From patchwork Wed May 21 09:53:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 63450 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4F782C54E65 for ; Wed, 21 May 2025 09:53:37 +0000 (UTC) Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.web10.7383.1747821215357992079 for ; Wed, 21 May 2025 02:53:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=Pm6HJvTI; spf=pass (domain: mvista.com, ip: 209.85.210.169, mailfrom: vanusuri@mvista.com) Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-7390d21bb1cso5782644b3a.2 for ; Wed, 21 May 2025 02:53:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1747821214; x=1748426014; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=gVVk8cM47L0jz6xPkCs8CguKMIMEzrT6AHhT1hpBGHQ=; b=Pm6HJvTIWqyJwlQQSge4SclZiIVHxX+uVyVq8RanBrc37MO6nIZyKUA+G1GJbHYxSM oe4G/8nfiytAzo+kWk9iEHfkDtrHrOpareyTzkKRSwyLF71nF2wtj4uAL0eTRqljonR6 6flL17uOu52D+PGxIu90v5Kqh+IniljH+fp+M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747821214; x=1748426014; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gVVk8cM47L0jz6xPkCs8CguKMIMEzrT6AHhT1hpBGHQ=; b=l54hCLTRl+hkdPHSf08B06wd4iRY8jznKJOgRz/9WVIOEdTymTjAqzaUT5oQT7A0lX vigsKGH7mS0EeMvyMZ1D6CXK0Xf2fqIYbZrLxwyFN9sF39kGok2YP2lDxZAcXw7osyQA 5pVsg40hNPufRmJklaH0iLo1jE06OCn2hKBZm4d7s8xVFuCOHzoRwc1SApkOBMjB3c/l JS3uFyog0DkBsNnyWlAqQh2jJipYLNHB3Qn0Lsk7SAe7Qvxs8ULBveoWKoHCmbaxF0zJ DZEP79Ay2E+P+64ZJyDMgMM1Vk6OCYQEgYcQZ0Aa0jVCnLfgObAY1VnDHUQynLWWulN0 16yg== X-Gm-Message-State: AOJu0YwNnTZ9orHSc+79iTx2RZhewpqVkxQH/aS5es/+y5ko8aLRhFUa p19wnnNaGD0JH6qhe4Yv67ljzsODFE0VnuvOc2K5mWZa25nUJBDfA5huZqfH2u1gecYAcOFQcVB txfDjbgE= X-Gm-Gg: ASbGncsRzTfldJbJwxl96XsP9CYnJLkdP6o0uCEYjAnv9AUGueLqNtBkz0uA6vwKboD b94swVERWP8YH9/n6UjPLKwThRcAGp9r+X1o+Ub/BBXxzJiXzE4Gguhz9gWprL67W024TCGi+2D sYWTL0meHR05B3BcP7Iz0kEsRNYy0N69c48y06hiV3XFIC8Azg3pt/YmQBwsvIV6EU/rGWhg4lU s4yXpXuqCJVXV/Mi0qszVNXxC3ACn3v6CgmXS6LJZtHp8+rJ0UQ9J3omLX8Z29VER5SRTU+vih9 gBCLEMC69peD4V69lAawtnOjOprEKciA9ErHX4dwugUokOh+sNxOlRsiMUiSMhQ= X-Google-Smtp-Source: AGHT+IFHwu9wHGh1h44sXs0Q5s57qELe2mPYQt0G8XYTFsoCy7q6hDakY5tU26ISpi5YVQLr+B4Iug== X-Received: by 2002:a05:6a00:3985:b0:742:a334:466a with SMTP id d2e1a72fcca58-742a97eb677mr27931717b3a.12.1747821214137; Wed, 21 May 2025 02:53:34 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.212.152]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-742a9829cb7sm9241325b3a.111.2025.05.21.02.53.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 May 2025 02:53:33 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 1/4] libsoup-2.4: Fix CVE-2025-32910 Date: Wed, 21 May 2025 15:23:21 +0530 Message-Id: <20250521095324.92028-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 May 2025 09:53:37 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217012 From: Vijay Anusuri import patch from debian to fix CVE-2025-32910 Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe & https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a & https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417 https://security-tracker.debian.org/tracker/CVE-2025-32910 Signed-off-by: Vijay Anusuri --- .../libsoup-2.4/CVE-2025-32910-1.patch | 97 ++++++++++++ .../libsoup-2.4/CVE-2025-32910-2.patch | 148 ++++++++++++++++++ .../libsoup-2.4/CVE-2025-32910-3.patch | 26 +++ .../libsoup/libsoup-2.4_2.74.3.bb | 3 + 4 files changed, 274 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch new file mode 100644 index 0000000000..de4faf5380 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch @@ -0,0 +1,97 @@ +From: Patrick Griffis +Date: Sun, 8 Dec 2024 20:00:35 -0600 +Subject: auth-digest: Handle missing realm in authenticate header + +(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe) + +Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads +Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-auth-digest.c | 3 +++ + tests/auth-test.