From patchwork Fri May  9 15:45:48 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 62694
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E94A7C3ABBC
	for <webhook@archiver.kernel.org>; Fri,  9 May 2025 15:46:13 +0000 (UTC)
Received: from mail-pg1-f181.google.com (mail-pg1-f181.google.com
 [209.85.215.181])
 by mx.groups.io with SMTP id smtpd.web11.1978.1746805564799933483
 for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:04 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=t3pPkSXC;
 spf=softfail (domain: sakoman.com, ip: 209.85.215.181,
 mailfrom: steve@sakoman.com)
Received: by mail-pg1-f181.google.com with SMTP id
 41be03b00d2f7-b12b984e791so1811596a12.2
        for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1746805564;
 x=1747410364; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=NKHa1Tin6Ao0OHFFPEW/BssJ318magWLBA3viX34GXw=;
        b=t3pPkSXCjE47PKH84/OE6g9ygDi5Dm8BR5tMG3A9zNENKHlWIpl6Qb17f6zzWE8U8J
         1zSzVAXrcfQhDEwOKD6uKeZI0DRPJUxwf0u3Ek9b0Gt16LGVXykcuKZp6cqsmOtvrNOQ
         8HDacAzC5mbekHWz6DOz1fASmXkk8DoMimAiF5LwCxc4akfZm+IAp0Q6VNNEjFddLl+G
         9hciC0AuX8wujQGe3ffeQH8gsm2YHngmKt1Q+1kYNoQCqOvx83rJiDUsxdigIoe9R5Wx
         t6v/GMw0aBUs73sn1vGEI5/5Olhgcn8Kgd7vpCR9fbStQlnlObBYxopRIzTO98UM32Tx
         kjXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1746805564; x=1747410364;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=NKHa1Tin6Ao0OHFFPEW/BssJ318magWLBA3viX34GXw=;
        b=fbUUykql+qV60HKlS/JtMafeJZI/yff16g/jZVeOJD2v4QshgfnJcMCr0QnB++JAIQ
         xWFud/8Bkx5A6GnEPtT05Hx5+TnFSrANKUMzNXNtd6h+VsRRDhOoe7X9mJiGT3GVxBHC
         +a7es+KyIlPed82qcbyJhBkSgaMJh5sq+w0m9CTCX8OL2H9m4TmWFmeHs/3lVPAgeabV
         vywHko6IScYv/AwfZ81vG2/Eki2YJ92Kw/oEBKD3YwiLEb7NskN5I+mCbY5beZ3HXMjs
         bz7tGAE92DRFYnPqAsLqL6oIxyYCOxuI0X8f9PZ0R3ZVHXmAwHMocmb8u4qpg9qxU6lF
         BnCg==
X-Gm-Message-State: AOJu0Yxvtq4PHH0Ggz+2M8jwc4mlScUEHhiDrfxEc+rtU0VHmNPBDxlZ
	RbJ9ZKucG+5MdBwwPvIvChu0REYlotRaeyRRV0dMUVk0ao09+6xzJIMe6fJ2uLx7I8QN4Eq/CC8
	7
X-Gm-Gg: ASbGncsgOcNSLGs5t2fatkRep2CKXgO1RvJfmjHcSCijLjT+kM9MrhDWnK1kWOlCUQ3
	tXhdt6dny+Aw1AUKxmaB3qJrD2fiJaPj4W+wbqGC88fElrmhRszWTD4+dSQwxoNB948/aNoXNct
	mbnQXE3JPn1fkeCsmClLJOC1S7Vzebfk+lDW4kfG6t/zLhDXvJGHPOlJOk+hhuky6ZffKMPm9li
	Sqdu3jc1AYlmAjD0CCBh4BB1oPuVVaB2ZjlUof/JZdibHJL1Mih2OGveEqlSJZTxZbYCNfxcS6p
	zIpc+R1C8DkKXHEaqsfvppHl3tTQ7tSO
X-Google-Smtp-Source: 
 AGHT+IFyKBPIrqkkfTFAohKLkX9hGRsqydDTXzT/TARxf26w7fdcDZPzxfEJ+tpJ6mgO91ff/Dfl8g==
X-Received: by 2002:a17:90b:3907:b0:2fc:3264:3657 with SMTP id
 98e67ed59e1d1-30c3b90e372mr7713863a91.0.1746805563920;
        Fri, 09 May 2025 08:46:03 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:1912:b658:11a7:402c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-30c39dee9aasm1983093a91.25.2025.05.09.08.46.03
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 09 May 2025 08:46:03 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 1/8] libsoup-2.4: Fix CVE-2024-52530
Date: Fri,  9 May 2025 08:45:48 -0700
Message-ID: 
 <ef1bff79d6b84eacccff2a3f8a5c3b8ed92fe0c4.1746805404.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1746805404.git.steve@sakoman.com>
References: <cover.1746805404.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 09 May 2025 15:46:13 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/216227

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from
https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup/libsoup-2.4/CVE-2024-52530.patch  | 149 ++++++++++++++++++
 .../libsoup/libsoup-2.4_2.74.3.bb             |   4 +-
 2 files changed, 152 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch
new file mode 100644
index 0000000000..bd62a748eb
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch
@@ -0,0 +1,149 @@
+From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Mon, 8 Jul 2024 12:33:15 -0500
+Subject: [PATCH] headers: Strictly don't allow NUL bytes
+
+In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b]
+CVE: CVE-2024-52530
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c      | 15 +++------
+ tests/header-parsing-test.c | 62 +++++++++++++++++--------------------
+ 2 files changed, 32 insertions(+), 45 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index a0cf351ac..f30ee467a 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
+ 	 * ignorable trailing whitespace.
+ 	 */
+ 
++	/* No '\0's are allowed */
++	if (memchr (str, '\0', len))
++		return FALSE;
++
+ 	/* Skip over the Request-Line / Status-Line */
+ 	headers_start = memchr (str, '\n', len);
+ 	if (!headers_start)
+ 		return FALSE;
+-	/* No '\0's in the Request-Line / Status-Line */
+-	if (memchr (str, '\0', headers_start - str))
+-		return FALSE;
+ 
+ 	/* We work on a copy of the headers, which we can write '\0's
+ 	 * into, so that we don't have to individually g_strndup and
+@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
+ 	headers_copy[copy_len] = '\0';
+ 	value_end = headers_copy;
+ 
+-	/* There shouldn't be any '\0's in the headers already, but
+-	 * this is the web we're talking about.
+-	 */
+-	while ((p = memchr (headers_copy, '\0', copy_len))) {
+-		memmove (p, p + 1, copy_len - (p - headers_copy));
+-		copy_len--;
+-	}
+-
+ 	while (*(value_end + 1)) {
+ 		name = value_end + 1;
+ 		name_end = strchr (name, ':');
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index edf8eebb3..715c2c6f2 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -358,24 +358,6 @@ static struct RequestTest {
+ 	  }
+ 	},
+ 
+-	{ "NUL in header name", "760832",
+-	  "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+-	  SOUP_STATUS_OK,
+-	  "GET", "/", SOUP_HTTP_1_1,
+-	  { { "Host", "example.com" },
+-	    { NULL }
+-	  }
+-	},
+-
+-	{ "NUL in header value", "760832",
+-	  "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
+-	  SOUP_STATUS_OK,
+-	  "GET", "/", SOUP_HTTP_1_1,
+-	  { { "Host", "examplecom" },
+-	    { NULL }
+-	  }
+-	},
+-
+ 	/************************/
+ 	/*** INVALID REQUESTS ***/
+ 	/************************/
+@@ -448,6 +430,21 @@ static struct RequestTest {
+ 	  SOUP_STATUS_EXPECTATION_FAILED,
+ 	  NULL, NULL, -1,
+ 	  { { NULL } }
++	},
++
++	// https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
++	{ "NUL in header name", NULL,
++	  "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
++	  SOUP_STATUS_BAD_REQUEST,
++	  NULL, NULL, -1,
++	  { { NULL } }
++	},
++
++	{ "NUL in header value", NULL,
++	  "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
++	  SOUP_STATUS_BAD_REQUEST,
++           NULL, NULL, -1,
++	  { { NULL } }
+ 	}
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+@@ -620,22 +617,6 @@ static struct ResponseTest {
+ 	    { NULL } }
+ 	},
+ 
+-	{ "NUL in header name", "760832",
+-	  "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+-	  SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
+-	  { { "Foo", "bar" },
+-	    { NULL }
+-	  }
+-	},
+-
+-	{ "NUL in header value", "760832",
+-	  "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+-	  SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
+-	  { { "Foo", "bar" },
+-	    { NULL }
+-	  }
+-	},
+-
+ 	/********************************/
+ 	/*** VALID CONTINUE RESPONSES ***/
+ 	/********************************/
+@@ -768,6 +749,19 @@ static struct ResponseTest {
+ 	  { { NULL }
+ 	  }
+ 	},
++
++	// https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
++	{ "NUL in header name", NULL,
++	  "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
++	  -1, 0, NULL,
++	  { { NULL } }
++	},
++
++	{ "NUL in header value", "760832",
++	  "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
++	  -1, 0, NULL,
++	  { { NULL } }
++	},
+ };
+ static const int num_resptests = G_N_ELEMENTS (resptests);
+ 
+-- 
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index ee20530b64..b833d2cfa9 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -12,7 +12,9 @@ DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl"
 SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 
 SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
-           file://0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch"
+           file://0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch \
+           file://CVE-2024-52530.patch \
+          "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 
 CVE_PRODUCT = "libsoup"

