summaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-support/libsoup/libsoup-2.4
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe/recipes-support/libsoup/libsoup-2.4')
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch74
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch44
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-possibly-uninitialized-warnings.patch43
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Remove-http-and-https-aliases-support-test.patch145
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch150
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch39
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch133
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch37
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch43
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch48
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch56
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch29
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch32
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch39
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch71
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch39
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch38
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch32
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch94
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch28
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch32
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch35
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch38
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch61
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch47
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch38
-rw-r--r--meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch37
27 files changed, 1502 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch
new file mode 100644
index 0000000000..d75594bb4f
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch
@@ -0,0 +1,74 @@
1From 52c5859b82fe79f2c32d883e048d218e0d7f2182 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Wed, 30 Apr 2025 14:59:55 +0800
4Subject: [PATCH] CVE-2025-32911
5
6CVE: CVE-2025-32911 CVE-2025-32913
7Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/422/commits]
8
9Signed-off-by: Changqing Li <changqing.li@windriver.com>
10---
11 libsoup/soup-message-headers.c | 13 +++++++++----
12 tests/header-parsing-test.c | 15 +++++++++++++++
13 2 files changed, 24 insertions(+), 4 deletions(-)
14
15diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
16index 39ad14a..78b2455 100644
17--- a/libsoup/soup-message-headers.c
18+++ b/libsoup/soup-message-headers.c
19@@ -1454,10 +1454,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
20 */
21 if (params && g_hash_table_lookup_extended (*params, "filename",
22 &orig_key, &orig_value)) {
23- char *filename = strrchr (orig_value, '/');
24-
25- if (filename)
26- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
27+ if (orig_value) {
28+ char *filename = strrchr (orig_value, '/');
29+
30+ if (filename)
31+ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup(filename + 1));
32+ } else {
33+ /* filename with no value isn't valid. */
34+ g_hash_table_remove (*params, "filename");
35+ }
36 }
37 return TRUE;
38 }
39diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
40index 946f118..752196e 100644
41--- a/tests/header-parsing-test.c
42+++ b/tests/header-parsing-test.c
43@@ -1034,6 +1034,7 @@ do_param_list_tests (void)
44 #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
45 #define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\""
46 #define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar"
47+#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename"
48
49 static void
50 do_content_disposition_tests (void)
51@@ -1133,6 +1134,20 @@ do_content_disposition_tests (void)
52 g_assert_cmpstr (filename, ==, RFC5987_TEST_FALLBACK_FILENAME);
53 parameter2 = g_hash_table_lookup (params, "foo");
54 g_assert_cmpstr (parameter2, ==, "bar");
55+ g_hash_table_destroy (params);
56+
57+ /* Empty filename */
58+ soup_message_headers_clear (hdrs);
59+ soup_message_headers_append (hdrs, "Content-Disposition",
60+ RFC5987_TEST_HEADER_EMPTY_FILENAME);
61+ if (!soup_message_headers_get_content_disposition (hdrs,
62+ &disposition,
63+ &params)) {
64+ soup_test_assert (FALSE, "empty filename decoding FAILED");
65+ return;
66+ }
67+ g_free (disposition);
68+ g_assert_false (g_hash_table_contains (params, "filename"));
69 g_hash_table_destroy (params);
70
71 soup_message_headers_free (hdrs);
72--
732.34.1
74
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch
new file mode 100644
index 0000000000..d867e5bc17
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch
@@ -0,0 +1,44 @@
1From ced3c5d8cad0177b297666343f1561799dfefb0d Mon Sep 17 00:00:00 2001
2From: Khem Raj <raj.khem@gmail.com>
3Date: Wed, 22 Nov 2023 18:49:10 -0800
4Subject: [PATCH] Fix build with libxml2-2.12.0 and clang-17
5
6Fixes build errors about missing function prototypes with clang-17
7
8Fixes
9| ../libsoup-2.74.3/libsoup/soup-xmlrpc-old.c:512:8: error: call to undeclared function 'xmlParseMemory'; ISO C99 and later do not support implicit function declarations
10
11Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/385]
12Signed-off-by: Khem Raj <raj.khem@gmail.com>
13---
14 libsoup/soup-xmlrpc-old.c | 1 +
15 libsoup/soup-xmlrpc.c | 1 +
16 2 files changed, 2 insertions(+)
17
18diff --git a/libsoup/soup-xmlrpc-old.c b/libsoup/soup-xmlrpc-old.c
19index c57086b6..527e3b23 100644
20--- a/libsoup/soup-xmlrpc-old.c
21+++ b/libsoup/soup-xmlrpc-old.c
22@@ -11,6 +11,7 @@
23
24 #include <string.h>
25
26+#include <libxml/parser.h>
27 #include <libxml/tree.h>
28
29 #include "soup-xmlrpc-old.h"
30diff --git a/libsoup/soup-xmlrpc.c b/libsoup/soup-xmlrpc.c
31index 42dcda9c..e991cbf0 100644
32--- a/libsoup/soup-xmlrpc.c
33+++ b/libsoup/soup-xmlrpc.c
34@@ -17,6 +17,7 @@
35
36 #include <string.h>
37 #include <errno.h>
38+#include <libxml/parser.h>
39 #include <libxml/tree.h>
40 #include "soup-xmlrpc.h"
41 #include "soup.h"
42--
432.43.0
44
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-possibly-uninitialized-warnings.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-possibly-uninitialized-warnings.patch
new file mode 100644
index 0000000000..fcd442c13a
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Fix-possibly-uninitialized-warnings.patch
@@ -0,0 +1,43 @@
1From 1159686379184a1c899eabb2174258aba5e0fd79 Mon Sep 17 00:00:00 2001
2From: Patrick Griffis <pgriffis@igalia.com>
3Date: Mon, 20 Sep 2021 15:41:31 -0500
4Subject: [PATCH] Fix possibly uninitialized warnings
5
6Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/fb98e9a8c3062c75357b961543af091de2dd5459]
7
8Signed-off-by: Changqing Li <changqing.li@windriver.com>
9---
10 libsoup/soup-websocket-connection.c | 2 +-
11 tests/samesite-test.c | 3 +++
12 2 files changed, 4 insertions(+), 1 deletion(-)
13
14diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
15index 65c1492..585d45c 100644
16--- a/libsoup/soup-websocket-connection.c