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index e8ba990..263a15a 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + ++ if (!soup_auth_get_realm (auth)) ++ return FALSE; ++ + g_free (priv->domain); + g_free (priv->nonce); + g_free (priv->opaque); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 8295ec3..dfc6b09 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void) + soup_test_session_abort_unref (session); + } + ++static void ++on_request_read_for_missing_realm (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) ++{ ++ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++} ++ ++static void ++do_missing_realm_test (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupServer *server; ++ SoupAuthDomain *digest_auth_domain; ++ gint status; ++ GUri *uri; ++ ++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ soup_server_add_handler (server, NULL, ++ server_callback, NULL, NULL); ++ uri = soup_test_server_get_uri (server, "http", NULL); ++ ++ digest_auth_domain = soup_auth_domain_digest_new ( ++ "realm", "auth-test", ++ "auth-callback", server_digest_auth_callback, ++ NULL); ++ soup_auth_domain_add_path (digest_auth_domain, "/"); ++ soup_server_add_auth_domain (server, digest_auth_domain); ++ g_object_unref (digest_auth_domain); ++ ++ g_signal_connect (server, "request-read", ++ G_CALLBACK (on_request_read_for_missing_realm), ++ NULL); ++ ++ session = soup_test_session_new (NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ g_signal_connect (msg, "authenticate", ++ G_CALLBACK (on_digest_authenticate), ++ NULL); ++ ++ status = soup_test_session_send_message (session, msg); ++ ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); ++ g_uri_unref (uri); ++ soup_test_server_quit_unref (server); ++} ++ + int + main (int argc, char **argv) + { +@@ -1576,6 +1625,7 @@ main (int argc, char **argv) + g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test); + g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test); + g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test); ++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test); + + ret = g_test_run (); + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch new file mode 100644 index 0000000000..0d72afa1d6 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch @@ -0,0 +1,148 @@ +From: Patrick Griffis +Date: Thu, 26 Dec 2024 18:18:35 -0600 +Subject: auth-digest: Handle missing nonce + +(cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a) + +Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads +Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++++++++---------- + tests/auth-test.c | 19 +++++++++++-------- + 2 files changed, 46 insertions(+), 18 deletions(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 263a15a..393adb6 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) + return g_string_free (out, FALSE); + } + ++static gboolean ++validate_params (SoupAuthDigest *auth_digest) ++{ ++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); ++ ++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { ++ if (!priv->nonce) ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ + static gboolean + soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + GHashTable *auth_params) +@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + if (priv->algorithm == -1) + ok = FALSE; + +- stale = g_hash_table_lookup (auth_params, "stale"); +- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) +- recompute_hex_a1 (priv); +- else { +- g_free (priv->user); +- priv->user = NULL; +- g_free (priv->cnonce); +- priv->cnonce = NULL; +- memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); +- memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ if (!validate_params (auth_digest)) ++ ok = FALSE; ++ ++ if (ok) { ++ stale = g_hash_table_lookup (auth_params, "stale"); ++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) ++ recompute_hex_a1 (priv); ++ else { ++ g_free (priv->user); ++ priv->user = NULL; ++ g_free (priv->cnonce); ++ priv->cnonce = NULL; ++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); ++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ } + } + + return ok; +@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp, + + /* In MD5-sess, A1 is hex_urp:nonce:cnonce */ + ++ g_assert (nonce && cnonce); ++ + checksum = g_checksum_new (G_CHECKSUM_MD5); + g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method, + if (qop) { + char tmp[9]; + ++ g_assert (cnonce); ++ + g_snprintf (tmp, 9, "%.8x", nc); + g_checksum_update (checksum, (guchar *)tmp, strlen (tmp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg) + g_return_val_if_fail (uri != NULL, NULL); + url = soup_uri_to_string (uri, TRUE); + ++ g_assert (priv->nonce); ++ g_assert (!priv->qop || priv->cnonce); ++ + soup_auth_digest_compute_response (msg->method, url, priv->hex_a1, + priv->qop, priv->nonce, + priv->cnonce, priv->nc, +diff --git a/tests/auth-test.c b/tests/auth-test.c +index dfc6b09..6fb1e4a 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void) + } + + static void +-on_request_read_for_missing_realm (SoupServer *server, +- SoupServerMessage *msg, +- gpointer user_data) ++on_request_read_for_missing_params (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) + { ++ const char *auth_header = user_data; + SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); +- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header); + } + + static void +-do_missing_realm_test (void) ++do_missing_params_test (gconstpointer auth_header) + { + SoupSession *session; + SoupMessage *msg; +@@ -1582,8 +1583,8 @@ do_missing_realm_test (void) + g_object_unref (digest_auth_domain); + + g_signal_connect (server, "request-read", +- G_CALLBACK (on_request_read_for_missing_realm), +- NULL); ++ G_CALLBACK (on_request_read_for_missing_params), ++ (gpointer)auth_header); + + session = soup_test_session_new (NULL); + msg = soup_message_new_from_uri ("GET", uri); +@@ -1625,7 +1626,9 @@ main (int argc, char **argv) + g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test); + g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test); + g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test); +- g_test_add_func ("/auth/missing-realm", do_missing_realm_test); ++ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); + + ret = g_test_run (); + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch new file mode 100644 index 0000000000..ab0f650804 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch @@ -0,0 +1,26 @@ +From: Patrick Griffis +Date: Fri, 27 Dec 2024 13:52:52 -0600 +Subject: auth-digest: Fix leak + +(cherry picked from commit ea16eeacb052e423eb5c3b0b705e5eab34b13832) + +Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-3.patch?ref_type=heads +Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-auth-digest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 393adb6..a1db188 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object) + g_free (priv->nonce); + g_free (priv->domain); + g_free (priv->cnonce); ++ g_free (priv->opaque); + + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index fa4dece0e9..b27c56895b 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -23,6 +23,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32906-2.patch \ file://CVE-2025-32909.patch \ file://CVE-2025-46420.patch \ + file://CVE-2025-32910-1.patch \ + file://CVE-2025-32910-2.patch \ + file://CVE-2025-32910-3.