From patchwork Thu Apr 17 14:04:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 61506 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55DFAC369D2 for ; Thu, 17 Apr 2025 14:04:48 +0000 (UTC) Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) by mx.groups.io with SMTP id smtpd.web11.9756.1744898680737865271 for ; Thu, 17 Apr 2025 07:04:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=H2EgXRuy; spf=pass (domain: mvista.com, ip: 209.85.210.176, mailfrom: vanusuri@mvista.com) Received: by mail-pf1-f176.google.com with SMTP id d2e1a72fcca58-7369ce5d323so677210b3a.1 for ; Thu, 17 Apr 2025 07:04:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1744898679; x=1745503479; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=qJrFfrNkkdI/tRnHSRQ6+TkmK7mUJXHrJ124RRbxSZ0=; b=H2EgXRuyCWmNau8IHwzDpxK5lRK4Ez0tp2NigdDcPUtiEA2Mv17Sbk1RYjjspcQWOh dnRWOLpkwa+VB+ugAXyKm4eDTjeG+QW38ZEoPkcQaKvGJIRTrWLvSBOGEfQie8ezqz+z ErAQM8KLUREAJRlIzcW80rFjO23QGVORR7pKU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744898679; x=1745503479; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qJrFfrNkkdI/tRnHSRQ6+TkmK7mUJXHrJ124RRbxSZ0=; b=DwMLvdu5nuTU7f73ssPrVyPMCG8dI04P1ywdaBlD/G/zvvZ/wdIMutjnY9Gg30+SVt xbENW7xyupQ7kU2pcYQzaitILAS8hbqDEzpVOSA9NdX9Pg9yuYEC3WcYNwlzeGLJY3v5 izWTvzLV2zSDtNd1MTUufpMyPY80M9CtoZavEvyyItV2oFIOIF0rl0YENIODHpRRQ0pH QDoOX70ooyb7wZeqXs4PSjO22nEr4dPN0smIRvA6BK0Uau/s9SRgINgGqgV98myM2iYm SFZtEvdlSQHvDUJqzNbHryWn/Tcfi4lbvJs+ueOmYjhbCvX+E+cG984Z/GyCf38r2QZ4 5mUg== X-Gm-Message-State: AOJu0YzFEuKVwz7V13HTxzaMd4C8YwQ1mwmbL7zgrsJV1sh2sXNiyMv6 Hx7/Y4yvVlDy3/wzuHPHr7/3YAI2UPaZb9HOeuVTkAlgWUBdfHt8lvG98XxqNoub/7YL962t/P5 NX6E= X-Gm-Gg: ASbGncvpbpc6vVB4NgqKCPE0MILftjn9fDCnlBh47HM2bzxhq7LRUolKlKITwAUwmhr M/u5NPjC919gR6Gg3MHLl2NsSKfE0yYV4ZSHVAJHgBXmALrRcc7YF4fuM7Tc0W44ERdlzp/i+GF hQegyJ1yoC6hMi67iCoFUXivIma+H0rnB89vLPal0oNQFMIYunuggenOlZeJsj8U8J2mOdb1n7T JGvpxTuF2/FShjx/0BwfmtXspr4+Ncv1GfP+l7QKz9wzKyAiuU3TEU4JJ8KNrg8RHQTYS6VW0po wBFE5p7IdPXZJ4w6BzsVMIZ+Wxe+T4+zXDePpOxjXw4S2Apn0HfH X-Google-Smtp-Source: AGHT+IHWT3vzTVE33lZ4zR66jmhXix7Xp/NfeXoZ9bsikmrC3WpkQtJgJGVuDlvNxJ40QDeIqtBPaA== X-Received: by 2002:a05:6a00:328a:b0:736:32d2:aa93 with SMTP id d2e1a72fcca58-73c267fdc02mr9630746b3a.20.1744898679161; Thu, 17 Apr 2025 07:04:39 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.223.203]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-73db4717bfasm1127812b3a.129.2025.04.17.07.04.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Apr 2025 07:04:38 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH v3 1/5] libsoup: Fix CVE-2025-32910 Date: Thu, 17 Apr 2025 19:34:25 +0530 Message-Id: <20250417140429.136534-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Apr 2025 14:04:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215079 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe & https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a & https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 Signed-off-by: Vijay Anusuri --- .../libsoup-3.4.4/CVE-2025-32910-1.patch | 98 ++++++++++++ .../libsoup-3.4.4/CVE-2025-32910-2.patch | 149 ++++++++++++++++++ .../libsoup-3.4.4/CVE-2025-32910-3.patch | 27 ++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 3 + 4 files changed, 277 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-2.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-3.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-1.patch new file mode 100644 index 0000000000..27011f587f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-1.patch @@ -0,0 +1,98 @@ +From e40df6d48a1cbab56f5d15016cc861a503423cfe Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sun, 8 Dec 2024 20:00:35 -0600 +Subject: [PATCH] auth-digest: Handle missing realm in authenticate header + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 3 ++ + tests/auth-test.c | 50 +++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 2e81849af..4f12e87a5 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -148,6 +148,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + ++ if (!soup_auth_get_realm (auth)) ++ return FALSE; ++ + g_free (priv->domain); + g_free (priv->nonce); + g_free (priv->opaque); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 158fdac10..3066e904a 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1866,6 +1866,55 @@ do_multiple_digest_algorithms (void) + soup_test_server_quit_unref (server); + } + ++static void ++on_request_read_for_missing_realm (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) ++{ ++ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++} ++ ++static void ++do_missing_realm_test (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupServer *server; ++ SoupAuthDomain *digest_auth_domain; ++ gint status; ++ GUri *uri; ++ ++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ soup_server_add_handler (server, NULL, ++ server_callback, NULL, NULL); ++ uri = soup_test_server_get_uri (server, "http", NULL); ++ ++ digest_auth_domain = soup_auth_domain_digest_new ( ++ "realm", "auth-test", ++ "auth-callback", server_digest_auth_callback, ++ NULL); ++ soup_auth_domain_add_path (digest_auth_domain, "/"); ++ soup_server_add_auth_domain (server, digest_auth_domain); ++ g_object_unref (digest_auth_domain); ++ ++ g_signal_connect (server, "request-read", ++ G_CALLBACK (on_request_read_for_missing_realm), ++ NULL); ++ ++ session = soup_test_session_new (NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ g_signal_connect (msg, "authenticate", ++ G_CALLBACK (on_digest_authenticate), ++ NULL); ++ ++ status = soup_test_session_send_message (session, msg); ++ ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); ++ g_uri_unref (uri); ++ soup_test_server_quit_unref (server); ++} ++ + int + main (int argc, char **argv) + { +@@ -1899,6 +1948,7 @@ main (int argc, char **argv) + g_test_add_func ("/auth/auth-uri", do_auth_uri_test); + g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate); + g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms); ++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test); + + ret = g_test_run (); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-2.patch new file mode 100644 index 0000000000..b62e09cbdb --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-2.patch @@ -0,0 +1,149 @@ +From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Thu, 26 Dec 2024 18:18:35 -0600 +Subject: [PATCH] auth-digest: Handle missing nonce + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 45 +++++++++++++++++++++++++-------- + tests/auth-test.c | 19 ++++++++------ + 2 files changed, 46 insertions(+), 18 deletions(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 4f12e87a..350bfde6 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -138,6 +138,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) + return g_string_free (out, FALSE); + } + ++static gboolean ++validate_params (SoupAuthDigest *auth_digest) ++{ ++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); ++ ++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { ++ if (!priv->nonce) ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ + static gboolean + soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + GHashTable *auth_params) +@@ -175,16 +188,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + if (priv->algorithm == -1) + ok = FALSE; + +- stale = g_hash_table_lookup (auth_params, "stale"); +- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) +- recompute_hex_a1 (priv); +- else { +- g_free (priv->user); +- priv->user = NULL; +- g_free (priv->cnonce); +- priv->cnonce = NULL; +- memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); +- memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ if (!validate_params (auth_digest)) ++ ok = FALSE; ++ ++ if (ok) { ++ stale = g_hash_table_lookup (auth_params, "stale"); ++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) ++ recompute_hex_a1 (priv); ++ else { ++ g_free (priv->user); ++ priv->user = NULL; ++ g_free (priv->cnonce); ++ priv->cnonce = NULL; ++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); ++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ } + } + + return ok; +@@ -276,6 +294,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp, + + /* In MD5-sess, A1 is hex_urp:nonce:cnonce */ + ++ g_assert (nonce && cnonce); ++ + checksum = g_checksum_new (G_CHECKSUM_MD5); + g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -366,6 +386,8 @@ soup_auth_digest_compute_response (const char *method, + if (qop) { + char tmp[9]; + ++ g_assert (cnonce); ++ + g_snprintf (tmp, 9, "%.8x", nc); + g_checksum_update (checksum, (guchar *)tmp, strlen (tmp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -429,6 +451,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg) + g_return_val_if_fail (uri != NULL, NULL); + url = soup_uri_get_path_and_query (uri); + ++ g_assert (priv->nonce); ++ g_assert (!priv->qop || priv->cnonce); ++ + soup_auth_digest_compute_response (soup_message_get_method (msg), url, priv->hex_a1, + priv->qop, priv->nonce, + priv->cnonce, priv->nc, +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 3066e904..c651c7cd 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1867,16 +1867,17 @@ do_multiple_digest_algorithms (void) + } + + static void +-on_request_read_for_missing_realm (SoupServer *server, +- SoupServerMessage *msg, +- gpointer user_data) ++on_request_read_for_missing_params (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) + { ++ const char *auth_header = user_data; + SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); +- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header); + } + + static void +-do_missing_realm_test (void) ++do_missing_params_test (gconstpointer auth_header) + { + SoupSession *session; + SoupMessage *msg; +@@ -1899,8 +1900,8 @@ do_missing_realm_test (void) + g_object_unref (digest_auth_domain); + + g_signal_connect (server, "request-read", +- G_CALLBACK (on_request_read_for_missing_realm), +- NULL); ++ G_CALLBACK (on_request_read_for_missing_params), ++ (gpointer)auth_header); + + session = soup_test_session_new (NULL); + msg = soup_message_new_from_uri ("GET", uri); +@@ -1948,7 +1949,9 @@ main (int argc, char **argv) + g_test_add_func ("/auth/auth-uri", do_auth_uri_test); + g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate); + g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms); +- g_test_add_func ("/auth/missing-realm", do_missing_realm_test); ++ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); + + ret = g_test_run (); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-3.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-3.patch new file mode 100644 index 0000000000..32e0c86e62 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-3.patch @@ -0,0 +1,27 @@ +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 13:52:52 -0600 +Subject: [PATCH] auth-digest: Fix leak + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 350bfde6..9eb7fa0e 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object) + g_free (priv->nonce); + g_free (priv->domain); + g_free (priv->cnonce); ++ g_free (priv->opaque); + + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index b2e32b892a..80cbbdf8ea 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -18,6 +18,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52531-1.patch \ file://CVE-2024-52531-2.patch \ file://CVE-2024-52531-3.patch \ + file://CVE-2025-32910-1.patch \ + file://CVE-2025-32910-2.patch \ + file://CVE-2025-32910-3.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Thu Apr 17 14:04:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 61505 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5401EC369D1 for ; Thu, 17 Apr 2025 14:04:48 +0000 (UTC) Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) by mx.groups.io with SMTP id smtpd.web11.9758.1744898687769223875 for ; Thu, 17 Apr 2025 07:04:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=CkhENQxI; spf=pass (domain: mvista.com, ip: 209.85.210.179, mailfrom: vanusuri@mvista.com) Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-736c062b1f5so642273b3a.0 for ; Thu, 17 Apr 2025 07:04:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1744898687; x=1745503487; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=9iwphMBGlTY25vfn5AjfjyeCZTTgksIlGA0dYtp7hSI=; b=CkhENQxIl5/Sf6R537wEjsrQvXw+s4x3AloNGRfWJFLwpbqpa1tLxjb8Z8bh+g5IkF QNhqxk4TYzZZr+XFXR3BvQ5DSJHIMchyWWvOFCcWpLQ5rfTWnm6AXfwLqgRVDvuPxMHp KULvW6/kfl2zJ/T1jvgpL7cgS/erHb7OXDooM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744898687; x=1745503487; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9iwphMBGlTY25vfn5AjfjyeCZTTgksIlGA0dYtp7hSI=; b=f/TUxMrK88F88ZGLZm+KmQBopiO70QI8qAdOEj9GzaceThTKQneXw28Q5CtOMDUdTf XE138IF4d6KlaXa6FEy3YWhT+4Sm80FsbFk5DTTBy6gL5BpWIkGhu7+tRl+3hyFOJIgG ixQDLL77/+ookqC9gS0ubP9x++iyTTQz0LiUF67vW+qNSGDED81jfZf9z4F4uV4bcJ5c UJfyfArgksnMBG/2Xlj89HA8MiGW1cxTG+VSEUocPbgHpymGda95Bhbp49qsNDRy3U8J nXQWf9MbSw9jPYbA/UZmi3t6EEW6ezH0fndxknRwzGhdAqokHcqdIX2PWGoviaNv7tyg 2ezw== X-Gm-Message-State: AOJu0Ywx/WgS9sTzKU6+iEw2IOxrYyHd6ZMEIrqaYz8TBjuf0829qKOq pQ0ZqgpCfUqUvMhQ0oTWFMzKV8MWrbPHG8NI3vFTs0CpJR0P30iF4oRr1LndPvwo3aB+6AshjGw rFAU= X-Gm-Gg: ASbGncuUTwgn8pF0kWTwUvCJMgss/M5bET88yA7uPyokKwRDHDua5LyGdmg++P+vy4Z