17+++ b/libsoup/soup-websocket-connection.c
18@@ -471,7 +471,7 @@ send_message (SoupWebsocketConnection *self,
19 GByteArray *bytes;
20 gsize frame_len;
21 guint8 *outer;
22- guint8 mask_offset;
23+ guint8 mask_offset = 0;
24 GBytes *filtered_bytes;
25 GList *l;
26 GError *error = NULL;
27diff --git a/tests/samesite-test.c b/tests/samesite-test.c
28index 0b081b2..60c9b8e 100644
29--- a/tests/samesite-test.c
30+++ b/tests/samesite-test.c
31@@ -60,6 +60,9 @@ assert_highest_policy_visible (GSList *cookies, SoupSameSitePolicy policy)
32 case SOUP_SAME_SITE_POLICY_NONE:
33 expected_count = 1;
34 break;
35+ default:
36+ g_assert_not_reached ();
37+ break;
38 }
39
40 g_assert_cmpuint (size, ==, expected_count);
41--
422.34.1
43
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Remove-http-and-https-aliases-support-test.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Remove-http-and-https-aliases-support-test.patch
new file mode 100644
index 0000000000..0d4139ec08
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-Remove-http-and-https-aliases-support-test.patch
@@ -0,0 +1,145 @@
1From 0e3bfa22b23451531caf8cc30b1771ac6a41fcad Mon Sep 17 00:00:00 2001
2From: Carlos Garcia Campos <cgarcia@igalia.com>
3Date: Thu, 11 Feb 2021 10:47:09 +0100
4Subject: [PATCH] Remove http and https aliases support test
5
6Upstream has removed the whole function of http and https aliases
7support, this commit partially cherry pick it, only remove the test to
8mute the warning:
9| ../libsoup-2.74.3/tests/server-test.c: In function 'do_one_server_aliases_test':
10| ../libsoup-2.74.3/tests/server-test.c:180:17: warning: 'g_socket_client_set_tls_validation_flags' is deprecated [-Wdeprecated-declarations]
11| 180 | g_socket_client_set_tls_validation_flags (client, 0);
12| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13
14Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/111ae4ebe7cc2e389573cff5b9ac76509d6cbac0]
15
16Signed-off-by: Changqing Li <changqing.li@windriver.com>
17---
18 tests/server-test.c | 104 --------------------------------------------
19 1 file changed, 104 deletions(-)
20
21diff --git a/tests/server-test.c b/tests/server-test.c
22index 8976103..cb7e815 100644
23--- a/tests/server-test.c
24+++ b/tests/server-test.c
25@@ -154,108 +154,6 @@ do_star_test (ServerData *sd, gconstpointer test_data)
26 soup_uri_free (star_uri);
27 }
28
29-static void
30-do_one_server_aliases_test (SoupURI *uri,
31- const char *alias,
32- gboolean succeed)
33-{
34- GSocketClient *client;
35- GSocketConnectable *addr;
36- GSocketConnection *conn;
37- GInputStream *in;
38- GOutputStream *out;
39- GError *error = NULL;
40- GString *req;
41- static char buf[1024];
42-
43- debug_printf (1, " %s via %s\n", alias, uri->scheme);
44-
45- /* There's no way to make libsoup's client side send an absolute
46- * URI (to a non-proxy server), so we have to fake this.
47- */
48-
49- client = g_socket_client_new ();
50- if (uri->scheme == SOUP_URI_SCHEME_HTTPS) {
51- g_socket_client_set_tls (client, TRUE);
52- g_socket_client_set_tls_validation_flags (client, 0);
53- }
54- addr = g_network_address_new (uri->host, uri->port);
55-
56- conn = g_socket_client_connect (client, addr, NULL, &error);
57- g_object_unref (addr);
58- g_object_unref (client);
59- if (!conn) {
60- g_assert_no_error (error);
61- g_error_free (error);
62- return;
63- }
64-
65- in = g_io_stream_get_input_stream (G_IO_STREAM (conn));
66- out = g_io_stream_get_output_stream (G_IO_STREAM (conn));
67-
68- req = g_string_new (NULL);
69- g_string_append_printf (req, "GET %s://%s:%d HTTP/1.1\r\n",
70- alias, uri->host, uri->port);
71- g_string_append_printf (req, "Host: %s:%d\r\n",
72- uri->host, uri->port);
73- g_string_append (req, "Connection: close\r\n\r\n");
74-
75- if (!g_output_stream_write_all (out, req->str, req->len, NULL, NULL, &error)) {
76- g_assert_no_error (error);
77- g_error_free (error);
78- g_object_unref (conn);
79- g_string_free (req, TRUE);
80- return;
81- }
82- g_string_free (req, TRUE);
83-
84- if (!g_input_stream_read_all (in, buf, sizeof (buf), NULL, NULL, &error)) {
85- g_assert_no_error (error);
86- g_error_free (error);
87- g_object_unref (conn);
88- return;
89- }
90-
91- if (succeed)
92- g_assert_true (g_str_has_prefix (buf, "HTTP/1.1 200 "));
93- else
94- g_assert_true (g_str_has_prefix (buf, "HTTP/1.1 400 "));
95-
96- g_io_stream_close (G_IO_STREAM (conn), NULL, NULL);
97- g_object_unref (conn);
98-}
99-
100-static void
101-do_server_aliases_test (ServerData *sd, gconstpointer test_data)
102-{
103- char *http_aliases[] = { "dav", NULL };
104- char *https_aliases[] = { "davs", NULL };
105- char *http_good[] = { "http", "dav", NULL };
106- char *http_bad[] = { "https", "davs", "fred", NULL };
107- char *https_good[] = { "https", "davs", NULL };
108- char *https_bad[] = { "http", "dav", "fred", NULL };
109- int i;
110-
111- g_test_bug ("703694");
112-
113- g_object_set (G_OBJECT (sd->server),
114- SOUP_SERVER_HTTP_ALIASES, http_aliases,
115- SOUP_SERVER_HTTPS_ALIASES, https_aliases,
116- NULL);
117-
118- for (i = 0; http_good[i]; i++)
119- do_one_server_aliases_test (sd->base_uri, http_good[i], TRUE);
120- for (i = 0; http_bad[i]; i++)
121- do_one_server_aliases_test (sd->base_uri, http_bad[i], FALSE);
122-
123- if (tls_available) {
124- for (i = 0; https_good[i]; i++)
125- do_one_server_aliases_test (sd->ssl_base_uri, https_good[i], TRUE);
126- for (i = 0; https_bad[i]; i++)
127- do_one_server_aliases_test (sd->ssl_base_uri, https_bad[i], FALSE);
128- }
129-}
130-
131 static void
132 do_dot_dot_test (ServerData *sd, gconstpointer test_data)
133 {
134@@ -1382,8 +1280,6 @@ main (int argc, char **argv)
135
136 g_test_add ("/server/OPTIONS *", ServerData, NULL,
137 server_setup, do_star_test, server_teardown);
138- g_test_add ("/server/aliases", ServerData, NULL,
139- server_setup, do_server_aliases_test, server_teardown);
140 g_test_add ("/server/..-in-path", ServerData, NULL,
141 server_setup, do_dot_dot_test, server_teardown);
142 g_test_add ("/server/ipv6", ServerData, NULL,
143--
1442.34.1
145
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch
new file mode 100644
index 0000000000..04713850e1
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch
@@ -0,0 +1,150 @@
1From 4a2bb98e03d79146c729dca52c8d6edc635218ff Mon Sep 17 00:00:00 2001
2From: Patrick Griffis <pgriffis@igalia.com>
3Date: Mon, 8 Jul 2024 12:33:15 -0500
4Subject: [PATCH] headers: Strictly don't allow NUL bytes
5
6In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
7
8CVE: CVE-2024-52530
9Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/402/diffs?commit_id=04df03bc092ac20607f3e150936624d4f536e68b]
10
11Signed-off-by: Changqing Li <changqing.li@windriver.com>
12---
13 libsoup/soup-headers.c | 15 +++------
14 tests/header-parsing-test.c | 62 +++++++++++++++++--------------------
15 2 files changed, 32 insertions(+), 45 deletions(-)
16
17diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
18index eec28ad..e5d3c03 100644
19--- a/libsoup/soup-headers.c
20+++ b/libsoup/soup-headers.c
21@@ -50,13 +50,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
22 * ignorable trailing whitespace.
