From patchwork Wed Apr 16 05:13:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 61383 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A64BBC369B1 for ; Wed, 16 Apr 2025 05:13:31 +0000 (UTC) Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com [209.85.216.47]) by mx.groups.io with SMTP id smtpd.web11.12224.1744780407121055621 for ; Tue, 15 Apr 2025 22:13:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=e5HdNB91; spf=pass (domain: mvista.com, ip: 209.85.216.47, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f47.google.com with SMTP id 98e67ed59e1d1-30155bbbed9so4902447a91.1 for ; Tue, 15 Apr 2025 22:13:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1744780406; x=1745385206; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=cWgWolLrjgbgwqRJanGY0atl5CDlXnWTmc3KRhpaIds=; b=e5HdNB91l9MWpHSlHHymH00K2gWm+bJe2InF3y8hlW7aaJrrkh5TBW3rJjRT9LD22a 5ZvZ3xXv5zcJGx68gRE6qkG5VNzaAer5s8X6Nus8zbQfGsogz0BQmGB4++KTLf5l2vId vnajHh8FXTe9yknQ0jv9VBmVr2zaD8CJ8ZQAI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744780406; x=1745385206; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=cWgWolLrjgbgwqRJanGY0atl5CDlXnWTmc3KRhpaIds=; b=bjqVrnKqVFccLasc2M/dKfIbNvoFMgZ0ztl6KIfXw8AQ4fFGxTDUNYAj/XBw2SZwkZ 4a+IDC3GlfDPrIpv1gB/lpG8AxxPp1zSuwOrzi5hUyz72fNjuP6j6Q6kVk2HVf2LxZQE 5CmTfeDmVLLGgZP7IwIyQ22DPZFYZ6SkVkSUqjuT4yxslL3S8PAwORTfuVcGjWk1FZga wRkcYYX3jGWCSUYB8r1x6s+RMyL+s8adCnJbGpefFw2tf7YJ0HOyE+XjykB7c0NeTnyA CjXz3TtM1gPM3XTgpBmOQs9795mTCjKfjkmMvhZnGviPHWlxJRNyt9ChLv/6NS9NmkGz Na8Q== X-Gm-Message-State: AOJu0YyiE0AY9sb9hJu5ihW0jS8bwbFGdxVWH7ykoXyG/nQD+SH/3nnT 0rQ3OR4mpYJvwr1onQPikkUfC/qbS8cqugOgM2epc3VN6R5VzxWQOqH/K9cG9/i+TQVw7nIcAaa ZITQ= X-Gm-Gg: ASbGnculq2mxvLiL6WkP9lAnum+NoeXtCyxShqK7ZyRdpJRV9vyhskz9PWKjDUpPbbP SzfTBXDt+D5oh34IT52cMA6/LvQOHiEwzW129dMzIKmsSD52GpXTTzUOH8jBPxkk2ghRnrO3kCq Cw4OTyuaGT0sI7c7OR3gZrEKGiO4Xfpcy4TXQKrGsMXs3r2XjnukyoAdyfYqB4LQj12QV35q6nO AY8vcYdsHwrpd3y7XImDmRxUkKBiyzJoVh4l926h0yLgwibBORYTOvOPBEC4iIXEosyvB3iyYIu y0la1c4IbC4FEI9rNC6Y+JMzZhR8ou5cj99yPUkXZl77grJlQcE= X-Google-Smtp-Source: AGHT+IEWl1vb5SN+X0Yw4jdo8kPvFsTq8FtnvgbjhHeoVZdZ0/3ZHP3odNPjs0zWFrESktMRZEcCTA== X-Received: by 2002:a17:90b:2745:b0:2fe:9e6c:add9 with SMTP id 98e67ed59e1d1-30863f30492mr737436a91.18.1744780405964; Tue, 15 Apr 2025 22:13:25 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.229.43]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-3086122a8absm582419a91.35.2025.04.15.22.13.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Apr 2025 22:13:25 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 1/5] libsoup: Fix CVE-2025-32910 Date: Wed, 16 Apr 2025 10:43:10 +0530 Message-Id: <20250416051314.96105-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 16 Apr 2025 05:13:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214974 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 Signed-off-by: Vijay Anusuri --- .../libsoup-3.4.4/CVE-2025-32910.patch | 27 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 28 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch new file mode 100644 index 0000000000..32e0c86e62 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch @@ -0,0 +1,27 @@ +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 13:52:52 -0600 +Subject: [PATCH] auth-digest: Fix leak + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 350bfde6..9eb7fa0e 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object) + g_free (priv->nonce); + g_free (priv->domain); + g_free (priv->cnonce); ++ g_free (priv->opaque); + + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index b2e32b892a..757e6432f7 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52531-1.patch \ file://CVE-2024-52531-2.patch \ file://CVE-2024-52531-3.patch \ + file://CVE-2025-32910.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Apr 16 05:13:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 61384 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 62A1EC369B1 for ; Wed, 16 Apr 2025 05:13:41 +0000 (UTC) Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com [209.85.215.180]) by mx.groups.io with SMTP id smtpd.web10.12370.1744780412503236089 for ; Tue, 15 Apr 2025 22:13:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=XXvnjfNr; spf=pass (domain: mvista.com, ip: 209.85.215.180, mailfrom: vanusuri@mvista.com) Received: by mail-pg1-f180.google.com with SMTP id 41be03b00d2f7-af908bb32fdso300819a12.1 for ; Tue, 15 Apr 2025 