l4qRu44l2ktaXOg1chPosUt0DCfXqTnyc6mmUpnhZK9fnjLrSJ1lfKjB5dzSqteOsgE90A4PyWU /POZxijggfepgH41TqqBFYwpFjipzhSLsnh75Q/bBI7qSL8Y/ZlWw+Iet2588tbPhF6iI93w+Z/ zpXfXpyMqdXMnhtWNUo/BDw8fVl9TLQWQe2Lnl92AAsZ15MiN4EcVM7ijsM42+h2FJMoUzcTuK3 SIJN35rloGBGvlETcOzWlktSy78oLUjNd9qdy0bHGNGwYwwJeK4h X-Google-Smtp-Source: AGHT+IEQaZ5PMbtIIuO3iTjYczWZier7aQvwxOLEAvrOw6mn9MtY8PAcLrgDcE9Bb/9g4dG/Z/iPkA== X-Received: by 2002:a05:6a00:e0f:b0:736:4ebd:e5a with SMTP id d2e1a72fcca58-73c267f2c4bmr9581780b3a.20.1744898686680; Thu, 17 Apr 2025 07:04:46 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.223.203]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-73db4717bfasm1127812b3a.129.2025.04.17.07.04.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Apr 2025 07:04:46 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH v3 2/5] libsoup: Fix CVE-2025-32909 Date: Thu, 17 Apr 2025 19:34:26 +0530 Message-Id: <20250417140429.136534-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250417140429.136534-1-vanusuri@mvista.com> References: <20250417140429.136534-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Apr 2025 14:04:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215080 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/comm it/ba4c3a6f988beff59e45801ab36067293d24ce92 Signed-off-by: Vijay Anusuri --- .../libsoup-3.4.4/CVE-2025-32909.patch | 36 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32909.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32909.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32909.patch new file mode 100644 index 0000000000..8982da58f1 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32909.patch @@ -0,0 +1,36 @@ +From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 8 Jan 2025 16:30:17 -0600 +Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4 + bytes + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92] +CVE: CVE-2025-32909 +Signed-off-by: Vijay Anusuri +--- + libsoup/content-sniffer/soup-content-sniffer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index 5a181ff1..aeee2e25 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -243,9 +243,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, GBytes *buffer) + gsize resource_length; + const char *resource = g_bytes_get_data (buffer, &resource_length); + resource_length = MIN (512, resource_length); +- guint32 box_size = *((guint32*)resource); ++ guint32 box_size; + guint i; + ++ if (resource_length < sizeof (guint32)) ++ return FALSE; ++ ++ box_size = *((guint32*)resource); ++ + #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + box_size = ((box_size >> 24) | + ((box_size << 8) & 0x00FF0000) | +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 80cbbdf8ea..afba5ac12d 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -21,6 +21,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32910-1.patch \ file://CVE-2025-32910-2.patch \ file://CVE-2025-32910-3.patch \ + file://CVE-2025-32909.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Thu Apr 17 14:04:27 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 61507 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DED0C369C2 for ; Thu, 17 Apr 2025 14:04:58 +0000 (UTC) Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) by mx.groups.io with SMTP id smtpd.web10.9612.1744898695063609040 for ; Thu, 17 Apr 2025 07:04:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=LpEPboXf; spf=pass (domain: mvista.com, ip: 209.85.210.179, mailfrom: vanusuri@mvista.com) Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-7399838db7fso821520b3a.0 for ; Thu, 17 Apr 2025 07:04:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1744898694; x=1745503494; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=lGke4S3EKsrIe9DiKkaSU2zi1I0Y2utWI0pX8XDMfW4=; b=LpEPboXfwVAVlRKlnzlL+PjprtwwimxzvgqGiqkqEM6aOsJTARVeXCerkbu1nN/gMv QDz7A/+cBDe4F8cfO0DCTdWLROweXjayqhRHfJvM5qm6bmUz15tsIGpIkhdMLjmH/8MV wPLgD5AE/8dRO2VOpdm1lnU1wsR0p1vLtQZfM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744898694; x=1745503494; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lGke4S3EKsrIe9DiKkaSU2zi1I0Y2utWI0pX8XDMfW4=; b=s7i6sDAhxDBRNtzNEVysx9bht68ikzy0bwvrXg+minKGNFFWfi6Rb86mkkOCrVZyte b6R2aikaEg7uwxSSrfpvTkOcG2fRrccmbRJ7h0RGn3SEmF/PkW/LhuDbL8mseROM5s1y VQk/OFC6NynD3g2x5BgzsQDhdSOe9m4GA0wue4C1kvuTQSGBmKtt9sK1eCkYVOUyvVu2 j8H0/2M1n35yCZKcPM1FjiPO1Qei2Ao2ZZrpyZ6aQfiR/eemz61sTZpQ1NsGPYmRFNoD