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed May 21 09:53:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 63451 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4BD11C54E65 for ; Wed, 21 May 2025 09:53:47 +0000 (UTC) Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175]) by mx.groups.io with SMTP id smtpd.web11.7477.1747821221338136091 for ; Wed, 21 May 2025 02:53:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=SuO7+d0V; spf=pass (domain: mvista.com, ip: 209.85.210.175, mailfrom: vanusuri@mvista.com) Received: by mail-pf1-f175.google.com with SMTP id d2e1a72fcca58-742c2ed0fe1so4042822b3a.1 for ; Wed, 21 May 2025 02:53:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1747821220; x=1748426020; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ts6jLcET2VrgC7KYIXQZkQYWHX9JCQDhQyr1PaupgDM=; b=SuO7+d0VD4H5ox+77fnaKms4NJGAaIsj+k5p5aMn/f0SrToVhwMp15AgHwzvWOmWgZ T4FI8JgiwjsyqEkW5pmZT9POyENP84EbXZswDpa3689jvkIB7W6FLX5ncQblNUMNn9A4 EPCxvoKPLkZv8iyMn+gjgGHJp54c1i+ivYR1I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747821220; x=1748426020; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ts6jLcET2VrgC7KYIXQZkQYWHX9JCQDhQyr1PaupgDM=; b=wl70oTVIV+R9oIayCfyCWU03Yqya3/YfSxCrk8P5o/nunCoL1ZuOP3bvgcjOJ9ve+W c70FOvhmoFOeWs0HeFVduTIoZokfiF3YFuo5PFVVpgAREVIgqFx9vPFlCzayLythRL08 ogCAGrV7z8I+giwLPDE6AtTeWb3KLQtoXdr0dwiXGR75JE33hze6RZ1fb/j0Sl8HjGLA 86JR79QRsTWsMhFrBMNBvDyBiGOikh/rw6NN7Co6wfKYCYtOgTVkQcXiYERmriYJeGvv 8kYomq77zdjGrh9TH5RS0Km3xbINmIBkd/rFqcDF3coSlPXeOCC7TIp+zmJ7xeilWHgu WBng== X-Gm-Message-State: AOJu0YyNkZhzWbUsFizJKWYboOOkYZlwgI5vV5KhMeIM4+V8RE49Uz1t CWyUQja6H6x1flO1OHQaNqaQHdCGDliMtUOAgX5FKVibob8j3Mvf5rTJ77cnRlYvxGLBx8vIIv2 vOs8vfWk= X-Gm-Gg: ASbGnctRIfe/1nWMPW4Qop28tdKNk/hDlqVXFFcSgBBzr7nwGWVMoOk6Fv8cXdo5GJo 4sLlxEIKMBoiHNO+0VKMetAKP4c+ByMDzZhTMi4hEn5qp3Ptlr/CR35zuuH5bght32J0P6Eq+Ct gNhZ8FMhZ4tYJgUgJqYHl6CnLvBhnMIYk8mxuh/QDKuh3/JARn5BAYrn9H5+PCodHu0UccCvTM7 CmUAO3xPg1SCoEKlNcH6joK3jgIONL2iSaBz2mpuZXBq5EYSpY085k99XubtBS6OZzfHleLUs/0 elkIoyFEs4MoZcwBzoSkthZ64d8J2dBJersyO7OmMW4Qn1ldlwJFSfCq3saPNUg= X-Google-Smtp-Source: AGHT+IFN2tL+fhK0IQkpTOBP/TkjGJ6Ox39TqR/z0e8hADXP7og+ZjAeJpric3D7WA3seVEVJJ1oYA== X-Received: by 2002:a05:6a00:ab87:b0:73c:c11:b42e with SMTP id d2e1a72fcca58-742a98d427dmr26049108b3a.20.1747821220153; Wed, 21 May 2025 02:53:40 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.212.152]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-742a9829cb7sm9241325b3a.111.2025.05.21.02.53.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 May 2025 02:53:39 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 2/4] libsoup-2.4: Fix CVE-2025-32911 & CVE-2025-32913 Date: Wed, 21 May 2025 15:23:22 +0530 Message-Id: <20250521095324.92028-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250521095324.92028-1-vanusuri@mvista.com> References: <20250521095324.92028-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 May 2025 09:53:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217013 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0 Signed-off-by: Vijay Anusuri --- .../CVE-2025-32911_CVE-2025-32913-1.patch | 72 +++++++++++++++++++ .../CVE-2025-32911_CVE-2025-32913-2.patch | 44 ++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 2 + 3 files changed, 118 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch new file mode 100644 index 0000000000..4652635294 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch @@ -0,0 +1,72 @@ +From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 17:53:50 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34] +CVE: CVE-2025-32911 CVE-2025-32913 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-message-headers.c | 13 +++++++++---- + tests/header-parsing-test.c | 14 ++++++++++++++ + 2 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 56cc1e9d..04f4c302 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + */ + if (params && g_hash_table_lookup_extended (*params, "filename", + &orig_key, &orig_value)) { +- char *filename = strrchr (orig_value, '/'); +- +- if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ if (orig_value) { ++ char *filename = strrchr (orig_value, '/'); ++ ++ if (filename) ++ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ } else { ++ /* filename with no value isn't valid. */ ++ g_hash_table_remove (*params, "filename"); ++ } + } + return