From patchwork Fri Jun 6 06:49:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64421 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF17DC5B555 for ; Fri, 6 Jun 2025 06:50:17 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web10.27938.1749192609175784445 for ; Thu, 05 Jun 2025 23:50:09 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5565V5g2012130 for ; Thu, 5 Jun 2025 23:50:09 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rw0f9-6 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 05 Jun 2025 23:50:08 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:05 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:04 -0700 From: To: Subject: [scarthgap][PATCH V3 01/12] libsoup-2.4: fix CVE-2025-32052 Date: Fri, 6 Jun 2025 14:49:52 +0800 Message-ID: <20250606065003.3681416-2-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: 2mlw-WmTPkk0os3uSkI25qDXUmY_Nd9M X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68428fa0 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=sfOm8-O8AAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 a=TvTJqdcANYtsRzA46cdi:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MSBTYWx0ZWRfXwRfvMqby3TrC m/TtMkIGXR7PxO3geok2HwV0UQFJydjmhZLNJ7OF/ih7vSBmcG740UOgc5IxRhlustrSb0hgfqY KPpR6oWjQ6FDVL6rhzelUxQmMptmJmZ7ogz4tHTJZmBfjjH6ev0xZqvKczNMU/eRx53xXvGK7pE 6WDvlsoK0MuXCEe2ZWQQD7Fuv3tqy7tPEy4GNnXi4SziCUFsJkRCZX9TUfJR4F0VXGjbrcBs5BP 1s2wKZvSPQIDnxy3vOK7d9t/iMlulhvRzkYyaGIqIABdBHxeaBWWqkwdmHE2F8XbKdwkvmcobWl 51rz5QxM5FLUvY/SS2ujfPq1fyRZh3LoXsjivgSDgphsX5/YCKBEA1BxDCIl5qswTfLnZbhl4zJ +yuAqHGBb+vo969j0AnuxdNdgGhgTsyz6jGFinRIgISPPdtT+dqLrYHVxV0ZnU8Ksp1Plc7f X-Proofpoint-ORIG-GUID: 2mlw-WmTPkk0os3uSkI25qDXUmY_Nd9M X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=892 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060061 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218098 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/425 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-32052.patch | 32 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch new file mode 100644 index 00000000000..34bc8113a40 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch @@ -0,0 +1,32 @@ +From f4a67a9a3033586edaee715d40d5992e02d32893 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 16 Nov 2024 12:07:30 -0600 +Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff + +Co-Author: Ar Jun + +CVE: CVE-2025-32052 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652#500da7cfde649872c49169be34b03a1c42a53ddb] + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 9554636..eac9e7b 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer, + guint index_pattern = 0; + gboolean skip_row = FALSE; + +- while ((index_stream < resource_length) && ++ while ((index_stream < resource_length - 1) && + (index_pattern <= type_row->pattern_length)) { + /* Skip insignificant white space ("WS" in the spec) */ + if (type_row->pattern[index_pattern] == ' ') { +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 9a2778bf924..96bb53a0339 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -34,6 +34,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-4969.patch \ file://CVE-2025-32907.patch \ file://CVE-2025-32053.patch \ + file://CVE-2025-32052.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 6 06:49:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64416 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8442C5AD49 for ; Fri, 6 Jun 2025 06:50:17 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web10.27939.1749192609476011083 for ; Thu, 05 Jun 2025 23:50:09 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5565V5g3012130 for ; Thu, 5 Jun 2025 23:50:09 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rw0f9-7 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 05 Jun 2025 23:50:09 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:06 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:05 -0700 From: To: Subject: [scarthgap][PATCH V3 02/12] libsoup: fix CVE-2025-32052 Date: Fri, 6 Jun 2025 14:49:53 +0800 Message-ID: <20250606065003.3681416-3-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: vZV-aHtZjQfwAwtop6AgA2eYXVCpMwC3 X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68428fa1 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=sfOm8-O8AAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 a=TvTJqdcANYtsRzA46cdi:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MSBTYWx0ZWRfX/iZPhhg++Kik Gmtilfd09Ws9+Gx2ZR0v7IObZd7cE4pjFSTklHty+Gbzmf3Nw+N0o7/7ySJCiZo/ZUF8bjJQ9DU 7lElDw9CCjFajWrIAg+azSa/JAg2tk9yNiBnS6nvLAijuX1q3j5NriiT6j2chqMFA6BU5qUrkNg 4M5cUWV+kViit0wjYm1Bc81aE6nbmiCQpLiscrpOHxqm/n8T6Gg2YHJQz64VwoflUZn+biiYOe8 hdFgCRjxkK/TD40CajWmnYuu233BccHZVo8wReO4UA3GD1ZAfU4FiialLaUPkNwTJU0yW9eRGX0 L3wnR5HOo/rBxQOaObBr+C71m2099JJ+Bd9hDVVXK4EfHYHfZ8nbQdaxIfjZlgha64ElFH0D1/B 0jDoRVvHXAVKVSGgOePehFp3NJQuLepT4xYQbhacg54kZkMJC8QMoeMcDhxzNod50qCdbQgR X-Proofpoint-ORIG-GUID: vZV-aHtZjQfwAwtop6AgA2eYXVCpMwC3 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=909 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060061 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218100 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/425 Signed-off-by: Changqing Li --- .../libsoup-3.4.4/CVE-2025-32052.patch | 31 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32052.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32052.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32052.patch new file mode 100644 index 00000000000..78b712070b4 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32052.patch @@ -0,0 +1,31 @@ +From 779bcb279b1dc4eb8bcb22c5e727b1174630c3fc Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 16 Nov 2024 12:07:30 -0600 +Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff + +Co-Author: Ar Jun + +CVE: CVE-2025-32052 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652] + +Signed-off-by: Changqing Li +--- + libsoup/content-sniffer/soup-content-sniffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index 23d5aaa..aeee2e2 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -529,7 +529,7 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer, + guint index_pattern = 0; + gboolean skip_row = FALSE; + +- while ((index_stream < resource_length) && ++ while ((index_stream < resource_length - 1) && + (index_pattern <= type_row->pattern_length)) { + /* Skip insignificant white space ("WS" in the spec) */ + if (type_row->pattern[index_pattern] == ' ') { +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index ff0ae0afad1..e7dccb63802 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -37,6 +37,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32907-1.patch \ file://CVE-2025-32907-2.patch \ file://CVE-2025-32053.patch \ + file://CVE-2025-32052.