From patchwork Wed Apr 29 06:15:30 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 87088 X-Patchwork-Delegate: fabien.thomas@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B150AFF8867 for ; Wed, 29 Apr 2026 06:16:03 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.5393.1777443357380005585 for ; Tue, 28 Apr 2026 23:15:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=fd0+rYcP; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=9579970def=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 63T4hm0G3687161 for ; Tue, 28 Apr 2026 23:15:57 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to; s=PPS06212021; bh=fXrDvpiatgaQAEaLw91R MvWRI4MzWsD9OXEaVfsFYTA=; b=fd0+rYcPVvYblJBnfyNx4nSROHJeeR07so3p 29fpOMuMh0kecP/V/ICIbfPLoW9CMzqxJ+Llm1wA0fPH2uWzv7UeVJs9IBpQegPk aqsiJqyBPS9pIrlWFSk2GcOgLDFc2utO4UzHNSzC+pb9tEWbw2891RNdBp9/pzWH My7XSPgKIa/r9+XfL42qdjXfv6ZP0VAsCSc/z8HuGTGp7pyTtoebvyGZZjjuzsw8 CN/oFHN8scYwV36HYhL7orJooVJbLAQXhjmt0B4UpaJgfUar8XP/d67RjGqczUGD 5S46/qnhjPEB1ZV3lkxVmtcLh04v9PGoDVHDBEEum+3z1B9Zgw== Received: from byapr05cu005.outbound.protection.outlook.com (mail-westusazon11010017.outbound.protection.outlook.com [52.101.85.17]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4drrw2vaqr-2 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT) for ; Tue, 28 Apr 2026 23:15:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=fuzsvc8TurAABEFft4Y0vEjo0Hz/zW0qnTMZLFORlUYZuEtIWogaRo4n7BbfZKZyiAQtvg4rR6VopdG0xz/5FbL6qrm4m38647kH2BploMzt98nmmiTCLiUK5SeRabEHdgcWChWu76sN2fcN0hrIiQd8GqtM841CGZoIRbz0/XcTfQklVkqQvBAUOrhf6COQcDdc5L/i+kG3YT5+rdSrv6JFp7iul7PR0JiQMJHZpNfxjxwRuZFFF5N8zcCLD/IdU50kFrDHb9TRNzMOfh1RxI9JQQWqBgCGMdywcBJhzOpjDuEvdlgzCDLTozfkOflvvTkPW/78xuLQhi+qTqnSTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=fXrDvpiatgaQAEaLw91RMvWRI4MzWsD9OXEaVfsFYTA=; b=PYbF6Locu9ZljOj+/F4Zaf1pxw34Wbcx7LB6OvYkBDEZVVgXJP3WHENU+re4BP/CSFhi2UeuxZF05JHEuEcVCV684m3PrAGiPlIEwvt7MBGFLL7vqfONelRNGWTroMYaOfF6I+8FwmI1ySr215O6Ht56dySB2WXqDm52JQ3eewEJ2XPZ9+tYBgboY72guh08KZbRXKO0JqPy7j4b/1v2puGZKb6SO/8AYOKs5tptRo8k2Elmm476jhW+NUKHx8tb1n9SIXDR33yTrD+s5I+sMnBRcWSZgcP9ZaAI6PM0OlIxuU0vtRZxaSJhmh5YxixZxDx/600J+fhDzhbbFYEI9Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from DS0PR11MB7312.namprd11.prod.outlook.com (2603:10b6:8:11f::18) by LV8PR11MB8535.namprd11.prod.outlook.com (2603:10b6:408:1ed::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9870.16; Wed, 29 Apr 2026 06:15:49 +0000 Received: from DS0PR11MB7312.namprd11.prod.outlook.com ([fe80::531e:6ef5:812b:48f6]) by DS0PR11MB7312.namprd11.prod.outlook.com ([fe80::531e:6ef5:812b:48f6%5]) with mapi id 15.20.9870.020; Wed, 29 Apr 2026 06:15:49 +0000 From: Changqing Li To: openembedded-core@lists.openembedded.org Subject: [scarthgap][PATCH 1/4] libsoup: fix CVE-2025-14523 Date: Wed, 29 Apr 2026 14:15:30 +0800 Message-Id: <20260429061533.858115-1-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 X-ClientProxiedBy: SI2PR02CA0054.apcprd02.prod.outlook.com (2603:1096:4:196::13) To DS0PR11MB7312.namprd11.prod.outlook.com (2603:10b6:8:11f::18) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DS0PR11MB7312:EE_|LV8PR11MB8535:EE_ X-MS-Office365-Filtering-Correlation-Id: 0d4eab5d-2b5b-4630-4c6c-08dea5b6c213 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|52116014|376014|366016|38350700014|13003099007|56012099003|18002099003; X-Microsoft-Antispam-Message-Info: YZqB8AZ0cKe1h7wEYz83Ga8axpHT3DsD+p0O1crr7YD3LMX408ger33E8iSwFPiJTXek1EQO0f9XouB6b3u81YfVVIw6cEdDD+1/zAHdzOeAxCKhQSbh5Jj3GhOeL2fLj1k2fEHYI0iO0kv6xkDrIWXPgECYVxaf2oo8hzsU5nN74duh6B5pjnKTmbhqVQpv+yEov2xUfHG6vEe92zaptqf6oJUIKtMFRe7K5xyR+dehhxjcTnUTmq63suP/BnjrYnh4KV4AZL4/9xL4kslqfM4jvUVWGeGB/dXDPV5t/QY5iDAO8tBrxkD8Di8E4IqUnL1kwuYF/Ws0HcTnsXPbhBFFn4c3JBdxtbwGoiIIgPxh615gMJYUeB2r87DJNZO2vUNqzzE87wePUuVmwini0k9BG+eHkf9r6awQTKE/6cRLU807UNAS8SZq00E4duqgGZ5mHOLzdoQPk31Tzj6W0kThB+H3S5Y8jt/zK/FmkD+YP/mGjJE9cjxFpg4lZVN//9TT0+71X/H9YJZrartHqvvo99FBP77iF+qTlYTZhgMoOOSqCJLAdeBRxCDen4DRyxtyGOAdPuz6cBInDmEKfH98p+qpTiPRQgL/vbOtWeGMOBqQKq7Ekjc1IqfMWu5gGwWTXD/CvAUPW/38GLnYLmT+j86fnzLm3iCX2G0fLGYxEjYABJvnAKwt0BcA8WwYeOvk4CF2ymXOo+IQN2LnJnRTVw+uD9gnpzTRaJWl/8nxS0rXXNbpwYqjV5xrhh3l X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DS0PR11MB7312.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(52116014)(376014)(366016)(38350700014)(13003099007)(56012099003)(18002099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 0NBDqyXSpntrD2OsugVBNKJi5Mb2GVd8JsxuSSYsg/5LTazfjGzdbq/TVLNYHq70lXID1CHxLyDx2abF71y4VRxFC8JfzJyWwnGViD7sz8siP8+qSOHqhUdLAFY1DupeBzOinOEotgp64uXD7OV4W660Mzjw346L9jQQ+2DTjJYusgYPFsgqHhPxGemOAFjv0ld362XT8NPHMrIfVR6pLSLkSaD3lSKhsAWrm7zEACn1bkFtgg2JJRKIia2QzMImzYN3KJbXF6eZnL4cDz+ptC+QnjGfzvmy3A9+KjhRoI0+TwjD/lFvQvSED/tzeFFxx2QMQ4+4ZVcmeB/XBhSYvXvAK2/L3SpXP0p+CsyTVUxvai39MmPDxV/K0WihQ+4W1wONd1VUHUyLNogYDEYQ23U4ARd0j0ptOOWQY8W9H1pK3JxcwAkBIhA5KUw18svSAuze6McmH9m1RWqUjUDcuv4rZ+5eBMz91lkeFAQ3mwf/PJcwKbcGTTyzJ7AHtzOOzENjBmdGLbMypEE8T+fUYU2KV+Vz/e8MIckwiFBsNxAphe0XYyuBFwXgW99L8qVkAlSQjMvGs9UcDyzJ0MKI4UyT32Ewl4jw41Mhyj7ZM4oO36v9Oeb3fP93VNuGDOAnqK4DY+ayAUx+Ph85eLlljKwsBrqZdPfwh3dYHjWKWOMNmdaeSRgyG7FaLB9jcF37OciZGwIcg/gBr99ptDnBZRaKz54wZR084Z48HDIDkJWYwwF7nALcSK0Xo3mw9QYykvJQD2vjBU8yXUQAHhbeOnbL7fHsbPs5gfHYx68qlOnIa6u0ZhXE/TgLPUEZvXvWvrEzvXXPYqWkC5bltz0FYO2kavlRNz/gq2ArSYXmNbQYYNl12HDiMKx8Wlfz2biwEbGRhCa+FKnLE1YbVJl3ENWZ7W5tvlWCcJiXPrtXEFNXItPYVv7Tj3RTUcX+JAcuU3sz8npQzepsFeGRHxQ+yeK+ggOD1z3yUtNFdWrNaoCobEqYlkwoqtwf5cwcqcsuz8HoglRhTZxCl937TeEMXu4rqL/HJ0RRlo3LKTAmAh0XSOWLDrJvifBSkX7y4x2sjyWEqgrmCCHNZX+PPAggJ7e+PHP425VL/Qj3EpdzXUtiD8gLSoj1yQMNpKjLB8I2iIBk+xD/BAECgpSF8DRJ+6f0QRN9c+pwzj4B6+29YvuPxkcJEvN2ToaYzKFYTLQLbjpjI86e95xXRl0tRbqMwC4hfptIl9632Ub2mWwQoEweTWYrLL+5k30Tx//GCgKyV1YI74iEqv7I9bLHde2lDS0B9nGkdyQXznVYsgDJVdTOWUkl/nT5y9Yb6DYDcIKpm5/OS5IVOz6TkBOSQdEeQUGMGtHTHDQ0MwkfF2afD7i3d0s5BLlbUrmjJe3lF3qgPV4w9aAnpCwEET2LKXOX88S5zr57K7uj08pg86iWPNAUCLe8k36gcmNOGItTIB6j+5ibpKbsZ5EqiSy4CpqYHdnxDGkadPgSq5KxTxDzcHRUYOPkiAqjVmH2SKkQbgRQ9Rkbsz6q/8RPyscepAYdfJ6aBB8P4/M1FxHxfm/z/AzG9OLbn19d597xkoHaTRhR22Ni4sPZyTgy0040XSKqPT3dp9XIOs369BR8a69pzZo6TX0d9MJQPvnN36KsOFrxQ44WgCLVyZCsMMfcjI5xx+nUlpwdFFTV60JU78Zi8PQVld8uPxPdmsVOFQsOqUhMs277PY6LPcN3ZnlK61jeXQVCAi+aFT0/QdtHzKbC9Ls= X-Exchange-RoutingPolicyChecked: OoPmxNiWCbubY1o1iPtNqFjcwG/v/lASfRHs3ayv2g91ct3pUs+dU+hkU5uBrFldJkTpV/9qrPcHNl9eqhS4/iOcIwMa+scGFrKD2oAKzHsnFph6GSUzQ2BJf4wtLTm4OLK9XwU/uSY+zPLqu6f07tw7dvx6kj8k90Ouu/ti6lMpNEO0+aScydzwiCDQFhFaLAVlg3GN91Kp+jWR7RgdiOmT08jfHV6QG4EslkpmJr213NyO8J55+EazysjrXs11Sh+gcWFIDaQjEOg0RlnMLIEB4l6XpEbedFtAtibmkmCSQFw7LU6umm7ugjkHWGD7fMB7PWfQaWmSxr0UoaDOOw== X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: 0d4eab5d-2b5b-4630-4c6c-08dea5b6c213 X-MS-Exchange-CrossTenant-AuthSource: DS0PR11MB7312.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Apr 2026 06:15:49.6032 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: L7wbq5hc34Ogtg9Qd7s8i61x556AJVLX2FizSpKQp3W3H6RUaywd7jl05p1f7QjnHhrsdcKfegrJnDVNBe82zrc0yWey2D2ZpmFyp+3rMwI= X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV8PR11MB8535 X-Proofpoint-GUID: nnfPj-7_iwJ8OKpmbvk_6l6e_4CrwmSN X-Proofpoint-ORIG-GUID: nnfPj-7_iwJ8OKpmbvk_6l6e_4CrwmSN X-Authority-Analysis: v=2.4 cv=Pu+jqQM3 c=1 sm=1 tr=0 ts=69f1a21c cx=c_pps a=+9lCAQqCkh6G/pz+5LnHJg==:117 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19 a=z/mQ4Ysz8XfWz/Q5cLBRGdckG28=:19 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19 a=xqWC_Br6kY4A:10 a=A5OVakUREuEA:10 a=VkNPw1HP01LnGYTKEx00:22 a=bi6dqmuHe4P4UrxVR6um:22 a=HK-ge7EqtdluswH-FwHe:22 a=GHR8O2WEAAAA:20 a=A1X0JdhQAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=QIhr-27iAAAA:8 a=Gw6MPTbC6v1-z_N7XooA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=cgaYBWEFosGJW4rWv5Lf:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNDI5MDA1OCBTYWx0ZWRfXyOSCwYDTJuDY J9dSsaeUcKd1xVsMXUf36dSqS50Wk+Lr1H1R3+5v2fkJzCF2tOSwifJg+uUsLGsGJNBz1y/YUfh myQuFm1V+DSAqq5Uv0LyIMdmIQJvaOm6bc/Px4FAqjmb6fh0hsKPiB9S8en9oVgMi54W5B5eF22 5EHaXKsf3fBnb6P5MTW04JF9U8uDkVpVMCGCL0tFCJz8lvSpktUd2wXgs7Pw4yf+NCVCpcAUUNY hcfrwQyAqeXri+3TYqNG2oLXafVeRfZJHe1jwWd2MkzvWddOPP2oPKEaLHtZU0DEOro9oMbDRkw 75MTMVlsnuLC68ugiA8qWl+hf3pWFtp7s4EBLHSbsmVLchAV1YEMs/OcaVlaud+dNUEYq29ZSWk YXiT+ZCcKh5RmyzWO6PaV82wOH8aXinM6+zgskcu0x5LOEB0z1og2Q/mk9iZ6yXayTzxWfsWNlO rA019sOAPLAYCD4y+8Q== X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-04-28_05,2026-04-28_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 lowpriorityscore=0 spamscore=0 clxscore=1015 impostorscore=0 suspectscore=0 priorityscore=1501 adultscore=0 phishscore=0 bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2604200000 definitions=main-2604290058 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 29 Apr 2026 06:16:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236077 Refer: https://gitlab.gnome.org/GNOME/libsoup/-/work_items/472 Signed-off-by: Changqing Li --- .../libsoup-3.4.4/CVE-2025-14523.patch | 715 ++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 716 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch new file mode 100644 index 0000000000..1cf5c9d667 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch @@ -0,0 +1,715 @@ +From 70123da95418f5d6e00e8ac2d586fb6c5d02cdc6 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Wed, 7 Jan 2026 14:50:33 -0600 +Subject: [PATCH] Reject duplicate Host headers + +RFC 9112 section 3.2 says: + +A server MUST respond with a 400 (Bad Request) status code to any +HTTP/1.1 request message that lacks a Host header field and to any +request message that contains more than one Host header field line or a +Host header field with an invalid field value. + +In addition to rejecting a duplicate header when parsing headers, also +reject attempts to add the duplicate header using the +soup_message_headers_append() API, and add tests for both cases. + +These checks will also apply to HTTP/2. I'm not sure whether this is +actually desired or not, but the header processing code is not aware of +which HTTP version is in use. + +(Note that while SoupMessageHeaders does not require the Host header to +be present in an HTTP/1.1 request, SoupServer itself does. So we can't +test the case of missing Host header via the header parsing test, but it +really is enforced.) + +Fixes #472 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/aecd8daadc110f8561fb2d6b2806a4cacf2e4c85] +CVE: CVE-2025-14523 + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 3 +- + libsoup/soup-message-headers-private.h | 4 +- + libsoup/soup-message-headers.c | 80 +++++++------ + tests/header-parsing-test.c | 148 +++++++++++++++++-------- + 4 files changed, 153 insertions(+), 82 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 155c11d..3fec9b3 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -139,7 +139,8 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + for (p = strchr (value, '\r'); p; p = strchr (p, '\r')) + *p = ' '; + +- soup_message_headers_append_untrusted_data (dest, name, value); ++ if (!soup_message_headers_append_untrusted_data (dest, name, value)) ++ goto done; + } + success = TRUE; + +diff --git a/libsoup/soup-message-headers-private.h b/libsoup/soup-message-headers-private.h +index 9815464..770f3ef 100644 +--- a/libsoup/soup-message-headers-private.h ++++ b/libsoup/soup-message-headers-private.h +@@ -10,10 +10,10 @@ + + G_BEGIN_DECLS + +-void soup_message_headers_append_untrusted_data (SoupMessageHeaders *hdrs, ++gboolean soup_message_headers_append_untrusted_data (SoupMessageHeaders *hdrs, + const char *name, + const char *value); +-void soup_message_headers_append_common (SoupMessageHeaders *hdrs, ++gboolean soup_message_headers_append_common (SoupMessageHeaders *hdrs, + SoupHeaderName name, + const char *value); + const char *soup_message_headers_get_one_common (SoupMessageHeaders *hdrs, +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index d69d6e8..ce4b3b3 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -267,12 +267,16 @@ soup_message_headers_clean_connection_headers (SoupMessageHeaders *hdrs) + soup_header_free_list (tokens); + } + +-void ++gboolean + soup_message_headers_append_common (SoupMessageHeaders *hdrs, + SoupHeaderName name, + const char *value) + { + SoupCommonHeader header; ++ if (name == SOUP_HEADER_HOST && soup_message_headers_get_one (hdrs, "Host")) { ++ g_warning ("soup_message_headers_append_common: Rejecting duplicate Host header"); ++ return FALSE; ++ } + + if (!hdrs->common_headers) + hdrs->common_headers = g_array_sized_new (FALSE, FALSE, sizeof (SoupCommonHeader), 6); +@@ -284,32 +288,18 @@ soup_message_headers_append_common (SoupMessageHeaders *hdrs, + g_hash_table_remove (hdrs->common_concat, GUINT_TO_POINTER (header.name)); + + soup_message_headers_set (hdrs, name, value); ++ return TRUE; + } + +-/** +- * soup_message_headers_append: +- * @hdrs: a #SoupMessageHeaders +- * @name: the header name to add +- * @value: the new value of @name +- * +- * Appends a new header with name @name and value @value to @hdrs. +- * +- * (If there is an existing header with name @name, then this creates a second +- * one, which is only allowed for list-valued headers; see also +- * [method@MessageHeaders.replace].) +- * +- * The caller is expected to make sure that @name and @value are +- * syntactically correct. +- **/ +-void +-soup_message_headers_append (SoupMessageHeaders *hdrs, +- const char *name, const char *value) ++static gboolean ++soup_message_headers_append_internal (SoupMessageHeaders *hdrs, ++ const char *name, const char *value) + { + SoupUncommonHeader header; + SoupHeaderName header_name; + +- g_return_if_fail (name != NULL); +- g_return_if_fail (value != NULL); ++ g_return_val_if_fail (name != NULL, FALSE); ++ g_return_val_if_fail (value != NULL, FALSE); + + /* Setting a syntactically invalid header name or value is + * considered to be a programming error. However, it can also +@@ -317,23 +307,22 @@ soup_message_headers_append (SoupMessageHeaders *hdrs, + * compiled with G_DISABLE_CHECKS. + */ + #ifndef G_DISABLE_CHECKS +- g_return_if_fail (*name && strpbrk (name, " \t\r\n:") == NULL); +- g_return_if_fail (strpbrk (value, "\r\n") == NULL); ++ g_return_val_if_fail (*name && strpbrk (name, " \t\r\n:") == NULL, FALSE); ++ g_return_val_if_fail (strpbrk (value, "\r\n") == NULL, FALSE); + #else + if (*name && strpbrk (name, " \t\r\n:")) { +- g_warning ("soup_message_headers_append: Ignoring bad name '%s'", name); +- return; ++ g_warning ("soup_message_headers_append: Rejecting bad name '%s'", name); ++ return FALSE; + } + if (strpbrk (value, "\r\n")) { +- g_warning ("soup_message_headers_append: Ignoring bad value '%s'", value); +- return; ++ g_warning ("soup_message_headers_append: Rejecting bad value '%s'", value); ++ return FALSE; + } + #endif + + header_name = soup_header_name_from_string (name); + if (header_name != SOUP_HEADER_UNKNOWN) { +- soup_message_headers_append_common (hdrs, header_name, value); +- return; ++ return soup_message_headers_append_common (hdrs, header_name, value); + } + + if (!hdrs->uncommon_headers) +@@ -344,21 +333,48 @@ soup_message_headers_append (SoupMessageHeaders *hdrs, + g_array_append_val (hdrs->uncommon_headers, header); + if (hdrs->uncommon_concat) + g_hash_table_remove (hdrs->uncommon_concat, header.name); ++ return TRUE; ++} ++ ++/** ++ * soup_message_headers_append: ++ * @hdrs: a #SoupMessageHeaders ++ * @name: the header name to add ++ * @value: the new value of @name ++ * ++ * Appends a new header with name @name and value @value to @hdrs. ++ * ++ * (If there is an existing header with name @name, then this creates a second ++ * one, which is only allowed for list-valued headers; see also ++ * [method@MessageHeaders.replace].) ++ * ++ * The caller is expected to make sure that @name and @value are ++ * syntactically correct. ++ **/ ++void ++soup_message_headers_append (SoupMessageHeaders *hdrs, ++ const char *name, const char *value) ++{ ++ soup_message_headers_append_internal (hdrs, name, value); + } + + /* +- * Appends a header value ensuring that it is valid UTF8. ++ * Appends a header value ensuring that it is valid UTF-8, and also checking the ++ * return value of soup_message_headers_append_internal() to report whether the ++ * headers are invalid for various other reasons. + */ +-void ++gboolean + soup_message_headers_append_untrusted_data (SoupMessageHeaders *hdrs, + const char *name, + const char *value) + { + char *safe_value = g_utf8_make_valid (value, -1); + char *safe_name = g_utf8_make_valid (name, -1); +- soup_message_headers_append (hdrs, safe_name, safe_value); ++ gboolean result = soup_message_headers_append_internal (hdrs, safe_name, safe_value); ++ + g_free (safe_value); + g_free (safe_name); ++ return result; + } + + void +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 9490559..98a22a4 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -24,6 +24,7 @@ static struct RequestTest { + const char *method, *path; + SoupHTTPVersion version; + Header headers[10]; ++ GLogLevelFlags log_flags; + } reqtests[] = { + /**********************/ + /*** VALID REQUESTS ***/ +@@ -33,7 +34,7 @@ static struct RequestTest { + "GET / HTTP/1.0\r\n", -1, + SOUP_STATUS_OK, + "GET", "/", SOUP_HTTP_1_0, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Req w/ 1 header", NULL, +@@ -42,7 +43,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header, no leading whitespace", NULL, +@@ -51,7 +52,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header including trailing whitespace", NULL, +@@ -60,7 +61,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header, wrapped", NULL, +@@ -69,7 +70,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header, wrapped with additional whitespace", NULL, +@@ -78,7 +79,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header, wrapped with tab", NULL, +@@ -87,7 +88,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header, wrapped before value", NULL, +@@ -96,7 +97,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header with empty value", NULL, +@@ -105,7 +106,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 2 headers", NULL, +@@ -115,7 +116,7 @@ static struct RequestTest { + { { "Host", "example.com" }, + { "Connection", "close" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 3 headers", NULL, +@@ -126,7 +127,7 @@ static struct RequestTest { + { "Connection", "close" }, + { "Blah", "blah" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 3 headers, 1st wrapped", NULL, +@@ -137,7 +138,7 @@ static struct RequestTest { + { "Foo", "bar baz" }, + { "Blah", "blah" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 3 headers, 2nd wrapped", NULL, +@@ -148,7 +149,7 @@ static struct RequestTest { + { "Blah", "blah" }, + { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 3 headers, 3rd wrapped", NULL, +@@ -159,7 +160,7 @@ static struct RequestTest { + { "Blah", "blah" }, + { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ same header multiple times", NULL, +@@ -168,7 +169,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Foo", "bar, baz, quux" }, + { NULL } +- } ++ }, 0 + }, + + { "Connection header on HTTP/1.0 message", NULL, +@@ -178,21 +179,21 @@ static struct RequestTest { + { { "Connection", "Bar, Quux" }, + { "Foo", "bar" }, + { NULL } +- } ++ }, 0 + }, + + { "GET with full URI", "667637", + "GET http://example.com HTTP/1.1\r\n", -1, + SOUP_STATUS_OK, + "GET", "http://example.com", SOUP_HTTP_1_1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "GET with full URI in upper-case", "667637", + "GET HTTP://example.com HTTP/1.1\r\n", -1, + SOUP_STATUS_OK, + "GET", "HTTP://example.com", SOUP_HTTP_1_1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + /* It's better for this to be passed through: this means a SoupServer +@@ -202,7 +203,7 @@ static struct RequestTest { + "GET AbOuT: HTTP/1.1\r\n", -1, + SOUP_STATUS_OK, + "GET", "AbOuT:", SOUP_HTTP_1_1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + /****************************/ +@@ -217,7 +218,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + /* RFC 2616 section 3.1 says we MUST accept this */ +@@ -228,7 +229,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + /* RFC 2616 section 19.3 says we SHOULD accept these */ +@@ -240,7 +241,7 @@ static struct RequestTest { + { { "Host", "example.com" }, + { "Connection", "close" }, + { NULL } +- } ++ }, 0 + }, + + { "LF instead of CRLF after Request-Line", NULL, +@@ -249,7 +250,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + { "Mixed CRLF/LF", "666316", +@@ -261,7 +262,7 @@ static struct RequestTest { + { "e", "f" }, + { "g", "h" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ incorrect whitespace in Request-Line", NULL, +@@ -270,7 +271,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ incorrect whitespace after Request-Line", "475169", +@@ -279,7 +280,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + /* If the request/status line is parseable, then we +@@ -293,7 +294,7 @@ static struct RequestTest { + { { "Host", "example.com" }, + { "Bar", "two" }, + { NULL } +- } ++ }, 0 + }, + + { "First header line is continuation", "666316", +@@ -303,7 +304,7 @@ static struct RequestTest { + { { "Host", "example.com" }, + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + { "Zero-length header name", "666316", +@@ -313,7 +314,7 @@ static struct RequestTest { + { { "a", "b" }, + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + { "CR in header name", "666316", +@@ -323,7 +324,7 @@ static struct RequestTest { + { { "a", "b" }, + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + { "CR in header value", "666316", +@@ -336,7 +337,7 @@ static struct RequestTest { + { "s", "t" }, /* CR at end is ignored */ + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + { "Tab in header name", "666316", +@@ -351,7 +352,7 @@ static struct RequestTest { + { "p", "q z: w" }, + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + { "Tab in header value", "666316", +@@ -364,7 +365,7 @@ static struct RequestTest { + { "z", "w" }, /* trailing tab ignored */ + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + /************************/ +@@ -375,77 +376,77 @@ static struct RequestTest { + "GET /\r\n", -1, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "HTTP 1.2 request (no such thing)", NULL, + "GET / HTTP/1.2\r\n", -1, + SOUP_STATUS_HTTP_VERSION_NOT_SUPPORTED, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "HTTP 2000 request (no such thing)", NULL, + "GET / HTTP/2000.0\r\n", -1, + SOUP_STATUS_HTTP_VERSION_NOT_SUPPORTED, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", + unterminated_http_version, sizeof (unterminated_http_version), + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Non-HTTP request", NULL, + "GET / SOUP/1.1\r\nHost: example.com\r\n", -1, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Junk after Request-Line", NULL, + "GET / HTTP/1.1 blah\r\nHost: example.com\r\n", -1, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "NUL in Method", NULL, + "G\x00T / HTTP/1.1\r\nHost: example.com\r\n", 37, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "NUL at beginning of Method", "666316", + "\x00 / HTTP/1.1\r\nHost: example.com\r\n", 35, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "NUL in Path", NULL, + "GET /\x00 HTTP/1.1\r\nHost: example.com\r\n", 38, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "No terminating CRLF", NULL, + "GET / HTTP/1.1\r\nHost: example.com", -1, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Unrecognized expectation", NULL, + "GET / HTTP/1.1\r\nHost: example.com\r\nExpect: the-impossible\r\n", -1, + SOUP_STATUS_EXPECTATION_FAILED, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 +@@ -453,21 +454,40 @@ static struct RequestTest { + "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "NUL in header value", NULL, + "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Only newlines", NULL, + only_newlines, sizeof (only_newlines), + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 ++ }, ++ { "Duplicate Host headers", ++ "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472", ++ "GET / HTTP/1.1\r\nHost: example.com\r\nHost: example.org\r\n", ++ -1, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } }, ++ G_LOG_LEVEL_WARNING ++ }, ++ ++ { "Duplicate Host headers, case insensitive", ++ "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472", ++ "GET / HTTP/1.1\r\nHost: example.com\r\nhost: example.org\r\n", ++ -1, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } }, ++ G_LOG_LEVEL_WARNING + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +@@ -915,10 +935,17 @@ do_request_tests (void) + len = strlen (reqtests[i].request); + else + len = reqtests[i].length; ++ ++ if (reqtests[i].log_flags) ++ g_test_expect_message ("libsoup", reqtests[i].log_flags, "*"); ++ + status = soup_headers_parse_request (reqtests[i].request, len, + headers, &method, &path, + &version); + g_assert_cmpint (status, ==, reqtests[i].status); ++ if (reqtests[i].log_flags) ++ g_test_assert_expected_messages (); ++ + if (SOUP_STATUS_IS_SUCCESSFUL (status)) { + g_assert_cmpstr (method, ==, reqtests[i].method); + g_assert_cmpstr (path, ==, reqtests[i].path); +@@ -1312,6 +1339,32 @@ do_bad_header_tests (void) + soup_message_headers_unref (hdrs); + } + ++static void ++do_append_duplicate_host_test (void) ++{ ++ SoupMessageHeaders *hdrs; ++ const char *list_value; ++ ++ hdrs = soup_message_headers_new (SOUP_MESSAGE_HEADERS_REQUEST); ++ soup_message_headers_append (hdrs, "Host", "a"); ++ ++ g_test_expect_message ("libsoup", G_LOG_LEVEL_WARNING, ++ "soup_message_headers_append_common: Rejecting duplicate Host header"); ++ soup_message_headers_append (hdrs, "Host", "b"); ++ g_test_assert_expected_messages (); ++ ++ /* Case insensitive */ ++ g_test_expect_message ("libsoup", G_LOG_LEVEL_WARNING, ++ "soup_message_headers_append_common: Rejecting duplicate Host header"); ++ soup_message_headers_append (hdrs, "host", "b"); ++ g_test_assert_expected_messages (); ++ ++ list_value = soup_message_headers_get_list (hdrs, "Host"); ++ g_assert_cmpstr (list_value, ==, "a"); ++ ++ soup_message_headers_unref (hdrs); ++} ++ + int + main (int argc, char **argv) + { +@@ -1327,6 +1380,7 @@ main (int argc, char **argv) + g_test_add_func ("/header-parsing/content-type", do_content_type_tests); + g_test_add_func ("/header-parsing/append-param", do_append_param_tests); + g_test_add_func ("/header-parsing/bad", do_bad_header_tests); ++ g_test_add_func ("/header-parsing/append-duplicate-host", do_append_duplicate_host_test); + + ret = g_test_run (); + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index c09b06fec2..6be31806f1 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -46,6 +46,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-2784.patch \ file://CVE-2025-4945.patch \ file://CVE-2025-12105.patch \ + file://CVE-2025-14523.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Apr 29 06:15:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 87090 X-Patchwork-Delegate: fabien.thomas@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D27B4FF8873 for ; Wed, 29 Apr 2026 06:16:03 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.5392.1777443356722910237 for ; Tue, 28 Apr 2026 23:15:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=dxrZ0mgD; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=9579970def=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 63T4hm0F3687161 for ; Tue, 28 Apr 2026 23:15:56 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=AP6XhXlXF4Y0L0oA66zLnts1PpGu/yMdUesxzty3NGQ=; b=dxrZ0mgDwovr eYKbgeTcjvHNbuuJ5C2q/h7DLtXYCnRdTop6esnxwRfaybkPSbXMOl36owCkrpDx cpnjwIT5+NWygkc9HoGFgodUxxczoMtUieMCmIS/u2/hiJi+Bm93LMp0ZnaoVqio sMe6iRpuiMu83pfQU53iE/3lwH4X1xMrJjRRt7ouz/Dr8onY1QcNBA4uVe07Ptvl 4Xhu4H7D6Q2OXpShcoR3r+FqQlrpbP8amkN6t3cmLcyw7f4LmeNQVdE2M1N9NnEJ tf18S2NWUI202zlWMWsR4hLQAskZ5ipxxuasizgPtxR1v2mWsdlNFzQbD8uyhzqI tCCxtjl7+A== Received: from byapr05cu005.outbound.protection.outlook.com (mail-westusazon11010017.outbound.protection.outlook.com [52.101.85.17]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4drrw2vaqr-1 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT) for ; Tue, 28 Apr 2026 23:15:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=hny++jGgIFo4hrN/oiVX/1Naqjv46f1aLBxlpR1jCrO89QJMMtYC3v90ZAXauStSw01uGUQNKkgSeTkAkKIYnbatcyVetamk41FdGlM/kfBdurKYQhUokvgH0kvQmVnWou7Af1S31gGM3f++ahsWV9S6EgoqkodbrcMuV2//WJ/k+PTsHyttGda/XubtTk7AkecKIibqFjviSQnLQmYOqiB4yYrsnx7LZQMBLG4ikDu+7b68/qvM8Gn559NPu6PSNhaNlc6eQO4oGG3b9d9tMVjCCgc049fCRDyLaXdqbGOvx1fh2SXXErzpsBaXX0y+wb+KNhAdd/OJA+BgyBisLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=AP6XhXlXF4Y0L0oA66zLnts1PpGu/yMdUesxzty3NGQ=; b=cltTrAfKfqwgdmAlRcg4fq+xXfn2hrCXmYDD42wK7jm/NBNnS+6xFMkIakWwabj3LY737Q+pmkTYtTv7GowKDK1thfgjw5olLrMvFl4h6xpITBIWB8DAdDH73GjbhRpX2BXRK4KgB1f6wP+BFYWHVh+fYxsC2w2v3zNr/JxWZF04UU51wBy2Xp05XIuezdazhK6YiDH0rA5e6TnmiFUuO4RCT5pW8xsfUCBr684ZMooGnRhmv5Y3ZcPDPr1M+1c3rA/BXWsMbMPKzpmLjDDj1x8Rp46mWUQuq+vqbIpC23b/gjxccw8uygu+j0QuqZVe5a8X3TCHIQUPOry8sq0l6g== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from DS0PR11MB7312.namprd11.prod.outlook.com (2603:10b6:8:11f::18) by LV8PR11MB8535.namprd11.prod.outlook.com (2603:10b6:408:1ed::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9870.16; Wed, 29 Apr 2026 06:15:51 +0000 Received: from DS0PR11MB7312.namprd11.prod.outlook.com ([fe80::531e:6ef5:812b:48f6]) by DS0PR11MB7312.namprd11.prod.outlook.com ([fe80::531e:6ef5:812b:48f6%5]) with mapi id 15.20.9870.020; Wed, 29 Apr 2026 06:15:51 +0000 From: Changqing Li To: openembedded-core@lists.openembedded.org Subject: [scarthgap][PATCH 2/4] libsoup: fix CVE-2025-32049 Date: Wed, 29 Apr 2026 14:15:31 +0800 Message-Id: <20260429061533.858115-2-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260429061533.858115-1-changqing.li@windriver.com> References: <20260429061533.858115-1-changqing.li@windriver.com> X-ClientProxiedBy: SI2PR02CA0054.apcprd02.prod.outlook.com (2603:1096:4:196::13) To DS0PR11MB7312.namprd11.prod.outlook.com (2603:10b6:8:11f::18) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DS0PR11MB7312:EE_|LV8PR11MB8535:EE_ X-MS-Office365-Filtering-Correlation-Id: bf5bfa31-14d5-487e-05e0-08dea5b6c30e X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|52116014|376014|366016|38350700014|56012099003|22082099003|18002099003; X-Microsoft-Antispam-Message-Info: E+344I3XCm0uw0ITbWAnK4zk9oFgiWGi8Q2MlaFMnkA/Tx4wDYBRJLsSBoOp9w3NxWoa7YcAFuygr2hjDBHt5r8axUbg1n2XZP9OVR38sya1p9KDxdmoa/I7sgKn9lKmXHL18ubEQqGiqD9+6tF8GrLr1Kp0Capv9biX4FUsiR1XJPe5BhN2801/gKGTWzOOFB86RTELFOkFsaHDb5Tl6WMPSkMfRd1MY5k7Bwe1GzLkZC0tTbJyAaSWbezP4tu+gP/uMpUO6MhPl6dm3JuKBoYL4B4jbiOg5O0KUKVA6PRYtYd3/SAPg4XIb4jNdIti2ahre1d13nKsWNlAOSll7P45OoHvudecY1WZqhoKl28OS6oWx0xWAyjWpKyKghbD9VOwik5hv6o0z+p/4N8D+RHzR2h82W07l4t4yCXYvGEXa71ffdjFBo+Iw77zeo4xKcrF7DrURSKii2DYaQjxK+HBe7MeIjG5sQrFUzer+jJ4MN8iffkSeiNl2Y9hnWb2zXKqgYCQtfBJpE+48f+O8JWK51OIQWxIG9DQTOmWWUTpnhaR8+cAgy5+K1Bkt3QkocDeW/03Cp4tXllYe4mm3om+5e0RfKUqAPa88rMP6pcjp7liMGQcTmXi89SA2A296bPsilvYyRMI+LwIF297Ihc9tr1PWXw0eIqRzgKxIaBG+CuGTg48bxwB2qmFsxwRWDTTm6DPWvXCW2t0aBsRUEbUYnE1lpXGiLSGwnGl/voWWWYPQfyybz9SWWW553Nz X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DS0PR11MB7312.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(52116014)(376014)(366016)(38350700014)(56012099003)(22082099003)(18002099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: WRaK+jZYZ52jnR3VoFJC/ov3t/FeExWmbsyJMt/cYvaMdX3SoKdWqGNoT83xNes94PcbXtFFf/Vs40Qa4QX6/v+Wt2Qm1dM9MPceMDDvHY1W7CpJmN7mFAPRbFbsvutzSKr7ivzpY6ryFZgITiN7jLhsBs+rDFLEt/9/1gEM4+YjL8py8zQnYCDiy0D6oWdC1FnUgoSFCESCrWWSh7M6YHOHPzDZsDcmoUNLz/6UeVrPXgOaW9oK2oQs7xGmnx+3ZLP62VM9bd8rql37ZoMFZ3HNy6SmSUc0BVvXvWQJiMBVchKxoQyeToZVJUz8S1Klh2mBQywwLZqdn0dBMusV8s7KPB/mZElzRgi0SzQGGPZfugI7pND9MEIs9XPELUoYS6I/HF0B0CectYlm8NBtk783CYuklB2G16goPg1sx8hGDYMnX8yVjVNS8xbCFDmXhgX9Ycq69YTN26Tclih6TOoLThWgsfLEZJod0YOgqxU6XJQwpHay9Vu85XXV4ciBCbAfCbRQhEfX5A1uMzPGxNssyOA9MsFtnvhQkNcsvHvfvYKECJcAKge20pU4soCjFQqN7Oq4XB6OqlSolhTtNuc/03OnB19Yq2RdT3xmJnvqyFig1RJRaezYTpYfuy7sudKsD5sylSLahCM6mHHwu0QS1Uu1//yVqa2iJ4nZFih25dFIw6oq+2pw/FnawoUfkUaAQqOsHtTGtlD/AhZsiRjgjE+LUhfTaaWrZ3P2qB4IN0YrzMqeoyTAv9rr6I3q5TFmTpBu1UtMp+k7cjtc3dHv97nmZIFaR3SUw7Bx5aYxalqSurTCeWPFxvKY3wT2+j8HFc8wpPzGaxfjiCUlMjvafM+Oc506i6UV4bfN7+VVinDQCPmEvKmEt/EBfvlDujMCOA6H7RBQFi1GlLb6bD/L30cWp83SsA97XcychH2qZkc5oFW7n4Pek+p2jn6NIGXb/CQWoIdhrS0pTvaWKXn6+nWSBaOfjBG/rsekf1YFUiHheOLSqUvRe6GWsnATTSGPTVuWxJonUTYduUgtm7SNPtkzdkEFapYxp67vzILV+WnCjBfzd9DsTuUl+x+edaFJv2Ie02QinBx/cE1UkHAqvbR+7zXpGJPPgeHFC+XTDNuQDrOYtHpmT6qPd+8hdS69Faa5mmLwO9Ge/hNJUpbqYZYF7ZOiN98mU5WO+pB3z6JFL3mASwFcJuAcHlfrUvnOzMdv5dQTMLweCVScrYwKqUSAuXCoJu3hhnuy+b0+6XiGd2cip36vSaCTUFpo9A9x2xqGmpSicyxlqjpXDhtvzFXHlM8iybYf3EeWtolczCxC+Os+OGERnGnYhzcTrcoiUdJf3ZJD05ay4sBpXbTBhyElvU9RQcdrCnX8VFf+nMQ47wSGEXJh86AyeaTNFZmGGRsjYlMiNwX7D6W8Tfl0sdcyLlK4eZjJwPpKbV+5SEOV91IRUWChiN77aqu9RezaFALI31rOHuKekDrO45xUdwtlsqe/HbzlmH7VjIrqxuU84aCK21/n4Dwe3ZcKzFaDArz1Uap0MpIiHzrQRh1b53PkyAxoUlNyE7U0Ae1h5p/SLbCTc8E+dUc4vOSNnRF3WNXqAHRQfZFcWsqnGnNkHJIO2/UonKrGtrfHJpwmotFpVt6MuZsJorC5JxE9VsuVbWXMYL/M7VIM66ft8ibmSpSkz6zhaFjiJThmd6VmRzMaEtOZ9ENPd5tlhju5Ni53vdFVd5O+VQ2ltzS84nXEIM46aUMKIuSnsydkqwE= X-Exchange-RoutingPolicyChecked: VPBfqa9KeOlvEKc9YFYlK/3W/p+YaA64GFc5nF1VeccUtzK9Y05pi1SwHf4LeyXQ+edFgnjXUQMf6nYL40yjA3ZtJKzNe0/0fYzLeXx+SPjXOFEV1hhXuZptbyb2hUegEi3W2GznD+w/mQRR5t7W7nU1x0PUuN+KhIqDxV5SIdppjSzSeIsS8koE0E0xLvbmhQ+3V1rGo2J+T/tlmObcm7TOMDAWaHBJ+vlmuy9o1yh7N7ueTW5Gpd4wCJrmpj7fs9exHKE3S9b1cz4OBMsw17Xssgiqu/nkQPHaC8vSE7/eiKfvE3Gi2ltbgJI3fHxvwHgb7GuDIK3aQJi2w5QprA== X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: bf5bfa31-14d5-487e-05e0-08dea5b6c30e X-MS-Exchange-CrossTenant-AuthSource: DS0PR11MB7312.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Apr 2026 06:15:51.1768 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: NOKquozjAWoD3uhVbN/wuQrpPN8sGofnSyifLWd1OC+/xlLfKOs4y1PFD96C30LhqlRHIpXo7cljfEp5iqGQFNscsskNmkAXk39qds+loGs= X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV8PR11MB8535 X-Proofpoint-GUID: 2oGgXUhnJVgKXr9DwXzx_tuCZOQqpcwN X-Proofpoint-ORIG-GUID: 2oGgXUhnJVgKXr9DwXzx_tuCZOQqpcwN X-Authority-Analysis: v=2.4 cv=Pu+jqQM3 c=1 sm=1 tr=0 ts=69f1a21c cx=c_pps a=+9lCAQqCkh6G/pz+5LnHJg==:117 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19 a=z/mQ4Ysz8XfWz/Q5cLBRGdckG28=:19 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19 a=xqWC_Br6kY4A:10 a=A5OVakUREuEA:10 a=VkNPw1HP01LnGYTKEx00:22 a=bi6dqmuHe4P4UrxVR6um:22 a=HK-ge7EqtdluswH-FwHe:22 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=vggBfdFIAAAA:8 a=20KFwNOVAAAA:8 a=Lez6CERpBNXRBGNPCzgA:9 a=cnOIiujR4QmY3nRb:21 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNDI5MDA1OCBTYWx0ZWRfX2TIMOm4X/czx PybbEf2mu4e7a863g3t6WXy7tpmM5qDf6BEi+mzeR+eVkSuakwOX5AETgi5G7LiTwCQCXQwDTn8 VkhumsBL9wVlYuXbyyr+FPATVPG2KwLCSvy2L6PQIIAxsaVAH2D4YqBs1QfX5gWucRzcMKsoMZB OpLKegMXIZGaz3G80gNOGOltunG7auTHLvcT618m1ffeuB2FbmXdenVUonEHQYddOjC+8J7pCwT t9guVmpdFd48fz6mUQ79WVfum+X9dp5XmKPRRhf1cHOBtNvciz03JBvxKlnaickADkR4K8ONeGI ODcgYGSRr20QksdglLb5QT0JfSPyUTbYfVznCoZdUQkNXRRYfYZgSnGvyeW+ewFulk455O8FZml fdgs9XRYmVONuX1gFN5xdcT4gE1Uob9MKDylw/r/Dd1qU+padBVI3ftpVTAR2s1g7nO8bfRQ7Yw EUKb1tJ0jFLlciDv7Yg== X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-04-28_05,2026-04-28_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 lowpriorityscore=0 spamscore=0 clxscore=1015 impostorscore=0 suspectscore=0 priorityscore=1501 adultscore=0 phishscore=0 bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2604200000 definitions=main-2604290058 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 29 Apr 2026 06:16:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236078 Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/390 Signed-off-by: Changqing Li --- .../libsoup-3.4.4/CVE-2025-32049-1.patch | 229 ++++++++++++++ .../libsoup-3.4.4/CVE-2025-32049-2.patch | 