5 files changed, 446 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52530.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52530.patch
new file mode 100644
index 0000000000..fb6d5c3c6f
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52530.patch
@@ -0,0 +1,150 @@
+From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Mon, 8 Jul 2024 12:33:15 -0500
+Subject: [PATCH] headers: Strictly don't allow NUL bytes
+In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
+CVE: CVE-2024-52530
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c      | 15 +++------
+ tests/header-parsing-test.c | 62 +++++++++++++++++--------------------
+ 2 files changed, 32 insertions(+), 45 deletions(-)
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index a0cf351ac..f30ee467a 100644
+--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
+@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
+         * ignorable trailing whitespace.
+         */
+ 
+       /* No '\0's are allowed */
+       if (memchr (str, '\0', len))
+               return FALSE;
+
+        /* Skip over the Request-Line / Status-Line */
+        headers_start = memchr (str, '\n', len);
+        if (!headers_start)
+                return FALSE;
+-       /* No '\0's in the Request-Line / Status-Line */
+-       if (memchr (str, '\0', headers_start - str))
+-               return FALSE;
+ 
+        /* We work on a copy of the headers, which we can write '\0's
+         * into, so that we don't have to individually g_strndup and
+@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
+        headers_copy[copy_len] = '\0';
+        value_end = headers_copy;
+ 
+-       /* There shouldn't be any '\0's in the headers already, but
+-        * this is the web we're talking about.
+-        */
+-       while ((p = memchr (headers_copy, '\0', copy_len))) {
+-               memmove (p, p + 1, copy_len - (p - headers_copy));
+-               copy_len--;
+-       }
+-
+        while (*(value_end + 1)) {
+                name = value_end + 1;
+                name_end = strchr (name, ':');
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index edf8eebb3..715c2c6f2 100644
+--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
+@@ -358,24 +358,6 @@ static struct RequestTest {
+          }
+        },
+ 
+-       { "NUL in header name", "760832",
+-         "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+-         SOUP_STATUS_OK,
+-         "GET", "/", SOUP_HTTP_1_1,
+-         { { "Host", "example.com" },
+-           { NULL }
+-         }
+-       },
+-
+-       { "NUL in header value", "760832",
+-         "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
+-         SOUP_STATUS_OK,
+-         "GET", "/", SOUP_HTTP_1_1,
+-         { { "Host", "examplecom" },
+-           { NULL }
+-         }
+-       },
+-
+        /************************/
+        /*** INVALID REQUESTS ***/
+        /************************/
+@@ -448,6 +430,21 @@ static struct RequestTest {
+          SOUP_STATUS_EXPECTATION_FAILED,
+          NULL, NULL, -1,
+          { { NULL } }
+       },
+
+       // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+       { "NUL in header name", NULL,
+         "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+         SOUP_STATUS_BAD_REQUEST,
+         NULL, NULL, -1,
+         { { NULL } }
+       },
+
+       { "NUL in header value", NULL,
+         "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+         SOUP_STATUS_BAD_REQUEST,
+           NULL, NULL, -1,
+         { { NULL } }
+        }
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+@@ -620,22 +617,6 @@ static struct ResponseTest {
+            { NULL } }
+        },
+ 
+-       { "NUL in header name", "760832",
+-         "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+-         SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
+-         { { "Foo", "bar" },
+-           { NULL }
+-         }
+-       },
+-
+-       { "NUL in header value", "760832",
+-         "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+-         SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
+-         { { "Foo", "bar" },
+-           { NULL }
+-         }
+-       },
+-
+        /********************************/
+        /*** VALID CONTINUE RESPONSES ***/
+        /********************************/
+@@ -768,6 +749,19 @@ static struct ResponseTest {
+          { { NULL }
+          }
+        },
+
+       // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+       { "NUL in header name", NULL,
+         "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+         -1, 0, NULL,
+         { { NULL } }
+       },
+
+       { "NUL in header value", "760832",
+         "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+         -1, 0, NULL,
+         { { NULL } }
+       },
+ };
+ static const int num_resptests = G_N_ELEMENTS (resptests);
+ 
+-- 
+GitLab
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch
new file mode 100644