TRUE; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 5e423d2b..d0b360c8 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1039,6 +1039,7 @@ do_param_list_tests (void) + #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar" ++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename" + + static void + do_content_disposition_tests (void) +@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void) + g_assert_cmpstr (parameter2, ==, "bar"); + g_hash_table_destroy (params); + ++ /* Empty filename */ ++ soup_message_headers_clear (hdrs); ++ soup_message_headers_append (hdrs, "Content-Disposition", ++ RFC5987_TEST_HEADER_EMPTY_FILENAME); ++ if (!soup_message_headers_get_content_disposition (hdrs, ++ &disposition, ++ ¶ms)) { ++ soup_test_assert (FALSE, "empty filename decoding FAILED"); ++ return; ++ } ++ g_assert_false (g_hash_table_contains (params, "filename")); ++ g_hash_table_destroy (params); ++ + soup_message_headers_free (hdrs); + + /* Ensure that soup-multipart always quotes filename */ +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch new file mode 100644 index 0000000000..5d9f33c736 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch @@ -0,0 +1,44 @@ +From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 18:00:39 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: strdup + truncated filenames + +This table frees the strings it contains. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0] +CVE: CVE-2025-32911 CVE-2025-32913 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-message-headers.c | 2 +- + tests/header-parsing-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 04f4c302..ee7a3cb1 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + char *filename = strrchr (orig_value, '/'); + + if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1)); + } else { + /* filename with no value isn't valid. */ + g_hash_table_remove (*params, "filename"); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index d0b360c8..07ea2866 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void) + soup_test_assert (FALSE, "empty filename decoding FAILED"); + return; + } ++ g_free (disposition); + g_assert_false (g_hash_table_contains (params, "filename")); + g_hash_table_destroy (params); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index b27c56895b..8d974c2d59 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -26,6 +26,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32910-1.patch \ file://CVE-2025-32910-2.patch \ file://CVE-2025-32910-3.patch \ + file://CVE-2025-32911_CVE-2025-32913-1.patch \ + file://CVE-2025-32911_CVE-2025-32913-2.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed May 21 09:53:23 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 63453 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4DE1EC54E90 for ; Wed, 21 May 2025 09:53:57 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web10.7386.1747821227461331097 for ; Wed, 21 May 2025 02:53:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=AeMpw39j; spf=pass (domain: mvista.com, ip: 209.85.210.172, mailfrom: vanusuri@mvista.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-73c17c770a7so7116154b3a.2 for ; Wed, 21 May 2025 02:53:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1747821226; x=1748426026; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=OsCzspfX8wbHiSSdRhdUui5rYfTlFV6XR2q9/7RCfHg=; b=AeMpw39jO1ImRvW7/taYoaaGqBGEHEn5MNkYZymixW9NawrUeh6BnlxKMQOuoFYhTY vrmP/FgQfVTyIhwCtPbpUAPVYNVPtqygfk81ySqKyUTC6yoY2mCogbio7JlbUTJxa0D9 YDc4my58/FiEHOufjfh4nc8W53aXXABizLQNo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747821226; x=1748426026; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OsCzspfX8wbHiSSdRhdUui5rYfTlFV6XR2q9/7RCfHg=; b=vqr8uf1b7BG06BUJiCDV0hTPQbmmLmtbegpTufUH66qG1ShlS/C1Z8dcDOTkRAwYOz OFDWsltMlqrYlqpVoawVRH/EDoKAzLm1AlkCaD8JlwvhTEhIMSt4vAaK5/Kno8BHxeZU 