1 files changed, 133 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
new file mode 100644
index 0000000000..740c28c016
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
@@ -0,0 +1,133 @@
+From 12523a592f1216450d18706bcf6c16e0f1ab0ce0 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:52:37 +0800
+Subject: [PATCH] headers: Be more robust against invalid input when
+ parsing params
+If you pass invalid input to a function such as soup_header_parse_param_list_strict()
+it can cause an overflow if it decodes the input to UTF-8.
+This should never happen with valid UTF-8 input which libsoup's client API
+ensures, however it's server API does not currently.
+CVE: CVE-2024-52531
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c | 45 +++++++++++++++++++++---------------------
+ 1 file changed, 23 insertions(+), 22 deletions(-)
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 67905b2..39e8d34 100644
+--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
+@@ -642,8 +642,9 @@ soup_header_contains (const char *header, const char *token)
+ }
+ 
+ static void
+-decode_quoted_string (char *quoted_string)
+decode_quoted_string_inplace (GString *quoted_gstring)
+ {
+       char *quoted_string = quoted_gstring->str;
+        char *src, *dst;
+ 
+        src = quoted_string + 1;
+@@ -657,10 +658,11 @@ decode_quoted_string (char *quoted_string)
+ }
+ 
+ static gboolean
+-decode_rfc5987 (char *encoded_string)
+decode_rfc5987_inplace (GString *encoded_gstring)
+ {
+        char *q, *decoded;
+        gboolean iso_8859_1 = FALSE;
+       const char *encoded_string = encoded_gstring->str;
+ 
+        q = strchr (encoded_string, '\'');
+        if (!q)
+@@ -689,14 +691,7 @@ decode_rfc5987 (char *encoded_string)
+                decoded = utf8;
+        }
+ 
+-       /* If encoded_string was UTF-8, then each 3-character %-escape
+-        * will be converted to a single byte, and so decoded is
+-        * shorter than encoded_string. If encoded_string was
+-        * iso-8859-1, then each 3-character %-escape will be
+-        * converted into at most 2 bytes in UTF-8, and so it's still
+-        * shorter.
+-        */
+-       strcpy (encoded_string, decoded);
+       g_string_assign (encoded_gstring, decoded);
+        g_free (decoded);
+        return TRUE;
+ }
+@@ -706,15 +701,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ {
+        GHashTable *params;
+        GSList *list, *iter;
+-       char *item, *eq, *name_end, *value;
+-       gboolean override, duplicated;
+ 
+        params = g_hash_table_new_full (soup_str_case_hash, 
+                                        soup_str_case_equal,
+-                                       g_free, NULL);
+                                       g_free, g_free);
+ 
+        list = parse_list (header, delim);
+        for (iter = list; iter; iter = iter->next) {
+               char *item, *eq, *name_end;
+               gboolean override, duplicated;
+               GString *parsed_value = NULL;
+                item = iter->data;
+                override = FALSE;
+ 
+@@ -729,19 +725,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ 
+                        *name_end = '\0';
+ 
+-                       value = (char *)skip_lws (eq + 1);
+                       parsed_value = g_string_new ((char *)skip_lws (eq + 1));
+ 
+                        if (name_end[-1] == '*' && name_end > item + 1) {
+                                name_end[-1] = '\0';
+-                               if (!decode_rfc5987 (value)) {
+                               if (!decode_rfc5987_inplace (parsed_value)) {
+                                       g_string_free (parsed_value, TRUE);
+                                        g_free (item);
+                                        continue;
+                                }
+                                override = TRUE;
+-                       } else if (*value == '"')
+-                               decode_quoted_string (value);
+-               } else
+-                       value = NULL;
+                       } else if (parsed_value->str[0] == '"')
+                               decode_quoted_string_inplace (parsed_value);
+                       }
+ 
+                duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
+ 
+@@ -749,11 +745,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
+                        soup_header_free_param_list (params);
+                        params = NULL;
+                        g_slist_foreach (iter, (GFunc)g_free, NULL);
+                       if (parsed_value)
+                               g_string_free (parsed_value, TRUE);
+                        break;
+-               } else if (override || !duplicated)
+-                       g_hash_table_replace (params, item, value);
+-               else
+               } else if (override || !duplicated) {
+                       g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
+               } else {
+                       if (parsed_value)
+                               g_string_free (parsed_value, TRUE);
+                        g_free (item);
+               }
+        }
+ 
+        g_slist_free (list);
+-- 
+2.34.1

diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch new file mode 100644 index 0000000000..740c28c016 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
@@ -0,0 +1,133 @@
	1	From 12523a592f1216450d18706bcf6c16e0f1ab0ce0 Mon Sep 17 00:00:00 2001
	2	From: Changqing Li <changqing.li@windriver.com>
	3	Date: Fri, 16 May 2025 13:52:37 +0800
	4	Subject: [PATCH] headers: Be more robust against invalid input when
	5	parsing params
	6
	7	If you pass invalid input to a function such as soup_header_parse_param_list_strict()
	8	it can cause an overflow if it decodes the input to UTF-8.