index 0000000000..c8e855c128
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch
@@ -0,0 +1,116 @@
+From 4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 27 Aug 2024 12:18:58 -0500
+Subject: [PATCH] fuzzing: Cover soup_header_parse_param_list
+CVE: CVE-2024-52531
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ fuzzing/fuzz.h                   |  9 +++++++--
+ fuzzing/fuzz_header_parsing.c    | 19 +++++++++++++++++++
+ fuzzing/fuzz_header_parsing.dict |  8 ++++++++
+ fuzzing/meson.build              |  2 ++
+ 4 files changed, 36 insertions(+), 2 deletions(-)
+ create mode 100644 fuzzing/fuzz_header_parsing.c
+ create mode 100644 fuzzing/fuzz_header_parsing.dict
+diff --git a/fuzzing/fuzz.h b/fuzzing/fuzz.h
+index 0d380285..f3bd28ee 100644
+--- a/fuzzing/fuzz.h
+++ b/fuzzing/fuzz.h
+@@ -1,13 +1,14 @@
+ #include "libsoup/soup.h"
+ 
+ int LLVMFuzzerTestOneInput (const unsigned char *data, size_t size);
+static int set_logger = 0;
+ 
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ static GLogWriterOutput
+ empty_logging_func (GLogLevelFlags log_level, const GLogField *fields,
+                     gsize n_fields, gpointer user_data)
+ {
+-  return G_LOG_WRITER_HANDLED;
+        return G_LOG_WRITER_HANDLED;
+ }
+ #endif
+ 
+@@ -16,6 +17,10 @@ static void
+ fuzz_set_logging_func (void)
+ {
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+-  g_log_set_writer_func (empty_logging_func, NULL, NULL);
+        if (!set_logger)
+        {
+                set_logger = 1;
+                g_log_set_writer_func (empty_logging_func, NULL, NULL);
+        }
+ #endif
+ }
+diff --git a/fuzzing/fuzz_header_parsing.c b/fuzzing/fuzz_header_parsing.c
+new file mode 100644
+index 00000000..a8e5c1f9
+--- /dev/null
+++ b/fuzzing/fuzz_header_parsing.c
+@@ -0,0 +1,19 @@
+#include "fuzz.h"
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+        GHashTable *elements;
+
+        // We only accept NUL terminated strings
+        if (!size || data[size - 1] != '\0')
+                return 0;
+
+        fuzz_set_logging_func ();
+
+        elements = soup_header_parse_param_list((char*)data);
+
+        g_hash_table_unref(elements);
+
+        return 0;
+}
+\ No newline at end of file
+diff --git a/fuzzing/fuzz_header_parsing.dict b/fuzzing/fuzz_header_parsing.dict
+new file mode 100644
+index 00000000..1562ca3a
+--- /dev/null
+++ b/fuzzing/fuzz_header_parsing.dict
+@@ -0,0 +1,8 @@
+"*=UTF-8''"
+"*=iso-8859-1''"
+"'"
+"''"
+"="
+"*="
+"""
+";"
+\ No newline at end of file
+diff --git a/fuzzing/meson.build b/fuzzing/meson.build
+index b14cbb50..5dd0f417 100644
+--- a/fuzzing/meson.build
+++ b/fuzzing/meson.build
+@@ -5,6 +5,7 @@ fuzz_targets = [
+   'fuzz_cookie_parse',
+   'fuzz_content_sniffer',
+   'fuzz_date_time',
+  'fuzz_header_parsing',
+ ]
+ 
+ fuzzing_args = '-fsanitize=fuzzer,address,undefined'
+@@ -34,6 +35,7 @@ if have_fuzzing and (fuzzing_feature.enabled() or fuzzing_feature.auto())
+         '-runs=200000',
+         '-artifact_prefix=meson-logs/' + target + '-',
+         '-print_final_stats=1',
+        '-max_len=4096',
+       ] + extra_args,
+       env: [
+         'ASAN_OPTIONS=fast_unwind_on_malloc=0',
+-- 
+2.25.1
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-2.patch
new file mode 100644
index 0000000000..7e0d81ba4c
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-2.patch
@@ -0,0 +1,40 @@
+From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 27 Aug 2024 13:52:08 -0500
+Subject: [PATCH] tests: Add test for passing invalid UTF-8 to
+ soup_header_parse_semi_param_list()
+CVE: CVE-2024-52531
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=825fda3425546847b42ad5270544e9388ff349fe]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tests/header-parsing-test.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 715c2c6f..5e423d2b 100644
+--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
+@@ -825,6 +825,17 @@ static struct ParamListTest {
+            { "filename", "t\xC3\xA9st.txt" },
+          },
+        },
+
+        /* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */
+        { TRUE,
+              "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
+              {
+                    { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+                    { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+                    { "foo", NULL },
+
+                },
+        }
+ };
+ static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-3.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-3.patch
new file mode 100644
index 0000000000..a47c8747c5
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-3.patch
@@ -0,0 +1,136 @@
+From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 27 Aug 2024 13:53:26 -0500
+Subject: [PATCH] headers: Be more robust against invalid input when parsing
+ params
+If you pass invalid input to a function such as soup_header_parse_param_list_strict()
+it can cause an overflow if it decodes the input to UTF-8.
