libsoup-2.4: Fix CVE-2025-32906

Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f (From OE-Core rev: 2b938dd6beb1badca59804ffbe395deb679bc1b1) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-05-13 14:33:39 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-05-16 08:58:06 -0700
commit: 6b27d84c2c5d6fa6a4a71d9e7f3d25f32bc5ceec (patch)
tree: d0f542d9090f9899ae065625335c18c2c09c2f03
parent: 02c2876c5e55494f605f4911928343830b7c2fef (diff)
download: poky-6b27d84c2c5d6fa6a4a71d9e7f3d25f32bc5ceec.tar.gz
3 files changed, 146 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
new file mode 100644
index 0000000000..916a41a71f
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
@@ -0,0 +1,61 @@
+From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 11 Feb 2025 14:36:26 -0600
+Subject: [PATCH] headers: Handle parsing edge case
+This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931]
+CVE: CVE-2025-32906 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c      |  2 +-
+ tests/header-parsing-test.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 85385cea..9d6d00a3 100644
+--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
+@@ -225,7 +225,7 @@ soup_headers_parse_request (const char          *str,
+            !g_ascii_isdigit (version[5]))
+                return SOUP_STATUS_BAD_REQUEST;
+        major_version = strtoul (version + 5, &p, 10);
+-       if (*p != '.' || !g_ascii_isdigit (p[1]))
+       if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
+                return SOUP_STATUS_BAD_REQUEST;
+        minor_version = strtoul (p + 1, &p, 10);
+        version_end = p;
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 07ea2866..10ddb684 100644
+--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
+@@ -6,6 +6,10 @@ typedef struct {
+        const char *name, *value;
+ } Header;
+ 
+static char unterminated_http_version[] = {
+        'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
+};
+
+ static struct RequestTest {
+        const char *description;
+        const char *bugref;
+@@ -383,6 +387,14 @@ static struct RequestTest {
+          { { NULL } }
+        },
+ 
+        /* This couldn't be a C string as going one byte over would have been safe. */
+       { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+         unterminated_http_version, sizeof (unterminated_http_version),
+         SOUP_STATUS_BAD_REQUEST,
+           NULL, NULL, -1,
+         { { NULL } }
+       },
+
+        { "Non-HTTP request", NULL,
+          "GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
+          SOUP_STATUS_BAD_REQUEST,
+-- 
+GitLab
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
new file mode 100644
index 0000000000..5baad15648
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
@@ -0,0 +1,83 @@
+From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 12 Feb 2025 11:30:02 -0600
+Subject: [PATCH] headers: Handle parsing only newlines
+Closes #404
+Closes #407
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f]
+CVE: CVE-2025-32906
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c      |  4 ++--
+ tests/header-parsing-test.c | 13 ++++++++++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 9d6d00a3..52ef2ece 100644
+--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
+@@ -186,7 +186,7 @@ soup_headers_parse_request (const char          *str,
+        /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
+         * received where a Request-Line is expected."
+         */
+-       while ((*str == '\r' || *str == '\n') && len > 0) {
+       while (len > 0 && (*str == '\r' || *str == '\n')) {
+                str++;
+                len--;
+        }
+@@ -371,7 +371,7 @@ soup_headers_parse_response (const char          *str,
+         * after a response, which we then see prepended to the next
+         * response on that connection.
+         */
+-       while ((*str == '\r' || *str == '\n') && len > 0) {
+       while (len > 0 && (*str == '\r' || *str == '\n')) {
+                str++;
+                len--;
+        }
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 10ddb684..4faafbd6 100644
+--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
+@@ -6,10 +6,15 @@ typedef struct {
+        const char *name, *value;
+ } Header;
+ 
+/* These are not C strings to ensure going one byte over is not safe. */
+ static char unterminated_http_version[] = {
+         'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
+ };
+ 
+static char only_newlines[] = {
+        '\n', '\n', '\n', '\n'
+};
+
+ static struct RequestTest {
+        const char *description;
+        const char *bugref;
+@@ -387,7 +392,6 @@ static struct RequestTest {
+          { { NULL } }
+        },
+ 
+-        /* This couldn't be a C string as going one byte over would have been safe. */
+        { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+          unterminated_http_version, sizeof (unterminated_http_version),
+          SOUP_STATUS_BAD_REQUEST,
+@@ -457,6 +461,13 @@ static struct RequestTest {
+          SOUP_STATUS_BAD_REQUEST,
+            NULL, NULL, -1,
+          { { NULL } }
+       },
+
+       { "Only newlines", NULL,
+         only_newlines, sizeof (only_newlines),
+         SOUP_STATUS_BAD_REQUEST,
+           NULL, NULL, -1,
+         { { NULL } }
+        }
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+-- 
+GitLab
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index b299fcf6de..f409816fc2 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -19,6 +19,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2024-52532-3.patch \
           file://CVE-2024-52531-1.patch \
           file://CVE-2024-52531-2.patch \
+           file://CVE-2025-32906-1.patch \
+           file://CVE-2025-32906-2.patch \
          "
 SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-05-13 14:33:39 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-05-16 08:58:06 -0700
commit	6b27d84c2c5d6fa6a4a71d9e7f3d25f32bc5ceec (patch)
tree	d0f542d9090f9899ae065625335c18c2c09c2f03
parent	02c2876c5e55494f605f4911928343830b7c2fef (diff)
download	poky-6b27d84c2c5d6fa6a4a71d9e7f3d25f32bc5ceec.tar.gz