23 */
24
25+ /* No '\0's are allowed */
26+ if (memchr (str, '\0', len))
27+ return FALSE;
28+
29 /* Skip over the Request-Line / Status-Line */
30 headers_start = memchr (str, '\n', len);
31 if (!headers_start)
32 return FALSE;
33- /* No '\0's in the Request-Line / Status-Line */
34- if (memchr (str, '\0', headers_start - str))
35- return FALSE;
36
37 /* We work on a copy of the headers, which we can write '\0's
38 * into, so that we don't have to individually g_strndup and
39@@ -68,14 +69,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
40 headers_copy[copy_len] = '\0';
41 value_end = headers_copy;
42
43- /* There shouldn't be any '\0's in the headers already, but
44- * this is the web we're talking about.
45- */
46- while ((p = memchr (headers_copy, '\0', copy_len))) {
47- memmove (p, p + 1, copy_len - (p - headers_copy));
48- copy_len--;
49- }
50-
51 while (*(value_end + 1)) {
52 name = value_end + 1;
53 name_end = strchr (name, ':');
54diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
55index 752196e..c1d3b33 100644
56--- a/tests/header-parsing-test.c
57+++ b/tests/header-parsing-test.c
58@@ -358,24 +358,6 @@ static struct RequestTest {
59 }
60 },
61
62- { "NUL in header name", "760832",
63- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
64- SOUP_STATUS_OK,
65- "GET", "/", SOUP_HTTP_1_1,
66- { { "Host", "example.com" },
67- { NULL }
68- }
69- },
70-
71- { "NUL in header value", "760832",
72- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
73- SOUP_STATUS_OK,
74- "GET", "/", SOUP_HTTP_1_1,
75- { { "Host", "examplecom" },
76- { NULL }
77- }
78- },
79-
80 /************************/
81 /*** INVALID REQUESTS ***/
82 /************************/
83@@ -448,6 +430,21 @@ static struct RequestTest {
84 SOUP_STATUS_EXPECTATION_FAILED,
85 NULL, NULL, -1,
86 { { NULL } }
87+ },
88+
89+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
90+ { "NUL in header name", NULL,
91+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
92+ SOUP_STATUS_BAD_REQUEST,
93+ NULL, NULL, -1,
94+ { { NULL } }
95+ },
96+
97+ { "NUL in header value", NULL,
98+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
99+ SOUP_STATUS_BAD_REQUEST,
100+ NULL, NULL, -1,
101+ { { NULL } }
102 }
103 };
104 static const int num_reqtests = G_N_ELEMENTS (reqtests);
105@@ -620,22 +617,6 @@ static struct ResponseTest {
106 { NULL } }
107 },
108
109- { "NUL in header name", "760832",
110- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
111- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
112- { { "Foo", "bar" },
113- { NULL }
114- }
115- },
116-
117- { "NUL in header value", "760832",
118- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
119- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
120- { { "Foo", "bar" },
121- { NULL }
122- }
123- },
124-
125 /********************************/
126 /*** VALID CONTINUE RESPONSES ***/
127 /********************************/
128@@ -768,6 +749,19 @@ static struct ResponseTest {
129 { { NULL }
130 }
131 },
132+
133+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
134+ { "NUL in header name", NULL,
135+ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
136+ -1, 0, NULL,
137+ { { NULL } }
138+ },
139+
140+ { "NUL in header value", "760832",
141+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
142+ -1, 0, NULL,
143+ { { NULL } }
144+ },
145 };
146 static const int num_resptests = G_N_ELEMENTS (resptests);
147
148--
1492.34.1
150
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
new file mode 100644
index 0000000000..9de0310c8d
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
@@ -0,0 +1,39 @@
1From 8331e681c85c3b1893d8d5193783f631bfc07acb Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Fri, 16 May 2025 13:42:08 +0800
4Subject: [PATCH] tests: Add test for passing invalid UTF-8 to
5 soup_header_parse_semi_param_list()
6
7CVE: CVE-2024-52531
8Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=825fda3425546847b42ad5270544e9388ff349fe]
9
10Signed-off-by: Changqing Li <changqing.li@windriver.com>
11---
12 tests/header-parsing-test.c | 11 +++++++++++
13 1 file changed, 11 insertions(+)
14
15diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
16index b811115..cfcc003 100644
17--- a/tests/header-parsing-test.c
18+++ b/tests/header-parsing-test.c
19@@ -836,6 +836,17 @@ static struct ParamListTest {
20 { "filename", "t\xC3\xA9st.txt" },
21 },
22 },
23+
24+/* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */
25+ { TRUE,
26+ "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
27+ {
28+ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
29+ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
30+ { "foo", NULL },
31+ },
32+ }
33+
34 };
35 static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
36
37--
382.34.1
39
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
new file mode 100644
index 0000000000..740c28c016
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
@@ -0,0 +1,133 @@
1From 12523a592f1216450d18706bcf6c16e0f1ab0ce0 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Fri, 16 May 2025 13:52:37 +0800
4Subject: [PATCH] headers: Be more robust against invalid input when
5 parsing params
6
7If you pass invalid input to a function such as soup_header_parse_param_list_strict()
8it can cause an overflow if it decodes the input to UTF-8.
9
10This should never happen with valid UTF-8 input which libsoup's client API
11ensures, however it's server API does not currently.
