From patchwork Fri May 30 07:12:55 2025
X-Patchwork-Submitter: Changqing Li
X-Patchwork-Id: 63861
X-Patchwork-Delegate: steve@sakoman.com
Subject: [walnascar][PATCH 01/15] libsoup-2.4: update patch 0001-CVE-2025-32911.patch
Date: Fri, 30 May 2025 15:12:55 +0800
Message-ID: <20250530071309.1603334-2-changqing.li@windriver.com>
In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com>
References: <20250530071309.1603334-1-changqing.li@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217470 From: Changqing Li CVE-2025-32913 also fixed in this patch Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/435 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/0001-CVE-2025-32911.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch b/meta/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch index 9ef0643837..d75594bb4f 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch +++ b/meta/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch @@ -3,7 +3,7 @@ From: Changqing Li Date: Wed, 30 Apr 2025 14:59:55 +0800 Subject: [PATCH] CVE-2025-32911 -CVE: CVE-2025-32911 +CVE: CVE-2025-32911 CVE-2025-32913 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/422/commits] 
Signed-off-by: Changqing Li
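
Review bot: The changed tag line, CVE: CVE-2025-32911 CVE-2025-32913, is the only place the second ID appears, and the commit message gives no reason beyond the issue link for why the existing backport also covers it. One sentence saying which part of the backported change (merge request 422, per the Upstream-Status line) addresses issue 435 would let a later reader confirm the second ID without opening the tracker. The embedded Subject: [PATCH] CVE-2025-32911 and the file name still name only the first CVE, which is worth a mention in the message as well.
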
From patchwork Fri May 30 07:12:56 2025
X-Patchwork-Submitter: Changqing Li
X-Patchwork-Id: 63862
X-Patchwork-Delegate: steve@sakoman.com
Subject: [walnascar][PATCH 02/15] libsoup-2.4: fix CVE-2025-32053
Date: Fri, 30 May 2025 15:12:56 +0800
Message-ID: <20250530071309.1603334-3-changqing.li@windriver.com>
In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com>
References: <20250530071309.1603334-1-changqing.li@windriver.com>
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/217471 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/426 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-32053.patch | 39 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 4 +- 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch new file mode 100644 index 0000000000..0d829d6200 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch @@ -0,0 +1,39 @@ +From d9bcffd6cd5e8ec32889a594f7348d67a5101b3a Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 13:58:42 +0800 +Subject: [PATCH] Fix heap buffer overflow in + soup-content-sniffer.c:sniff_feed_or_html() + +CVE: CVE-2025-32053 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a] + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 967ec61..5f2896e 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -620,7 +620,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length) + (resource[*pos] == '\x0D')) { + *pos = *pos + 1; + +- if (*pos > resource_length) ++ if (*pos >= resource_length) + return TRUE; + } + +@@ -682,7 +682,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + do { + pos++; + +- if (pos > resource_length) ++ if ((pos + 1) > resource_length) + goto text_html; + } while (resource[pos] != '>'); + +-- +2.34.1 + 
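
Review bot: In the skip_insignificant_space() hunk the new check, if (*pos >= resource_length), only runs after *pos has been incremented inside the loop body, so the loop condition's first read of resource[*pos] still depends on the caller passing an in-range position. The entry guard for that case arrives in 03/15, so this fix is complete only with both patches applied; the commit message should state that dependency. In the sniff_feed_or_html() hunk, (pos + 1) > resource_length is the same test as pos >= resource_length for these values; keeping upstream's spelling is reasonable for a backport, but the two hunks would read more consistently with one form.
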
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 22cbbdb1b8..b42a8f9520 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -16,7 +16,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://0001-CVE-2025-32911.patch \ file://CVE-2024-52532-1.patch \ file://CVE-2024-52532-2.patch \ - file://CVE-2024-52532-3.patch" + file://CVE-2024-52532-3.patch \ + file://CVE-2025-32053.patch \ +" SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" CVE_PRODUCT = "libsoup"
From patchwork Fri May 30 07:12:57 2025
X-Patchwork-Submitter: Changqing Li
X-Patchwork-Id: 63868
X-Patchwork-Delegate: steve@sakoman.com
Subject: [walnascar][PATCH 03/15] libsoup-2.4: fix CVE-2025-2784
Date: Fri, 30 May 2025 15:12:57 +0800
Message-ID: <20250530071309.1603334-4-changqing.li@windriver.com>
In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com>
References: <20250530071309.1603334-1-changqing.li@windriver.com>
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/217472 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/422 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-2784.patch | 56 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch new file mode 100644 index 0000000000..106f907168 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch 
@@ -0,0 +1,56 @@ +From 2eacbd762332795e00692ddab2515c6da23198d3 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 14:06:41 +0800 +Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space() + +CVE: CVE-2025-2784 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304; + https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d] + +Test code is not added since it uses some functions not defined in +version 2.74. These tests are not used now, so just ignore them. + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 9 +++---- + 1 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 5f2896e..9554636 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -612,8 +612,10 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer) + } + + static gboolean +-skip_insignificant_space (const char *resource, int *pos, int resource_length) ++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length) + { ++ if (*pos >= resource_length) ++ return TRUE; + while ((resource[*pos] == '\x09') || + (resource[*pos] == '\x20') || + (resource[*pos] == '\x0A') || +@@ -632,7 +634,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + { + const char *resource = (const char *)buffer->data; + int resource_length = MIN (512, buffer->length); +- int pos = 0; ++ gsize pos = 0; + + if (resource_length < 3) + goto text_html; +@@ -642,9 +644,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + pos = 3; + + look_for_tag: +- if (pos > resource_length) +- goto text_html; +- + if (skip_insignificant_space (resource, &pos, resource_length)) + goto text_html; + +-- +2.34.1 + 
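
Review bot: In the sniff_feed_or_html() hunk pos becomes gsize and skip_insignificant_space() now takes gsize resource_length, but the caller's declaration, int resource_length = MIN (512, buffer->length);, is left as int, so the remaining comparisons such as (pos + 1) > resource_length from 02/15 now mix signed and unsigned operands. The value is bounded to 0..512, so the result is still correct, but declaring resource_length as gsize too would keep the types consistent and avoid sign-compare warnings. Separately, the embedded diffstat reads 3 insertions(+), 4 deletions(-) while the three hunks contain 4 added and 5 removed lines; regenerating the header after dropping the test changes would fix that.
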
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index b42a8f9520..f66ea6105c 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52532-2.patch \ file://CVE-2024-52532-3.patch \ file://CVE-2025-32053.patch \ + file://CVE-2025-2784.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
From patchwork Fri May 30 07:12:58 2025
X-Patchwork-Submitter: Changqing Li
X-Patchwork-Id: 63869
X-Patchwork-Delegate: steve@sakoman.com
Subject: [walnascar][PATCH 04/15] libsoup-2.4: fix CVE-2024-52530
Date: Fri, 30 May 2025 15:12:58 +0800
Message-ID: <20250530071309.1603334-5-changqing.li@windriver.com>
In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com>
References: <20250530071309.1603334-1-changqing.li@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217473

From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2024-52530.patch | 150 ++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 151 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch new file mode 100644 index 0000000000..04713850e1 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch
@@ -0,0 +1,150 @@ +From 4a2bb98e03d79146c729dca52c8d6edc635218ff Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 8 Jul 2024 12:33:15 -0500 +Subject: [PATCH] headers: Strictly don't allow NUL bytes + +In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem. + +CVE: CVE-2024-52530 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/402/diffs?commit_id=04df03bc092ac20607f3e150936624d4f536e68b] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 15 +++------ + tests/header-parsing-test.c | 62 +++++++++++++++++-------------------- + 2 files changed, 32 insertions(+), 45 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index eec28ad..e5d3c03 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -50,13 +50,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + * ignorable trailing whitespace. + */ + ++ /* No '\0's are allowed */ ++ if (memchr (str, '\0', len)) ++ return FALSE; ++ + /* Skip over the Request-Line / Status-Line */ + headers_start = memchr (str, '\n', len); + if (!headers_start) + return FALSE; +- /* No '\0's in the Request-Line / Status-Line */ +- if (memchr (str, '\0', headers_start - str)) +- return FALSE; + + /* We work on a copy of the headers, which we can write '\0's + * into, so that we don't have to individually g_strndup and +@@ -68,14 +69,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + headers_copy[copy_len] = '\0'; + value_end = headers_copy; + +- /* There shouldn't be any '\0's in the headers already, but +- * this is the web we're talking about. 
+- */ +- while ((p = memchr (headers_copy, '\0', copy_len))) { +- memmove (p, p + 1, copy_len - (p - headers_copy)); +- copy_len--; +- } +- + while (*(value_end + 1)) { + name = value_end + 1; + name_end = strchr (name, ':'); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 752196e..c1d3b33 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -358,24 +358,6 @@ static struct RequestTest { + } + }, + +- { "NUL in header name", "760832", +- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "example.com" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "examplecom" }, +- { NULL } +- } +- }, +- + /************************/ + /*** INVALID REQUESTS ***/ + /************************/ +@@ -448,6 +430,21 @@ static struct RequestTest { + SOUP_STATUS_EXPECTATION_FAILED, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", NULL, ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +@@ -620,22 +617,6 @@ static struct ResponseTest { + { NULL } } + }, + +- { "NUL in header name", "760832", +- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- { NULL } +- } +- }, +- + /********************************/ + /*** VALID CONTINUE RESPONSES ***/ + 
/********************************/ +@@ -768,6 +749,19 @@ static struct ResponseTest { + { { NULL } + } + }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", "760832", ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, + }; + static const int num_resptests = G_N_ELEMENTS (resptests); + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index f66ea6105c..64383e1221 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -19,6 +19,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52532-3.patch \ file://CVE-2025-32053.patch \ file://CVE-2025-2784.patch \ + file://CVE-2024-52530.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
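
Review bot: In the tests/header-parsing-test.c hunk at @@ -448,6 +430,21 @@, the new RequestTest entry "NUL in header value" passes a response, "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n" with length 28, to the request parser, whereas the entry removed at @@ -358,24 +358,6 @@ used "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n" with length 35. The expected status is SOUP_STATUS_BAD_REQUEST either way, but that input is not a request carrying a NUL in a header value; if it mirrors upstream, say so in the commit message, otherwise reuse the removed GET input. In the ResponseTest additions the value case keeps bugref "760832" while the name case uses NULL. On the library side, the new memchr (str, '\0', len) rejection replaces the loop that stripped NUL bytes, so inputs that used to parse now fail; that is the intent of the fix, but it is a behaviour change on a stable branch and deserves a line in the commit message.
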
From patchwork Fri May 30 07:12:59 2025
X-Patchwork-Submitter: Changqing Li
X-Patchwork-Id: 63867
X-Patchwork-Delegate: steve@sakoman.com
Subject: [walnascar][PATCH 05/15] libsoup-2.4: fix CVE-2025-32906
Date: Fri, 30 May 2025 15:12:59 +0800
Message-ID: <20250530071309.1603334-6-changqing.li@windriver.com>
In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com>
References: <20250530071309.1603334-1-changqing.li@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217474

From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/404 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-32906.patch | 71 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 72 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch new file mode 100644 index 0000000000..c33ebf8056 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch
@@ -0,0 +1,71 @@ +From 4b8809cca4bbcbf9514314d86227f985362258b0 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 12 Feb 2025 11:30:02 -0600 +Subject: [PATCH] headers: Handle parsing only newlines + +Closes #404 +Closes #407 + +CVE: CVE-2025-32906 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 4 ++-- + tests/header-parsing-test.c | 11 +++++++++++ + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index e5d3c03..87bb3dc 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -185,7 +185,7 @@ soup_headers_parse_request (const char *str, + /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s) + * received where a Request-Line is expected." + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +@@ -369,7 +369,7 @@ soup_headers_parse_response (const char *str, + * after a response, which we then see prepended to the next + * response on that connection. 
+ */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index c1d3b33..b811115 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,6 +6,10 @@ typedef struct { + const char *name, *value; + } Header; + ++static char only_newlines[] = { ++ '\n', '\n', '\n', '\n' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -445,6 +449,13 @@ static struct RequestTest { + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ { "Only newlines", NULL, ++ only_newlines, sizeof (only_newlines), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 64383e1221..79ffa19c20 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32053.patch \ file://CVE-2025-2784.patch \ file://CVE-2024-52530.patch \ + file://CVE-2025-32906.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri May 30 07:13:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 63865 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AFDB9C5B556 for ; Fri, 30 May 2025 07:13:23 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.1358.1748589198459994143 for ; Fri, 30 May 2025 00:13:18 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8245d0438c=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 54U415Fq011491 for ; Fri, 30 May 2025 07:13:17 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 46u5396879-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 30 May 2025 07:13:17 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Fri, 30 May 2025 00:12:57 
-0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Fri, 30 May 2025 00:12:56 -0700 
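Review bot: In CVE-2025-32906.patch (PATCH 05/15) the same reorder is applied to the skip loop in both soup_headers_parse_request and soup_headers_parse_response, but the tests/header-parsing-test.c hunks add the "Only newlines" case to the RequestTest table only, so the response-side loop has no regression test. A matching case on the response side, reusing the non-NUL-terminated only_newlines buffer with sizeof (only_newlines), would exercise the second loop. The visible context also does not show what runs after the loop once len has reached 0; the new test expects SOUP_STATUS_BAD_REQUEST, so confirm that 2.74.3 checks len before reading str again. The reorder itself is correct: `len > 0 && (*str == '\r' || *str == '\n')` tests the remaining length before dereferencing.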
From: To: Subject: [walnascar][PATCH 06/15] libsoup-2.4: fix CVE-2025-32914 Date: Fri, 30 May 2025 15:13:00 +0800 Message-ID: <20250530071309.1603334-7-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com> References: <20250530071309.1603334-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 30 May 2025 07:13:23 -0000 X-Groupsio-URL: 
https://lists.openembedded.org/g/openembedded-core/message/217475 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-32914.patch | 36 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch new file mode 100644 index 0000000000..42bad3c1a1 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch @@ -0,0 +1,36 @@ +From ac844b9fc7945c38ea21fb7cf1a49a5c226d7c9c Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 16:17:20 +0800 +Subject: [PATCH] Resolve "(CVE-2025-32914) (#YWH-PGM9867-23) OOB Read on + libsoup through function "soup_multipart_new_from_message" in + soup-multipart.c leads to crash or exit of process" + +CVE: CVE-2025-32914 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450/diffs?commit_id=5bfcf8157597f2d327050114fb37ff600004dbcf] + +Test code are not added since some functions not aligned with version +2.74.3 + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 60 ++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index a7e550f..dd93973 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + return NULL; + } + +- split = strstr (start, "\r\n\r\n"); ++ split = g_strstr_len (start, body_end - start, "\r\n\r\n"); + if (!split || split > end) { + soup_multipart_free (multipart); + soup_buffer_free (flattened); + +-- +2.34.1 + 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 79ffa19c20..7c1de29fd5 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -21,6 +21,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-2784.patch \ file://CVE-2024-52530.patch \ file://CVE-2025-32906.patch \ + file://CVE-2025-32914.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri May 30 07:13:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 63866 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AF9E8C5B553 for ; Fri, 30 May 2025 07:13:23 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.1289.1748589200023625763 for ; Fri, 30 May 2025 00:13:20 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8245d0438c=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 54U5hfKH020638 for ; Fri, 30 May 2025 07:13:19 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 46u3b1699k-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 30 May 2025 07:13:19 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Fri, 30 May 2025 00:12:58 
-0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Fri, 30 May 2025 00:12:57 -0700 
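Review bot: The diffstat inside CVE-2025-32914.patch (PATCH 06/15) still lists `tests/multipart-test.c | 60 ++++` and then reads `1 files changed, 1 insertions(+), 1 deletion(-)`, while the only diff that follows is the one-line change to libsoup/soup-multipart.c. The patch header says the test code was left out, so remove the tests/multipart-test.c line and let the summary match the body. The inner From: line names the backporter although Upstream-Status is Backport; keeping the upstream author there makes the provenance easier to check. On the code change, `g_strstr_len (start, body_end - start, "\r\n\r\n")` replaces an unbounded strstr, but body_end is not declared in the visible context, so confirm it is in scope and already set at this point in 2.74.3's soup_multipart_new_from_message.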
From: To: Subject: [walnascar][PATCH 07/15] libsoup-2.4: fix CVE-2025-46420 Date: Fri, 30 May 2025 15:13:01 +0800 Message-ID: <20250530071309.1603334-8-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com> References: <20250530071309.1603334-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 30 
May 2025 07:13:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217476 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/438 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-46420.patch | 61 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 62 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch new file mode 100644 index 0000000000..c970661694 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch @@ -0,0 +1,61 @@ +From 81e03c538d6a102406114567f4f1c468033ce2e4 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Thu, 26 Dec 2024 18:31:42 -0600 +Subject: [PATCH] soup_header_parse_quality_list: Fix leak + +When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings. + +CVE: CVE-2025-46420 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/421/diffs?commit_id=c9083869ec2a3037e6df4bd86b45c419ba295f8e] + + 
Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 87bb3dc..9707ca0 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -528,7 +528,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + GSList *unsorted; + QualityItem *array; + GSList *sorted, *iter; +- char *item, *semi; ++ char *semi; + const char *param, *equal, *value; + double qval; + int n; +@@ -541,9 +541,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + unsorted = soup_header_parse_list (header); + array = g_new0 (QualityItem, g_slist_length (unsorted)); + for (iter = unsorted, n = 0; iter; iter = iter->next) { +- item = iter->data; + qval = 1.0; +- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) { ++ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) { + param = skip_lws (semi + 1); + if (*param != 'q') + continue; +@@ -575,15 +574,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + if (qval == 0.0) { + if (unacceptable) { + *unacceptable = g_slist_prepend (*unacceptable, +- item); ++ g_steal_pointer (&iter->data)); + } + } else { +- array[n].item = item; ++ array[n].item = g_steal_pointer (&iter->data); + array[n].qval = qval; + n++; + } + } +- g_slist_free (unsorted); ++ g_slist_free_full (unsorted, g_free); + + qsort (array, n, sizeof (QualityItem), sort_by_qval); + sorted = NULL; +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 7c1de29fd5..1ef9303fb8 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -22,6 +22,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52530.patch \ file://CVE-2025-32906.patch \ file://CVE-2025-32914.patch \ + file://CVE-2025-46420.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri May 30 07:13:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 63863 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4FCCC5B552 for ; Fri, 30 May 2025 07:13:23 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.1360.1748589200597599068 for ; Fri, 30 May 2025 00:13:20 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8245d0438c=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 54U5hfKI020638 for ; Fri, 30 May 2025 07:13:19 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 46u3b1699k-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 30 May 2025 07:13:19 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Fri, 30 May 2025 00:12:59 
-0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Fri, 30 May 2025 00:12:58 -0700 
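Review bot: The message in CVE-2025-46420.patch (PATCH 07/15) does not say which strings leaked, and from the last soup-headers.c hunk it is the `qval == 0.0` branch when unacceptable is NULL: item was stored nowhere, and `g_slist_free (unsorted)` released only the list nodes. Stating that case in the patch header would make the backport easier to audit. The fix relies on `g_steal_pointer (&iter->data)` leaving NULL in the node so that `g_slist_free_full (unsorted, g_free)` frees only the strings nobody took, so both assignments and the free have to land together. In the loop header, `strchr (iter->data, ';')` now passes a gpointer where the removed `item` supplied a char *, which is valid C but drops the type.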
From: To: Subject: [walnascar][PATCH 08/15] libsoup-2.4: fix CVE-2025-46421 Date: Fri, 30 May 2025 15:13:02 +0800 Message-ID: <20250530071309.1603334-9-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com> References: <20250530071309.1603334-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 30 
May 2025 07:13:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217477 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-46421.patch | 48 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch new file mode 100644 index 0000000000..64706f43aa --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch 
@@ -0,0 +1,48 @@ +From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 16:18:10 -0600 +Subject: [PATCH] session: Strip authentication credentails on + cross-origin redirect + +This should match the behavior of Firefox and Safari but not of Chromium. + +CVE: CVE-2025-46421 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] + +Test code not added since it included some headers not in version 2.74.3 + +Signed-off-by: Changqing Li +--- + libsoup/soup-session.c | 8 ++++- + tests/auth-test.c | 78 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 85 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index 83421ef..8d6ac61 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) + SOUP_ENCODING_NONE); + } + ++ /* Strip all credentials on cross-origin redirect. */ ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { ++ //soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION); ++ soup_message_set_auth (msg, NULL); ++ } ++ + soup_message_set_uri (msg, new_uri); + soup_uri_free (new_uri); + + soup_session_requeue_message (session, msg); + return TRUE; +-} ++} + + static void + redirect_handler (SoupMessage *msg, gpointer user_data) + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 1ef9303fb8..3b460852f3 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -23,6 +23,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32906.patch \ file://CVE-2025-32914.patch \ file://CVE-2025-46420.patch \ + file://CVE-2025-46421.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri May 30 07:13:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 63864 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4FFEC5B554 for ; Fri, 30 May 2025 07:13:23 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.1361.1748589202260398151 for ; Fri, 30 May 2025 00:13:22 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8245d0438c=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 54U5qgWt014684 for ; Fri, 30 May 2025 07:13:21 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 46u539687n-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 30 May 2025 07:13:21 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Fri, 30 May 2025 00:13:00 
-0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Fri, 30 May 2025 00:12:59 -0700 
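Review bot: In the soup-session.c hunk of CVE-2025-46421.patch (PATCH 08/15) the header removal is left commented out (`//soup_message_headers_remove_common (..., SOUP_HEADER_AUTHORIZATION);`), so on a cross-origin redirect only `soup_message_set_auth (msg, NULL)` runs. Confirm that in 2.74.3 this call alone removes an Authorization header that the application added to the request headers itself; if it does not, replace the commented-out line with the 2.4-series call `soup_message_headers_remove (msg->request_headers, "Authorization")` rather than dropping the step. Either way, delete the dead `//` line instead of shipping it. The trailing `-}` / `+}` pair is a whitespace-only change to the closing brace and should be dropped, and the diffstat still lists `tests/auth-test.c | 78 +++` with `2 files changed, 85 insertions(+), 1 deletion(-)` although no test diff is included.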
From: To: Subject: [walnascar][PATCH 09/15] libsoup-2.4: fix CVE-2025-32050 Date: Fri, 30 May 2025 15:13:03 +0800 Message-ID: <20250530071309.1603334-10-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com> References: <20250530071309.1603334-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 30 
May 2025 07:13:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217478 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/424 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-32050.patch | 29 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch new file mode 100644 index 0000000000..c032846ef0 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch @@ -0,0 +1,29 @@ +From 5709dfffb6fdc5b66ce001bf82a755ad8ad1d992 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 28 Oct 2024 12:29:48 -0500 +Subject: [PATCH] Fix using int instead of size_t for strcspn return + +CVE: CVE-2025-32050 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 9707ca0..67905b2 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -902,7 +902,7 @@ append_param_quoted (GString *string, + const char *name, + const char *value) + { +- int len; ++ gsize len; + + g_string_append (string, name); + g_string_append (string, "=\""); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 3b460852f3..4ddcd1734d 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -24,6 +24,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32914.patch \ file://CVE-2025-46420.patch \ file://CVE-2025-46421.patch \ + file://CVE-2025-32050.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri May 30 07:13:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 63860 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 995ECC5AD49 for ; Fri, 30 May 2025 07:13:23 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.1362.1748589202852002038 for ; Fri, 30 May 2025 00:13:23 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8245d0438c=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 54U5qgWu014684 for ; Fri, 30 May 2025 07:13:22 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 46u539687n-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 30 May 2025 07:13:21 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Fri, 30 May 2025 00:13:01 
-0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Fri, 30 May 2025 00:13:00 -0700 
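Review bot: The soup-headers.c hunk in CVE-2025-32050.patch (PATCH 09/15) changes only the declaration `int len;` to `gsize len;` in append_param_quoted, and the statements that assign and consume len lie outside the visible context. Since the subject says the value comes from strcspn, check each later use of len in 2.74.3: a gsize passed to a parameter typed gssize or int, or compared against a signed value, would bring the narrowing conversion back at the call site. A one-line description in the patch header of what went wrong with the int (truncation or sign change of a large strcspn result) would also help, because the message currently gives only the type change.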
From: To: Subject: [walnascar][PATCH 10/15] libsoup-2.4: fix CVE-2025-32052 Date: Fri, 30 May 2025 15:13:04 +0800 Message-ID: <20250530071309.1603334-11-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com> References: <20250530071309.1603334-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by 
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 30 May 2025 07:13:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217479 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/425 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-32052.patch | 32 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch new file mode 100644 index 0000000000..34bc8113a4 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch @@ -0,0 +1,32 @@ +From f4a67a9a3033586edaee715d40d5992e02d32893 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 16 Nov 2024 12:07:30 -0600 +Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff + +Co-Author: Ar Jun + +CVE: CVE-2025-32052 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652#500da7cfde649872c49169be34b03a1c42a53ddb] + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 9554636..eac9e7b 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer, + guint index_pattern = 0; + gboolean skip_row = FALSE; + +- while ((index_stream < resource_length) && ++ while ((index_stream < resource_length - 1) && + (index_pattern <= type_row->pattern_length)) { + /* Skip insignificant white space ("WS" in the spec) */ + if (type_row->pattern[index_pattern] == ' ') { +-- +2.34.1 + 
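Review bot: In the sniff_unknown hunk of CVE-2025-32052.patch, the new bound (index_stream < resource_length - 1) wraps around when resource_length is 0 if that variable is unsigned (sniff_mp4 in the same file declares its resource_length as guint), which would leave the loop with no effective limit on index_stream. Either show that an empty buffer cannot reach this loop or write the test as (index_stream + 1 < resource_length). The patch description should also name the access in the loop body that reads one byte ahead, since the hunk's context lines do not show why the bound drops by one.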
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 4ddcd1734d..01ca9f8966 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -25,6 +25,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-46420.patch \ file://CVE-2025-46421.patch \ file://CVE-2025-32050.patch \ + file://CVE-2025-32052.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri May 30 07:13:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 63871 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D0A2FC3ABB2 for ; Fri, 30 May 2025 07:13:33 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.1291.1748589204344899590 for ; Fri, 30 May 2025 00:13:24 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8245d0438c=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 54U5A3OA003997 for ; Fri, 30 May 2025 07:13:23 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 46u3b1699v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 30 May 2025 07:13:23 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Fri, 30 May 2025 00:13:02 
From: To: Subject: [walnascar][PATCH 11/15] libsoup-2.4: fix CVE-2025-32909 Date: Fri, 30 May 2025 15:13:05 +0800 Message-ID: <20250530071309.1603334-12-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com> References: <20250530071309.1603334-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 30 May 2025 07:13:33 -0000 X-Groupsio-URL: 
https://lists.openembedded.org/g/openembedded-core/message/217480 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/431 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-32909.patch | 38 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch new file mode 100644 index 0000000000..2f5366348d --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch @@ -0,0 +1,38 @@ +From e6e088e62c10ab91fa2f2ad5c122332aa7cde97c Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 16:55:37 +0800 +Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than + 4 bytes + +CVE: CVE-2025-32909 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92] + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index eac9e7b..73d2245 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -227,9 +227,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, SoupBuffer *buffer) + { + const char *resource = (const char *)buffer->data; + guint resource_length = MIN (512, buffer->length); +- guint32 box_size = *((guint32*)resource); ++ guint32 box_size; + guint i; + ++ if (resource_length < sizeof (guint32)) ++ return FALSE; ++ ++ box_size = *((guint32*)resource); ++ + #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + box_size = ((box_size >> 24) | + ((box_size << 8) & 0x00FF0000) | +-- +2.34.1 + 
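Review bot: In the sniff_mp4 hunk, the relocated read box_size = *((guint32*)resource) still dereferences a guint32 pointer cast from a const char *, so it depends on buffer->data being suitably aligned; now that the length check precedes it, copying the four bytes with memcpy (&box_size, resource, sizeof (box_size)) would give the same value without that assumption. The length guard itself is in the right place, ahead of the first read. Separately, the embedded patch header carries the backporter's name and a May 2025 date although the patch is marked Backport; if the upstream commit has a different author and date, keep them as CVE-2025-32052.patch does, so provenance is preserved.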
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 01ca9f8966..510d1128db 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -26,6 +26,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-46421.patch \ file://CVE-2025-32050.patch \ file://CVE-2025-32052.patch \ + file://CVE-2025-32909.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri May 30 07:13:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 63873 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D806EC5AD49 for ; Fri, 30 May 2025 07:13:33 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.1363.1748589204950184633 for ; Fri, 30 May 2025 00:13:25 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8245d0438c=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 54U5A3OB003997 for ; Fri, 30 May 2025 07:13:24 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 46u3b1699v-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 30 May 2025 07:13:23 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Fri, 30 May 2025 00:13:03 
From: To: Subject: [walnascar][PATCH 12/15] libsoup-2.4: fix CVE-2025-32910 Date: Fri, 30 May 2025 15:13:06 +0800 Message-ID: <20250530071309.1603334-13-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com> References: <20250530071309.1603334-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 30 May 2025 07:13:33 
-0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217481 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/432 Signed-off-by: Changqing Li --- .../libsoup-2.4/CVE-2025-32910-1.patch | 32 +++++++ .../libsoup-2.4/CVE-2025-32910-2.patch | 94 +++++++++++++++++++ .../libsoup-2.4/CVE-2025-32910-3.patch | 28 ++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 3 + 4 files changed, 157 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch new file mode 100644 index 0000000000..c1dc6860f2 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch @@ -0,0 +1,32 @@ +From a7e711d0f162c6edc8acad2a96981d4890784ea3 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 17:02:55 +0800 +Subject: [PATCH] auth-digest: Handle missing realm/nonce in authenticate + header + +CVE: CVE-2025-32910 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=e40df6d48a1cbab56f5d15016cc861a503423cfe] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 3 +++ + 1 files changed, 3 insertions(+) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index e8ba990..0ab3499 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + ++ if (!soup_auth_get_realm (auth)) ++ return FALSE; ++ + g_free (priv->domain); + g_free (priv->nonce); + g_free (priv->opaque); + +-- +2.34.1 + 
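Review bot: In the soup_auth_digest_update hunk of CVE-2025-32910-1.patch, the new return FALSE sits above the g_free (priv->domain), g_free (priv->nonce) and g_free (priv->opaque) lines, so a challenge rejected for a missing realm leaves whatever an earlier challenge stored in priv untouched; confirm that callers drop the auth object when update fails, or clear those fields before returning. The subject line also says "missing realm/nonce" while this hunk checks only the realm, so the description should say that the nonce is handled by the later patches in the series.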
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch new file mode 100644 index 0000000000..019a35e3be --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch 
@@ -0,0 +1,94 @@ +From eccfca1074fc485a0b60dfb9c8385429a226bf73 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 13:19:38 +0800 +Subject: [PATCH] auth-digest: Handle missing nonce + +CVE: CVE-2025-32910 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=405a8a34597a44bd58c4759e7d5e23f02c3b556a] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 45 ++++++++++++++++++++++++++++---------- + 1 files changed, 28 insertions(+), 10 deletions(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 0ab3499..10a8591 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) + return g_string_free (out, FALSE); + } + ++static gboolean ++validate_params (SoupAuthDigest *auth_digest) ++{ ++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); ++ ++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { ++ if (!priv->nonce) ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ + static gboolean + soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + GHashTable *auth_params) +@@ -169,17 +182,22 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + if (priv->algorithm == -1) + ok = FALSE; + +- stale = g_hash_table_lookup (auth_params, "stale"); +- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) +- recompute_hex_a1 (priv); +- else { +- g_free (priv->user); +- priv->user = NULL; +- g_free (priv->cnonce); +- priv->cnonce = NULL; +- memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); +- memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); +- } ++ if (!validate_params (auth_digest)) ++ ok = FALSE; ++ ++ if (ok) { ++ stale = g_hash_table_lookup (auth_params, "stale"); ++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) ++ recompute_hex_a1 (priv); ++ else { ++ g_free (priv->user); ++ priv->user = 
NULL; ++ g_free (priv->cnonce); ++ priv->cnonce = NULL; ++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); ++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ } ++ } + + return ok; + } +@@ -359,6 +377,8 @@ soup_auth_digest_compute_response (const char *method, + if (qop) { + char tmp[9]; + ++ g_assert (cnonce); ++ + g_snprintf (tmp, 9, "%.8x", nc); + g_checksum_update (checksum, (guchar *)tmp, strlen (tmp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -422,6 +442,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg) + g_return_val_if_fail (uri != NULL, NULL); + url = soup_uri_to_string (uri, TRUE); + ++ g_assert (priv->nonce); ++ g_assert (!priv->qop || priv->cnonce); ++ + soup_auth_digest_compute_response (msg->method, url, priv->hex_a1, + priv->qop, priv->nonce, + priv->cnonce, priv->nc, + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch new file mode 100644 index 0000000000..bdf4d64ca3 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch 
@@ -0,0 +1,28 @@ +From 74c95d54fe42041fe161cb74c76d942ffd37a5dd Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 13:21:43 +0800 +Subject: [PATCH] auth-digest: Fix leak + +CVE: CVE-2025-32910 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=ea16eeacb052e423eb5c3b0b705e5eab34b13832] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 10a8591..6d965d2 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object) + g_free (priv->nonce); + g_free (priv->domain); + g_free (priv->cnonce); ++ g_free (priv->opaque); + + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 510d1128db..b8b7bc1df7 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -27,6 +27,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32050.patch \ file://CVE-2025-32052.patch \ file://CVE-2025-32909.patch \ + file://CVE-2025-32910-1.patch \ + file://CVE-2025-32910-2.patch \ + file://CVE-2025-32910-3.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri May 30 07:13:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 63872 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E279AC5B552 for ; Fri, 30 May 2025 07:13:33 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.1292.1748589206449632336 for ; Fri, 30 May 2025 00:13:26 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8245d0438c=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 54U58EGp013455 for ; Fri, 30 May 2025 07:13:25 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 46u539687x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 30 May 2025 07:13:25 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, 
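Review bot: In CVE-2025-32910-2.patch, validate_params rejects a missing nonce only when priv->qop is set or the algorithm is SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS, yet the last hunk adds an unconditional g_assert (priv->nonce) to soup_auth_digest_get_authorization, so with this patch alone a challenge that has neither qop nor nonce passes validation and then hits the assertion. Requiring the nonce unconditionally in validate_params would close that gap within this patch instead of relying on the lookup check that CVE-2025-32912.patch adds later in the series. More generally, g_assert on values derived from a server's header turns a malformed challenge into a process abort and is compiled out under G_DISABLE_ASSERT; returning NULL through g_return_val_if_fail, as the neighbouring uri check does, fails more gracefully.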
From: To: Subject: [walnascar][PATCH 13/15] libsoup-2.4: fix CVE-2025-32912 Date: Fri, 30 May 2025 15:13:07 +0800 Message-ID: <20250530071309.1603334-14-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com> References: <20250530071309.1603334-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 30 May 2025 07:13:33 -0000 X-Groupsio-URL: 
https://lists.openembedded.org/g/openembedded-core/message/217482 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/434 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-32912.patch | 32 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch new file mode 100644 index 0000000000..b3ce9d8bc3 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch @@ -0,0 +1,32 @@ +From 0984dddb11daf14fdf5ca24077cd0ebda796439a Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 13:25:32 +0800 +Subject: [PATCH] auth-digest: Handle missing nonce + +CVE: CVE-2025-32912 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992?merge_request_iid=434 +https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 6d965d2..f1621ec 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth)) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index b8b7bc1df7..ed36d7c12b 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -30,6 +30,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32910-1.patch \ file://CVE-2025-32910-2.patch \ file://CVE-2025-32910-3.patch \ + file://CVE-2025-32912.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri May 30 07:13:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 63874 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E292EC5B554 for ; Fri, 30 May 2025 07:13:33 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.1364.1748589207077143003 for ; Fri, 30 May 2025 00:13:27 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8245d0438c=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 54U58EGq013455 for ; Fri, 30 May 2025 07:13:26 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 46u539687x-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 30 May 2025 07:13:26 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Fri, 30 May 2025 
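Review bot: In the soup_auth_digest_update hunk of CVE-2025-32912.patch, the added g_hash_table_lookup (auth_params, "nonce") test rejects only an absent or valueless nonce, so an empty quoted nonce still passes; decide whether that case should be refused here too and say so in the description. The embedded subject "auth-digest: Handle missing nonce" is identical to that of CVE-2025-32910-2.patch, which makes the two hard to tell apart in a log, and the Upstream-Status field lists two commits without saying which part of the one-line change comes from each.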
From: To: Subject: [walnascar][PATCH 14/15] libsoup-2.4: fix CVE-2024-52531 Date: Fri, 30 May 2025 15:13:08 +0800 Message-ID: <20250530071309.1603334-15-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com> References: <20250530071309.1603334-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 30 May 2025 07:13:33 -0000 X-Groupsio-URL: 
https://lists.openembedded.org/g/openembedded-core/message/217483 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/423 Signed-off-by: Changqing Li --- .../libsoup-2.4/CVE-2024-52531-1.patch | 39 +++++ .../libsoup-2.4/CVE-2024-52531-2.patch | 133 ++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 2 + 3 files changed, 174 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch new file mode 100644 index 0000000000..9de0310c8d --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch 
@@ -0,0 +1,39 @@ +From 8331e681c85c3b1893d8d5193783f631bfc07acb Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 13:42:08 +0800 +Subject: [PATCH] tests: Add test for passing invalid UTF-8 to + soup_header_parse_semi_param_list() + +CVE: CVE-2024-52531 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=825fda3425546847b42ad5270544e9388ff349fe] + +Signed-off-by: Changqing Li +--- + tests/header-parsing-test.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index b811115..cfcc003 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -836,6 +836,17 @@ static struct ParamListTest { + { "filename", "t\xC3\xA9st.txt" }, + }, + }, ++ ++/* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */ ++ { TRUE, ++ "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo", ++ { ++ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" }, ++ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" }, ++ { "foo", NULL }, ++ }, ++ } ++ + }; + static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests); + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch new file mode 100644 index 0000000000..740c28c016 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch 
@@ -0,0 +1,133 @@ +From 12523a592f1216450d18706bcf6c16e0f1ab0ce0 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 13:52:37 +0800 +Subject: [PATCH] headers: Be more robust against invalid input when + parsing params + +If you pass invalid input to a function such as soup_header_parse_param_list_strict() +it can cause an overflow if it decodes the input to UTF-8. + +This should never happen with valid UTF-8 input which libsoup's client API +ensures, however it's server API does not currently. + +CVE: CVE-2024-52531 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 45 +++++++++++++++++++++--------------------- + 1 file changed, 23 insertions(+), 22 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 67905b2..39e8d34 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -642,8 +642,9 @@ soup_header_contains (const char *header, const char *token) + } + + static void +-decode_quoted_string (char *quoted_string) ++decode_quoted_string_inplace (GString *quoted_gstring) + { ++ char *quoted_string = quoted_gstring->str; + char *src, *dst; + + src = quoted_string + 1; +@@ -657,10 +658,11 @@ decode_quoted_string (char *quoted_string) + } + + static gboolean +-decode_rfc5987 (char *encoded_string) ++decode_rfc5987_inplace (GString *encoded_gstring) + { + char *q, *decoded; + gboolean iso_8859_1 = FALSE; ++ const char *encoded_string = encoded_gstring->str; + + q = strchr (encoded_string, '\''); + if (!q) +@@ -689,14 +691,7 @@ decode_rfc5987 (char *encoded_string) + decoded = utf8; + } + +- /* If encoded_string was UTF-8, then each 3-character %-escape +- * will be converted to a single byte, and so decoded is +- * shorter than encoded_string. 
If encoded_string was +- * iso-8859-1, then each 3-character %-escape will be +- * converted into at most 2 bytes in UTF-8, and so it's still +- * shorter. +- */ +- strcpy (encoded_string, decoded); ++ g_string_assign (encoded_gstring, decoded); + g_free (decoded); + return TRUE; + } +@@ -706,15 +701,16 @@ parse_param_list (const char *header, char delim, gboolean strict) + { + GHashTable *params; + GSList *list, *iter; +- char *item, *eq, *name_end, *value; +- gboolean override, duplicated; + + params = g_hash_table_new_full (soup_str_case_hash, + soup_str_case_equal, +- g_free, NULL); ++ g_free, g_free); + + list = parse_list (header, delim); + for (iter = list; iter; iter = iter->next) { ++ char *item, *eq, *name_end; ++ gboolean override, duplicated; ++ GString *parsed_value = NULL; + item = iter->data; + override = FALSE; + +@@ -729,19 +725,19 @@ parse_param_list (const char *header, char delim, gboolean strict) + + *name_end = '\0'; + +- value = (char *)skip_lws (eq + 1); ++ parsed_value = g_string_new ((char *)skip_lws (eq + 1)); + + if (name_end[-1] == '*' && name_end > item + 1) { + name_end[-1] = '\0'; +- if (!decode_rfc5987 (value)) { ++ if (!decode_rfc5987_inplace (parsed_value)) { ++ g_string_free (parsed_value, TRUE); + g_free (item); + continue; + } + override = TRUE; +- } else if (*value == '"') +- decode_quoted_string (value); +- } else +- value = NULL; ++ } else if (parsed_value->str[0] == '"') ++ decode_quoted_string_inplace (parsed_value); ++ } + + duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL); + +@@ -749,11 +745,16 @@ parse_param_list (const char *header, char delim, gboolean strict) + soup_header_free_param_list (params); + params = NULL; + g_slist_foreach (iter, (GFunc)g_free, NULL); ++ if (parsed_value) ++ g_string_free (parsed_value, TRUE); + break; +- } else if (override || !duplicated) +- g_hash_table_replace (params, item, value); +- else ++ } else if (override || !duplicated) { ++ g_hash_table_replace (params, 
item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL); ++ } else { ++ if (parsed_value) ++ g_string_free (parsed_value, TRUE); + g_free (item); ++ } + } + + g_slist_free (list); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index ed36d7c12b..089a032a4f 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -31,6 +31,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32910-2.patch \ file://CVE-2025-32910-3.patch \ file://CVE-2025-32912.patch \ + file://CVE-2024-52531-1.patch \ + file://CVE-2024-52531-2.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri May 30 07:13:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 63870 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D0A7DC54F30 for ; Fri, 30 May 2025 07:13:33 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.1365.1748589208478569303 for ; Fri, 30 May 2025 00:13:28 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8245d0438c=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 54U5fTVe030425 for ; Fri, 30 May 2025 07:13:27 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 46u5396884-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 30 May 2025 07:13:27 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 
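Review bot: in CVE-2024-52531-1.patch the embedded header names the backporter in From: with the date 16 May 2025, while Upstream-Status marks the change as a backport, so the upstream author and date of the test are lost; keep the upstream From:/Date: lines and add the backporter only as Signed-off-by. In the new ParamListTest entry both input values end in \x0a but neither expected value does; a short comment saying why the expected strings omit the trailing newline would make the test self-explanatory.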
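Review bot: decode_quoted_string_inplace() in CVE-2024-52531-2.patch now takes a GString but, in the lines shown, only aliases quoted_gstring->str into the existing src/dst copy, and nothing visible brings quoted_gstring->len back in line after the string is shortened in place. That is harmless only while parsed_value is never passed to anything but g_string_free() in parse_param_list(); either call g_string_truncate() with the final length or state the restriction in a comment. Removing the strcpy() comment in decode_rfc5987_inplace() also drops the only explanation of the size assumption; one line saying that the decoded UTF-8 can be longer than the input (the companion test turns each \x93 into \302\223) would document why g_string_assign() is used.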
15.1.2507.43; Fri, 30 May 2025 00:13:06 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Fri, 30 May 2025 00:13:06 -0700 
From: To: Subject: [walnascar][PATCH 15/15] libsoup-2.4: fix CVE-2025-4476 Date: Fri, 30 May 2025 15:13:09 +0800 Message-ID: <20250530071309.1603334-16-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250530071309.1603334-1-changqing.li@windriver.com> References: <20250530071309.1603334-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 30 May 2025 
07:13:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217484 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/440 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-4476.patch | 38 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch new file mode 100644 index 0000000000..874f62e7ad --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch 
@@ -0,0 +1,38 @@ +From 52a0f9234d384b9dab368835b22e5a5a01542168 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 14:16:10 +0800 +Subject: [PATCH] auth-digest: fix crash in + soup_auth_digest_get_protection_space() + +We need to validate the Domain parameter in the WWW-Authenticate header. + +Unfortunately this crash only occurs when listening on default ports 80 +and 443, so there's no good way to test for this. The test would require +running as root. + +Fixes #440 + +CVE: CVE-2025-4476 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c?merge_request_iid=457] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index f1621ec..a2dc560 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -229,7 +229,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, SoupURI *source_uri) + uri = soup_uri_new (d); + if (uri && uri->scheme == source_uri->scheme && + uri->port == source_uri->port && +- !strcmp (uri->host, source_uri->host)) ++ !g_strcmp0 (uri->host, source_uri->host)) + dir = g_strdup (uri->path); + else + dir = NULL; +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 089a032a4f..45add2e3e0 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -33,6 +33,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32912.patch \ file://CVE-2024-52531-1.patch \ file://CVE-2024-52531-2.patch \ + file://CVE-2025-4476.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
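Review bot: the one-line change in soup_auth_digest_get_protection_space() makes the host comparison NULL-safe, but g_strcmp0() treats two NULL strings as equal, so a Domain URI with no host would still pass this test if source_uri->host were ever NULL too, and dir would be taken from uri->path. The commit message says the Domain parameter needs validating; an explicit uri->host check ahead of the comparison would express that directly instead of relying on source_uri->host always being set. Since the message also says the crash cannot be covered by a test, a comment at the comparison noting that uri->host may be NULL for a malformed Domain value would keep the reason from being lost.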