22:13:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1744780411; x=1745385211; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=JgZzUlbfjgXZ1QwLW7Puql2/KzFt/e7maHjYeDDsSWI=; b=XXvnjfNr2SScTvDQDskzl0AnPEATgakOIvYaX+u6p6SSsX1//NuazzOCzW2sYmsb66 arBK226AkSwJ2QxBTzcZ4qsFSanG1ZmWSZKssQogWMwaDQlTnxyBnFnMQ0MfG8LR/nQV 9+TjCOK02wRE+bKfNjyKZMnGwWbh+FKIZGT+Y= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744780411; x=1745385211; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JgZzUlbfjgXZ1QwLW7Puql2/KzFt/e7maHjYeDDsSWI=; b=eawBMqBN4ItjNlSxov0+/muE+PfSxjF8VE8o8X+TW02g1wi9nrqTSGENLA2Nluy0eQ Gj7xNjUG0xbq6LwhjjJA/NQOrx1Mc2g+SUJu3F7k7edpsqkN0ENrRJYlX/C+TrAb+2qo jn/iIAk1ErWsjhorgTQdiN3eIbyBsq5er02Oj4Fsnd1Sf9zeeV5ZVLtMVa2Zos0MWtzA SiefSTSPyoXgh6UyV2XEcP6plqXhh3P3j/9850yUYu9Uuu1J/koK0xyR60TSXOUmvXw+ 3Yv3DBz1ZbLsN1bG6FcfUy/KfcbpwWVazI2aqOvPDsfM1JEeC0UWyTdWo5IPsncGI6Y/ zDiw== X-Gm-Message-State: AOJu0YwEsmkxMbSsSmsK4Msw3EThOkBMFa8XQsvMrlUpaBCq3Aaz/z/m AK3ApI1FPKZeCirvGR1enQjS0IFyAMHIKR+aK0oYbOFJkXlN0ZUyvDqSbU1NHFZJkYnqK2qSt6Q DUHo= X-Gm-Gg: ASbGnctP0I7ADU46c+4le9MvrU+8jlpDkKT18occpvMyZaMpMxOd/w5ryR8gtfaeg9g 8riSq/tNQzR7/g/23fMHOnhNpMuLOQ5hLwjQbQSRQXvRbuCC6SfZMvYtsFX4zBiaWIOMgiq6r5I XMO7lVwMHz5xd7350SlwtNHfx6G8HbiOqw/LrhwvKEfz8RqkMXj39E/GaiLSOTYA9MPsYSfPzXM sqV2+kv91S6Uu2ouY6DpTx9t7zUFFQm5Oakb9GjoPYUW3HFjaEu5dCNzSIQ0mrK9V7l8UtdjvOm 3p3SOsKnsufqkDzZrlFAzQLsS9u5P06zCYefHHnNRuC5HslpsvA= X-Google-Smtp-Source: AGHT+IFGQPgdCGJ4WTpgB4luklSIr48zAeR90HzO0tGsW/KklDDkIzgUFfYuar+QhQ05iTOELX6cmQ== X-Received: by 2002:a17:90b:2247:b0:2e2:c2b0:d03e with SMTP id 98e67ed59e1d1-30864293690mr486157a91.5.1744780411391; Tue, 15 Apr 2025 22:13:31 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.229.43]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-3086122a8absm582419a91.35.2025.04.15.22.13.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Apr 2025 22:13:30 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 2/5] libsoup: Fix CVE-2025-32909 Date: Wed, 16 Apr 2025 10:43:11 +0530 Message-Id: <20250416051314.96105-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250416051314.96105-1-vanusuri@mvista.com> References: <20250416051314.96105-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 16 Apr 2025 05:13:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214975 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92 Signed-off-by: Vijay Anusuri --- .../libsoup-3.4.4/CVE-2025-32909.patch | 36 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32909.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32909.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32909.patch new file mode 100644 index 0000000000..8982da58f1 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32909.patch @@ -0,0 +1,36 @@ +From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 8 Jan 2025 16:30:17 -0600 +Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4 + bytes + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92] +CVE: CVE-2025-32909 +Signed-off-by: Vijay Anusuri +--- + libsoup/content-sniffer/soup-content-sniffer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index 5a181ff1..aeee2e25 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -243,9 +243,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, GBytes *buffer) + gsize resource_length; + const char *resource = g_bytes_get_data (buffer, &resource_length); + resource_length = MIN (512, resource_length); +- guint32 box_size = *((guint32*)resource); ++ guint32 box_size; + guint i; + ++ if (resource_length < sizeof (guint32)) ++ return FALSE; ++ ++ box_size = *((guint32*)resource); ++ + #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + box_size = ((box_size >> 24) | + ((box_size << 8) & 0x00FF0000) | +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 757e6432f7..ec3305aed7 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -19,6 +19,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52531-2.patch \ file://CVE-2024-52531-3.patch \ file://CVE-2025-32910.patch \ + file://CVE-2025-32909.