12
13CVE: CVE-2024-52531
14Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]
15
16Signed-off-by: Changqing Li <changqing.li@windriver.com>
17---
18 libsoup/soup-headers.c | 45 +++++++++++++++++++++---------------------
19 1 file changed, 23 insertions(+), 22 deletions(-)
20
21diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
22index 67905b2..39e8d34 100644
23--- a/libsoup/soup-headers.c
24+++ b/libsoup/soup-headers.c
25@@ -642,8 +642,9 @@ soup_header_contains (const char *header, const char *token)
26 }
27
28 static void
29-decode_quoted_string (char *quoted_string)
30+decode_quoted_string_inplace (GString *quoted_gstring)
31 {
32+ char *quoted_string = quoted_gstring->str;
33 char *src, *dst;
34
35 src = quoted_string + 1;
36@@ -657,10 +658,11 @@ decode_quoted_string (char *quoted_string)
37 }
38
39 static gboolean
40-decode_rfc5987 (char *encoded_string)
41+decode_rfc5987_inplace (GString *encoded_gstring)
42 {
43 char *q, *decoded;
44 gboolean iso_8859_1 = FALSE;
45+ const char *encoded_string = encoded_gstring->str;
46
47 q = strchr (encoded_string, '\'');
48 if (!q)
49@@ -689,14 +691,7 @@ decode_rfc5987 (char *encoded_string)
50 decoded = utf8;
51 }
52
53- /* If encoded_string was UTF-8, then each 3-character %-escape
54- * will be converted to a single byte, and so decoded is
55- * shorter than encoded_string. If encoded_string was
56- * iso-8859-1, then each 3-character %-escape will be
57- * converted into at most 2 bytes in UTF-8, and so it's still
58- * shorter.
59- */
60- strcpy (encoded_string, decoded);
61+ g_string_assign (encoded_gstring, decoded);
62 g_free (decoded);
63 return TRUE;
64 }
65@@ -706,15 +701,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
66 {
67 GHashTable *params;
68 GSList *list, *iter;
69- char *item, *eq, *name_end, *value;
70- gboolean override, duplicated;
71
72 params = g_hash_table_new_full (soup_str_case_hash,
73 soup_str_case_equal,
74- g_free, NULL);
75+ g_free, g_free);
76
77 list = parse_list (header, delim);
78 for (iter = list; iter; iter = iter->next) {
79+ char *item, *eq, *name_end;
80+ gboolean override, duplicated;
81+ GString *parsed_value = NULL;
82 item = iter->data;
83 override = FALSE;
84
85@@ -729,19 +725,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
86
87 *name_end = '\0';
88
89- value = (char *)skip_lws (eq + 1);
90+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
91
92 if (name_end[-1] == '*' && name_end > item + 1) {
93 name_end[-1] = '\0';
94- if (!decode_rfc5987 (value)) {
95+ if (!decode_rfc5987_inplace (parsed_value)) {
96+ g_string_free (parsed_value, TRUE);
97 g_free (item);
98 continue;
99 }
100 override = TRUE;
101- } else if (*value == '"')
102- decode_quoted_string (value);
103- } else
104- value = NULL;
105+ } else if (parsed_value->str[0] == '"')
106+ decode_quoted_string_inplace (parsed_value);
107+ }
108
109 duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
110
111@@ -749,11 +745,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
112 soup_header_free_param_list (params);
113 params = NULL;
114 g_slist_foreach (iter, (GFunc)g_free, NULL);
115+ if (parsed_value)
116+ g_string_free (parsed_value, TRUE);
117 break;
118- } else if (override || !duplicated)
119- g_hash_table_replace (params, item, value);
120- else
121+ } else if (override || !duplicated) {
122+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
123+ } else {
124+ if (parsed_value)
125+ g_string_free (parsed_value, TRUE);
126 g_free (item);
127+ }
128 }
129
130 g_slist_free (list);
131--
1322.34.1
133
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch
new file mode 100644
index 0000000000..cb1f096110
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch
@@ -0,0 +1,37 @@
1From a693d49bff058fc20a448dc4e7d324ff0dc6597e Mon Sep 17 00:00:00 2001
2From: Ignacio Casal Quinteiro <qignacio@amazon.com>
3Date: Wed, 11 Sep 2024 11:52:11 +0200
4Subject: [PATCH 1/3] websocket: process the frame as soon as we read data
5
6Otherwise we can enter in a read loop because we were not
7validating the data until the all the data was read.
8
9Fixes #391
10
11CVE: CVE-2024-52532
12Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be#f1d67ca0386b145ea201cf88d27f72724d7c6715]
13
14Signed-off-by: Changqing Li <changqing.li@windriver.com>
15---
16 libsoup/soup-websocket-connection.c | 5 ++---
17 1 file changed, 2 insertions(+), 3 deletions(-)
18
19diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
20index a4095e1..65c1492 100644
21--- a/libsoup/soup-websocket-connection.c
22+++ b/libsoup/soup-websocket-connection.c
23@@ -1140,9 +1140,8 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
24 }
25
26 pv->incoming->len = len + count;
27- } while (count > 0);
28-
29- process_incoming (self);
30+ process_incoming (self);
31+ } while (count > 0 && !pv->close_sent && !pv->io_closing);
32
33 if (end) {
34 if (!pv->close_sent || !pv->close_received) {
35--
362.34.1
37
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch
new file mode 100644
index 0000000000..dcadafe944
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch
@@ -0,0 +1,43 @@
1From f5b76410de1318f49844dacf6e68692522b6c856 Mon Sep 17 00:00:00 2001
2From: Ignacio Casal Quinteiro <qignacio@amazon.com>
3Date: Wed, 2 Oct 2024 11:17:19 +0200
4Subject: [PATCH] websocket-test: disconnect error copy after the test ends
5
6Otherwise the server will have already sent a few more wrong
7bytes and the client will continue getting errors to copy
8but the error is already != NULL and it will assert
9
10CVE: CVE-2024-52532
11Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c]
12
13Signed-off-by: Changqing Li <changqing.li@windriver.com>
14---
15 tests/websocket-test.c | 5 ++++-
16 1 file changed, 4 insertions(+), 1 deletion(-)
17
18diff --git a/tests/websocket-test.c b/tests/websocket-test.c
19index 5e40cf3..1ec9ff6 100644
20--- a/tests/websocket-test.c
21+++ b/tests/websocket-test.c
22@@ -1331,8 +1331,9 @@ test_receive_invalid_encode_length_64 (Test *test,
23 GError *error = NULL;
24 InvalidEncodeLengthTest context = { test, NULL };
25 guint i;
26+ guint error_id;
27
28- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
29+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
30 g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
31
32 /* We use 127(\x7f) as payload length with 65535 extended length */
33@@ -1345,6 +1346,7 @@ test_receive_invalid_encode_length_64 (Test *test,
34 WAIT_UNTIL (error != NULL || received != NULL);
35 g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
36 g_clear_error (&error);
37+ g_signal_handler_disconnect (test->client, error_id);
38 g_assert_null (received);
39
40 g_thread_join (thread);
41--
422.34.1
43
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
new file mode 100644
index 0000000000..ab6af72291
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
@@ -0,0 +1,48 @@
1From d97bb2e340f5a6d7e56a7738403f9d18bc406b70 Mon Sep 17 00:00:00 2001
2From: Simon McVittie <smcv@debian.org>
3Date: Wed, 13 Nov 2024 14:14:23 +0000
4Subject: [PATCH 3/3] websocket-test: Disconnect error signal in another place
5
6This is the same change as commit 29b96fab "websocket-test: disconnect
7error copy after the test ends", and is done for the same reason, but
8replicating it into a different function.