+This should never happen with valid UTF-8 input which libsoup's client API
+ensures, however it's server API does not currently.
+CVE: CVE-2024-52531
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c | 46 ++++++++++++++++++++++--------------------
+ 1 file changed, 24 insertions(+), 22 deletions(-)
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index f30ee467..613e1905 100644
+--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
+@@ -646,8 +646,9 @@ soup_header_contains (const char *header, const char *token)
+ }
+ 
+ static void
+-decode_quoted_string (char *quoted_string)
+decode_quoted_string_inplace (GString *quoted_gstring)
+ {
+       char *quoted_string = quoted_gstring->str;
+        char *src, *dst;
+ 
+        src = quoted_string + 1;
+@@ -661,10 +662,11 @@ decode_quoted_string (char *quoted_string)
+ }
+ 
+ static gboolean
+-decode_rfc5987 (char *encoded_string)
+decode_rfc5987_inplace (GString *encoded_gstring)
+ {
+        char *q, *decoded;
+        gboolean iso_8859_1 = FALSE;
+       const char *encoded_string = encoded_gstring->str;
+ 
+        q = strchr (encoded_string, '\'');
+        if (!q)
+@@ -696,14 +698,7 @@ decode_rfc5987 (char *encoded_string)
+                decoded = utf8;
+        }
+ 
+-       /* If encoded_string was UTF-8, then each 3-character %-escape
+-        * will be converted to a single byte, and so decoded is
+-        * shorter than encoded_string. If encoded_string was
+-        * iso-8859-1, then each 3-character %-escape will be
+-        * converted into at most 2 bytes in UTF-8, and so it's still
+-        * shorter.
+-        */
+-       strcpy (encoded_string, decoded);
+       g_string_assign (encoded_gstring, decoded);
+        g_free (decoded);
+        return TRUE;
+ }
+@@ -713,15 +708,17 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ {
+        GHashTable *params;
+        GSList *list, *iter;
+-       char *item, *eq, *name_end, *value;
+-       gboolean override, duplicated;
+ 
+        params = g_hash_table_new_full (soup_str_case_hash, 
+                                        soup_str_case_equal,
+-                                       g_free, NULL);
+                                       g_free, g_free);
+ 
+        list = parse_list (header, delim);
+        for (iter = list; iter; iter = iter->next) {
+               char *item, *eq, *name_end;
+               gboolean override, duplicated;
+               GString *parsed_value = NULL;
+
+                item = iter->data;
+                override = FALSE;
+ 
+@@ -736,19 +733,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ 
+                        *name_end = '\0';
+ 
+-                       value = (char *)skip_lws (eq + 1);
+                       parsed_value = g_string_new ((char *)skip_lws (eq + 1));
+ 
+                        if (name_end[-1] == '*' && name_end > item + 1) {
+                                name_end[-1] = '\0';
+-                               if (!decode_rfc5987 (value)) {
+                               if (!decode_rfc5987_inplace (parsed_value)) {
+                                       g_string_free (parsed_value, TRUE);
+                                        g_free (item);
+                                        continue;
+                                }
+                                override = TRUE;
+-                       } else if (*value == '"')
+-                               decode_quoted_string (value);
+-               } else
+-                       value = NULL;
+                       } else if (parsed_value->str[0] == '"')
+                               decode_quoted_string_inplace (parsed_value);
+               }
+ 
+                duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
+ 
+@@ -756,11 +753,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
+                        soup_header_free_param_list (params);
+                        params = NULL;
+                        g_slist_foreach (iter, (GFunc)g_free, NULL);
