1 files changed, 71 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch
new file mode 100644
index 0000000000..c33ebf8056
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch
@@ -0,0 +1,71 @@
+From 4b8809cca4bbcbf9514314d86227f985362258b0 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 12 Feb 2025 11:30:02 -0600
+Subject: [PATCH] headers: Handle parsing only newlines
+Closes #404
+Closes #407
+CVE: CVE-2025-32906
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c      |  4 ++--
+ tests/header-parsing-test.c | 11 +++++++++++
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index e5d3c03..87bb3dc 100644
+--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
+@@ -185,7 +185,7 @@ soup_headers_parse_request (const char          *str,
+        /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
+         * received where a Request-Line is expected."
+         */
+-       while ((*str == '\r' || *str == '\n') && len > 0) {
+       while (len > 0 && (*str == '\r' || *str == '\n')) {
+                str++;
+                len--;
+        }
+@@ -369,7 +369,7 @@ soup_headers_parse_response (const char          *str,
+         * after a response, which we then see prepended to the next
+         * response on that connection.
+         */
+-       while ((*str == '\r' || *str == '\n') && len > 0) {
+       while (len > 0 && (*str == '\r' || *str == '\n')) {
+                str++;
+                len--;
+        }
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index c1d3b33..b811115 100644
+--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
+@@ -6,6 +6,10 @@ typedef struct {
+        const char *name, *value;
+ } Header;
+ 
+static char only_newlines[] = {
+        '\n', '\n', '\n', '\n'
+};
+
+ static struct RequestTest {
+        const char *description;
+        const char *bugref;
+@@ -445,6 +449,13 @@ static struct RequestTest {
+          SOUP_STATUS_BAD_REQUEST,
+            NULL, NULL, -1,
+          { { NULL } }
+       },
+
+       { "Only newlines", NULL,
+         only_newlines, sizeof (only_newlines),
+         SOUP_STATUS_BAD_REQUEST,
+           NULL, NULL, -1,
+         { { NULL } }
+        }
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+-- 
+2.34.1

diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch new file mode 100644 index 0000000000..c33ebf8056 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch
@@ -0,0 +1,71 @@
	1	From 4b8809cca4bbcbf9514314d86227f985362258b0 Mon Sep 17 00:00:00 2001
	2	From: Patrick Griffis <pgriffis@igalia.com>
	3	Date: Wed, 12 Feb 2025 11:30:02 -0600
	4	Subject: [PATCH] headers: Handle parsing only newlines
	5
	6	Closes #404
	7	Closes #407
	8
	9	CVE: CVE-2025-32906
	10	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f]
	11
	12	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	13	---
	14	libsoup/soup-headers.c \| 4 ++--
	15	tests/header-parsing-test.c \| 11 +++++++++++
	16	2 files changed, 13 insertions(+), 2 deletions(-)
	17
	18	diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
	19	index e5d3c03..87bb3dc 100644
	20	--- a/libsoup/soup-headers.c
	21	+++ b/libsoup/soup-headers.c
	22	@@ -185,7 +185,7 @@ soup_headers_parse_request (const char *str,
	23	/* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
	24	* received where a Request-Line is expected."
	25	*/
	26	- while ((str == '\r' \|\| str == '\n') && len > 0) {
	27	+ while (len > 0 && (str == '\r' \|\| str == '\n')) {
	28	str++;
	29	len--;
	30	}
	31	@@ -369,7 +369,7 @@ soup_headers_parse_response (const char *str,
	32	* after a response, which we then see prepended to the next
	33	* response on that connection.
	34	*/
	35	- while ((str == '\r' \|\| str == '\n') && len > 0) {
	36	+ while (len > 0 && (str == '\r' \|\| str == '\n')) {
	37	str++;
	38	len--;
	39	}
	40	diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
	41	index c1d3b33..b811115 100644
	42	--- a/tests/header-parsing-test.c
	43	+++ b/tests/header-parsing-test.c
	44	@@ -6,6 +6,10 @@ typedef struct {
	45	const char name, value;
	46	} Header;
	47
	48	+static char only_newlines[] = {
	49	+ '\n', '\n', '\n', '\n'
	50	+};
	51	+
	52	static struct RequestTest {
	53	const char *description;
	54	const char *bugref;
	55	@@ -445,6 +449,13 @@ static struct RequestTest {
	56	SOUP_STATUS_BAD_REQUEST,
	57	NULL, NULL, -1,
	58	{ { NULL } }
	59	+ },
	60	+
	61	+ { "Only newlines", NULL,
	62	+ only_newlines, sizeof (only_newlines),
	63	+ SOUP_STATUS_BAD_REQUEST,
	64	+ NULL, NULL, -1,
	65	+ { { NULL } }
	66	}
	67	};
	68	static const int num_reqtests = G_N_ELEMENTS (reqtests);
	69	--
	70	2.34.1
	71