From patchwork Wed Jun 4 11:34:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64269 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38975C5B543 for ; Wed, 4 Jun 2025 11:34:32 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.14360.1749036870532928119 for ; Wed, 04 Jun 2025 04:34:30 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55456FaQ006575 for ; Wed, 4 Jun 2025 11:34:29 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9q2dt2-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 11:34:29 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:29 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:28 -0700 From: To: Subject: [scarthgap][PATCH V2 01/14] libsoup-2.4: fix CVE-2025-32052 Date: Wed, 4 Jun 2025 19:34:13 +0800 Message-ID: <20250604113426.464818-2-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: X2H4TaunVCCwjjsLtq4ftJGhVK99qtSt X-Authority-Analysis: v=2.4 cv=X8RSKHTe c=1 sm=1 tr=0 ts=68402f45 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=sfOm8-O8AAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 a=TvTJqdcANYtsRzA46cdi:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfX05UIgsSZCBLU JOs94Aiop3Me/iNKH3HBHYc8Q7Kfs+6PFq4THzkXykOEr88S9ZeuO/aCHAExFxDfdZ7jSTfGzQz j9P9ix9LPaUit0BVWrfAXXaI5L1B7n6K8qd3vwiyRfCrGDjZAL4DDysx3Dl5DNKCPH3/4URiSEz je/6gTjr/9f03tKl3oLHWGIBqwUWRoOjSDL9uCSsOJ6FOiXOCdKEF4x3v+4IzHy0Ogq5NxljJMw PWBgXWqQpwOm30kgiDeqADJrOEazpzmTAWWI/DOxh0IpHhJhFc9tose4qFalOMvJEhXZnUwHznG CukIBergzOxLf9uqPwSpD16wbokZZOSnXHXNoBeca9HEHCJfGhuE6g/25TKE3FVkQn1UNAWAWz3 BebFTjO7fpcNiwKwxDvU1OHpOsrFe3XN3gNcXRJnUAc8HSl6ijVJ744Nhp2lQhJp5/6pkVLW X-Proofpoint-ORIG-GUID: X2H4TaunVCCwjjsLtq4ftJGhVK99qtSt X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 bulkscore=0 priorityscore=1501 mlxscore=0 malwarescore=0 impostorscore=0 suspectscore=0 adultscore=0 clxscore=1015 lowpriorityscore=0 phishscore=0 mlxlogscore=855 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217927 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/425 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-32052.patch | 32 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch new file mode 100644 index 0000000000..34bc8113a4 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch @@ -0,0 +1,32 @@ +From f4a67a9a3033586edaee715d40d5992e02d32893 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 16 Nov 2024 12:07:30 -0600 +Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff + +Co-Author: Ar Jun + +CVE: CVE-2025-32052 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652#500da7cfde649872c49169be34b03a1c42a53ddb] + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 9554636..eac9e7b 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer, + guint index_pattern = 0; + gboolean skip_row = FALSE; + +- while ((index_stream < resource_length) && ++ while ((index_stream < resource_length - 1) && + (index_pattern <= type_row->pattern_length)) { + /* Skip insignificant white space ("WS" in the spec) */ + if (type_row->pattern[index_pattern] == ' ') { +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 8f33e935fb..5dddbe87de 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -33,6 +33,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32914.patch \ file://CVE-2025-32907.patch \ file://CVE-2025-32053.patch \ + file://CVE-2025-32052.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed Jun 4 11:34:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64270 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 36176C5B549 for ; Wed, 4 Jun 2025 11:34:42 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.14362.1749036872328833258 for ; Wed, 04 Jun 2025 04:34:32 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 554BFFeN003500 for ; Wed, 4 Jun 2025 11:34:31 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9t2cyn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 11:34:31 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:30 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:29 -0700 From: To: Subject: [scarthgap][PATCH V2 02/14] libsoup: fix CVE-2025-32052 Date: Wed, 4 Jun 2025 19:34:14 +0800 Message-ID: <20250604113426.464818-3-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: gAoUm2JBVASr8dTnoqWVfI7NTlQESTmQ X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfX7c8Oh2EwsfBE eipwAxPC8VUPhr371GoS2FUJRY2F5MPa0+OBZCO2X0674x69z6KhUhpUJ7ORwiUF8IXNl7Ksej8 xB8SWvUu1lKPEF5dpilpKb+9oODZ7SJE09AtA09rhnZJV82kcs7yKwI2/kvL0HclX+fFFoSAW3Y GaDhOpgrjrWuhlbaywPNdSXErJSiGBZbXK2kK6eFZYYyb1L8S1EKtmqda9LsKt4tnCsjNDpagyG zWw5A55MvHiD5zuMkgF2bgK9UywO36AaCwks8okz4iHWWM6P8mkw2/h7gQP0W9jO3aoQeJv3glc mpVlW2zcWERReNdlIzHDQ1OXZ2MTdsvTSepsGOnqREoyH4yEM4BKZJNgKht3oO/tT2rbGAuDWpG WGaP+hFfAY7ArMVNUoAs7Hpo9xdQjSMAvmThzvkOHp5RHE9KrDbyCIIXlKUTue886HHYIqwS X-Proofpoint-GUID: gAoUm2JBVASr8dTnoqWVfI7NTlQESTmQ X-Authority-Analysis: v=2.4 cv=Q4DS452a c=1 sm=1 tr=0 ts=68402f47 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=sfOm8-O8AAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 a=TvTJqdcANYtsRzA46cdi:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 mlxlogscore=871 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 adultscore=0 malwarescore=0 phishscore=0 spamscore=0 lowpriorityscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217928 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/425 Signed-off-by: Changqing Li --- .../libsoup-3.4.4/CVE-2025-32052.patch | 31 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32052.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32052.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32052.patch new file mode 100644 index 0000000000..78b712070b --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32052.patch @@ -0,0 +1,31 @@ +From 779bcb279b1dc4eb8bcb22c5e727b1174630c3fc Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 16 Nov 2024 12:07:30 -0600 +Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff + +Co-Author: Ar Jun + +CVE: CVE-2025-32052 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652] + +Signed-off-by: Changqing Li +--- + libsoup/content-sniffer/soup-content-sniffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index 23d5aaa..aeee2e2 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -529,7 +529,7 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer, + guint index_pattern = 0; + gboolean skip_row = FALSE; + +- while ((index_stream < resource_length) && ++ while ((index_stream < resource_length - 1) && + (index_pattern <= type_row->pattern_length)) { + /* Skip insignificant white space ("WS" in the spec) */ + if (type_row->pattern[index_pattern] == ' ') { +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 763b787663..87bc155a90 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -36,6 +36,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32907-1.patch \ file://CVE-2025-32907-2.patch \ file://CVE-2025-32053.patch \ + file://CVE-2025-32052.