+                       if (parsed_value)
+                               g_string_free (parsed_value, TRUE);
+                        break;
+-               } else if (override || !duplicated)
+-                       g_hash_table_replace (params, item, value);
+-               else
+               } else if (override || !duplicated) {
+                       g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
+               } else {
+                       if (parsed_value)
+                               g_string_free (parsed_value, TRUE);
+                        g_free (item);
+               }
+        }
+ 
+        g_slist_free (list);
+-- 
+2.25.1
diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
index 0e66715589..b2e32b892a 100644
--- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -14,6 +14,10 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2024-52532-0001.patch \
           file://CVE-2024-52532-0002.patch \
+           file://CVE-2024-52530.patch \
+           file://CVE-2024-52531-1.patch \
+           file://CVE-2024-52531-2.patch \
+           file://CVE-2024-52531-3.patch \
          "
 SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"

diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52530.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52530.patch new file mode 100644 index 0000000000..fb6d5c3c6f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52530.patch
@@ -0,0 +1,150 @@
		1	From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Mon, 8 Jul 2024 12:33:15 -0500
		4	Subject: [PATCH] headers: Strictly don't allow NUL bytes
		5
		6	In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
		7
		8	CVE: CVE-2024-52530
		9	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b]
		10
		11	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		12	---
		13	libsoup/soup-headers.c \| 15 +++------
		14	tests/header-parsing-test.c \| 62 +++++++++++++++++--------------------
		15	2 files changed, 32 insertions(+), 45 deletions(-)
		16
		17	diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
		18	index a0cf351ac..f30ee467a 100644
		19	--- a/libsoup/soup-headers.c
		20	+++ b/libsoup/soup-headers.c
		21	@@ -51,13 +51,14 @@ soup_headers_parse (const char str, int len, SoupMessageHeaders dest)
		22	* ignorable trailing whitespace.
		23	*/
		24
		25	+ /* No '\0's are allowed */
		26	+ if (memchr (str, '\0', len))
		27	+ return FALSE;
		28	+
		29	/* Skip over the Request-Line / Status-Line */
		30	headers_start = memchr (str, '\n', len);
		31	if (!headers_start)
		32	return FALSE;
		33	- /* No '\0's in the Request-Line / Status-Line */
		34	- if (memchr (str, '\0', headers_start - str))
		35	- return FALSE;
		36
		37	/* We work on a copy of the headers, which we can write '\0's
		38	* into, so that we don't have to individually g_strndup and
		39	@@ -69,14 +70,6 @@ soup_headers_parse (const char str, int len, SoupMessageHeaders dest)
		40	headers_copy[copy_len] = '\0';
		41	value_end = headers_copy;
		42
		43	- /* There shouldn't be any '\0's in the headers already, but
		44	- * this is the web we're talking about.
		45	- */
		46	- while ((p = memchr (headers_copy, '\0', copy_len))) {
		47	- memmove (p, p + 1, copy_len - (p - headers_copy));
		48	- copy_len--;
		49	- }
		50	-
		51	while (*(value_end + 1)) {
		52	name = value_end + 1;
		53	name_end = strchr (name, ':');
		54	diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
		55	index edf8eebb3..715c2c6f2 100644
		56	--- a/tests/header-parsing-test.c
		57	+++ b/tests/header-parsing-test.c
		58	@@ -358,24 +358,6 @@ static struct RequestTest {
		59	}
		60	},
		61
		62	- { "NUL in header name", "760832",
		63	- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
		64	- SOUP_STATUS_OK,
		65	- "GET", "/", SOUP_HTTP_1_1,
		66	- { { "Host", "example.com" },
		67	- { NULL }
		68	- }
		69	- },
		70	-
		71	- { "NUL in header value", "760832",
		72	- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
		73	- SOUP_STATUS_OK,
