From patchwork Wed Jun 18 02:59:35 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 65204 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40E54C71157 for ; Wed, 18 Jun 2025 02:59:58 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.37495.1750215590025089162 for ; Tue, 17 Jun 2025 19:59:50 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=82648703cf=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55I2v3Pk005276 for ; Wed, 18 Jun 2025 02:59:49 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 478xa1m2gu-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 18 Jun 2025 02:59:48 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Tue, 17 Jun 2025 19:59:47 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Tue, 17 Jun 2025 19:59:47 -0700 From: To: Subject: [kirkstone][PATCH V2 01/11] libsoup: patch CVE-2025-4476 Date: Wed, 18 Jun 2025 10:59:35 +0800 Message-ID: <20250618025945.2504711-2-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250618025945.2504711-1-changqing.li@windriver.com> References: <20250618025945.2504711-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Authority-Analysis: v=2.4 cv=PuiTbxM3 c=1 sm=1 tr=0 ts=68522ba4 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=fk1lIlRQAAAA:8 a=_enOPnqeAAAA:8 a=20KFwNOVAAAA:8 a=NolvJAtuIQBC2-SIXlgA:9 a=U75ogvRika4pmaD_UPO0:22 a=XAbD3I9PDrnSMThV5XoS:22 X-Proofpoint-ORIG-GUID: _rHed51pEuSinZaSQ2Xh-Ah67ebpSyjV X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDAyNCBTYWx0ZWRfX0w74A6aFKbR/ pLmRzhbaP1or1L9U8ITTX1Z1K4LTfU0A8TIzKpOxtNqStL6aWTJVLOmUYZ9Dy9UH7lXMGbPybwI Bx6FfjGlrxmrzbEYABO5Wa23+srciZL0EnnfN7SHx0oJ4lcRK0abEHadv1G11dJXJFMe2UWhPK5 0pQ29naescGkytrWzumjZW8Wpi7t0JbMRcEIP1xVThwwzhhlaLEJvYDiJ4lsv5qsUlw/PDF12uH d2FqtI3tzZGdLSHZFPtTtakJtWr2d6Hpr0TpIq6FQj0X2oSjqmgef+OBhBFDWS05Z9f80JfZ4h3 /WuDSgSpaUFDTWJ5SPnfPDoTU6POoUP+APnerGQEnSv1wd6ar2dufNEMJNN9TujdkhT511Lnb+v sBjOoB7WVyJCZRw8ug7ZMR5zMYIbFayIns+MouaubtxJw2T6BS6Nus+Dl3Kmrrchm9Fh6arI X-Proofpoint-GUID: _rHed51pEuSinZaSQ2Xh-Ah67ebpSyjV X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_01,2025-06-13_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 adultscore=0 bulkscore=0 phishscore=0 suspectscore=0 mlxlogscore=991 lowpriorityscore=0 priorityscore=1501 impostorscore=0 mlxscore=0 malwarescore=0 clxscore=1015 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506180024 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 Jun 2025 02:59:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218957 From: Ashish Sharma Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c] Signed-off-by: Ashish Sharma Signed-off-by: Steve Sakoman --- .../libsoup/libsoup/CVE-2025-4476.patch | 38 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.0.7.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-4476.patch diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-4476.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-4476.patch new file mode 100644 index 00000000000..cd5619d6209 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-4476.patch @@ -0,0 +1,38 @@ +From e64c221f9c7d09b48b610c5626b3b8c400f0907c Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 8 May 2025 09:27:01 -0500 +Subject: [PATCH] auth-digest: fix crash in + soup_auth_digest_get_protection_space() + +We need to validate the Domain parameter in the WWW-Authenticate header. + +Unfortunately this crash only occurs when listening on default ports 80 +and 443, so there's no good way to test for this. The test would require +running as root. + +Fixes #440 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c] +CVE: CVE-2025-4476 +Signed-off-by: Ashish Sharma + + + libsoup/auth/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index d8bb2910..292f2045 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -220,7 +220,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, GUri *source_uri) + if (uri && + g_strcmp0 (g_uri_get_scheme (uri), g_uri_get_scheme (source_uri)) == 0 && + g_uri_get_port (uri) == g_uri_get_port (source_uri) && +- !strcmp (g_uri_get_host (uri), g_uri_get_host (source_uri))) ++ !g_strcmp0 (g_uri_get_host (uri), g_uri_get_host (source_uri))) + dir = g_strdup (g_uri_get_path (uri)); + else + dir = NULL; +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb index 67aa180612e..83ed88e785c 100644 --- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb +++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb @@ -36,6 +36,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32052.patch \ file://CVE-2025-32053.patch \ file://CVE-2025-46420.patch \ + file://CVE-2025-4476.patch \ " SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8" From patchwork Wed Jun 18 02:59:36 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 65203 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 41BDCC7115A for ; Wed, 18 Jun 2025 02:59:58 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.37429.1750215590747147998 for ; Tue, 17 Jun 2025 19:59:50 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=82648703cf=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55I2v3Pl005276 for ; Wed, 18 Jun 2025 02:59:50 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 478xa1m2gu-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 18 Jun 2025 02:59:49 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Tue, 17 Jun 2025 19:59:48 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Tue, 17 Jun 2025 19:59:48 -0700 From: To: Subject: [kirkstone][PATCH V2 02/11] libsoup: Fix CVE-2025-4969 Date: Wed, 18 Jun 2025 10:59:36 +0800 Message-ID: <20250618025945.2504711-3-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250618025945.2504711-1-changqing.li@windriver.com> References: <20250618025945.2504711-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Authority-Analysis: v=2.4 cv=PuiTbxM3 c=1 sm=1 tr=0 ts=68522ba5 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=fk1lIlRQAAAA:8 a=_enOPnqeAAAA:8 a=20KFwNOVAAAA:8 a=ExAG2EzZOsbCA4H3ouoA:9 a=U75ogvRika4pmaD_UPO0:22 a=XAbD3I9PDrnSMThV5XoS:22 X-Proofpoint-ORIG-GUID: x-A-JuzepYw14ez_8v2oky1XN1EHAf87 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDAyNCBTYWx0ZWRfXznR65ZqVinSt +ygCeuLBD1JpMMcet5bf58CxNjGXe7XuxCEall4ENDkh3dPHwajoRN+FlX5AhKBTslFQE1z1QeD J0mnkPXkQPvppfL7FJ/ku1Ln2sxOhg1tods8Sg6nRLsc9wq9rfNlfOckIC0NnKUlmonhfnjtrW+ WtBHVaipocwFMQH7KQ8IhF+Vfzm/yEGKxkp5JBPGJH5WsZWZGDjUTmKw3rEgaVgw89N9c18EGXU CqHbgNyHSCMyeBDP2K+IIXKy9vfKTGdDk0L19uzhHprOk3ReVQG1ROy10vVZEkDb6DgeAVb4XES U7jO31xpm8y2q7DYWCsXEQlOiqDh1L3I35t4CQbtrmLDRFx32mNythEO9Xqy1nvFzR778tTM+v7 y/xQboDyOVnmFiwnn8WsPZ8KgLjr8l7qvmE1YSdOpdZr3CtkpyD7GRKavjJHEhlbFuSVGB22 X-Proofpoint-GUID: x-A-JuzepYw14ez_8v2oky1XN1EHAf87 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_01,2025-06-13_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 adultscore=0 bulkscore=0 phishscore=0 suspectscore=0 mlxlogscore=837 lowpriorityscore=0 priorityscore=1501 impostorscore=0 mlxscore=0 malwarescore=0 clxscore=1015 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506180024 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 Jun 2025 02:59:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218958 From: Hitendra Prajapati Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../libsoup/libsoup/CVE-2025-4969.patch | 76 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.0.7.bb | 1 + 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-4969.patch diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-4969.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-4969.patch new file mode 100644 index 00000000000..70c5fd5593e --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-4969.patch @@ -0,0 +1,76 @@ +From 07b94e27afafebf31ef3cd868866a1e383750086 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 19 May 2025 17:48:27 +0200 +Subject: [PATCH] soup-multipart: Verify array bounds before accessing its + members + +The boundary could be at a place which, calculated, pointed +before the beginning of the array. Check the bounds, to avoid +read out of the array bounds. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086] +CVE: CVE-2025-4969 +Signed-off-by: Hitendra Prajapati +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 22 ++++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index 102ce37..e1c442e 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -104,7 +104,7 @@ find_boundary (const char *start, const char *end, + continue; + + /* Check that it's at start of line */ +- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r'))) ++ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r'))) + continue; + + /* Check for "--" or "\r\n" after boundary */ +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index ab5f41c..84852e2 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -527,6 +527,27 @@ test_multipart_bounds_bad (void) + g_bytes_unref (bytes); + } + ++static void ++test_multipart_bounds_bad_2 (void) ++{ ++ SoupMultipart *multipart; ++ SoupMessageHeaders *headers; ++ GBytes *bytes; ++ const char *raw_data = "\n--123\r\nline\r\n--123--\r"; ++ ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\""); ++ ++ bytes = g_bytes_new (raw_data, strlen (raw_data)); ++ ++ multipart = soup_multipart_new_from_message (headers, bytes); ++ g_assert_nonnull (multipart); ++ ++ soup_multipart_free (multipart); ++ soup_message_headers_unref (headers); ++ g_bytes_unref (bytes); ++} ++ + int + main (int argc, char **argv) + { +@@ -556,6 +577,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); + g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); ++ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2); + + ret = g_test_run (); + +-- +2.49.0 + diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb index 83ed88e785c..d0cd1f436a1 100644 --- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb +++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb @@ -37,6 +37,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32053.patch \ file://CVE-2025-46420.patch \ file://CVE-2025-4476.patch \ + file://CVE-2025-4969.patch \ " SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8" From patchwork Wed Jun 18 02:59:37 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 65207 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 52C70C7115B for ; Wed, 18 Jun 2025 02:59:58 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.37496.1750215591357016435 for ; Tue, 17 Jun 2025 19:59:51 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=82648703cf=changqing.li@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55I1A2Lb017752 for ; Tue, 17 Jun 2025 19:59:51 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4798kkkrxk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 17 Jun 2025 19:59:50 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Tue, 17 Jun 2025 19:59:49 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Tue, 17 Jun 2025 19:59:49 -0700 From: To: Subject: [kirkstone][PATCH V2 03/11] libsoup: fix CVE-2025-32907 Date: Wed, 18 Jun 2025 10:59:37 +0800 Message-ID: <20250618025945.2504711-4-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250618025945.2504711-1-changqing.li@windriver.com> References: <20250618025945.2504711-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: me2JygbyYaN3XgTa4_At5nlXdtQz1NPF X-Proofpoint-ORIG-GUID: me2JygbyYaN3XgTa4_At5nlXdtQz1NPF X-Authority-Analysis: v=2.4 cv=MaFsu4/f c=1 sm=1 tr=0 ts=68522ba6 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=_enOPnqeAAAA:8 a=20KFwNOVAAAA:8 a=Hyvt-9qr23Gm4iXa-ggA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=XAbD3I9PDrnSMThV5XoS:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDAyNCBTYWx0ZWRfXwRCEHEQuATSK OKCu71dFLk0+VnRB2MP8K8D6It7xYsc5SvBjyStMUMbbJCshHJmpIjJ55wjZh2UirIZYJvrwSC9 di9BFV6Blsqs3SzFSI05dJx0w0NOfbGH0abnTVxxXkdjXSLU0qkPxHG2gTJfvZmQHKAO4C6jvZH YXXJ/62opP06Hn/TcBcaapBCW/0SRVV78anhI9XWX3opMK25zFLzSgizN8a54tVF+/BRSXFLffF bSTf2Vp2fPgXnFUQ8mFkt8iWiUx/LjTJAgik+KJbbQhKxMj1Gs6mIFYd8wwOXZ27bw2Ai6JTXfD JPMsZxfkYhnhEOP6imRXKhYVGmWEftNNC/1LL4bCXEx9ZVHrqZf2VNUezL2HxO4sJZ2TIr0sNzb NQxGjDhBF+UaULu0n3VNwWvwtsk6P/bJGKF6eozSu0/tfiqnM8AADithdQ4VJnOZfXN3f/Tl X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_01,2025-06-13_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 spamscore=0 clxscore=1015 bulkscore=0 priorityscore=1501 malwarescore=0 mlxlogscore=999 phishscore=0 adultscore=0 suspectscore=0 impostorscore=0 mlxscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506180024 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 Jun 2025 02:59:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218959 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/429 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup/CVE-2025-32907-1.patch | 200 ++++++++++++++++++ .../libsoup/libsoup/CVE-2025-32907-2.patch | 68 ++++++ meta/recipes-support/libsoup/libsoup_3.0.7.bb | 2 + 3 files changed, 270 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32907-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32907-2.patch diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32907-1.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32907-1.patch new file mode 100644 index 00000000000..41b7d276a4a --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32907-1.patch @@ -0,0 +1,200 @@ +From 7507b0713c2f02af1cd561ebb99477e0a099419d Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Tue, 15 Apr 2025 12:17:39 +0200 +Subject: [PATCH 1/2] soup-message-headers: Correct merge of ranges + +It had been skipping every second range, which generated an array +of a lot of insane ranges, causing large memory usage by the server. + +Closes #428 + +Part-of: + +CVE: CVE-2025-32907 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452/commits] + +Signed-off-by: Changqing Li +--- + libsoup/soup-message-headers.c | 1 + + tests/meson.build | 1 + + tests/server-mem-limit-test.c | 144 +++++++++++++++++++++++++++++++++ + 3 files changed, 146 insertions(+) + create mode 100644 tests/server-mem-limit-test.c + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index ee7a3cb..f101d4b 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1244,6 +1244,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs, + if (cur->start <= prev->end) { + prev->end = MAX (prev->end, cur->end); + g_array_remove_index (array, i); ++ i--; + } + } + } +diff --git a/tests/meson.build b/tests/meson.build +index ee118a0..8e7b51d 100644 +--- a/tests/meson.build ++++ b/tests/meson.build +@@ -102,6 +102,7 @@ tests = [ + {'name': 'samesite'}, + {'name': 'session'}, + {'name': 'server-auth'}, ++ {'name': 'server-mem-limit'}, + {'name': 'server'}, + {'name': 'sniffing', + 'depends': [test_resources], +diff --git a/tests/server-mem-limit-test.c b/tests/server-mem-limit-test.c +new file mode 100644 +index 0000000..98f1c40 +--- /dev/null ++++ b/tests/server-mem-limit-test.c +@@ -0,0 +1,144 @@ ++/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */ ++/* ++ * Copyright (C) 2025 Red Hat ++ */ ++ ++#include "test-utils.h" ++ ++#include ++ ++/* ++ This test limits memory usage to trigger too large buffer allocation crash. ++ As restoring the limits back to what it was does not always work, it's split ++ out of the server-test.c test with copied minimal server code. ++ */ ++ ++typedef struct { ++ SoupServer *server; ++ GUri *base_uri, *ssl_base_uri; ++ GSList *handlers; ++} ServerData; ++ ++static void ++server_setup_nohandler (ServerData *sd, gconstpointer test_data) ++{ ++ sd->server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ sd->base_uri = soup_test_server_get_uri (sd->server, "http", NULL); ++ if (tls_available) ++ sd->ssl_base_uri = soup_test_server_get_uri (sd->server, "https", NULL); ++} ++ ++static void ++server_add_handler (ServerData *sd, ++ const char *path, ++ SoupServerCallback callback, ++ gpointer user_data, ++ GDestroyNotify destroy) ++{ ++ soup_server_add_handler (sd->server, path, callback, user_data, destroy); ++ sd->handlers = g_slist_prepend (sd->handlers, g_strdup (path)); ++} ++ ++static void ++server_setup (ServerData *sd, gconstpointer test_data) ++{ ++ server_setup_nohandler (sd, test_data); ++} ++ ++static void ++server_teardown (ServerData *sd, gconstpointer test_data) ++{ ++ GSList *iter; ++ ++ for (iter = sd->handlers; iter; iter = iter->next) ++ soup_server_remove_handler (sd->server, iter->data); ++ g_slist_free_full (sd->handlers, g_free); ++ ++ g_clear_pointer (&sd->server, soup_test_server_quit_unref); ++ g_clear_pointer (&sd->base_uri, g_uri_unref); ++ g_clear_pointer (&sd->ssl_base_uri, g_uri_unref); ++} ++ ++static void ++server_file_callback (SoupServer *server, ++ SoupServerMessage *msg, ++ const char *path, ++ GHashTable *query, ++ gpointer data) ++{ ++ void *mem; ++ ++ g_assert_cmpstr (path, ==, "/file"); ++ g_assert_cmpstr (soup_server_message_get_method (msg), ==, SOUP_METHOD_GET); ++ ++ mem = g_malloc0 (sizeof (char) * 1024 * 1024); ++ /* fedora-scan CI claims a warning about possibly leaked `mem` variable, thus use ++ the copy and free it explicitly, to workaround the false positive; the g_steal_pointer() ++ did not help for the malloc-ed memory */ ++ soup_server_message_set_response (msg, "application/octet-stream", SOUP_MEMORY_COPY, mem, sizeof (char) * 1024 *1024); ++ soup_server_message_set_status (msg, SOUP_STATUS_OK, NULL); ++ g_free (mem); ++} ++ ++static void ++do_ranges_overlaps_test (ServerData *sd, gconstpointer test_data) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ GString *range; ++ GUri *uri; ++ const char *chunk = ",0,0,0,0,0,0,0,0,0,0,0"; ++ ++ g_test_bug ("428"); ++ ++ #ifdef G_OS_WIN32 ++ g_test_skip ("Cannot run under windows"); ++ return; ++ #endif ++ ++ range = g_string_sized_new (99 * 1024); ++ g_string_append (range, "bytes=1024"); ++ while (range->len < 99 * 1024) ++ g_string_append (range, chunk); ++ ++ session = soup_test_session_new (NULL); ++ server_add_handler (sd, "/file", server_file_callback, NULL, NULL); ++ ++ uri = g_uri_parse_relative (sd->base_uri, "/file", SOUP_HTTP_URI_FLAGS, NULL); ++ ++ msg = soup_message_new_from_uri ("GET", uri); ++ soup_message_headers_append (soup_message_get_request_headers (msg), "Range", range->str); ++ ++ soup_test_session_send_message (session, msg); ++ ++ soup_test_assert_message_status (msg, SOUP_STATUS_PARTIAL_CONTENT); ++ ++ g_object_unref (msg); ++ ++ g_string_free (range, TRUE); ++ g_uri_unref (uri); ++ ++ soup_test_session_abort_unref (session); ++} ++ ++int ++main (int argc, char **argv) ++{ ++ int ret; ++ ++ test_init (argc, argv, NULL); ++ ++ #ifndef G_OS_WIN32 ++ struct rlimit new_rlimit = { 1024 * 1024 * 64, 1024 * 1024 * 64 }; ++ /* limit memory usage, to trigger too large memory allocation abort */ ++ g_assert_cmpint (setrlimit (RLIMIT_DATA, &new_rlimit), ==, 0); ++ #endif ++ ++ g_test_add ("/server-mem/range-overlaps", ServerData, NULL, ++ server_setup, do_ranges_overlaps_test, server_teardown); ++ ++ ret = g_test_run (); ++ ++ test_cleanup (); ++ return ret; ++} +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32907-2.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32907-2.patch new file mode 100644 index 00000000000..9c838a55af7 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32907-2.patch @@ -0,0 +1,68 @@ +From f31dfc357ffdd8d18d3593a06cd4acb888eaba70 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Tue, 13 May 2025 14:20:46 +0200 +Subject: [PATCH 2/2] server-mem-limit-test: Limit memory usage only when not + built witha sanitizer + +A build with -Db_sanitize=address crashes with failed mmap(), which is done +inside libasan. The test requires 20.0TB of virtual memory when running with +the sanitizer, which is beyond unsigned integer limits and may not trigger +the bug anyway. + +Part-of: + +CVE: CVE-2025-32907 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452/commits] + +Signed-off-by: Changqing Li +--- + meson.build | 4 ++++ + tests/server-mem-limit-test.c | 13 +++++++++---- + 2 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/meson.build b/meson.build +index d4110da..74323ea 100644 +--- a/meson.build ++++ b/meson.build +@@ -357,6 +357,10 @@ configinc = include_directories('.') + + prefix = get_option('prefix') + ++if get_option('b_sanitize') != 'none' ++ cdata.set_quoted('B_SANITIZE_OPTION', get_option('b_sanitize')) ++endif ++ + cdata.set_quoted('PACKAGE_VERSION', soup_version) + cdata.set_quoted('LOCALEDIR', join_paths(prefix, get_option('localedir'))) + cdata.set_quoted('GETTEXT_PACKAGE', libsoup_api_name) +diff --git a/tests/server-mem-limit-test.c b/tests/server-mem-limit-test.c +index 98f1c40..65dc875 100644 +--- a/tests/server-mem-limit-test.c ++++ b/tests/server-mem-limit-test.c +@@ -126,14 +126,19 @@ main (int argc, char **argv) + { + int ret; + +- test_init (argc, argv, NULL); +- +- #ifndef G_OS_WIN32 +- struct rlimit new_rlimit = { 1024 * 1024 * 64, 1024 * 1024 * 64 }; ++ /* a build with an address sanitizer may crash on mmap() with the limit, ++ thus skip the limit set in such case, even it may not necessarily ++ trigger the bug if it regresses */ ++ #if !defined(G_OS_WIN32) && !defined(B_SANITIZE_OPTION) ++ struct rlimit new_rlimit = { 1024UL * 1024UL * 1024UL * 2UL, 1024UL * 1024UL * 1024UL * 2UL }; + /* limit memory usage, to trigger too large memory allocation abort */ + g_assert_cmpint (setrlimit (RLIMIT_DATA, &new_rlimit), ==, 0); ++ #else ++ g_message ("server-mem-limit-test: Running without memory limit"); + #endif + ++ test_init (argc, argv, NULL); ++ + g_test_add ("/server-mem/range-overlaps", ServerData, NULL, + server_setup, do_ranges_overlaps_test, server_teardown); + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb index d0cd1f436a1..90733a73e85 100644 --- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb +++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb @@ -38,6 +38,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-46420.patch \ file://CVE-2025-4476.patch \ file://CVE-2025-4969.patch \ + file://CVE-2025-32907-1.patch \ + file://CVE-2025-32907-2.patch \ " SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8" From patchwork Wed Jun 18 02:59:38 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 65205 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 59DD9C7115D for ; Wed, 18 Jun 2025 02:59:58 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.37431.1750215593504034261 for ; Tue, 17 Jun 2025 19:59:53 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=82648703cf=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55I0sJPB022283 for ; Wed, 18 Jun 2025 02:59:52 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4790283yr5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 18 Jun 2025 02:59:52 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Tue, 17 Jun 2025 19:59:50 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Tue, 17 Jun 2025 19:59:50 -0700 From: To: Subject: [kirkstone][PATCH V2 04/11] libsoup: fix CVE-2025-32051 Date: Wed, 18 Jun 2025 10:59:38 +0800 Message-ID: <20250618025945.2504711-5-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250618025945.2504711-1-changqing.li@windriver.com> References: <20250618025945.2504711-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDAyNCBTYWx0ZWRfX3H0RxcDB2xES W06vfLYButR0zbalGgUYSTBno/E+mHieICcxN7WnHbAj70g8OFx8XC+43Xef+PZSVEfMHZoT5KC yUONfPjwZzaidp5D1RCCntLn6KvwsD8ImhEtw0qfricg3n4/29Y5iLHj+19Cv3i1POv4B/zAeaG dHZLLNdRpzitfV4jTqWutWzMaqWn0WLNiWc4hN6k48yvaWBzAX4UWw+1u3S+q95wfvXd/M2PWzu Pjs1VFGVyH4DmhcR9EW8CaVPHOA7b126V8zDgW18tmIst3XlJlfZOFYH5Z+e0WOJl6y/6SrRfWh iAMFIv3ekR1ETOoK+NwwycF2JOgttLrjeFzgLUsEXIFH8oBk4ocqcY29l/RvRqa0vwmDFfqF/OZ KanZZq15ml1VefDkApjwKk/o+AmmL3N1Sk11SlQfNi+3rX+5AGe6gx4ncCLtHt7Rh+WpSc+B X-Proofpoint-GUID: 1fVyW25iQXjOz740aOYEyX9Q377_eOJo X-Authority-Analysis: v=2.4 cv=ar2yCTZV c=1 sm=1 tr=0 ts=68522ba8 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=_enOPnqeAAAA:8 a=sfOm8-O8AAAA:8 a=V2sgnzSHAAAA:8 a=lz8H-ZI_o7jANyl0rCQA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=XAbD3I9PDrnSMThV5XoS:22 a=TvTJqdcANYtsRzA46cdi:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-ORIG-GUID: 1fVyW25iQXjOz740aOYEyX9Q377_eOJo X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_01,2025-06-13_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 phishscore=0 mlxscore=0 lowpriorityscore=0 suspectscore=0 priorityscore=1501 malwarescore=0 mlxlogscore=999 impostorscore=0 clxscore=1015 bulkscore=0 adultscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506180024 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 Jun 2025 02:59:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218960 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/401 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup/CVE-2025-32051-1.patch | 29 ++++++++++ .../libsoup/libsoup/CVE-2025-32051-2.patch | 57 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.0.7.bb | 2 + 3 files changed, 88 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32051-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32051-2.patch diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-1.