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Jun 4 11:34:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64278 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4F81DC61DB8 for ; Wed, 4 Jun 2025 11:34:42 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.14363.1749036872933230936 for ; Wed, 04 Jun 2025 04:34:33 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 554BFFeO003500 for ; Wed, 4 Jun 2025 11:34:32 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9t2cyn-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 11:34:31 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:31 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:30 -0700 From: To: Subject: [scarthgap][PATCH V2 03/14] libsoup: fix CVE-2025-32051 Date: Wed, 4 Jun 2025 19:34:15 +0800 Message-ID: <20250604113426.464818-4-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: JQ76tFYOtehCrS-ntMuouAsEurEcqsAC X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfX9T/hMqmTx5Bg pW014ubazdkyuS/5PCt1xVGOnlZRe7PcrfqZpzhHQyjiWILFmHEwRqDFXmEgx4FJIbqlHJ2Buz/ 7bRMo/z+ENnZWOBw6LmkhZQ43QSxgPwStSRTOyDr8XguvjSXdgsLwqTpvqhvhNPfValUnIPKgh/ Wrsmfy+6WEhq+jWa0QAetZvWG7bt8JficdBDIc1DT7EtL+hOgQhtoI7N7SsnAzNLZ8Zg/M4hzBj Jsw9rgWv2rpPogCs8h7rge0FEd5d2GkHGtejd1Yl+bHdpMgmg/89koQNqoDu2cZtIzNt6CfU10U WK1paW8zyfPr42/LPJ587fv8OGldrKPQmG1kdEXMb1CzvsY+ptNpIDttrIrZBOJypcJALt7NVYF 7vw8Zstl7IgDphnt1EWXCLaqz4b1EX4WWEcIdiSU4md1wPE/pL3jdKBy37ZgxQX33Zra+fbU X-Proofpoint-GUID: JQ76tFYOtehCrS-ntMuouAsEurEcqsAC X-Authority-Analysis: v=2.4 cv=Q4DS452a c=1 sm=1 tr=0 ts=68402f47 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=sfOm8-O8AAAA:8 a=V2sgnzSHAAAA:8 a=lz8H-ZI_o7jANyl0rCQA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=TvTJqdcANYtsRzA46cdi:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 mlxlogscore=999 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 adultscore=0 malwarescore=0 phishscore=0 spamscore=0 lowpriorityscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217929 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/401 Signed-off-by: Changqing Li --- .../libsoup-3.4.4/CVE-2025-32051-1.patch | 29 ++++++++++ .../libsoup-3.4.4/CVE-2025-32051-2.patch | 57 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 2 + 3 files changed, 88 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-1.patch new file mode 100644 index 0000000000..efeda48b11 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-1.patch @@ -0,0 +1,29 @@ +From dc5db30989f385303c79ec3188c52e33f6f5886e Mon Sep 17 00:00:00 2001 +From: Ar Jun +Date: Sat, 16 Nov 2024 11:50:09 -0600 +Subject: [PATCH 1/2] Fix possible NULL deref in soup_uri_decode_data_uri + +CVE: CVE-2025-32051 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/0713ba4a719da938dc8facc89fca99cd0aa3069f] + +Signed-off-by: Changqing Li +--- + libsoup/soup-uri-utils.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c +index be2b79b..0251279 100644 +--- a/libsoup/soup-uri-utils.c ++++ b/libsoup/soup-uri-utils.c +@@ -303,6 +303,8 @@ soup_uri_decode_data_uri (const char *uri, + + uri_string = g_uri_to_string (soup_uri); + g_uri_unref (soup_uri); ++ if (!uri_string) ++ return NULL; + + start = uri_string + 5; + comma = strchr (start, ','); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-2.patch new file mode 100644 index 0000000000..24c184bb86 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-2.patch @@ -0,0 +1,57 @@ +From 7d1557a60145927806c88d321e8322a9d9f49bb2 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 22 Nov 2024 13:39:51 -0600 +Subject: [PATCH 2/2] soup_uri_decode_data_uri(): Handle URIs with a path + starting with // + +CVE: CVE-2025-32051 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/79cfd65c9bd8024cd45dd725c284766329873709] + +Signed-off-by: Changqing Li +--- + libsoup/soup-uri-utils.c | 8 ++++++++ + tests/uri-parsing-test.c | 2 ++ + 2 files changed, 10 insertions(+) + +diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c +index 0251279..1ff11cd 100644 +--- a/libsoup/soup-uri-utils.c ++++ b/libsoup/soup-uri-utils.c +@@ -286,6 +286,7 @@ soup_uri_decode_data_uri (const char *uri, + gboolean base64 = FALSE; + char *uri_string; + GBytes *bytes; ++ const char *path; + + g_return_val_if_fail (uri != NULL, NULL); + +@@ -301,6 +302,13 @@ soup_uri_decode_data_uri (const char *uri, + if (content_type) + *content_type = NULL; + ++ /* g_uri_to_string() is picky about paths that start with `//` and will assert. */ ++ path = g_uri_get_path (soup_uri); ++ if (path[0] == '/' && path[1] == '/') { ++ g_uri_unref (soup_uri); ++ return NULL; ++ } ++ + uri_string = g_uri_to_string (soup_uri); + g_uri_unref (soup_uri); + if (!uri_string) +diff --git a/tests/uri-parsing-test.c b/tests/uri-parsing-test.c +index 1f16273..418391e 100644 +--- a/tests/uri-parsing-test.c ++++ b/tests/uri-parsing-test.c +@@ -141,6 +141,8 @@ static struct { + { "data:text/plain;base64,aGVsbG8=", "hello", "text/plain" }, + { "data:text/plain;base64,invalid=", "", "text/plain" }, + { "data:,", "", CONTENT_TYPE_DEFAULT }, ++ { "data:.///", NULL, NULL }, ++ { "data:/.//", NULL, NULL }, + }; + + static void +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 87bc155a90..313edb2653 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -37,6 +37,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32907-2.patch \ file://CVE-2025-32053.patch \ file://CVE-2025-32052.patch \ + file://CVE-2025-32051-1.patch \ + file://CVE-2025-32051-2.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Jun 4 11:34:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64279 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7BF1FC678DF for ; Wed, 4 Jun 2025 11:34:42 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.14428.1749036874544594141 for ; Wed, 04 Jun 2025 04:34:34 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5544wnNk017294 for ; Wed, 4 Jun 2025 11:34:33 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9t2cyv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 11:34:33 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:32 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:31 -0700 From: To: Subject: [scarthgap][PATCH V2 04/14] libsoup-2.4: fix CVE-2025-32050 Date: Wed, 4 Jun 2025 19:34:16 +0800 Message-ID: <20250604113426.464818-5-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: TzjKdoyTpAzReKZ3OiEcvIT2XBE-Doeq X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfX1H47ueNpnYRw lrMqpu2dApX6nSBajpMd5C2NVU+tzc3YDI+daOmEikuiZSM7eFW4mfzZ8DaFoejbSyCD2cFAqwU fbGSC/3Q3OrfGmn3ak2A3RVYWjgm9rFeQGb7I5fzF485IKIxyykCKEmHQFkynvSq32IQw/769/i ef5YvKTY1MfY1LXw5eEyFd/S3LTs63miI5+NwnR/ik4SbDl5K+Yq6mjv36f1Pd7Tm5kY8z8SgXk sHmJCB/yFCg9UlaJl2c4AtuPK4YSxkLJaSygUhLEk0WE1gEI8rw57aNqZTQOUw68S1f6vx6YIa5 JBuxq4YRcA72WC3a8JwxxP1AzzkZTDvsszMzHHyQ/w9c5lF9x8QHvW4/WIvn4R3ejQjk5qy6Xxe 1oGK3AH7w7KpI/lfmlsSYhvPcfWWfGkLoMc0tI2NhG945oC7lXzj5DmqTKJiuywy+4oLgAtZ X-Proofpoint-GUID: TzjKdoyTpAzReKZ3OiEcvIT2XBE-Doeq X-Authority-Analysis: v=2.4 cv=Q4DS452a c=1 sm=1 tr=0 ts=68402f49 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 mlxlogscore=850 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 adultscore=0 malwarescore=0 phishscore=0 spamscore=0 lowpriorityscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217930 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/424 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-32050.patch | 29 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch new file mode 100644 index 0000000000..c032846ef0 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch @@ -0,0 +1,29 @@ +From 5709dfffb6fdc5b66ce001bf82a755ad8ad1d992 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 28 Oct 2024 12:29:48 -0500 +Subject: [PATCH] Fix using int instead of size_t for strcspn return + +CVE: CVE-2025-32050 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 9707ca0..67905b2 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -902,7 +902,7 @@ append_param_quoted (GString *string, + const char *name, + const char *value) + { +- int len; ++ gsize len; + + g_string_append (string, name); + g_string_append (string, "=\""); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 5dddbe87de..3f66099361 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -34,6 +34,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32907.patch \ file://CVE-2025-32053.patch \ file://CVE-2025-32052.patch \ + file://CVE-2025-32050.