		74	- "GET", "/", SOUP_HTTP_1_1,
		75	- { { "Host", "examplecom" },
		76	- { NULL }
		77	- }
		78	- },
		79	-
		80	/************************/
		81	/* INVALID REQUESTS */
		82	/************************/
		83	@@ -448,6 +430,21 @@ static struct RequestTest {
		84	SOUP_STATUS_EXPECTATION_FAILED,
		85	NULL, NULL, -1,
		86	{ { NULL } }
		87	+ },
		88	+
		89	+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
		90	+ { "NUL in header name", NULL,
		91	+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
		92	+ SOUP_STATUS_BAD_REQUEST,
		93	+ NULL, NULL, -1,
		94	+ { { NULL } }
		95	+ },
		96	+
		97	+ { "NUL in header value", NULL,
		98	+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
		99	+ SOUP_STATUS_BAD_REQUEST,
		100	+ NULL, NULL, -1,
		101	+ { { NULL } }
		102	}
		103	};
		104	static const int num_reqtests = G_N_ELEMENTS (reqtests);
		105	@@ -620,22 +617,6 @@ static struct ResponseTest {
		106	{ NULL } }
		107	},
		108
		109	- { "NUL in header name", "760832",
		110	- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
		111	- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
		112	- { { "Foo", "bar" },
		113	- { NULL }
		114	- }
		115	- },
		116	-
		117	- { "NUL in header value", "760832",
		118	- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
		119	- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
		120	- { { "Foo", "bar" },
		121	- { NULL }
		122	- }
		123	- },
		124	-
		125	/********************************/
		126	/* VALID CONTINUE RESPONSES */
		127	/********************************/
		128	@@ -768,6 +749,19 @@ static struct ResponseTest {
		129	{ { NULL }
		130	}
		131	},
		132	+
		133	+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
		134	+ { "NUL in header name", NULL,
		135	+ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
		136	+ -1, 0, NULL,
		137	+ { { NULL } }
		138	+ },
		139	+
		140	+ { "NUL in header value", "760832",
		141	+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
		142	+ -1, 0, NULL,
		143	+ { { NULL } }
		144	+ },
		145	};
		146	static const int num_resptests = G_N_ELEMENTS (resptests);
		147
		148	--
		149	GitLab
		150


diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch new file mode 100644 index 0000000000..c8e855c128 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch
@@ -0,0 +1,116 @@
		1	From 4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Tue, 27 Aug 2024 12:18:58 -0500
		4	Subject: [PATCH] fuzzing: Cover soup_header_parse_param_list
		5
		6	CVE: CVE-2024-52531
		7	Upstream-Status: Backport
		8	[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede]
		9
		10	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		11
		12	---
		13	fuzzing/fuzz.h \| 9 +++++++--
		14	fuzzing/fuzz_header_parsing.c \| 19 +++++++++++++++++++
		15	fuzzing/fuzz_header_parsing.dict \| 8 ++++++++
		16	fuzzing/meson.build \| 2 ++
		17	4 files changed, 36 insertions(+), 2 deletions(-)
		18	create mode 100644 fuzzing/fuzz_header_parsing.c
		19	create mode 100644 fuzzing/fuzz_header_parsing.dict
		20
		21	diff --git a/fuzzing/fuzz.h b/fuzzing/fuzz.h
		22	index 0d380285..f3bd28ee 100644
		23	--- a/fuzzing/fuzz.h
		24	+++ b/fuzzing/fuzz.h
		25	@@ -1,13 +1,14 @@
		26	#include "libsoup/soup.h"
		27
		28	int LLVMFuzzerTestOneInput (const unsigned char *data, size_t size);
		29	+static int set_logger = 0;
		30
		31	#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
		32	static GLogWriterOutput
		33	empty_logging_func (GLogLevelFlags log_level, const GLogField *fields,
		34	gsize n_fields, gpointer user_data)
		35	{
		36	- return G_LOG_WRITER_HANDLED;
		37	+ return G_LOG_WRITER_HANDLED;
		38	}
		39	#endif
		40
		41	@@ -16,6 +17,10 @@ static void
		42	fuzz_set_logging_func (void)
		43	{
		44	#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
		45	- g_log_set_writer_func (empty_logging_func, NULL, NULL);
		46	+ if (!set_logger)
		47	+ {
		48	+ set_logger = 1;
		49	+ g_log_set_writer_func (empty_logging_func, NULL, NULL);
		50	+ }
		51	#endif
		52	}