8nwvxzfRi9njSZPAww10Si9+pjfxaUKM9Srs52c89SE6BQsDok06vtyyo84ip+38z5zR SFu2TSZcizHGq7E+EPxBQaMTcGDW5uHoOvTbTRUED72Ek4o5OqGUDj/yRwT4EIS6diWS zqRhrtPbxv33V955iWrLlqS2qtU23Z4KXmQcCPn/ExmVM3zs2yfnEtxbpIsHUhBv0H7a t7QA== X-Gm-Message-State: AOJu0YyEGy9w30+anEG9fpNRcWtMZnvMmMj0R6+Ot6QvOCSux0OJiKTx viStefzMrVTFzoJSb0uxbWMHBr6grZb/0vQFaSA0r9OdwRC6ioGlfgQ152V61GS3KLVRoHSoixK ORonusgI= X-Gm-Gg: ASbGncsG3O2nqbrujN9fHHU0FYlvV+tKnHsTfVWlgwlMT83ipBkdzT9mJTb90yJIxIG HzFZr8LsgfYsUkrEFf1JrNiCqHrmS5HMuD3gvyPqQYdJjyRdlMTPCtZOmB29S0FWlxMNInjewzr Notu7kg+Yujgr1Hnhgwrq6ZWy1rLSgoE+zuxKyPDmNZ5mDENYbj48coXVNIs6kBrC37QN9c4X2b v5Fc3jH9Xvw/81HpBjRZ9ExdMguPwljXKQlsAnBxutxLKlOVhlydnnJhXSTsbeb1Bk2ObvQDB0c 8CvI+kUx22Nx3crqpyFkpOc6QApZ6clrIzmXNMeKFQy1/Qc0EStotBMYV8jf8Tf5/hRxgFV6G1I DBuoYEwTw X-Google-Smtp-Source: AGHT+IFTuPO01fekHuhSbuWboRWdiMM4lQTCMP0qqwAfkCMtFpE24IY1mQuFgCdxZtokDkQc/YQ0PA== X-Received: by 2002:a05:6a00:2da5:b0:73f:f816:dd78 with SMTP id d2e1a72fcca58-742a98b2e69mr25533543b3a.15.1747821225883; Wed, 21 May 2025 02:53:45 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.212.152]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-742a9829cb7sm9241325b3a.111.2025.05.21.02.53.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 May 2025 02:53:45 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 3/4] libsoup-2.4: Fix CVE-2025-32912 Date: Wed, 21 May 2025 15:23:23 +0530 Message-Id: <20250521095324.92028-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250521095324.92028-1-vanusuri@mvista.com> References: <20250521095324.92028-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 May 2025 09:53:57 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217014 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f Signed-off-by: Vijay Anusuri --- .../libsoup-2.4/CVE-2025-32912-1.patch | 41 +++++++++++++++++++ .../libsoup-2.4/CVE-2025-32912-2.patch | 30 ++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 2 + 3 files changed, 73 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch new file mode 100644 index 0000000000..2a6f37cb58 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch @@ -0,0 +1,41 @@ +From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 14:03:05 -0600 +Subject: [PATCH 1/2] auth-digest: Handle missing nonce + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992] +CVE: CVE-2025-32912 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-auth-digest.c | 2 +- + tests/auth-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index a1db188..f0edb81 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth)) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 6fb1e4a..343d7a5 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1629,6 +1629,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test); + + ret = g_test_run (); + +-- +2.25.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch new file mode 100644 index 0000000000..4898068115 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch @@ -0,0 +1,30 @@ +From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 8 Feb 2025 12:30:13 -0600 +Subject: [PATCH 2/2] digest-auth: Handle NULL nonce + +`contains` only handles a missing nonce, `lookup` handles both missing and empty. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f] +CVE: CVE-2025-32912 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index f0edb81..c49ffd9 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); +-- +2.25.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 8d974c2d59..509026c4ff 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -28,6 +28,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32910-3.patch \ file://CVE-2025-32911_CVE-2025-32913-1.patch \ file://CVE-2025-32911_CVE-2025-32913-2.patch \ + file://CVE-2025-32912-1.patch \ + file://CVE-2025-32912-2.