From patchwork Fri May  9 15:45:49 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 62695
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id EA411C3ABCC
	for <webhook@archiver.kernel.org>; Fri,  9 May 2025 15:46:13 +0000 (UTC)
Received: from mail-pj1-f54.google.com (mail-pj1-f54.google.com
 [209.85.216.54])
 by mx.groups.io with SMTP id smtpd.web11.1979.1746805566343329096
 for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:06 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=vjbDF1wU;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.54,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f54.google.com with SMTP id
 98e67ed59e1d1-30a99cff4feso2748603a91.0
        for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1746805565;
 x=1747410365; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=A2tmG6XyyDCtwIgNxENwlWkpKgp7ImH48gG97i9jZu4=;
        b=vjbDF1wUp/jIy90NmvMBoovcmopVsFMBswTMOmJh5fb5FPuCWlOlcKrkzxF60FR+Z6
         iusohN+0Kog9YQ9a7O3ZZgTYku/WGCAspH0v1zqAcZ5ZaAyW0YsrlsipKG8tcLSRF1rf
         pEH6DqnoQ6y22dyOwfj6X/DqB5wEdyCIkgSx/qQtxaF3Dg7NF6Irpx4wU945YU0syBjA
         sJqwxxB2cFIox5LrUVLwmw+Mur0RxJmSr7mYcjU1rYMcMDgqTHNHPp1hmcdz4+3uNUBl
         JDNlWNeXloipA4nBMS0Ro9jS+/za4CLsbtMEVk529clpc+gMCXC0OEvbLRs6jrmbN4i6
         23Vw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1746805565; x=1747410365;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=A2tmG6XyyDCtwIgNxENwlWkpKgp7ImH48gG97i9jZu4=;
        b=kkYEqPCuYdpE/d1bpz7Q94Ds2eGshiNXpDDyL92D7CnXoABLq22iSxx0IOWeLlas4P
         NNDr0aCNzwT8E83IcGnB9tdk9d7BM94o3lC/gjEkMAz/ANHaRLpj48bx5wsFWNjR5AJ7
         MXQNQHCMo5DL+x8SDrv+QLxKNHiublmU9Ipe/FmeGai++jR39LpoZM14zgFfMX8nBP0O
         bpD0/w3Z10OMwm26SlaEdAnQrh3rO3utPOGmRChDG9sn3zJ5ijcfp4bL6rKSmV6oKk1R
         ZNdca2iK1EtfmL1J4LCKANOeDiZn8KebKAx1KfpKItK+nOw5OqkCt2fBQ+t9+p0/sdt/
         /taA==
X-Gm-Message-State: AOJu0YzdpP9LoSYDS/8H4e2ehf/GQUnI8K5JVMQJBvGnXyo0l1K31LkZ
	R9tseeh3/VjHVjUrstzySaaB6m8GGKqa+W2jNmS1RF6F9kgXayqw7L8E1WOnWTOTL5Sjeclryy2
	R
X-Gm-Gg: ASbGncs5muN1nZMJJe1+jLluRvUg+GJl8naqlAQlfdADJPNhjTTuN4E1ufdfhH47xRM
	jQacFTyCJ+Ny52WpDdeDU5B4lXLcOpu6xJvCsVaRA8jZ6mU9no0Wd/uymIvvas7uyx/I4oSfeyw
	ABnm07Ya+v8mMR6IkfdJZDe3nh23fGcYyZfDb7zLqooOleVRTvKbZBsT3v4zltEc51hP+778rzs
	58mHACfjz+jeE0qQI/np3zrwQ3MQEu3pSAaSSF4yGdDw+qqrgscgIvkpcsd+myMhFkya9++btbk
	9zt/XsXn3DDS8N7iI6WGbxgQuWG8r8Uj
X-Google-Smtp-Source: 
 AGHT+IHgqRQvRsgnK2tg08cAgkJm4ixBWIqhwU7vIUMNkWvJQqkAFQUWpSxOu3XseajnOgdeir6qng==
X-Received: by 2002:a17:90b:4acb:b0:2fa:137f:5c61 with SMTP id
 98e67ed59e1d1-30c3cefe24amr7249223a91.12.1746805565315;
        Fri, 09 May 2025 08:46:05 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:1912:b658:11a7:402c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-30c39dee9aasm1983093a91.25.2025.05.09.08.46.04
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 09 May 2025 08:46:05 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 2/8] libsoup-2.4: Fix CVE-2024-52531
Date: Fri,  9 May 2025 08:45:49 -0700
Message-ID: 
 <c7ab8b45b1f533ca1b27b07c30f44b7b64a3cfde.1746805404.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1746805404.git.steve@sakoman.com>
References: <cover.1746805404.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 09 May 2025 15:46:13 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/216228

From: Vijay Anusuri <vanusuri@mvista.com>

import patch from ubuntu to fix
 CVE-2024-52531

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283
&
https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe]

Reference:
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/
https://ubuntu.com/security/CVE-2024-52531