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Apr 16 05:13:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 61385 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 61B88C369BA for ; Wed, 16 Apr 2025 05:13:41 +0000 (UTC) Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com [209.85.215.180]) by mx.groups.io with SMTP id smtpd.web10.12372.1744780417738735152 for ; Tue, 15 Apr 2025 22:13:37 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=fCbhQx70; spf=pass (domain: mvista.com, ip: 209.85.215.180, mailfrom: vanusuri@mvista.com) Received: by mail-pg1-f180.google.com with SMTP id 41be03b00d2f7-af5cdf4a2f8so4753218a12.3 for ; Tue, 15 Apr 2025 22:13:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1744780417; x=1745385217; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=eqA0dwcb6NJcufyouZsyzvXz+zbBVy3YoyRy3pBI7LU=; b=fCbhQx70vMdNqTrNGsWewWegj4Dj2Kwa28rSuw7Zug9NWJSEtkEA+Gahbp+vmFA02r p9ICs6urSLnsbR20FlhcNVBtS/BJrb1Nbdgb6HOXMYxGyqLarAEjyFYZ2UhHKXsOrNqu Tr+V639pQkR8P+gvrWQaDiaEBdOUXFhyz6+fs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744780417; x=1745385217; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eqA0dwcb6NJcufyouZsyzvXz+zbBVy3YoyRy3pBI7LU=; b=BmRA9Z6J9kYsKckWYwIrjOdjbUfjCITiioTKVzExkywqBPCLnJSc0TA7Yed1HrLmd0 qG8bVDz36aWbqt84ptu5SAIlihRyKBZqKdvX+ehrkfFvom+548de2kmKifK84MvRVbbb peUjMRGKLNbntF4lyppxXodOM7ax+fXwjarVw+YskTRTplrPqZPZUrX8J58Kn9ucSnze RAeBO1lQjDxzGjMMgy/lHXgWJ7kWF/kticForXSylGqbX/RaGaFLwMjb+Sc+VnjIKDY8 bZnVHo5uXz4GRtwlC4JTGQ5T3z85wqMb0m8U1fMcSFWEGAz9irOsAWQiEq0Uap/psTWf 5JUQ== X-Gm-Message-State: AOJu0YzaWW4DVoXbpzlPeYq3CumY/aMdh/gg9u7dy4kUV/aN4LPJDaii 6KEgR6Z7zZAoprb8FXmO8F7rk9zczbVKuJ1FFJ1ZYW03cqTzIAyukRhz4oai9ilI28+sUXMapm0 dNV8= X-Gm-Gg: ASbGncvnlw4+18CZNPpThWRABXZxABeEP3G9NSsfUThqmy8+TlqAVDNLI8yZecAnhSc o+Ud7ZjKTW0XRqGgTLmUF1EiYZO5v4oZmzPMctkXEgF6xPLs94soI6TBHa/zwEprw64RXjo6BHO EIOMrmlaH2Ik0V8uZrYxfNedYdPpwO56x//6gGLPeBiVgVbnl9pBJf55KzXPi/3F1IO3BnDmwlp jjqG6VloT8SFOGSeTNLky1qIxAaZFesPg2+3ykWk5Y85KhnsAZg2U9o/59vFXWASiz6a1qposK+ 0iJw1qMTewJ3gSR6Jaw1bMUGZYmzIvd5jcRNfyKELPPmoYzijRs= X-Google-Smtp-Source: AGHT+IHfqfdsSNULvio2yE/Jmv68rOxCo3Sl3yhxGEPi0RBoq67XFizWFfMf9aSDNrGQ54HsaY/h7A== X-Received: by 2002:a17:90b:4ecf:b0:2ff:6788:cc67 with SMTP id 98e67ed59e1d1-30864172844mr583241a91.34.1744780416707; Tue, 15 Apr 2025 22:13:36 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.229.43]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-3086122a8absm582419a91.35.2025.04.15.22.13.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Apr 2025 22:13:36 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 3/5] libsoup: Fix CVE-2025-32913 Date: Wed, 16 Apr 2025 10:43:12 +0530 Message-Id: <20250416051314.96105-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250416051314.96105-1-vanusuri@mvista.com> References: <20250416051314.96105-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 16 Apr 2025 05:13:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214976 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0 Signed-off-by: Vijay Anusuri --- .../libsoup-3.4.4/CVE-2025-32913-1.patch | 72 +++++++++++++++++++ .../libsoup-3.4.4/CVE-2025-32913-2.patch | 44 ++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 2 + 3 files changed, 118 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-1.patch new file mode 100644 index 0000000000..1d6a9aa193 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-1.patch @@ -0,0 +1,72 @@ +From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 17:53:50 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34] +CVE: CVE-2025-32913 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-message-headers.c | 13 +++++++++---- + tests/header-parsing-test.c | 14 ++++++++++++++ + 2 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 56cc1e9d..04f4c302 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + */ + if (params && g_hash_table_lookup_extended (*params, "filename", + &orig_key, &orig_value)) { +- char *filename = strrchr (orig_value, '/'); +- +- if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ if (orig_value) { ++ char *filename = strrchr (orig_value, '/'); ++ ++ if (filename) ++ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ } else { ++ /* filename with no value isn't valid. */ ++ g_hash_table_remove (*params, "filename"); ++ } + } + return TRUE; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 5e423d2b..d0b360c8 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1039,6 +1039,7 @@ do_param_list_tests (void) + #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar" ++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename" + + static void + do_content_disposition_tests (void) +@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void) + g_assert_cmpstr (parameter2, ==, "bar"); + g_hash_table_destroy (params); + ++ /* Empty filename */ ++ soup_message_headers_clear (hdrs); ++ soup_message_headers_append (hdrs, "Content-Disposition", ++ RFC5987_TEST_HEADER_EMPTY_FILENAME); ++ if (!soup_message_headers_get_content_disposition (hdrs, ++ &disposition, ++ ¶ms)) { ++ soup_test_assert (FALSE, "empty filename decoding FAILED"); ++ return; ++ } ++ g_assert_false (g_hash_table_contains (params, "filename")); ++ g_hash_table_destroy (params); ++ + soup_message_headers_unref (hdrs); + + /* Ensure that soup-multipart always quotes filename */ +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-2.patch new file mode 100644 index 0000000000..6d30bb91d3 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32913-2.patch @@ -0,0 +1,44 @@ +From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 18:00:39 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: strdup + truncated filenames + +This table frees the strings it contains. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0] +CVE: CVE-2025-32913 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-message-headers.c | 2 +- + tests/header-parsing-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 04f4c302..ee7a3cb1 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + char *filename = strrchr (orig_value, '/'); + + if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1)); + } else { + /* filename with no value isn't valid. */ + g_hash_table_remove (*params, "filename"); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index d0b360c8..07ea2866 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void) + soup_test_assert (FALSE, "empty filename decoding FAILED"); + return; + } ++ g_free (disposition); + g_assert_false (g_hash_table_contains (params, "filename")); + g_hash_table_destroy (params); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index ec3305aed7..0b464d274b 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -20,6 +20,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52531-3.patch \ file://CVE-2025-32910.patch \ file://CVE-2025-32909.patch \ + file://CVE-2025-32913-1.patch \ + file://CVE-2025-32913-2.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Apr 16 05:13:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 61386 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66AC1C369B1 for ; Wed, 16 Apr 2025 05:13:51 +0000 (UTC) Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com [209.85.216.52]) by mx.groups.io with SMTP id smtpd.web10.12375.1744780422873412307 for ; Tue, 15 Apr 2025 22:13:42 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=QoGOMIOS; spf=pass (domain: mvista.com, ip: 209.85.216.52, mailfrom: vanusuri@mvista.com) Received: by mail-pj1-f52.google.com with SMTP id 98e67ed59e1d1-30828fc17adso4426897a91.1 for ; Tue, 15 Apr 2025 22:13:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1744780422; x=1745385222; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=+L5xTOX4Mo2ip8szpLWEO1SlW5i5Q44kXcBM6qtjT+o=; b=QoGOMIOSACcuKgXusIvMwkmcCcCgKHUGT15DfsALOwygufHNrNu+z5WiaSgrpFzx01 RH5WA/ylZyI2dYpPl6smRdU13zxRfcnIS65PEESeNSpuw5Yix45dPeYYZ7FL+FoUxaGu vtdONOXWCudW7QbpzFTdX552WsiaMCLZyu7N8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744780422; x=1745385222; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+L5xTOX4Mo2ip8szpLWEO1SlW5i5Q44kXcBM6qtjT+o=; b=JJ/kKVR2C28d72b4BXQKRg2D9PHRJ82cCGbtyxOPxD0kUceAA2SHJ44a33Q8J8aERI CDXSCpx9bhJFQTiRunh2MlLquZYNFIuM4L9A8Mgl3e3PwO5fc6zpNQ/xCLn5upZlhAUb sJ894wEj8+uXcN9E8+4wbNSht5qs13hN5PFVsO68/SAZQXb72OL2fgnVuhaTbGNpbE92 bZ+YXWqGwjJvGboKGajYAFGf7/2w8nLswNYnmMrZjd+2cZ9npF7GkrbQh+0UoX8K7jOt cmYlArRTKrrDRig6k/WptXgJpN3YboMVqpdhR26j+XYRpJXkJAFpDoR05qtl/t8LHOE5 SphQ== X-Gm-Message-State: AOJu0YyjjytkTft3yWCZ+2y77zwK9onM+W2f/ZCB/5cPAOmPAeqDNPfH 03NYt1b9IsuEePLMWW49oDdRhE1mzn5ZrPtp79cesNHIRYDIJ4o9i2K2wYirOnRRtJrNrK1NXBU S94M= X-Gm-Gg: ASbGncunbltUVGwmdEKddK7kdV+tIWWmetyGIdFVa74G/41BLkx1BuuGAiI7Mxx+0CX AtxZSpmahGIsRf+sqP8HvJwT6MdIexRc0CIB/d8fciFTcwhEOBpCrf9iMB0I6m9z505d/B0hRdX ol1ycO4sPzb8uStOqtvKpfzRZA06aMkqbfVIfb7Mrpkn4tuIxfQ6Ik0MmJtvhsptDpdXd9t6xoU FBjkHskN0fO3eDdYMp1Tu9q0vYqmD4AJLevogVA6xl46JnOktg6OV0TCrTl4K8l12xDjVrjynTs EucQIzGKCTeuwbBMLuUo7x3Xs+Y8iFMX6+8m/x9ChuJTEtV4pZs= X-Google-Smtp-Source: AGHT+IGgzKEJiCM5KKvgkdKSrD5KCO44Gvm5je5MA7LvjL4MmkqbP9mtaohGntezDbX5EwHXbspKcg== X-Received: by 2002:a17:90b:524a:b0:301:c5cb:7b13 with SMTP id 98e67ed59e1d1-30863d25d99mr694102a91.3.1744780421729; Tue, 15 Apr 2025 22:13:41 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.229.43]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-3086122a8absm582419a91.35.2025.04.15.22.13.