From patchwork Fri Jun 13 06:54:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64891
From: To: Subject: [master][meta-oe][PATCH 01/18] libsoup-2.4: fix CVE-2025-32053 Date: Fri, 13 Jun 2025 14:54:24 +0800 Message-ID: <20250613065441.3121844-2-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ;
Fri, 13 Jun 2025 06:54:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117891 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/426 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-32053.patch | 39 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 5 ++- 2 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch new file mode 100644 index 0000000000..0d829d6200 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch @@ -0,0 +1,39 @@ +From d9bcffd6cd5e8ec32889a594f7348d67a5101b3a Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 13:58:42 +0800 +Subject: [PATCH] Fix heap buffer overflow in + soup-content-sniffer.c:sniff_feed_or_html() + +CVE: CVE-2025-32053 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a] + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 967ec61..5f2896e 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -620,7 +620,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length) + (resource[*pos] == '\x0D')) { + *pos = *pos + 1; + +- if (*pos > resource_length) ++ if (*pos >= resource_length) + return TRUE; + } + +@@ -682,7 +682,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + do { + pos++; + +- if (pos > resource_length) ++ if ((pos + 1) > resource_length) + goto text_html; + } while (resource[pos] != '>'); + +-- +2.34.1 + 
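Review bot: In the sniff_feed_or_html() hunk the new guard `if ((pos + 1) > resource_length)` is the same condition as `pos >= resource_length` for these int operands, but it is spelled differently from the `*pos >= resource_length` check added in skip_insignificant_space() in the hunk before it; writing `pos >= resource_length` in both places would make it obvious that the two loops stop at the same boundary. In skip_insignificant_space() the bound is also only tested after `*pos = *pos + 1`, so the first `resource[*pos]` read in the while condition still depends on the caller having checked pos. Patch 02/18 of this series adds that entry check, so the two patches should be applied together.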
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 7e275a48f4..03ec818ae5 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -18,8 +18,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://0001-Remove-http-and-https-aliases-support-test.patch \ file://CVE-2024-52532-1.patch \ file://CVE-2024-52532-2.patch \ - file://CVE-2024-52532-3.patch" - + file://CVE-2024-52532-3.patch \ + file://CVE-2025-32053.patch \ +" SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" CVE_PRODUCT = "libsoup"
From patchwork Fri Jun 13 06:54:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64890
From: To: Subject: [master][meta-oe][PATCH 02/18] libsoup-2.4: fix CVE-2025-2784 Date: Fri, 13 Jun 2025 14:54:25 +0800 Message-ID: <20250613065441.3121844-3-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ;
Fri, 13 Jun 2025 06:54:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117892 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/422 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-2784.patch | 56 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch new file mode 100644 index 0000000000..106f907168 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch 
@@ -0,0 +1,56 @@ +From 2eacbd762332795e00692ddab2515c6da23198d3 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 14:06:41 +0800 +Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space() + +CVE: CVE-2025-2784 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304; + https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d] + +Test code is not added since it uses some functions not defined in +version 2.74. These tests are not used now, so just ignore them. + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 9 +++---- + 1 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 5f2896e..9554636 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -612,8 +612,10 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer) + } + + static gboolean +-skip_insignificant_space (const char *resource, int *pos, int resource_length) ++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length) + { ++ if (*pos >= resource_length) ++ return TRUE; + while ((resource[*pos] == '\x09') || + (resource[*pos] == '\x20') || + (resource[*pos] == '\x0A') || +@@ -632,7 +634,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + { + const char *resource = (const char *)buffer->data; + int resource_length = MIN (512, buffer->length); +- int pos = 0; ++ gsize pos = 0; + + if (resource_length < 3) + goto text_html; +@@ -642,9 +644,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) + pos = 3; + + look_for_tag: +- if (pos > resource_length) +- goto text_html; +- + if (skip_insignificant_space (resource, &pos, resource_length)) + goto text_html; + +-- +2.34.1 + 
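Review bot: In the sniff_feed_or_html() hunk `pos` becomes `gsize` while the context line just above it still declares `int resource_length = MIN (512, buffer->length);`, so the remaining comparisons in that function mix unsigned and signed operands, and the int is converted at the call `skip_insignificant_space (resource, &pos, resource_length)`. Declaring resource_length as gsize too would keep the types consistent with the new prototype. The commit message could also state that the `if (pos > resource_length)` removed at look_for_tag is now covered by the `*pos >= resource_length` check added at the top of skip_insignificant_space(), since that is what makes the deletion safe.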
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 03ec818ae5..db0bf1128f 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52532-2.patch \ file://CVE-2024-52532-3.patch \ file://CVE-2025-32053.patch \ + file://CVE-2025-2784.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
From patchwork Fri Jun 13 06:54:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64896
From: To: Subject: [master][meta-oe][PATCH 03/18] libsoup-2.4: fix CVE-2024-52530 Date: Fri, 13 Jun 2025 14:54:26 +0800 Message-ID: <20250613065441.3121844-4-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 13 Jun 2025 06:54:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117893 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2024-52530.patch | 150 ++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 151 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch new file mode 100644 index 0000000000..04713850e1 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch 
@@ -0,0 +1,150 @@ +From 4a2bb98e03d79146c729dca52c8d6edc635218ff Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 8 Jul 2024 12:33:15 -0500 +Subject: [PATCH] headers: Strictly don't allow NUL bytes + +In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem. + +CVE: CVE-2024-52530 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/402/diffs?commit_id=04df03bc092ac20607f3e150936624d4f536e68b] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 15 +++------ + tests/header-parsing-test.c | 62 +++++++++++++++++-------------------- + 2 files changed, 32 insertions(+), 45 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index eec28ad..e5d3c03 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -50,13 +50,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + * ignorable trailing whitespace. + */ + ++ /* No '\0's are allowed */ ++ if (memchr (str, '\0', len)) ++ return FALSE; ++ + /* Skip over the Request-Line / Status-Line */ + headers_start = memchr (str, '\n', len); + if (!headers_start) + return FALSE; +- /* No '\0's in the Request-Line / Status-Line */ +- if (memchr (str, '\0', headers_start - str)) +- return FALSE; + + /* We work on a copy of the headers, which we can write '\0's + * into, so that we don't have to individually g_strndup and +@@ -68,14 +69,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + headers_copy[copy_len] = '\0'; + value_end = headers_copy; + +- /* There shouldn't be any '\0's in the headers already, but +- * this is the web we're talking about. 
+- */ +- while ((p = memchr (headers_copy, '\0', copy_len))) { +- memmove (p, p + 1, copy_len - (p - headers_copy)); +- copy_len--; +- } +- + while (*(value_end + 1)) { + name = value_end + 1; + name_end = strchr (name, ':'); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 752196e..c1d3b33 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -358,24 +358,6 @@ static struct RequestTest { + } + }, + +- { "NUL in header name", "760832", +- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "example.com" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35, +- SOUP_STATUS_OK, +- "GET", "/", SOUP_HTTP_1_1, +- { { "Host", "examplecom" }, +- { NULL } +- } +- }, +- + /************************/ + /*** INVALID REQUESTS ***/ + /************************/ +@@ -448,6 +430,21 @@ static struct RequestTest { + SOUP_STATUS_EXPECTATION_FAILED, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", NULL, ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +@@ -620,22 +617,6 @@ static struct ResponseTest { + { NULL } } + }, + +- { "NUL in header name", "760832", +- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- { NULL } +- } +- }, +- +- { "NUL in header value", "760832", +- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, +- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK", +- { { "Foo", "bar" }, +- { NULL } +- } +- }, +- + /********************************/ + /*** VALID CONTINUE RESPONSES ***/ + 
/********************************/ +@@ -768,6 +749,19 @@ static struct ResponseTest { + { { NULL } + } + }, ++ ++ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 ++ { "NUL in header name", NULL, ++ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, ++ ++ { "NUL in header value", "760832", ++ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, ++ -1, 0, NULL, ++ { { NULL } } ++ }, + }; + static const int num_resptests = G_N_ELEMENTS (resptests); + +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index db0bf1128f..fa5ecaa1f5 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
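Review bot: In the tests/header-parsing-test.c hunk at @@ -448,6 +430,21 @@, the new reqtests entry "NUL in header value" feeds a response, `"HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28`, to the request tests, whereas the entry it replaces used `"GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35`. A status line is not a request line, so this case may be rejected with SOUP_STATUS_BAD_REQUEST for a reason other than the NUL byte; restoring the GET string would make it exercise the new `memchr (str, '\0', len)` check. In the resptests hunk at @@ -768,6 +749,19 @@ the re-added "NUL in header value" entry also keeps bugref "760832" while the other three new entries use NULL.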
@@ -21,6 +21,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52532-3.patch \ file://CVE-2025-32053.patch \ file://CVE-2025-2784.patch \ + file://CVE-2024-52530.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
From patchwork Fri Jun 13 06:54:27 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64893
From: To: Subject: [master][meta-oe][PATCH 04/18] libsoup-2.4: fix CVE-2025-32906 Date: Fri, 13 Jun 2025 14:54:27 +0800 Message-ID: <20250613065441.3121844-5-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 13 Jun 2025 06:54:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117894 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/404 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-32906.patch | 71 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 72 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch new file mode 100644 index 0000000000..c33ebf8056 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch 
@@ -0,0 +1,71 @@ +From 4b8809cca4bbcbf9514314d86227f985362258b0 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 12 Feb 2025 11:30:02 -0600 +Subject: [PATCH] headers: Handle parsing only newlines + +Closes #404 +Closes #407 + +CVE: CVE-2025-32906 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 4 ++-- + tests/header-parsing-test.c | 11 +++++++++++ + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index e5d3c03..87bb3dc 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -185,7 +185,7 @@ soup_headers_parse_request (const char *str, + /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s) + * received where a Request-Line is expected." + */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +@@ -369,7 +369,7 @@ soup_headers_parse_response (const char *str, + * after a response, which we then see prepended to the next + * response on that connection. 
+ */ +- while ((*str == '\r' || *str == '\n') && len > 0) { ++ while (len > 0 && (*str == '\r' || *str == '\n')) { + str++; + len--; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index c1d3b33..b811115 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -6,6 +6,10 @@ typedef struct { + const char *name, *value; + } Header; + ++static char only_newlines[] = { ++ '\n', '\n', '\n', '\n' ++}; ++ + static struct RequestTest { + const char *description; + const char *bugref; +@@ -445,6 +449,13 @@ static struct RequestTest { + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, + { { NULL } } ++ }, ++ ++ { "Only newlines", NULL, ++ only_newlines, sizeof (only_newlines), ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } } + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index fa5ecaa1f5..ff37783716 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
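Review bot: The tests/header-parsing-test.c hunks add the "Only newlines" case to reqtests only, but the same reordering to `while (len > 0 && (*str == '\r' || *str == '\n'))` is also made in soup_headers_parse_response(); a matching resptests entry would cover the second loop. A short comment on `only_newlines` noting that the array has no terminating NUL, so that a read past `sizeof (only_newlines)` is out of bounds, would explain why it is not written as a string literal.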
@@ -22,6 +22,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32053.patch \ file://CVE-2025-2784.patch \ file://CVE-2024-52530.patch \ + file://CVE-2025-32906.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 13 06:54:28 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64895 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7136BC71150 for ; Fri, 13 Jun 2025 06:54:58 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.4053.1749797689802746127 for ; Thu, 12 Jun 2025 23:54:50 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8259073970=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55D4p0ah007524 for ; Fri, 13 Jun 2025 06:54:49 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 474an2pjqv-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 13 Jun 2025 06:54:48 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 12 Jun 2025 23:54:48 -0700 Received: from pek-lpg-core6.wrs.com 
From: To: Subject: [master][meta-oe][PATCH 05/18] libsoup-2.4: fix CVE-2025-32914 Date: Fri, 13 Jun 2025 14:54:28 +0800 Message-ID: <20250613065441.3121844-6-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ;
Fri, 13 Jun 2025 06:54:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117895 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-32914.patch | 35 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch new file mode 100644 index 0000000000..9f3bb21a25 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch @@ -0,0 +1,35 @@ +From ac844b9fc7945c38ea21fb7cf1a49a5c226d7c9c Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 16:17:20 +0800 +Subject: [PATCH] Resolve "(CVE-2025-32914) (#YWH-PGM9867-23) OOB Read on + libsoup through function "soup_multipart_new_from_message" in + soup-multipart.c leads to crash or exit of process" + +CVE: CVE-2025-32914 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450/diffs?commit_id=5bfcf8157597f2d327050114fb37ff600004dbcf] + +Test code are not added since some functions not aligned with version +2.74.3 + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index a7e550f..dd93973 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + return NULL; + } + +- split = strstr (start, "\r\n\r\n"); ++ split = g_strstr_len (start, body_end - start, "\r\n\r\n"); + if (!split || split > end) { + soup_multipart_free (multipart); + soup_buffer_free (flattened); + +-- +2.34.1 + 
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index ff37783716..cda6a3b00f 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -23,6 +23,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-2784.patch \ file://CVE-2024-52530.patch \ file://CVE-2025-32906.patch \ + file://CVE-2025-32914.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
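Review bot: in the soup-multipart.c hunk of CVE-2025-32914.patch, the new bound `body_end - start` is only safe if `start <= body_end` holds at this point, and the visible context does not show that. g_strstr_len() treats a negative length as "search the whole string", so a negative difference would silently restore the unbounded strstr() behaviour this patch removes. `body_end` is also not declared anywhere in the quoted context, so please confirm it exists with the same meaning in 2.74.3, particularly since the upstream test was left out of this backport.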
From: To: Subject: [master][meta-oe][PATCH 06/18] libsoup-2.4: fix CVE-2025-46420 Date: Fri, 13 Jun 2025 14:54:29 +0800 Message-ID: <20250613065441.3121844-7-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 13 Jun 2025 06:54:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117896 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/438 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-46420.patch | 61 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 62 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch new file mode 100644 index 0000000000..c970661694 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch @@ -0,0 +1,61 @@ +From 81e03c538d6a102406114567f4f1c468033ce2e4 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Thu, 26 Dec 2024 18:31:42 -0600 +Subject: [PATCH] soup_header_parse_quality_list: Fix leak + +When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings. + +CVE: CVE-2025-46420 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/421/diffs?commit_id=c9083869ec2a3037e6df4bd86b45c419ba295f8e] + + 
Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 87bb3dc..9707ca0 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -528,7 +528,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + GSList *unsorted; + QualityItem *array; + GSList *sorted, *iter; +- char *item, *semi; ++ char *semi; + const char *param, *equal, *value; + double qval; + int n; +@@ -541,9 +541,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + unsorted = soup_header_parse_list (header); + array = g_new0 (QualityItem, g_slist_length (unsorted)); + for (iter = unsorted, n = 0; iter; iter = iter->next) { +- item = iter->data; + qval = 1.0; +- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) { ++ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) { + param = skip_lws (semi + 1); + if (*param != 'q') + continue; +@@ -575,15 +574,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable) + if (qval == 0.0) { + if (unacceptable) { + *unacceptable = g_slist_prepend (*unacceptable, +- item); ++ g_steal_pointer (&iter->data)); + } + } else { +- array[n].item = item; ++ array[n].item = g_steal_pointer (&iter->data); + array[n].qval = qval; + n++; + } + } +- g_slist_free (unsorted); ++ g_slist_free_full (unsorted, g_free); + + qsort (array, n, sizeof (QualityItem), sort_by_qval); + sorted = NULL; +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index cda6a3b00f..7d9cc222f5 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -24,6 +24,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52530.patch \ file://CVE-2025-32906.patch \ file://CVE-2025-32914.patch \ + file://CVE-2025-46420.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
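Review bot: in soup_header_parse_quality_list (the soup-headers.c hunks of CVE-2025-46420.patch), the ownership rule the fix depends on is not written down in the code. Entries that are kept are taken with g_steal_pointer(), and whatever remains in `unsorted` (the `qval == 0.0` case when `unacceptable` is NULL) is released by g_slist_free_full(). A one-line comment above the g_slist_free_full() call stating this would keep a later edit from reintroducing the leak or creating a double free. Dropping the typed `item` local also means strchr() now receives the untyped `iter->data`; keeping a `const char *` local for the scan would preserve type checking without affecting the fix.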
From: To: Subject: [master][meta-oe][PATCH 07/18] libsoup-2.4: fix CVE-2025-46421 Date: Fri, 13 Jun 2025 14:54:30 +0800 Message-ID: <20250613065441.3121844-8-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 13 Jun 2025 06:54:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117897 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-46421.patch | 47 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch new file mode 100644 index 0000000000..3318093400 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch 
@@ -0,0 +1,47 @@ +From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 16:18:10 -0600 +Subject: [PATCH] session: Strip authentication credentails on + cross-origin redirect + +This should match the behavior of Firefox and Safari but not of Chromium. + +CVE: CVE-2025-46421 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] + +Test code not added since it included some headers not in version 2.74.3 + +Signed-off-by: Changqing Li +--- + libsoup/soup-session.c | 8 ++++- + 2 files changed, 85 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index 83421ef..8d6ac61 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) + SOUP_ENCODING_NONE); + } + ++ /* Strip all credentials on cross-origin redirect. */ ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { ++ soup_message_headers_remove (msg->request_headers, "Authorization"); ++ soup_message_set_auth (msg, NULL); ++ } ++ + soup_message_set_uri (msg, new_uri); + soup_uri_free (new_uri); + + soup_session_requeue_message (session, msg); + return TRUE; +-} ++} + + static void + redirect_handler (SoupMessage *msg, gpointer user_data) + +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 7d9cc222f5..aaeb515585 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -25,6 +25,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32906.patch \ file://CVE-2025-32914.patch \ file://CVE-2025-46420.patch \ + file://CVE-2025-46421.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
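Review bot: the soup-session.c hunk of CVE-2025-46421.patch ends by removing and re-adding the closing brace of soup_session_redirect_message (`-}` followed by `+}`) with no visible difference, which looks like an accidental whitespace change and should be dropped so the backport contains only the credential-stripping block. The diffstat inside the patch is also stale: it reports "2 files changed, 85 insertions(+), 1 deletion(-)" while the only file modified is soup-session.c, because the test was removed; please regenerate it. Since the test is not carried, the patch header should say how the stripping of the Authorization header was verified on 2.74.3.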
From: To: Subject: [master][meta-oe][PATCH 08/18] libsoup-2.4: fix CVE-2025-32050 Date: Fri, 13 Jun 2025 14:54:31 +0800 Message-ID: <20250613065441.3121844-9-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 13 Jun 2025 06:54:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117898 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/424 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-32050.patch | 29 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch new file mode 100644 index 0000000000..c032846ef0 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch @@ -0,0 +1,29 @@ +From 5709dfffb6fdc5b66ce001bf82a755ad8ad1d992 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Mon, 28 Oct 2024 12:29:48 -0500 +Subject: [PATCH] Fix using int instead of size_t for strcspn return + +CVE: CVE-2025-32050 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 9707ca0..67905b2 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -902,7 +902,7 @@ append_param_quoted (GString *string, + const char *name, + const char *value) + { +- int len; ++ gsize len; + + g_string_append (string, name); + g_string_append (string, "=\""); +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index aaeb515585..f35bfffac9 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -26,6 +26,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32914.patch \ file://CVE-2025-46420.patch \ file://CVE-2025-46421.patch \ + file://CVE-2025-32050.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
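Review bot: in append_param_quoted (the soup-headers.c hunk of CVE-2025-32050.patch), only the declaration of `len` changes and none of its uses are in the visible context. Please confirm that every use is still correct with an unsigned type, for example any comparison against a negative value or any call that takes a signed length such as gssize, since those would now convert implicitly.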
From: To: Subject: [master][meta-oe][PATCH 09/18] libsoup-2.4: fix CVE-2025-32052 Date: Fri, 13 Jun 2025 14:54:32 +0800 Message-ID: <20250613065441.3121844-10-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from
li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 13 Jun 2025 06:54:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117899 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/425 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-32052.patch | 32 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch new file mode 100644 index 0000000000..34bc8113a4 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch 
@@ -0,0 +1,32 @@ +From f4a67a9a3033586edaee715d40d5992e02d32893 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 16 Nov 2024 12:07:30 -0600 +Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff + +Co-Author: Ar Jun + +CVE: CVE-2025-32052 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652#500da7cfde649872c49169be34b03a1c42a53ddb] + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 9554636..eac9e7b 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer, + guint index_pattern = 0; + gboolean skip_row = FALSE; + +- while ((index_stream < resource_length) && ++ while ((index_stream < resource_length - 1) && + (index_pattern <= type_row->pattern_length)) { + /* Skip insignificant white space ("WS" in the spec) */ + if (type_row->pattern[index_pattern] == ' ') { +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index f35bfffac9..126184730c 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -27,6 +27,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-46420.patch \ file://CVE-2025-46421.patch \ file://CVE-2025-32050.patch \ + file://CVE-2025-32052.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
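Review bot: in sniff_unknown (the soup-content-sniffer.c hunk of CVE-2025-32052.patch), the new bound `resource_length - 1` wraps to a very large value if `resource_length` is an unsigned type and the buffer is empty, which would leave the loop effectively unbounded. The declaration is not in the visible context, so please either confirm that a zero length cannot reach this loop or write the condition as `index_stream + 1 < resource_length`. The unchanged second condition, `index_pattern <= type_row->pattern_length`, also permits an index equal to the length and deserves a look while this loop is being touched.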
(147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Thu, 12 Jun 2025 23:54:52 -0700 
From: To: Subject: [master][meta-oe][PATCH 10/18] libsoup-2.4: fix CVE-2025-32909 Date: Fri, 13 Jun 2025 14:54:33 +0800 Message-ID: <20250613065441.3121844-11-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; 
Fri, 13 Jun 2025 06:54:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117900 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/431 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-32909.patch | 38 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch new file mode 100644 index 0000000000..2f5366348d --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch @@ -0,0 +1,38 @@ +From e6e088e62c10ab91fa2f2ad5c122332aa7cde97c Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 16:55:37 +0800 +Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than + 4 bytes + +CVE: CVE-2025-32909 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92] + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index eac9e7b..73d2245 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -227,9 +227,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, SoupBuffer *buffer) + { + const char *resource = (const char *)buffer->data; + guint resource_length = MIN (512, buffer->length); +- guint32 box_size = *((guint32*)resource); ++ guint32 box_size; + guint i; + ++ if (resource_length < sizeof (guint32)) ++ return FALSE; ++ ++ box_size = *((guint32*)resource); ++ + #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + box_size = ((box_size >> 24) | + ((box_size << 8) & 0x00FF0000) | +-- +2.34.1 + 
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 126184730c..6d6a6420d2 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -28,6 +28,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-46421.patch \ file://CVE-2025-32050.patch \ file://CVE-2025-32052.patch \ + file://CVE-2025-32909.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 13 06:54:34 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64900 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AB825C7115A for ; Fri, 13 Jun 2025 06:54:58 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.3984.1749797696331525294 for ; Thu, 12 Jun 2025 23:54:56 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8259073970=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55D4o5N9011110 for ; Fri, 13 Jun 2025 06:54:55 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 474cd96gbj-5 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 13 Jun 2025 06:54:55 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 12 Jun 2025 23:54:54 -0700 Received: from pek-lpg-core6.wrs.com 
(147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Thu, 12 Jun 2025 23:54:53 -0700 
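Review bot: in sniff_mp4() of CVE-2025-32909.patch (10/18), the new `resource_length < sizeof (guint32)` check stops the short-buffer read, but the value is still loaded with `box_size = *((guint32*)resource);`, a cast from `const char *` that assumes buffer->data is 4-byte aligned and is followed by a hand-written byte swap under `#if __BYTE_ORDER__`. That load is undefined behaviour when the data is not aligned, which matters on the strict-alignment targets this layer builds for; copying the four bytes into box_size with memcpy() and converting with GUINT32_FROM_BE() would drop both the alignment assumption and the #if. Because this is a backport, raise it upstream as a follow-up rather than diverging here. The patch header also splits `Upstream-Status: Backport` and its URL over two lines, while the other patches in the series keep them on one line; keeping one form makes the tag easier to parse.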
From: To: Subject: [master][meta-oe][PATCH 11/18] libsoup-2.4: fix CVE-2025-32910 Date: Fri, 13 Jun 2025 14:54:34 +0800 Message-ID: <20250613065441.3121844-12-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; 
Fri, 13 Jun 2025 06:54:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117901 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/432 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup-2.4/CVE-2025-32910-1.patch | 32 +++++++ .../libsoup-2.4/CVE-2025-32910-2.patch | 94 +++++++++++++++++++ .../libsoup-2.4/CVE-2025-32910-3.patch | 28 ++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 3 + 4 files changed, 157 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch new file mode 100644 index 0000000000..c1dc6860f2 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch @@ -0,0 +1,32 @@ +From a7e711d0f162c6edc8acad2a96981d4890784ea3 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 12 May 2025 17:02:55 +0800 +Subject: [PATCH] auth-digest: Handle missing realm/nonce in authenticate + header + +CVE: CVE-2025-32910 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=e40df6d48a1cbab56f5d15016cc861a503423cfe] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 3 +++ + 1 files changed, 3 insertions(+) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index e8ba990..0ab3499 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + ++ if (!soup_auth_get_realm (auth)) ++ return FALSE; ++ + g_free (priv->domain); + g_free (priv->nonce); + g_free (priv->opaque); + +-- +2.34.1 + 
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch new file mode 100644 index 0000000000..019a35e3be --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch 
@@ -0,0 +1,94 @@ +From eccfca1074fc485a0b60dfb9c8385429a226bf73 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 13:19:38 +0800 +Subject: [PATCH] auth-digest: Handle missing nonce + +CVE: CVE-2025-32910 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=405a8a34597a44bd58c4759e7d5e23f02c3b556a] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 45 ++++++++++++++++++++++++++++---------- + 1 files changed, 28 insertions(+), 10 deletions(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 0ab3499..10a8591 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) + return g_string_free (out, FALSE); + } + ++static gboolean ++validate_params (SoupAuthDigest *auth_digest) ++{ ++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); ++ ++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { ++ if (!priv->nonce) ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ + static gboolean + soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + GHashTable *auth_params) +@@ -169,17 +182,22 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + if (priv->algorithm == -1) + ok = FALSE; + +- stale = g_hash_table_lookup (auth_params, "stale"); +- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) +- recompute_hex_a1 (priv); +- else { +- g_free (priv->user); +- priv->user = NULL; +- g_free (priv->cnonce); +- priv->cnonce = NULL; +- memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); +- memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); +- } ++ if (!validate_params (auth_digest)) ++ ok = FALSE; ++ ++ if (ok) { ++ stale = g_hash_table_lookup (auth_params, "stale"); ++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) ++ recompute_hex_a1 (priv); ++ else { ++ g_free (priv->user); ++ priv->user = 
NULL; ++ g_free (priv->cnonce); ++ priv->cnonce = NULL; ++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); ++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ } ++ } + + return ok; + } +@@ -359,6 +377,8 @@ soup_auth_digest_compute_response (const char *method, + if (qop) { + char tmp[9]; + ++ g_assert (cnonce); ++ + g_snprintf (tmp, 9, "%.8x", nc); + g_checksum_update (checksum, (guchar *)tmp, strlen (tmp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -422,6 +442,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg) + g_return_val_if_fail (uri != NULL, NULL); + url = soup_uri_to_string (uri, TRUE); + ++ g_assert (priv->nonce); ++ g_assert (!priv->qop || priv->cnonce); ++ + soup_auth_digest_compute_response (msg->method, url, priv->hex_a1, + priv->qop, priv->nonce, + priv->cnonce, priv->nc, + +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch new file mode 100644 index 0000000000..bdf4d64ca3 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch 
@@ -0,0 +1,28 @@ +From 74c95d54fe42041fe161cb74c76d942ffd37a5dd Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 13:21:43 +0800 +Subject: [PATCH] auth-digest: Fix leak + +CVE: CVE-2025-32910 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=ea16eeacb052e423eb5c3b0b705e5eab34b13832] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 10a8591..6d965d2 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object) + g_free (priv->nonce); + g_free (priv->domain); + g_free (priv->cnonce); ++ g_free (priv->opaque); + + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 6d6a6420d2..3e4a8e14d4 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -29,6 +29,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32050.patch \ file://CVE-2025-32052.patch \ file://CVE-2025-32909.patch \ + file://CVE-2025-32910-1.patch \ + file://CVE-2025-32910-2.patch \ + file://CVE-2025-32910-3.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 13 06:54:35 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64892 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6B82CC61DB2 for ; Fri, 13 Jun 2025 06:54:58 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web10.4056.1749797696628695452 for ; Thu, 12 Jun 2025 23:54:56 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8259073970=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55D6WHuR030464 for ; Thu, 12 Jun 2025 23:54:56 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 474gq46fp9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 12 Jun 2025 23:54:56 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 
15.1.2507.43; Thu, 12 Jun 2025 23:54:55 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Thu, 12 Jun 2025 23:54:54 -0700 
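Review bot: the subject of CVE-2025-32910-1.patch (11/18) says "Handle missing realm/nonce in authenticate header", but the three lines added to soup_auth_digest_update() test only `soup_auth_get_realm (auth)`; nothing in that hunk looks at the nonce. Either reword the subject to "missing realm" or say in the description that the nonce half arrives in CVE-2025-32910-2.patch and in 12/18, so a reader checking CVE coverage patch by patch is not misled.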
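Review bot: in CVE-2025-32910-2.patch (11/18), validate_params() rejects a missing nonce only when priv->qop is set or the algorithm is SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS, while the hunk in soup_auth_digest_get_authorization() adds an unconditional `g_assert (priv->nonce);`. If priv->nonce is NULL for a plain-MD5 challenge without qop, that challenge passes validation at this point in the series and then reaches the assert, so a malformed server header becomes a process abort, or, when assertions are compiled out with G_DISABLE_ASSERT, the NULL goes on to soup_auth_digest_compute_response(). The nonce lookup that closes this gap is only added in 12/18. Either state that dependency in this patch's description or make validate_params() require priv->nonce unconditionally, so each step of the series is safe when applied without the later ones.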
From: To: Subject: [master][meta-oe][PATCH 12/18] libsoup-2.4: fix CVE-2025-32912 Date: Fri, 13 Jun 2025 14:54:35 +0800 Message-ID: <20250613065441.3121844-13-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; 
Fri, 13 Jun 2025 06:54:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117902 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/434 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-32912.patch | 32 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch new file mode 100644 index 0000000000..b3ce9d8bc3 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch @@ -0,0 +1,32 @@ +From 0984dddb11daf14fdf5ca24077cd0ebda796439a Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 13:25:32 +0800 +Subject: [PATCH] auth-digest: Handle missing nonce + +CVE: CVE-2025-32912 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992?merge_request_iid=434 +https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 6d965d2..f1621ec 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth)) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); + +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 3e4a8e14d4..09881f9062 100644 
--- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -32,6 +32,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32910-1.patch \ file://CVE-2025-32910-2.patch \ file://CVE-2025-32910-3.patch \ + file://CVE-2025-32912.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 13 06:54:36 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64903 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9F8BBC7114A for ; Fri, 13 Jun 2025 06:55:08 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.3985.1749797699005742994 for ; Thu, 12 Jun 2025 23:54:59 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8259073970=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55D4p0al007524 for ; Fri, 13 Jun 2025 06:54:58 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 474an2pjrb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 13 Jun 2025 06:54:57 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 12 Jun 2025 23:54:56 -0700 Received: from 
pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Thu, 12 Jun 2025 23:54:55 -0700 
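Review bot: CVE-2025-32912.patch (12/18) reuses the subject "auth-digest: Handle missing nonce" that CVE-2025-32910-2.patch already carries, and its Upstream-Status lists two upstream commits for a one-line change in soup_auth_digest_update(), so the log cannot tell the two backports apart or show which part of each commit was taken. A distinct subject naming the early return, plus a sentence on what was left out of the two commits, would fix that. On the check itself, `!g_hash_table_lookup (auth_params, "nonce")` is NULL for an absent parameter and also for a parameter given without a value (parse_param_list() in 13/18 stores NULL for those), but an empty `nonce=""` still passes. That is enough for the NULL dereference this guards; say so in the description so the line is not read as nonce validation.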
From: To: Subject: [master][meta-oe][PATCH 13/18] libsoup-2.4: fix CVE-2024-52531 Date: Fri, 13 Jun 2025 14:54:36 +0800 Message-ID: <20250613065441.3121844-14-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; 
Fri, 13 Jun 2025 06:55:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117903 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/423 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup-2.4/CVE-2024-52531-1.patch | 39 +++++ .../libsoup-2.4/CVE-2024-52531-2.patch | 133 ++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 2 + 3 files changed, 174 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch new file mode 100644 index 0000000000..9de0310c8d --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch 
@@ -0,0 +1,39 @@ +From 8331e681c85c3b1893d8d5193783f631bfc07acb Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 13:42:08 +0800 +Subject: [PATCH] tests: Add test for passing invalid UTF-8 to + soup_header_parse_semi_param_list() + +CVE: CVE-2024-52531 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=825fda3425546847b42ad5270544e9388ff349fe] + +Signed-off-by: Changqing Li +--- + tests/header-parsing-test.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index b811115..cfcc003 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -836,6 +836,17 @@ static struct ParamListTest { + { "filename", "t\xC3\xA9st.txt" }, + }, + }, ++ ++/* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */ ++ { TRUE, ++ "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo", ++ { ++ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" }, ++ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" }, ++ { "foo", NULL }, ++ }, ++ } ++ + }; + static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests); + +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch new file mode 100644 index 0000000000..740c28c016 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch 
@@ -0,0 +1,133 @@ +From 12523a592f1216450d18706bcf6c16e0f1ab0ce0 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 13:52:37 +0800 +Subject: [PATCH] headers: Be more robust against invalid input when + parsing params + +If you pass invalid input to a function such as soup_header_parse_param_list_strict() +it can cause an overflow if it decodes the input to UTF-8. + +This should never happen with valid UTF-8 input which libsoup's client API +ensures, however it's server API does not currently. + +CVE: CVE-2024-52531 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283] + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 45 +++++++++++++++++++++--------------------- + 1 file changed, 23 insertions(+), 22 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 67905b2..39e8d34 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -642,8 +642,9 @@ soup_header_contains (const char *header, const char *token) + } + + static void +-decode_quoted_string (char *quoted_string) ++decode_quoted_string_inplace (GString *quoted_gstring) + { ++ char *quoted_string = quoted_gstring->str; + char *src, *dst; + + src = quoted_string + 1; +@@ -657,10 +658,11 @@ decode_quoted_string (char *quoted_string) + } + + static gboolean +-decode_rfc5987 (char *encoded_string) ++decode_rfc5987_inplace (GString *encoded_gstring) + { + char *q, *decoded; + gboolean iso_8859_1 = FALSE; ++ const char *encoded_string = encoded_gstring->str; + + q = strchr (encoded_string, '\''); + if (!q) +@@ -689,14 +691,7 @@ decode_rfc5987 (char *encoded_string) + decoded = utf8; + } + +- /* If encoded_string was UTF-8, then each 3-character %-escape +- * will be converted to a single byte, and so decoded is +- * shorter than encoded_string. 
If encoded_string was +- * iso-8859-1, then each 3-character %-escape will be +- * converted into at most 2 bytes in UTF-8, and so it's still +- * shorter. +- */ +- strcpy (encoded_string, decoded); ++ g_string_assign (encoded_gstring, decoded); + g_free (decoded); + return TRUE; + } +@@ -706,15 +701,16 @@ parse_param_list (const char *header, char delim, gboolean strict) + { + GHashTable *params; + GSList *list, *iter; +- char *item, *eq, *name_end, *value; +- gboolean override, duplicated; + + params = g_hash_table_new_full (soup_str_case_hash, + soup_str_case_equal, +- g_free, NULL); ++ g_free, g_free); + + list = parse_list (header, delim); + for (iter = list; iter; iter = iter->next) { ++ char *item, *eq, *name_end; ++ gboolean override, duplicated; ++ GString *parsed_value = NULL; + item = iter->data; + override = FALSE; + +@@ -729,19 +725,19 @@ parse_param_list (const char *header, char delim, gboolean strict) + + *name_end = '\0'; + +- value = (char *)skip_lws (eq + 1); ++ parsed_value = g_string_new ((char *)skip_lws (eq + 1)); + + if (name_end[-1] == '*' && name_end > item + 1) { + name_end[-1] = '\0'; +- if (!decode_rfc5987 (value)) { ++ if (!decode_rfc5987_inplace (parsed_value)) { ++ g_string_free (parsed_value, TRUE); + g_free (item); + continue; + } + override = TRUE; +- } else if (*value == '"') +- decode_quoted_string (value); +- } else +- value = NULL; ++ } else if (parsed_value->str[0] == '"') ++ decode_quoted_string_inplace (parsed_value); ++ } + + duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL); + +@@ -749,11 +745,16 @@ parse_param_list (const char *header, char delim, gboolean strict) + soup_header_free_param_list (params); + params = NULL; + g_slist_foreach (iter, (GFunc)g_free, NULL); ++ if (parsed_value) ++ g_string_free (parsed_value, TRUE); + break; +- } else if (override || !duplicated) +- g_hash_table_replace (params, item, value); +- else ++ } else if (override || !duplicated) { ++ g_hash_table_replace (params, 
item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL); ++ } else { ++ if (parsed_value) ++ g_string_free (parsed_value, TRUE); + g_free (item); ++ } + } + + g_slist_free (list); +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 09881f9062..51e0368f34 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -33,6 +33,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32910-2.patch \ file://CVE-2025-32910-3.patch \ file://CVE-2025-32912.patch \ + file://CVE-2024-52531-1.patch \ + file://CVE-2024-52531-2.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 13 06:54:37 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64902 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9F882C71135 for ; Fri, 13 Jun 2025 06:55:08 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.3986.1749797699601995508 for ; Thu, 12 Jun 2025 23:54:59 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8259073970=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55D4p0an007524 for ; Fri, 13 Jun 2025 06:54:58 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 474an2pjrb-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 13 Jun 2025 06:54:58 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 12 Jun 2025 23:54:57 
-0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Thu, 12 Jun 2025 23:54:57 -0700 
From: To: Subject: [master][meta-oe][PATCH 14/18] libsoup-2.4: fix CVE-2025-4476 Date: Fri, 13 Jun 2025 14:54:37 +0800 Message-ID: <20250613065441.3121844-15-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 13 Jun 2025 06:55:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117904 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/440 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-4476.patch | 38 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch new file mode 100644 index 0000000000..874f62e7ad --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch 
@@ -0,0 +1,38 @@ +From 52a0f9234d384b9dab368835b22e5a5a01542168 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 14:16:10 +0800 +Subject: [PATCH] auth-digest: fix crash in + soup_auth_digest_get_protection_space() + +We need to validate the Domain parameter in the WWW-Authenticate header. + +Unfortunately this crash only occurs when listening on default ports 80 +and 443, so there's no good way to test for this. The test would require +running as root. + +Fixes #440 + +CVE: CVE-2025-4476 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c?merge_request_iid=457] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index f1621ec..a2dc560 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -229,7 +229,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, SoupURI *source_uri) + uri = soup_uri_new (d); + if (uri && uri->scheme == source_uri->scheme && + uri->port == source_uri->port && +- !strcmp (uri->host, source_uri->host)) ++ !g_strcmp0 (uri->host, source_uri->host)) + dir = g_strdup (uri->path); + else + dir = NULL; +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 51e0368f34..507cbbe7ae 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -35,6 +35,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32912.patch \ file://CVE-2024-52531-1.patch \ file://CVE-2024-52531-2.patch \ + file://CVE-2025-4476.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 13 06:54:38 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64906 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A6671C61DB2 for ; Fri, 13 Jun 2025 06:55:08 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.4058.1749797700190784510 for ; Thu, 12 Jun 2025 23:55:00 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8259073970=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55D4p0ao007524 for ; Fri, 13 Jun 2025 06:54:59 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 474an2pjrb-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 13 Jun 2025 06:54:59 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 12 Jun 2025 23:54:58 -0700 Received: from 
pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Thu, 12 Jun 2025 23:54:58 -0700 
From: To: Subject: [master][meta-oe][PATCH 15/18] libsoup-2.4: fix CVE-2025-32907 Date: Fri, 13 Jun 2025 14:54:38 +0800 Message-ID: <20250613065441.3121844-16-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org
with HTTPS for ; Fri, 13 Jun 2025 06:55:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117905 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/428 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-32907.patch | 39 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch new file mode 100644 index 0000000000..41dd3ff3f4 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch @@ -0,0 +1,39 @@ +From 8158b4084dcba2a233dfcb7359c53ab2840148f7 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Tue, 15 Apr 2025 12:17:39 +0200 +Subject: [PATCH 1/2] soup-message-headers: Correct merge of ranges + +It had been skipping every second range, which generated an array +of a lot of insane ranges, causing large memory usage by the server. + +Closes #428 + +Part-of: + +CVE: CVE-2025-32907 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452/diffs?commit_id=9bb92f7a685e31e10e9e8221d0342280432ce836] + +Test part not applied since test codes use some functions not in this +version + +Signed-off-by: Changqing Li +--- + libsoup/soup-message-headers.c | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 78b2455..00b9763 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1024,6 +1024,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs, + if (cur->start <= prev->end) { + prev->end = MAX (prev->end, cur->end); + g_array_remove_index (array, i); ++ i--; + } + } + } +-- +2.34.1 + 
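Review bot: The `i--` added after `g_array_remove_index (array, i)` in soup_message_headers_get_ranges_internal() lands without any regression test, because the patch description says the upstream test part was not applied to this version. A small test adapted to 2.74.3 that requests several overlapping ranges and asserts they merge into a single range would confirm the backport behaves like upstream. The inner diffstat line "1 files changed, 1 insertions(+)" also looks hand-edited; regenerating the patch with git format-patch would keep it consistent with the other patches in the series.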
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 507cbbe7ae..4918236b61 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -36,6 +36,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52531-1.patch \ file://CVE-2024-52531-2.patch \ file://CVE-2025-4476.patch \ + file://CVE-2025-32907.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 13 06:54:39 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64904 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AD9BBC71150 for ; Fri, 13 Jun 2025 06:55:08 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web10.4059.1749797700784584439 for ; Thu, 12 Jun 2025 23:55:00 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8259073970=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55D5U28T001742 for ; Thu, 12 Jun 2025 23:55:00 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 474gq46fpc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 12 Jun 2025 23:55:00 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 12 Jun 2025 23:54:59 -0700 Received: from 
pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Thu, 12 Jun 2025 23:54:59 -0700 
From: To: Subject: [master][meta-oe][PATCH 16/18] libsoup-2.4: fix CVE-2025-4948 Date: Fri, 13 Jun 2025 14:54:39 +0800 Message-ID: <20250613065441.3121844-17-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org
with HTTPS for ; Fri, 13 Jun 2025 06:55:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117906 From: Changqing Li Refer: http://gitlab.gnome.org/GNOME/libsoup/-/issues/449 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-4948.patch | 38 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch new file mode 100644 index 0000000000..b15b8c763d --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch 
@@ -0,0 +1,38 @@ +From dfdc9b3cc73e6fe88cc12792ba00e14642572339 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Thu, 15 May 2025 17:49:11 +0200 +Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body + +It could happen that the boundary started at a place which resulted into +a negative number, which in an unsigned integer is a very large value. +Check the body size is not a negative value before setting it. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 + +Part-of: + +CVE: CVE-2025-4948 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/diffs?commit_id=f2f28afe0b3b2b3009ab67d6874457ec6bac70c0] + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index dd93973..ce2fc10 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + */ + part_body = soup_buffer_new_subbuffer (flattened, + split - flattened->data, +- end - 2 - split); ++ end - 2 >= split ? end - 2 - split : 0); + g_ptr_array_add (multipart->bodies, part_body); + + start = end; +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 4918236b61..a7e5354eb9 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -37,6 +37,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52531-2.patch \ file://CVE-2025-4476.patch \ file://CVE-2025-32907.patch \ + file://CVE-2025-4948.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 13 06:54:40 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64905 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BBEAFC71153 for ; Fri, 13 Jun 2025 06:55:08 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.3988.1749797703028969261 for ; Thu, 12 Jun 2025 23:55:03 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8259073970=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55D59MVm007724 for ; Fri, 13 Jun 2025 06:55:02 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 474cd96gc2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 13 Jun 2025 06:55:02 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 12 Jun 2025 23:55:00 -0700 Received: from pek-lpg-core6.wrs.com 
(147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Thu, 12 Jun 2025 23:55:00 -0700 
From: To: Subject: [master][meta-oe][PATCH 17/18] libsoup-2.4: fix CVE-2025-4969 Date: Fri, 13 Jun 2025 14:54:40 +0800 Message-ID: <20250613065441.3121844-18-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org
with HTTPS for ; Fri, 13 Jun 2025 06:55:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117907 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-4969.patch | 37 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch new file mode 100644 index 0000000000..7bc3e8da99 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch 
@@ -0,0 +1,37 @@ +From a7d0c58608ed830bedfb6b92aea11e00feb55aa9 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 19 May 2025 17:48:27 +0200 +Subject: [PATCH] soup-multipart: Verify array bounds before accessing its + members + +The boundary could be at a place which, calculated, pointed +before the beginning of the array. Check the bounds, to avoid +read out of the array bounds. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 + +CVE: CVE-2025-4969 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467/diffs?commit_id=b5b4dd10d4810f0c87b4eaffe88504f06e502f33] + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index ce2fc10..a29cdf0 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -108,7 +108,7 @@ find_boundary (const char *start, const char *end, + continue; + + /* Check that it's at start of line */ +- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r'))) ++ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r'))) + continue; + + /* Check for "--" or "\r\n" after boundary */ +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index a7e5354eb9..52e732b78d 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -38,6 +38,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-4476.patch \ file://CVE-2025-32907.patch \ file://CVE-2025-4948.patch \ + file://CVE-2025-4969.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Fri Jun 13 06:54:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 64907 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C2B9FC71155 for ; Fri, 13 Jun 2025 06:55:08 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.4061.1749797703576623532 for ; Thu, 12 Jun 2025 23:55:03 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8259073970=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55D59MVn007724 for ; Fri, 13 Jun 2025 06:55:02 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 474cd96gc2-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 13 Jun 2025 06:55:02 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Thu, 12 Jun 2025 23:55:01 -0700 Received: from pek-lpg-core6.wrs.com 
(147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Thu, 12 Jun 2025 23:55:01 -0700 
From: To: Subject: [master][meta-oe][PATCH 18/18] libsoup-2.4: update patch 0001-CVE-2025-32911.patch Date: Fri, 13 Jun 2025 14:54:41 +0800 Message-ID: <20250613065441.3121844-19-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250613065441.3121844-1-changqing.li@windriver.com> References: <20250613065441.3121844-1-changqing.li@windriver.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 13 Jun 2025 06:55:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117908 From: Changqing Li CVE-2025-32913 also fixed in this patch Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/435 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/0001-CVE-2025-32911.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch index 9ef0643837..d75594bb4f 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch @@ -3,7 +3,7 @@ From: Changqing Li Date: Wed, 30 Apr 2025 14:59:55 +0800 Subject: [PATCH] CVE-2025-32911 -CVE: CVE-2025-32911 +CVE: CVE-2025-32911 CVE-2025-32913 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/422/commits] Signed-off-by: Changqing Li
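Review bot: The `CVE:` tag in 0001-CVE-2025-32911.patch now lists CVE-2025-32913 as well, but the patch's own Subject and file name still name only CVE-2025-32911, and the description does not say which part of the backport addresses the second CVE. A sentence in the patch description tying CVE-2025-32913 to the upstream issue this mail refers to (libsoup issue 435) would make the added tag auditable.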
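Review bot: In the soup-headers.c backport (CVE-2024-52531), the first parse_param_list() hunk changes the value destroy function from NULL to `g_free` without documenting the ownership change. Values used to point into the key's own storage (`value = (char *)skip_lws (eq + 1);`) and are now separate allocations owned by the table. A comment at the `g_hash_table_new_full` call, plus a check that no caller in this version frees or steals a value independently of soup_header_free_param_list(), would make the change safer to carry.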
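Review bot: In the same soup-headers.c backport, decode_quoted_string_inplace() takes a GString but still works on `quoted_gstring->str` through raw `src`/`dst` pointers, and nothing in the hunk updates the GString's length afterwards. That is harmless while the only consumer is `g_string_free (parsed_value, FALSE)`, but a `g_string_truncate()` at the end of the function, or a comment saying the length is intentionally left stale, would prevent a later caller from trusting it.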
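Review bot: In soup_auth_digest_get_protection_space() (CVE-2025-4476), `!g_strcmp0 (uri->host, source_uri->host)` removes the NULL dereference, but g_strcmp0() treats two NULL strings as equal, so a Domain entry without a host would still match when `source_uri->host` is also NULL. If a hostless Domain URI is meant to be rejected, as "validate the Domain parameter" in the description suggests, add an explicit `uri->host &&` to the condition. Since the description says no automated test is practical, a note on how the fix was verified would also help.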
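Review bot: In soup_multipart_new_from_message() (CVE-2025-4948), the clamp `end - 2 >= split ? end - 2 - split : 0` turns a malformed part into a zero-length body that is still added to `multipart->bodies` as if it were valid. It is worth deciding whether such input should fail the parse instead, and documenting the choice in a comment. Writing the guard as `end - split >= 2` would also state the length requirement directly, without the intermediate `end - 2` pointer.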
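Review bot: The find_boundary() change (CVE-2025-4969) has no accompanying test; the diffstat shows only soup-multipart.c changing, so nothing exercises a boundary that begins one byte after `start`, which is the case the new `b - start >= 2` guard exists for. Please add or port a test with such a body, and consider a short comment on the line noting that the length check protects both `b[-1]` and `b[-2]`.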