[meta-oe] libsoup-2.4: fix CVE-2025-4945

Message ID	20250708072113.4100657-1-changqing.li@windriver.com
State	New
Headers	show Return-Path: <changqing.li@windriver.com> ip: 205.220.166.238, mailfrom: prvs=9284fa5eea=changqing.li@windriver.com) From: <changqing.li@windriver.com> To: <openembedded-devel@lists.openembedded.org> Subject: [meta-oe][PATCH] libsoup-2.4: fix CVE-2025-4945 Date: Tue, 8 Jul 2025 15:21:13 +0800 Message-ID: <20250708072113.4100657-1-changqing.li@windriver.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[meta-oe] libsoup-2.4: fix CVE-2025-4945 \| expand [meta-oe] libsoup-2.4: fix CVE-2025-4945

diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch new file mode 100644 index 0000000000..c9fbdbacc8 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch @@ -0,0 +1,117 @@ +From 3844026f74a41dd9ccab955899e005995293d246 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Tue, 8 Jul 2025 14:58:30 +0800 +Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing + +Reject date/time when it does not represent a valid value. + +Closes #448 + +CVE: CVE-2025-4945 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + libsoup/soup-date.c | 21 +++++++++++++++------ + tests/cookies-test.c | 10 ++++++++++ + 2 files changed, 25 insertions(+), 6 deletions(-) + +diff --git a/libsoup/soup-date.c b/libsoup/soup-date.c +index 9602d1f..4c114c1 100644 +--- a/libsoup/soup-date.c ++++ b/libsoup/soup-date.c +@@ -284,7 +284,7 @@ parse_day (SoupDate *date, const char **date_string) + while (*end == ' ' || *end == '-') + end++; + *date_string = end; +- return TRUE; ++ return date->day >= 1 && date->day <= 31; + } + + static inline gboolean +@@ -324,7 +324,7 @@ parse_year (SoupDate *date, const char **date_string) + while (*end == ' ' || *end == '-') + end++; + *date_string = end; +- return TRUE; ++ return date->year > 0 && date->year < 9999; + } + + static inline gboolean +@@ -348,7 +348,7 @@ parse_time (SoupDate *date, const char **date_string) + while (*p == ' ') + p++; + *date_string = p; +- return TRUE; ++ return date->hour >= 0 && date->hour < 24 && date->minute >= 0 && date->minute < 60 && date->second >= 0 && date->second < 60; + } + + static inline gboolean +@@ -361,8 +361,15 @@ parse_timezone (SoupDate *date, const char **date_string) + gulong val; + int sign = (**date_string == '+') ? -1 : 1; + val = strtoul (*date_string + 1, (char **)date_string, 10); ++ if (val > 9999) ++ return FALSE; + if (**date_string == ':') +- val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10); ++ { ++ gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10); ++ if (val > 99 || val2 > 99) ++ return FALSE; ++ val = 60 * val + val2; ++ } + else + val = 60 * (val / 100) + (val % 100); + date->offset = sign * val; +@@ -407,7 +414,8 @@ parse_textual_date (SoupDate *date, const char *date_string) + if (!parse_month (date, &date_string) || + !parse_day (date, &date_string) || + !parse_time (date, &date_string) || +- !parse_year (date, &date_string)) ++ !parse_year (date, &date_string) || ++ !g_date_valid_dmy(date->day, date->month, date->year)) + return FALSE; + + /* There shouldn't be a timezone, but check anyway */ +@@ -419,7 +427,8 @@ parse_textual_date (SoupDate *date, const char *date_string) + if (!parse_day (date, &date_string) || + !parse_month (date, &date_string) || + !parse_year (date, &date_string) || +- !parse_time (date, &date_string)) ++ !parse_time (date, &date_string) || ++ !g_date_valid_dmy(date->day, date->month, date->year)) + return FALSE; + + /* This time there *should* be a timezone, but we +diff --git a/tests/cookies-test.c b/tests/cookies-test.c +index 2e2a54f..6035a86 100644 +--- a/tests/cookies-test.c ++++ b/tests/cookies-test.c +@@ -413,6 +413,15 @@ do_remove_feature_test (void) + soup_uri_free (uri); + } + ++static void ++do_cookies_parsing_int32_overflow (void) ++{ ++ SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9 999:9:9+ 999999999-age=main=gne=", NULL); ++ g_assert_nonnull (cookie); ++ g_assert_null (soup_cookie_get_expires (cookie)); ++ soup_cookie_free (cookie); ++} ++ + int + main (int argc, char **argv) + { +@@ -434,6 +443,7 @@ main (int argc, char **argv) + g_test_add_func ("/cookies/accept-policy-subdomains", do_cookies_subdomain_policy_test); + g_test_add_func ("/cookies/parsing", do_cookies_parsing_test); + g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin); ++ g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow); + g_test_add_func ("/cookies/get-cookies/empty-host", do_get_cookies_empty_host_test); + g_test_add_func ("/cookies/remove-feature", do_remove_feature_test); + g_test_add_func ("/cookies/secure-cookies", do_cookies_strict_secure_test); +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index cbc886a2cb..68ec576d9b 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -39,6 +39,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32907.patch \ file://CVE-2025-4948.patch \ file://CVE-2025-4969.patch \ + file://CVE-2025-4945.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"

[meta-oe] libsoup-2.4: fix CVE-2025-4945

Commit Message

Patch