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-1.patch new file mode 100644 index 00000000000..efeda48b11f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-1.patch @@ -0,0 +1,29 @@ +From dc5db30989f385303c79ec3188c52e33f6f5886e Mon Sep 17 00:00:00 2001 +From: Ar Jun +Date: Sat, 16 Nov 2024 11:50:09 -0600 +Subject: [PATCH 1/2] Fix possible NULL deref in soup_uri_decode_data_uri + +CVE: CVE-2025-32051 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/0713ba4a719da938dc8facc89fca99cd0aa3069f] + +Signed-off-by: Changqing Li +--- + libsoup/soup-uri-utils.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c +index be2b79b..0251279 100644 +--- a/libsoup/soup-uri-utils.c ++++ b/libsoup/soup-uri-utils.c +@@ -303,6 +303,8 @@ soup_uri_decode_data_uri (const char *uri, + + uri_string = g_uri_to_string (soup_uri); + g_uri_unref (soup_uri); ++ if (!uri_string) ++ return NULL; + + start = uri_string + 5; + comma = strchr (start, ','); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-2.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-2.patch new file mode 100644 index 00000000000..24c184bb86f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-2.patch @@ -0,0 +1,57 @@ +From 7d1557a60145927806c88d321e8322a9d9f49bb2 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 22 Nov 2024 13:39:51 -0600 +Subject: [PATCH 2/2] soup_uri_decode_data_uri(): Handle URIs with a path + starting with // + +CVE: CVE-2025-32051 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/79cfd65c9bd8024cd45dd725c284766329873709] + +Signed-off-by: Changqing Li +--- + libsoup/soup-uri-utils.c | 8 ++++++++ + tests/uri-parsing-test.c | 2 ++ + 2 files changed, 10 insertions(+) + +diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c +index 0251279..1ff11cd 100644 +--- a/libsoup/soup-uri-utils.c ++++ b/libsoup/soup-uri-utils.c +@@ -286,6 +286,7 @@ soup_uri_decode_data_uri (const char *uri, + gboolean base64 = FALSE; + char *uri_string; + GBytes *bytes; ++ const char *path; + + g_return_val_if_fail (uri != NULL, NULL); + +@@ -301,6 +302,13 @@ soup_uri_decode_data_uri (const char *uri, + if (content_type) + *content_type = NULL; + ++ /* g_uri_to_string() is picky about paths that start with `//` and will assert. */ ++ path = g_uri_get_path (soup_uri); ++ if (path[0] == '/' && path[1] == '/') { ++ g_uri_unref (soup_uri); ++ return NULL; ++ } ++ + uri_string = g_uri_to_string (soup_uri); + g_uri_unref (soup_uri); + if (!uri_string) +diff --git a/tests/uri-parsing-test.c b/tests/uri-parsing-test.c +index 1f16273..418391e 100644 +--- a/tests/uri-parsing-test.c ++++ b/tests/uri-parsing-test.c +@@ -141,6 +141,8 @@ static struct { + { "data:text/plain;base64,aGVsbG8=", "hello", "text/plain" }, + { "data:text/plain;base64,invalid=", "", "text/plain" }, + { "data:,", "", CONTENT_TYPE_DEFAULT }, ++ { "data:.///", NULL, NULL }, ++ { "data:/.//", NULL, NULL }, + }; + + static void +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb index 90733a73e85..be29ff0e5d0 100644 --- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb +++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb @@ -40,6 +40,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-4969.patch \ file://CVE-2025-32907-1.patch \ file://CVE-2025-32907-2.patch \ + file://CVE-2025-32051-1.patch \ + file://CVE-2025-32051-2.patch \ " SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8" From patchwork Wed Jun 18 02:59:39 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 65208 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6B1E3C761AE for ; Wed, 18 Jun 2025 02:59:58 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.37497.1750215594129429271 for ; Tue, 17 Jun 2025 19:59:54 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=82648703cf=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55I0sJPC022283 for ; Wed, 18 Jun 2025 02:59:53 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4790283yr5-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 18 Jun 2025 02:59:53 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Tue, 17 Jun 2025 19:59:51 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Tue, 17 Jun 2025 19:59:51 -0700 From: To: Subject: [kirkstone][PATCH V2 05/11] libsoup: fix CVE-2025-46421 Date: Wed, 18 Jun 2025 10:59:39 +0800 Message-ID: <20250618025945.2504711-6-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250618025945.2504711-1-changqing.li@windriver.com> References: <20250618025945.2504711-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDAyNCBTYWx0ZWRfX+PgVGf4xjn/v m9iefD/aLeRyjePRGdtchSYvl+lscacsQZRpWRkDO1l4NpR7jDS+fVVZJs4MAm5mZNPEcQ/FZ/F p8LtXQatMOBfwh5d6XYO6VJiFIotXkoU0/TbBos3+EniLpugm+BojdKcevW3HtZ5dH8Bdl2lNKK 47IFuGg4+F0fqTVrY/eZ9+m/qm6Lh8qdylNUX7A6Uncrhxhzc94erXBVDAjOTy4CWtt6+WqIxjH yBkfQ9nZXPC5HzQKi10jamLRFviRVDRxHik6haHTTqUA/UA4umejQnfF1TpfzDSeRj26INFacQF c1RCexYC7kWmznbEseU4GYn70NcrTrPYThFLLrupQOzSNO+1pG40sYIHALKwQJ0f3LlOnS1WKZB Da2J5ad5RQxwSPJuBp1TKDMA8Z40dFTKmMjMABxqu6cRW0HbMaVVQ1I0KrUHNiA5dXMdWWmy X-Proofpoint-GUID: r8ii2itingHsyvq4iZcOr_hFlilNWW-T X-Authority-Analysis: v=2.4 cv=ar2yCTZV c=1 sm=1 tr=0 ts=68522ba9 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=_enOPnqeAAAA:8 a=V2sgnzSHAAAA:8 a=QbgcUSsBnVzo0aMhA2UA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=XAbD3I9PDrnSMThV5XoS:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-ORIG-GUID: r8ii2itingHsyvq4iZcOr_hFlilNWW-T X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_01,2025-06-13_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 phishscore=0 mlxscore=0 lowpriorityscore=0 suspectscore=0 priorityscore=1501 malwarescore=0 mlxlogscore=893 impostorscore=0 clxscore=1015 bulkscore=0 adultscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506180024 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 Jun 2025 02:59:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218961 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup/CVE-2025-46421.patch | 139 ++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.0.7.bb | 1 + 2 files changed, 140 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-46421.patch diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-46421.patch new file mode 100644 index 00000000000..72683d8fce5 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-46421.patch @@ -0,0 +1,139 @@ +From 85c5227eef7370832044eb918e8a99c0bcbab86f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 16:18:10 -0600 +Subject: [PATCH] session: Strip authentication credentails on cross-origin + redirect + +This should match the behavior of Firefox and Safari but not of Chromium. + +CVE: CVE-2025-46421 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] + +Signed-off-by: Changqing Li +--- + libsoup/soup-session.c | 6 ++++ + tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 83 insertions(+) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index 631bec0..9f00b05 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1230,6 +1230,12 @@ soup_session_redirect_message (SoupSession *session, + SOUP_ENCODING_NONE); + } + ++ /* Strip all credentials on cross-origin redirect. */ ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { ++ soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION); ++ soup_message_set_auth (msg, NULL); ++ } ++ + soup_message_set_request_host_from_uri (msg, new_uri); + soup_message_set_uri (msg, new_uri); + g_uri_unref (new_uri); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 484097f..7c3b551 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1,6 +1,7 @@ + /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */ + + #include "test-utils.h" ++#include "soup-uri-utils-private.h" + + static const char *base_uri; + static GMainLoop *loop; +@@ -1916,6 +1917,81 @@ do_missing_params_test (gconstpointer auth_header) + soup_test_server_quit_unref (server); + } + ++static void ++redirect_server_callback (SoupServer *server, ++ SoupServerMessage *msg, ++ const char *path, ++ GHashTable *query, ++ gpointer user_data) ++{ ++ static gboolean redirected = FALSE; ++ ++ if (!redirected) { ++ char *redirect_uri = g_uri_to_string (user_data); ++ soup_server_message_set_redirect (msg, SOUP_STATUS_MOVED_PERMANENTLY, redirect_uri); ++ g_free (redirect_uri); ++ redirected = TRUE; ++ return; ++ } ++ ++ g_assert_not_reached (); ++} ++ ++static gboolean ++auth_for_redirect_callback (SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer user_data) ++{ ++ GUri *known_server_uri = user_data; ++ ++ if (!soup_uri_host_equal (known_server_uri, soup_message_get_uri (msg))) ++ return FALSE; ++ ++ soup_auth_authenticate (auth, "user", "good-basic"); ++ ++ return TRUE; ++} ++ ++static void ++do_strip_on_crossorigin_redirect (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupServer *server1, *server2; ++ SoupAuthDomain *auth_domain; ++ GUri *uri; ++ gint status; ++ ++ server1 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ server2 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ ++ /* Both servers have the same credentials. */ ++ auth_domain = soup_auth_domain_basic_new ("realm", "auth-test", "auth-callback", server_basic_auth_callback, NULL); ++ soup_auth_domain_add_path (auth_domain, "/"); ++ soup_server_add_auth_domain (server1, auth_domain); ++ soup_server_add_auth_domain (server2, auth_domain); ++ g_object_unref (auth_domain); ++ ++ /* Server 1 asks for auth, then redirects to Server 2. */ ++ soup_server_add_handler (server1, NULL, ++ redirect_server_callback, ++ soup_test_server_get_uri (server2, "http", NULL), (GDestroyNotify)g_uri_unref); ++ /* Server 2 requires auth. */ ++ soup_server_add_handler (server2, NULL, server_callback, NULL, NULL); ++ ++ session = soup_test_session_new (NULL); ++ uri = soup_test_server_get_uri (server1, "http", NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ /* The client only sends credentials for the host it knows. */ ++ g_signal_connect (msg, "authenticate", G_CALLBACK (auth_for_redirect_callback), uri); ++ ++ status = soup_test_session_send_message (session, msg); ++ ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); ++ ++ g_uri_unref (uri); ++ soup_test_server_quit_unref (server1); ++ soup_test_server_quit_unref (server2); ++} ++ + int + main (int argc, char **argv) + { +@@ -1949,6 +2025,7 @@ main (int argc, char **argv) + g_test_add_func ("/auth/auth-uri", do_auth_uri_test); + g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate); + g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms); ++ g_test_add_func ("/auth/strip-on-crossorigin-redirect", do_strip_on_crossorigin_redirect); + g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb index be29ff0e5d0..49aa28964ca 100644 --- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb +++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb @@ -42,6 +42,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32907-2.patch \ file://CVE-2025-32051-1.patch \ file://CVE-2025-32051-2.patch \ + file://CVE-2025-46421.patch \ " SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8" From patchwork Wed Jun 18 02:59:40 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 65206 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7098DC7115F for ; Wed, 18 Jun 2025 02:59:58 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.37498.1750215594753980918 for ; Tue, 17 Jun 2025 19:59:54 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=82648703cf=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55I0sJPD022283 for ; Wed, 18 Jun 2025 02:59:54 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4790283yr5-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 18 Jun 2025 02:59:53 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Tue, 17 Jun 2025 19:59:52 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Tue, 17 Jun 2025 19:59:52 -0700 From: To: Subject: [kirkstone][PATCH V2 06/11] libsoup: fix CVE-2025-4948 Date: Wed, 18 Jun 2025 10:59:40 +0800 Message-ID: <20250618025945.2504711-7-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250618025945.2504711-1-changqing.li@windriver.com> References: <20250618025945.2504711-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDAyNCBTYWx0ZWRfX2ysECVf4tiUs aanY8CR0O/Q+dV5MIOw7FjzimDaYkUH+YCeB+Zf9Zf7eSWop1y+aPYMiFkCVBwgrTUhLoYc4dai 2ccluNWuDn3vHet/QEjcICFcIz6uZ6ys5lFC2CnR0aUm9n4OmJdUpttMVvjxN+GKTwF0gBVP0fz 4fqexPrLBFeUGdg8im4iLOsOXajdXFGRtxWCYsdbThDlk7DP30JEXBaaUelGnfB16ckvWCblyEQ gnDaFc3spgznnbgJxEV+RPiQdo7PiEl0lb7JGPLhAYTvSGM5T0VuTENzh3pj0DmXlFptlnsexII Bt5g2PYKTlII6N3rNqrcnXERpENOZIuNXOxfw66Oe2W8CjWPdEAEviiFsaj23ifyKP4Yp3JRdtS TbtCLyE3roeNGfxqBrk/V1hEJVZmZMW4Iy1hRBLMMDJWwbJ/j9k5TzqnvuB/ecBXdp5OnIVC X-Proofpoint-GUID: I1sWTIbc8pRoDkoeIJmmscwQiM7XIo2k X-Authority-Analysis: v=2.4 cv=ar2yCTZV c=1 sm=1 tr=0 ts=68522ba9 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=_enOPnqeAAAA:8 a=20KFwNOVAAAA:8 a=o19dcwqJu1wBlOUGTbIA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=XAbD3I9PDrnSMThV5XoS:22 X-Proofpoint-ORIG-GUID: I1sWTIbc8pRoDkoeIJmmscwQiM7XIo2k X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_01,2025-06-13_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 phishscore=0 mlxscore=0 lowpriorityscore=0 suspectscore=0 priorityscore=1501 malwarescore=0 mlxlogscore=767 impostorscore=0 clxscore=1015 bulkscore=0 adultscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506180024 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 Jun 2025 02:59:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218962 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup/CVE-2025-4948.patch | 97 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.0.7.bb | 1 + 2 files changed, 98 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-4948.patch diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-4948.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-4948.patch new file mode 100644 index 00000000000..07c85f53815 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-4948.patch @@ -0,0 +1,97 @@ +From a23ce8f8e60e79990e26376c8b0d40841aed4b81 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Thu, 15 May 2025 17:49:11 +0200 +Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body + +It could happen that the boundary started at a place which resulted into +a negative number, which in an unsigned integer is a very large value. +Check the body size is not a negative value before setting it. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 + +Part-of: + +CVE: CVE-2025-4948 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/diffs?commit_id=f2f28afe0b3b2b3009ab67d6874457ec6bac70c0] + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index e1c442e..27257e4 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + */ + part_body = g_bytes_new_from_bytes (body, // FIXME + split - body_data, +- end - 2 - split); ++ end - 2 >= split ? end - 2 - split : 0); + g_ptr_array_add (multipart->bodies, part_body); + + start = end; +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index 84852e2..2ae888c 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -548,6 +548,45 @@ test_multipart_bounds_bad_2 (void) + g_bytes_unref (bytes); + } + ++static void ++test_multipart_too_large (void) ++{ ++ const char *raw_body = ++ "-------------------\r\n" ++ "-\n" ++ "Cont\"\r\n" ++ "Content-Tynt----e:n\x8erQK\r\n" ++ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n" ++ "Content-Typimag\x01/png--\\\n" ++ "\r\n" ++ "---:\n\r\n" ++ "\r\n" ++ "-------------------------------------\r\n" ++ "---------\r\n" ++ "----------------------"; ++ GBytes *body; ++ GHashTable *params; ++ SoupMessageHeaders *headers; ++ SoupMultipart *multipart; ++ ++ params = g_hash_table_new (g_str_hash, g_str_equal); ++ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------"); ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_set_content_type (headers, "multipart/form-data", params); ++ g_hash_table_unref (params); ++ ++ body = g_bytes_new_static (raw_body, strlen (raw_body)); ++ multipart = soup_multipart_new_from_message (headers, body); ++ soup_message_headers_unref (headers); ++ g_bytes_unref (body); ++ ++ g_assert_nonnull (multipart); ++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1); ++ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body)); ++ g_assert_cmpint (g_bytes_get_size (body), ==, 0); ++ soup_multipart_free (multipart); ++} ++ + int + main (int argc, char **argv) + { +@@ -578,6 +617,7 @@ main (int argc, char **argv) + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); + g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); + g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2); ++ g_test_add_func ("/multipart/too-large", test_multipart_too_large); + + ret = g_test_run (); + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb index 49aa28964ca..3ddcb3e568c 100644 --- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb +++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb @@ -43,6 +43,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32051-1.patch \ file://CVE-2025-32051-2.patch \ file://CVE-2025-46421.patch \ + file://CVE-2025-4948.patch \ " SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8" From patchwork Wed Jun 18 02:59:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 65212 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 741E3C77B7A for ; Wed, 18 Jun 2025 02:59:58 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.37499.1750215595211995128 for ; Tue, 17 Jun 2025 19:59:55 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=82648703cf=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55HNu3Zn030859 for ; Tue, 17 Jun 2025 19:59:55 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4794c3uwxp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 17 Jun 2025 19:59:54 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Tue, 17 Jun 2025 19:59:54 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Tue, 17 Jun 2025 19:59:53 -0700 From: To: Subject: [kirkstone][PATCH V2 07/11] libsoup-2.4: Fix CVE-2025-4969 Date: Wed, 18 Jun 2025 10:59:41 +0800 Message-ID: <20250618025945.2504711-8-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250618025945.2504711-1-changqing.li@windriver.com> References: <20250618025945.2504711-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: XSonAoo8z9au2YHGx-L_xDuYFbsbHICe X-Authority-Analysis: v=2.4 cv=b9Gy4sGx c=1 sm=1 tr=0 ts=68522baa cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=fk1lIlRQAAAA:8 a=_enOPnqeAAAA:8 a=20KFwNOVAAAA:8 a=ExAG2EzZOsbCA4H3ouoA:9 a=U75ogvRika4pmaD_UPO0:22 a=XAbD3I9PDrnSMThV5XoS:22 X-Proofpoint-GUID: XSonAoo8z9au2YHGx-L_xDuYFbsbHICe X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDAyNCBTYWx0ZWRfXztgcLwAoIunJ sCl7jxQ7c6OI4ZHgh2OuE9x85rsj0a3UXGi+CpmWrWde9iRgvpRK6dGWzpTGW6NNn4AqqOFhovZ y57ZQe3I3ViwVgsAuZMIp/etjUhx1h6jHiciFb1X29LsvOdWRlH3U19CcxiX0PYjForkWYCiidt cHEeyC1s2nWXL2GrJpEy7howLPoilXFqUtcsmiBR/kNCqhyknJgNZWrAy4bV+oVH31TFaAGGCsf c7YY0L2/oMex+LTHJS+SgpdkFlQPFdehprU+8wUj5q33liNQiJnt1IpUc5tbVGC1K+WV6CjYW+b tjM9fiiU8h8nA26KMXL3V+BT9eQlfzZ4bcOeJ1+GsRO8ywAxDGfIDUah2/9A8XQq8iWSHTKDShT VHa9uXs8Uk6T3KskDrCToE5uzOp37qiVetORs3KvhWbOLRy43Dnxrl5irwaGd94G6S0n8wlu X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_01,2025-06-13_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 suspectscore=0 spamscore=0 clxscore=1015 impostorscore=0 malwarescore=0 priorityscore=1501 lowpriorityscore=0 bulkscore=0 phishscore=0 mlxlogscore=837 adultscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506180024 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 Jun 2025 02:59:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218963 From: Hitendra Prajapati Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-4969.patch | 76 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.2.bb | 1 + 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch new file mode 100644 index 00000000000..d45b2a2cb06 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch @@ -0,0 +1,76 @@ +From 07b94e27afafebf31ef3cd868866a1e383750086 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 19 May 2025 17:48:27 +0200 +Subject: [PATCH] soup-multipart: Verify array bounds before accessing its + members + +The boundary could be at a place which, calculated, pointed +before the beginning of the array. Check the bounds, to avoid +read out of the array bounds. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086] +CVE: CVE-2025-4969 +Signed-off-by: Hitendra Prajapati +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 22 ++++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index dd93973..b3611db 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -108,7 +108,7 @@ find_boundary (const char *start, const char *end, + continue; + + /* Check that it's at start of line */ +- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r'))) ++ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r'))) + continue; + + /* Check for "--" or "\r\n" after boundary */ +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index 834b181..980eb68 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -562,6 +562,27 @@ test_multipart_bounds_bad (void) + g_bytes_unref (bytes); + } + ++static void ++test_multipart_bounds_bad_2 (void) ++{ ++ SoupMultipart *multipart; ++ SoupMessageHeaders *headers; ++ GBytes *bytes; ++ const char *raw_data = "\n--123\r\nline\r\n--123--\r"; ++ ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\""); ++ ++ bytes = g_bytes_new (raw_data, strlen (raw_data)); ++ ++ multipart = soup_multipart_new_from_message (headers, bytes); ++ g_assert_nonnull (multipart); ++ ++ soup_multipart_free (multipart); ++ soup_message_headers_free (headers); ++ g_bytes_unref (bytes); ++} ++ + int + main (int argc, char **argv) + { +@@ -593,6 +614,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); + g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); ++ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2); + + ret = g_test_run (); + +-- +2.49.0 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb index 61ebebeacd8..11552df80a5 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb @@ -37,6 +37,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32050.patch \ file://CVE-2025-32052.patch \ file://CVE-2025-32053.patch \ + file://CVE-2025-4969.patch \ " SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159" From patchwork Wed Jun 18 02:59:42 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 65209 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7EA49C77B7C for ; Wed, 18 Jun 2025 02:59:58 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.37433.1750215597409338262 for ; Tue, 17 Jun 2025 19:59:57 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=82648703cf=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55I2e21a015709 for ; Wed, 18 Jun 2025 02:59:56 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4790283yrb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 18 Jun 2025 02:59:56 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Tue, 17 Jun 2025 19:59:55 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Tue, 17 Jun 2025 19:59:54 -0700 From: To: Subject: [kirkstone][PATCH V2 08/11] libsoup-2.4: fix CVE-2025-32907 Date: Wed, 18 Jun 2025 10:59:42 +0800 Message-ID: <20250618025945.2504711-9-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250618025945.2504711-1-changqing.li@windriver.com> References: <20250618025945.2504711-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDAyNCBTYWx0ZWRfX/y4S9rYTS15e UeGKiUTHeiL7zsXoXcofa9miZhj8LFO+PUysRjsiYncQi0yGcYmsjVi2uYPPtffgP8OY/7eIe29 ZjoXhcN1kqxpD7u2lzmKnFD5FnO4BEdnsA3qfYkB8Xy8/uhQVbQzVMKpc1p1Q4IXrJYF81YjViJ KvGUgcKLRELJ4IV36p6ars1/oZi6PDRTY1mJtuGktlwhf6/8eksDizRf/RwTDq+TWRQ7vUr9Cfc SBWf5fvtd2NpHb9bZBn2+sa9KIkLBrFOIxmcz8TisexI/m+jDXpxVkl1mHR7DAiqy6Jw6NAlKi3 viOUq2HdBafC4BEodEa+QvjSJi4FAnRA6ElUXuLPZh5Oho+vXL76Vq1gT2OTWZ+FALDMDwqKHRD Glk/WloKcz9UsQKjNWr0fJ5k7Cvk6VHbXjep5FZdFrP6w5JA7P26D6y+NTTA0gelMhlfZc/9 X-Proofpoint-GUID: QUtQIbWY5euV5V4STXd0UUpRjqSmhYbm X-Authority-Analysis: v=2.4 cv=ar2yCTZV c=1 sm=1 tr=0 ts=68522bac cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=_enOPnqeAAAA:8 a=20KFwNOVAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=XAbD3I9PDrnSMThV5XoS:22 X-Proofpoint-ORIG-GUID: QUtQIbWY5euV5V4STXd0UUpRjqSmhYbm X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_01,2025-06-13_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 phishscore=0 mlxscore=0 lowpriorityscore=0 suspectscore=0 priorityscore=1501 malwarescore=0 mlxlogscore=591 impostorscore=0 clxscore=1015 bulkscore=0 adultscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506180024 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 Jun 2025 02:59:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218964 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/428 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-32907.patch | 39 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.2.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch new file mode 100644 index 00000000000..41dd3ff3f42 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch @@ -0,0 +1,39 @@ +From 8158b4084dcba2a233dfcb7359c53ab2840148f7 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Tue, 15 Apr 2025 12:17:39 +0200 +Subject: [PATCH 1/2] soup-message-headers: Correct merge of ranges + +It had been skipping every second range, which generated an array +of a lot of insane ranges, causing large memory usage by the server. + +Closes #428 + +Part-of: + +CVE: CVE-2025-32907 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452/diffs?commit_id=9bb92f7a685e31e10e9e8221d0342280432ce836] + +Test part not applied since test codes use some functions not in this +version + +Signed-off-by: Changqing Li +--- + libsoup/soup-message-headers.c | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 78b2455..00b9763 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1024,6 +1024,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs, + if (cur->start <= prev->end) { + prev->end = MAX (prev->end, cur->end); + g_array_remove_index (array, i); ++ i--; + } + } + } +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb index 11552df80a5..38307fa3d57 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb @@ -38,6 +38,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32052.patch \ file://CVE-2025-32053.patch \ file://CVE-2025-4969.patch \ + file://CVE-2025-32907.patch \ " SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159" From patchwork Wed Jun 18 02:59:43 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 65210 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 845BFC77B73 for ; Wed, 18 Jun 2025 02:59:58 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.37435.1750215598055760692 for ; Tue, 17 Jun 2025 19:59:58 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=82648703cf=changqing.li@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55I2e21b015709 for ; Wed, 18 Jun 2025 02:59:57 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4790283yrb-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 18 Jun 2025 02:59:57 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Tue, 17 Jun 2025 19:59:56 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Tue, 17 Jun 2025 19:59:55 -0700 From: To: Subject: [kirkstone][PATCH V2 09/11] libsoup-2.4: fix CVE-2025-46421 Date: Wed, 18 Jun 2025 10:59:43 +0800 Message-ID: <20250618025945.2504711-10-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250618025945.2504711-1-changqing.li@windriver.com> References: <20250618025945.2504711-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDAyNCBTYWx0ZWRfX3lIky+7mVfPx 58WzuLJV0+WpxMeuypwMUczzk9sTnVML8yXYk8sz8rBWiM/9+4PQ/z6q8d7IBOFHsl6EczzYeR9 hjPPFGko/Jzy/LDkxNoAWZxtZcJyQhqwfIluuR431/SuTo73HinND8c9Z1Y7VoW425YQRd+MO70 cO0I4rAYdbBctkJ9RRMUDXRzHoRJnVKZoZF2mwnaktBXOl45uctF5kZA8jVUBu8WV50BaG6Hfi5 iMXazywuYi5adf6ixHaUCc0Alw23hBuB618wHiMa87WWp2A1K3RfmLysWqbsxS+VUYxRgyo2y+W QI/ei/E8ep2YUZZASMD7Gf4obUHwL+JXJ4LRB0yUonb1/+gAoXhQpBjNmz4Wx2xWbukWQOwlO4N orOj2VIWiZoQcno9+HwJA5nqVyUpN5eMxWkEIn7Z56ldhlDB5O8GXzk8LOIxag5FijVlVTF/ X-Proofpoint-GUID: 3SZTRKhy047lGCA7OV72ilPhIWx3Cl1l X-Authority-Analysis: v=2.4 cv=ar2yCTZV c=1 sm=1 tr=0 ts=68522bad cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=_enOPnqeAAAA:8 a=V2sgnzSHAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=XAbD3I9PDrnSMThV5XoS:22 a=Z31ocT7rh6aUJxSkT1EX:22 X-Proofpoint-ORIG-GUID: 3SZTRKhy047lGCA7OV72ilPhIWx3Cl1l X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_01,2025-06-13_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 phishscore=0 mlxscore=0 lowpriorityscore=0 suspectscore=0 priorityscore=1501 malwarescore=0 mlxlogscore=921 impostorscore=0 clxscore=1015 bulkscore=0 adultscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506180024 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 Jun 2025 02:59:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218965 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-46421.patch | 47 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.2.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch new file mode 100644 index 00000000000..26067c4bb84 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch @@ -0,0 +1,47 @@ +From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 16:18:10 -0600 +Subject: [PATCH] session: Strip authentication credentails on + cross-origin redirect + +This should match the behavior of Firefox and Safari but not of Chromium. + +CVE: CVE-2025-46421 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] + +Test code not added since it included some headers not in version 2.74.3 + +Signed-off-by: Changqing Li +--- + libsoup/soup-session.c | 8 +++++++- + 1 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index 83421ef..8d6ac61 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) + SOUP_ENCODING_NONE); + } + ++ /* Strip all credentials on cross-origin redirect. */ ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { ++ soup_message_headers_remove (msg->request_headers, "Authorization"); ++ soup_message_set_auth (msg, NULL); ++ } ++ + soup_message_set_uri (msg, new_uri); + soup_uri_free (new_uri); + + soup_session_requeue_message (session, msg); + return TRUE; +-} ++} + + static void + redirect_handler (SoupMessage *msg, gpointer user_data) + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb index 38307fa3d57..347fe1aa212 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb @@ -39,6 +39,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32053.patch \ file://CVE-2025-4969.patch \ file://CVE-2025-32907.patch \ + file://CVE-2025-46421.patch \ " SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159" From patchwork Wed Jun 18 02:59:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 65211 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 847A1C7EE24 for ; Wed, 18 Jun 2025 02:59:58 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.37500.1750215598339819721 for ; Tue, 17 Jun 2025 19:59:58 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=82648703cf=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55I206r9016602 for ; Tue, 17 Jun 2025 19:59:58 -0700 Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4794c3uwxq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 