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed Jun 4 11:34:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64277 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6B7CBC67861 for ; Wed, 4 Jun 2025 11:34:42 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.14430.1749036875098064183 for ; Wed, 04 Jun 2025 04:34:35 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5544wnNl017294 for ; Wed, 4 Jun 2025 11:34:34 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9t2cyv-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 11:34:34 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:33 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:32 -0700 From: To: Subject: [scarthgap][PATCH V2 05/14] libsoup: fix CVE-2025-32050 Date: Wed, 4 Jun 2025 19:34:17 +0800 Message-ID: <20250604113426.464818-6-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: RELqoY6s4kpyLNKvoDX8T-PuCSf3s4F3 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfX8/xkkkMEShlI g8/woxVb6mdRhxhQLemIgK6s9YHwmUAx+JNBl8NJsUiPvjKSuUy2y0xvaF8ecRAh1+xx5VHMhVU 3vjUFZN7fEJtfwd+e+zhtW8Av+SG8ueYGJIYCxJQZdshMTlmSVCIcCGrP+BrCAf2+kDsaRoCcOL MJSLRWnHICEHsbxwQBgR5PiAfDrBhv15lL6UC+89PITjpFZjwtHYWigqcm0/XYa1Y3kncXcuMDf zrHTgPFSCtIn8S66nsz0UvSHqyYsb41B6BsAzENW50G/bcP3I3Jo7cDSl1qE/p0KNcnhE/IJ4GL BT2GZj57gS4LVp+rmsf8nfu45kXeNuzsysd12tB694Y5F46McXmynatzJORSlmtUZDkKNqRH57j gA+libNQUGFaW/uCHrdyluUIQ9Q18GrjTjiCw9byphe6rOmpxVUyNdj98MlNePAlJ2gz5GCE X-Proofpoint-GUID: RELqoY6s4kpyLNKvoDX8T-PuCSf3s4F3 X-Authority-Analysis: v=2.4 cv=Q4DS452a c=1 sm=1 tr=0 ts=68402f4a cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 mlxlogscore=862 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 adultscore=0 malwarescore=0 phishscore=0 spamscore=0 lowpriorityscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217931 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/424 Signed-off-by: Changqing Li --- .../libsoup-3.4.4/CVE-2025-32050.patch | 29 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32050.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32050.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32050.patch new file mode 100644 index 0000000000..e5a4d747a1 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32050.patch @@ -0,0 +1,29 @@ +From 30c86c9a284cf6f366ac87df0bca3e18a5de8671 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 28 Oct 2024 12:29:48 -0500 +Subject: [PATCH] Fix using int instead of size_t for strcspn return + +CVE: CVE-2025-32050 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 5fb32c2..52ef2ec 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -906,7 +906,7 @@ append_param_quoted (GString *string, + const char *name, + const char *value) + { +- int len; ++ gsize len; + + g_string_append (string, name); + g_string_append (string, "=\""); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 313edb2653..73b03f109c 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -39,6 +39,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32052.patch \ file://CVE-2025-32051-1.patch \ file://CVE-2025-32051-2.patch \ + file://CVE-2025-32050.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Jun 4 11:34:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64273 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4EA4EC677C4 for ; Wed, 4 Jun 2025 11:34:42 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.14434.1749036877544660513 for ; Wed, 04 Jun 2025 04:34:37 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 554AgoCo027229 for ; Wed, 4 Jun 2025 11:34:36 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9q2dth-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 11:34:36 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:34 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:33 -0700 From: To: Subject: [scarthgap][PATCH V2 06/14] libsoup-2.4: fix CVE-2025-46421 Date: Wed, 4 Jun 2025 19:34:18 +0800 Message-ID: <20250604113426.464818-7-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: 3V7A5e62azUEYXRuEcHYJx0MHqLJhiqB X-Authority-Analysis: v=2.4 cv=X8RSKHTe c=1 sm=1 tr=0 ts=68402f4c cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfX850BhXQq0LN5 3SldpxtQMXOCR3vcVnWJh4edpO/Ue8SvG72SoN/oR4eAu33rrhAR29AhbGDhGDXCeiSdo0940rN 92weXmXMtpfiCa6H/K8FFfZpL2klpmvAT8gsDJYwywg/t31dncqMQEAtSTcD4UzBwd+h/JO8T4A VivZggxwoptedfP3pERJzlIjLasK8fa/I1F5L6cIkoTK4xLQMgN2YVYHpWiQn2qQhl/qntoKR9c eXzzFMgjH5ikw4nFU+razOyV7KL+rpe5Xb2pwvNe0tgr2sN4IQPH4fcbHVVN7kpaZSDthlELAYl Tyj2PhseQsOCluPIr9a0jRkn4d+8eqIRMO5Wlui8R9mE2gRb0M8AKqPDs/SB0oUyyaEsUaJnWGz PSQhKtk5HswOklLq3Alg1neAQaMYnXDlSz4QkKix/9+kzjHC+4M9VZ+qFY3olu1lKcagq9AX X-Proofpoint-ORIG-GUID: 3V7A5e62azUEYXRuEcHYJx0MHqLJhiqB X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 bulkscore=0 priorityscore=1501 mlxscore=0 malwarescore=0 impostorscore=0 suspectscore=0 adultscore=0 clxscore=1015 lowpriorityscore=0 phishscore=0 mlxlogscore=904 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217933 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-46421.patch | 48 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch new file mode 100644 index 0000000000..64706f43aa --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch @@ -0,0 +1,48 @@ +From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 16:18:10 -0600 +Subject: [PATCH] session: Strip authentication credentails on + cross-origin redirect + +This should match the behavior of Firefox and Safari but not of Chromium. + +CVE: CVE-2025-46421 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] + +Test code not added since it included some headers not in version 2.74.3 + +Signed-off-by: Changqing Li +--- + libsoup/soup-session.c | 8 ++++- + tests/auth-test.c | 78 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 85 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index 83421ef..8d6ac61 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) + SOUP_ENCODING_NONE); + } + ++ /* Strip all credentials on cross-origin redirect. */ ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { ++ //soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION); ++ soup_message_set_auth (msg, NULL); ++ } ++ + soup_message_set_uri (msg, new_uri); + soup_uri_free (new_uri); + + soup_session_requeue_message (session, msg); + return TRUE; +-} ++} + + static void + redirect_handler (SoupMessage *msg, gpointer user_data) + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 3f66099361..d37b553a92 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -35,6 +35,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32053.patch \ file://CVE-2025-32052.patch \ file://CVE-2025-32050.patch \ + file://CVE-2025-46421.