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Fri Jun 6 06:49:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64423 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5593AC678DA for ; Fri, 6 Jun 2025 06:50:18 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.27984.1749192609869096297 for ; Thu, 05 Jun 2025 23:50:09 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5565V5g4012130 for ; Thu, 5 Jun 2025 23:50:09 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rw0f9-8 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 05 Jun 2025 23:50:09 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:07 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:06 -0700 From: To: Subject: [scarthgap][PATCH V3 03/12] libsoup: fix CVE-2025-32051 Date: Fri, 6 Jun 2025 14:49:54 +0800 Message-ID: <20250606065003.3681416-4-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: dBpdXxyIc7TKoCELG9RyaFhB1GyX0GMx X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68428fa1 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=sfOm8-O8AAAA:8 a=V2sgnzSHAAAA:8 a=lz8H-ZI_o7jANyl0rCQA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=TvTJqdcANYtsRzA46cdi:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MSBTYWx0ZWRfX+ZsZlvcGh1is c4XfiLlNGEO34ri4zMWGIbeQZodReLLjG54eSunNhm2+2duM9qzv4fIqrOS53gRUjWVJyTU5VlV iWg7hcBXs/15W8MfE/mfrf9dUYi2qsBbkGCw93sSTBjvHm7P9aJYu68v4V0HOfx4C74ZUB5WbLZ kJT1O7W/tMKGa6fBm0eLqVax4R2817wkubcWJUFEsxKxOqqhd19h7AOVwsbp26axVKLMmC8CSqy +m8GZZ5xVM5jluZs0011MKL0wmqo92q8Hx9Mn6evcdEzX3To0SoKpNaYOIRFHNQKbbWDtpGj9I7 +WCg3Q3zct6qYsG3ONLSeDmlBMBHXF4wFBS99DdHqqhcAT/4/auR/iinm//ApsjVu1qmvCAQwja x/Y1ZjTzvIVA6JZlynczXUx3sJKIKShUC6+kZIdtyUfF81un6+AlcSxvg+I8q1o4/1mdPIfU X-Proofpoint-ORIG-GUID: dBpdXxyIc7TKoCELG9RyaFhB1GyX0GMx X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=999 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060061 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218101 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/401 Signed-off-by: Changqing Li --- .../libsoup-3.4.4/CVE-2025-32051-1.patch | 29 ++++++++++ .../libsoup-3.4.4/CVE-2025-32051-2.patch | 57 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 2 + 3 files changed, 88 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-1.patch new file mode 100644 index 00000000000..efeda48b11f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-1.patch @@ -0,0 +1,29 @@ +From dc5db30989f385303c79ec3188c52e33f6f5886e Mon Sep 17 00:00:00 2001 +From: Ar Jun +Date: Sat, 16 Nov 2024 11:50:09 -0600 +Subject: [PATCH 1/2] Fix possible NULL deref in soup_uri_decode_data_uri + +CVE: CVE-2025-32051 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/0713ba4a719da938dc8facc89fca99cd0aa3069f] + +Signed-off-by: Changqing Li +--- + libsoup/soup-uri-utils.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c +index be2b79b..0251279 100644 +--- a/libsoup/soup-uri-utils.c ++++ b/libsoup/soup-uri-utils.c +@@ -303,6 +303,8 @@ soup_uri_decode_data_uri (const char *uri, + + uri_string = g_uri_to_string (soup_uri); + g_uri_unref (soup_uri); ++ if (!uri_string) ++ return NULL; + + start = uri_string + 5; + comma = strchr (start, ','); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-2.patch new file mode 100644 index 00000000000..24c184bb86f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-2.patch @@ -0,0 +1,57 @@ +From 7d1557a60145927806c88d321e8322a9d9f49bb2 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 22 Nov 2024 13:39:51 -0600 +Subject: [PATCH 2/2] soup_uri_decode_data_uri(): Handle URIs with a path + starting with // + +CVE: CVE-2025-32051 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/79cfd65c9bd8024cd45dd725c284766329873709] + +Signed-off-by: Changqing Li +--- + libsoup/soup-uri-utils.c | 8 ++++++++ + tests/uri-parsing-test.c | 2 ++ + 2 files changed, 10 insertions(+) + +diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c +index 0251279..1ff11cd 100644 +--- a/libsoup/soup-uri-utils.c ++++ b/libsoup/soup-uri-utils.c +@@ -286,6 +286,7 @@ soup_uri_decode_data_uri (const char *uri, + gboolean base64 = FALSE; + char *uri_string; + GBytes *bytes; ++ const char *path; + + g_return_val_if_fail (uri != NULL, NULL); + +@@ -301,6 +302,13 @@ soup_uri_decode_data_uri (const char *uri, + if (content_type) + *content_type = NULL; + ++ /* g_uri_to_string() is picky about paths that start with `//` and will assert. */ ++ path = g_uri_get_path (soup_uri); ++ if (path[0] == '/' && path[1] == '/') { ++ g_uri_unref (soup_uri); ++ return NULL; ++ } ++ + uri_string = g_uri_to_string (soup_uri); + g_uri_unref (soup_uri); + if (!uri_string) +diff --git a/tests/uri-parsing-test.c b/tests/uri-parsing-test.c +index 1f16273..418391e 100644 +--- a/tests/uri-parsing-test.c ++++ b/tests/uri-parsing-test.c +@@ -141,6 +141,8 @@ static struct { + { "data:text/plain;base64,aGVsbG8=", "hello", "text/plain" }, + { "data:text/plain;base64,invalid=", "", "text/plain" }, + { "data:,", "", CONTENT_TYPE_DEFAULT }, ++ { "data:.///", NULL, NULL }, ++ { "data:/.//", NULL, NULL }, + }; + + static void +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index e7dccb63802..9af7de192fa 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -38,6 +38,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32907-2.patch \ file://CVE-2025-32053.patch \ file://CVE-2025-32052.patch \ + file://CVE-2025-32051-1.patch \ + file://CVE-2025-32051-2.