r\n",
> +-                              uri->host, uri->port);
> +-      g_string_append (req, "Connection: close\r\n\r\n");
> +-
> +-      if (!g_output_stream_write_all (out, req->str, req->len, NULL, NULL, &error)) {
> +-              g_assert_no_error (error);
> +-              g_error_free (error);
> +-              g_object_unref (conn);
> +-              g_string_free (req, TRUE);
> +-              return;
> +-      }
> +-      g_string_free (req, TRUE);
> +-
> +-      if (!g_input_stream_read_all (in, buf, sizeof (buf), NULL, NULL, &error)) {
> +-              g_assert_no_error (error);
> +-              g_error_free (error);
> +-              g_object_unref (conn);
> +-              return;
> +-      }
> +-
> +-      if (succeed)
> +-              g_assert_true (g_str_has_prefix (buf, "HTTP/1.1 200 "));
> +-      else
> +-              g_assert_true (g_str_has_prefix (buf, "HTTP/1.1 400 "));
> +-
> +-      g_io_stream_close (G_IO_STREAM (conn), NULL, NULL);
> +-      g_object_unref (conn);
> +-}
> +-
> +-static void
> +-do_server_aliases_test (ServerData *sd, gconstpointer test_data)
> +-{
> +-      char *http_aliases[] = { "dav", NULL };
> +-      char *https_aliases[] = { "davs", NULL };
> +-      char *http_good[] = { "http", "dav", NULL };
> +-      char *http_bad[] = { "https", "davs", "fred", NULL };
> +-      char *https_good[] = { "https", "davs", NULL };
> +-      char *https_bad[] = { "http", "dav", "fred", NULL };
> +-      int i;
> +-
> +-      g_test_bug ("703694");
> +-
> +-      g_object_set (G_OBJECT (sd->server),
> +-                    SOUP_SERVER_HTTP_ALIASES, http_aliases,
> +-                    SOUP_SERVER_HTTPS_ALIASES, https_aliases,
> +-                    NULL);
> +-
> +-      for (i = 0; http_good[i]; i++)
> +-              do_one_server_aliases_test (sd->base_uri, http_good[i], TRUE);
> +-      for (i = 0; http_bad[i]; i++)
> +-              do_one_server_aliases_test (sd->base_uri, http_bad[i], FALSE);
> +-
> +-      if (tls_available) {
> +-              for (i = 0; https_good[i]; i++)
> +-                      do_one_server_aliases_test (sd->ssl_base_uri, https_good[i], TRUE);
> +-              for (i = 0; https_bad[i]; i++)
> +-                      do_one_server_aliases_test (sd->ssl_base_uri, https_bad[i], FALSE);
> +-      }
> +-}
> +-
> + static void
> + do_dot_dot_test (ServerData *sd, gconstpointer test_data)
> + {
> +@@ -1382,8 +1280,6 @@ main (int argc, char **argv)
> +
> +       g_test_add ("/server/OPTIONS *", ServerData, NULL,
> +                   server_setup, do_star_test, server_teardown);
> +-      g_test_add ("/server/aliases", ServerData, NULL,
> +-                  server_setup, do_server_aliases_test, server_teardown);
> +       g_test_add ("/server/..-in-path", ServerData, NULL,
> +                   server_setup, do_dot_dot_test, server_teardown);
> +       g_test_add ("/server/ipv6", ServerData, NULL,
> +--
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch
> new file mode 100644
> index 0000000000..cb1f096110
> --- /dev/null
> +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch
> @@ -0,0 +1,37 @@
> +From a693d49bff058fc20a448dc4e7d324ff0dc6597e Mon Sep 17 00:00:00 2001
> +From: Ignacio Casal Quinteiro <qignacio@amazon.com>
> +Date: Wed, 11 Sep 2024 11:52:11 +0200
> +Subject: [PATCH 1/3] websocket: process the frame as soon as we read data
> +
> +Otherwise we can enter in a read loop because we were not
> +validating the data until the all the data was read.
> +
> +Fixes #391
> +
> +CVE: CVE-2024-52532
> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be#f1d67ca0386b145ea201cf88d27f72724d7c6715]
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + libsoup/soup-websocket-connection.c | 5 ++---
> + 1 file changed, 2 insertions(+), 3 deletions(-)
> +
> +diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
> +index a4095e1..65c1492 100644
> +--- a/libsoup/soup-websocket-connection.c
> ++++ b/libsoup/soup-websocket-connection.c
> +@@ -1140,9 +1140,8 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
> +               }
> +
> +               pv->incoming->len = len + count;
> +-      } while (count > 0);
> +-
> +-      process_incoming (self);
> ++              process_incoming (self);
> ++      } while (count > 0 && !pv->close_sent && !pv->io_closing);
> +
> +       if (end) {
> +               if (!pv->close_sent || !pv->close_received) {
> +--
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch
> new file mode 100644
> index 0000000000..dcadafe944
> --- /dev/null
> +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch
> @@ -0,0 +1,43 @@
> +From f5b76410de1318f49844dacf6e68692522b6c856 Mon Sep 17 00:00:00 2001
> +From: Ignacio Casal Quinteiro <qignacio@amazon.com>
> +Date: Wed, 2 Oct 2024 11:17:19 +0200
> +Subject: [PATCH] websocket-test: disconnect error copy after the test ends
> +
> +Otherwise the server will have already sent a few more wrong
> +bytes and the client will continue getting errors to copy
> +but the error is already != NULL and it will assert
> +
> +CVE: CVE-2024-52532
> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c]
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + tests/websocket-test.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/tests/websocket-test.c b/tests/websocket-test.c
> +index 5e40cf3..1ec9ff6 100644
> +--- a/tests/websocket-test.c
> ++++ b/tests/websocket-test.c
> +@@ -1331,8 +1331,9 @@ test_receive_invalid_encode_length_64 (Test *test,
> +       GError *error = NULL;
> +       InvalidEncodeLengthTest context = { test, NULL };
> +       guint i;
> ++      guint error_id;
> +
> +-      g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
> ++      error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