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Apr 2025 22:13:41 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 4/5] libsoup: Fix CVE-2025-32912 Date: Wed, 16 Apr 2025 10:43:13 +0530 Message-Id: <20250416051314.96105-4-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250416051314.96105-1-vanusuri@mvista.com> References: <20250416051314.96105-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 16 Apr 2025 05:13:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214977 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe & https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a & https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f Signed-off-by: Vijay Anusuri --- .../libsoup-3.4.4/CVE-2025-32912-1.patch | 98 ++++++++++++ .../libsoup-3.4.4/CVE-2025-32912-2.patch | 149 ++++++++++++++++++ .../libsoup-3.4.4/CVE-2025-32912-3.patch | 41 +++++ .../libsoup-3.4.4/CVE-2025-32912-4.patch | 30 ++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 4 + 5 files changed, 322 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-2.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-3.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-4.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-1.patch new file mode 100644 index 0000000000..311f3020b8 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-1.patch @@ -0,0 +1,98 @@ +From e40df6d48a1cbab56f5d15016cc861a503423cfe Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sun, 8 Dec 2024 20:00:35 -0600 +Subject: [PATCH] auth-digest: Handle missing realm in authenticate header + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe] +CVE: CVE-2025-32912 #Dependency Patch1 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 3 ++ + tests/auth-test.c | 50 +++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 2e81849af..4f12e87a5 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -148,6 +148,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + ++ if (!soup_auth_get_realm (auth)) ++ return FALSE; ++ + g_free (priv->domain); + g_free (priv->nonce); + g_free (priv->opaque); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 158fdac10..3066e904a 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1866,6 +1866,55 @@ do_multiple_digest_algorithms (void) + soup_test_server_quit_unref (server); + } + ++static void ++on_request_read_for_missing_realm (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) ++{ ++ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++} ++ ++static void ++do_missing_realm_test (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupServer *server; ++ SoupAuthDomain *digest_auth_domain; ++ gint status; ++ GUri *uri; ++ ++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ soup_server_add_handler (server, NULL, ++ server_callback, NULL, NULL); ++ uri = soup_test_server_get_uri (server, "http", NULL); ++ ++ digest_auth_domain = soup_auth_domain_digest_new ( ++ "realm", "auth-test", ++ "auth-callback", server_digest_auth_callback, ++ NULL); ++ soup_auth_domain_add_path (digest_auth_domain, "/"); ++ soup_server_add_auth_domain (server, digest_auth_domain); ++ g_object_unref (digest_auth_domain); ++ ++ g_signal_connect (server, "request-read", ++ G_CALLBACK (on_request_read_for_missing_realm), ++ NULL); ++ ++ session = soup_test_session_new (NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ g_signal_connect (msg, "authenticate", ++ G_CALLBACK (on_digest_authenticate), ++ NULL); ++ ++ status = soup_test_session_send_message (session, msg); ++ ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); ++ g_uri_unref (uri); ++ soup_test_server_quit_unref (server); ++} ++ + int + main (int argc, char **argv) + { +@@ -1899,6 +1948,7 @@ main (int argc, char **argv) + g_test_add_func ("/auth/auth-uri", do_auth_uri_test); + g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate); + g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms); ++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test); + + ret = g_test_run (); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-2.patch new file mode 100644 index 0000000000..5809e178d1 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-2.patch @@ -0,0 +1,149 @@ +From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Thu, 26 Dec 2024 18:18:35 -0600 +Subject: [PATCH] auth-digest: Handle missing nonce + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a] +CVE: CVE-2025-32912 #Dependency Patch2 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 45 +++++++++++++++++++++++++-------- + tests/auth-test.c | 19 ++++++++------ + 2 files changed, 46 insertions(+), 18 deletions(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 4f12e87a..350bfde6 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -138,6 +138,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) + return g_string_free (out, FALSE); + } + ++static gboolean ++validate_params (SoupAuthDigest *auth_digest) ++{ ++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); ++ ++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { ++ if (!priv->nonce) ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ + static gboolean + soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + GHashTable *auth_params) +@@ -175,16 +188,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + if (priv->algorithm == -1) + ok = FALSE; + +- stale = g_hash_table_lookup (auth_params, "stale"); +- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) +- recompute_hex_a1 (priv); +- else { +- g_free (priv->user); +- priv->user = NULL; +- g_free (priv->cnonce); +- priv->cnonce = NULL; +- memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); +- memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ if (!validate_params (auth_digest)) ++ ok = FALSE; ++ ++ if (ok) { ++ stale = g_hash_table_lookup (auth_params, "stale"); ++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) ++ recompute_hex_a1 (priv); ++ else { ++ g_free (priv->user); ++ priv->user = NULL; ++ g_free (priv->cnonce); ++ priv->cnonce = NULL; ++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); ++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ } + } + + return ok; +@@ -276,6 +294,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp, + + /* In MD5-sess, A1 is hex_urp:nonce:cnonce */ + ++ g_assert (nonce && cnonce); ++ + checksum = g_checksum_new (G_CHECKSUM_MD5); + g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -366,6 +386,8 @@ soup_auth_digest_compute_response (const char *method, + if (qop) { + char tmp[9]; + ++ g_assert (cnonce); ++ + g_snprintf (tmp, 9, "%.8x", nc); + g_checksum_update (checksum, (guchar *)tmp, strlen (tmp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -429,6 +451,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg) + g_return_val_if_fail (uri != NULL, NULL); + url = soup_uri_get_path_and_query (uri); + ++ g_assert (priv->nonce); ++ g_assert (!priv->qop || priv->cnonce); ++ + soup_auth_digest_compute_response (soup_message_get_method (msg), url, priv->hex_a1, + priv->qop, priv->nonce, + priv->cnonce, priv->nc, +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 3066e904..c651c7cd 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1867,16 +1867,17 @@ do_multiple_digest_algorithms (void) + } + + static void +-on_request_read_for_missing_realm (SoupServer *server, +- SoupServerMessage *msg, +- gpointer user_data) ++on_request_read_for_missing_params (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) + { ++ const char *auth_header = user_data; + SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); +- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header); + } + + static void +-do_missing_realm_test (void) ++do_missing_params_test (gconstpointer auth_header) + { + SoupSession *session; + SoupMessage *msg; +@@ -1899,8 +1900,8 @@ do_missing_realm_test (void) + g_object_unref (digest_auth_domain); + + g_signal_connect (server, "request-read", +- G_CALLBACK (on_request_read_for_missing_realm), +- NULL); ++ G_CALLBACK (on_request_read_for_missing_params), ++ (gpointer)auth_header); + + session = soup_test_session_new (NULL); + msg = soup_message_new_from_uri ("GET", uri); +@@ -1948,7 +1949,9 @@ main (int argc, char **argv) + g_test_add_func ("/auth/auth-uri", do_auth_uri_test); + g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate); + g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms); +- g_test_add_func ("/auth/missing-realm", do_missing_realm_test); ++ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); + + ret = g_test_run (); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-3.