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Fri Jun 6 06:49:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64422 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6413BC67861 for ; Fri, 6 Jun 2025 06:50:18 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.27985.1749192610243492378 for ; Thu, 05 Jun 2025 23:50:10 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5565V5g5012130 for ; Thu, 5 Jun 2025 23:50:10 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rw0f9-9 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 05 Jun 2025 23:50:09 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:08 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:08 -0700 From: To: Subject: [scarthgap][PATCH V3 04/12] libsoup-2.4: fix CVE-2025-32050 Date: Fri, 6 Jun 2025 14:49:55 +0800 Message-ID: <20250606065003.3681416-5-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: viaQB_R-10FFuwCPW_iKfWOBcK_UKMC8 X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68428fa1 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MSBTYWx0ZWRfX+9bpzKk03MkN KEuRSN2NkDvGirlc6zwtcf/PIKUl68bPX+R+M5XO6MG9qJXsj3lgeR6FUXEOth/Z1GqTyC9Pts8 RrE8rkJ//F9hbXcxZAzlrCZk3p/OIl2nsFNGDwabLq5HSgZId5auNyZN2QVMS+m1EfUKPX623ME DyUWZOfiC9i+Ga7D2HW/Kz+ogXyLVcRy52mAWzGX3wlyVtk33OEkoByqdVfGieeQWlviG4rOTuC wt+of7xto26J1GJCkz1aSmD/TFwcDyAkCIce6LPa0NzDZ8L2SUa6LNM+u6coCdm2/IyZsJKcabR pzOku4+faUpwxFCFluST3twIdXSh028/Q/AKhEPR5Vsq8nO+W2KCRUZ04VNz8LJPA7rzhgqWiKj 8S3H+a8hee5GOeCOc0PX0qGWvG77giSrhbb0FDBBQBvsAZt6A+izCT6BzXd5eZQEaYVZbT6q X-Proofpoint-ORIG-GUID: viaQB_R-10FFuwCPW_iKfWOBcK_UKMC8 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=888 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060061 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218102 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/424 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-32050.patch | 29 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch new file mode 100644 index 00000000000..c032846ef04 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch @@ -0,0 +1,29 @@ +From 5709dfffb6fdc5b66ce001bf82a755ad8ad1d992 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 28 Oct 2024 12:29:48 -0500 +Subject: [PATCH] Fix using int instead of size_t for strcspn return + +CVE: CVE-2025-32050 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 9707ca0..67905b2 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -902,7 +902,7 @@ append_param_quoted (GString *string, + const char *name, + const char *value) + { +- int len; ++ gsize len; + + g_string_append (string, name); + g_string_append (string, "=\""); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 96bb53a0339..a4a8a031522 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -35,6 +35,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32907.patch \ file://CVE-2025-32053.patch \ file://CVE-2025-32052.patch \ + file://CVE-2025-32050.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 6 06:49:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64419 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40491C61DB8 for ; Fri, 6 Jun 2025 06:50:18 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web10.27941.1749192610577375134 for ; Thu, 05 Jun 2025 23:50:10 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5565V5g6012130 for ; Thu, 5 Jun 2025 23:50:10 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rw0f9-10 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 05 Jun 2025 23:50:10 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:09 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:09 -0700 From: To: Subject: [scarthgap][PATCH V3 05/12] libsoup: fix CVE-2025-32050 Date: Fri, 6 Jun 2025 14:49:56 +0800 Message-ID: <20250606065003.3681416-6-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: mibNqE5oAF2HKE6B8bIARKaCQSQh6X0n X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68428fa2 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MSBTYWx0ZWRfXxpDEk8qtZq91 PTFOSN2RwNS6n0fk6YChy8zGAKRhFtX75xYy4P2FXgLdxwpudtr8xhmzQzhPo4jrAcYS2ODDpWl G9xEfZuAdfb930cB4YLoWMUlpesjnldQJHjpW0qSW3tvxIe/f6KI3M6OR2wOx4IwZlFCw9sw4/3 DmaN5SPSQeDfuneUTYFwSmivQSMgoVMSPo5QecAMPQpiyJvVD2i5D2V2fbQl+ifwKlJlhmw3Dju L3ZVbv9zjrm+wo1tA+Z6LHreSpbhl5E/SupRkKw946x0gkK9kprtxUqlJoTlsw3wrYef0gFqW5J UQmazsQKnQpr/s9/K72AD66Bm61xVFweHWnm4ADzj+PcBLk+BVUGUUAKCnErv17LpDze+Lofy1N EkKyHxCzgjW3rWNelNcc1c4l3Fh0vJIjPHLL+32yI9LWaPk3h1i/DDxmEGXDsHx0aGv6CVDZ X-Proofpoint-ORIG-GUID: mibNqE5oAF2HKE6B8bIARKaCQSQh6X0n X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=900 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060061 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218103 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/424 Signed-off-by: Changqing Li --- .../libsoup-3.4.4/CVE-2025-32050.patch | 29 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32050.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32050.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32050.patch new file mode 100644 index 00000000000..e5a4d747a16 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32050.patch @@ -0,0 +1,29 @@ +From 30c86c9a284cf6f366ac87df0bca3e18a5de8671 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 28 Oct 2024 12:29:48 -0500 +Subject: [PATCH] Fix using int instead of size_t for strcspn return + +CVE: CVE-2025-32050 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 5fb32c2..52ef2ec 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -906,7 +906,7 @@ append_param_quoted (GString *string, + const char *name, + const char *value) + { +- int len; ++ gsize len; + + g_string_append (string, name); + g_string_append (string, "=\""); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 9af7de192fa..23d44d15725 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -40,6 +40,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32052.patch \ file://CVE-2025-32051-1.patch \ file://CVE-2025-32051-2.patch \ + file://CVE-2025-32050.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Fri Jun 6 06:49:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64424 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A2A1C678DF for ; Fri, 6 Jun 2025 06:50:18 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.27947.1749192613179236603 for ; Thu, 05 Jun 2025 23:50:13 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5564asUB030820 for ; Fri, 6 Jun 2025 06:50:12 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9t4xsg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 06 Jun 2025 06:50:12 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:10 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:10 -0700 From: To: Subject: [scarthgap][PATCH V3 06/12] libsoup-2.4: fix CVE-2025-46421 Date: Fri, 6 Jun 2025 14:49:57 +0800 Message-ID: <20250606065003.3681416-7-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: 0inwcjK-KvLtaR_Is5ILury7ikHzmKEL X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MSBTYWx0ZWRfX9SdBjoSMP33b AlwoF9K0CCEo8piKpp9WYHFF3Jg9jsVMq3fGGQXCLEvktO/GHeD7tKUt4jd+pmuNSxODyUQYfG5 2ebgOGMEY/UGii0nruULPb17a46OSZKc95d+5yU11qOzLJgrIy7m/uF6U/l/4Tt+lad5BN8r44N