9
10Fixes: 6adc0e3e "websocket: process the frame as soon as we read data"
11Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399
12Signed-off-by: Simon McVittie <smcv@debian.org>
13
14CVE: CVE-2024-52532
15Upstream-Status: Backport
16[https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff]
17
18Signed-off-by: Changqing Li <changqing.li@windriver.com>
19---
20 tests/websocket-test.c | 4 +++-
21 1 file changed, 3 insertions(+), 1 deletion(-)
22
23diff --git a/tests/websocket-test.c b/tests/websocket-test.c
24index 2b19a7b..0699a06 100644
25--- a/tests/websocket-test.c
26+++ b/tests/websocket-test.c
27@@ -1300,8 +1300,9 @@ test_receive_invalid_encode_length_16 (Test *test,
28 GError *error = NULL;
29 InvalidEncodeLengthTest context = { test, NULL };
30 guint i;
31+ guint error_id;
32
33- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
34+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
35 g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
36
37 /* We use 126(~) as payload length with 125 extended length */
38@@ -1314,6 +1315,7 @@ test_receive_invalid_encode_length_16 (Test *test,
39 WAIT_UNTIL (error != NULL || received != NULL);
40 g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
41 g_clear_error (&error);
42+ g_signal_handler_disconnect (test->client, error_id);
43 g_assert_null (received);
44
45 g_thread_join (thread);
46--
472.34.1
48
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch
new file mode 100644
index 0000000000..106f907168
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch
@@ -0,0 +1,56 @@
1From 2eacbd762332795e00692ddab2515c6da23198d3 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 12 May 2025 14:06:41 +0800
4Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
5
6CVE: CVE-2025-2784
7Upstream-Status: Backport
8[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304;
9 https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d]
10
11Test code is not added since it uses some functions not defined in
12version 2.74. These tests are not used now, so just ignore them.
13
14Signed-off-by: Changqing Li <changqing.li@windriver.com>
15---
16 libsoup/soup-content-sniffer.c | 9 +++----
17 1 files changed, 3 insertions(+), 4 deletions(-)
18
19diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
20index 5f2896e..9554636 100644
21--- a/libsoup/soup-content-sniffer.c
22+++ b/libsoup/soup-content-sniffer.c
23@@ -612,8 +612,10 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
24 }
25
26 static gboolean
27-skip_insignificant_space (const char *resource, int *pos, int resource_length)
28+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
29 {
30+ if (*pos >= resource_length)
31+ return TRUE;
32 while ((resource[*pos] == '\x09') ||
33 (resource[*pos] == '\x20') ||
34 (resource[*pos] == '\x0A') ||
35@@ -632,7 +634,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
36 {
37 const char *resource = (const char *)buffer->data;
38 int resource_length = MIN (512, buffer->length);
39- int pos = 0;
40+ gsize pos = 0;
41
42 if (resource_length < 3)
43 goto text_html;
44@@ -642,9 +644,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
45 pos = 3;
46
47 look_for_tag:
48- if (pos > resource_length)
49- goto text_html;
50-
51 if (skip_insignificant_space (resource, &pos, resource_length))
52 goto text_html;
53
54--
552.34.1
56
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch
new file mode 100644
index 0000000000..c032846ef0
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch
@@ -0,0 +1,29 @@
1From 5709dfffb6fdc5b66ce001bf82a755ad8ad1d992 Mon Sep 17 00:00:00 2001
2From: Patrick Griffis <pgriffis@igalia.com>
3Date: Mon, 28 Oct 2024 12:29:48 -0500
4Subject: [PATCH] Fix using int instead of size_t for strcspn return
5
6CVE: CVE-2025-32050
7Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323]
8
9Signed-off-by: Changqing Li <changqing.li@windriver.com>
10---
11 libsoup/soup-headers.c | 2 +-
12 1 file changed, 1 insertion(+), 1 deletion(-)
13
14diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
15index 9707ca0..67905b2 100644
16--- a/libsoup/soup-headers.c
17+++ b/libsoup/soup-headers.c
18@@ -902,7 +902,7 @@ append_param_quoted (GString *string,
19 const char *name,
20 const char *value)
21 {
22- int len;
23+ gsize len;
24
25 g_string_append (string, name);
26 g_string_append (string, "=\"");
27--
282.34.1
29
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch
new file mode 100644
index 0000000000..34bc8113a4
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch
@@ -0,0 +1,32 @@
1From f4a67a9a3033586edaee715d40d5992e02d32893 Mon Sep 17 00:00:00 2001
2From: Patrick Griffis <pgriffis@igalia.com>
3Date: Sat, 16 Nov 2024 12:07:30 -0600
4Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff
5
6Co-Author: Ar Jun <pkillarjun@protonmail.com>
7
8CVE: CVE-2025-32052
9Upstream-Status: Backport
10[https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652#500da7cfde649872c49169be34b03a1c42a53ddb]
11
12Signed-off-by: Changqing Li <changqing.li@windriver.com>
13---
14 libsoup/soup-content-sniffer.c | 2 +-
15 1 file changed, 1 insertion(+), 1 deletion(-)
16
17diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
18index 9554636..eac9e7b 100644
19--- a/libsoup/soup-content-sniffer.c
20+++ b/libsoup/soup-content-sniffer.c
21@@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer,
22 guint index_pattern = 0;
23 gboolean skip_row = FALSE;
24
25- while ((index_stream < resource_length) &&
26+ while ((index_stream < resource_length - 1) &&
27 (index_pattern <= type_row->pattern_length)) {
28 /* Skip insignificant white space ("WS" in the spec) */
29 if (type_row->pattern[index_pattern] == ' ') {
30--
312.34.1
32
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch
new file mode 100644
index 0000000000..0d829d6200
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch
@@ -0,0 +1,39 @@
1From d9bcffd6cd5e8ec32889a594f7348d67a5101b3a Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 12 May 2025 13:58:42 +0800
4Subject: [PATCH] Fix heap buffer overflow in
5 soup-content-sniffer.c:sniff_feed_or_html()
6
7CVE: CVE-2025-32053
8Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a]
9
10Signed-off-by: Changqing Li <changqing.li@windriver.com>
11---
12 libsoup/soup-content-sniffer.c | 4 ++--
13 1 file changed, 2 insertions(+), 2 deletions(-)
14
15diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
16index 967ec61..5f2896e 100644
17--- a/libsoup/soup-content-sniffer.c
18+++ b/libsoup/soup-content-sniffer.c
19@@ -620,7 +620,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length)
20 (resource[*pos] == '\x0D')) {
21 *pos = *pos + 1;
22
23- if (*pos > resource_length)
24+ if (*pos >= resource_length)
25 return TRUE;
26 }
27
28@@ -682,7 +682,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
29 do {
30 pos++;
31
32- if (pos > resource_length)
33+ if ((pos + 1) > resource_length)
34 goto text_html;
35 } while (resource[pos] != '>');
36
37--
382.34.1
39
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch
new file mode 100644
index 0000000000..c33ebf8056
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch
@@ -0,0 +1,71 @@
1From 4b8809cca4bbcbf9514314d86227f985362258b0 Mon Sep 17 00:00:00 2001
2From: Patrick Griffis <pgriffis@igalia.com>
3Date: Wed, 12 Feb 2025 11:30:02 -0600
4Subject: [PATCH] headers: Handle parsing only newlines
5
6Closes #404
7Closes #407
8
9CVE: CVE-2025-32906
10Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f]
11
12Signed-off-by: Changqing Li <changqing.li@windriver.com>
13---
14 libsoup/soup-headers.c | 4 ++--
15 tests/header-parsing-test.c | 11 +++++++++++
16 2 files changed, 13 insertions(+), 2 deletions(-)
17
18diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
19index e5d3c03..87bb3dc 100644
20--- a/libsoup/soup-headers.c
21+++ b/libsoup/soup-headers.c
22@@ -185,7 +185,7 @@ soup_headers_parse_request (const char *str,
23 /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
24 * received where a Request-Line is expected."