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup-2.4/CVE-2024-52531-1.patch        | 131 ++++++++++++++++++
 .../libsoup-2.4/CVE-2024-52531-2.patch        |  36 +++++
 .../libsoup/libsoup-2.4_2.74.3.bb             |   2 +
 3 files changed, 169 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
new file mode 100644
index 0000000000..d56ad0ff5e
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
@@ -0,0 +1,131 @@
+From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 27 Aug 2024 13:53:26 -0500
+Subject: [PATCH 1/2] headers: Be more robust against invalid input when
+ parsing params
+
+If you pass invalid input to a function such as soup_header_parse_param_list_strict()
+it can cause an overflow if it decodes the input to UTF-8.
+
+This should never happen with valid UTF-8 input which libsoup's client API
+ensures, however it's server API does not currently.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-1.patch?h=ubuntu/jammy-security
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283]
+CVE: CVE-2024-52531
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c | 46 ++++++++++++++++++++++--------------------
+ 1 file changed, 24 insertions(+), 22 deletions(-)
+
+Index: libsoup2.4-2.74.2/libsoup/soup-headers.c
+===================================================================
+--- libsoup2.4-2.74.2.orig/libsoup/soup-headers.c
++++ libsoup2.4-2.74.2/libsoup/soup-headers.c
+@@ -643,8 +643,9 @@ soup_header_contains (const char *header
+ }
+ 
+ static void
+-decode_quoted_string (char *quoted_string)
++decode_quoted_string_inplace (GString *quoted_gstring)
+ {
++	char *quoted_string = quoted_gstring->str;
+ 	char *src, *dst;
+ 
+ 	src = quoted_string + 1;
+@@ -658,10 +659,11 @@ decode_quoted_string (char *quoted_strin
+ }
+ 
+ static gboolean
+-decode_rfc5987 (char *encoded_string)
++decode_rfc5987_inplace (GString *encoded_gstring)
+ {
+ 	char *q, *decoded;
+ 	gboolean iso_8859_1 = FALSE;
++	const char *encoded_string = encoded_gstring->str;
+ 
+ 	q = strchr (encoded_string, '\'');
+ 	if (!q)
+@@ -690,14 +692,7 @@ decode_rfc5987 (char *encoded_string)
+ 		decoded = utf8;
+ 	}
+ 
+-	/* If encoded_string was UTF-8, then each 3-character %-escape
+-	 * will be converted to a single byte, and so decoded is
+-	 * shorter than encoded_string. If encoded_string was
+-	 * iso-8859-1, then each 3-character %-escape will be
+-	 * converted into at most 2 bytes in UTF-8, and so it's still
+-	 * shorter.
+-	 */
+-	strcpy (encoded_string, decoded);
++	g_string_assign (encoded_gstring, decoded);
+ 	g_free (decoded);
+ 	return TRUE;
+ }
+@@ -707,15 +702,17 @@ parse_param_list (const char *header, ch
+ {
+ 	GHashTable *params;
+ 	GSList *list, *iter;
+-	char *item, *eq, *name_end, *value;
+-	gboolean override, duplicated;
+ 
+ 	params = g_hash_table_new_full (soup_str_case_hash, 
+ 					soup_str_case_equal,
+-					g_free, NULL);
++					g_free, g_free);
+ 
+ 	list = parse_list (header, delim);
+ 	for (iter = list; iter; iter = iter->next) {
++		char *item, *eq, *name_end;
++		gboolean override, duplicated;
++		GString *parsed_value = NULL;
++
+ 		item = iter->data;
+ 		override = FALSE;
+ 
+@@ -730,19 +727,19 @@ parse_param_list (const char *header, ch
+ 
+ 			*name_end = '\0';
+ 
+-			value = (char *)skip_lws (eq + 1);
++			parsed_value = g_string_new ((char *)skip_lws (eq + 1));
+ 
+ 			if (name_end[-1] == '*' && name_end > item + 1) {
+ 				name_end[-1] = '\0';
+-				if (!decode_rfc5987 (value)) {
++				if (!decode_rfc5987_inplace (parsed_value)) {
++					g_string_free (parsed_value, TRUE);
+ 					g_free (item);
+ 					continue;
+ 				}
+ 				override = TRUE;
+-			} else if (*value == '"')
+-				decode_quoted_string (value);
+-		} else
+-			value = NULL;
++			} else if (parsed_value->str[0] == '"')
++				decode_quoted_string_inplace (parsed_value);
++		}
+ 
+ 		duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
+ 
+@@ -750,11 +747,16 @@ parse_param_list (const char *header, ch
+ 			soup_header_free_param_list (params);
+ 			params = NULL;
+ 			g_slist_foreach (iter, (GFunc)g_free, NULL);
++			if (parsed_value)
++				g_string_free (parsed_value, TRUE);
+ 			break;
+-		} else if (override || !duplicated)
+-			g_hash_table_replace (params, item, value);
+-		else
++		} else if (override || !duplicated) {
++			g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
++		} else {
++			if (parsed_value)
++				g_string_free (parsed_value, TRUE);
+ 			g_free (item);
++		}
+ 	}
+ 
+ 	g_slist_free (list);
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
new file mode 100644
index 0000000000..19b1872866
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
@@ -0,0 +1,36 @@
+From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 27 Aug 2024 13:52:08 -0500
+Subject: [PATCH 2/2] tests: Add test for passing invalid UTF-8 to
+ soup_header_parse_semi_param_list()
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-2.patch?h=ubuntu/jammy-security
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe]
+CVE: CVE-2024-52531
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/header-parsing-test.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+Index: libsoup2.4-2.74.2/tests/header-parsing-test.c
+===================================================================
+--- libsoup2.4-2.74.2.orig/tests/header-parsing-test.c
++++ libsoup2.4-2.74.2/tests/header-parsing-test.c
+@@ -825,6 +825,17 @@ static struct ParamListTest {
+ 	    { "filename", "t\xC3\xA9st.txt" },
+ 	  },
+ 	},
++
++        /* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */
++        { TRUE,
++              "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
++              {
++                    { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
++                    { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
++                    { "foo", NULL },
++
++                },
++        }
+ };
+ static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
+ 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index b833d2cfa9..bd58773ba3 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -14,6 +14,8 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch \
            file://CVE-2024-52530.patch \
+           file://CVE-2024-52531-1.patch \
+           file://CVE-2024-52531-2.patch \
           "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 

From patchwork Fri May  9 15:45:50 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 62701
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E82CAC3ABCF
	for <webhook@archiver.kernel.org>; Fri,  9 May 2025 15:46:23 +0000 (UTC)
Received: from mail-pj1-f48.google.com (mail-pj1-f48.google.com
 [209.85.216.48])
 by mx.groups.io with SMTP id smtpd.web10.1934.1746805567724728647
 for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:07 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=WltI+zfX;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.48,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f48.google.com with SMTP id
 98e67ed59e1d1-30a9cd61159so2244980a91.1
        for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1746805567;
 x=1747410367; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=fuHQ1an4J5dOhDxcVUsu/g5tNUhqcricVEBGjZR0560=;
        b=WltI+zfXr44mcMkNRxWSHdD/F1p+Ziz5TqEWOWb4F5nUxtEIBSKDMx+jAVQqgp3Prt
         I9felUw3c052ZZkdiCUwkNRUWhxe+rqO8UNP5sQJ0cwJKJL8yjxZkePJduA02NPDdWUy
         UcrgY8dpN8HFW+U16Z1mi6OkBnfF7ivI5qGPDPTpnYxzr4gVsPuSwNMq9OQRmmjgIKYR
         rxlEVvZpBx5kp8S1I5Y6Hhrb6tHWS+Qj8I2rbit19cT+Hh8se4nuIOzVK5qwyV/ZPQKw
         u63QMQh7vaEGFJHcYyZdAbszql2Vw6/p/2n2Vu8e9zsOP1eIXQZsdEqyo7Uvqx08A3E9
         ZGDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1746805567; x=1747410367;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=fuHQ1an4J5dOhDxcVUsu/g5tNUhqcricVEBGjZR0560=;
        b=Y4NbAvtzlQN06Rf5an03OL25Z/Eqd8b+5m+yfHoPV2Np3ung0/8e5i2UX+tlOk5K5c
         RslKed+bFHxYeD5WcSGPVKaiMpRM+KD8jnVGRTxkO8V0owH/k9Ww2PJ0Av8JHD9IDCAO
         W+yNl2ODDtGlZYBclX8DeSvR3XKOW15RO5u9M9Ne4ZUhy5/0ZeWOkP31nrJ3LieRllnl
         CGB/uW5fUeW3RD6GbTI2a4g/2k8mN1SlW4yQ7h6TIi89hbkaxyxYQXOPI/+J0EponuKT
         wS+02fypIf4fmpmHxRVmShBlsdxd/i/4PgFjyw6v6ZGlruUfpxdMexZ76AOUBhLpJdry
         DwVw==
X-Gm-Message-State: AOJu0Yx/SOdfxxIglBUL1Uan3S3RAljyIk5Qpwx277WSEMQ67py+lW/R
	mEpDQ6SCrzrs2kmqXeTSSieS1o+U9aNdxC5IxDwV0Tywd3CUUIYqN+VQuwvq8/TUZNf0cNivkcY
	q
X-Gm-Gg: ASbGnctIxSxiLBlyj5XDjEUe8f/AkNMixni11WoZuw4g9sikXH2jmnl3mwJDR7I+ITR
	u7kEqC0oxvH04eATpmOJSNvgAxJsmkFBmmAjeWmFfvI8bN2TBtpNv2B12wFvowABk7mO336Rfr8
	r8jlV0ExvuOYSKaRlm4g84oli48ZmTk2YTHyGcykF4IZSlyxyHz5C2fqr3M999xtFLxxPN5i3Jq
	4+tRLLqPkpkED6kwcFk4zlaSvXfevLzBCJLqABzeZJcnedjohsBi5ev6ane5uV8T3lrXBqk/o1m
	Vst/CaknpFRIl6uARmr1oCwoTsPXNWr6
X-Google-Smtp-Source: 
 AGHT+IFWUbnRtn7iDjgTI02Jd805IbIyns+ILVNfvumPp6eUh3I0EmMebwAP+66LUqvP9/qllOrWgQ==
X-Received: by 2002:a17:90b:520d:b0:30a:9cd5:5932 with SMTP id
 98e67ed59e1d1-30c4000fa4emr6197833a91.13.1746805566879;
        Fri, 09 May 2025 08:46:06 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:1912:b658:11a7:402c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-30c39dee9aasm1983093a91.25.2025.05.09.08.46.06
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 09 May 2025 08:46:06 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 3/8] libsoup-2.4: Fix CVE-2024-52532
Date: Fri,  9 May 2025 08:45:50 -0700
Message-ID: 
 <dfde13ecffad3426846bd4b366d1e0cdb77b1be0.1746805404.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1746805404.git.steve@sakoman.com>
References: <cover.1746805404.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 09 May 2025 15:46:23 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/216229