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed May 21 09:53:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 63452 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4CE5DC2D0CD for ; Wed, 21 May 2025 09:53:57 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web11.7480.1747821231760809302 for ; Wed, 21 May 2025 02:53:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=gldu0D/T; spf=pass (domain: mvista.com, ip: 209.85.210.172, mailfrom: vanusuri@mvista.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-7426c44e014so6573716b3a.3 for ; Wed, 21 May 2025 02:53:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1747821231; x=1748426031; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=HyUPPXtiT4FWfga1mpHaMPGcPN+Fj3mj+A5uunqkpug=; b=gldu0D/TXlmIFQPEi3zPbZ55vqY2oMzwULix1y2b8QskhewR5NHr0PjTyRanNcxPjp kxoWvXkfSumbyjBR0nBta5+/mfVNhoEhmmZRiXra4hp2lBNp/RjUAGL/9+JDXB1GvHgj jxp2PusoqGXKISpheTjKpYZ8oQpMz+6TIC0TY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747821231; x=1748426031; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=HyUPPXtiT4FWfga1mpHaMPGcPN+Fj3mj+A5uunqkpug=; b=RlOL1uHpvpXpbSzNSSIz1MTISBAyW9nUa0+7oRScBpG1RhM+Sex4+npZjkrVPsAMAX Dtg4wdUvf+d/vL/9S9Esrqh05Lk6Wr7qql2henM1/7ngkaMhsBiHe0kWK4JYI98kg0n5 9lffhpFyXvFmA8DFiE+AskGJ9wCLX3acqy2pvQTTnkLcqL4TDivFpZXPLVsMscL8l916 1VT54CkXPkyM0RAIBWQFPlFFaOinT16yWw90Z1RQItErH9hWvIW6FSrOtuT4oQYfNxnZ 6OJrzwTunjlJXgQCBslBGIpqd//2XOW5zcAVMz1Vt7EuVc5KFSzqRVJqlddYMPSB7Rkg qhsQ== X-Gm-Message-State: AOJu0YzhU6M+faMqe4xMENYKemntXQYzh6eUEH4/sAHQQ7HEF5++v/hr bT+k/K6SNNr+ck6A1gvI55rZCCnYCsj7fIuZO6nXNfZEGOpe4pFDQFSVb/9/mFBDh8mIa0XmWjB ZjIUTMlk= X-Gm-Gg: ASbGncvaYjagXeiNAe67dEHUgJFEnP3MjJQZ/NK0nNEDfPWkuj9R6s/lh6uSFjjlRiw WsYS5EVimLbvq6izDBKpK+VaXP53sdQ5pEvp2TGj7R0ox6kSpb8KqpPz3D0nsL3QIQKbvPmt9cE tT0U2fOzlQX8ymaWkYE0FASLJtl7/CLRX8CyGxrAMmPQk6VqgXeRT1+VINnOhHUTETMOuy3/y9e c5Xa334GB6kL3R1TamY6kwl/ouQl5g2pQ38LYATz4NWm3wOhrH0NQ7T8m25Btq5GUId3OhOOhZ9 ILUKpwAqM4j8lCabUuK9z+o5GmkqP57PGKLo5/eXLU73lKbzret5fUcoOqfnnrI= X-Google-Smtp-Source: AGHT+IFVC2fEZ5J+6aMuXpyxNnyN/1BOVqUgE/UnVZGHLb1M1l/InAEvWduu/F1pYVzYaG6OT2giAQ== X-Received: by 2002:a05:6a00:3985:b0:742:a334:466a with SMTP id d2e1a72fcca58-742a97eb677mr27932502b3a.12.1747821230657; Wed, 21 May 2025 02:53:50 -0700 (PDT) Received: from MVIN00020.mvista.com ([49.207.212.152]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-742a9829cb7sm9241325b3a.111.2025.05.21.02.53.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 May 2025 02:53:50 -0700 (PDT) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][scarthgap][PATCH 4/4] libsoup-2.4: Fix CVE-2025-32914 Date: Wed, 21 May 2025 15:23:24 +0530 Message-Id: <20250521095324.92028-4-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250521095324.92028-1-vanusuri@mvista.com> References: <20250521095324.92028-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 May 2025 09:53:57 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217015 From: Vijay Anusuri import patch from debian to fix CVE-2025-32914 Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf] Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450 https://security-tracker.debian.org/tracker/CVE-2025-32914 Signed-off-by: Vijay Anusuri --- .../libsoup/libsoup-2.4/CVE-2025-32914.patch | 137 ++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 138 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch new file mode 100644 index 0000000000..e6d4607b5e --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch @@ -0,0 +1,137 @@ +From: Milan Crha +Date: Tue, 15 Apr 2025 09:03:00 +0200 +Subject: multipart: Fix read out of buffer bounds under + soup_multipart_new_from_message() + +This is CVE-2025-32914, special crafted input can cause read out of buffer bounds +of the body argument. + +Closes #436 + +(cherry picked from commit 5bfcf8157597f2d327050114fb37ff600004dbcf) + +Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32914.patch?ref_type=heads +Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf] +CVE: CVE-2025-32914 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 