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-3.patch new file mode 100644 index 0000000000..c35c599502 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-3.patch @@ -0,0 +1,41 @@ +From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 14:03:05 -0600 +Subject: [PATCH] auth-digest: Handle missing nonce + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992] +CVE: CVE-2025-32912 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 2 +- + tests/auth-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 9eb7fa0e..d69a4013 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth)) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index c651c7cd..484097f1 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1952,6 +1952,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test); + + ret = g_test_run (); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-4.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-4.patch new file mode 100644 index 0000000000..ad6f3a8028 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-4.patch @@ -0,0 +1,30 @@ +From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 8 Feb 2025 12:30:13 -0600 +Subject: [PATCH] digest-auth: Handle NULL nonce + +`contains` only handles a missing nonce, `lookup` handles both missing and empty. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f] +CVE: CVE-2025-32912 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index d69a4013..dc4dbfc5 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 0b464d274b..bb1360bc49 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -22,6 +22,10 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32909.patch \ file://CVE-2025-32913-1.patch \ file://CVE-2025-32913-2.patch \ + file://CVE-2025-32912-1.patch \ + file://CVE-2025-32912-2.patch \ + file://CVE-2025-32912-3.patch \ + file://CVE-2025-32912-4.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Apr 16 05:13:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 61387 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 69A76C369BA for ; Wed, 16 Apr 2025 05:14:01 +0000 (UTC) Received: from mail-pg1-f171.google.com (mail-pg1-f171.google.com [209.85.215.171]) by mx.groups.io with SMTP id smtpd.web10.12377.1744780427794896095 for ; Tue, 15 Apr 2025 22:13:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=VuCmCBSs; spf=pass (domain: mvista.com, ip: 209.85.215.171, mailfrom: vanusuri@mvista.com) Received: by mail-pg1-f171.google.com with SMTP id 41be03b00d2f7-af52a624283so312740a12.0 for ; Tue, 15 Apr 2025 22:13:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1744780427; x=1745385227; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=9vvdWVtTls6CeqYtGZdXS8roXax57T0131oS0Ef897E=; b=VuCmCBSsYiBpxCF4zsPCSU4NitoRyJsYrRq/xr5NzEgW575B2FRWEVn0JdYXZqzkEJ ZtRjJQCHx5PV8kU2JCMojDmiqQ7EiIvK10PrnQW0M8HvLv7tZBtm7+lX7WZl/k10HHHV 6MuWhhDLxSKsOJK6pElzsTUfjt8vc/S0IUNhs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744780427; x=1745385227; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9vvdWVtTls6CeqYtGZdXS8roXax57T0131oS0Ef897E=; b=oWKPIy16Zf/1ZF9XrgcIxcQ4/UspCU2Z//RP/p7+rO/D3Ny3w8+4fM4GNkFI30CXC4 9rUTQjxn9htXXkBPdFYMv9gY82Mu/dYWLnL6SjLtYvL54MhPTQyLS7Qh3hd1jxkX4+pz WsL1ZgO1zrURE2P3JE4qsdOc2NRQ6dZv2H303ikTYWsMDn7o3zDjGChk2sObR1qufVgR sW04uCTYFGqxUsscwlB3H6d4FdrNRS9ALky228iQuD1dvEQHizFjBbuhOZrrqdzPbnZl DbiWnDgGjGsW1oObSWrEPB/jA3jTl4dZ/4yCDzrcPl7xHeERQTswnGXaGRJYx6m92t4e PY+g== X-Gm-Message-State: AOJu0Yy+JDczjgOZeMwFUQkE3Na5vxkLsr+9bSaQbDGX1iL3skcyWWBg Yi0lUDUwv83M4fOqUwywch/XeSPwrw5OnrQffGuYvF1jraeotL0K67svrbBojbVufYQPaU+/2jb huJs= X-Gm-Gg: ASbGnctB1v+RVF5lchL9P+8rKpAFrdZzH4KXRfqEwkOM6u8oB8SFcDCn76wbnakJ3fI /Bn/hP4zhyiKYLyWFQ/jXJdLiFjUOFg8E0wPv3YnNQr5qsr0ghoQPweOU6yIW7cLWQ8WqyoJJ4c llrFCCheJS8pIxQqYTCCouhmXGjK/3guRb0a8dhXjEVzOmGMsvjItylzuRzVXeUjACXIS0gc6Ld qWCeEcSKu8zU5Dtrhu/dip6kkya06TpPa46zey46aD5kaCLO+tfW1EE4YDdgO0V4BAppi94658d GB/x9sOfDIaKJvQybHMSqZb/4yhWdD6UUvk2+ubv/BhZ6jJJkA4= X-Google-Smtp-Source: AGHT+IFQQwtr7D4hATmX+diUEfUb39T8NyRUDsQLHEXG+6pa3TIVplmiL6BgYqGb+IMTf0KCR7976A== X-Received: by 2002:a17:90b:5683:b0:2fa:4926:d18d with SMTP id 98e67ed59e1d1-308646c937cmr600382a91.13.1744780426644; Tue, 15 Apr 2025 22:13:46 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.229.43]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-3086122a8absm582419a91.35.2025.04.15.22.13.