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be
&
https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c
& https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup-2.4/CVE-2024-52532-1.patch        | 36 +++++++++++++++
 .../libsoup-2.4/CVE-2024-52532-2.patch        | 42 +++++++++++++++++
 .../libsoup-2.4/CVE-2024-52532-3.patch        | 46 +++++++++++++++++++
 .../libsoup/libsoup-2.4_2.74.3.bb             |  3 ++
 4 files changed, 127 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch
new file mode 100644
index 0000000000..68eb942762
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch
@@ -0,0 +1,36 @@
+From 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Wed, 11 Sep 2024 11:52:11 +0200
+Subject: [PATCH] websocket: process the frame as soon as we read data
+
+Otherwise we can enter in a read loop because we were not
+validating the data until the all the data was read.
+
+Fixes #391
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be]
+CVE: CVE-2024-52532
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-websocket-connection.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
+index a4095e1..9d5f4f8 100644
+--- a/libsoup/soup-websocket-connection.c
++++ b/libsoup/soup-websocket-connection.c
+@@ -1140,9 +1140,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
+ 		}
+ 
+ 		pv->incoming->len = len + count;
+-	} while (count > 0);
+ 
+-	process_incoming (self);
++		process_incoming (self);
++	} while (count > 0 && !pv->close_sent && !pv->io_closing);
+ 
+ 	if (end) {
+ 		if (!pv->close_sent || !pv->close_received) {
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch
new file mode 100644
index 0000000000..e4e2d03d58
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch
@@ -0,0 +1,42 @@
+From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Wed, 2 Oct 2024 11:17:19 +0200
+Subject: [PATCH] websocket-test: disconnect error copy after the test ends
+
+Otherwise the server will have already sent a few more wrong
+bytes and the client will continue getting errors to copy
+but the error is already != NULL and it will assert
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c]
+CVE: CVE-2024-52532
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/websocket-test.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 06c443bb5..6a48c1f9b 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test,
+ 	GError *error = NULL;
+ 	InvalidEncodeLengthTest context = { test, NULL };
+ 	guint i;
++	guint error_id;
+ 
+-	g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++	error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ 	g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
+ 
+ 	/* We use 127(\x7f) as payload length with 65535 extended length */
+@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test,
+ 	WAIT_UNTIL (error != NULL || received != NULL);
+ 	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
+ 	g_clear_error (&error);
++        g_signal_handler_disconnect (test->client, error_id);
+ 	g_assert_null (received);
+ 
+         g_thread_join (thread);
+-- 
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
new file mode 100644
index 0000000000..edcca86e8c
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
@@ -0,0 +1,46 @@
+From 4c9e75c6676a37b6485620c332e568e1a3f530ff Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Wed, 13 Nov 2024 14:14:23 +0000
+Subject: [PATCH] websocket-test: Disconnect error signal in another place
+
+This is the same change as commit 29b96fab "websocket-test: disconnect
+error copy after the test ends", and is done for the same reason, but
+replicating it into a different function.
+
+Fixes: 6adc0e3e "websocket: process the frame as soon as we read data"
+Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399
+Signed-off-by: Simon McVittie <smcv@debian.org>
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff]
+CVE: CVE-2024-52532
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/websocket-test.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 6a48c1f9..723f2857 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -1508,8 +1508,9 @@ test_receive_invalid_encode_length_16 (Test *test,
+ 	GError *error = NULL;
+ 	InvalidEncodeLengthTest context = { test, NULL };
+ 	guint i;
++	guint error_id;
+ 
+-	g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++	error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ 	g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
+ 
+ 	/* We use 126(~) as payload length with 125 extended length */
+@@ -1522,6 +1523,7 @@ test_receive_invalid_encode_length_16 (Test *test,
+ 	WAIT_UNTIL (error != NULL || received != NULL);
+ 	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
+ 	g_clear_error (&error);
++        g_signal_handler_disconnect (test->client, error_id);
+ 	g_assert_null (received);
+ 
+ 	g_thread_join (thread);
+-- 
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index bd58773ba3..6125c0624a 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -16,6 +16,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2024-52530.patch \
            file://CVE-2024-52531-1.patch \
            file://CVE-2024-52531-2.patch \
+           file://CVE-2024-52532-1.patch \
+           file://CVE-2024-52532-2.patch \
+           file://CVE-2024-52532-3.patch \
           "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 

From patchwork Fri May  9 15:45:51 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 62698
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E7DE4C3ABCD
	for <webhook@archiver.kernel.org>; Fri,  9 May 2025 15:46:23 +0000 (UTC)
Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com
 [209.85.216.51])
 by mx.groups.io with SMTP id smtpd.web10.1935.1746805569290872635
 for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:09 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=p/SELnX/;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.51,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f51.google.com with SMTP id
 98e67ed59e1d1-30a8cbddca4so2619982a91.3
        for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1746805568;
 x=1747410368; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=s7T/tfk3eCCZzWhgOQtzYcBfZlvF+YkvVNSTJEztcqc=;
        b=p/SELnX/D0xKiETgw4jVMxr30tSAc9D/n5qBYJ9b/MwrS+RRsGtVvrwC7fNAYgk7Ik
         SVnZ+x4u10Q+Mz/E+3C/iBNwvUtyZhbGP/MXs3HoXxLt+UlBFv6BKBJnnUmeq6+4J2ja
         nCnzvS0IP+RjeqhpQgDsjJF7zVCYfEsW5gY3+OAchQw5vfl6c6QDOIj5A6tHF+1C69Ne
         MQ4sKV3KKTq1Io0YD5tpspNyi0/r6V8kvB5RpiaU5sLPqeuKhC9ncq0JZ34HrKEPtL2B
         ne9S+YtHCFaULiiwBZsyTfYA94CSZwsggU40yTQ4gHgAkc38BuQfzA3NY6COWEn5bd7S
         f8Lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1746805568; x=1747410368;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=s7T/tfk3eCCZzWhgOQtzYcBfZlvF+YkvVNSTJEztcqc=;
        b=fOl7bS6WXzFEK1eMlOKOjUe8QLt2MkHFUU0fTBfb74fXxT91NNRRdXr1Cxhbs3i9mN
         WNEXrnaIeoJt2jOl8qnqkdb4BB7L4WL+0bzx9FNrep4WR+im19JsnrxKjo9xB23Sc77K
         WtMxZjcC5wrAVjhjjvAQ8QAs0pKaum01UngvXWq6STBewY68vdtaYnoEg+gBNgJJs2yP
         l4YFAQHWXlIHTrBcPjMyHjMN+LKfQXLRLbExApIUy+9nYgVSqn+qhZbGO7267xpmhxbW
         zfKTAE4B5yeaMALkVB2n9tG4vRFIaxdyS1njdvA/63df/84FR5RMv7EBTIHjIb3zdfV0
         iLjQ==
X-Gm-Message-State: AOJu0Yx1T2GEQqAOuDtlDM7vlaj+LssuCdgm6JCvpTL2KPN2oNp8hXx+
	meWF3GbxtuCFVcllwNvXeM+BBYdzQLVNHrcblLbmwyyboYstDhwyeRbECAiHBlFoe88NEgR65Ar
	e
X-Gm-Gg: ASbGnctrhUkSA0lZ7XijuVI4M+mYZ0JEAKxCOlVNX2MHqB3PbVo3KXDv6O/nWvaODAp
	gjIIp4i5wgx1IRzy0UX7gmcarbKyaOxwDDHPmjIRFGxgrP1PNWs6BwoDvMYnXyh3y95g4834/Vc
	4/80l0kz8G2Yqnwbx8XxvWmdp79pnoFDsJmkcNh5hwU6ZSIpchFa1m68CdO79EtPuM5d+6nSzC9
	pRubfL+7NrCLDyr8WV2evEYAtraYkuJvafHj2gnJdDNq2iZzmmG+AV7IRkKY7w0rW2QDQCBLkQF
	9h4tdsHUBwO+6Qiu/hsIFj7pc8Ajnbak
X-Google-Smtp-Source: 
 AGHT+IFruvY88piBAmfuZBCi/38LBnqKgAiaX4+p3cs1+GBd6X1QsggKx2j7BHXqSgtf4MYXXLwk9Q==
X-Received: by 2002:a17:90a:da8b:b0:30c:52c5:3dc4 with SMTP id
 98e67ed59e1d1-30c52c540e9mr2561945a91.24.1746805568312;
        Fri, 09 May 2025 08:46:08 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:1912:b658:11a7:402c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-30c39dee9aasm1983093a91.25.2025.05.09.08.46.07
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 09 May 2025 08:46:08 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 4/8] libsoup-2.4: Fix CVE-2025-32906
Date: Fri,  9 May 2025 08:45:51 -0700
Message-ID: 
 <6e373ec360151b212ae6eedc4c663fb9e760ae75.1746805404.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1746805404.git.steve@sakoman.com>
References: <cover.1746805404.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 09 May 2025 15:46:23 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/216230