KWiAXmey61Io6d+C8tkrZDnFsZVTQRCNzh69je0lPXrevTUqitkofiKQ3WIVz4gWGaJi4avqNQ9 DffBMuatY89wwqCPCgZ2iUwZUOErp+OBHow+Bmc2pztF3g1Bcr2/RbJEfB+b5rtWQbShTeQIJL+ JS42ew4jGoM3+NdoiE7TjwYpHSr2G0E9bc1hK8gW/Nh3EiqfT9BQROIdadW+Ml1nh9dAuoMqj/I ftUWYF7CvQpTwNX6yvAF84yqT/+KdJUyr1YPrnoV9+krgFSsvOPoZj37tMuEVfFWeSm0GJlz X-Proofpoint-GUID: 0inwcjK-KvLtaR_Is5ILury7ikHzmKEL X-Authority-Analysis: v=2.4 cv=Q4DS452a c=1 sm=1 tr=0 ts=68428fa4 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 mlxlogscore=972 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 adultscore=0 malwarescore=0 phishscore=0 spamscore=0 lowpriorityscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060061 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218104 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-46421.patch | 47 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch new file mode 100644 index 00000000000..26067c4bb84 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch @@ -0,0 +1,47 @@ +From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 16:18:10 -0600 +Subject: [PATCH] session: Strip authentication credentails on + cross-origin redirect + +This should match the behavior of Firefox and Safari but not of Chromium. + +CVE: CVE-2025-46421 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] + +Test code not added since it included some headers not in version 2.74.3 + +Signed-off-by: Changqing Li +--- + libsoup/soup-session.c | 8 +++++++- + 1 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index 83421ef..8d6ac61 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) + SOUP_ENCODING_NONE); + } + ++ /* Strip all credentials on cross-origin redirect. */ ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { ++ soup_message_headers_remove (msg->request_headers, "Authorization"); ++ soup_message_set_auth (msg, NULL); ++ } ++ + soup_message_set_uri (msg, new_uri); + soup_uri_free (new_uri); + + soup_session_requeue_message (session, msg); + return TRUE; +-} ++} + + static void + redirect_handler (SoupMessage *msg, gpointer user_data) + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index a4a8a031522..4a00dafe470 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -36,6 +36,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32053.patch \ file://CVE-2025-32052.patch \ file://CVE-2025-32050.patch \ + file://CVE-2025-46421.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 6 06:49:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64420 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 557DCC677C4 for ; Fri, 6 Jun 2025 06:50:18 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.27948.1749192613988530179 for ; Thu, 05 Jun 2025 23:50:14 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5564asUC030820 for ; Fri, 6 Jun 2025 06:50:13 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9t4xsg-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 06 Jun 2025 06:50:12 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:12 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:11 -0700 From: To: Subject: [scarthgap][PATCH V3 07/12] libsoup: fix CVE-2025-46421 Date: Fri, 6 Jun 2025 14:49:58 +0800 Message-ID: <20250606065003.3681416-8-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: ktHPPp0mZWDGzkeQ3tg_foW_SYSPB4Nw X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MSBTYWx0ZWRfX2C+1mTWeS7gi mtHL2loomHDdCxXu8++iQOXaTpTL5+S4j27mral3mOfYJzQSpbiPUGQed4t/yf04qhcZzsxPjFU FzCymTFV/ApaRlrHuZVhGyvYEEVN8R5BobNfiS9sVoH3UXuly+DOqv8/D5ef7eNiwqO23QLzHJk Nje76V6maUZsu8ZUtTS1MJkX2MKaca16glwctWolUVL+Yy6XGXjNY/7urMdoBVRENzReZlBcUuU tJlyGNhetPagqmGF0wOu0jp8Gl1m1DNfISFUvzhjXXCzzSGREMHjG/aUdkJF6wDxLj/jDKB3IcS RjmQTuHIVv8JcaqUEMD01WEIuMMcqyZr8LZZej4zlOQFccLtpFERA+uCvp+zRwycYSt0zm2Ob/y 4mPUD18783UMBKj8idrHjXRrrQdzCExxieVrl6jquBPbrxkVb7zgLOL2IY1vA6PRsC56aVcz X-Proofpoint-GUID: ktHPPp0mZWDGzkeQ3tg_foW_SYSPB4Nw X-Authority-Analysis: v=2.4 cv=Q4DS452a c=1 sm=1 tr=0 ts=68428fa4 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=QbgcUSsBnVzo0aMhA2UA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 mlxlogscore=930 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 adultscore=0 malwarescore=0 phishscore=0 spamscore=0 lowpriorityscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060061 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218105 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 Signed-off-by: Changqing Li --- .../libsoup-3.4.4/CVE-2025-46421.patch | 139 ++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 140 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46421.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46421.patch new file mode 100644 index 00000000000..72683d8fce5 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46421.patch @@ -0,0 +1,139 @@ +From 85c5227eef7370832044eb918e8a99c0bcbab86f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 16:18:10 -0600 +Subject: [PATCH] session: Strip authentication credentails on cross-origin + redirect + +This should match the behavior of Firefox and Safari but not of Chromium. + +CVE: CVE-2025-46421 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] + +Signed-off-by: Changqing Li +--- + libsoup/soup-session.c | 6 ++++ + tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 83 insertions(+) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index 631bec0..9f00b05 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1230,6 +1230,12 @@ soup_session_redirect_message (SoupSession *session, + SOUP_ENCODING_NONE); + } + ++ /* Strip all credentials on cross-origin redirect. */ ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { ++ soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION); ++ soup_message_set_auth (msg, NULL); ++ } ++ + soup_message_set_request_host_from_uri (msg, new_uri); + soup_message_set_uri (msg, new_uri); + g_uri_unref (new_uri); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 484097f..7c3b551 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1,6 +1,7 @@ + /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */ + + #include "test-utils.h" ++#include "soup-uri-utils-private.h" + + static const char *base_uri; + static GMainLoop *loop; +@@ -1916,6 +1917,81 @@ do_missing_params_test (gconstpointer auth_header) + soup_test_server_quit_unref (server); + } + ++static void ++redirect_server_callback (SoupServer *server, ++ SoupServerMessage *msg, ++ const char *path, ++ GHashTable *query, ++ gpointer user_data) ++{ ++ static gboolean redirected = FALSE; ++ ++ if (!redirected) { ++ char *redirect_uri = g_uri_to_string (user_data); ++ soup_server_message_set_redirect (msg, SOUP_STATUS_MOVED_PERMANENTLY, redirect_uri); ++ g_free (redirect_uri); ++ redirected = TRUE; ++ return; ++ } ++ ++ g_assert_not_reached (); ++} ++ ++static gboolean ++auth_for_redirect_callback (SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer user_data) ++{ ++ GUri *known_server_uri = user_data; ++ ++ if (!soup_uri_host_equal (known_server_uri, soup_message_get_uri (msg))) ++ return FALSE; ++ ++ soup_auth_authenticate (auth, "user", "good-basic"); ++ ++ return TRUE; ++} ++ ++static void ++do_strip_on_crossorigin_redirect (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupServer *server1, *server2; ++ SoupAuthDomain *auth_domain; ++ GUri *uri; ++ gint status; ++ ++ server1 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ server2 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ ++ /* Both servers have the same credentials. */ ++ auth_domain = soup_auth_domain_basic_new ("realm", "auth-test", "auth-callback", server_basic_auth_callback, NULL); ++ soup_auth_domain_add_path (auth_domain, "/"); ++ soup_server_add_auth_domain (server1, auth_domain); ++ soup_server_add_auth_domain (server2, auth_domain); ++ g_object_unref (auth_domain); ++ ++ /* Server 1 asks for auth, then redirects to Server 2. */ ++ soup_server_add_handler (server1, NULL, ++ redirect_server_callback, ++ soup_test_server_get_uri (server2, "http", NULL), (GDestroyNotify)g_uri_unref); ++ /* Server 2 requires auth. */ ++ soup_server_add_handler (server2, NULL, server_callback, NULL, NULL); ++ ++ session = soup_test_session_new (NULL); ++ uri = soup_test_server_get_uri (server1, "http", NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ /* The client only sends credentials for the host it knows. */ ++ g_signal_connect (msg, "authenticate", G_CALLBACK (auth_for_redirect_callback), uri); ++ ++ status = soup_test_session_send_message (session, msg); ++ ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); ++ ++ g_uri_unref (uri); ++ soup_test_server_quit_unref (server1); ++ soup_test_server_quit_unref (server2); ++} ++ + int + main (int argc, char **argv) + { +@@ -1949,6 +2025,7 @@ main (int argc, char **argv) + g_test_add_func ("/auth/auth-uri", do_auth_uri_test); + g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate); + g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms); ++ g_test_add_func ("/auth/strip-on-crossorigin-redirect", do_strip_on_crossorigin_redirect); + g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 23d44d15725..473a980b1aa 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -41,6 +41,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32051-1.patch \ file://CVE-2025-32051-2.patch \ file://CVE-2025-32050.patch \ + file://CVE-2025-46421.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Fri Jun 6 06:49:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64425 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 78503C71131 for ; Fri, 6 Jun 2025 06:50:18 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.27986.1749192614249840052 for ; Thu, 05 Jun 2025 23:50:14 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5565V5g7012130 for ; Thu, 5 Jun 2025 23:50:14 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rw0fe-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 05 Jun 2025 23:50:13 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:13 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:12 -0700 From: To: Subject: [scarthgap][PATCH V3 08/12] libsoup-2.4: fix CVE-2025-4948 Date: Fri, 6 Jun 2025 14:49:59 +0800 Message-ID: <20250606065003.3681416-9-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: a0Az1F5vutTm7cQ2IyrwRadyW8-fvsno X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68428fa5 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=_9wbE66-DFzY0cZEwEkA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MSBTYWx0ZWRfX1J9oEs424NNd f+yiYHQ4Kzh4j3Zo8BFbgQvHVn54jPaV6ZuEpAdiNu4XfE/CMFPg63NaezwIaDNX1gvewryzY/Z M9rIzMf5VLX+uR8IOVO1R2LK2SrUcLfoXp4fCk1i9t0GEBaUqWuebowkYMmdqZFkizE+1bV9GjR Q1Ybk9X+0bym8aPrM9mEiL9fiiYbPKMY4x2sPl5KG4gvHZBno66EyG0ULRzTAX8rmMY2Bjaqbd7 EbYnAanX7lXxqY1Y2cX9N05gYQIayg6EcWsM+SCi6pUCtj97vjswh2zqub5ttWDPR7gAvf5mq+Y KEqoOzrzBeW2WA1ZD5LsqKm/fs/r+FrHa69ZaHmNjqmkxNgsIozZdHmI8CQrMNycLD2BLRN3DKv pWKbfYFNjW3BLHJf+pmrZGzbi2SMy6D7wvzoRLdskWDE49CIxN0gS+LGIPCJxtfg7qT19t3d X-Proofpoint-ORIG-GUID: a0Az1F5vutTm7cQ2IyrwRadyW8-fvsno X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=781 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060061 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218106 From: Changqing Li Refer: http://gitlab.gnome.org/GNOME/libsoup/-/issues/449 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-4948.patch | 38 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch new file mode 100644 index 00000000000..b15b8c763d2 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch @@ -0,0 +1,38 @@ +From dfdc9b3cc73e6fe88cc12792ba00e14642572339 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Thu, 15 May 2025 17:49:11 +0200 +Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body + +It could happen that the boundary started at a place which resulted into +a negative number, which in an unsigned integer is a very large value. +Check the body size is not a negative value before setting it. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 + +Part-of: + +CVE: CVE-2025-4948 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/diffs?commit_id=f2f28afe0b3b2b3009ab67d6874457ec6bac70c0] + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index dd93973..ce2fc10 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + */ + part_body = soup_buffer_new_subbuffer (flattened, + split - flattened->data, +- end - 2 - split); ++ end - 2 >= split ? end - 2 - split : 0); + g_ptr_array_add (multipart->bodies, part_body); + + start = end; +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 4a00dafe470..5c834e394ac 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -37,6 +37,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32052.patch \ file://CVE-2025-32050.patch \ file://CVE-2025-46421.patch \ + file://CVE-2025-4948.