85 ++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 86 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index a7e550f..dd93973 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + return NULL; + } + +- split = strstr (start, "\r\n\r\n"); ++ split = g_strstr_len (start, body_end - start, "\r\n\r\n"); + if (!split || split > end) { + soup_multipart_free (multipart); + soup_buffer_free (flattened); +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index 64a5ebf..834b181 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -479,6 +479,89 @@ test_multipart (gconstpointer data) + g_main_loop_unref (loop); + } + ++static void ++test_multipart_bounds_good (void) ++{ ++ #define TEXT "line1\r\nline2" ++ SoupMultipart *multipart; ++ SoupMessageHeaders *headers, *set_headers = NULL; ++ //GBytes *bytes, *set_bytes = NULL; ++ GBytes *bytes; ++ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n"; ++ gboolean success; ++ SoupMessageBody *body = soup_message_body_new (); ++ SoupBuffer *set_buffer = NULL; ++ gconstpointer data; ++ gsize size; ++ ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\""); ++ ++ bytes = g_bytes_new (raw_data, strlen (raw_data)); ++ ++ data = g_bytes_get_data(bytes, NULL); ++ size = g_bytes_get_size(bytes); ++ ++ soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size); ++ ++ //multipart = soup_multipart_new_from_message (headers, bytes); ++ multipart = soup_multipart_new_from_message (headers, body); ++ ++ soup_message_body_free (body); ++ ++ g_assert_nonnull (multipart); ++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1); ++ success = soup_multipart_get_part (multipart, 0, &set_headers, &set_buffer); ++ g_assert_true (success); ++ g_assert_nonnull (set_headers); ++ //g_assert_nonnull (set_bytes); ++ g_assert_nonnull (set_buffer); ++ //g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes)); ++ g_assert_cmpint (strlen (TEXT), ==, set_buffer->length); ++ g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL)); ++ //g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes)); ++ g_assert_cmpmem(TEXT, strlen(TEXT), set_buffer->data, set_buffer->length); ++ ++ soup_message_headers_free (headers); ++ g_bytes_unref (bytes); ++ ++ soup_multipart_free (multipart); ++ ++ #undef TEXT ++} ++ ++static void ++test_multipart_bounds_bad (void) ++{ ++ SoupMultipart *multipart; ++ SoupMessageHeaders *headers; ++ GBytes *bytes; ++ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n"; ++ SoupMessageBody *body = soup_message_body_new (); ++ gconstpointer data; ++ gsize size; ++ ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\""); ++ ++ bytes = g_bytes_new (raw_data, strlen (raw_data)); ++ ++ data = g_bytes_get_data(bytes, NULL); ++ size = g_bytes_get_size(bytes); ++ ++ soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size); ++ ++ /* it did read out of raw_data/bytes bounds */ ++ //multipart = soup_multipart_new_from_message (headers, bytes); ++ multipart = soup_multipart_new_from_message (headers, body); ++ g_assert_null (multipart); ++ ++ soup_message_body_free (body); ++ ++ soup_message_headers_free (headers); ++ g_bytes_unref (bytes); ++} ++ + int + main (int argc, char **argv) + { +@@ -508,6 +591,8 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart); + g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart); + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); ++ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); ++ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); + + ret = g_test_run (); + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 509026c4ff..b986e2eea2 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -30,6 +30,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32911_CVE-2025-32913-2.patch \ file://CVE-2025-32912-1.patch \ file://CVE-2025-32912-2.patch \ + file://CVE-2025-32914.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"