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from
https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931
& https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup-2.4/CVE-2025-32906-1.patch        | 61 ++++++++++++++
 .../libsoup-2.4/CVE-2025-32906-2.patch        | 83 +++++++++++++++++++
 .../libsoup/libsoup-2.4_2.74.3.bb             |  2 +
 3 files changed, 146 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
new file mode 100644
index 0000000000..916a41a71f
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
@@ -0,0 +1,61 @@
+From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 11 Feb 2025 14:36:26 -0600
+Subject: [PATCH] headers: Handle parsing edge case
+
+This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931]
+CVE: CVE-2025-32906 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c      |  2 +-
+ tests/header-parsing-test.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 85385cea..9d6d00a3 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -225,7 +225,7 @@ soup_headers_parse_request (const char          *str,
+ 	    !g_ascii_isdigit (version[5]))
+ 		return SOUP_STATUS_BAD_REQUEST;
+ 	major_version = strtoul (version + 5, &p, 10);
+-	if (*p != '.' || !g_ascii_isdigit (p[1]))
++	if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
+ 		return SOUP_STATUS_BAD_REQUEST;
+ 	minor_version = strtoul (p + 1, &p, 10);
+ 	version_end = p;
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 07ea2866..10ddb684 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -6,6 +6,10 @@ typedef struct {
+ 	const char *name, *value;
+ } Header;
+ 
++static char unterminated_http_version[] = {
++        'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
++};
++
+ static struct RequestTest {
+ 	const char *description;
+ 	const char *bugref;
+@@ -383,6 +387,14 @@ static struct RequestTest {
+ 	  { { NULL } }
+ 	},
+ 
++        /* This couldn't be a C string as going one byte over would have been safe. */
++	{ "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
++	  unterminated_http_version, sizeof (unterminated_http_version),
++	  SOUP_STATUS_BAD_REQUEST,
++           NULL, NULL, -1,
++	  { { NULL } }
++	},
++
+ 	{ "Non-HTTP request", NULL,
+ 	  "GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
+ 	  SOUP_STATUS_BAD_REQUEST,
+-- 
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
new file mode 100644
index 0000000000..5baad15648
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
@@ -0,0 +1,83 @@
+From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 12 Feb 2025 11:30:02 -0600
+Subject: [PATCH] headers: Handle parsing only newlines
+
+Closes #404
+Closes #407
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f]
+CVE: CVE-2025-32906
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c      |  4 ++--
+ tests/header-parsing-test.c | 13 ++++++++++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 9d6d00a3..52ef2ece 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -186,7 +186,7 @@ soup_headers_parse_request (const char          *str,
+ 	/* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
+ 	 * received where a Request-Line is expected."
+ 	 */
+-	while ((*str == '\r' || *str == '\n') && len > 0) {
++	while (len > 0 && (*str == '\r' || *str == '\n')) {
+ 		str++;
+ 		len--;
+ 	}
+@@ -371,7 +371,7 @@ soup_headers_parse_response (const char          *str,
+ 	 * after a response, which we then see prepended to the next
+ 	 * response on that connection.
+ 	 */
+-	while ((*str == '\r' || *str == '\n') && len > 0) {
++	while (len > 0 && (*str == '\r' || *str == '\n')) {
+ 		str++;
+ 		len--;
+ 	}
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 10ddb684..4faafbd6 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -6,10 +6,15 @@ typedef struct {
+ 	const char *name, *value;
+ } Header;
+ 
++/* These are not C strings to ensure going one byte over is not safe. */
+ static char unterminated_http_version[] = {
+         'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
+ };
+ 
++static char only_newlines[] = {
++        '\n', '\n', '\n', '\n'
++};
++
+ static struct RequestTest {
+ 	const char *description;
+ 	const char *bugref;
+@@ -387,7 +392,6 @@ static struct RequestTest {
+ 	  { { NULL } }
+ 	},
+ 
+-        /* This couldn't be a C string as going one byte over would have been safe. */
+ 	{ "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+ 	  unterminated_http_version, sizeof (unterminated_http_version),
+ 	  SOUP_STATUS_BAD_REQUEST,
+@@ -457,6 +461,13 @@ static struct RequestTest {
+ 	  SOUP_STATUS_BAD_REQUEST,
+            NULL, NULL, -1,
+ 	  { { NULL } }
++	},
++
++	{ "Only newlines", NULL,
++	  only_newlines, sizeof (only_newlines),
++	  SOUP_STATUS_BAD_REQUEST,
++           NULL, NULL, -1,
++	  { { NULL } }
+ 	}
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+-- 
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index 6125c0624a..c0c2209501 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -19,6 +19,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2024-52532-1.patch \
            file://CVE-2024-52532-2.patch \
            file://CVE-2024-52532-3.patch \
+           file://CVE-2025-32906-1.patch \
+           file://CVE-2025-32906-2.patch \
           "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 

From patchwork Fri May  9 15:45:52 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 62696
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id CD906C3ABC3
	for <webhook@archiver.kernel.org>; Fri,  9 May 2025 15:46:23 +0000 (UTC)
Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com
 [209.85.216.46])
 by mx.groups.io with SMTP id smtpd.web10.1936.1746805570921972598
 for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:11 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=alH/7cP4;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.46,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f46.google.com with SMTP id
 98e67ed59e1d1-30ac268a8e0so2549886a91.0
        for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1746805570;
 x=1747410370; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=mI0SPqSJ8B4VZs3fJC8KeKGWaq5+hGZ14igfpK+35kQ=;
        b=alH/7cP4WbvtF2Ad0sxJrKS9CdAqoO5ptU8o8lpMSMnAUY8d9Ln89J9s/RWTs/Pn/h
         EIPWNYtmBmVkHAOuXyHj5Ml2yiiuwpms8LmhNRtGMXLBMPCTS42HKZRZyR1fKWtLKcpX
         KqPImulqbiamRfGrAC/w7QTgMwxsb/Q7WVWNdpZQszsLwsKDT6LiKnADds77/mqBGvyB
         RGBsG+URouEhJ5eVcFAf9sFzkKpuZSsWkv08PVqWRXhHZpU3xEjorl5dNaRbw67L/XYK
         NsWZUuqjEUOooUdhro6MNGRAtwjflqwuTj5pBioMXi0F7MIkLCe7zgtWz2UA+yB3Ylkd
         pwWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1746805570; x=1747410370;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=mI0SPqSJ8B4VZs3fJC8KeKGWaq5+hGZ14igfpK+35kQ=;
        b=U1w9X4phdS15Fmwi2IDzWEAnmFvq9ipe8Ir2kncw+C0zpKwhH1ct4pne7OsaGYkL69
         Fp8LP8ymp/GDW/f6TsWjOujaSTfxyLAy2V1kJG8JsPd75tB7DSYJLM0wkBGpuJdof94x
         lYK9XgPvRL2UWD27lQS2Qr7Hmtsysm06IZy+xDsmBOWMKQ28GhoiTDHCowO4wXF6IcS+
         erEix3DixuuUtW+Z75n6Y0G3vElXwSIFpTqbFKnRyJ4MzM+VrWr96R2TVhfXJkPNLzdf
         8D5vOV/6j1CJZmL8C4OIzMnk1U28QfL4UYlhwWZBssu7N80wBDQZn7w1V5OdtyP4D1VG
         XoKQ==
X-Gm-Message-State: AOJu0YxLjx7C12jjww2X2bpPEUYAEw0iJodtCuB3Pyhsc+ZecCIcRy1+
	bRFwGBuEpvxC+41TIroko9HGcufnBW8PwSTH0R033f2dBAKAeMKQGw0XuVmpQHbGVT+E38LALU0
	E
X-Gm-Gg: ASbGncvNASfYxTiqQ+L9aXL3H/IPdAj7n2OXohTBt2bA89fUD6Fx1p9TtIZMtLHh5dt
	pnVZvA/Jqy067t3VWDwyW2KOtftgGlAUjJGSyaQ22me/xPKzJN6tKE+cclolSRcuf8FOs7vf48F
	x3VdXtoKRkl8L4GLrRG1WIcm+vbw8P8FfHYyBaVCvmJgsjkimuZWpQq6OCrGxdeWDVl97KAXBML
	KIFn+UnViM8q8k7YzWE/tB3scctxmsTob/BFiqO+rRvfC/v0EwI75FwTj3Mp3k9VZThimkd5v6V
	DEqihM1jK5i2Z1LMqSTyvkNojPBIr377
X-Google-Smtp-Source: 
 AGHT+IGdqPMAQsl4/Z+c7nY3NeM9rtMyt2L3TTwkYRhhLrV+r/oYjz8qEZorOjnGooY6mnsJ7CaUkQ==
X-Received: by 2002:a17:90b:2f84:b0:308:2945:3842 with SMTP id
 98e67ed59e1d1-30c4011c2camr6032636a91.15.1746805569881;
        Fri, 09 May 2025 08:46:09 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:1912:b658:11a7:402c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-30c39dee9aasm1983093a91.25.2025.05.09.08.46.09
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 09 May 2025 08:46:09 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 5/8] libsoup-2.4: Fix CVE-2025-32909
Date: Fri,  9 May 2025 08:45:52 -0700
Message-ID: 
 <90359036300731b6c26b646afbf3d66127b72fa2.1746805404.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1746805404.git.steve@sakoman.com>
References: <cover.1746805404.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 09 May 2025 15:46:23 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/216231