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed Jun 4 11:34:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64274 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 43657C61CE7 for ; Wed, 4 Jun 2025 11:34:42 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.14433.1749036877058418551 for ; Wed, 04 Jun 2025 04:34:37 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5544Eb9H018125 for ; Wed, 4 Jun 2025 04:34:36 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rtdcc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 04:34:36 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:35 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:35 -0700 From: To: Subject: [scarthgap][PATCH V2 07/14] libsoup: fix CVE-2025-46421 Date: Wed, 4 Jun 2025 19:34:19 +0800 Message-ID: <20250604113426.464818-8-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: O-syjuozwjxsLBQSUvZrO9J7HMzbEE13 X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68402f4c cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=QbgcUSsBnVzo0aMhA2UA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfX0un4sM3l09sH 3yqnzvufd8n1crgF3pRltQe2YIjBiCykQEKkGXIIl8zJTDINrCO5L/LrL7cyesxxQKsw/f383ha fyaffe7Av43inaqtLCUbD/altwn4fFD0z/31XmS9rXj/gR6qcVJb+l/BiNSbAoxLBojHZPAxJCo IkoAMVGEqV+FfBEuMTEk7uCrdiiyx0HcT7s2yKLRodIC5dbGPqdrN4cKo35+rFs7Kw7fCf9wXgv /NvwMmJZQVxbkNo3tb8kUyUnFLZp0+sYDZTQ59AB3jA5bORVl1MTkzA07os6cm6KCNAQXcYHhqE aTasBhPrpN1LwhLaa8Ab1b9WPJfgVeFRG7bL7NPB1DGbPB73Rx7GeLEaDex7XvbWtDiCWziYrCT /NpIy3bbJs+gVxkjRFLTRSxvfejvIm149BWyTQXlmRKVKqSMCkOkkInoZrVBOiW3IXN9cbq2 X-Proofpoint-ORIG-GUID: O-syjuozwjxsLBQSUvZrO9J7HMzbEE13 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=881 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217932 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 Signed-off-by: Changqing Li --- .../libsoup-3.4.4/CVE-2025-46421.patch | 139 ++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 140 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46421.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46421.patch new file mode 100644 index 0000000000..72683d8fce --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46421.patch @@ -0,0 +1,139 @@ +From 85c5227eef7370832044eb918e8a99c0bcbab86f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 16:18:10 -0600 +Subject: [PATCH] session: Strip authentication credentails on cross-origin + redirect + +This should match the behavior of Firefox and Safari but not of Chromium. + +CVE: CVE-2025-46421 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] + +Signed-off-by: Changqing Li +--- + libsoup/soup-session.c | 6 ++++ + tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 83 insertions(+) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index 631bec0..9f00b05 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1230,6 +1230,12 @@ soup_session_redirect_message (SoupSession *session, + SOUP_ENCODING_NONE); + } + ++ /* Strip all credentials on cross-origin redirect. */ ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { ++ soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION); ++ soup_message_set_auth (msg, NULL); ++ } ++ + soup_message_set_request_host_from_uri (msg, new_uri); + soup_message_set_uri (msg, new_uri); + g_uri_unref (new_uri); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 484097f..7c3b551 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1,6 +1,7 @@ + /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */ + + #include "test-utils.h" ++#include "soup-uri-utils-private.h" + + static const char *base_uri; + static GMainLoop *loop; +@@ -1916,6 +1917,81 @@ do_missing_params_test (gconstpointer auth_header) + soup_test_server_quit_unref (server); + } + ++static void ++redirect_server_callback (SoupServer *server, ++ SoupServerMessage *msg, ++ const char *path, ++ GHashTable *query, ++ gpointer user_data) ++{ ++ static gboolean redirected = FALSE; ++ ++ if (!redirected) { ++ char *redirect_uri = g_uri_to_string (user_data); ++ soup_server_message_set_redirect (msg, SOUP_STATUS_MOVED_PERMANENTLY, redirect_uri); ++ g_free (redirect_uri); ++ redirected = TRUE; ++ return; ++ } ++ ++ g_assert_not_reached (); ++} ++ ++static gboolean ++auth_for_redirect_callback (SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer user_data) ++{ ++ GUri *known_server_uri = user_data; ++ ++ if (!soup_uri_host_equal (known_server_uri, soup_message_get_uri (msg))) ++ return FALSE; ++ ++ soup_auth_authenticate (auth, "user", "good-basic"); ++ ++ return TRUE; ++} ++ ++static void ++do_strip_on_crossorigin_redirect (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupServer *server1, *server2; ++ SoupAuthDomain *auth_domain; ++ GUri *uri; ++ gint status; ++ ++ server1 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ server2 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ ++ /* Both servers have the same credentials. */ ++ auth_domain = soup_auth_domain_basic_new ("realm", "auth-test", "auth-callback", server_basic_auth_callback, NULL); ++ soup_auth_domain_add_path (auth_domain, "/"); ++ soup_server_add_auth_domain (server1, auth_domain); ++ soup_server_add_auth_domain (server2, auth_domain); ++ g_object_unref (auth_domain); ++ ++ /* Server 1 asks for auth, then redirects to Server 2. */ ++ soup_server_add_handler (server1, NULL, ++ redirect_server_callback, ++ soup_test_server_get_uri (server2, "http", NULL), (GDestroyNotify)g_uri_unref); ++ /* Server 2 requires auth. */ ++ soup_server_add_handler (server2, NULL, server_callback, NULL, NULL); ++ ++ session = soup_test_session_new (NULL); ++ uri = soup_test_server_get_uri (server1, "http", NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ /* The client only sends credentials for the host it knows. */ ++ g_signal_connect (msg, "authenticate", G_CALLBACK (auth_for_redirect_callback), uri); ++ ++ status = soup_test_session_send_message (session, msg); ++ ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); ++ ++ g_uri_unref (uri); ++ soup_test_server_quit_unref (server1); ++ soup_test_server_quit_unref (server2); ++} ++ + int + main (int argc, char **argv) + { +@@ -1949,6 +2025,7 @@ main (int argc, char **argv) + g_test_add_func ("/auth/auth-uri", do_auth_uri_test); + g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate); + g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms); ++ g_test_add_func ("/auth/strip-on-crossorigin-redirect", do_strip_on_crossorigin_redirect); + g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 73b03f109c..885e570ab8 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -40,6 +40,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32051-1.patch \ file://CVE-2025-32051-2.patch \ file://CVE-2025-32050.patch \ + file://CVE-2025-46421.