p4+HntsEOcRhhQkB+Gn5kAEfwD2Npfn24zSlbuHmaaiM2Lj4ElB54R71ld4dosGMlOea 0bRw== X-Gm-Message-State: AOJu0Yx48yLWXWbzsej14jMmpm9ofUOMxU0sacnBsVlwN4bpVLUg8oD4 6XqZzxLHtbTPNC+5C/sMQ3sQQi6AwVjoFGHqAIZUDQCZw9FlZgI4k4zQXygQNEoscXKJQPqNMgm +i8c= X-Gm-Gg: ASbGncsyHt1QZjVKYZjfe5XN7i/XLxEwe0U0lVNZA3K4UFR8i4+F0NNRv8AhTXEck2l NJf2E3qMFJxjmO/MMw32vc3W+tquZxsHIayyRJ4MMDH8dscblmNcaw2ywvDDjOlbBGRZMdBXxv1 SuZk9t1+YqgVvhkY4Eiwnq8DvJiUHVn3esAz2Qkn3GPlXE4tLbp5q62pxnVdytrCWqgsmiNsHoQ iiIOkg6GQ8pFB2WUBMLO+ivjYLCNOIb5VI3MQkZw5MFB8X+nQeI54fyXvKtCaWC9bNKjucAs3qK 2W0GOxpDWon8Czus7d1ojztkg2kFzrQ1mQQT28XudwxzV8d8RSGg X-Google-Smtp-Source: AGHT+IEP6L75Ln5crVDsZYaDLwLP5MvmVknZ+1ZYz0HEYmubuF1MHp56imtcJM7uK+YypHgSgn6Geg== X-Received: by 2002:a05:6a00:1414:b0:732:1ce5:4a4c with SMTP id d2e1a72fcca58-73cf28f5949mr3579644b3a.1.1744898693811; Thu, 17 Apr 2025 07:04:53 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.223.203]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-73db4717bfasm1127812b3a.129.2025.04.17.07.04.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Apr 2025 07:04:53 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH v3 3/5] libsoup: Fix CVE-2025-32911 & CVE-2025-32913 Date: Thu, 17 Apr 2025 19:34:27 +0530 Message-Id: <20250417140429.136534-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250417140429.136534-1-vanusuri@mvista.com> References: <20250417140429.136534-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Apr 2025 14:04:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215081 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0 Signed-off-by: Vijay Anusuri --- .../CVE-2025-32911_CVE-2025-32913-1.patch | 72 +++++++++++++++++++ .../CVE-2025-32911_CVE-2025-32913-2.patch | 44 ++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 2 + 3 files changed, 118 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-1.patch new file mode 100644 index 0000000000..4e1d8212f5 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-1.patch @@ -0,0 +1,72 @@ +From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 17:53:50 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34] +CVE: CVE-2025-32911 CVE-2025-32913 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-message-headers.c | 13 +++++++++---- + tests/header-parsing-test.c | 14 ++++++++++++++ + 2 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 56cc1e9d..04f4c302 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + */ + if (params && g_hash_table_lookup_extended (*params, "filename", + &orig_key, &orig_value)) { +- char *filename = strrchr (orig_value, '/'); +- +- if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ if (orig_value) { ++ char *filename = strrchr (orig_value, '/'); ++ ++ if (filename) ++ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ } else { ++ /* filename with no value isn't valid. */ ++ g_hash_table_remove (*params, "filename"); ++ } + } + return TRUE; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 5e423d2b..d0b360c8 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1039,6 +1039,7 @@ do_param_list_tests (void) + #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar" ++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename" + + static void + do_content_disposition_tests (void) +@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void) + g_assert_cmpstr (parameter2, ==, "bar"); + g_hash_table_destroy (params); + ++ /* Empty filename */ ++ soup_message_headers_clear (hdrs); ++ soup_message_headers_append (hdrs, "Content-Disposition", ++ RFC5987_TEST_HEADER_EMPTY_FILENAME); ++ if (!soup_message_headers_get_content_disposition (hdrs, ++ &disposition, ++ ¶ms)) { ++ soup_test_assert (FALSE, "empty filename decoding FAILED"); ++ return; ++ } ++ g_assert_false (g_hash_table_contains (params, "filename")); ++ g_hash_table_destroy (params); ++ + soup_message_headers_unref (hdrs); + + /* Ensure that soup-multipart always quotes filename */ +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-2.patch new file mode 100644 index 0000000000..5d9f33c736 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-2.patch @@ -0,0 +1,44 @@ +From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 18:00:39 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: strdup + truncated filenames + +This table frees the strings it contains. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0] +CVE: CVE-2025-32911 CVE-2025-32913 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-message-headers.c | 2 +- + tests/header-parsing-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 04f4c302..ee7a3cb1 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + char *filename = strrchr (orig_value, '/'); + + if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1)); + } else { + /* filename with no value isn't valid. */ + g_hash_table_remove (*params, "filename"); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index d0b360c8..07ea2866 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void) + soup_test_assert (FALSE, "empty filename decoding FAILED"); + return; + } ++ g_free (disposition); + g_assert_false (g_hash_table_contains (params, "filename")); + g_hash_table_destroy (params); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index afba5ac12d..167163b91f 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -22,6 +22,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32910-2.patch \ file://CVE-2025-32910-3.patch \ file://CVE-2025-32909.patch \ + file://CVE-2025-32911_CVE-2025-32913-1.patch \ + file://CVE-2025-32911_CVE-2025-32913-2.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Thu Apr 17 14:04:28 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 61508 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3EB0CC369C2 for ; Thu, 17 Apr 2025 14:05:08 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web11.9764.1744898698996222566 for ; Thu, 17 Apr 2025 07:04:59 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=DIUn5D3H; spf=pass (domain: mvista.com, ip: 209.85.214.176, mailfrom: vanusuri@mvista.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-224191d92e4so9130545ad.3 for ; Thu, 17 Apr 2025 07:04:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1744898698; x=1745503498; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=CC7WRHPQDY+TNetoSqfnDLWKhUXkQU8geJ6s2alr7KM=; b=DIUn5D3Hy6ZI5+PsHp4/Wp3RIsS5lgW65+waBm7YGLP2lGyQ/F1mAoDBWySpxwES27 8mv7Qm2ioox3galzdfrXTRs8ab5h7UUR2glgUTPJW6d/FwZ4Cg/Om9VWBX/GTY/FH7zM EyQH5CBIT50QaM2lyfD/6n7PaSzyRI1klP8do= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744898698; x=1745503498; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=CC7WRHPQDY+TNetoSqfnDLWKhUXkQU8geJ6s2alr7KM=; b=I5pWrz5IpJ3IyrYMKI+VZdqxjiEvJtQ3bsm29HDtChUZlLcNjgiloOOQBwRqu/GvSi r+Tbebtmj+X/4lNSV/uE6Gwc4A2V3RD47S23QMLbIly9JtfZ+1ZPGMFMkg3mcWZ+ek7U Hc63GPVnSw/VwUU4Kodtphy3joRrMWMAncW1CnLEONRr7+W87oIZmEmL4pPqQDml/1sQ n0iGKg2glFxb3u9c3hsGFnCbR+bQX/ifvFyFebX8/0ZgaV5g1byDnqzieYyKV3dPXKjX XYIKfBu1puTi9Nm8VsZSC0tXXdHqDSvjIyQ9tIGa7Y2KpzaZbE7k0yN6nq2IbsXioYnD FuxA== X-Gm-Message-State: AOJu0YysB6sVt1sN1BoPBZ7nOpuqJ59/7xhGr7Dz3smWNZyqPtacVtED Pv+5h1Uop0U2od6h2PyAAVRtkOQRQHp93qShMgooqu+ak+8t2e2AxSZlOlcrKD+Q7etzp27ENap 301c= X-Gm-Gg: ASbGncuWocSO9CHdg/A++aCUtFzixOG2UTMtwS/t9Ha+KdnHJK9DrZsZoS7TyhAWTe9 gMdHorL/Vob6yR9yr7iQRImPFJA2/5Z8YoD3W40jFWrsFMQiZkktV7H8WIK9OFyHyjs+arfiJuW W6xsRiVoVs7OQg4Q9jn5PqAjFia4NIT2eWxgfpbUEMKLOraQlYAL216RWoSXTUTjcnDSknVIGWu k9ouu41nj/tGBnbEuNAC30umIk9lXbdOXBtgSlg8OgODfUs1BnWJqBzehpl5HEHUzQgity8miMm A6NbEAr3U3e+A29txnhZXRLWgcSa/ma2tFYX9nhoucnOOuPFm2+M X-Google-Smtp-Source: AGHT+IGkaomA/zbAnz1kDNrUMF/3YggbE8AlNfX1g2/X3gEDwu3lGQkoFacwyiynit/Rk7HqEW+Tog== X-Received: by 2002:a17:902:fc86:b0:225:adf8:8634 with SMTP id d9443c01a7336-22c359913a1mr86220295ad.51.1744898697804; Thu, 17 Apr 2025 07:04:57 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.223.203]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-73db4717bfasm1127812b3a.129.2025.04.17.07.04.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Apr 2025 07:04:57 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH v3 4/5] libsoup: Fix CVE-2025-32912 Date: Thu, 17 Apr 2025 19:34:28 +0530 Message-Id: <20250417140429.136534-4-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250417140429.136534-1-vanusuri@mvista.com> References: <20250417140429.136534-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Apr 2025 14:05:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215082 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f Signed-off-by: Vijay Anusuri --- .../libsoup-3.4.4/CVE-2025-32912-1.patch | 41 +++++++++++++++++++ .../libsoup-3.4.4/CVE-2025-32912-2.patch | 30 ++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 2 + 3 files changed, 73 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-1.patch new file mode 100644 index 0000000000..c35c599502 