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/comm
it/ba4c3a6f988beff59e45801ab36067293d24ce92

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup/libsoup-2.4/CVE-2025-32909.patch  | 36 +++++++++++++++++++
 .../libsoup/libsoup-2.4_2.74.3.bb             |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
new file mode 100644
index 0000000000..046f20203f
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
@@ -0,0 +1,36 @@
+From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 8 Jan 2025 16:30:17 -0600
+Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4
+ bytes
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92]
+CVE: CVE-2025-32909
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-content-sniffer.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index 967ec61..a1f23c2 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -227,9 +227,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ {
+ 	const char *resource = (const char *)buffer->data;
+ 	guint resource_length = MIN (512, buffer->length);
+-	guint32 box_size = *((guint32*)resource);
++	guint32 box_size;
+ 	guint i;
+ 
++	  if (resource_length < sizeof (guint32))
++		  return FALSE;
++
++	  box_size = *((guint32*)resource);
++
+ #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
+ 	box_size = ((box_size >> 24) |
+ 		    ((box_size << 8) & 0x00FF0000) |
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index c0c2209501..3aaa06a541 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2024-52532-3.patch \
            file://CVE-2025-32906-1.patch \
            file://CVE-2025-32906-2.patch \
+           file://CVE-2025-32909.patch \
           "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 

From patchwork Fri May  9 15:45:53 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 62699
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D6C15C3ABBC
	for <webhook@archiver.kernel.org>; Fri,  9 May 2025 15:46:23 +0000 (UTC)
Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com
 [209.85.216.47])
 by mx.groups.io with SMTP id smtpd.web10.1937.1746805572130949362
 for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:12 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=L1IRsgcs;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.47,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f47.google.com with SMTP id
 98e67ed59e1d1-306b6ae4fb3so2815264a91.1
        for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1746805571;
 x=1747410371; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=m1U2TU/KAyzsWJZKXVUvneimww6AxMU95NwEPmrj1wU=;
        b=L1IRsgcs/diBOJ6xGjxRXTFPCG2XYmZ8NdOUbyNVuvwQg/WvqFqUga539EK81QZOWo
         vqYxptYdaM9MZsHHqHm3gxaO1/lgvp0jql5EYidnoGi/3xOhHcqPHHZA7TZDgEyES6iQ
         XsyeN9ZnWmO/TK6tliH7Q2riI5k/9SWp7IaVaA/9U5C/9qB9f+dcV2OjDGAGSFKGCSsq
         L6b9z9KGSfg09831jpUaD55NkYdLelNET6+e+J00fI8rAivIFeQG9sQZz7fC6aDTdbzX
         WYYC3KV2SAZ4nwkqJfIeWv1jTzOJ0Um4JkdBldfH/sdL1mGFa1JgtjakNNLSTWHzKxeN
         PjGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1746805571; x=1747410371;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=m1U2TU/KAyzsWJZKXVUvneimww6AxMU95NwEPmrj1wU=;
        b=brx7n5D74KcwcnvScj2MRFyBPKweeppQyPXMzVEWnllXcxR4lEyMvqztoFzcLrtYlp
         zOYP8XiCai+WJWnGaCW7kshqt6KfrgFplZ15aWlhTk0sBdU/P6MRJMviWpgCLJ4wa+fq
         zRtKA0Tjj3FK2JsQR8B3F+QZPu13zGabZ911TOH2TFxc95gatIGgmdzxMO5zs3kEHCZj
         E6UppQgiGQqwZBs4z1/FYtZu5Zh+dzTcM/pDnkjWFqnkRE7b8WPq9xCqYlhR7uNfvOsy
         37lgz1YVLLU24I/hSkG74Ymo7rNzr+3gTOu7WLcDBuRL39YT3pWaFjYx7+Puwj9DqEkh
         LHDg==
X-Gm-Message-State: AOJu0YxwbXWCPme4WICGaMdDS37pqguXmFl+WAcQ/xpJ3YtulPVGta6F
	H+t7Yld0/oq8BU5uXRcFnnbVHAG+F9PSy2cSAFy3EwzkS6vQsEfa9ICS69WvzI+HuCy1BtbsA1h
	j
X-Gm-Gg: ASbGnct4jZH7llK17Jvw5zRyqAiTYhYWhw6KzEzJLsEvzDwQ2DP9QBCJqCz4ay3ma4e
	A6zNJS8KeCEz5kieiYeIMA1ncA92vj2Xu3KmAf9f2/cdO5MK6Ks6Tu6cAKErf3x55LbKhtqbakl
	/RJb6RGTb69XeGoN/94OQCA+WkC5dSfAiBpXUrdNYyFgSGVe0iPaYLKEOxVAR3P+Blc5xahphZ4
	KcLG96ZytzYb7K6UQ6qXQHDRPX7DsFLj7YcnASeHcTpYQUkc1hSnJQW2TFMzVJCYCPhxCg0t2uh
	CNwzs3fCv0zGh0Wm3Iiy8cMl04zhe/8i
X-Google-Smtp-Source: 
 AGHT+IEFza9xba9T4hTHf9cNa4pwtZwuOgxDWaFyP/YYUoVyp9DgLhmcPSOSTd22dIodqB05BtY2nA==
X-Received: by 2002:a17:90b:394a:b0:2ee:ad18:b309 with SMTP id
 98e67ed59e1d1-30c3cc109a9mr5990556a91.3.1746805571347;
        Fri, 09 May 2025 08:46:11 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:1912:b658:11a7:402c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-30c39dee9aasm1983093a91.25.2025.05.09.08.46.10
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 09 May 2025 08:46:11 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 6/8] connman :fix CVE-2025-32743
Date: Fri,  9 May 2025 08:45:53 -0700
Message-ID: 
 <9558ec2091964556b47b0909c5d243aee5bafb6f.1746805404.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1746805404.git.steve@sakoman.com>
References: <cover.1746805404.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 09 May 2025 15:46:23 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/216232

From: Praveen Kumar <praveen.kumar@windriver.com>

In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
can be NULL or an empty string when the TC (Truncated) bit is set in
a DNS response. This allows attackers to cause a denial of service
(application crash) or possibly execute arbitrary code, because those
lookup values lead to incorrect length calculations and incorrect
memcpy operations.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32743

Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../connman/connman/CVE-2025-32743.patch      | 48 +++++++++++++++++++
 .../connman/connman_1.42.bb                   |  1 +
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
new file mode 100644
index 0000000000..b31c59aa70
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
@@ -0,0 +1,48 @@
+From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
+From: Praveen Kumar <praveen.kumar@windriver.com>
+Date: Thu, 24 Apr 2025 11:39:29 +0000
+Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
+
+In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
+can be NULL or an empty string when the TC (Truncated) bit is set in
+a DNS response. This allows attackers to cause a denial of service
+(application crash) or possibly execute arbitrary code, because those
+lookup values lead to incorrect length calculations and incorrect
+memcpy operations.
+
+This patch includes a check to make sure loookup value is valid before
+using it. This helps avoid unexpected value when the input is empty or
+incorrect.
+
+Fixes: CVE-2025-32743
+
+CVE: CVE-2025-32743
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 7ebffbc..1a5a4f3 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1669,8 +1669,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
+				gpointer request, gpointer name)
+ {
+	int sk = -1;
++	int err;
+	const char *lookup = (const char *)name;
+-	int err = ns_try_resolv_from_cache(req, request, lookup);
++
++	if (!lookup || strlen(lookup) == 0)
++		return -EINVAL;
++
++	err = ns_try_resolv_from_cache(req, request, lookup);
+
+	if (err > 0)
+		/* cache hit */
+--
+2.40.0
diff --git a/meta/recipes-connectivity/connman/connman_1.42.bb b/meta/recipes-connectivity/connman/connman_1.42.bb
index 91ab9895ac..3a1c9802bd 100644
--- a/meta/recipes-connectivity/connman/connman_1.42.bb
+++ b/meta/recipes-connectivity/connman/connman_1.42.bb
@@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
            file://no-version-scripts.patch \
            file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \
            file://0001-src-log.c-Include-libgen.h-for-basename-API.patch \
+           file://CVE-2025-32743.patch \
            "
 
 SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"

From patchwork Fri May  9 15:45:54 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 62700
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id DAB2FC3ABCE
	for <webhook@archiver.kernel.org>; Fri,  9 May 2025 15:46:23 +0000 (UTC)
Received: from mail-pj1-f48.google.com (mail-pj1-f48.google.com
 [209.85.216.48])
 by mx.groups.io with SMTP id smtpd.web10.1938.1746805574104153126
 for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:14 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=WkjVXxRE;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.48,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f48.google.com with SMTP id
 98e67ed59e1d1-30828fc17adso2317027a91.1
        for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1746805573;
 x=1747410373; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=o27hlFZ76ZiWm2/8ZYZWqJ7qfY9qagoxmAgsAMz+Mco=;
        b=WkjVXxRE5PaBBXgBZCaGck7BnimWQX6/T8Io6rXBBVLoJyOjpjsgLtlOyxuXmiQ3TQ
         yZrCLymFgPPTDClALnK9uteToU33qKpwIuL4SwuLNldYcowCI8xY7AXyO0sJ9A2Hs7pC
         2T40Qdb4EFyWGoKoAcaL8eDzepyYJ/lwlhHcMKtVJb+hP3ZzrmCR6YYBr3WtP9QlOaIy
         epdnHxchwTWGPzYEqQzuIZe3MuaHyBDUNK27TC/YL6w1rpJ1Pl625Wj65D6l1b3w0T7w
         DR9ay3TZ7wCeyVzjc54zf9Gs0BwuYQbtyCqat1u68DhJAIFUmzQDIUFsT62QX4quG/Nf
         W+bA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1746805573; x=1747410373;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=o27hlFZ76ZiWm2/8ZYZWqJ7qfY9qagoxmAgsAMz+Mco=;
        b=u43GvR/C9jAJNxXgRg4Mwvx1mVyTaNEeFXNpxdIMDbrDJ77ICoaJz6XDxNeBgOezPk
         U5nS0muRDKKd6ITPSxihdo1Z7SJP3b81PJ1sqCa0P+32pLjHWG+bFhKvxMQVD0do+Fnq
         NCZFK2g6YqKF6UjPSwALyDiuR/2VE8B6rtmSXlYESa5+taRdJS5hTAxFPNzui1Es+xas
         Pa1GN8/B7FBV8kizHogP9nRpjQ/Hl7M0gC5uW5/vebx0AdJWtguel401TIi5fnlc8u7U
         OIPC/TG02wmWklvvW4/96fIWDkogGLiVZ6ju1oBrAtgQl53OuqgD87d6v5/ZOUbGpn0K
         x4rQ==
X-Gm-Message-State: AOJu0Yyu0jX14IvNm1iRyJawzz1mtiaOGXOyGPBkF+iaqJl7zdBxuij8
	P4yL0B5+ZStYhtBDHywFrDrOzjC0s8LxAe58RMCt5qE7DAh522Kc2JMJ1b3/DRqI3RVxluSYjQz
	p
X-Gm-Gg: ASbGncs/nIaqRD/rlYBtKFrKquYDYuwJ+9HY3r5adx6w0TtOM9BDd4wvwuQPaik7qhv
	sLSNkA3qCAb9Ik4rrjOkaN3QQOpYZ2ZKDXiD7zcUCNa4d11tbF0U8nloFOVNlBlqa7QORg9yZ8+
	DKmZ5vJih9gFfsBZl5cnitoxTJNtCwY/0SOxdQmEfSPlLhkVB2XHNUlQuQgbXgCwQzaZaDa6iPN
	RVbeJvpDCHRD1CkTfyH+yzUL0NmPfBpfznkIR1VbQ9+o9eFtzaf7wvEhyHUf06GwHV5qJ8bDZ2l
	4woSHilRKJG6h67Rh/elIcy2Dv0FSnw0
X-Google-Smtp-Source: 
 AGHT+IHNB8F99IQyhyzWf13Ke+ZYxgQIa2HqVoXcptdTAY9COPTFH++hePFlLg5CgKGkXSEq7XhHZQ==
X-Received: by 2002:a17:90b:554d:b0:301:1d9f:4ba2 with SMTP id
 98e67ed59e1d1-30c3d64998emr6292047a91.28.1746805573147;
        Fri, 09 May 2025 08:46:13 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:1912:b658:11a7:402c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-30c39dee9aasm1983093a91.25.2025.05.09.08.46.12
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 09 May 2025 08:46:12 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 7/8] libsoup: Fix CVE-2025-32914
Date: Fri,  9 May 2025 08:45:54 -0700
Message-ID: 
 <6dd125b619974c8102b3050900781c22c2db4b10.1746805404.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1746805404.git.steve@sakoman.com>
References: <cover.1746805404.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 09 May 2025 15:46:23 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/216233

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup-3.4.4/CVE-2025-32914.patch        | 111 ++++++++++++++++++
 meta/recipes-support/libsoup/libsoup_3.4.4.bb |   1 +
 2 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32914.patch

diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32914.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32914.patch
new file mode 100644
index 0000000000..0ada9f3134
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32914.patch
@@ -0,0 +1,111 @@
+From 5bfcf8157597f2d327050114fb37ff600004dbcf Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Tue, 15 Apr 2025 09:03:00 +0200
+Subject: [PATCH] multipart: Fix read out of buffer bounds under
+ soup_multipart_new_from_message()
+
+This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
+of the body argument.
+
+Closes #436
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]
+CVE: CVE-2025-32914
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-multipart.c |  2 +-
+ tests/multipart-test.c   | 58 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index 2421c91f8..102ce3722 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -173,7 +173,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ 			return NULL;
+ 		}
+ 
+-		split = strstr (start, "\r\n\r\n");
++		split = g_strstr_len (start, body_end - start, "\r\n\r\n");
+ 		if (!split || split > end) {
+ 			soup_multipart_free (multipart);
+ 			return NULL;
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 2c0e7e969..f5b986889 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -471,6 +471,62 @@ test_multipart (gconstpointer data)
+ 	loop = NULL;
+ }
+ 
++static void
++test_multipart_bounds_good (void)
++{
++	#define TEXT "line1\r\nline2"
++	SoupMultipart *multipart;
++	SoupMessageHeaders *headers, *set_headers = NULL;
++	GBytes *bytes, *set_bytes = NULL;
++	const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
++	gboolean success;
++
++	headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++	soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++	bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++	multipart = soup_multipart_new_from_message (headers, bytes);
++
++	g_assert_nonnull (multipart);
++	g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
++	success = soup_multipart_get_part (multipart, 0, &set_headers, &set_bytes);
++	g_assert_true (success);
++	g_assert_nonnull (set_headers);
++	g_assert_nonnull (set_bytes);
++	g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes));
++	g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
++	g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes));
++
++	soup_message_headers_unref (headers);
++	g_bytes_unref (bytes);
++
++	soup_multipart_free (multipart);
++
++	#undef TEXT
++}
++
++static void
++test_multipart_bounds_bad (void)
++{
++	SoupMultipart *multipart;
++	SoupMessageHeaders *headers;
++	GBytes *bytes;
++	const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
++
++	headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++	soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++	bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++	/* it did read out of raw_data/bytes bounds */
++	multipart = soup_multipart_new_from_message (headers, bytes);
++	g_assert_null (multipart);
++
++	soup_message_headers_unref (headers);
++	g_bytes_unref (bytes);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -498,6 +554,8 @@ main (int argc, char **argv)
+ 	g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
+ 	g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
+ 	g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
++	g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
++	g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+ 
+ 	ret = g_test_run ();
+ 
+-- 
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
index 63e9afa6fc..8cca980faf 100644
--- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -29,6 +29,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-32906-1.patch \
            file://CVE-2025-32906-2.patch \
            file://CVE-2025-46420.patch \
+           file://CVE-2025-32914.patch \
           "
 SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
 