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Jun 4 11:34:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64276 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4EA0CC61CE8 for ; Wed, 4 Jun 2025 11:34:42 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.14435.1749036878344385307 for ; Wed, 04 Jun 2025 04:34:38 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55448x9v006347 for ; Wed, 4 Jun 2025 04:34:37 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rtevb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 04:34:37 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:37 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:36 -0700 From: To: Subject: [scarthgap][PATCH V2 08/14] libsoup-2.4: fix CVE-2025-4948 Date: Wed, 4 Jun 2025 19:34:20 +0800 Message-ID: <20250604113426.464818-9-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfXx3sv+XoOiEVy NDQkTHL1VdxBO1Vnrv/zQt/oGA8EMHJHaIbjrcaRwArt+Q/g+iCvbXPgF4V3tELHLXtf6KFD31M e9OnYk/cXGOfh04sA035bPzHTLp766SCcet2bBDC+cZPJbv3iRVBoXGHq7B91LOLlzpYBy6z4+e gLSpdTYY/z/O0lkPvVWHyRSr5LbPIc/cR1WBk0eoCeYCIUEvk03N6DKCf3E5KGv0ehDFhLdpw+7 f/ZTGEtscPEbI0JljEInR8cLnof8W5aRhiu6NH9EUwdvl3pPmNwTRoFlfJKTyxeDAaLKV5fM3fq SvNLzBVyxLjG2wVVNx7IAn7QP+oEDgxfwfjPtCyzLE0W10qE8xXDyH0c5QzPEoy54uTRj1hNDRp AyK+txobpMjYMLgWqL6Tecn5gtoX47zJSGVrtjmKi8ceDllwNq1Y7bkYXJznmGUPNRUIpMj2 X-Authority-Analysis: v=2.4 cv=PvyTbxM3 c=1 sm=1 tr=0 ts=68402f4d cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=_9wbE66-DFzY0cZEwEkA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-GUID: RtK3t5C4ECb-AdVyIMJ6L3Ns4Wuh5DMe X-Proofpoint-ORIG-GUID: RtK3t5C4ECb-AdVyIMJ6L3Ns4Wuh5DMe X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 clxscore=1015 bulkscore=0 adultscore=0 mlxscore=0 mlxlogscore=730 impostorscore=0 lowpriorityscore=0 phishscore=0 suspectscore=0 spamscore=0 priorityscore=1501 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217934 From: Changqing Li Refer: http://gitlab.gnome.org/GNOME/libsoup/-/issues/449 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-4948.patch | 38 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch new file mode 100644 index 0000000000..b15b8c763d --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch @@ -0,0 +1,38 @@ +From dfdc9b3cc73e6fe88cc12792ba00e14642572339 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Thu, 15 May 2025 17:49:11 +0200 +Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body + +It could happen that the boundary started at a place which resulted into +a negative number, which in an unsigned integer is a very large value. +Check the body size is not a negative value before setting it. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 + +Part-of: + +CVE: CVE-2025-4948 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/diffs?commit_id=f2f28afe0b3b2b3009ab67d6874457ec6bac70c0] + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index dd93973..ce2fc10 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + */ + part_body = soup_buffer_new_subbuffer (flattened, + split - flattened->data, +- end - 2 - split); ++ end - 2 >= split ? end - 2 - split : 0); + g_ptr_array_add (multipart->bodies, part_body); + + start = end; +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index d37b553a92..1c7b13001e 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -36,6 +36,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32052.patch \ file://CVE-2025-32050.patch \ file://CVE-2025-46421.patch \ + file://CVE-2025-4948.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed Jun 4 11:34:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64275 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 436A5C61DB2 for ; Wed, 4 Jun 2025 11:34:42 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.14436.1749036879426036652 for ; Wed, 04 Jun 2025 04:34:39 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5544Eb9I018125 for ; Wed, 4 Jun 2025 04:34:39 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rtdce-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 04:34:38 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:38 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:37 -0700 From: To: Subject: [scarthgap][PATCH V2 09/14] libsoup: fix CVE-2025-4948 Date: Wed, 4 Jun 2025 19:34:21 +0800 Message-ID: <20250604113426.464818-10-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: DhvjVrcnzX5Axl0MDEu22SXWnBZm3oBJ X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68402f4e cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=o19dcwqJu1wBlOUGTbIA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfXyynAd9NYO9Z/ ufp9Ws4XlRtYHmA2gQsWeB4PZsOghd/8JhmhLm2+UojEfobCrCc3LQZL96YGIJE1FZ59VMClXGU zRFC6QqxHMrzv898DXIFXkdjamuVWKB3HXTCrloO5N/G7Ucmv5ohOLjbViqk8qR6Vsqe3HUiKB3 R7nUFJp4mvICDz/CTUbb7cZphdQI5B4UrwKL+psSkYL5HeP07Zr9LBZi0BzuXvuSjsFYzW04VBI TMg74pk1foHumQlzv/GCKc6gef8jSo0udl7RY4Slb9wv6Lszx94BSJeBbQ7yEfOem/zXDpdXfnH 0rX9n8JjbDnCOvDnjbUzaO84Eq3WyCUEkSdEa+/2FCb7Tt3V1G/VRqUvagxsYypLB7h37AjZmTh Fdosd/vX74e0g/lr0Uz65D1h6YpcBYwQCNcl7k49TVuikWEVGWaZtPrCyuUi6rLdbx2AvAHm X-Proofpoint-ORIG-GUID: DhvjVrcnzX5Axl0MDEu22SXWnBZm3oBJ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=821 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217935 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 Signed-off-by: Changqing Li --- .../libsoup/libsoup-3.4.4/CVE-2025-4948.patch | 97 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 98 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4948.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4948.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4948.patch new file mode 100644 index 0000000000..e0e7b7a44f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4948.patch @@ -0,0 +1,97 @@ +From 0076a5ef3f2a3d11805438e7fd90775f8c40569e Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Thu, 15 May 2025 17:49:11 +0200 +Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body + +It could happen that the boundary started at a place which resulted into +a negative number, which in an unsigned integer is a very large value. +Check the body size is not a negative value before setting it. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 + +Part-of: + +CVE: CVE-2025-4948 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/diffs?commit_id=f2f28afe0b3b2b3009ab67d6874457ec6bac70c0] + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index 102ce37..a587fe7 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + */ + part_body = g_bytes_new_from_bytes (body, // FIXME + split - body_data, +- end - 2 - split); ++ end - 2 >= split ? end - 2 - split : 0); + g_ptr_array_add (multipart->bodies, part_body); + + start = end; +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index f5b9868..92b673e 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -527,6 +527,45 @@ test_multipart_bounds_bad (void) + g_bytes_unref (bytes); + } + ++static void ++test_multipart_too_large (void) ++{ ++ const char *raw_body = ++ "-------------------\r\n" ++ "-\n" ++ "Cont\"\r\n" ++ "Content-Tynt----e:n\x8erQK\r\n" ++ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n" ++ "Content-Typimag\x01/png--\\\n" ++ "\r\n" ++ "---:\n\r\n" ++ "\r\n" ++ "-------------------------------------\r\n" ++ "---------\r\n" ++ "----------------------"; ++ GBytes *body; ++ GHashTable *params; ++ SoupMessageHeaders *headers; ++ SoupMultipart *multipart; ++ ++ params = g_hash_table_new (g_str_hash, g_str_equal); ++ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------"); ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_set_content_type (headers, "multipart/form-data", params); ++ g_hash_table_unref (params); ++ ++ body = g_bytes_new_static (raw_body, strlen (raw_body)); ++ multipart = soup_multipart_new_from_message (headers, body); ++ soup_message_headers_unref (headers); ++ g_bytes_unref (body); ++ ++ g_assert_nonnull (multipart); ++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1); ++ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body)); ++ g_assert_cmpint (g_bytes_get_size (body), ==, 0); ++ soup_multipart_free (multipart); ++} ++ + int + main (int argc, char **argv) + { +@@ -556,6 +595,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); + g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); ++ g_test_add_func ("/multipart/too-large", test_multipart_too_large); + + ret = g_test_run (); + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 885e570ab8..0510511b24 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -41,6 +41,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32051-2.patch \ file://CVE-2025-32050.patch \ file://CVE-2025-46421.patch \ + file://CVE-2025-4948.