25 */
26- while ((*str == '\r' || *str == '\n') && len > 0) {
27+ while (len > 0 && (*str == '\r' || *str == '\n')) {
28 str++;
29 len--;
30 }
31@@ -369,7 +369,7 @@ soup_headers_parse_response (const char *str,
32 * after a response, which we then see prepended to the next
33 * response on that connection.
34 */
35- while ((*str == '\r' || *str == '\n') && len > 0) {
36+ while (len > 0 && (*str == '\r' || *str == '\n')) {
37 str++;
38 len--;
39 }
40diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
41index c1d3b33..b811115 100644
42--- a/tests/header-parsing-test.c
43+++ b/tests/header-parsing-test.c
44@@ -6,6 +6,10 @@ typedef struct {
45 const char *name, *value;
46 } Header;
47
48+static char only_newlines[] = {
49+ '\n', '\n', '\n', '\n'
50+};
51+
52 static struct RequestTest {
53 const char *description;
54 const char *bugref;
55@@ -445,6 +449,13 @@ static struct RequestTest {
56 SOUP_STATUS_BAD_REQUEST,
57 NULL, NULL, -1,
58 { { NULL } }
59+ },
60+
61+ { "Only newlines", NULL,
62+ only_newlines, sizeof (only_newlines),
63+ SOUP_STATUS_BAD_REQUEST,
64+ NULL, NULL, -1,
65+ { { NULL } }
66 }
67 };
68 static const int num_reqtests = G_N_ELEMENTS (reqtests);
69--
702.34.1
71
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch
new file mode 100644
index 0000000000..41dd3ff3f4
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch
@@ -0,0 +1,39 @@
1From 8158b4084dcba2a233dfcb7359c53ab2840148f7 Mon Sep 17 00:00:00 2001
2From: Milan Crha <mcrha@redhat.com>
3Date: Tue, 15 Apr 2025 12:17:39 +0200
4Subject: [PATCH 1/2] soup-message-headers: Correct merge of ranges
5
6It had been skipping every second range, which generated an array
7of a lot of insane ranges, causing large memory usage by the server.
8
9Closes #428
10
11Part-of: <https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452>
12
13CVE: CVE-2025-32907
14Upstream-Status: Backport
15[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452/diffs?commit_id=9bb92f7a685e31e10e9e8221d0342280432ce836]
16
17Test part not applied since test codes use some functions not in this
18version
19
20Signed-off-by: Changqing Li <changqing.li@windriver.com>
21---
22 libsoup/soup-message-headers.c | 1 +
23 1 files changed, 1 insertions(+)
24
25diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
26index 78b2455..00b9763 100644
27--- a/libsoup/soup-message-headers.c
28+++ b/libsoup/soup-message-headers.c
29@@ -1024,6 +1024,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs,
30 if (cur->start <= prev->end) {
31 prev->end = MAX (prev->end, cur->end);
32 g_array_remove_index (array, i);
33+ i--;
34 }
35 }
36 }
37--
382.34.1
39
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
new file mode 100644
index 0000000000..2f5366348d
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
@@ -0,0 +1,38 @@
1From e6e088e62c10ab91fa2f2ad5c122332aa7cde97c Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 12 May 2025 16:55:37 +0800
4Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than
5 4 bytes
6
7CVE: CVE-2025-32909
8Upstream-Status: Backport
9[https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92]
10
11Signed-off-by: Changqing Li <changqing.li@windriver.com>
12---
13 libsoup/soup-content-sniffer.c | 7 ++++++-
14 1 file changed, 6 insertions(+), 1 deletion(-)
15
16diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
17index eac9e7b..73d2245 100644
18--- a/libsoup/soup-content-sniffer.c
19+++ b/libsoup/soup-content-sniffer.c
20@@ -227,9 +227,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, SoupBuffer *buffer)
21 {
22 const char *resource = (const char *)buffer->data;
23 guint resource_length = MIN (512, buffer->length);
24- guint32 box_size = *((guint32*)resource);
25+ guint32 box_size;
26 guint i;
27
28+ if (resource_length < sizeof (guint32))
29+ return FALSE;
30+
31+ box_size = *((guint32*)resource);
32+
33 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
34 box_size = ((box_size >> 24) |
35 ((box_size << 8) & 0x00FF0000) |
36--
372.34.1
38
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
new file mode 100644
index 0000000000..c1dc6860f2
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
@@ -0,0 +1,32 @@
1From a7e711d0f162c6edc8acad2a96981d4890784ea3 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 12 May 2025 17:02:55 +0800
4Subject: [PATCH] auth-digest: Handle missing realm/nonce in authenticate
5 header
6
7CVE: CVE-2025-32910
8Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=e40df6d48a1cbab56f5d15016cc861a503423cfe]
9
10Signed-off-by: Changqing Li <changqing.li@windriver.com>
11---
12 libsoup/soup-auth-digest.c | 3 +++
13 1 files changed, 3 insertions(+)
14
15diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
16index e8ba990..0ab3499 100644
17--- a/libsoup/soup-auth-digest.c
18+++ b/libsoup/soup-auth-digest.c
19@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
20 guint qop_options;
21 gboolean ok = TRUE;
22
23+ if (!soup_auth_get_realm (auth))
24+ return FALSE;
25+
26 g_free (priv->domain);
27 g_free (priv->nonce);
28 g_free (priv->opaque);
29
30--
312.34.1
32
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
new file mode 100644
index 0000000000..019a35e3be
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
@@ -0,0 +1,94 @@
1From eccfca1074fc485a0b60dfb9c8385429a226bf73 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Fri, 16 May 2025 13:19:38 +0800
4Subject: [PATCH] auth-digest: Handle missing nonce
5
6CVE: CVE-2025-32910
7Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=405a8a34597a44bd58c4759e7d5e23f02c3b556a]
8
9Signed-off-by: Changqing Li <changqing.li@windriver.com>
10---
11 libsoup/soup-auth-digest.c | 45 ++++++++++++++++++++++++++++----------
12 1 files changed, 28 insertions(+), 10 deletions(-)
13
14diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
15index 0ab3499..10a8591 100644
16--- a/libsoup/soup-auth-digest.c
17+++ b/libsoup/soup-auth-digest.c
18@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
19 return g_string_free (out, FALSE);
20 }
21
22+static gboolean
23+validate_params (SoupAuthDigest *auth_digest)
24+{