17 Jun 2025 19:59:57 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Tue, 17 Jun 2025 19:59:57 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Tue, 17 Jun 2025 19:59:56 -0700 From: To: Subject: [kirkstone][PATCH V2 10/11] libsoup-2.4: fix CVE-2025-4948 Date: Wed, 18 Jun 2025 10:59:44 +0800 Message-ID: <20250618025945.2504711-11-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250618025945.2504711-1-changqing.li@windriver.com> References: <20250618025945.2504711-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: ujQpHsPL8uxhQ1wtDCaw4pkCrtuKEYRK X-Authority-Analysis: v=2.4 cv=b9Gy4sGx c=1 sm=1 tr=0 ts=68522bad cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=_enOPnqeAAAA:8 a=20KFwNOVAAAA:8 a=_9wbE66-DFzY0cZEwEkA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=XAbD3I9PDrnSMThV5XoS:22 X-Proofpoint-GUID: ujQpHsPL8uxhQ1wtDCaw4pkCrtuKEYRK X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDAyNCBTYWx0ZWRfX0z0R1iIX8vFN 9ms6wII5GfeRONpHRQZ711w8oYBcJpY4UxgHSHmUmDzLSJR5/mULJLOTAMM+cZHCRDbZj2yPHjo c4n/BH3AyCgKmC8WnP2K3XUD1Ol6ycu18TvqN2hJxHHwqy3jwX3bMCwv/qNdOpPsgogh9aFfIj1 0/NuSealkold88ADhwbf6/m80kkOZ5V91gEcX7WPE4EJ7D1LBfXwU2ki1BErpijN0BfIP0W4TDJ pcDtWSYaAtIGzHJyT3SOIAzt8/8hhprEn4BnALW/GTEl3TAhmGR8NjRWNqhZQwul6iTXoqlPdR7 r5Hw+vydrcZlmov+VN4dkW/Ef03jeoNFhwrN0AeDRlW6oD79pIMq1NbPwVU01Od9/kljzLGEu1D DeSd2T5FB/SYjwjAFevtTnCKgQYW7Cis8uWA2vYy7dv/g1VRtzF6O+Hi2JfaEmI+6jkp5Y07 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_01,2025-06-13_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 suspectscore=0 spamscore=0 clxscore=1015 impostorscore=0 malwarescore=0 priorityscore=1501 lowpriorityscore=0 bulkscore=0 phishscore=0 mlxlogscore=735 adultscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506180024 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 Jun 2025 02:59:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218966 From: Changqing Li Refer: http://gitlab.gnome.org/GNOME/libsoup/-/issues/449 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-4948.patch | 38 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.2.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch new file mode 100644 index 00000000000..b15b8c763d2 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch @@ -0,0 +1,38 @@ +From dfdc9b3cc73e6fe88cc12792ba00e14642572339 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Thu, 15 May 2025 17:49:11 +0200 +Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body + +It could happen that the boundary started at a place which resulted into +a negative number, which in an unsigned integer is a very large value. +Check the body size is not a negative value before setting it. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 + +Part-of: + +CVE: CVE-2025-4948 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/diffs?commit_id=f2f28afe0b3b2b3009ab67d6874457ec6bac70c0] + +Signed-off-by: Changqing Li +--- + libsoup/soup-multipart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index dd93973..ce2fc10 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + */ + part_body = soup_buffer_new_subbuffer (flattened, + split - flattened->data, +- end - 2 - split); ++ end - 2 >= split ? end - 2 - split : 0); + g_ptr_array_add (multipart->bodies, part_body); + + start = end; +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb index 347fe1aa212..aa2903030d6 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb @@ -40,6 +40,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-4969.patch \ file://CVE-2025-32907.patch \ file://CVE-2025-46421.patch \ + file://CVE-2025-4948.patch \ " SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159" From patchwork Wed Jun 18 02:59:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 65213 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8A29BC71157 for ; Wed, 18 Jun 2025 03:00:08 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.37436.1750215600530289988 for ; Tue, 17 Jun 2025 20:00:00 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=82648703cf=changqing.li@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55I2xxKi009128; Wed, 18 Jun 2025 02:59:59 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 478xa1m2h8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 18 Jun 2025 02:59:59 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Tue, 17 Jun 2025 19:59:58 -0700 Received: from pek-lpg-core6.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Tue, 17 Jun 2025 19:59:57 -0700 From: To: Subject: [kirkstone][PATCH V2 11/11] libsoup-2.4: fix CVE-2025-4476 Date: Wed, 18 Jun 2025 10:59:45 +0800 Message-ID: <20250618025945.2504711-12-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250618025945.2504711-1-changqing.li@windriver.com> References: <20250618025945.2504711-1-changqing.li@windriver.com> MIME-Version: 1.0 X-Authority-Analysis: v=2.4 cv=PuiTbxM3 c=1 sm=1 tr=0 ts=68522baf cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=6IFa9wvqVegA:10 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=_enOPnqeAAAA:8 a=eXHZBV4ZpkldoAy6WkEA:9 a=+jEqtf1s3R9VXZ0wqowq2kgwd+I=:19 a=FdTzh2GWekK77mhwV6Dw:22 a=XAbD3I9PDrnSMThV5XoS:22 X-Proofpoint-ORIG-GUID: eBmBkj-BTbyLqlclRGZOZCipKsfNK5WD X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDAyNCBTYWx0ZWRfX95yUgCnfTJnt xXoZzrxXvvobmgTafEVVbZoalqnoWTEVbiIkCewZcq1qCaizEOHWxeiqn0dp9mWbrWrOCdw6jl9 vNn6gbfTHVkIIhTIJnQq7P1eFrrOjldXg4vtHdyiclnxb7LkpeID+BOfIOSmBoXhaLl26H9jXle Yy4cibQtcyQ4kCL3lykZHdn/R5niZI1QMkcAr8mzLJ9/lPvrhgClOdkvClQCRLadlVSiqXkl1P3 CMiozCOOzXAIapEpcjEGxvsjVjEEhzQYsVWQqSbJ9MAcI6gkISVhbvf/TKN6lPDDkr4XBg45/H1 4HiVqVZjveSGmohET27UTPxGkM42CGRqgdI4lZ7yu0hsvpgHrKvvEzHKAOx1Adont0IUUpNgk2q w+Y10Kvrf9QVVHZuYi5o6L6f19LDU1P+B3zqTHblYbH3QD3HXJnt5D5W2s3UejOy8lCr/87d X-Proofpoint-GUID: eBmBkj-BTbyLqlclRGZOZCipKsfNK5WD X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_01,2025-06-13_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 adultscore=0 bulkscore=0 phishscore=0 suspectscore=0 mlxlogscore=911 lowpriorityscore=0 priorityscore=1501 impostorscore=0 mlxscore=0 malwarescore=0 clxscore=1015 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506180024 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 Jun 2025 03:00:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218967 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/440 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-4476.patch | 38 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.2.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch new file mode 100644 index 00000000000..874f62e7ad5 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch @@ -0,0 +1,38 @@ +From 52a0f9234d384b9dab368835b22e5a5a01542168 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 16 May 2025 14:16:10 +0800 +Subject: [PATCH] auth-digest: fix crash in + soup_auth_digest_get_protection_space() + +We need to validate the Domain parameter in the WWW-Authenticate header. + +Unfortunately this crash only occurs when listening on default ports 80 +and 443, so there's no good way to test for this. The test would require +running as root. + +Fixes #440 + +CVE: CVE-2025-4476 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c?merge_request_iid=457] + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index f1621ec..a2dc560 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -229,7 +229,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, SoupURI *source_uri) + uri = soup_uri_new (d); + if (uri && uri->scheme == source_uri->scheme && + uri->port == source_uri->port && +- !strcmp (uri->host, source_uri->host)) ++ !g_strcmp0 (uri->host, source_uri->host)) + dir = g_strdup (uri->path); + else + dir = NULL; +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb index aa2903030d6..686e3b67208 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb @@ -41,6 +41,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32907.patch \ file://CVE-2025-46421.patch \ file://CVE-2025-4948.patch \ + file://CVE-2025-4476.patch \ " SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"