From patchwork Fri May  9 15:45:55 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 62702
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id EA7D1C3ABCD
	for <webhook@archiver.kernel.org>; Fri,  9 May 2025 15:46:33 +0000 (UTC)
Received: from mail-pg1-f175.google.com (mail-pg1-f175.google.com
 [209.85.215.175])
 by mx.groups.io with SMTP id smtpd.web10.1944.1746805585153563942
 for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:25 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=Y7to0pNK;
 spf=softfail (domain: sakoman.com, ip: 209.85.215.175,
 mailfrom: steve@sakoman.com)
Received: by mail-pg1-f175.google.com with SMTP id
 41be03b00d2f7-b1ff9b276c2so1288145a12.1
        for <openembedded-core@lists.openembedded.org>;
 Fri, 09 May 2025 08:46:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1746805584;
 x=1747410384; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=3J7KFf5lggbjXtsnvRTWvuoRxacgrKZtUq3b/b2K4gk=;
        b=Y7to0pNKBB8pAu83SoNo83wODXIXQZiA0e7tDyLF7ylKZn242E7RF5XexZdeR0w4af
         lSji2Now9YlGIUSHaqsoSFDuQ2J7XipyaEym03P5MZbk7Pag9I6wU4/5IA+nJRbiVqJ1
         YLaSf0WBVE/TlWHCqAyPch7jBcueGpVi8DCx26C979gGOshueOlMpx4d9XGSQ4vw41Tb
         VoJorDYBAIdhkUiziP0wR+uotzjZG9ueE3rX3I09u2Dpbt4dwUGKxJmWfvEwf8ferUOG
         ez3ND3bWoR5ND9Ld7OiWhNB103RigOx3372+HFRhKRHuc6E7pS18dclEEsigNODzo+oc
         AyVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1746805584; x=1747410384;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=3J7KFf5lggbjXtsnvRTWvuoRxacgrKZtUq3b/b2K4gk=;
        b=TfBEKaE/xquU1HoER/gHsI6F82v3TYS/hJmkx9TT109Hwv+gayul2iVbMBY22KjrxY
         5k2CZ/z3k/vtPgNvtzq2Gm6jBI4NQUmKdAFT/YN1uPcQhC2V48np7ecU0bFAYZfoWguE
         55SJNRol+QzrYwcEUsIN9RUYtwqE1b2hQ8U9xnJhA7Fei6I2ELhksVeW8d1bjZ3gcQaK
         9ZQqJR27zzMXcs5EICRRvc3+hyBdU39k3taisvDMrTvusL5MmY8G4do3Zmfg9bkY5JCK
         oXmuXLOsb8SPY7sOGNHe0ZWYpMaa0JD13ZHVAW0KEh2+f3U8Wzm+InYH1yrWMQOOSV9e
         LgJw==
X-Gm-Message-State: AOJu0Yywh7LeQ84i5aaIhhbv6HGgSWVf4mFMgZbbXUe1/p8nVltTfWKu
	oCAHdlfCSpmfDfMALUvRVSfFPKa0r9OU8aiw4+5n1PgfvmyQ9eiP243GyCuZOiIkPuuyl1Ck/p1
	B
X-Gm-Gg: ASbGncubnJW+bHVkOn16PMQTff2PnJqnOkeA83BSkobLI+OClz+lRR12DSA4kcvydxb
	oD3FqT/d8feu4Pvu+VYue4Ya03/xoUjnAORd9JHnIZ4l4DpX43jhXPv58BnaA3s93y8M+L0PYQA
	x01lY19mDcSW1DsTGqrCwYFDeF9MNGfFJUFoxL49vP9jfTut99zfGVN2yZRAV6zkCQc/IqPMlrk
	ODkU2S8qvpiazkvvoCBW6KPUCgcyFu0+ezy9v8GL3JowEnUHeUGLum5/lGwfwAYj6QvUHSvn/tG
	7umFufJFVNEwBsj+XeUIOzLPCtnK7bWhMiNnF9v8oQw=
X-Google-Smtp-Source: 
 AGHT+IEicfcsNe8AtBKGxWjF/g3D6syx07hRf/bmtkb2hBcJcN7dokBjg7+aUAwgfLVyQOvvzDSfwA==
X-Received: by 2002:a17:90b:4c89:b0:2fe:7f40:420a with SMTP id
 98e67ed59e1d1-30c3d3e8b69mr7573721a91.17.1746805584395;
        Fri, 09 May 2025 08:46:24 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:1912:b658:11a7:402c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-30c39dee9aasm1983093a91.25.2025.05.09.08.46.23
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 09 May 2025 08:46:24 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 8/8] glibc: Add single-threaded fast path to
 rand()
Date: Fri,  9 May 2025 08:45:55 -0700
Message-ID: 
 <68ee8d16fa5419acba9111d3aca285be92bd93d3.1746805404.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1746805404.git.steve@sakoman.com>
References: <cover.1746805404.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 09 May 2025 15:46:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/216234

From: Haixiao Yan <haixiao.yan.cn@windriver.com>

Backport a patch [1] to improve performance of rand() and __random()[2]
by adding a single-threaded fast path.

[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=be0cfd848d9ad7378800d6302bc11467cf2b514f
[2] https://sourceware.org/bugzilla/show_bug.cgi?id=32777
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...dd-single-threaded-fast-path-to-rand.patch | 47 +++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.39.bb         |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch

diff --git a/meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch b/meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch
new file mode 100644
index 0000000000..736fc51f38
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch
@@ -0,0 +1,47 @@
+From 4f54b0dfc16dbe0df86afccb90e447df5f7f571e Mon Sep 17 00:00:00 2001
+From: Wilco Dijkstra <wilco.dijkstra@arm.com>
+Date: Mon, 18 Mar 2024 15:18:20 +0000
+Subject: [PATCH] stdlib: Add single-threaded fast path to rand()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Improve performance of rand() and __random() by adding a single-threaded
+fast path.  Bench-random-lock shows about 5x speedup on Neoverse V1.
+
+Upstream-Status: Backport [be0cfd848d9ad7378800d6302bc11467cf2b514f]
+
+Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ stdlib/random.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/stdlib/random.c b/stdlib/random.c
+index 17cc61ba8f55..5d482a857065 100644
+--- a/stdlib/random.c
++++ b/stdlib/random.c
+@@ -51,6 +51,7 @@
+    SUCH DAMAGE.*/
+ 
+ #include <libc-lock.h>
++#include <sys/single_threaded.h>
+ #include <limits.h>
+ #include <stddef.h>
+ #include <stdlib.h>
+@@ -288,6 +289,12 @@ __random (void)
+ {
+   int32_t retval;
+ 
++  if (SINGLE_THREAD_P)
++    {
++      (void) __random_r (&unsafe_state, &retval);
++      return retval;
++    }
++
+   __libc_lock_lock (lock);
+ 
+   (void) __random_r (&unsafe_state, &retval);
+-- 
+2.34.1
+
diff --git a/meta/recipes-core/glibc/glibc_2.39.bb b/meta/recipes-core/glibc/glibc_2.39.bb
index 8373db2c4f..e4e2a766d7 100644
--- a/meta/recipes-core/glibc/glibc_2.39.bb
+++ b/meta/recipes-core/glibc/glibc_2.39.bb
@@ -53,6 +53,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
            file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \
            file://0023-qemu-stale-process.patch \
+           file://0001-stdlib-Add-single-threaded-fast-path-to-rand.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"