25+ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
26+
27+ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
28+ if (!priv->nonce)
29+ return FALSE;
30+ }
31+
32+ return TRUE;
33+}
34+
35 static gboolean
36 soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
37 GHashTable *auth_params)
38@@ -169,17 +182,22 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
39 if (priv->algorithm == -1)
40 ok = FALSE;
41
42- stale = g_hash_table_lookup (auth_params, "stale");
43- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
44- recompute_hex_a1 (priv);
45- else {
46- g_free (priv->user);
47- priv->user = NULL;
48- g_free (priv->cnonce);
49- priv->cnonce = NULL;
50- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
51- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
52- }
53+ if (!validate_params (auth_digest))
54+ ok = FALSE;
55+
56+ if (ok) {
57+ stale = g_hash_table_lookup (auth_params, "stale");
58+ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
59+ recompute_hex_a1 (priv);
60+ else {
61+ g_free (priv->user);
62+ priv->user = NULL;
63+ g_free (priv->cnonce);
64+ priv->cnonce = NULL;
65+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
66+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
67+ }
68+ }
69
70 return ok;
71 }
72@@ -359,6 +377,8 @@ soup_auth_digest_compute_response (const char *method,
73 if (qop) {
74 char tmp[9];
75
76+ g_assert (cnonce);
77+
78 g_snprintf (tmp, 9, "%.8x", nc);
79 g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
80 g_checksum_update (checksum, (guchar *)":", 1);
81@@ -422,6 +442,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
82 g_return_val_if_fail (uri != NULL, NULL);
83 url = soup_uri_to_string (uri, TRUE);
84
85+ g_assert (priv->nonce);
86+ g_assert (!priv->qop || priv->cnonce);
87+
88 soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
89 priv->qop, priv->nonce,
90 priv->cnonce, priv->nc,
91
92--
932.34.1
94
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
new file mode 100644
index 0000000000..bdf4d64ca3
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
@@ -0,0 +1,28 @@
1From 74c95d54fe42041fe161cb74c76d942ffd37a5dd Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Fri, 16 May 2025 13:21:43 +0800
4Subject: [PATCH] auth-digest: Fix leak
5
6CVE: CVE-2025-32910
7Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=ea16eeacb052e423eb5c3b0b705e5eab34b13832]
8
9Signed-off-by: Changqing Li <changqing.li@windriver.com>
10---
11 libsoup/soup-auth-digest.c | 1 +
12 1 file changed, 1 insertion(+)
13
14diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
15index 10a8591..6d965d2 100644
16--- a/libsoup/soup-auth-digest.c
17+++ b/libsoup/soup-auth-digest.c
18@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
19 g_free (priv->nonce);
20 g_free (priv->domain);
21 g_free (priv->cnonce);
22+ g_free (priv->opaque);
23
24 memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
25 memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
26--
272.34.1
28
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch
new file mode 100644
index 0000000000..b3ce9d8bc3
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch
@@ -0,0 +1,32 @@
1From 0984dddb11daf14fdf5ca24077cd0ebda796439a Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Fri, 16 May 2025 13:25:32 +0800
4Subject: [PATCH] auth-digest: Handle missing nonce
5
6CVE: CVE-2025-32912
7Upstream-Status: Backport
8[https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992?merge_request_iid=434
9https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f]
10
11Signed-off-by: Changqing Li <changqing.li@windriver.com>
12---
13 libsoup/soup-auth-digest.c | 2 +-
14 1 files changed, 1 insertions(+), 1 deletion(-)
15
16diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
17index 6d965d2..f1621ec 100644
18--- a/libsoup/soup-auth-digest.c
19+++ b/libsoup/soup-auth-digest.c
20@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
21 guint qop_options;
22 gboolean ok = TRUE;
23
24- if (!soup_auth_get_realm (auth))
25+ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))
26 return FALSE;
27
28 g_free (priv->domain);
29
30--
312.34.1
32
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
new file mode 100644
index 0000000000..9f3bb21a25
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
@@ -0,0 +1,35 @@
1From ac844b9fc7945c38ea21fb7cf1a49a5c226d7c9c Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 12 May 2025 16:17:20 +0800
4Subject: [PATCH] Resolve "(CVE-2025-32914) (#YWH-PGM9867-23) OOB Read on
5 libsoup through function "soup_multipart_new_from_message" in
6 soup-multipart.c leads to crash or exit of process"
7
8CVE: CVE-2025-32914
9Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450/diffs?commit_id=5bfcf8157597f2d327050114fb37ff600004dbcf]
10
11Test code are not added since some functions not aligned with version
122.74.3
13
14Signed-off-by: Changqing Li <changqing.li@windriver.com>
15---
16 libsoup/soup-multipart.c | 2 +-
17 1 files changed, 1 insertions(+), 1 deletion(-)
18
19diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
20index a7e550f..dd93973 100644
21--- a/libsoup/soup-multipart.c
22+++ b/libsoup/soup-multipart.c
23@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
24 return NULL;
25 }
26
27- split = strstr (start, "\r\n\r\n");
28+ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
29 if (!split || split > end) {
30 soup_multipart_free (multipart);
31 soup_buffer_free (flattened);
32
33--
342.34.1
35
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch
new file mode 100644
index 0000000000..874f62e7ad
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch
@@ -0,0 +1,38 @@
1From 52a0f9234d384b9dab368835b22e5a5a01542168 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Fri, 16 May 2025 14:16:10 +0800
4Subject: [PATCH] auth-digest: fix crash in
5 soup_auth_digest_get_protection_space()
6
7We need to validate the Domain parameter in the WWW-Authenticate header.
8
9Unfortunately this crash only occurs when listening on default ports 80
10and 443, so there's no good way to test for this. The test would require
11running as root.