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Apr 2025 22:13:45 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 5/5] libsoup: Fix CVE-2025-32906 Date: Wed, 16 Apr 2025 10:43:14 +0530 Message-Id: <20250416051314.96105-5-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250416051314.96105-1-vanusuri@mvista.com> References: <20250416051314.96105-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 16 Apr 2025 05:14:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214978 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f Signed-off-by: Vijay Anusuri --- .../libsoup-3.4.4/CVE-2025-32906-1.patch | 61 ++++++++++++++ .../libsoup-3.4.4/CVE-2025-32906-2.patch | 83 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 2 + 3 files changed, 146 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch new file mode 100644 index 0000000000..916a41a71f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch @@ -0,0 +1,61 @@ +From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 11 Feb 2025 14:36:26 -0600 +Subject: [PATCH] headers: Handle parsing edge case + +This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931] +CVE: CVE-2025-32906 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-headers.c | 2 +- + tests/header-parsing-test.c | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 85385cea..9d6d00a3 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str, + !g_ascii_isdigit (version[5])) + return SOUP_STATUS_BAD_REQUEST; + major_version = strtoul (version + 5, &p, 10); +- if (*p != '.' || !g_ascii_isdigit (p[1])) ++ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1])) + return SOUP_STATUS_BAD_REQUEST; + minor_version = strtoul (p + 1, &p, 10); + version_end = p; +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 07ea2866..10ddb684 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,6 +6,10 @@ typedef struct { + const char *name, *value; + } Header; + ++static char unterminated_http_version[] = { ++ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -383,6 +387,14 @@ static struct RequestTest { + { { NULL } } + }, + ++ /* This couldn't be a C string as going one byte over would have been safe. */ ++ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", ++ unterminated_http_version, sizeof (unterminated_http_version), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } ++ }, ++ + { "Non-HTTP request", NULL, + "GET / SOUP/1.1\r\nHost: example.com\r\n", -1, + SOUP_STATUS_BAD_REQUEST, +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-2.patch new file mode 100644 index 0000000000..5baad15648 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-2.patch @@ -0,0 +1,83 @@ +From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 12 Feb 2025 11:30:02 -0600 +Subject: [PATCH] headers: Handle parsing only newlines + +Closes #404 +Closes #407 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f] +CVE: CVE-2025-32906 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-headers.c | 4 ++-- + tests/header-parsing-test.c | 13 ++++++++++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 9d6d00a3..52ef2ece 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str, + /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s) + * received where a Request-Line is expected." + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str, + * after a response, which we then see prepended to the next + * response on that connection. + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 10ddb684..4faafbd6 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,10 +6,15 @@ typedef struct { + const char *name, *value; + } Header; + ++/* These are not C strings to ensure going one byte over is not safe. */ + static char unterminated_http_version[] = { + 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.' + }; + ++static char only_newlines[] = { ++ '\n', '\n', '\n', '\n' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -387,7 +392,6 @@ static struct RequestTest { + { { NULL } } + }, + +- /* This couldn't be a C string as going one byte over would have been safe. */ + { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", + unterminated_http_version, sizeof (unterminated_http_version), + SOUP_STATUS_BAD_REQUEST, +@@ -457,6 +461,13 @@ static struct RequestTest { + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ { "Only newlines", NULL, ++ only_newlines, sizeof (only_newlines), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index bb1360bc49..30b8320a64 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -26,6 +26,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32912-2.patch \ file://CVE-2025-32912-3.patch \ file://CVE-2025-32912-4.patch \ + file://CVE-2025-32906-1.patch \ + file://CVE-2025-32906-2.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"