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch new file mode 100644 index 0000000000..916a41a71f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
@@ -0,0 +1,61 @@
		1	From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Tue, 11 Feb 2025 14:36:26 -0600
		4	Subject: [PATCH] headers: Handle parsing edge case
		5
		6	This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
		7
		8	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931]
		9	CVE: CVE-2025-32906 #Dependency Patch
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	libsoup/soup-headers.c \| 2 +-
		13	tests/header-parsing-test.c \| 12 ++++++++++++
		14	2 files changed, 13 insertions(+), 1 deletion(-)
		15
		16	diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
		17	index 85385cea..9d6d00a3 100644
		18	--- a/libsoup/soup-headers.c
		19	+++ b/libsoup/soup-headers.c
		20	@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str,
		21	!g_ascii_isdigit (version[5]))
		22	return SOUP_STATUS_BAD_REQUEST;
		23	major_version = strtoul (version + 5, &p, 10);
		24	- if (*p != '.' \|\| !g_ascii_isdigit (p[1]))
		25	+ if (p + 1 >= str + len \|\| *p != '.' \|\| !g_ascii_isdigit (p[1]))
		26	return SOUP_STATUS_BAD_REQUEST;
		27	minor_version = strtoul (p + 1, &p, 10);
		28	version_end = p;
		29	diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
		30	index 07ea2866..10ddb684 100644
		31	--- a/tests/header-parsing-test.c
		32	+++ b/tests/header-parsing-test.c
		33	@@ -6,6 +6,10 @@ typedef struct {
		34	const char name, value;
		35	} Header;
		36
		37	+static char unterminated_http_version[] = {
		38	+ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
		39	+};
		40	+
		41	static struct RequestTest {
		42	const char *description;
		43	const char *bugref;
		44	@@ -383,6 +387,14 @@ static struct RequestTest {
		45	{ { NULL } }
		46	},
		47
		48	+ /* This couldn't be a C string as going one byte over would have been safe. */
		49	+ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
		50	+ unterminated_http_version, sizeof (unterminated_http_version),
		51	+ SOUP_STATUS_BAD_REQUEST,
		52	+ NULL, NULL, -1,
		53	+ { { NULL } }
		54	+ },
		55	+
		56	{ "Non-HTTP request", NULL,
		57	"GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
		58	SOUP_STATUS_BAD_REQUEST,
		59	--
		60	GitLab
		61


diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch new file mode 100644 index 0000000000..5baad15648 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
@@ -0,0 +1,83 @@
		1	From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Wed, 12 Feb 2025 11:30:02 -0600
		4	Subject: [PATCH] headers: Handle parsing only newlines
		5
		6	Closes #404
		7	Closes #407
		8
		9	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f]
		10	CVE: CVE-2025-32906
		11	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		12	---
		13	libsoup/soup-headers.c \| 4 ++--
		14	tests/header-parsing-test.c \| 13 ++++++++++++-
		15	2 files changed, 14 insertions(+), 3 deletions(-)
		16
		17	diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
		18	index 9d6d00a3..52ef2ece 100644
		19	--- a/libsoup/soup-headers.c
		20	+++ b/libsoup/soup-headers.c
		21	@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str,
		22	/* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
		23	* received where a Request-Line is expected."
		24	*/
		25	- while ((str == '\r' \|\| str == '\n') && len > 0) {
		26	+ while (len > 0 && (str == '\r' \|\| str == '\n')) {
		27	str++;
		28	len--;
		29	}
		30	@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str,
		31	* after a response, which we then see prepended to the next
		32	* response on that connection.
		33	*/
		34	- while ((str == '\r' \|\| str == '\n') && len > 0) {
		35	+ while (len > 0 && (str == '\r' \|\| str == '\n')) {
		36	str++;
		37	len--;
		38	}
		39	diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
		40	index 10ddb684..4faafbd6 100644
		41	--- a/tests/header-parsing-test.c
		42	+++ b/tests/header-parsing-test.c
		43	@@ -6,10 +6,15 @@ typedef struct {
		44	const char name, value;
		45	} Header;
		46
		47	+/* These are not C strings to ensure going one byte over is not safe. */
		48	static char unterminated_http_version[] = {
		49	'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
		50	};
		51
		52	+static char only_newlines[] = {
		53	+ '\n', '\n', '\n', '\n'
		54	+};
		55	+
		56	static struct RequestTest {
		57	const char *description;
		58	const char *bugref;
		59	@@ -387,7 +392,6 @@ static struct RequestTest {
		60	{ { NULL } }
		61	},
		62
		63	- /* This couldn't be a C string as going one byte over would have been safe. */
		64	{ "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
		65	unterminated_http_version, sizeof (unterminated_http_version),
		66	SOUP_STATUS_BAD_REQUEST,
		67	@@ -457,6 +461,13 @@ static struct RequestTest {
		68	SOUP_STATUS_BAD_REQUEST,
		69	NULL, NULL, -1,
		70	{ { NULL } }
		71	+ },
		72	+
		73	+ { "Only newlines", NULL,
		74	+ only_newlines, sizeof (only_newlines),
		75	+ SOUP_STATUS_BAD_REQUEST,
		76	+ NULL, NULL, -1,
		77	+ { { NULL } }
		78	}
		79	};
		80	static const int num_reqtests = G_N_ELEMENTS (reqtests);
		81	--
		82	GitLab
		83


diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb index b299fcf6de..f409816fc2 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -19,6 +19,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
19	file://CVE-2024-52532-3.patch \	19	file://CVE-2024-52532-3.patch \
20	file://CVE-2024-52531-1.patch \	20	file://CVE-2024-52531-1.patch \
21	file://CVE-2024-52531-2.patch \	21	file://CVE-2024-52531-2.patch \
		22	file://CVE-2025-32906-1.patch \
		23	file://CVE-2025-32906-2.patch \
22	"	24	"
23	SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"	25	SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
24		26