34 ++ .../libsoup-3.4.4/CVE-2025-32049-3.patch | 134 ++++++++ .../libsoup-3.4.4/CVE-2025-32049-4.patch | 292 ++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 4 + 5 files changed, 693 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch new file mode 100644 index 0000000000..0772c759dc --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch @@ -0,0 +1,229 @@ +From 176cb31003252a69d3fc7908e8f505c0ee006b7a Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro +Date: Wed, 24 Jul 2024 15:20:35 +0200 +Subject: [PATCH 1/4] websocket: add a way to restrict the total message size + +Otherwise a client could send small packages smaller than +total-incoming-payload-size but still to break the server +with a big allocation + +Fixes: #390 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/db87805ab565d67533dfed2cb409dbfd63c7fdce] +CVE: CVE-2025-32049 + +Signed-off-by: Changqing Li +--- + libsoup/websocket/soup-websocket-connection.c | 107 +++++++++++++++++- + libsoup/websocket/soup-websocket-connection.h | 7 ++ + 2 files changed, 110 insertions(+), 4 deletions(-) + +diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c +index 5eb8150..19bdd39 100644 +--- a/libsoup/websocket/soup-websocket-connection.c ++++ b/libsoup/websocket/soup-websocket-connection.c +@@ -84,7 +84,7 @@ enum { + PROP_MAX_INCOMING_PAYLOAD_SIZE, + PROP_KEEPALIVE_INTERVAL, + PROP_EXTENSIONS, +- ++ PROP_MAX_TOTAL_MESSAGE_SIZE, + LAST_PROPERTY + }; + +@@ -126,6 +126,7 @@ typedef struct { + char *origin; + char *protocol; + guint64 max_incoming_payload_size; ++ guint64 max_total_message_size; + guint keepalive_interval; + + gushort peer_close_code; +@@ -156,6 +157,7 @@ typedef struct { + } SoupWebsocketConnectionPrivate; + + #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT 128 * 1024 ++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 + #define READ_BUFFER_SIZE 1024 + #define MASK_LENGTH 4 + +@@ -670,8 +672,8 @@ bad_data_error_and_close (SoupWebsocketConnection *self) + } + + static void +-too_big_error_and_close (SoupWebsocketConnection *self, +- guint64 payload_len) ++too_big_incoming_payload_error_and_close (SoupWebsocketConnection *self, ++ guint64 payload_len) + { + SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self); + GError *error; +@@ -687,6 +689,24 @@ too_big_error_and_close (SoupWebsocketConnection *self, + emit_error_and_close (self, error, TRUE); + } + ++static void ++too_big_message_error_and_close (SoupWebsocketConnection *self, ++ guint64 len) ++{ ++ SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self); ++ GError *error; ++ ++ error = g_error_new_literal (SOUP_WEBSOCKET_ERROR, ++ SOUP_WEBSOCKET_CLOSE_TOO_BIG, ++ priv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ? ++ "Received WebSocket payload from the client larger than configured max-total-message-size" : ++ "Received WebSocket payload from the server larger than configured max-total-message-size"); ++ g_debug ("%s received message of size %" G_GUINT64_FORMAT " or greater, but max supported size is %" G_GUINT64_FORMAT, ++ priv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ? "server" : "client", ++ len, priv->max_total_message_size); ++ emit_error_and_close (self, error, TRUE); ++} ++ + static void + close_connection (SoupWebsocketConnection *self, + gushort code, +@@ -918,6 +938,12 @@ process_contents (SoupWebsocketConnection *self, + switch (priv->message_opcode) { + case 0x01: + case 0x02: ++ /* Safety valve */ ++ if (priv->max_total_message_size > 0 && ++ (priv->message_data->len + payload_len) > priv->max_total_message_size) { ++ too_big_message_error_and_close (self, (priv->message_data->len + payload_len)); ++ return; ++ } + g_byte_array_append (priv->message_data, payload, payload_len); + break; + default: +@@ -1056,7 +1082,7 @@ process_frame (SoupWebsocketConnection *self) + /* Safety valve */ + if (priv->max_incoming_payload_size > 0 && + payload_len > priv->max_incoming_payload_size) { +- too_big_error_and_close (self, payload_len); ++ too_big_incoming_payload_error_and_close (self, payload_len); + return FALSE; + } + +@@ -1363,6 +1389,10 @@ soup_websocket_connection_get_property (GObject *object, + g_value_set_pointer (value, priv->extensions); + break; + ++ case PROP_MAX_TOTAL_MESSAGE_SIZE: ++ g_value_set_uint64 (value, priv->max_total_message_size); ++ break; ++ + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; +@@ -1416,6 +1446,10 @@ soup_websocket_connection_set_property (GObject *object, + priv->extensions = g_value_get_pointer (value); + break; + ++ case PROP_MAX_TOTAL_MESSAGE_SIZE: ++ priv->max_total_message_size = g_value_get_uint64 (value); ++ break; ++ + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; +@@ -1628,6 +1662,26 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + G_PARAM_CONSTRUCT_ONLY | + G_PARAM_STATIC_STRINGS); + ++ /** ++ * SoupWebsocketConnection:max-total-message-size: ++ * ++ * The total message size for incoming packets. ++ * ++ * The protocol expects or 0 to not limit it. ++ * ++ * Since: 3.8 ++ */ ++ properties[PROP_MAX_TOTAL_MESSAGE_SIZE] = ++ g_param_spec_uint64 ("max-total-message-size", ++ "Max total message size", ++ "Max total message size ", ++ 0, ++ G_MAXUINT64, ++ MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ G_PARAM_READWRITE | ++ G_PARAM_CONSTRUCT | ++ G_PARAM_STATIC_STRINGS); ++ + g_object_class_install_properties (gobject_class, LAST_PROPERTY, properties); + + /** +@@ -2111,6 +2165,51 @@ soup_websocket_connection_set_max_incoming_payload_size (SoupWebsocketConnection + } + } + ++/** ++ * soup_websocket_connection_get_max_total_message_size: ++ * @self: the WebSocket ++ * ++ * Gets the maximum total message size allowed for packets. ++ * ++ * Returns: the maximum total message size. ++ * ++ * Since: 3.8 ++ */ ++guint64 ++soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *self) ++{ ++ SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self); ++ ++ g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT); ++ ++ return priv->max_total_message_size; ++} ++ ++/** ++ * soup_websocket_connection_set_max_total_message_size: ++ * @self: the WebSocket ++ * @max_total_message_size: the maximum total message size ++ * ++ * Sets the maximum total message size allowed for packets. ++ * ++ * It does not limit the outgoing packet size. ++ * ++ * Since: 3.8 ++ */ ++void ++soup_websocket_connection_set_max_total_message_size (SoupWebsocketConnection *self, ++ guint64 max_total_message_size) ++{ ++ SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self); ++ ++ g_return_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self)); ++ ++ if (priv->max_total_message_size != max_total_message_size) { ++ priv->max_total_message_size = max_total_message_size; ++ g_object_notify_by_pspec (G_OBJECT (self), properties[PROP_MAX_TOTAL_MESSAGE_SIZE]); ++ } ++} ++ + /** + * soup_websocket_connection_get_keepalive_interval: + * @self: the WebSocket +diff --git a/libsoup/websocket/soup-websocket-connection.h b/libsoup/websocket/soup-websocket-connection.h +index eeb093d..922de56 100644 +--- a/libsoup/websocket/soup-websocket-connection.h ++++ b/libsoup/websocket/soup-websocket-connection.h +@@ -88,6 +88,13 @@ SOUP_AVAILABLE_IN_ALL + void soup_websocket_connection_set_max_incoming_payload_size (SoupWebsocketConnection *self, + guint64 max_incoming_payload_size); + ++SOUP_AVAILABLE_IN_3_0 ++guint64 soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *self); ++ ++SOUP_AVAILABLE_IN_3_0 ++void soup_websocket_connection_set_max_total_message_size (SoupWebsocketConnection *self, ++ guint64 max_total_message_size); ++ + SOUP_AVAILABLE_IN_ALL + guint soup_websocket_connection_get_keepalive_interval (SoupWebsocketConnection *self); + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch new file mode 100644 index 0000000000..6f00fabfdb --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch @@ -0,0 +1,34 @@ +From 81eb7cf7422878f0b78b833a3b741f734502921f Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro +Date: Fri, 20 Sep 2024 12:12:38 +0200 +Subject: [PATCH 2/4] websocket-test: set the total message size + +This is required when sending a big amount of data + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4904a46a2d9a014efa6be01a186ac353dbf5047b] +CVE: CVE-2025-32049 + +Signed-off-by: Changqing Li +--- + tests/websocket-test.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tests/websocket-test.c b/tests/websocket-test.c +index a0b8334..827b041 100644 +--- a/tests/websocket-test.c ++++ b/tests/websocket-test.c +@@ -567,6 +567,11 @@ test_send_big_packets (Test *test, + soup_websocket_connection_set_max_incoming_payload_size (test->server, 1000 * 1000 + 1); + g_assert (soup_websocket_connection_get_max_incoming_payload_size (test->server) == (1000 * 1000 + 1)); + ++ soup_websocket_connection_set_max_total_message_size (test->client, 1000 * 1000 + 1); ++ g_assert (soup_websocket_connection_get_max_total_message_size (test->client) == (1000 * 1000 + 1)); ++ soup_websocket_connection_set_max_total_message_size (test->server, 1000 * 1000 + 1); ++ g_assert (soup_websocket_connection_get_max_total_message_size (test->server) == (1000 * 1000 + 1)); ++ + sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); + soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); + WAIT_UNTIL (received != NULL); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch new file mode 100644 index 0000000000..29fb0d7ddb --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch @@ -0,0 +1,134 @@ +From 25616e1a958bc1503cc24d6845a6e80ffc287727 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 8 May 2025 16:16:25 -0500 +Subject: [PATCH] Set message size limit in SoupServer rather than + SoupWebsocketConnection + +We're not sure about the compatibility implications of having a default +size limit for clients. + +Also not sure whether the server limit is actually set appropriately, +but there is probably very little server usage of +SoupWebsocketConnection in the wild, so it's not so likely to break +things. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/2df34d9544cabdbfdedd3b36f098cf69233b1df7] +CVE: CVE-2025-32049 + +Signed-off-by: Changqing Li +--- + libsoup/server/soup-server.c | 24 +++++++++++++---- + libsoup/websocket/soup-websocket-connection.c | 26 +++++++++++++------ + 2 files changed, 37 insertions(+), 13 deletions(-) + +diff --git a/libsoup/server/soup-server.c b/libsoup/server/soup-server.c +index 6b486f5..c779f7d 100644 +--- a/libsoup/server/soup-server.c ++++ b/libsoup/server/soup-server.c +@@ -186,6 +186,16 @@ static GParamSpec *properties[LAST_PROPERTY] = { NULL, }; + + G_DEFINE_TYPE_WITH_PRIVATE (SoupServer, soup_server, G_TYPE_OBJECT) + ++/* SoupWebsocketConnection by default limits only maximum packet size. But a ++ * message may consist of multiple packets, so SoupServer additionally restricts ++ * total message size to mitigate denial of service attacks on the server. ++ * SoupWebsocketConnection does not do this by default because I don't know ++ * whether that would or would not cause compatibility problems for websites. ++ * ++ * This size is in bytes and it is arbitrary. ++ */ ++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 ++ + static void request_finished (SoupServerMessage *msg, + SoupMessageIOCompletion completion, + SoupServer *server); +@@ -937,11 +947,15 @@ complete_websocket_upgrade (SoupServer *server, + + g_object_ref (msg); + stream = soup_server_message_steal_connection (msg); +- conn = soup_websocket_connection_new (stream, uri, +- SOUP_WEBSOCKET_CONNECTION_SERVER, +- soup_message_headers_get_one_common (soup_server_message_get_request_headers (msg), SOUP_HEADER_ORIGIN), +- soup_message_headers_get_one_common (soup_server_message_get_response_headers (msg), SOUP_HEADER_SEC_WEBSOCKET_PROTOCOL), +- handler->websocket_extensions); ++ conn = SOUP_WEBSOCKET_CONNECTION (g_object_new (SOUP_TYPE_WEBSOCKET_CONNECTION, ++ "io-stream", stream, ++ "uri", uri, ++ "connection-type", SOUP_WEBSOCKET_CONNECTION_SERVER, ++ "origin", soup_message_headers_get_one_common (soup_server_message_get_request_headers (msg), SOUP_HEADER_ORIGIN), ++ "protocol", soup_message_headers_get_one_common (soup_server_message_get_response_headers (msg), SOUP_HEADER_SEC_WEBSOCKET_PROTOCOL), ++ "extensions", handler->websocket_extensions, ++ "max-total-message-size", (guint64)MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ NULL)); + handler->websocket_extensions = NULL; + g_object_unref (stream); + +diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c +index 26476df..cbb1b72 100644 +--- a/libsoup/websocket/soup-websocket-connection.c ++++ b/libsoup/websocket/soup-websocket-connection.c +@@ -149,7 +149,6 @@ typedef struct { + } SoupWebsocketConnectionPrivate; + + #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT 128 * 1024 +-#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 + #define READ_BUFFER_SIZE 1024 + #define MASK_LENGTH 4 + +@@ -1612,9 +1611,10 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + /** + * SoupWebsocketConnection:max-incoming-payload-size: + * +- * The maximum payload size for incoming packets. +- * +- * The protocol expects or 0 to not limit it. ++ * The maximum payload size for incoming packets, or 0 to not limit it. ++ * ++ * Each message may consist of multiple packets, so also refer to ++ * [property@WebSocketConnection:max-total-message-size]. + */ + properties[PROP_MAX_INCOMING_PAYLOAD_SIZE] = + g_param_spec_uint64 ("max-incoming-payload-size", +@@ -1662,9 +1662,19 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + /** + * SoupWebsocketConnection:max-total-message-size: + * +- * The total message size for incoming packets. ++ * The maximum size for incoming messages. ++ * ++ * Set to a value to limit the total message size, or 0 to not ++ * limit it. ++ * ++ * [method@Server.add_websocket_handler] will set this to a nonzero ++ * default value to mitigate denial of service attacks. Clients must ++ * choose their own default if they need to mitigate denial of service ++ * attacks. You also need to set your own default if creating your own ++ * server SoupWebsocketConnection without using SoupServer. + * +- * The protocol expects or 0 to not limit it. ++ * Each message may consist of multiple packets, so also refer to ++ * [property@WebSocketConnection:max-incoming-payload-size]. + * + * Since: 3.8 + */ +@@ -1674,7 +1684,7 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + "Max total message size ", + 0, + G_MAXUINT64, +- MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ 0, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + G_PARAM_STATIC_STRINGS); +@@ -2164,7 +2174,7 @@ soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *s + { + SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self); + +- g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT); ++ g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), 0); + + return priv->max_total_message_size; + } +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch new file mode 100644 index 0000000000..6f391e98e2 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch @@ -0,0 +1,292 @@ +From 3c87790a4ba141125e6ba165c478f0440e8e693e Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Fri, 16 May 2025 16:55:40 -0500 +Subject: [PATCH 4/4] Add tests for max-incoming-packet-size and + max-total-message-size + +An even better test would verify that it's possible to send big messages +containing small packets, but libsoup doesn't offer control over packet +size, and I don't want to take the time to learn how WebSockets work to +figure out how to do that manually. Instead, I just check that both +limits work, for both client and server. + +I didn't add deflate variants of these tests because I doubt that would +add valuable coverage. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4d00b45b7eebdcfa0706b58e34c40b8a0a16015b] +CVE: CVE-2025-32049 + +Signed-off-by: Changqing Li +--- + tests/websocket-test.c | 214 +++++++++++++++++++++++++++++++++++++---- + 1 file changed, 197 insertions(+), 17 deletions(-) + +diff --git a/tests/websocket-test.c b/tests/websocket-test.c +index 827b041..ec1324c 100644 +--- a/tests/websocket-test.c ++++ b/tests/websocket-test.c +@@ -543,16 +543,9 @@ test_send_big_packets (Test *test, + { + GBytes *sent = NULL; + GBytes *received = NULL; ++ gulong signal_id; + +- g_signal_connect (test->client, "message", G_CALLBACK (on_text_message), &received); +- +- sent = g_bytes_new_take (g_strnfill (400, '!'), 400); +- soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); +- WAIT_UNTIL (received != NULL); +- g_assert (g_bytes_equal (sent, received)); +- g_bytes_unref (sent); +- g_bytes_unref (received); +- received = NULL; ++ signal_id = g_signal_connect (test->client, "message", G_CALLBACK (on_text_message), &received); + + sent = g_bytes_new_take (g_strnfill (100 * 1000, '?'), 100 * 1000); + soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); +@@ -563,23 +556,174 @@ test_send_big_packets (Test *test, + received = NULL; + + soup_websocket_connection_set_max_incoming_payload_size (test->client, 1000 * 1000 + 1); +- g_assert (soup_websocket_connection_get_max_incoming_payload_size (test->client) == (1000 * 1000 + 1)); ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 1000 * 1000 + 1); + soup_websocket_connection_set_max_incoming_payload_size (test->server, 1000 * 1000 + 1); +- g_assert (soup_websocket_connection_get_max_incoming_payload_size (test->server) == (1000 * 1000 + 1)); ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 1000 * 1000 + 1); + + soup_websocket_connection_set_max_total_message_size (test->client, 1000 * 1000 + 1); +- g_assert (soup_websocket_connection_get_max_total_message_size (test->client) == (1000 * 1000 + 1)); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 1000 * 1000 + 1); + soup_websocket_connection_set_max_total_message_size (test->server, 1000 * 1000 + 1); +- g_assert (soup_websocket_connection_get_max_total_message_size (test->server) == (1000 * 1000 + 1)); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 1000 * 1000 + 1); + + sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); + soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); + WAIT_UNTIL (received != NULL); + g_assert (g_bytes_equal (sent, received)); ++ g_bytes_unref (received); ++ received = NULL; ++ ++ /* Reverse the test and send the big message to the server. */ ++ g_signal_handler_disconnect (test->client, signal_id); ++ g_signal_connect (test->server, "message", G_CALLBACK (on_text_message), &received); ++ ++ soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL)); ++ WAIT_UNTIL (received != NULL); ++ g_assert_true (g_bytes_equal (sent, received)); + g_bytes_unref (sent); + g_bytes_unref (received); + } + ++static void ++test_send_big_packets_direct (Test *test, ++ gconstpointer data) ++{ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0); ++ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 0); ++ ++ test_send_big_packets (test, data); ++} ++ ++static void ++test_send_big_packets_soup (Test *test, ++ gconstpointer data) ++{ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0); ++ ++ /* Max total message size defaults to 0 (unlimited), but SoupServer applies its own limit by default. */ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 128 * 1024); ++ ++ test_send_big_packets (test, data); ++} ++ ++static void ++test_send_exceeding_client_max_payload_size (Test *test, ++ gconstpointer data) ++{ ++ GBytes *sent = NULL; ++ GBytes *received = NULL; ++ gboolean close_event = FALSE; ++ GError *error = NULL; ++ ++ g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error); ++ g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event); ++ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024); ++ ++ soup_websocket_connection_set_max_incoming_payload_size (test->server, 0); ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 0); ++ ++ /* The message to the client is dropped due to the client's limit. */ ++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); ++ soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); ++ g_bytes_unref (sent); ++ WAIT_UNTIL (close_event); ++ g_assert_null (received); ++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED); ++ g_assert_no_error (test->client_error); ++} ++ ++static void ++test_send_exceeding_server_max_payload_size (Test *test, ++ gconstpointer data) ++{ ++ GBytes *sent = NULL; ++ GBytes *received = NULL; ++ gboolean close_event = FALSE; ++ GError *error = NULL; ++ ++ g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); ++ g_signal_connect (test->server, "closed", G_CALLBACK (on_close_set_flag), &close_event); ++ ++ soup_websocket_connection_set_max_incoming_payload_size (test->client, 0); ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 0); ++ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024); ++ ++ /* The message to the server is dropped due to the server's limit. */ ++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); ++ soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL)); ++ g_bytes_unref (sent); ++ WAIT_UNTIL (close_event); ++ g_assert_null (received); ++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED); ++ g_assert_no_error (test->client_error); ++} ++ ++static void ++test_send_exceeding_client_max_message_size (Test *test, ++ gconstpointer data) ++{ ++ GBytes *sent = NULL; ++ GBytes *received = NULL; ++ gboolean close_event = FALSE; ++ GError *error = NULL; ++ ++ g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error); ++ g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event); ++ ++ soup_websocket_connection_set_max_total_message_size (test->client, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 128 * 1024); ++ ++ soup_websocket_connection_set_max_total_message_size (test->server, 0); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 0); ++ ++ /* The message to the client is dropped due to the client's limit. */ ++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); ++ soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); ++ g_bytes_unref (sent); ++ WAIT_UNTIL (close_event); ++ g_assert_null (received); ++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED); ++ g_assert_no_error (test->client_error); ++} ++ ++static void ++test_send_exceeding_server_max_message_size (Test *test, ++ gconstpointer data) ++{ ++ GBytes *sent = NULL; ++ GBytes *received = NULL; ++ gboolean close_event = FALSE; ++ GError *error = NULL; ++ ++ g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); ++ g_signal_connect (test->server, "closed", G_CALLBACK (on_close_set_flag), &close_event); ++ ++ soup_websocket_connection_set_max_total_message_size (test->client, 0); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0); ++ ++ /* Set the server message total message size manually, because its ++ * default is different for direct connection vs. soup connection. ++ */ ++ soup_websocket_connection_set_max_total_message_size (test->server, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 128 * 1024); ++ ++ /* The message to the server is dropped due to the server's limit. */ ++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); ++ soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL)); ++ g_bytes_unref (sent); ++ WAIT_UNTIL (close_event); ++ g_assert_null (received); ++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED); ++ g_assert_no_error (test->client_error); ++} ++ ++ + static void + test_send_empty_packets (Test *test, + gconstpointer data) +@@ -2064,11 +2208,47 @@ main (int argc, + + g_test_add ("/websocket/direct/send-big-packets", Test, NULL, + setup_direct_connection, +- test_send_big_packets, ++ test_send_big_packets_direct, + teardown_direct_connection); + g_test_add ("/websocket/soup/send-big-packets", Test, NULL, + setup_soup_connection, +- test_send_big_packets, ++ test_send_big_packets_soup, ++ teardown_soup_connection); ++ ++ g_test_add ("/websocket/direct/send-exceeding-client-max-payload-size", Test, NULL, ++ setup_direct_connection, ++ test_send_exceeding_client_max_payload_size, ++ teardown_direct_connection); ++ g_test_add ("/websocket/soup/send-exceeding-client-max-payload-size", Test, NULL, ++ setup_soup_connection, ++ test_send_exceeding_client_max_payload_size, ++ teardown_soup_connection); ++ ++ g_test_add ("/websocket/direct/send-exceeding-server-max-payload-size", Test, NULL, ++ setup_direct_connection, ++ test_send_exceeding_server_max_payload_size, ++ teardown_direct_connection); ++ g_test_add ("/websocket/soup/send-exceeding-server-max-payload-size", Test, NULL, ++ setup_soup_connection, ++ test_send_exceeding_server_max_payload_size, ++ teardown_soup_connection); ++ ++ g_test_add ("/websocket/direct/send-exceeding-client-max-message-size", Test, NULL, ++ setup_direct_connection, ++ test_send_exceeding_client_max_message_size, ++ teardown_direct_connection); ++ g_test_add ("/websocket/soup/send-exceeding-client-max-message-size", Test, NULL, ++ setup_soup_connection, ++ test_send_exceeding_client_max_message_size, ++ teardown_soup_connection); ++ ++ g_test_add ("/websocket/direct/send-exceeding-server-max-message-size", Test, NULL, ++ setup_direct_connection, ++ test_send_exceeding_server_max_message_size, ++ teardown_direct_connection); ++ g_test_add ("/websocket/soup/send-exceeding-server-max-message-size", Test, NULL, ++ setup_soup_connection, ++ test_send_exceeding_server_max_message_size, + teardown_soup_connection); + + g_test_add ("/websocket/direct/send-empty-packets", Test, NULL, +@@ -2217,11 +2397,11 @@ main (int argc, + + g_test_add ("/websocket/direct/deflate-send-big-packets", Test, NULL, + setup_direct_connection_with_extensions, +- test_send_big_packets, ++ test_send_big_packets_direct, + teardown_direct_connection); + g_test_add ("/websocket/soup/deflate-send-big-packets", Test, NULL, + setup_soup_connection_with_extensions, +- test_send_big_packets, ++ test_send_big_packets_soup, + teardown_soup_connection); + + g_test_add ("/websocket/direct/deflate-send-empty-packets", Test, NULL, +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 6be31806f1..fc4a286dcf 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -47,6 +47,10 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-4945.patch \ file://CVE-2025-12105.patch \ file://CVE-2025-14523.patch \ + file://CVE-2025-32049-1.patch \ + file://CVE-2025-32049-2.patch \ + file://CVE-2025-32049-3.patch \ + file://CVE-2025-32049-4.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed Apr 29 06:15:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 87087 X-Patchwork-Delegate: fabien.thomas@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1AF3FF8864 for ; Wed, 29 Apr 2026 06:16:03 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.5395.1777443358232594918 for ; Tue, 28 Apr 2026 23:15:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=TRjnHq7N; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=9579970def=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 63T4hm0H3687161 for ; Tue, 28 Apr 2026 23:15:58 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=N0WQHBfjI3wTXJZKHR09GjMgV6dUx5bG62EQAPN72Fc=; b=TRjnHq7NbPxi xKptRfeCgxANRkop0gKW2qHNs/BwFdvWzzpHXFSn/HueYmG/WgdD4yHjz9znHd+P pOKlgNQYlHyc52j4DN2Q0F/6+Ny/Lxqt1H80UCdrxBTDKOr2z5AC9/Pf2pPCntJ5 eJFRYbs83/qV7SahqKu7Bsos6eLxqBtdPymX1IslLGPTJqrISD+y7CLXGAtZilej XRcNAcNmgkLxuUIygz3Uu1dCprezFElQWtRnskPnuVrWWDMfDOVA2SFyHr5GBxg2 IhVmY6aJUVhrF3H02/EsfTs3stYfmMh//PqV5M8ZrsFrPX4bH+dDbEWM09V+FYVt 9Rgj6RQwsA== Received: from byapr05cu005.outbound.protection.outlook.com (mail-westusazon11010017.outbound.protection.outlook.com [52.101.85.17]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4drrw2vaqr-3 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT) for ; Tue, 28 Apr 2026 23:15:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=ZIFnMlT1PIEyDY7WW/f9XL57UxJlfy6ZoDqM0OzsCbqvPpSUuHIQlENjlcNAxagPdviQykEhIZQ9oU2fuhJjgAncAi2Az2Ffdii+PSAsYpnHTWrlGHPWzCYn0BpAMVb58dGih6BPE7bIjmgfy8DaPOBx19zfPFWC0x/iuG/Tt9kWDzA72GChEJTU8KY+WjTQmmcyHsphHrmEQsTYsy4do7Gz190ddsLkPzhE4ZOUlySaCgwEZdFfMaHAS3vUT/XxXDrDVjwB+gm9ffqsWJnvKHdl1atxRRbFjvT70x6IGhJf9XzlrbDJeCtXTy6raSWNUF3EXNf+Tq4rRY8eqqoiwQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=N0WQHBfjI3wTXJZKHR09GjMgV6dUx5bG62EQAPN72Fc=; b=OuLQoDzoj9M7WtJBFLDVT0yHfJqvstd6z7JxX7t6KE1/pObTPeFUOiV/8u8nyh+GM0biYH0uKElNhBVR205RhvX/jk1UNNJsQhrB9lKTdoE21ManmPwN/GPruRqkC8+8o+sWTLahdxAKwl144qBcgJDh00wwomn61wlVpZzRoiVO0Vw12XdZjcQNgzaFuRDEUq7tGz1NgODSpCG+zlNL+6+CzlenybMJGwV4hLo25Hn0vgmj89CQ1PDWswZPPFI9DZmLO+Uu9M6zhNUq3QvdGTRV4SXc8JxKdOV8CjF9sJS+cNY2HDhB5Is345d2cHNPyL/7w3GTFiJFo1bZUy61Rw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from DS0PR11MB7312.namprd11.prod.outlook.com (2603:10b6:8:11f::18) by LV8PR11MB8535.namprd11.prod.outlook.com (2603:10b6:408:1ed::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9870.16; Wed, 29 Apr 2026 06:15:52 +0000 Received: from DS0PR11MB7312.namprd11.prod.outlook.com ([fe80::531e:6ef5:812b:48f6]) by DS0PR11MB7312.namprd11.prod.outlook.com ([fe80::531e:6ef5:812b:48f6%5]) with mapi id 15.20.9870.020; Wed, 29 Apr 2026 06:15:52 +0000 From: Changqing Li To: openembedded-core@lists.openembedded.org Subject: [scarthgap][PATCH 3/4] libsoup-2.4: fix CVE-2025-14523 Date: Wed, 29 Apr 2026 14:15:32 +0800 Message-Id: <20260429061533.858115-3-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260429061533.858115-1-changqing.li@windriver.com> References: <20260429061533.858115-1-changqing.li@windriver.com> X-ClientProxiedBy: SI2PR02CA0054.apcprd02.prod.outlook.com (2603:1096:4:196::13) To DS0PR11MB7312.namprd11.prod.outlook.com (2603:10b6:8:11f::18) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DS0PR11MB7312:EE_|LV8PR11MB8535:EE_ X-MS-Office365-Filtering-Correlation-Id: aaf2f8ad-8a8e-40cb-7ac1-08dea5b6c3fa X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|52116014|376014|366016|38350700014|56012099003|22082099003|18002099003; X-Microsoft-Antispam-Message-Info: UmVsjyC64YYP/l75n9rJWDNTaJipBw+B8GsKRV+1MNgRiIJLzQ14l3uK3mivEaJmN3kd1R1vusmxY1YI5X04hcTOYul7cXQaanbJiaZM/N90N3jRnQDX2UHlXkq/wS7+LFMdlLmpxQ3eOn6LGh8tlE1b8ENt8b4cUrCio9O2qFHyuoj/kcOvdzitDrAwNJBLnmrP15f/umjYRWfN9FVQwA0eZYK9fwh0vFWtdIsSM4/0ECsVBy1/l5mmZ94g61DU65BHD/wSe1Z7zwLPjJB/rD+aL+sjiB96bJga7WAHrvvNKYPE+63ck/k/WgRZ0jrxWs4EnDrTg++2516LZJ+2DzmKUytU25OLnpgvctqOBb6L/Cyg1gBe0/aTWWe3vCDPRJcYpXOjgDnf6TKFfqItwUQzFIMi1InJYLxse7w6Yn01eJ53njonzGukCZZr57IrbU1IinROB9ZTUhMoIWkpnS30M4yjmhNoITmlTk1QEGufMtgKNX/bQl4F5oFwFFymnTL4HH+3NMQSFxRMOFJF0VXwts7DLKauuAGXgb2D3b5axgf3YGDr91rN+X3q9lr1T1AlfpFh4ltIrD0m63btEu+HXoF9LiHZgryDO6SjOrXEUp+6JXs3h0WRUHzW6Aw5puHnQj00aENipGqjXudO0YuzU6ylOok6tTXK+yC7UdY4bt2QIYoPRL+fAuKVL3RbQAocTp53i0mfhiaoU91/sKkWeVlTByCgLRDe9w6eKk2lOpRL4M3OqE73ljcyBWlv X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DS0PR11MB7312.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(52116014)(376014)(366016)(38350700014)(56012099003)(22082099003)(18002099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: iwxy/i2Bw1mmmhfFRhtqyuemvsmmou5k36ZkANFB4jDZ7ok+J97mcRWOMFtD1rnkyTI4IbuLa/QLIMgzunJoMQkfIBGfQx7u6av3G//s5MOOq8nchhUy1s6tRVZnzcH/ZC0xIQhYWshwLM2npGa9TB5RjOaNKIDUS+XNs9Yo6Od95e8KDiwOrit8HcLJRsIldLN+JaEBizivJbYn96Q7RgBAZxVmE4d3TS8/QKtBqITfjGaBSmXxH2r7OaE4H2O1PlHHWyxzQ5NYnfcLeNqEksXJL7B93aCaf3nkuo5VzhftEQhkTmmbYL27nMxMk4XLScEBKd+ujv8JoMbZrkFks4snwsUmfeDQvlcs1qaEv82UVl68QOUMdbwCdUI7v9b1kxT2tvbhxE6f83bX77EN6fuzY09kAMSt0MGHjxvRlGI0TbQIJ4oQvpJ6X7XdGHfNUQ0nDYD4Eu85H9kjnmQsGmBDVhRgjJ6rsael/xwTspmFiqcY2rwzPPIeTgW908KMlk9uxAjTjlyo8sOi/hzh2gUVi0FaKxpbzZ2v6XksWty5F1/vqhHke0piOmpkiy2haz/BWfNlOMvUsFNYdNPy/cgpOzKa9XufUHdpDGM6UcwparolS/v7Kx8cmJ+r6yL6wwHevKWGMx4PZg3yJ3EkpeJtL9WyWRZGI2ilfOZt5DyLNWA9Gv2+G6qpc2PxH4HzMjgjjPgqA9FH54pMd+Fi+L1TSkyqKaFBHMFdRcinLLwjM5r5Tj+TuJRBpN4LNqO/mUnbSCjuDbfPA138XsUvjnT6PjNwXPMfc2SjR1QdbQ8B9kaYdwfMh3n7cGTCfVGg8BdZxxK8cRiNAlusfgrSY0LFfogYPUfif7/i4JLKnR9jDmUb+mW3qlfLegq5w/S8lAJzF7L2tJrX5X7qwLi4dCeFA3wYIr9LsYnjpVmHCLt+di0PwGURIRBtCBQZBhB6uotmEpgHBw9T7UQ9+GV7I1wVc8/U8goSe7HvZ9ijRJ0P/aokbE2cPBhp9KZpYAe7vkJ5o1syBC3KNzMe7fy2RaSNJYC/uO8nn4uf6G9YpZ6rTIPmSfHiryq2z/8RPu1cdGUk1PovwYRwU5kpFCT4uXaOJdX3VtGxTMolmw4z4smhDv/8GLwHS98JkeQ8VXUWCVQhrtIQE2/IeOV6T5eUyq4hV0EjGpesXRveZJatYe1ktv9yow5Rp4ZCNpwyMbDfW3XE4F7dyhQFKtawSgL7yyF2xoY6hIrfISq0v67p8zVRxVBGhCTyiehOTSTV148E8pCdVvnV/tF6F9FRSrcPvaL844nEwRAPVSJkphscGZo8CNXsF+muT2dSeAvtIo0L64J4Q48/Z67xjwoqvbZonn4XQGBqpIKH426T6HhKTRlk/9bR6F62jODXcAwAVHCi5R6mq/2c/ib/fGk9KeUOdzWC/6l04Cyz612jA93veIY0R4MuLgZYDsRpHrspq31cwlmocyvMiEAJ+2Nq4cg2er4g3gx8J7UksHEoxNPhlzBC9CVB6O/Vydl1VrEI3d8pjXetM3AfN9ultzvRU1i4GhGXltoFJq7uU4yNezG5JilUZqA8rfMkd0CSMLWBNSatkUGUAJUdCb91f/nz2LpPmuh4A6lIsjznF9FR6jhsMpIHPBE+ytQt29c3OYtwMFoOhQhaheEYAeg9GcPa3zqmWw0hyBsYfPaoB4IXuGNpnsAK3/nDM5M9509UTVwa5fgFq3U+HRiu/ju7lawZ3SPtdpGz93LomSd5PParmg0vkQ0= X-Exchange-RoutingPolicyChecked: gVUICJF5l5aQYN3Y6x/lKeLPvm8u9SljPVOTGT2xCVUMBbvGfdL7OGFSraF1zKqxKpoVNOOc307/0zHq7rrvpyrI9e1NUodhqqAvNDYNg/J0jVAKUXjT/DFw4ramPnqv/vC6zVqh3rx+1HihJLc4NutIlw4eNMQ/X6Tm1Ul4CR9CRsg4aA5ccZdhhzhirCSjfD+7wSkAkOQQeTGII171lf+Ihu1w0Kl9HolYLZ8c3ht2KG4rla9DKeKMUapCkxz5WfiRcX6SqVCf1IIP952jmOzhmdePmxw8qS3crP6akE/znNVLKg2Ae0mEJBunyeXOcdATYKX//4XVsAMzvuSmgg== X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: aaf2f8ad-8a8e-40cb-7ac1-08dea5b6c3fa X-MS-Exchange-CrossTenant-AuthSource: DS0PR11MB7312.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Apr 2026 06:15:52.5060 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: Vjw9C4lLyp7E9q+HARQchiQPWtGRyLn4XsIH9LCMiVZlFkDxA989MoJOxZqevXR0XCVfbu+XicsSvjEoILlmB30zTi0EAXmpuagOxs3Lo0M= X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV8PR11MB8535 X-Proofpoint-GUID: sKCB01h-BmGdO1apoesmFMaG9gcpGpYe X-Proofpoint-ORIG-GUID: sKCB01h-BmGdO1apoesmFMaG9gcpGpYe X-Authority-Analysis: v=2.4 cv=Pu+jqQM3 c=1 sm=1 tr=0 ts=69f1a21d cx=c_pps a=+9lCAQqCkh6G/pz+5LnHJg==:117 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19 a=z/mQ4Ysz8XfWz/Q5cLBRGdckG28=:19 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19 a=xqWC_Br6kY4A:10 a=A5OVakUREuEA:10 a=VkNPw1HP01LnGYTKEx00:22 a=bi6dqmuHe4P4UrxVR6um:22 a=HK-ge7EqtdluswH-FwHe:22 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=DBMtn-1xItkKiCCeOT4A:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNDI5MDA1OCBTYWx0ZWRfXwVREmiIcl1jq DXhpJmNoNoe697lr8W6+HbNxol1OmlBrYwXyAOjz0KvMourYPqkwSUKonDlhkYQoJ9cvdQYYuDB vtbU5Sg8rcj5WFSeJ2Ak6jfEhIq5wXdcfQ6KhJ06bmLmzNFTaRH2k5e6J36cRjvbhAvw+ydRBn3 IBbdXZUpDu7kDnXbhaykYgPB+R6DKGWZrbZpo08IiCNZZ/8sn6xsLBh8dmoLz7YnNc1qNWRXWgE MN8aXqjkBYgGyDzfyq/hkbodUiZ1VEEC601gXv8pxXBZWRLM8vjZbRzCmJJ2oWZrITWhtSiYUfH Q6EykDA9YJ5WJmTAtouAlZ57NEaY0kuLaC3/nyDitEILqPQhBir3vLXQ7FFrFM0YbdWwZ4Wbolk 2EiWYcoq8kX/nIoZDFh+OU7eyX6fuDl0l/q+jmYVvejH8J6Ki011E647jYbswjGmjqtTPRShoIA jAtz1z62gcH5VGi6z0w== X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-04-28_05,2026-04-28_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 lowpriorityscore=0 spamscore=0 clxscore=1015 impostorscore=0 suspectscore=0 priorityscore=1501 adultscore=0 phishscore=0 bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2604200000 definitions=main-2604290058 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 29 Apr 2026 06:16:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236079 Refer: https://gitlab.gnome.org/GNOME/libsoup/-/work_items/472 Signed-off-by: Changqing Li --- .../libsoup/libsoup-2.4/CVE-2025-14523.patch | 52 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 53 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-14523.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-14523.