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 6 06:50:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64418 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40415C5B559 for ; Fri, 6 Jun 2025 06:50:18 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.27987.1749192616568042173 for ; Thu, 05 Jun 2025 23:50:16 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5565cIho023182 for ; Fri, 6 Jun 2025 06:50:15 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9t4xsr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 06 Jun 2025 06:50:15 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:14 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:13 -0700 From: To: Subject: [scarthgap][PATCH V3 09/12] libsoup: fix CVE-2025-4948 Date: Fri, 6 Jun 2025 14:50:00 +0800 Message-ID: <20250606065003.3681416-10-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: 0VmwQUG9Lx3FJUwKVNE0iS4J3ptoVfsA X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MSBTYWx0ZWRfX6HTjXSYon1v9 n60yGLDDj88WYgFP3qVj+ztp7x0JP5TxTlSZsOC524aLq/JRQ3aBTGw1f115xMAzJASFlr8qa9Q FeWis8OtFTkcvaSIujgFDXEs5sjLTV5Q7ygCdIRTeb45PfvfGpX6SZEmC5E88G6nWJoVkMmpJwR 1M6gwKSjHQ8iogVQ4ipW9MrF6c8VI2YRyX+0wytHlD4uCGc+zINBV4DVx65sfRR+j0owHzCa7gI AoRJS0qqbGa8+76siiMKH62ePARepqVs818kOTRi+vX0UKCaZfe/17+TpE8dbQClALtgo+j9tsz X9o0jjHegIrP+2qLy5AyeLZhGtw9rpOIrH84RwpvWJ1WDrxYRINQ7xY5JdHYhhBN1DCHfYDSN0X uyEPMvi5vFtkqCs7wB88ujc4j2vwbjAeUEvDWrJN9XHc6Og6p8ad9/hmVu44tCNcE28AO/XL X-Proofpoint-GUID: 0VmwQUG9Lx3FJUwKVNE0iS4J3ptoVfsA X-Authority-Analysis: v=2.4 cv=Q4DS452a c=1 sm=1 tr=0 ts=68428fa7 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=o19dcwqJu1wBlOUGTbIA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 mlxlogscore=797 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 adultscore=0 malwarescore=0 phishscore=0 spamscore=0 lowpriorityscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060061 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218107 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 Signed-off-by: Changqing Li --- .../libsoup/libsoup-3.4.4/CVE-2025-4948.patch | 97 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 98 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4948.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4948.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4948.patch new file mode 100644 index 00000000000..07c85f53815 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4948.patch @@ -0,0 +1,97 @@ +From a23ce8f8e60e79990e26376c8b0d40841aed4b81 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Thu, 15 May 2025 17:49:11 +0200 +Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body + +It could happen that the boundary started at a place which resulted into +a negative number, which in an unsigned integer is a very large value. +Check the body size is not a negative value before setting it. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 + +Part-of: + +CVE: CVE-2025-4948 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/diffs?commit_id=f2f28afe0b3b2b3009ab67d6874457ec6bac70c0] + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index e1c442e..27257e4 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + */ + part_body = g_bytes_new_from_bytes (body, // FIXME + split - body_data, +- end - 2 - split); ++ end - 2 >= split ? end - 2 - split : 0); + g_ptr_array_add (multipart->bodies, part_body); + + start = end; +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index 84852e2..2ae888c 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -548,6 +548,45 @@ test_multipart_bounds_bad_2 (void) + g_bytes_unref (bytes); + } + ++static void ++test_multipart_too_large (void) ++{ ++ const char *raw_body = ++ "-------------------\r\n" ++ "-\n" ++ "Cont\"\r\n" ++ "Content-Tynt----e:n\x8erQK\r\n" ++ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n" ++ "Content-Typimag\x01/png--\\\n" ++ "\r\n" ++ "---:\n\r\n" ++ "\r\n" ++ "-------------------------------------\r\n" ++ "---------\r\n" ++ "----------------------"; ++ GBytes *body; ++ GHashTable *params; ++ SoupMessageHeaders *headers; ++ SoupMultipart *multipart; ++ ++ params = g_hash_table_new (g_str_hash, g_str_equal); ++ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------"); ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_set_content_type (headers, "multipart/form-data", params); ++ g_hash_table_unref (params); ++ ++ body = g_bytes_new_static (raw_body, strlen (raw_body)); ++ multipart = soup_multipart_new_from_message (headers, body); ++ soup_message_headers_unref (headers); ++ g_bytes_unref (body); ++ ++ g_assert_nonnull (multipart); ++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1); ++ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body)); ++ g_assert_cmpint (g_bytes_get_size (body), ==, 0); ++ soup_multipart_free (multipart); ++} ++ + int + main (int argc, char **argv) + { +@@ -578,6 +617,7 @@ main (int argc, char **argv) + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); + g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); + g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2); ++ g_test_add_func ("/multipart/too-large", test_multipart_too_large); + + ret = g_test_run (); + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 473a980b1aa..9b8bf5b9a2a 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -42,6 +42,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32051-2.patch \ file://CVE-2025-32050.patch \ file://CVE-2025-46421.patch \ + file://CVE-2025-4948.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Fri Jun 6 06:50:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64417 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4AE30C61DB2 for ; Fri, 6 Jun 2025 06:50:18 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.27988.1749192617151339416 for ; Thu, 05 Jun 2025 23:50:17 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5565cIhp023182 for ; Fri, 6 Jun 2025 06:50:16 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9t4xsr-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 06 Jun 2025 06:50:16 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:15 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:14 -0700 From: To: Subject: [scarthgap][PATCH V3 10/12] libsoup-2.4: fix CVE-2025-4476 Date: Fri, 6 Jun 2025 14:50:01 +0800 Message-ID: <20250606065003.3681416-11-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: vWisIFn3NQIHOTOmrCt2Ty0v3qm_auVX X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MSBTYWx0ZWRfXxyZjTvydDzr0 