	9
	10	This should never happen with valid UTF-8 input which libsoup's client API
	11	ensures, however it's server API does not currently.
	12
	13	CVE: CVE-2024-52531
	14	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]
	15
	16	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	17	---
	18	libsoup/soup-headers.c \| 45 +++++++++++++++++++++---------------------
	19	1 file changed, 23 insertions(+), 22 deletions(-)
	20
	21	diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
	22	index 67905b2..39e8d34 100644
	23	--- a/libsoup/soup-headers.c
	24	+++ b/libsoup/soup-headers.c
	25	@@ -642,8 +642,9 @@ soup_header_contains (const char header, const char token)
	26	}
	27
	28	static void
	29	-decode_quoted_string (char *quoted_string)
	30	+decode_quoted_string_inplace (GString *quoted_gstring)
	31	{
	32	+ char *quoted_string = quoted_gstring->str;
	33	char src, dst;
	34
	35	src = quoted_string + 1;
	36	@@ -657,10 +658,11 @@ decode_quoted_string (char *quoted_string)
	37	}
	38
	39	static gboolean
	40	-decode_rfc5987 (char *encoded_string)
	41	+decode_rfc5987_inplace (GString *encoded_gstring)
	42	{
	43	char q, decoded;
	44	gboolean iso_8859_1 = FALSE;
	45	+ const char *encoded_string = encoded_gstring->str;
	46
	47	q = strchr (encoded_string, '\'');
	48	if (!q)
	49	@@ -689,14 +691,7 @@ decode_rfc5987 (char *encoded_string)
	50	decoded = utf8;
	51	}
	52
	53	- /* If encoded_string was UTF-8, then each 3-character %-escape
	54	- * will be converted to a single byte, and so decoded is
	55	- * shorter than encoded_string. If encoded_string was
	56	- * iso-8859-1, then each 3-character %-escape will be
	57	- * converted into at most 2 bytes in UTF-8, and so it's still
	58	- * shorter.
	59	- */
	60	- strcpy (encoded_string, decoded);
	61	+ g_string_assign (encoded_gstring, decoded);
	62	g_free (decoded);
	63	return TRUE;
	64	}
	65	@@ -706,15 +701,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
	66	{
	67	GHashTable *params;
	68	GSList list, iter;
	69	- char item, eq, name_end, value;
	70	- gboolean override, duplicated;
	71
	72	params = g_hash_table_new_full (soup_str_case_hash,
	73	soup_str_case_equal,
	74	- g_free, NULL);
	75	+ g_free, g_free);
	76
	77	list = parse_list (header, delim);
	78	for (iter = list; iter; iter = iter->next) {
	79	+ char item, eq, *name_end;
	80	+ gboolean override, duplicated;
	81	+ GString *parsed_value = NULL;
	82	item = iter->data;
	83	override = FALSE;
	84
	85	@@ -729,19 +725,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
	86
	87	*name_end = '\0';
	88
	89	- value = (char *)skip_lws (eq + 1);
	90	+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
	91
	92	if (name_end[-1] == '*' && name_end > item + 1) {
	93	name_end[-1] = '\0';
	94	- if (!decode_rfc5987 (value)) {
	95	+ if (!decode_rfc5987_inplace (parsed_value)) {
	96	+ g_string_free (parsed_value, TRUE);
	97	g_free (item);
	98	continue;
	99	}
	100	override = TRUE;
	101	- } else if (*value == '"')
	102	- decode_quoted_string (value);
	103	- } else
	104	- value = NULL;
	105	+ } else if (parsed_value->str[0] == '"')
	106	+ decode_quoted_string_inplace (parsed_value);
	107	+ }
	108
	109	duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
	110
	111	@@ -749,11 +745,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
	112	soup_header_free_param_list (params);
	113	params = NULL;
	114	g_slist_foreach (iter, (GFunc)g_free, NULL);
	115	+ if (parsed_value)
	116	+ g_string_free (parsed_value, TRUE);
	117	break;
	118	- } else if (override \|\| !duplicated)
	119	- g_hash_table_replace (params, item, value);
	120	- else
	121	+ } else if (override \|\| !duplicated) {
	122	+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
	123	+ } else {
	124	+ if (parsed_value)
	125	+ g_string_free (parsed_value, TRUE);
	126	g_free (item);
	127	+ }
	128	}
	129
	130	g_slist_free (list);
	131	--
	132	2.34.1
	133