		53	diff --git a/fuzzing/fuzz_header_parsing.c b/fuzzing/fuzz_header_parsing.c
		54	new file mode 100644
		55	index 00000000..a8e5c1f9
		56	--- /dev/null
		57	+++ b/fuzzing/fuzz_header_parsing.c
		58	@@ -0,0 +1,19 @@
		59	+#include "fuzz.h"
		60	+
		61	+int
		62	+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
		63	+{
		64	+ GHashTable *elements;
		65	+
		66	+ // We only accept NUL terminated strings
		67	+ if (!size \|\| data[size - 1] != '\0')
		68	+ return 0;
		69	+
		70	+ fuzz_set_logging_func ();
		71	+
		72	+ elements = soup_header_parse_param_list((char*)data);
		73	+
		74	+ g_hash_table_unref(elements);
		75	+
		76	+ return 0;
		77	+}
		78	\ No newline at end of file
		79	diff --git a/fuzzing/fuzz_header_parsing.dict b/fuzzing/fuzz_header_parsing.dict
		80	new file mode 100644
		81	index 00000000..1562ca3a
		82	--- /dev/null
		83	+++ b/fuzzing/fuzz_header_parsing.dict
		84	@@ -0,0 +1,8 @@
		85	+"*=UTF-8''"
		86	+"*=iso-8859-1''"
		87	+"'"
		88	+"''"
		89	+"="
		90	+"*="
		91	+"""
		92	+";"
		93	\ No newline at end of file
		94	diff --git a/fuzzing/meson.build b/fuzzing/meson.build
		95	index b14cbb50..5dd0f417 100644
		96	--- a/fuzzing/meson.build
		97	+++ b/fuzzing/meson.build
		98	@@ -5,6 +5,7 @@ fuzz_targets = [
		99	'fuzz_cookie_parse',
		100	'fuzz_content_sniffer',
		101	'fuzz_date_time',
		102	+ 'fuzz_header_parsing',
		103	]
		104
		105	fuzzing_args = '-fsanitize=fuzzer,address,undefined'
		106	@@ -34,6 +35,7 @@ if have_fuzzing and (fuzzing_feature.enabled() or fuzzing_feature.auto())
		107	'-runs=200000',
		108	'-artifact_prefix=meson-logs/' + target + '-',
		109	'-print_final_stats=1',
		110	+ '-max_len=4096',
		111	] + extra_args,
		112	env: [
		113	'ASAN_OPTIONS=fast_unwind_on_malloc=0',
		114	--
		115	2.25.1
		116


diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-2.patch new file mode 100644 index 0000000000..7e0d81ba4c --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-2.patch
@@ -0,0 +1,40 @@
		1	From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Tue, 27 Aug 2024 13:52:08 -0500
		4	Subject: [PATCH] tests: Add test for passing invalid UTF-8 to
		5	soup_header_parse_semi_param_list()
		6
		7	CVE: CVE-2024-52531
		8	Upstream-Status: Backport
		9	[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=825fda3425546847b42ad5270544e9388ff349fe]
		10
		11	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		12	---
		13	tests/header-parsing-test.c \| 11 +++++++++++
		14	1 file changed, 11 insertions(+)
		15
		16	diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
		17	index 715c2c6f..5e423d2b 100644
		18	--- a/tests/header-parsing-test.c
		19	+++ b/tests/header-parsing-test.c
		20	@@ -825,6 +825,17 @@ static struct ParamListTest {
		21	{ "filename", "t\xC3\xA9st.txt" },
		22	},
		23	},
		24	+
		25	+ /* This tests invalid UTF-8 data which should never be passed here but it was designed to be robust against it. */
		26	+ { TRUE,
		27	+ "invalid=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
		28	+ {
		29	+ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
		30	+ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
		31	+ { "foo", NULL },
		32	+
		33	+ },
		34	+ }
		35	};
		36	static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
		37
		38	--
		39	2.25.1
		40


diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-3.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-3.patch new file mode 100644 index 0000000000..a47c8747c5 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-3.patch
@@ -0,0 +1,136 @@
		1	From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Tue, 27 Aug 2024 13:53:26 -0500
		4	Subject: [PATCH] headers: Be more robust against invalid input when parsing
		5	params
		6
		7	If you pass invalid input to a function such as soup_header_parse_param_list_strict()
		8	it can cause an overflow if it decodes the input to UTF-8.
		9
		10	This should never happen with valid UTF-8 input which libsoup's client API
		11	ensures, however it's server API does not currently.