> +       g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
> +
> +       /* We use 127(\x7f) as payload length with 65535 extended length */
> +@@ -1345,6 +1346,7 @@ test_receive_invalid_encode_length_64 (Test *test,
> +       WAIT_UNTIL (error != NULL || received != NULL);
> +       g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
> +       g_clear_error (&error);
> ++      g_signal_handler_disconnect (test->client, error_id);
> +       g_assert_null (received);
> +
> +         g_thread_join (thread);
> +--
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
> new file mode 100644
> index 0000000000..ab6af72291
> --- /dev/null
> +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
> @@ -0,0 +1,48 @@
> +From d97bb2e340f5a6d7e56a7738403f9d18bc406b70 Mon Sep 17 00:00:00 2001
> +From: Simon McVittie <smcv@debian.org>
> +Date: Wed, 13 Nov 2024 14:14:23 +0000
> +Subject: [PATCH 3/3] websocket-test: Disconnect error signal in another place
> +
> +This is the same change as commit 29b96fab "websocket-test: disconnect
> +error copy after the test ends", and is done for the same reason, but
> +replicating it into a different function.
> +
> +Fixes: 6adc0e3e "websocket: process the frame as soon as we read data"
> +Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399
> +Signed-off-by: Simon McVittie <smcv@debian.org>
> +
> +CVE: CVE-2024-52532
> +Upstream-Status: Backport
> +[https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff]
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + tests/websocket-test.c | 4 +++-
> + 1 file changed, 3 insertions(+), 1 deletion(-)
> +
> +diff --git a/tests/websocket-test.c b/tests/websocket-test.c
> +index 2b19a7b..0699a06 100644
> +--- a/tests/websocket-test.c
> ++++ b/tests/websocket-test.c
> +@@ -1300,8 +1300,9 @@ test_receive_invalid_encode_length_16 (Test *test,
> +       GError *error = NULL;
> +       InvalidEncodeLengthTest context = { test, NULL };
> +       guint i;
> ++      guint error_id;
> +
> +-      g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
> ++      error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
> +       g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
> +
> +       /* We use 126(~) as payload length with 125 extended length */
> +@@ -1314,6 +1315,7 @@ test_receive_invalid_encode_length_16 (Test *test,
> +       WAIT_UNTIL (error != NULL || received != NULL);
> +       g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
> +       g_clear_error (&error);
> ++        g_signal_handler_disconnect (test->client, error_id);
> +       g_assert_null (received);
> +
> +       g_thread_join (thread);
> +--
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
> new file mode 100644
> index 0000000000..7e275a48f4
> --- /dev/null
> +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
> @@ -0,0 +1,66 @@
> +SUMMARY = "An HTTP library implementation in C"
> +DESCRIPTION = "libsoup is an HTTP client/server library for GNOME. It uses GObjects \
> +and the glib main loop, to integrate well with GNOME applications."
> +HOMEPAGE = "https://wiki.gnome.org/Projects/libsoup"
> +BUGTRACKER = "https://bugzilla.gnome.org/"
> +SECTION = "x11/gnome/libs"
> +LICENSE = "LGPL-2.0-only"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
> +
> +DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl"
> +
> +SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
> +
> +SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
> +           file://0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch \
> +           file://0001-CVE-2025-32911.patch \
> +           file://0001-Fix-possibly-uninitialized-warnings.patch \
> +           file://0001-Remove-http-and-https-aliases-support-test.patch \
> +           file://CVE-2024-52532-1.patch \
> +           file://CVE-2024-52532-2.patch \
> +           file://CVE-2024-52532-3.patch"
> +
> +SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
> +
> +CVE_PRODUCT = "libsoup"
> +
> +S = "${WORKDIR}/libsoup-${PV}"
> +
> +inherit meson gettext pkgconfig upstream-version-is-even gobject-introspection gtk-doc
> +
> +UPSTREAM_CHECK_REGEX = "libsoup-(?P<pver>2(\.(?!99)\d+)+)\.tar"
> +
> +GIR_MESON_ENABLE_FLAG = 'enabled'
> +GIR_MESON_DISABLE_FLAG = 'disabled'
> +
> +PACKAGECONFIG ??= ""
> +PACKAGECONFIG[brotli] = "-Dbrotli=enabled,-Dbrotli=disabled,brotli"
> +# libsoup-gnome is entirely deprecated and just stubs in 2.42 onwards
> +PACKAGECONFIG[gnome] = "-Dgnome=true,-Dgnome=false"
> +PACKAGECONFIG[gssapi] = "-Dgssapi=enabled,-Dgssapi=disabled,krb5"
> +PACKAGECONFIG[ntlm] = "-Dntlm=enabled,-Dntlm=disabled"
> +PACKAGECONFIG[sysprof] = "-Dsysprof=enabled,-Dsysprof=disabled,sysprof"
> +
> +# Tell libsoup where the target ntlm_auth is installed
> +do_write_config:append:class-target() {
> +    cat >${WORKDIR}/soup.cross <<EOF
> +[binaries]
> +ntlm_auth = '${bindir}/ntlm_auth'
> +EOF
> +}
> +EXTRA_OEMESON:append:class-target = " --cross-file ${WORKDIR}/soup.cross"
> +
> +EXTRA_OEMESON += "-Dvapi=disabled -Dtls_check=false"
> +
> +GTKDOC_MESON_OPTION = "gtk_doc"
> +
> +# When built without gnome support, libsoup-2.4 will contain only one shared lib
> +# and will therefore become subject to renaming by debian.bbclass. Prevent
> +# renaming in order to keep the package name consistent regardless of whether
> +# gnome support is enabled or disabled.
> +DEBIAN_NOAUTONAME:${PN} = "1"
> +
> +# glib-networking is needed for SSL, proxies, etc.
> +RRECOMMENDS:${PN} = "glib-networking"
> +
> +BBCLASSEXTEND = "native nativesdk"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#117428): https://lists.openembedded.org/g/openembedded-devel/message/117428
> Mute This Topic: https://lists.openembedded.org/mt/113143457/1997914
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

