From patchwork Tue May 6 15:57:27 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 62540
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][scarthgap][PATCH 1/5] libsoup-2.4: Fix CVE-2024-52530
Date: Tue, 6 May 2025 21:27:27 +0530
Message-Id: <20250506155731.677168-1-vanusuri@mvista.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216068

From: Vijay Anusuri

Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b
Signed-off-by: Vijay Anusuri --- .../libsoup/libsoup-2.4/CVE-2024-52530.patch | 149 ++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 4 +- 2 files changed, 152 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch new file mode 100644 index 0000000000..bd62a748eb --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch 
@@ -0,0 +1,149 @@ +From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 8 Jul 2024 12:33:15 -0500 +Subject: [PATCH] headers: Strictly don't allow NUL bytes + +In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b] +CVE: CVE-2024-52530 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-headers.c | 15 +++------ + tests/header-parsing-test.c | 62 +++++++++++++++++-------------------- + 2 files changed, 32 insertions(+), 45 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index a0cf351ac..f30ee467a 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + * ignorable trailing whitespace. + */ + ++ /* No '\0's are allowed */ ++ if (memchr (str, '\0', len)) ++ return FALSE; ++ + /* Skip over the Request-Line / Status-Line */ + headers_start = memchr (str, '\n', len); + if (!headers_start) + return FALSE; +- /* No '\0's in the Request-Line / Status-Line */ +- if (memchr (str, '\0', headers_start - str)) +- return FALSE; + + /* We work on a copy of the headers, which we can write '\0's + * into, so that we don't have to individually g_strndup and +@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + headers_copy[copy_len] = '\0'; + value_end = headers_copy; + +- /* There shouldn't be any '\0's in the headers already, but +- * this is the web we're talking about. 
+- */ +- while ((p = memchr (headers_copy, '\0', copy_len))) { +- memmove (p, p + 1, copy_len - (p - headers_copy)); +- copy_len--; +- } +- + while (*(value_end + 1)) { + name = value_end + 1; + name_end = strchr (name, ':'); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index edf8eebb3..715c2c6f2 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -358,24 +358,6 @@ static struct RequestTest { + } + }, + +- { "NUL in header name", "760832", +- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "example.com" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "examplecom" }, +- { NULL } +- } +- }, +- + /************************/ + /*** INVALID REQUESTS ***/ + /************************/ +@@ -448,6 +430,21 @@ static struct RequestTest { + SOUP_STATUS_EXPECTATION_FAILED, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", NULL, ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +@@ -620,22 +617,6 @@ static struct ResponseTest { + { NULL } } + }, + +- { "NUL in header name", "760832", +- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- { NULL } +- } +- }, +- + /********************************/ + /*** VALID CONTINUE RESPONSES ***/ 
+ /********************************/ +@@ -768,6 +749,19 @@ static struct ResponseTest { + { { NULL } + } + }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", "760832", ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, + }; + static const int num_resptests = G_N_ELEMENTS (resptests); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index ee20530b64..b833d2cfa9 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -12,7 +12,9 @@ DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl" SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ - file://0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch" + file://0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch \ + file://CVE-2024-52530.patch \ + " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" CVE_PRODUCT = "libsoup"
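Review bot: In the libsoup/soup-headers.c changes of CVE-2024-52530.patch, the new early `return FALSE` on `memchr (str, '\0', len)` combined with the removal of the NUL-stripping loop at @@ -69,14 turns input that the removed test cases expected to parse with SOUP_STATUS_OK into a parse failure, and the mail's own commit message carries only the Upstream-Status line. For a stable-branch backport, state in the commit message that a message with an embedded NUL in a header name or value is now rejected, so integrators know to expect the behaviour change.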
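Review bot: In the INVALID REQUESTS additions of tests/header-parsing-test.c (@@ -448,6 +430,21), the "NUL in header value" request case feeds a status line, `"HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n"`, where the entry it replaces used `"GET / HTTP/1.1\r\nHost: example\x00" "com\r\n"`. A request parser may reject that input on its first line alone, so the case may not exercise the NUL check for request header values. This matches the upstream commit, so keep the backport unchanged, but it is worth raising upstream.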
From patchwork Tue May 6 15:57:28 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 62542
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 2/5] libsoup-2.4: Fix CVE-2024-52531 Date: Tue, 6 May 2025 21:27:28 +0530 Message-Id: <20250506155731.677168-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250506155731.677168-1-vanusuri@mvista.com> References: <20250506155731.677168-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 06 May 2025 15:57:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216069 From: Vijay Anusuri import patch from ubuntu to fix CVE-2024-52531 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches?h=ubuntu/jammy-security Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe] Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/ https://ubuntu.com/security/CVE-2024-52531 Signed-off-by: Vijay Anusuri --- .../libsoup-2.4/CVE-2024-52531-1.patch | 131 ++++++++++++++++++ .../libsoup-2.4/CVE-2024-52531-2.patch | 36 +++++ .../libsoup/libsoup-2.4_2.74.3.bb | 2 + 3 files changed, 169 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch new file mode 100644 index 0000000000..d56ad0ff5e --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch 
@@ -0,0 +1,131 @@ +From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 27 Aug 2024 13:53:26 -0500 +Subject: [PATCH 1/2] headers: Be more robust against invalid input when + parsing params + +If you pass invalid input to a function such as soup_header_parse_param_list_strict() +it can cause an overflow if it decodes the input to UTF-8. + +This should never happen with valid UTF-8 input which libsoup's client API +ensures, however it's server API does not currently. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-1.patch?h=ubuntu/jammy-security +Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283] +CVE: CVE-2024-52531 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-headers.c | 46 ++++++++++++++++++++++-------------------- + 1 file changed, 24 insertions(+), 22 deletions(-) + +Index: libsoup2.4-2.74.2/libsoup/soup-headers.c +=================================================================== +--- libsoup2.4-2.74.2.orig/libsoup/soup-headers.c ++++ libsoup2.4-2.74.2/libsoup/soup-headers.c +@@ -643,8 +643,9 @@ soup_header_contains (const char *header + } + + static void +-decode_quoted_string (char *quoted_string) ++decode_quoted_string_inplace (GString *quoted_gstring) + { ++ char *quoted_string = quoted_gstring->str; + char *src, *dst; + + src = quoted_string + 1; +@@ -658,10 +659,11 @@ decode_quoted_string (char *quoted_strin + } + + static gboolean +-decode_rfc5987 (char *encoded_string) ++decode_rfc5987_inplace (GString *encoded_gstring) + { + char *q, *decoded; + gboolean iso_8859_1 = FALSE; ++ const char *encoded_string = encoded_gstring->str; + + q = strchr (encoded_string, '\''); + if (!q) +@@ -690,14 +692,7 @@ decode_rfc5987 (char *encoded_string) + decoded = utf8; + } + +- /* If encoded_string was UTF-8, then each 3-character %-escape +- * will be converted to a 
single byte, and so decoded is +- * shorter than encoded_string. If encoded_string was +- * iso-8859-1, then each 3-character %-escape will be +- * converted into at most 2 bytes in UTF-8, and so it's still +- * shorter. +- */ +- strcpy (encoded_string, decoded); ++ g_string_assign (encoded_gstring, decoded); + g_free (decoded); + return TRUE; + } +@@ -707,15 +702,17 @@ parse_param_list (const char *header, ch + { + GHashTable *params; + GSList *list, *iter; +- char *item, *eq, *name_end, *value; +- gboolean override, duplicated; + + params = g_hash_table_new_full (soup_str_case_hash, + soup_str_case_equal, +- g_free, NULL); ++ g_free, g_free); + + list = parse_list (header, delim); + for (iter = list; iter; iter = iter->next) { ++ char *item, *eq, *name_end; ++ gboolean override, duplicated; ++ GString *parsed_value = NULL; ++ + item = iter->data; + override = FALSE; + +@@ -730,19 +727,19 @@ parse_param_list (const char *header, ch + + *name_end = '\0'; + +- value = (char *)skip_lws (eq + 1); ++ parsed_value = g_string_new ((char *)skip_lws (eq + 1)); + + if (name_end[-1] == '*' && name_end > item + 1) { + name_end[-1] = '\0'; +- if (!decode_rfc5987 (value)) { ++ if (!decode_rfc5987_inplace (parsed_value)) { ++ g_string_free (parsed_value, TRUE); + g_free (item); + continue; + } + override = TRUE; +- } else if (*value == '"') +- decode_quoted_string (value); +- } else +- value = NULL; ++ } else if (parsed_value->str[0] == '"') ++ decode_quoted_string_inplace (parsed_value); ++ } + + duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL); + +@@ -750,11 +747,16 @@ parse_param_list (const char *header, ch + soup_header_free_param_list (params); + params = NULL; + g_slist_foreach (iter, (GFunc)g_free, NULL); ++ if (parsed_value) ++ g_string_free (parsed_value, TRUE); + break; +- } else if (override || !duplicated) +- g_hash_table_replace (params, item, value); +- else ++ } else if (override || !duplicated) { ++ g_hash_table_replace (params, item, 
parsed_value ? g_string_free (parsed_value, FALSE) : NULL); ++ } else { ++ if (parsed_value) ++ g_string_free (parsed_value, TRUE); + g_free (item); ++ } + } + + g_slist_free (list); diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch new file mode 100644 index 0000000000..19b1872866 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch 
@@ -0,0 +1,36 @@ +From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 27 Aug 2024 13:52:08 -0500 +Subject: [PATCH 2/2] tests: Add test for passing invalid UTF-8 to + soup_header_parse_semi_param_list() + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-2.patch?h=ubuntu/jammy-security +Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe] +CVE: CVE-2024-52531 +Signed-off-by: Vijay Anusuri +--- + tests/header-parsing-test.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +Index: libsoup2.4-2.74.2/tests/header-parsing-test.c +=================================================================== +--- libsoup2.4-2.74.2.orig/tests/header-parsing-test.c ++++ libsoup2.4-2.74.2/tests/header-parsing-test.c +@@ -825,6 +825,17 @@ static struct ParamListTest { + { "filename", "t\xC3\xA9st.txt" }, + }, + }, ++ ++ /* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */ ++ { TRUE, ++ "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo", ++ { ++ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" }, ++ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" }, ++ { "foo", NULL }, ++ ++ }, ++ } + }; + static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests); + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index b833d2cfa9..bd58773ba3 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -14,6 +14,8 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch \ file://CVE-2024-52530.patch \ + file://CVE-2024-52531-1.patch \ + file://CVE-2024-52531-2.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
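Review bot: CVE-2024-52531-1.patch and CVE-2024-52531-2.patch are quilt-style diffs whose `Index:` and `---`/`+++` lines name libsoup2.4-2.74.2, while the recipe they are added to is libsoup-2.4_2.74.3.bb. Confirm that both apply to the 2.74.3 sources without fuzz (the patch-fuzz QA check flags it), or regenerate them from the two upstream commits listed in Upstream-Status.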
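Review bot: In the parse_param_list hunks of CVE-2024-52531-1.patch, `decode_quoted_string_inplace` still rewrites `quoted_gstring->str` through the raw `src`/`dst` pointers, and no added line updates the GString's length after unescaping. That is safe here only because the value leaves the function through `g_string_free (parsed_value, FALSE)` and is used as a plain C string from then on. A short comment at the call site saying so would keep a later change from relying on `parsed_value->len`; since this is a backport, that suggestion belongs upstream.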
From patchwork Tue May 6 15:57:29 2025
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 62541
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 3/5] libsoup-2.4: Fix CVE-2024-52532 Date: Tue, 6 May 2025 21:27:29 +0530 Message-Id: <20250506155731.677168-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250506155731.677168-1-vanusuri@mvista.com> References: <20250506155731.677168-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 06 May 2025 15:57:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216070 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be & https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c & https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff Signed-off-by: Vijay Anusuri --- .../libsoup-2.4/CVE-2024-52532-1.patch | 36 +++++++++++++++ .../libsoup-2.4/CVE-2024-52532-2.patch | 42 +++++++++++++++++ .../libsoup-2.4/CVE-2024-52532-3.patch | 46 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 3 ++ 4 files changed, 127 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch new file mode 100644 index 0000000000..68eb942762 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch 
@@ -0,0 +1,36 @@ +From 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro +Date: Wed, 11 Sep 2024 11:52:11 +0200 +Subject: [PATCH] websocket: process the frame as soon as we read data + +Otherwise we can enter in a read loop because we were not +validating the data until the all the data was read. + +Fixes #391 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be] +CVE: CVE-2024-52532 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-websocket-connection.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c +index a4095e1..9d5f4f8 100644 +--- a/libsoup/soup-websocket-connection.c ++++ b/libsoup/soup-websocket-connection.c +@@ -1140,9 +1140,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self) + } + + pv->incoming->len = len + count; +- } while (count > 0); + +- process_incoming (self); ++ process_incoming (self); ++ } while (count > 0 && !pv->close_sent && !pv->io_closing); + + if (end) { + if (!pv->close_sent || !pv->close_received) { +-- +2.25.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch new file mode 100644 index 0000000000..e4e2d03d58 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch 
@@ -0,0 +1,42 @@ +From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro +Date: Wed, 2 Oct 2024 11:17:19 +0200 +Subject: [PATCH] websocket-test: disconnect error copy after the test ends + +Otherwise the server will have already sent a few more wrong +bytes and the client will continue getting errors to copy +but the error is already != NULL and it will assert + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c] +CVE: CVE-2024-52532 +Signed-off-by: Vijay Anusuri +--- + tests/websocket-test.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tests/websocket-test.c b/tests/websocket-test.c +index 06c443bb5..6a48c1f9b 100644 +--- a/tests/websocket-test.c ++++ b/tests/websocket-test.c +@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test, + GError *error = NULL; + InvalidEncodeLengthTest context = { test, NULL }; + guint i; ++ guint error_id; + +- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); ++ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); + g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); + + /* We use 127(\x7f) as payload length with 65535 extended length */ +@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test, + WAIT_UNTIL (error != NULL || received != NULL); + g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); + g_clear_error (&error); ++ g_signal_handler_disconnect (test->client, error_id); + g_assert_null (received); + + g_thread_join (thread); +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch new file mode 100644 index 0000000000..edcca86e8c --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch 
@@ -0,0 +1,46 @@ +From 4c9e75c6676a37b6485620c332e568e1a3f530ff Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 13 Nov 2024 14:14:23 +0000 +Subject: [PATCH] websocket-test: Disconnect error signal in another place + +This is the same change as commit 29b96fab "websocket-test: disconnect +error copy after the test ends", and is done for the same reason, but +replicating it into a different function. + +Fixes: 6adc0e3e "websocket: process the frame as soon as we read data" +Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399 +Signed-off-by: Simon McVittie + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff] +CVE: CVE-2024-52532 +Signed-off-by: Vijay Anusuri +--- + tests/websocket-test.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tests/websocket-test.c b/tests/websocket-test.c +index 6a48c1f9..723f2857 100644 +--- a/tests/websocket-test.c ++++ b/tests/websocket-test.c +@@ -1508,8 +1508,9 @@ test_receive_invalid_encode_length_16 (Test *test, + GError *error = NULL; + InvalidEncodeLengthTest context = { test, NULL }; + guint i; ++ guint error_id; + +- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); ++ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); + g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); + + /* We use 126(~) as payload length with 125 extended length */ +@@ -1522,6 +1523,7 @@ test_receive_invalid_encode_length_16 (Test *test, + WAIT_UNTIL (error != NULL || received != NULL); + g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); + g_clear_error (&error); ++ g_signal_handler_disconnect (test->client, error_id); + g_assert_null (received); + + g_thread_join (thread); +-- +GitLab + 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index bd58773ba3..6125c0624a 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -16,6 +16,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52530.patch \ file://CVE-2024-52531-1.patch \ file://CVE-2024-52531-2.patch \ + file://CVE-2024-52532-1.patch \ + file://CVE-2024-52532-2.patch \ + file://CVE-2024-52532-3.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
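Review bot: In CVE-2024-52532-1.patch (@@ -1140,9), the loop condition reads `pv->close_sent` and `pv->io_closing` immediately after the relocated `process_incoming (self)` call, but the hunk does not say which call is expected to set them. A one-line comment above the `while` stating that an invalid frame found during processing must end the read loop would make the termination condition reviewable without reading the rest of soup-websocket-connection.c.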
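Review bot: CVE-2024-52532-2.patch and CVE-2024-52532-3.patch change only tests/websocket-test.c, yet both are tagged `CVE: CVE-2024-52532` and the mail's commit message lists the three commits without distinguishing them. Say in the commit message that -2 and -3 are test follow-ups required by the read-loop change in -1 (the -3 header already records "Fixes: 6adc0e3e") rather than part of the fix itself.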
x=1747151877; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FYV63sfKHSOQ3ewV+09RyFdsAIsPR2On+PtvPNwjbkc=; b=UYDemWnz9P7ljPJN/Cwvp2SaQQoucBcyUfpo+H9mzw0ATOauvLlNl5C2KSFsbhbwhx PnJVffqZvf8wUZseyYxJt2boAT4QUL95F7KytDenVIMehOG/KgIeTGgOGzKf1sZbtV5e j6FjMi3oKD+Z2eyxW9JEaGutsdwJEAKtDdGQYYopaTwtqdTopDNoVJmn92mnw/P6Blxu DI0WBJu8oZBhRHn/lBdaTMTm5EAbNNHcQt1anot06E48CriUTODng7nrSZeB9Ov2hxJD 3OIIyaGX1ui2cMEH1LJF49u6VeaLn0HiLKUsqjJ3I9T+WRXUxEU8JBCrDs4Kgctyv/Aq Dk7A== X-Gm-Message-State: AOJu0Yyat9NTbVNmXUB/abxa9D3Jb7LfdhJQySw1Cw3PAhuhiU1ezL2u syvJSmSTLl9dOt38Hlf/YLv5uY/kCJP8T/q9Q2Q1HS+IsI2nSfm4bZJsSpBcs+mjc0AGh8ocigr TZwQ= X-Gm-Gg: ASbGncsTSoPvjTgwdGX3tPfkZeuSaX3qp00bQqfDCoTEydPJObNJ1OXeaBIcer12mZQ sltuQbeJTybxO7Tt1PkFC7kGN1oJRzqR8EXcAhSs68W2uEisM79D/6olBctCEmQt4gZVfigqTjX guPp086wT9EwEXzTomv4z9Jsv66D0T7cjQ31ONxDDxj1SWOrJg2jXydJlSOYdx+ge69NIYJSSrA BpIkBOdA4uHvaIIAwwD05EHGKuCIeqSJUPObli75pudZpVPfuZd3brg0w487XRHgNr51W/mvNYu PKiF1lgxiyO3QmloRiFTRfBbv1L8S96eRKSn1UW7wI8VozJPWbE= X-Google-Smtp-Source: AGHT+IERM74zlIcqZziSCfkMtwerN6dND5TYJNCtahnRSck+ddWq4p77js1oyiQVmoAuVMkYOGC+PA== X-Received: by 2002:a17:902:fc8d:b0:216:3d72:1712 with SMTP id d9443c01a7336-22e365af0demr56076745ad.48.1746547077522; Tue, 06 May 2025 08:57:57 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.214.86]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-22e152204desm75502685ad.140.2025.05.06.08.57.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 May 2025 08:57:57 -0700 (PDT) 
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 4/5] libsoup-2.4: Fix CVE-2025-32906 Date: Tue, 6 May 2025 21:27:30 +0530 Message-Id: <20250506155731.677168-4-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250506155731.677168-1-vanusuri@mvista.com> References: <20250506155731.677168-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 06 May 2025 15:58:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216071 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f Signed-off-by: Vijay Anusuri --- .../libsoup-2.4/CVE-2025-32906-1.patch | 61 ++++++++++++++ .../libsoup-2.4/CVE-2025-32906-2.patch | 83 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 2 + 3 files changed, 146 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch new file mode 100644 index 0000000000..916a41a71f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch 
@@ -0,0 +1,61 @@ +From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Tue, 11 Feb 2025 14:36:26 -0600 +Subject: [PATCH] headers: Handle parsing edge case + +This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931] +CVE: CVE-2025-32906 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-headers.c | 2 +- + tests/header-parsing-test.c | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 85385cea..9d6d00a3 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str, + !g_ascii_isdigit (version[5])) + return SOUP_STATUS_BAD_REQUEST; + major_version = strtoul (version + 5, &p, 10); +- if (*p != '.' || !g_ascii_isdigit (p[1])) ++ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1])) + return SOUP_STATUS_BAD_REQUEST; + minor_version = strtoul (p + 1, &p, 10); + version_end = p; +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 07ea2866..10ddb684 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,6 +6,10 @@ typedef struct { + const char *name, *value; + } Header; + ++static char unterminated_http_version[] = { ++ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -383,6 +387,14 @@ static struct RequestTest { + { { NULL } } + }, + ++ /* This couldn't be a C string as going one byte over would have been safe. 
*/ ++ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", ++ unterminated_http_version, sizeof (unterminated_http_version), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } ++ }, ++ + { "Non-HTTP request", NULL, + "GET / SOUP/1.1\r\nHost: example.com\r\n", -1, + SOUP_STATUS_BAD_REQUEST, +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch new file mode 100644 index 0000000000..5baad15648 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch 
@@ -0,0 +1,83 @@ +From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 12 Feb 2025 11:30:02 -0600 +Subject: [PATCH] headers: Handle parsing only newlines + +Closes #404 +Closes #407 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f] +CVE: CVE-2025-32906 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-headers.c | 4 ++-- + tests/header-parsing-test.c | 13 ++++++++++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 9d6d00a3..52ef2ece 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str, + /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s) + * received where a Request-Line is expected." + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str, + * after a response, which we then see prepended to the next + * response on that connection. + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 10ddb684..4faafbd6 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,10 +6,15 @@ typedef struct { + const char *name, *value; + } Header; + ++/* These are not C strings to ensure going one byte over is not safe. */ + static char unterminated_http_version[] = { + 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.' 
+ }; + ++static char only_newlines[] = { ++ '\n', '\n', '\n', '\n' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -387,7 +392,6 @@ static struct RequestTest { + { { NULL } } + }, + +- /* This couldn't be a C string as going one byte over would have been safe. */ + { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", + unterminated_http_version, sizeof (unterminated_http_version), + SOUP_STATUS_BAD_REQUEST, +@@ -457,6 +461,13 @@ static struct RequestTest { + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ { "Only newlines", NULL, ++ only_newlines, sizeof (only_newlines), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 6125c0624a..c0c2209501 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -19,6 +19,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52532-1.patch \ file://CVE-2024-52532-2.patch \ file://CVE-2024-52532-3.patch \ + file://CVE-2025-32906-1.patch \ + file://CVE-2025-32906-2.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
From patchwork Tue May 6 15:57:31 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 62543
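Review bot: in CVE-2025-32906-1.patch, the soup-headers.c hunk at -225 runs the new "p + 1 >= str + len" test only after "strtoul (version + 5, &p, 10)" has already scanned the major version, and strtoul takes no length, so the digit scan itself is not bounded by len. The same holds for "strtoul (p + 1, &p, 10)" on the minor version two lines later. The added test buffer ends in '.', which stops the scan on the last byte, so it exercises the one-byte read of p[1] but not a buffer that ends in digits. Please confirm on the 2.74.3 tree that callers always pass data followed by a NUL or a non-digit, and say so in the commit message, which currently carries only the Upstream-Status and Signed-off-by lines.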
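Review bot: in CVE-2025-32906-2.patch, the soup_headers_parse_response loop at -371 gets the same "len > 0 &&" reordering as the request parser, but the test hunks only add only_newlines to the RequestTest table, so the response-side change has no coverage. A matching response test with the same four-newline buffer would close that gap. Neither hunk shows what follows the loop, so it is also worth checking that the 2.74.3 code after each loop rejects len == 0 before touching str again, since the new request test expects SOUP_STATUS_BAD_REQUEST.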
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 5/5] libsoup-2.4: Fix CVE-2025-32909 Date: Tue, 6 May 2025 21:27:31 +0530 Message-Id: <20250506155731.677168-5-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250506155731.677168-1-vanusuri@mvista.com> References: <20250506155731.677168-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 06 May 2025 15:58:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216072 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92 Signed-off-by: Vijay Anusuri --- .../libsoup/libsoup-2.4/CVE-2025-32909.patch | 36 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch new file mode 100644 index 0000000000..046f20203f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
@@ -0,0 +1,36 @@ +From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 8 Jan 2025 16:30:17 -0600 +Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4 + bytes + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92] +CVE: CVE-2025-32909 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-content-sniffer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 967ec61..a1f23c2 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -227,9 +227,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, SoupBuffer *buffer) + { + const char *resource = (const char *)buffer->data; + guint resource_length = MIN (512, buffer->length); +- guint32 box_size = *((guint32*)resource); ++ guint32 box_size; + guint i; + ++ if (resource_length < sizeof (guint32)) ++ return FALSE; ++ ++ box_size = *((guint32*)resource); ++ + #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + box_size = ((box_size >> 24) | + ((box_size << 8) & 0x00FF0000) | +-- +2.25.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index c0c2209501..3aaa06a541 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -21,6 +21,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52532-3.patch \ file://CVE-2025-32906-1.patch \ file://CVE-2025-32906-2.patch \ + file://CVE-2025-32909.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
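Review bot: the sniff_mp4 hunk in CVE-2025-32909.patch guards the 4-byte read with "resource_length < sizeof (guint32)" but keeps "box_size = *((guint32*)resource);", a cast from const char * that assumes buffer->data is suitably aligned for a guint32. A memcpy into box_size would read the same bytes without that assumption. If the backport is meant to stay byte-identical to upstream, that belongs in a follow-up. Separately, the diffstat shows one file changed and no test, so a sniffer case with a buffer shorter than 4 bytes would lock in the early "return FALSE".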