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-1.patch @@ -0,0 +1,41 @@ +From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 14:03:05 -0600 +Subject: [PATCH] auth-digest: Handle missing nonce + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992] +CVE: CVE-2025-32912 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 2 +- + tests/auth-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 9eb7fa0e..d69a4013 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth)) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index c651c7cd..484097f1 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1952,6 +1952,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test); + + ret = g_test_run (); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-2.patch new file mode 100644 index 0000000000..ad6f3a8028 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-2.patch @@ -0,0 +1,30 @@ +From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 8 Feb 2025 12:30:13 -0600 +Subject: [PATCH] digest-auth: Handle NULL nonce + +`contains` only handles a missing nonce, `lookup` handles both missing and empty. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f] +CVE: CVE-2025-32912 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index d69a4013..dc4dbfc5 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 167163b91f..f62c657213 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -24,6 +24,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32909.patch \ file://CVE-2025-32911_CVE-2025-32913-1.patch \ file://CVE-2025-32911_CVE-2025-32913-2.patch \ + file://CVE-2025-32912-1.patch \ + file://CVE-2025-32912-2.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Thu Apr 17 14:04:29 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 61509 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D97AC369B2 for ; Thu, 17 Apr 2025 14:05:08 +0000 (UTC) Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.web11.9769.1744898703699496185 for ; Thu, 17 Apr 2025 07:05:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=WreawxpQ; spf=pass (domain: mvista.com, ip: 209.85.210.169, mailfrom: vanusuri@mvista.com) Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-736b350a22cso654598b3a.1 for ; Thu, 17 Apr 2025 07:05:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1744898702; x=1745503502; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=br/9rpESURtv5Q+J7+p05qD1ImTPaHtcmzW/qaIVCbM=; b=WreawxpQ9F8cc2fn4u/4DLeVlN04ox1wQ3dGlubG4TduFtavzpkGo464xq6zuY69J3 t2+QEKefqMTRDn9g9JkqZ31FXwLNLuoo7Tuj3Ea61clowP3Zqe5eqerSFKb7KnnzCx4T VlQ70Ddt918aytJha13Qi+ieNQehWbi6rrnOo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744898702; x=1745503502; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=br/9rpESURtv5Q+J7+p05qD1ImTPaHtcmzW/qaIVCbM=; b=MOFm8jKYR+ALFs413iw/hs97WpTYS5u+jc7LpBKp0paghEAyiNsxbkXvX3v1vnh8DJ eyiKnvY2KXe1vPOLyO4mirpiICfd5Dw+5M/b0h8zlzkYzLiJTGkya4s6K8zGOdlvNDq/ 5bSZHxLVBiK1o/uWJYPkwKEZnNT1mDPYnyrrC8zq984t++i42asdMgVR8MYBSetqnV9Q eQdv/iePRkXJzqL94hZbzRjJiWOwnM5lWztu0Od4F/V+bYD3BanRyqFgcdHt3WoifxyD S3P0p7eX+epZ+MhKD+51pa8fzJbx2wp4SFQvCmKAjdTQfyLb4haKzMkYYWQU9H0kwEUn HGxQ== X-Gm-Message-State: AOJu0Yy7Ain2Kcw36cdidYeXrnLkGkWhmCMtc0laNyA8dMvzEiCOOfXn 966n0rQ19qrxk/RbL0i15IFvg3GYOwCo+qHRFjwcSfwPWE+M5RKRE9ktJ02WWiHXD7UCLfeEdeo ktjM= X-Gm-Gg: ASbGnctEhoQcng7h0ELPPNf9RwTFUswq3rZmDor1l6Fb54ozrzhVeMaKVdXycGLUbkS xWc+8Ayc5aDXtVAhpU+gfpu0jstwibEmpTv6XfEPQUiuxGL3bgjNHPE5J03K0YT8lEUoatcj5iY BT1B99vD+GY8sWuTo54ML3VqVGXTSn3Y3kIzMMQL3wy61knSVWcBW1IHhg+NbLBmz9JKWHlGush B1zjlu39objkzX+M2isQjF3wdr7Xh3/NKILPU9cZE6FdyE1oAFS0dsUQuQskG8KPFejUsn80QFt M0wuYHj13Zp/NNzMRQ/aTVAz4LT/WjtwGrYa1UbsbNrjaJqkUgPJ X-Google-Smtp-Source: AGHT+IEfB2sBOL9Q6dnJv/iBcKyqD7R7TNR3N1xOZrWTw0gau5Z6zPGLajT1efoAtBb8tjtOHiPnRQ== X-Received: by 2002:a05:6a00:aca:b0:736:5504:e8b4 with SMTP id d2e1a72fcca58-73c267d2f23mr8414036b3a.19.1744898702124; Thu, 17 Apr 2025 07:05:02 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.223.203]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-73db4717bfasm1127812b3a.129.2025.04.17.07.04.