> -----Original Message-----
> From: Khem Raj <raj.khem@gmail.com>
> Sent: den 16 maj 2025 18:11
> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
> Cc: openembedded-devel@lists.openembedded.org
> Subject: Re: [oe] [meta-oe][PATCH] libsoup-2.4: Add recipe
> 
> Thanks for the patch, I think before I accept this patch it would be
> good to take and opportunity to minimize its use in meta-openembedded recipes
> I have sent few patches, there are some hard dependencies left to address
> 
>  xfce4-weather-plugin, librest, gstd, libgdata, dleyna-server and dleyna-server
> 
> All other usecases are either migrated to use libsoup3 or are package
> configs disabled by default.

Ok. I'll add it to one of our own layers then for now as we still have a 
number of recipes that rely on libsoup-2.4. And inform our developers 
that it is time to update...

//Peter

On Fri, May 16, 2025 at 9:56 AM Peter Kjellerstedt
<peter.kjellerstedt@axis.com> wrote:
>
> > -----Original Message-----
> > From: Khem Raj <raj.khem@gmail.com>
> > Sent: den 16 maj 2025 18:11
> > To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
> > Cc: openembedded-devel@lists.openembedded.org
> > Subject: Re: [oe] [meta-oe][PATCH] libsoup-2.4: Add recipe
> >
> > Thanks for the patch, I think before I accept this patch it would be
> > good to take and opportunity to minimize its use in meta-openembedded recipes
> > I have sent few patches, there are some hard dependencies left to address
> >
> >  xfce4-weather-plugin, librest, gstd, libgdata, dleyna-server and dleyna-server
> >
> > All other usecases are either migrated to use libsoup3 or are package
> > configs disabled by default.
>
> Ok. I'll add it to one of our own layers then for now as we still have a
> number of recipes that rely on libsoup-2.4. And inform our developers
> that it is time to update...

Its in master-next and I will wait maybe some more for more fixes
before we get it in to let cleanup happen
I have already sent mine.
>
> //Peter
>