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Jun 4 11:34:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64272 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DB8EC5B543 for ; Wed, 4 Jun 2025 11:34:42 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.14437.1749036880485260511 for ; Wed, 04 Jun 2025 04:34:40 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 554Ap19J024793 for ; Wed, 4 Jun 2025 04:34:40 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rtevd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 04:34:39 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:39 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:38 -0700 From: To: Subject: [scarthgap][PATCH V2 10/14] libsoup-2.4: fix CVE-2025-4969 Date: Wed, 4 Jun 2025 19:34:22 +0800 Message-ID: <20250604113426.464818-11-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfX0CjCRZz3nf/u HVB+XSee7yg7aLEVhj9aWT9njef1NRMg4GktX9sGb+mK6e8F2mbPJFzkI2Bm/MPQKcGV1n6SS0X Ar2K2HW2LjaUDzk4CXKCzENn9Uo0liKIbuorwQuEiDb6my2smjr/h8aTeBgZrjbby5WX0C3PYiO CW/hG8/v4oHfMQ7CZj+K0BtvMC/vEgS+1WOhcBZxjFbPCTXMStS+MPuFYwSUhUjqIe7bno7gRNr yTJQ9Hi/vLasGFtuTIfVOn/Ej3QzAFsZ0jmaSvaq/QqHQAtHp2BeLeWNPe+cK7X3aUS1d8JT7K+ ibc1ApFa+eUhFOjX2JQpQJwO3K4kWUzjxNEWZGOYyjqLExIg4tuCA0WAro9PlGNs2BIYVtvQ1nf CeAZNnURrMXAh7zf0T6E7QmTAqKuchxBc4Dd1hQbFisWSdiW7ZA1HIrdFiJZda5yjsMAVCS9 X-Authority-Analysis: v=2.4 cv=PvyTbxM3 c=1 sm=1 tr=0 ts=68402f4f cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-GUID: iB1FCGq6WIDJz7JlzlSuiuzp5dtZ4WPg X-Proofpoint-ORIG-GUID: iB1FCGq6WIDJz7JlzlSuiuzp5dtZ4WPg X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 clxscore=1015 bulkscore=0 adultscore=0 mlxscore=0 mlxlogscore=744 impostorscore=0 lowpriorityscore=0 phishscore=0 suspectscore=0 spamscore=0 priorityscore=1501 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217936 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-4969.patch | 37 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch new file mode 100644 index 0000000000..7bc3e8da99 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch @@ -0,0 +1,37 @@ +From a7d0c58608ed830bedfb6b92aea11e00feb55aa9 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 19 May 2025 17:48:27 +0200 +Subject: [PATCH] soup-multipart: Verify array bounds before accessing its + members + +The boundary could be at a place which, calculated, pointed +before the beginning of the array. Check the bounds, to avoid +read out of the array bounds. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 + +CVE: CVE-2025-4969 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467/diffs?commit_id=b5b4dd10d4810f0c87b4eaffe88504f06e502f33] + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index ce2fc10..a29cdf0 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -108,7 +108,7 @@ find_boundary (const char *start, const char *end, + continue; + + /* Check that it's at start of line */ +- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r'))) ++ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r'))) + continue; + + /* Check for "--" or "\r\n" after boundary */ +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 1c7b13001e..f2ed9945cf 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -37,6 +37,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32050.patch \ file://CVE-2025-46421.patch \ file://CVE-2025-4948.patch \ + file://CVE-2025-4969.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed Jun 4 11:34:23 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64271 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 361B5C5B552 for ; Wed, 4 Jun 2025 11:34:42 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.14439.1749036881724921213 for ; Wed, 04 Jun 2025 04:34:41 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5546H58h002578 for ; Wed, 4 Jun 2025 04:34:41 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rtevf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 04:34:41 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:40 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:39 -0700 From: To: Subject: [scarthgap][PATCH V2 11/14] libsoup: fix CVE-2025-4969 Date: Wed, 4 Jun 2025 19:34:23 +0800 Message-ID: <20250604113426.464818-12-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfX1dhoLVZaJOEF nz2rMiW9gFMRuEqsW6bLxWLHJ6Q4uFkYUGLwhopqIlW0pfa/ARoytaj4ra8AwquClokalp1juiC 9T0V8GmqPolPO7EtfUhOEqLXjgvVwPJVpkuCw7GV8vj9e1PeNCQ16pmQ7qHDLefzbyrHLZQ+OnQ uRIEfkcwSglNFPZVPIvpNlABuJysru+H3e+X0dzoShGHprOInHFsVan2Udw2zflbx7eDlzIuHl6 uIQGUdAJ8GBbDzga631LeFh2pOTkwD/IUEaIW35mFCKpRT2DsFGK95fsRsTHqNvLwPjfEtREGDl Dn4QmzBwYnVc9YEzQHpE3A7ZuMMIF4XxFnDgilhZpv0GH4ZYoRCHX/QKdqUGuSl8GjCR+RiipE3 lSZIMM3lvKUCrsmyCe438gwS+K++DuOZAFL8zQYTbrcwIXzUnsixzRdNy6Eik+YtM1V4OxwM X-Authority-Analysis: v=2.4 cv=PvyTbxM3 c=1 sm=1 tr=0 ts=68402f51 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=EBpV3xrsuWrfeO8Jag4A:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-GUID: SOBeUiN77VsmTiQ2VF7Ri9XHJLQtxwfZ X-Proofpoint-ORIG-GUID: SOBeUiN77VsmTiQ2VF7Ri9XHJLQtxwfZ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 clxscore=1015 bulkscore=0 adultscore=0 mlxscore=0 mlxlogscore=847 impostorscore=0 lowpriorityscore=0 phishscore=0 suspectscore=0 spamscore=0 priorityscore=1501 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217937 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 Signed-off-by: Changqing Li --- .../libsoup/libsoup-3.4.4/CVE-2025-4969.patch | 78 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 79 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4969.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4969.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4969.patch new file mode 100644 index 0000000000..97702a3d08 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4969.patch @@ -0,0 +1,78 @@ +From e8ef88ed86929c9a0dc343a4c7d29a8f2bcf400f Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 19 May 2025 17:48:27 +0200 +Subject: [PATCH] soup-multipart: Verify array bounds before accessing its + members + +The boundary could be at a place which, calculated, pointed +before the beginning of the array. Check the bounds, to avoid +read out of the array bounds. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 + +CVE: CVE-2025-4969 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467/commits] + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 22 ++++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index a587fe7..27257e4 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -104,7 +104,7 @@ find_boundary (const char *start, const char *end, + continue; + + /* Check that it's at start of line */ +- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r'))) ++ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r'))) + continue; + + /* Check for "--" or "\r\n" after boundary */ +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index 92b673e..3792563 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -527,6 +527,27 @@ test_multipart_bounds_bad (void) + g_bytes_unref (bytes); + } + ++static void ++test_multipart_bounds_bad_2 (void) ++{ ++ SoupMultipart *multipart; ++ SoupMessageHeaders *headers; ++ GBytes *bytes; ++ const char *raw_data = "\n--123\r\nline\r\n--123--\r"; ++ ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\""); ++ ++ bytes = g_bytes_new (raw_data, strlen (raw_data)); ++ ++ multipart = soup_multipart_new_from_message (headers, bytes); ++ g_assert_nonnull (multipart); ++ ++ soup_multipart_free (multipart); ++ soup_message_headers_unref (headers); ++ g_bytes_unref (bytes); ++} ++ + static void + test_multipart_too_large (void) + { +@@ -595,6 +616,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); + g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); ++ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2); + g_test_add_func ("/multipart/too-large", test_multipart_too_large); + + ret = g_test_run (); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 0510511b24..a650eed520 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -42,6 +42,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32050.patch \ file://CVE-2025-46421.patch \ file://CVE-2025-4948.patch \ + file://CVE-2025-4969.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Jun 4 11:34:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64281 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 74D04C5B549 for ; Wed, 4 Jun 2025 11:34:52 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.14440.1749036882935244144 for ; Wed, 04 Jun 2025 04:34:42 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5547o5n7016945 for ; Wed, 4 Jun 2025 04:34:42 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rtdcj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 04:34:42 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:42 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:41 -0700 From: To: Subject: [scarthgap][PATCH V2 12/14] libsoup-2.4: fix CVE-2025-4476 Date: Wed, 4 Jun 2025 19:34:24 +0800 Message-ID: <20250604113426.464818-13-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: n4Dc8X_K3ymJ2mpQM6ScuPbD8bs3It7I X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68402f52 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=+jEqtf1s3R9VXZ0wqowq2kgwd+I=:19 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfXz1ZgP+kIX48O O2R8C/c2/49yQstm66zF8Up9CyBMwbngQbo1Jt3RJJyXR9UmYG4Wzr9yuFsBwQLqtgEa3YrYiNE xONbNcvatYMU36FsyWtJ1cbf5z2DwgJ2kmnKO6IbnFKi1J2wEDNIX87pkHL9Z6DLaxmZbItBDar ajjcRkDhGAO4MVTLoFXp+yD94e9by77TOIHGb7cgWwhdJYzJfcdYijQltLmkijMIj0W0pq7cph2 X3F/kk7+/9hsvTMu9WJYSTTolY3iE5bz3RHMWc7Z+tsONSTaFyL/2RVDKx9q15v2eFrLbT3XBmm WrGqIVnhA7/T7juzxmNQ52OhAFQE0/eMaSRTzQBdULbo78hwHuSbF8lmlfYS7eWQ6L688Clc1HC Gj8SpvsruTZr8n7brUbdLxRocdQ7TfUAUEvKykDIppNHEqEOaUTCpoc3O/dSC8tOLqRNfc8z X-Proofpoint-ORIG-GUID: n4Dc8X_K3ymJ2mpQM6ScuPbD8bs3It7I X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=953 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217938 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/440 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-4476.patch | 38 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch new file mode 100644 index 0000000000..874f62e7ad --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch @@ -0,0 +1,38 @@ +From 52a0f9234d384b9dab368835b22e5a5a01542168 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 14:16:10 +0800 +Subject: [PATCH] auth-digest: fix crash in + soup_auth_digest_get_protection_space() + +We need to validate the Domain parameter in the WWW-Authenticate header. + +Unfortunately this crash only occurs when listening on default ports 80 +and 443, so there's no good way to test for this. The test would require +running as root. + +Fixes #440 + +CVE: CVE-2025-4476 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c?merge_request_iid=457] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index f1621ec..a2dc560 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -229,7 +229,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, SoupURI *source_uri) + uri = soup_uri_new (d); + if (uri && uri->scheme == source_uri->scheme && + uri->port == source_uri->port && +- !strcmp (uri->host, source_uri->host)) ++ !g_strcmp0 (uri->host, source_uri->host)) + dir = g_strdup (uri->path); + else + dir = NULL; +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index f2ed9945cf..b36bd64e89 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -38,6 +38,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-46421.patch \ file://CVE-2025-4948.patch \ file://CVE-2025-4969.patch \ + file://CVE-2025-4476.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed Jun 4 11:34:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64280 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 74D34C5B552 for ; Wed, 4 Jun 2025 11:34:52 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web10.14364.1749036884392361956 for ; Wed, 04 Jun 2025 04:34:44 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 554AJ5Xi008566 for ; Wed, 4 Jun 2025 04:34:44 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rtevn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 04:34:43 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:43 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:42 -0700 From: To: Subject: [scarthgap][PATCH V2 13/14] libsoup-2.4: fix CVE-2025-2784 Date: Wed, 4 Jun 2025 19:34:25 +0800 Message-ID: <20250604113426.464818-14-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfX4YnVNtakAwXF grIN50QlV5/xa2cJFvvZRICVbxGEPZ4QgA34IGRwTCIGk36Y7YRxc/+wM2jP41Cn5Oz0phYviD7 NMRamJZ6Z37z51GPsHjAltl0EI20htgnJ9mcdlerlvDMANNwK0ymzIq2tqX206r1DBQKD8bIsY+ Vj0pPPI/axpkiwIVs2FlvCUTXhcidt0QD3FIM4KLbhu8rpMBCFOq6sGIRGffHi1vy9R6hE7CMGo vVTiIZKgCmxo+C38BqoTCQVJRtX4zmeS64lV9/8HJbNgSffzaidzbBhhgzGIxYoL+6RR6TTHnQn EiuMdsgrEa7ChfbzOEoXBXk4BKSJFcf8Lq5c0F6VeUF4H9nDc/+qkH0HPpBbc2rC+xmfMZ3uVXr fmCw+wYyU6KIRaXakN28EhD/9LBTxFh3QidcrE89sHTijNm+UtIjsZVaBL5k4imEicFD2JNL X-Authority-Analysis: v=2.4 cv=PvyTbxM3 c=1 sm=1 tr=0 ts=68402f53 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=9ZAmBD_aSAHDPC3Ooc0A:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-GUID: 4Zd3YTlvKJGd_mBWb7WpzhL6APMnz_gj X-Proofpoint-ORIG-GUID: 4Zd3YTlvKJGd_mBWb7WpzhL6APMnz_gj X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 clxscore=1015 bulkscore=0 adultscore=0 mlxscore=0 mlxlogscore=728 impostorscore=0 lowpriorityscore=0 phishscore=0 suspectscore=0 spamscore=0 priorityscore=1501 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217939 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/422 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-2784.patch | 56 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch new file mode 100644 index 0000000000..106f907168 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch @@ -0,0 +1,56 @@ +From 2eacbd762332795e00692ddab2515c6da23198d3 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 14:06:41 +0800 +Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space() + +CVE: CVE-2025-2784 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304; + https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d] + +Test code is not added since it uses some functions not defined in +version 2.74. These tests are not used now, so just ignore them. + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 9 +++---- + 1 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 5f2896e..9554636 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -612,8 +612,10 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer) + } + + static gboolean +-skip_insignificant_space (const char *resource, int *pos, int resource_length) ++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length) + { ++ if (*pos >= resource_length) ++ return TRUE; + while ((resource[*pos] == '\x09') || + (resource[*pos] == '\x20') || + (resource[*pos] == '\x0A') || +@@ -632,7 +634,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + { + const char *resource = (const char *)buffer->data; + int resource_length = MIN (512, buffer->length); +- int pos = 0; ++ gsize pos = 0; + + if (resource_length < 3) + goto text_html; +@@ -642,9 +644,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + pos = 3; + + look_for_tag: +- if (pos > resource_length) +- goto text_html; +- + if (skip_insignificant_space (resource, &pos, resource_length)) + goto text_html; + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index b36bd64e89..84730fb2b5 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -39,6 +39,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-4948.patch \ file://CVE-2025-4969.patch \ file://CVE-2025-4476.patch \ + file://CVE-2025-2784.