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-14523.patch new file mode 100644 index 0000000000..0f1d751aeb --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-14523.patch @@ -0,0 +1,52 @@ +From d6028a6e6a8417b7fb6c89f6c10fb94781435ee6 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Wed, 4 Feb 2026 15:08:50 +0800 +Subject: [PATCH] Reject duplicate Host headers (for libsoup 2) + +This is a simplified version of my patch for libsoup 3: + +!491 + +Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libsoup/-/commit/d3db5a6f8f03e1f0133754872877c92c0284c472] +CVE: CVE-2025-14523 + +This patch is a MR for branch 2-74, but not merged yet, maybe it will +not be merged. + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 3 +++ + libsoup/soup-message-headers.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index ea2f986..6cd3dad 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -138,6 +138,9 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + for (p = strchr (value, '\r'); p; p = strchr (p, '\r')) + *p = ' '; + ++ if (g_ascii_strcasecmp (name, "Host") == 0 && soup_message_headers_get_one (dest, "Host")) ++ goto done; ++ + soup_message_headers_append (dest, name, value); + } + success = TRUE; +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index f612bff..bb20bbb 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -220,6 +220,9 @@ soup_message_headers_append (SoupMessageHeaders *hdrs, + } + #endif + ++ if (g_ascii_strcasecmp (name, "Host") == 0 && soup_message_headers_get_one (hdrs, "Host")) ++ return; ++ + header.name = intern_header_name (name, &setter); + header.value = g_strdup (value); + g_array_append_val (hdrs->array, header); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 7e00cd678a..253a389e21 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -41,6 +41,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-4476.patch \ file://CVE-2025-2784.patch \ file://CVE-2025-4945.patch \ + file://CVE-2025-14523.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed Apr 29 06:15:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Changqing Li X-Patchwork-Id: 87089 X-Patchwork-Delegate: fabien.thomas@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1CB4ACCF9E3 for ; Wed, 29 Apr 2026 06:16:05 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.5564.1777443358990050586 for ; Tue, 28 Apr 2026 23:15:59 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=rswFwngJ; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=9579970def=changqing.li@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 63T4hm0I3687161 for ; Tue, 28 Apr 2026 23:15:58 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=rjdqrDYps8BZCSodUG8X6QJQZL8SQPStB+JXNj0U7UY=; b=rswFwngJ35CV VYBuGRFu+bcuSnJBBOlkzaqAeU+4Rq83eoqeO7fQ9kL/+b5kLBdBn/wFE6oR/LV7 Mznlwqlj823n0x8YMWTK1ROo5ausRLQZCbp4msSkWQdfUpgrpjWtK1Id8DmTZdNa FpT/Htm32zZsxWn8S0svizjBqPRHfiRt1WTUWk0WP/BC3YZAkwKA1RNem3X9QW3P sPk6bk5F8nJj9lxaqR/5tNhQfohRxs5xgKpqbY+J1PdiEUNlChtppTe8h/KZIKCw e1KWNxBTEMGOm8kfPvFnSC3oTfVqlvU/shxSEoyqo0xR8u1pxI6NXdDkFGN+AKwH lhMjW9P/gw== Received: from byapr05cu005.outbound.protection.outlook.com (mail-westusazon11010017.outbound.protection.outlook.com [52.101.85.17]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4drrw2vaqr-4 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT) for ; Tue, 28 Apr 2026 23:15:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=hmQ08bMMSBeGPcR+gcrq7UtHkc2tSYHWACO9aGjJHOZwQj5pi3PBsLLdsKx73TDnYXQqjnzet0/PSgnUfiAGhXpxPeMlfjZAlFlogo5VnLrHqMsM5AmjtdcVxxpoe8gtlM+ddaIhUJstc/R94rNdh/4l4xKXp77wKLXPMKMSV3JQqUMl5rlV4fo5NeDCuQzNMTlfTAv/NvFAp5wZ9uGLSGL5q4NtDxBQuu1MAfr3TyDgv6nnJILyypfLWAsDfBLHd8WxIqnXq0C68wWk/gcXSl5QQoKBungSsahgSb8jRoXUeESOWkQwiC9/hLVToSFPJ6Z3yZwWWMYgtZkOeV7Nnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rjdqrDYps8BZCSodUG8X6QJQZL8SQPStB+JXNj0U7UY=; b=OLEflxk+9IAfxzQagVMNmAhOWAuUOGkFk8nr/MlTCbcNKdkN7H4Xpm8rMcze0B/t6E0XbGF+NOK/NIiSV/yZ4vfsbu1zFETAHZRF1X8Bui9GkJY0VSBbR5oHrmmCHpqUQ8fjsUH8h16sjKZ1QXQLxjT/Vvc1OSdslFIZJAfUimHS4CfgTq0Wr4AE0h2GDxRlxmn8aY3ue/cE36EhSGBY6+h3vK04pA9qbV5dpkC0o6Fy9Noe9m3pm9qlSsZqOH8ZATeBwqYlPybivy5A+UGK9yCGUibOB3iREiA0BYCfXO8oePZewNBvag4nI70uA2X8BqnMO17Sn+TxJPm26xP2fg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from DS0PR11MB7312.namprd11.prod.outlook.com (2603:10b6:8:11f::18) by LV8PR11MB8535.namprd11.prod.outlook.com (2603:10b6:408:1ed::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9870.16; Wed, 29 Apr 2026 06:15:54 +0000 Received: from DS0PR11MB7312.namprd11.prod.outlook.com ([fe80::531e:6ef5:812b:48f6]) by DS0PR11MB7312.namprd11.prod.outlook.com ([fe80::531e:6ef5:812b:48f6%5]) with mapi id 15.20.9870.020; Wed, 29 Apr 2026 06:15:54 +0000 From: Changqing Li To: openembedded-core@lists.openembedded.org Subject: [scarthgap][PATCH 4/4] libsoup-2.4: fix CVE-2025-32049 Date: Wed, 29 Apr 2026 14:15:33 +0800 Message-Id: <20260429061533.858115-4-changqing.li@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260429061533.858115-1-changqing.li@windriver.com> References: <20260429061533.858115-1-changqing.li@windriver.com> X-ClientProxiedBy: SI2PR02CA0054.apcprd02.prod.outlook.com (2603:1096:4:196::13) To DS0PR11MB7312.namprd11.prod.outlook.com (2603:10b6:8:11f::18) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DS0PR11MB7312:EE_|LV8PR11MB8535:EE_ X-MS-Office365-Filtering-Correlation-Id: 527b892f-68ec-495c-b3fc-08dea5b6c4c1 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|52116014|376014|366016|38350700014|56012099003|22082099003|18002099003; X-Microsoft-Antispam-Message-Info: /wi6ti7vJz5OHnh3dyxqR9xSZIFbEoxtW33+/Qf2na9ajb49kSJCgP4zYdpMo1gqQOx3kQLdIFpCe9jqlngw8YpD5YtWYx3K2k09ywK2KHcLta1IspgGRot05alFqEYV150HUmwqiI4OmfdbNGvdu579idusRxzwt1iXeWmKlcAfkuQnoaLFrjFA3oCFuFJZAanM1knIrB/H9f4t+ei83ZDjHdoIgHAnEnar1NZk5LfGDMPnD6pStrTFcX2mD8ecoMPADsh+BQIVQhn3eTvIXfLxaCmrp/lCaodkKfnI/GwpdCJsFFVD2qYJEnerpnNLrKefaoCl3niSwRxQVvrQW8N9Sj8C/IaO2zXit//43JZbll9OGxGVnjHl5yo2Fk2kQmprmXea50E75sHhrPjqDyZOS069nxtZpupO2NKWk0bro6WBncVR7EY9fojy7rWQOjSU5SdKy4EU6g3UveCdt5mpv3pq1P55ajizW857SDawvD1ZfQH2EulO7tlBHStULL3mY9VW/LXoT6ShG8QNy1k5F0l1DAsQh1A8xfk8nW6ZBFoKI6ODIyKSQYkPncRGKfHFsxaZ8jtUQCnpQy+BPm8wMPoUo/IxVl/ZG1sCZhccBAj3tskCEg1QvbGrbpGptheXblXSYNUeXoeXQeEdXtQ5HrYjgZ4smc7/AX214I7Jq+nvzltb83t7Z6BtyKuruM2mHkQY8MFhS1VsiisuJnzbRi51LGtpRc/My1UNbs5TC3/Lh5pYwGcYr2iLtzV5 X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DS0PR11MB7312.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(52116014)(376014)(366016)(38350700014)(56012099003)(22082099003)(18002099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 5nVzS/7/yddFbAy3hfAgT59CVPHHZ5+jr+NFhcFHG+3iDJ9PjJRLUTnfKWjTRgGDMhYBnDfjbmEj3WP6WcvBrC6837HKP7yaBJXIkflRnkzphaP1tiBMijx56CW7dqi0wdq0J1HwyWJZITk89DyZ20Ur1n3CcSL9lhz1tenrP8CQDoSRB94Z8RKFXnvcZfp0Q5Ne5TcrB+9qor6a1vLW/CXCdXt3m+m/Z3P1DRZD/xBI9E38iRKROoSH38gdVm2Pz9tRje3uzvXIhOJPYGMfn+cZsjsI1LqVQZXYBkyNg9ndjYXr8a+ect0YashHClIkXbblox2vF/fafdKq2Bgjw5P8t8SspY/6ElySGf/GeaIw5/wzKJcUH9mqPL+wfQIFZ2AN+ZdR2APCUTytnk5nttGSrhFNfL2t2L8J08z4PaS9O+Dsz6oTh5xoCeJdDISzxXkcr7qO0DNpZL6s8v23LxtxSVr43w3k4GJepcbq88bWuraZIfDWAzLDEDL2UaATzOL7k6GEGAMVS6UkFizLK4KjhO0MBEWIPIlqnxJ3jCcDP3Y+9ius7Kh+EPkPJb3xvyAh1RQ21b6NI2OeoremUHElr6eW+kSUGNEUGV7D3ABvQ8jLzlBERYrawzM8ugZgwOMSTh0T2hKLVi8gug3CC/RM8er/4qZJccgxCizfFICKdxcCV+k8H2jQ3BPlkynWnihCY6UQYyUPBYOO37WFxkhHSRyZio79Tx6l6puvh6k5JrsSqppIWahEQ2WnT5GkGP65rbpG3ocHkxlhTmbog1/mNa1rpSyEfuDh4T7eK/v0mKiZ/eYwTI35Ra7Qd1IXTRA9Ltf7vz2dClaDZv0dQqM7VgocxwW0ao6oXASpo/D1k5iA63Gh/UUvJLEjTqsx/Pc+DbtDA0dE/Nm3ro7e12OcfJhHXUvmUeNj7UhE+ulOvKuC1TjXSYWX9iHVkCQiHuExkbJIPR+7cfoEdlEq4w5oI4th0/8MhgHnL/HRn8atmvYEiJxHmHYYFjAbE31FRc9WACbyvcpLpOGeohqvV1YOe8GLTDTkPP9alUQoWK883Ptu8PNiPAk1+fq4uIkVqtatCb93M0A7O9qpuOqYKIwARRAH1mcW9CeAPHYBv84xiELNeXPFc+K9S5Dm9mj2S08szNrh7ec+8p5eEU/7QEd6QAZ6xZ94g/Lic6oSwh5atKIKFmMwg/CBzr/tOrPtjoyGyfNiXGZ3jUrrlRNIKMaZMuTw6BJ3xxASdJJK1DNLzOy+TaRYPqnQBzYIsI4ceGLfsd+LcwXMGY4GsatVQS+HzYTuuX+mduSxKG4LSvdTgwO8GkxKGCAG0kBAkHkpSsbahnts69+xfjUf9GQixfdO00CTofwEpa7DaAZwfgRNfQkdcgL01VvLLwtwjEqaZhuWO6L0pJstHShABqnjNhIYEOEFyoZqBrTRZCxTn47nzYa7plQb8mkgQETZbhxPN6Vp29uSnFE6mx7bi681TNFCI9Xe2rz50kdDs9htrDPqBu/4NlzNVk77kfuJ4uFIPHyURIsvaowwJbeii1ECI9Kv5ryV4pK9gaNLXjkb/QkDLsCwMSxGUFrPnOUxkkahomnRB7vz6wygq1yfcDoKchwPsnUhIUA3TDXGu8BZVdF830QnXs8y15mtPrluhChmGC+eEqIaJv4l5OwmREpAhoPRUTheIkk5xUX4Iq5j+dyEdyc4bxL09Rpxw7r8PnTjgBws58Uqv+k+AEHhmLthnYWeJdeQ5LopLAW909uKL3o= X-Exchange-RoutingPolicyChecked: nt0xYnLxrXQs6nWV3Ofip0VrNbzYdDSy8t8LwRUTBp7Niz3imMf+8VEEnP6mXQVk3eCt/Bp1JU/GUbINh1HexVFERNcXQ+9SWQDAxABmiFyuMAucynCkpSV02Eg3+U4nGW6lTPzep3/apkEDEeJk3Y4yzZ2CoRxbE+xQBMXtDAx1PKDMNwr9ytUzPc+PBTvr+7MTlvjT5sMsFv3VN9t5kmDoWUDSVX5W0/gvQQFzlG1vQVTilU3s6IS0tJq2S0ltRBJNUYaLJWitYGBsyl3EUrWBHnu96cIsIooiTyj/KK7qY+mQ9Qa+cav2cvYlII9JxoR7ibbKJGvVY4ikgbRvKw== X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: 527b892f-68ec-495c-b3fc-08dea5b6c4c1 X-MS-Exchange-CrossTenant-AuthSource: DS0PR11MB7312.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Apr 2026 06:15:54.0350 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 0DT96fzSY6z6DOk/wNzzMtDQcYYwcTG2AWIhKiHI9aQUSKdo5NUiV3+XX/nbcDQr6ElNZZQzW7NnvUuVRPdvfX8755V5xFOmLJk6b4tjIjk= X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV8PR11MB8535 X-Proofpoint-GUID: pA_smLotniiKTqAnsVd_Myc7duWeJQ34 X-Proofpoint-ORIG-GUID: pA_smLotniiKTqAnsVd_Myc7duWeJQ34 X-Authority-Analysis: v=2.4 cv=Pu+jqQM3 c=1 sm=1 tr=0 ts=69f1a21e cx=c_pps a=+9lCAQqCkh6G/pz+5LnHJg==:117 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19 a=z/mQ4Ysz8XfWz/Q5cLBRGdckG28=:19 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19 a=xqWC_Br6kY4A:10 a=A5OVakUREuEA:10 a=VkNPw1HP01LnGYTKEx00:22 a=bi6dqmuHe4P4UrxVR6um:22 a=HK-ge7EqtdluswH-FwHe:22 a=GHR8O2WEAAAA:20 a=t7CeM3EgAAAA:8 a=u9qaAUzl2SAL_BSk4EAA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNDI5MDA1OCBTYWx0ZWRfX3Uie8Z8kQil9 GKRFKneHcu0R+bV8dHNUbDfICAqsfuZK+OtfFrQ4cQIxJraJCgWQDeXy2+W5WIqLHtUigQGtIW2 VH+tn9NE1HhuuSkDe9TRLc0f6mTAhOpOSadpDe9Je0zlrNEwzznXoz2usxFUPeIan9542f2Htoi pC3Z46bSDLp0tFnTLRPlOue0LsI60I3jDv9rr/RO4lhlSLb2XPhNQvgph0l3yVZL0rJz1266iyx 9U+1bSmzcZQur/eRLI0jG1DyDGenAxjVey4SNZHVW6vY0w715o45+If43sVJnF3tW4rTPIOkd4i lQ+L11ROCODwTV8Ga6uwawJouGQmXU/r6jyGj+Vavy8OVp7J4TmhrikQZqc87bSeBcQiVUOz7l+ KmFYmZcR3b4p2WzpTgckeK48htplqG4uP8top+7fEzMh6HyfuFKnSmLblxkvyZemV6MhvweWMrn TpqT2vGtSuMJzgEm4ZA== X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-04-28_05,2026-04-28_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 lowpriorityscore=0 spamscore=0 clxscore=1015 impostorscore=0 suspectscore=0 priorityscore=1501 adultscore=0 phishscore=0 bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2604200000 definitions=main-2604290058 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 29 Apr 2026 06:16:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236080 Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/390 Signed-off-by: Changqing Li --- .../libsoup-2.4/CVE-2025-32049-1.patch | 229 ++++++++++++++++++ .../libsoup-2.4/CVE-2025-32049-2.patch | 131 ++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 2 + 3 files changed, 362 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-1.patch new file mode 100644 index 0000000000..64e87cb1ec --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-1.patch @@ -0,0 +1,229 @@ +From c574e659c41c18fad3973bbaa3b3ec75664b3137 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Thu, 5 Feb 2026 16:20:02 +0800 +Subject: [PATCH 1/2] websocket: add a way to restrict the total message size + +Otherwise a client could send small packages smaller than +total-incoming-payload-size but still to break the server +with a big allocation + +Fixes: #390 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/db87805ab565d67533dfed2cb409dbfd63c7fdce] +CVE: CVE-2025-32049 + +libsoup2 is not maintained, the patch is backported from libsoup3, and +change accordingly + +Signed-off-by: Changqing Li +--- + libsoup/soup-websocket-connection.c | 104 ++++++++++++++++++++++++++-- + libsoup/soup-websocket-connection.h | 7 ++ + 2 files changed, 107 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c +index 9d5f4f8..3dad477 100644 +--- a/libsoup/soup-websocket-connection.c ++++ b/libsoup/soup-websocket-connection.c +@@ -85,7 +85,8 @@ enum { + PROP_STATE, + PROP_MAX_INCOMING_PAYLOAD_SIZE, + PROP_KEEPALIVE_INTERVAL, +- PROP_EXTENSIONS ++ PROP_EXTENSIONS, ++ PROP_MAX_TOTAL_MESSAGE_SIZE, + }; + + enum { +@@ -120,6 +121,7 @@ struct _SoupWebsocketConnectionPrivate { + char *origin; + char *protocol; + guint64 max_incoming_payload_size; ++ guint64 max_total_message_size; + guint keepalive_interval; + + gushort peer_close_code; +@@ -152,6 +154,7 @@ struct _SoupWebsocketConnectionPrivate { + }; + + #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT 128 * 1024 ++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 + #define READ_BUFFER_SIZE 1024 + #define MASK_LENGTH 4 + +@@ -664,7 +667,7 @@ bad_data_error_and_close (SoupWebsocketConnection *self) + } + + static void +-too_big_error_and_close (SoupWebsocketConnection *self, ++too_big_incoming_payload_error_and_close (SoupWebsocketConnection *self, + guint64 payload_len) + { + GError *error; +@@ -680,6 +683,23 @@ too_big_error_and_close (SoupWebsocketConnection *self, + emit_error_and_close (self, error, TRUE); + } + ++static void ++too_big_message_error_and_close (SoupWebsocketConnection *self, ++ guint64 len) ++{ ++ GError *error; ++ ++ error = g_error_new_literal (SOUP_WEBSOCKET_ERROR, ++ SOUP_WEBSOCKET_CLOSE_TOO_BIG, ++ self->pv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ? ++ "Received WebSocket payload from the client larger than configured max-total-message-size" : ++ "Received WebSocket payload from the server larger than configured max-total-message-size"); ++ g_debug ("%s received message of size %" G_GUINT64_FORMAT " or greater, but max supported size is %" G_GUINT64_FORMAT, ++ self->pv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ? "server" : "client", ++ len, self->pv->max_total_message_size); ++ emit_error_and_close (self, error, TRUE); ++} ++ + static void + close_connection (SoupWebsocketConnection *self, + gushort code, +@@ -913,6 +933,12 @@ process_contents (SoupWebsocketConnection *self, + switch (pv->message_opcode) { + case 0x01: + case 0x02: ++ /* Safety valve */ ++ if (pv->max_total_message_size > 0 && ++ (pv->message_data->len + payload_len) > pv->max_total_message_size) { ++ too_big_message_error_and_close (self, (pv->message_data->len + payload_len)); ++ return; ++ } + g_byte_array_append (pv->message_data, payload, payload_len); + break; + default: +@@ -1050,7 +1076,7 @@ process_frame (SoupWebsocketConnection *self) + /* Safety valve */ + if (self->pv->max_incoming_payload_size > 0 && + payload_len >= self->pv->max_incoming_payload_size) { +- too_big_error_and_close (self, payload_len); ++ too_big_incoming_payload_error_and_close (self, payload_len); + return FALSE; + } + +@@ -1357,6 +1383,10 @@ soup_websocket_connection_get_property (GObject *object, + g_value_set_pointer (value, pv->extensions); + break; + ++ case PROP_MAX_TOTAL_MESSAGE_SIZE: ++ g_value_set_uint64 (value, pv->max_total_message_size); ++ break; ++ + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; +@@ -1410,6 +1440,10 @@ soup_websocket_connection_set_property (GObject *object, + pv->extensions = g_value_get_pointer (value); + break; + ++ case PROP_MAX_TOTAL_MESSAGE_SIZE: ++ pv->max_total_message_size = g_value_get_uint64 (value); ++ break; ++ + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; +@@ -1631,7 +1665,24 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT_ONLY | + G_PARAM_STATIC_STRINGS)); +- ++ /** ++ * SoupWebsocketConnection:max-total-message-size: ++ * ++ * The total message size for incoming packets. ++ * ++ * The protocol expects or 0 to not limit it. ++ * ++ */ ++ g_object_class_install_property (gobject_class, PROP_MAX_TOTAL_MESSAGE_SIZE, ++ g_param_spec_uint64 ("max-total-message-size", ++ "Max total message size", ++ "Max total message size ", ++ 0, ++ G_MAXUINT64, ++ MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ G_PARAM_READWRITE | ++ G_PARAM_CONSTRUCT | ++ G_PARAM_STATIC_STRINGS)); + /** + * SoupWebsocketConnection::message: + * @self: the WebSocket +@@ -2145,6 +2196,51 @@ soup_websocket_connection_set_max_incoming_payload_size (SoupWebsocketConnection + } + } + ++/** ++ * soup_websocket_connection_get_max_total_message_size: ++ * @self: the WebSocket ++ * ++ * Gets the maximum total message size allowed for packets. ++ * ++ * Returns: the maximum total message size. ++ * ++ */ ++guint64 ++soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *self) ++{ ++ SoupWebsocketConnectionPrivate *pv; ++ ++ g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT); ++ pv = self->pv; ++ ++ return pv->max_total_message_size; ++} ++ ++/** ++ * soup_websocket_connection_set_max_total_message_size: ++ * @self: the WebSocket ++ * @max_total_message_size: the maximum total message size ++ * ++ * Sets the maximum total message size allowed for packets. ++ * ++ * It does not limit the outgoing packet size. ++ * ++ */ ++void ++soup_websocket_connection_set_max_total_message_size (SoupWebsocketConnection *self, ++ guint64 max_total_message_size) ++{ ++ SoupWebsocketConnectionPrivate *pv; ++ ++ g_return_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self)); ++ pv = self->pv; ++ ++ if (pv->max_total_message_size != max_total_message_size) { ++ pv->max_total_message_size = max_total_message_size; ++ g_object_notify (G_OBJECT (self), "max-total-message-size"); ++ } ++} ++ + /** + * soup_websocket_connection_get_keepalive_interval: + * @self: the WebSocket +diff --git a/libsoup/soup-websocket-connection.h b/libsoup/soup-websocket-connection.h +index f82d723..d2a60e9 100644 +--- a/libsoup/soup-websocket-connection.h ++++ b/libsoup/soup-websocket-connection.h +@@ -136,6 +136,13 @@ SOUP_AVAILABLE_IN_2_58 + void soup_websocket_connection_set_keepalive_interval (SoupWebsocketConnection *self, + guint interval); + ++SOUP_AVAILABLE_IN_2_72 ++guint64 soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *self); ++ ++SOUP_AVAILABLE_IN_2_72 ++void soup_websocket_connection_set_max_total_message_size (SoupWebsocketConnection *self, ++ guint64 max_total_message_size); ++ + G_END_DECLS + + #endif /* __SOUP_WEBSOCKET_CONNECTION_H__ */ +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-2.patch new file mode 100644 index 0000000000..f9c894aaec --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-2.patch @@ -0,0 +1,131 @@ +From 0bfc66f1082f5d47df99b6fc03f742ef7fa1051e Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Thu, 5 Feb 2026 17:19:51 +0800 +Subject: [PATCH] Set message size limit in SoupServer rather than + SoupWebsocketConnection + +We're not sure about the compatibility implications of having a default +size limit for clients. + +Also not sure whether the server limit is actually set appropriately, +but there is probably very little server usage of +SoupWebsocketConnection in the wild, so it's not so likely to break +things. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/2df34d9544cabdbfdedd3b36f098cf69233b1df7] +CVE: CVE-2025-32049 + +Signed-off-by: Changqing Li +--- + libsoup/soup-server.c | 24 +++++++++++++++++++----- + libsoup/soup-websocket-connection.c | 23 ++++++++++++++++------- + 2 files changed, 35 insertions(+), 12 deletions(-) + +diff --git a/libsoup/soup-server.c b/libsoup/soup-server.c +index 63875f3..a3f8597 100644 +--- a/libsoup/soup-server.c ++++ b/libsoup/soup-server.c +@@ -216,6 +216,16 @@ enum { + + G_DEFINE_TYPE_WITH_PRIVATE (SoupServer, soup_server, G_TYPE_OBJECT) + ++/* SoupWebsocketConnection by default limits only maximum packet size. But a ++ * message may consist of multiple packets, so SoupServer additionally restricts ++ * total message size to mitigate denial of service attacks on the server. ++ * SoupWebsocketConnection does not do this by default because I don't know ++ * whether that would or would not cause compatibility problems for websites. ++ * ++ * This size is in bytes and it is arbitrary. ++ */ ++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 ++ + static SoupClientContext *soup_client_context_ref (SoupClientContext *client); + static void soup_client_context_unref (SoupClientContext *client); + +@@ -1445,11 +1455,15 @@ complete_websocket_upgrade (SoupMessage *msg, gpointer user_data) + + soup_client_context_ref (client); + stream = soup_client_context_steal_connection (client); +- conn = soup_websocket_connection_new_with_extensions (stream, uri, +- SOUP_WEBSOCKET_CONNECTION_SERVER, +- soup_message_headers_get_one (msg->request_headers, "Origin"), +- soup_message_headers_get_one (msg->response_headers, "Sec-WebSocket-Protocol"), +- handler->websocket_extensions); ++ conn = SOUP_WEBSOCKET_CONNECTION (g_object_new (SOUP_TYPE_WEBSOCKET_CONNECTION, ++ "io-stream", stream, ++ "uri", uri, ++ "connection-type", SOUP_WEBSOCKET_CONNECTION_SERVER, ++ "origin", soup_message_headers_get_one (msg->request_headers, "Origin"), ++ "protocol", soup_message_headers_get_one (msg->response_headers, "Sec-WebSocket-Protocol"), ++ "extensions", handler->websocket_extensions, ++ "max-total-message-size", (guint64)MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ NULL)); + handler->websocket_extensions = NULL; + g_object_unref (stream); + soup_client_context_unref (client); +diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c +index 3dad477..e7fa9b7 100644 +--- a/libsoup/soup-websocket-connection.c ++++ b/libsoup/soup-websocket-connection.c +@@ -154,7 +154,6 @@ struct _SoupWebsocketConnectionPrivate { + }; + + #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT 128 * 1024 +-#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 + #define READ_BUFFER_SIZE 1024 + #define MASK_LENGTH 4 + +@@ -1615,8 +1614,9 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + /** + * SoupWebsocketConnection:max-incoming-payload-size: + * +- * The maximum payload size for incoming packets the protocol expects +- * or 0 to not limit it. ++ * The maximum payload size for incoming packets, or 0 to not limit it. ++ * Each message may consist of multiple packets, so also refer to ++ * [property@WebSocketConnection:max-total-message-size]. + * + * Since: 2.56 + */ +@@ -1668,9 +1668,18 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + /** + * SoupWebsocketConnection:max-total-message-size: + * +- * The total message size for incoming packets. ++ * The maximum size for incoming messages. ++ * Set to a value to limit the total message size, or 0 to not ++ * limit it. + * +- * The protocol expects or 0 to not limit it. ++ * [method@Server.add_websocket_handler] will set this to a nonzero ++ * default value to mitigate denial of service attacks. Clients must ++ * choose their own default if they need to mitigate denial of service ++ * attacks. You also need to set your own default if creating your own ++ * server SoupWebsocketConnection without using SoupServer. ++ * ++ * Each message may consist of multiple packets, so also refer to ++ *[property@WebSocketConnection:max-incoming-payload-size]. + * + */ + g_object_class_install_property (gobject_class, PROP_MAX_TOTAL_MESSAGE_SIZE, +@@ -1679,7 +1688,7 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + "Max total message size ", + 0, + G_MAXUINT64, +- MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ 0, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + G_PARAM_STATIC_STRINGS)); +@@ -2210,7 +2219,7 @@ soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *s + { + SoupWebsocketConnectionPrivate *pv; + +- g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT); ++ g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), 0); + pv = self->pv; + + return pv->max_total_message_size; +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 253a389e21..915d735da3 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -42,6 +42,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-2784.patch \ file://CVE-2025-4945.patch \ file://CVE-2025-14523.patch \ + file://CVE-2025-32049-1.patch \ + file://CVE-2025-32049-2.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"