MMFMqRPtfAbCcOQTJJZzT2XqWPZ6htrLBwJiNbJ7DKGaLHTwY4WF+s4Vh9DOb4gLCKWRPLrl7As A6VWJSkT/4S1hNuZZWwMgsIx+IUFGE/tnspA5a7jTOF8UQzvNDA/CIgPpZkhPFYNKJOZatZQJ0i FI5PPfCMdaoIB/uT1Jq3YSvI96EY95t9k+SHEEKn5+NOwTRbiRqmsnxPe7hhOcVRel5wpk9mZIL 672PdiZhV4NaHjWwofplRaNnzOr3YU0ilRl5KD6qiBgBWJnS49VSoIP8CcjyWwzM47/gcmmFGoS fP8NCRXPPgbzYL/D7v+FFwXbGJNDmWu74XsM+SNv1Pa4CP1ALZAEdeVqvjxi+j/BFaIdYD3LQYh Zw19rakHh5s49wkkhydhOX/V+Xj5NLfMdDLQk1mIj2r8GhNd6zpr9idT77TlTR1DIPnhRxbr X-Proofpoint-GUID: vWisIFn3NQIHOTOmrCt2Ty0v3qm_auVX X-Authority-Analysis: v=2.4 cv=Q4DS452a c=1 sm=1 tr=0 ts=68428fa8 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=+jEqtf1s3R9VXZ0wqowq2kgwd+I=:19 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 mlxlogscore=963 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 adultscore=0 malwarescore=0 phishscore=0 spamscore=0 lowpriorityscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060061 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218108 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/440 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-4476.patch | 38 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch new file mode 100644 index 00000000000..874f62e7ad5 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch @@ -0,0 +1,38 @@ +From 52a0f9234d384b9dab368835b22e5a5a01542168 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 14:16:10 +0800 +Subject: [PATCH] auth-digest: fix crash in + soup_auth_digest_get_protection_space() + +We need to validate the Domain parameter in the WWW-Authenticate header. + +Unfortunately this crash only occurs when listening on default ports 80 +and 443, so there's no good way to test for this. The test would require +running as root. + +Fixes #440 + +CVE: CVE-2025-4476 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c?merge_request_iid=457] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index f1621ec..a2dc560 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -229,7 +229,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, SoupURI *source_uri) + uri = soup_uri_new (d); + if (uri && uri->scheme == source_uri->scheme && + uri->port == source_uri->port && +- !strcmp (uri->host, source_uri->host)) ++ !g_strcmp0 (uri->host, source_uri->host)) + dir = g_strdup (uri->path); + else + dir = NULL; +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 5c834e394ac..8f0b7062762 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -38,6 +38,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32050.patch \ file://CVE-2025-46421.patch \ file://CVE-2025-4948.patch \ + file://CVE-2025-4476.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 6 06:50:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64426 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8315EC5B549 for ; Fri, 6 Jun 2025 06:50:38 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.27997.1749192632947683525 for ; Thu, 05 Jun 2025 23:50:32 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5565umRa017749 for ; Thu, 5 Jun 2025 23:50:32 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rw0fg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 05 Jun 2025 23:50:32 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:16 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:15 -0700 From: To: Subject: [scarthgap][PATCH V3 11/12] libsoup-2.4: fix CVE-2025-2784 Date: Fri, 6 Jun 2025 14:50:02 +0800 Message-ID: <20250606065003.3681416-12-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: r6fHY4htTkQxxJtdEvqxELXsj-QlWRpi X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68428fb8 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=9ZAmBD_aSAHDPC3Ooc0A:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MiBTYWx0ZWRfX3DCdcTF+CESk 4fEx4bS/hxhHOZgpVtrvAX404gMmlN1Yg7D4RDoCIRATF7KqF8U/Ob3EbnzaHeUpIZSAt3vBOkJ tcFdIWyMSaqqL4+365D3EfWo9KYmk1uPxLhn7EEyhmlROOO8Wqcrea1+iHf2IKPusNDskePh+on QjIdS4w4hVY9yo07bHuY1fKahSzUdhZrpjkcaM+MahMG/GJJJBnfbyrL68e8pWiyCwSWtVqlWgj f5m+tiN/MsEXqrHiepatP76jrwXhLn2tNzQkxp4QFlOdPlbrEpLTNUYHXd7t98Nd94mmeO+55/D IBhINIzyEoJu9EZALidpvya06BPhZg3lpp3aSRCjOEHbHRFXvt00w/Lbg2z39vMjWFPXM3Bdsm7 jQQ0LoCWJpKTwDREC7Bb7ZVW2LerMbmK6Gojz5XcIiVY2Az86denfy5+LqRpe9+0H4YHsohC X-Proofpoint-ORIG-GUID: r6fHY4htTkQxxJtdEvqxELXsj-QlWRpi X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=777 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060062 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218110 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/422 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-2784.patch | 56 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch new file mode 100644 index 00000000000..106f9071683 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch @@ -0,0 +1,56 @@ +From 2eacbd762332795e00692ddab2515c6da23198d3 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 14:06:41 +0800 +Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space() + +CVE: CVE-2025-2784 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304; + https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d] + +Test code is not added since it uses some functions not defined in +version 2.74. These tests are not used now, so just ignore them. + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 9 +++---- + 1 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 5f2896e..9554636 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -612,8 +612,10 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer) + } + + static gboolean +-skip_insignificant_space (const char *resource, int *pos, int resource_length) ++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length) + { ++ if (*pos >= resource_length) ++ return TRUE; + while ((resource[*pos] == '\x09') || + (resource[*pos] == '\x20') || + (resource[*pos] == '\x0A') || +@@ -632,7 +634,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + { + const char *resource = (const char *)buffer->data; + int resource_length = MIN (512, buffer->length); +- int pos = 0; ++ gsize pos = 0; + + if (resource_length < 3) + goto text_html; +@@ -642,9 +644,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + pos = 3; + + look_for_tag: +- if (pos > resource_length) +- goto text_html; +- + if (skip_insignificant_space (resource, &pos, resource_length)) + goto text_html; + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 8f0b7062762..0da309ebd8a 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -39,6 +39,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-46421.patch \ file://CVE-2025-4948.patch \ file://CVE-2025-4476.patch \ + file://CVE-2025-2784.