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Apr 2025 07:05:01 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH v3 5/5] libsoup: Fix CVE-2025-32906 Date: Thu, 17 Apr 2025 19:34:29 +0530 Message-Id: <20250417140429.136534-5-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250417140429.136534-1-vanusuri@mvista.com> References: <20250417140429.136534-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Apr 2025 14:05:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215083 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f Signed-off-by: Vijay Anusuri --- .../libsoup-3.4.4/CVE-2025-32906-1.patch | 61 ++++++++++++++ .../libsoup-3.4.4/CVE-2025-32906-2.patch | 83 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 2 + 3 files changed, 146 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch new file mode 100644 index 0000000000..916a41a71f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch @@ -0,0 +1,61 @@ +From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 11 Feb 2025 14:36:26 -0600 +Subject: [PATCH] headers: Handle parsing edge case + +This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931] +CVE: CVE-2025-32906 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-headers.c | 2 +- + tests/header-parsing-test.c | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 85385cea..9d6d00a3 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str, + !g_ascii_isdigit (version[5])) + return SOUP_STATUS_BAD_REQUEST; + major_version = strtoul (version + 5, &p, 10); +- if (*p != '.' || !g_ascii_isdigit (p[1])) ++ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1])) + return SOUP_STATUS_BAD_REQUEST; + minor_version = strtoul (p + 1, &p, 10); + version_end = p; +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 07ea2866..10ddb684 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,6 +6,10 @@ typedef struct { + const char *name, *value; + } Header; + ++static char unterminated_http_version[] = { ++ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -383,6 +387,14 @@ static struct RequestTest { + { { NULL } } + }, + ++ /* This couldn't be a C string as going one byte over would have been safe. */ ++ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", ++ unterminated_http_version, sizeof (unterminated_http_version), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } ++ }, ++ + { "Non-HTTP request", NULL, + "GET / SOUP/1.1\r\nHost: example.com\r\n", -1, + SOUP_STATUS_BAD_REQUEST, +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-2.patch new file mode 100644 index 0000000000..5baad15648 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-2.patch @@ -0,0 +1,83 @@ +From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 12 Feb 2025 11:30:02 -0600 +Subject: [PATCH] headers: Handle parsing only newlines + +Closes #404 +Closes #407 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f] +CVE: CVE-2025-32906 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-headers.c | 4 ++-- + tests/header-parsing-test.c | 13 ++++++++++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 9d6d00a3..52ef2ece 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str, + /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s) + * received where a Request-Line is expected." + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str, + * after a response, which we then see prepended to the next + * response on that connection. + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 10ddb684..4faafbd6 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,10 +6,15 @@ typedef struct { + const char *name, *value; + } Header; + ++/* These are not C strings to ensure going one byte over is not safe. */ + static char unterminated_http_version[] = { + 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.' + }; + ++static char only_newlines[] = { ++ '\n', '\n', '\n', '\n' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -387,7 +392,6 @@ static struct RequestTest { + { { NULL } } + }, + +- /* This couldn't be a C string as going one byte over would have been safe. */ + { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", + unterminated_http_version, sizeof (unterminated_http_version), + SOUP_STATUS_BAD_REQUEST, +@@ -457,6 +461,13 @@ static struct RequestTest { + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ { "Only newlines", NULL, ++ only_newlines, sizeof (only_newlines), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index f62c657213..cbb098908d 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -26,6 +26,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32911_CVE-2025-32913-2.patch \ file://CVE-2025-32912-1.patch \ file://CVE-2025-32912-2.patch \ + file://CVE-2025-32906-1.patch \ + file://CVE-2025-32906-2.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"