12
13Fixes #440
14
15CVE: CVE-2025-4476
16Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c?merge_request_iid=457]
17
18Signed-off-by: Changqing Li <changqing.li@windriver.com>
19---
20 libsoup/soup-auth-digest.c | 2 +-
21 1 file changed, 1 insertion(+), 1 deletion(-)
22
23diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
24index f1621ec..a2dc560 100644
25--- a/libsoup/soup-auth-digest.c
26+++ b/libsoup/soup-auth-digest.c
27@@ -229,7 +229,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, SoupURI *source_uri)
28 uri = soup_uri_new (d);
29 if (uri && uri->scheme == source_uri->scheme &&
30 uri->port == source_uri->port &&
31- !strcmp (uri->host, source_uri->host))
32+ !g_strcmp0 (uri->host, source_uri->host))
33 dir = g_strdup (uri->path);
34 else
35 dir = NULL;
36--
372.34.1
38
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch
new file mode 100644
index 0000000000..c970661694
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch
@@ -0,0 +1,61 @@
1From 81e03c538d6a102406114567f4f1c468033ce2e4 Mon Sep 17 00:00:00 2001
2From: Patrick Griffis <pgriffis@igalia.com>
3Date: Thu, 26 Dec 2024 18:31:42 -0600
4Subject: [PATCH] soup_header_parse_quality_list: Fix leak
5
6When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings.
7
8CVE: CVE-2025-46420
9Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/421/diffs?commit_id=c9083869ec2a3037e6df4bd86b45c419ba295f8e]
10
11 Signed-off-by: Changqing Li <changqing.li@windriver.com>
12---
13 libsoup/soup-headers.c | 11 +++++------
14 1 file changed, 5 insertions(+), 6 deletions(-)
15
16diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
17index 87bb3dc..9707ca0 100644
18--- a/libsoup/soup-headers.c
19+++ b/libsoup/soup-headers.c
20@@ -528,7 +528,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
21 GSList *unsorted;
22 QualityItem *array;
23 GSList *sorted, *iter;
24- char *item, *semi;
25+ char *semi;
26 const char *param, *equal, *value;
27 double qval;
28 int n;
29@@ -541,9 +541,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
30 unsorted = soup_header_parse_list (header);
31 array = g_new0 (QualityItem, g_slist_length (unsorted));
32 for (iter = unsorted, n = 0; iter; iter = iter->next) {
33- item = iter->data;
34 qval = 1.0;
35- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) {
36+ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) {
37 param = skip_lws (semi + 1);
38 if (*param != 'q')
39 continue;
40@@ -575,15 +574,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
41 if (qval == 0.0) {
42 if (unacceptable) {
43 *unacceptable = g_slist_prepend (*unacceptable,
44- item);
45+ g_steal_pointer (&iter->data));
46 }
47 } else {
48- array[n].item = item;
49+ array[n].item = g_steal_pointer (&iter->data);
50 array[n].qval = qval;
51 n++;
52 }
53 }
54- g_slist_free (unsorted);
55+ g_slist_free_full (unsorted, g_free);
56
57 qsort (array, n, sizeof (QualityItem), sort_by_qval);
58 sorted = NULL;
59--
602.34.1
61
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch
new file mode 100644
index 0000000000..3318093400
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch
@@ -0,0 +1,47 @@
1From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001
2From: Patrick Griffis <pgriffis@igalia.com>
3Date: Wed, 5 Feb 2025 16:18:10 -0600
4Subject: [PATCH] session: Strip authentication credentails on
5 cross-origin redirect
6
7This should match the behavior of Firefox and Safari but not of Chromium.
8
9CVE: CVE-2025-46421
10Upstream-Status: Backport
11[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]
12
13Test code not added since it included some headers not in version 2.74.3
14
15Signed-off-by: Changqing Li <changqing.li@windriver.com>
16---
17 libsoup/soup-session.c | 8 ++++-
18 2 files changed, 85 insertions(+), 1 deletion(-)
19
20diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
21index 83421ef..8d6ac61 100644
22--- a/libsoup/soup-session.c
23+++ b/libsoup/soup-session.c
24@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
25 SOUP_ENCODING_NONE);
26 }
27
28+ /* Strip all credentials on cross-origin redirect. */
29+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
30+ soup_message_headers_remove (msg->request_headers, "Authorization");
31+ soup_message_set_auth (msg, NULL);
32+ }
33+
34 soup_message_set_uri (msg, new_uri);
35 soup_uri_free (new_uri);
36
37 soup_session_requeue_message (session, msg);
38 return TRUE;
39-}
40+}
41
42 static void
43 redirect_handler (SoupMessage *msg, gpointer user_data)
44
45--
462.34.1
47
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch
new file mode 100644
index 0000000000..b15b8c763d
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch
@@ -0,0 +1,38 @@
1From dfdc9b3cc73e6fe88cc12792ba00e14642572339 Mon Sep 17 00:00:00 2001
2From: Milan Crha <mcrha@redhat.com>
3Date: Thu, 15 May 2025 17:49:11 +0200
4Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body
5
6It could happen that the boundary started at a place which resulted into
7a negative number, which in an unsigned integer is a very large value.
8Check the body size is not a negative value before setting it.
9
10Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
11
12Part-of: <https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463>
13
14CVE: CVE-2025-4948
15Upstream-Status: Backport
16[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/diffs?commit_id=f2f28afe0b3b2b3009ab67d6874457ec6bac70c0]
17
18Signed-off-by: Changqing Li <changqing.li@windriver.com>
19---
20 libsoup/soup-multipart.c | 2 +-
21 1 file changed, 1 insertion(+), 1 deletion(-)
22
23diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
24index dd93973..ce2fc10 100644
25--- a/libsoup/soup-multipart.c
26+++ b/libsoup/soup-multipart.c
27@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
28 */
29 part_body = soup_buffer_new_subbuffer (flattened,
30 split - flattened->data,
31- end - 2 - split);
32+ end - 2 >= split ? end - 2 - split : 0);
33 g_ptr_array_add (multipart->bodies, part_body);
34
35 start = end;
36--
372.34.1
38
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch
new file mode 100644
index 0000000000..7bc3e8da99
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch
@@ -0,0 +1,37 @@
1From a7d0c58608ed830bedfb6b92aea11e00feb55aa9 Mon Sep 17 00:00:00 2001
2From: Milan Crha <mcrha@redhat.com>
3Date: Mon, 19 May 2025 17:48:27 +0200
4Subject: [PATCH] soup-multipart: Verify array bounds before accessing its
5 members
6
7The boundary could be at a place which, calculated, pointed
8before the beginning of the array. Check the bounds, to avoid
9read out of the array bounds.
10
11Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
12
13CVE: CVE-2025-4969
14Upstream-Status: Backport
15[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467/diffs?commit_id=b5b4dd10d4810f0c87b4eaffe88504f06e502f33]
16
17Signed-off-by: Changqing Li <changqing.li@windriver.com>
18---
19 libsoup/soup-multipart.c | 2 +-
20 1 file changed, 1 insertion(+), 1 deletion(-)
21
22diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
23index ce2fc10..a29cdf0 100644
24--- a/libsoup/soup-multipart.c
25+++ b/libsoup/soup-multipart.c
26@@ -108,7 +108,7 @@ find_boundary (const char *start, const char *end,
27 continue;
28
29 /* Check that it's at start of line */
30- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r')))
31+ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r')))
32 continue;
33
34 /* Check for "--" or "\r\n" after boundary */
35--
362.34.1
37
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-07-06 12:52:54 +0000