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 6 06:50:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64427 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 894D2C5B559 for ; Fri, 6 Jun 2025 06:50:38 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web10.27949.1749192633621468731 for ; Thu, 05 Jun 2025 23:50:33 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8252d755fa=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5565umRb017749 for ; Thu, 5 Jun 2025 23:50:33 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rw0fg-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 05 Jun 2025 23:50:33 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 5 Jun 2025 23:50:17 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Thu, 5 Jun 2025 23:50:17 -0700 From: To: Subject: [scarthgap][PATCH V3 12/12] libsoup: fix CVE-2025-2784 Date: Fri, 6 Jun 2025 14:50:03 +0800 Message-ID: <20250606065003.3681416-13-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250606065003.3681416-1-changqing.li@windriver.com> References: <20250606065003.3681416-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: pv4_iWAoFqQJDccGeTh8qsxtGfajkvdG X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68428fb9 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=QIhr-27iAAAA:8 a=SSmOFEACAAAA:8 a=L3Y5zZzAAAAA:8 a=t7CeM3EgAAAA:8 a=V2sgnzSHAAAA:8 a=6Ti6dSN5qNGnjUcMqEUA:9 a=cgaYBWEFosGJW4rWv5Lf:22 a=FdTzh2GWekK77mhwV6Dw:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA2MDA2MiBTYWx0ZWRfXzLFS5jKPA20e WV0ytVVYVVaIuKj/0+NkJj4QQphFmki1JseaZNdcmvNJ8qn2fM0RUu6duggdqAOR4NZ12ZP3UY5 cw4VdYfUgyrs30uhOTbQjNLAij9JdrSYwi07bEQwgCQ0Y/s091Pz3chL3hDcQ80cjs/nLwYoPuY w2vza+NkPeElln4g8lAayznrmnxbCKwFsrYfDFE+FPkor/aeLAk9qzqy318Vk9G1yzTPioA+Vb3 eT89ioRLKDaOiDUaYIKqrnp92lpZU+DfDOzeuvNxoWKzLeiLCZN/MLVvyc3GwDs7kAmaRKldAcv 9nUj3BjU4WbfACT2oCz2nQiXQMKUeYphNJqhTdhz0CgiSHw/+IV7su88mmMAVqXTCU5Wis+qgqA 3HBokycBp0++LTf6o9s8a5nxrv8+8T5aUO6eHgOzmN2VJOhnqun6dxZEfkYPsV+35v2eZlaA X-Proofpoint-ORIG-GUID: pv4_iWAoFqQJDccGeTh8qsxtGfajkvdG X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-06_01,2025-06-05_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=998 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506060062 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 06 Jun 2025 06:50:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218111 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/422 Signed-off-by: Changqing Li --- .../libsoup/libsoup-3.4.4/CVE-2025-2784.patch | 137 ++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 138 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch new file mode 100644 index 00000000000..b2e1c12d48d --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch @@ -0,0 +1,137 @@ +From dd10ae267e33bcc35646610d7cc1841da77d05e7 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 14:39:42 -0600 +Subject: [PATCH] Fix CVE-2025-2784 + +CVE: CVE-2025-2784 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304 +https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d] + +Signed-off-by: Changqing Li +--- + .../content-sniffer/soup-content-sniffer.c | 10 ++-- + tests/meson.build | 4 +- + tests/sniffing-test.c | 48 +++++++++++++++++++ + 3 files changed, 56 insertions(+), 6 deletions(-) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index aeee2e2..a5e18d5 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -638,8 +638,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, GBytes *buffer) + } + + static gboolean +-skip_insignificant_space (const char *resource, int *pos, int resource_length) ++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length) + { ++ if (*pos >= resource_length) ++ return TRUE; ++ + while ((resource[*pos] == '\x09') || + (resource[*pos] == '\x20') || + (resource[*pos] == '\x0A') || +@@ -659,7 +662,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer) + gsize resource_length; + const char *resource = g_bytes_get_data (buffer, &resource_length); + resource_length = MIN (512, resource_length); +- int pos = 0; ++ gsize pos = 0; + + if (resource_length < 3) + goto text_html; +@@ -669,9 +672,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer) + pos = 3; + + look_for_tag: +- if (pos > resource_length) +- goto text_html; +- + if (skip_insignificant_space (resource, &pos, resource_length)) + goto text_html; + +diff --git a/tests/meson.build b/tests/meson.build +index 7ef7ac5..95b13b8 100644 +--- a/tests/meson.build ++++ b/tests/meson.build +@@ -95,7 +95,9 @@ tests = [ + {'name': 'server-auth'}, + {'name': 'server-mem-limit'}, + {'name': 'server'}, +- {'name': 'sniffing'}, ++ {'name': 'sniffing', ++ 'depends': [test_resources], ++ }, + {'name': 'ssl', + 'dependencies': [gnutls_dep], + 'depends': mock_pkcs11_module, +diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c +index 6116719..7857732 100644 +--- a/tests/sniffing-test.c ++++ b/tests/sniffing-test.c +@@ -342,6 +342,52 @@ test_disabled (gconstpointer data) + g_uri_unref (uri); + } + ++static const gsize MARKUP_LENGTH = strlen (""); ++ ++static void ++do_skip_whitespace_test (void) ++{ ++ SoupContentSniffer *sniffer = soup_content_sniffer_new (); ++ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org"); ++ const char *test_cases[] = { ++ "", ++ "$trailing_data ++ memcpy (p, "", strlen ("-->")); ++ p += strlen ("-->"); ++ if (strlen (trailing_data)) ++ memcpy (p, trailing_data, strlen (trailing_data)); ++ // Purposefully not NUL terminated. ++ ++ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize); ++ content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL); ++ ++ g_free (content_type); ++ g_bytes_unref (buffer); ++ } ++ ++ g_object_unref (msg); ++ g_object_unref (sniffer); ++} ++ + int + main (int argc, char **argv) + { +@@ -517,6 +563,8 @@ main (int argc, char **argv) + "/text_or_binary/home.gif", + test_disabled); + ++ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test); ++ + ret = g_test_run (); + + g_uri_unref (base_uri); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 9b8bf5b9a2a..37319f007f4 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -43,6 +43,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32050.patch \ file://CVE-2025-46421.patch \ file://CVE-2025-4948.patch \ + file://CVE-2025-2784.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"