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed Jun 4 11:34:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64282 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 811B8C5B543 for ; Wed, 4 Jun 2025 11:34:52 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.14441.1749036885380387924 for ; Wed, 04 Jun 2025 04:34:45 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8250671ff5=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5545o2f3025602 for ; Wed, 4 Jun 2025 04:34:45 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rtevp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 04:34:44 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:34:44 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:34:43 -0700 From: To: Subject: [scarthgap][PATCH V2 14/14] libsoup: fix CVE-2025-2784 Date: Wed, 4 Jun 2025 19:34:26 +0800 Message-ID: <20250604113426.464818-15-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250604113426.464818-1-changqing.li@windriver.com> References: <20250604113426.464818-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4OCBTYWx0ZWRfXzobCfiM/jxqd /uIvNtaEppyrpA/zo5qAfWqa4+5h4kD1wvw3UbUzFJy8PBm/fe+7KQOoXdoKoCrGjQa7LONVAOS ZhATvPn9KMsRLSbWz5d0879S3JgJVRwuR7flUBrWQUm7dVOv74Pwz5qK6Ef949InXfsVry3iXRI zPWSfKf7JHlGNwStV4zDdRiWpRR0wzYal9sWgfILvtkg9WMAXSEF1KiKbhen3rsyBjBcBdzWAin KpQozgyC1bAGMaDmXwtHlseBxuwVXHZ5pED/aC/pCaNJ3xSIW5nGfB2wZdXYTmwviUcJ9tUxMkE 6mn/eJBLZtliWxG+89lmmRzpIsVSldzH4N0+uGgEp7LFVJGmFwxFxxNJ8Z6xouHZxM+e7DLQITF pfUEvu1AD0IxkXlkHYXZ1DABteBF0Wb7ARxq8TNs0Zo6J8Gpv089bfqpWogprRy0qPwo6JfO X-Authority-Analysis: v=2.4 cv=PvyTbxM3 c=1 sm=1 tr=0 ts=68402f54 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=QIhr-27iAAAA:8 a=SSmOFEACAAAA:8 a=L3Y5zZzAAAAA:8 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=6Ti6dSN5qNGnjUcMqEUA:9 a=cgaYBWEFosGJW4rWv5Lf:22 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-GUID: 2j7FAtYvv4YgyPkOdCGhgOBjLHK-vj5_ X-Proofpoint-ORIG-GUID: 2j7FAtYvv4YgyPkOdCGhgOBjLHK-vj5_ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 clxscore=1015 bulkscore=0 adultscore=0 mlxscore=0 mlxlogscore=948 impostorscore=0 lowpriorityscore=0 phishscore=0 suspectscore=0 spamscore=0 priorityscore=1501 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040088 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:34:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217940 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/422 Signed-off-by: Changqing Li --- .../libsoup/libsoup-3.4.4/CVE-2025-2784.patch | 137 ++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 138 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch new file mode 100644 index 0000000000..b2e1c12d48 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch @@ -0,0 +1,137 @@ +From dd10ae267e33bcc35646610d7cc1841da77d05e7 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 14:39:42 -0600 +Subject: [PATCH] Fix CVE-2025-2784 + +CVE: CVE-2025-2784 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304 +https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d] + +Signed-off-by: Changqing Li +--- + .../content-sniffer/soup-content-sniffer.c | 10 ++-- + tests/meson.build | 4 +- + tests/sniffing-test.c | 48 +++++++++++++++++++ + 3 files changed, 56 insertions(+), 6 deletions(-) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index aeee2e2..a5e18d5 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -638,8 +638,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, GBytes *buffer) + } + + static gboolean +-skip_insignificant_space (const char *resource, int *pos, int resource_length) ++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length) + { ++ if (*pos >= resource_length) ++ return TRUE; ++ + while ((resource[*pos] == '\x09') || + (resource[*pos] == '\x20') || + (resource[*pos] == '\x0A') || +@@ -659,7 +662,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer) + gsize resource_length; + const char *resource = g_bytes_get_data (buffer, &resource_length); + resource_length = MIN (512, resource_length); +- int pos = 0; ++ gsize pos = 0; + + if (resource_length < 3) + goto text_html; +@@ -669,9 +672,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer) + pos = 3; + + look_for_tag: +- if (pos > resource_length) +- goto text_html; +- + if (skip_insignificant_space (resource, &pos, resource_length)) + goto text_html; + +diff --git a/tests/meson.build b/tests/meson.build +index 7ef7ac5..95b13b8 100644 +--- a/tests/meson.build ++++ b/tests/meson.build +@@ -95,7 +95,9 @@ tests = [ + {'name': 'server-auth'}, + {'name': 'server-mem-limit'}, + {'name': 'server'}, +- {'name': 'sniffing'}, ++ {'name': 'sniffing', ++ 'depends': [test_resources], ++ }, + {'name': 'ssl', + 'dependencies': [gnutls_dep], + 'depends': mock_pkcs11_module, +diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c +index 6116719..7857732 100644 +--- a/tests/sniffing-test.c ++++ b/tests/sniffing-test.c +@@ -342,6 +342,52 @@ test_disabled (gconstpointer data) + g_uri_unref (uri); + } + ++static const gsize MARKUP_LENGTH = strlen (""); ++ ++static void ++do_skip_whitespace_test (void) ++{ ++ SoupContentSniffer *sniffer = soup_content_sniffer_new (); ++ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org"); ++ const char *test_cases[] = { ++ "", ++ "$trailing_data ++ memcpy (p, "", strlen ("-->")); ++ p += strlen ("-->"); ++ if (strlen (trailing_data)) ++ memcpy (p, trailing_data, strlen (trailing_data)); ++ // Purposefully not NUL terminated. ++ ++ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize); ++ content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL); ++ ++ g_free (content_type); ++ g_bytes_unref (buffer); ++ } ++ ++ g_object_unref (msg); ++ g_object_unref (sniffer); ++} ++ + int + main (int argc, char **argv) + { +@@ -517,6 +563,8 @@ main (int argc, char **argv) + "/text_or_binary/home.gif", + test_disabled); + ++ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test); ++ + ret = g_test_run (); + + g_uri_unref (base_uri); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index a650eed520..5b91acf36a 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -43,6 +43,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-46421.patch \ file://CVE-2025-4948.patch \ file://CVE-2025-4969.patch \ + file://CVE-2025-2784.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"