		12
		13	CVE: CVE-2024-52531
		14	Upstream-Status: Backport
		15	[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]
		16
		17	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		18
		19	---
		20	libsoup/soup-headers.c \| 46 ++++++++++++++++++++++--------------------
		21	1 file changed, 24 insertions(+), 22 deletions(-)
		22
		23	diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
		24	index f30ee467..613e1905 100644
		25	--- a/libsoup/soup-headers.c
		26	+++ b/libsoup/soup-headers.c
		27	@@ -646,8 +646,9 @@ soup_header_contains (const char header, const char token)
		28	}
		29
		30	static void
		31	-decode_quoted_string (char *quoted_string)
		32	+decode_quoted_string_inplace (GString *quoted_gstring)
		33	{
		34	+ char *quoted_string = quoted_gstring->str;
		35	char src, dst;
		36
		37	src = quoted_string + 1;
		38	@@ -661,10 +662,11 @@ decode_quoted_string (char *quoted_string)
		39	}
		40
		41	static gboolean
		42	-decode_rfc5987 (char *encoded_string)
		43	+decode_rfc5987_inplace (GString *encoded_gstring)
		44	{
		45	char q, decoded;
		46	gboolean iso_8859_1 = FALSE;
		47	+ const char *encoded_string = encoded_gstring->str;
		48
		49	q = strchr (encoded_string, '\'');
		50	if (!q)
		51	@@ -696,14 +698,7 @@ decode_rfc5987 (char *encoded_string)
		52	decoded = utf8;
		53	}
		54
		55	- /* If encoded_string was UTF-8, then each 3-character %-escape
		56	- * will be converted to a single byte, and so decoded is
		57	- * shorter than encoded_string. If encoded_string was
		58	- * iso-8859-1, then each 3-character %-escape will be
		59	- * converted into at most 2 bytes in UTF-8, and so it's still
		60	- * shorter.
		61	- */
		62	- strcpy (encoded_string, decoded);
		63	+ g_string_assign (encoded_gstring, decoded);
		64	g_free (decoded);
		65	return TRUE;
		66	}
		67	@@ -713,15 +708,17 @@ parse_param_list (const char *header, char delim, gboolean strict)
		68	{
		69	GHashTable *params;
		70	GSList list, iter;
		71	- char item, eq, name_end, value;
		72	- gboolean override, duplicated;
		73
		74	params = g_hash_table_new_full (soup_str_case_hash,
		75	soup_str_case_equal,
		76	- g_free, NULL);
		77	+ g_free, g_free);
		78
		79	list = parse_list (header, delim);
		80	for (iter = list; iter; iter = iter->next) {
		81	+ char item, eq, *name_end;
		82	+ gboolean override, duplicated;
		83	+ GString *parsed_value = NULL;
		84	+
		85	item = iter->data;
		86	override = FALSE;
		87
		88	@@ -736,19 +733,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
		89
		90	*name_end = '\0';
		91
		92	- value = (char *)skip_lws (eq + 1);
		93	+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
		94
		95	if (name_end[-1] == '*' && name_end > item + 1) {
		96	name_end[-1] = '\0';
		97	- if (!decode_rfc5987 (value)) {
		98	+ if (!decode_rfc5987_inplace (parsed_value)) {
		99	+ g_string_free (parsed_value, TRUE);
		100	g_free (item);
		101	continue;
		102	}
		103	override = TRUE;
		104	- } else if (*value == '"')
		105	- decode_quoted_string (value);
		106	- } else
		107	- value = NULL;
		108	+ } else if (parsed_value->str[0] == '"')
		109	+ decode_quoted_string_inplace (parsed_value);
		110	+ }
		111
		112	duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
		113
		114	@@ -756,11 +753,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
		115	soup_header_free_param_list (params);
		116	params = NULL;
		117	g_slist_foreach (iter, (GFunc)g_free, NULL);
		118	+ if (parsed_value)
		119	+ g_string_free (parsed_value, TRUE);
		120	break;
		121	- } else if (override \|\| !duplicated)
		122	- g_hash_table_replace (params, item, value);
		123	- else
		124	+ } else if (override \|\| !duplicated) {
		125	+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
		126	+ } else {
		127	+ if (parsed_value)
		128	+ g_string_free (parsed_value, TRUE);
		129	g_free (item);
		130	+ }
		131	}
		132
		133	g_slist_free (list);
		134	--
		135	2.25.1
		136


diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 0e66715589..b2e32b892a 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -14,6 +14,10 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
14	SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \	14	SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
15	file://CVE-2024-52532-0001.patch \	15	file://CVE-2024-52532-0001.patch \
16	file://CVE-2024-52532-0002.patch \	16	file://CVE-2024-52532-0002.patch \
		17	file://CVE-2024-52530.patch \
		18	file://CVE-2024-52531-1.patch \
		19	file://CVE-2024-52531-2.patch \
		20	file://CVE-2024-52531-3.patch \
17	"	21	"
18	SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"	22	SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
19		23