libsoup-2.4: Fix CVE-2025-32914

import patch from debian to fix CVE-2025-32914 Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf] Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450 https://security-tracker.debian.org/tracker/CVE-2025-32914 (From OE-Core rev: 8eba970123aca651cbce13e52d43ddaddd76a7cc) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-05-21 15:23:24 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-06-02 07:12:34 -0700
commit: 53ab80ae8f0394f7a57ae144076ac0c1c97e9002 (patch)
tree: 0feed114517747af2ebe964d4df28099b5919254
parent: a6c55c0bd7bff9d8762b6678b08e0bb70cfc3dab (diff)
download: poky-53ab80ae8f0394f7a57ae144076ac0c1c97e9002.tar.gz
2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
new file mode 100644
index 0000000000..e6d4607b5e
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
@@ -0,0 +1,137 @@
+From: Milan Crha <mcrha@redhat.com>
+Date: Tue, 15 Apr 2025 09:03:00 +0200
+Subject: multipart: Fix read out of buffer bounds under
+ soup_multipart_new_from_message()
+This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
+of the body argument.
+Closes #436
+(cherry picked from commit 5bfcf8157597f2d327050114fb37ff600004dbcf)
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32914.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]
+CVE: CVE-2025-32914
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-multipart.c |  2 +-
+ tests/multipart-test.c   | 85 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 86 insertions(+), 1 deletion(-)
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index a7e550f..dd93973 100644
+--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
+@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+                        return NULL;
+                }
+ 
+-               split = strstr (start, "\r\n\r\n");
+               split = g_strstr_len (start, body_end - start, "\r\n\r\n");
+                if (!split || split > end) {
+                        soup_multipart_free (multipart);
+                        soup_buffer_free (flattened);
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 64a5ebf..834b181 100644
+--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
+@@ -479,6 +479,89 @@ test_multipart (gconstpointer data)
+        g_main_loop_unref (loop);
+ }
+ 
+static void
+test_multipart_bounds_good (void)
+{
+       #define TEXT "line1\r\nline2"
+       SoupMultipart *multipart;
+       SoupMessageHeaders *headers, *set_headers = NULL;
+       //GBytes *bytes, *set_bytes = NULL;
+       GBytes *bytes;
+       const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
+       gboolean success;
+       SoupMessageBody *body = soup_message_body_new ();
+       SoupBuffer *set_buffer = NULL;
+       gconstpointer data;
+       gsize size;
+
+       headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+       soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+       bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+       data = g_bytes_get_data(bytes, NULL);
+       size = g_bytes_get_size(bytes);
+
+       soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size);
+
+       //multipart = soup_multipart_new_from_message (headers, bytes);
+       multipart = soup_multipart_new_from_message (headers, body);
+
+       soup_message_body_free (body);
+
+       g_assert_nonnull (multipart);
+       g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
+       success = soup_multipart_get_part (multipart, 0, &set_headers, &set_buffer);
+       g_assert_true (success);
+       g_assert_nonnull (set_headers);
+       //g_assert_nonnull (set_bytes);
+       g_assert_nonnull (set_buffer);
+       //g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes));
+       g_assert_cmpint (strlen (TEXT), ==, set_buffer->length);
+       g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
+       //g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes));
+       g_assert_cmpmem(TEXT, strlen(TEXT), set_buffer->data, set_buffer->length);
+
+       soup_message_headers_free (headers);
+       g_bytes_unref (bytes);
+
+       soup_multipart_free (multipart);
+
+       #undef TEXT
+}
+
+static void
+test_multipart_bounds_bad (void)
+{
+       SoupMultipart *multipart;
+       SoupMessageHeaders *headers;
+       GBytes *bytes;
+       const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
+       SoupMessageBody *body = soup_message_body_new ();
+       gconstpointer data;
+       gsize size;
+
+       headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+       soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+       bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+       data = g_bytes_get_data(bytes, NULL);
+       size = g_bytes_get_size(bytes);
+
+       soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size);
+
+       /* it did read out of raw_data/bytes bounds */
+       //multipart = soup_multipart_new_from_message (headers, bytes);
+       multipart = soup_multipart_new_from_message (headers, body);
+       g_assert_null (multipart);
+
+       soup_message_body_free (body);
+
+       soup_message_headers_free (headers);
+       g_bytes_unref (bytes);
+}
+
+ int
+ main (int argc, char **argv)
+ {
+@@ -508,6 +591,8 @@ main (int argc, char **argv)
+        g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
+        g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
+        g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+       g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
+       g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+ 
+        ret = g_test_run ();
+ 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index 509026c4ff..b986e2eea2 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -30,6 +30,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2025-32911_CVE-2025-32913-2.patch \
           file://CVE-2025-32912-1.patch \
           file://CVE-2025-32912-2.patch \
+           file://CVE-2025-32914.patch \
          "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-05-21 15:23:24 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-06-02 07:12:34 -0700
commit	53ab80ae8f0394f7a57ae144076ac0c1c97e9002 (patch)
tree	0feed114517747af2ebe964d4df28099b5919254
parent	a6c55c0bd7bff9d8762b6678b08e0bb70cfc3dab (diff)
download	poky-53ab80ae8f0394f7a57ae144076ac0c1c97e9002.tar.gz

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch new file mode 100644 index 0000000000..e6d4607b5e --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
@@ -0,0 +1,137 @@
		1	From: Milan Crha <mcrha@redhat.com>
		2	Date: Tue, 15 Apr 2025 09:03:00 +0200
		3	Subject: multipart: Fix read out of buffer bounds under
		4	soup_multipart_new_from_message()
		5
		6	This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
		7	of the body argument.
		8
		9	Closes #436
		10
		11	(cherry picked from commit 5bfcf8157597f2d327050114fb37ff600004dbcf)
		12
		13	Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32914.patch?ref_type=heads
		14	Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]
		15	CVE: CVE-2025-32914
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	libsoup/soup-multipart.c \| 2 +-
		19	tests/multipart-test.c \| 85 ++++++++++++++++++++++++++++++++++++++++++++++++
		20	2 files changed, 86 insertions(+), 1 deletion(-)
		21
		22	diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
		23	index a7e550f..dd93973 100644
		24	--- a/libsoup/soup-multipart.c
		25	+++ b/libsoup/soup-multipart.c
		26	@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
		27	return NULL;
		28	}
		29
		30	- split = strstr (start, "\r\n\r\n");
		31	+ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
		32	if (!split \|\| split > end) {
		33	soup_multipart_free (multipart);
		34	soup_buffer_free (flattened);
		35	diff --git a/tests/multipart-test.c b/tests/multipart-test.c
		36	index 64a5ebf..834b181 100644
		37	--- a/tests/multipart-test.c
		38	+++ b/tests/multipart-test.c
		39	@@ -479,6 +479,89 @@ test_multipart (gconstpointer data)
		40	g_main_loop_unref (loop);
		41	}
		42
		43	+static void
		44	+test_multipart_bounds_good (void)
		45	+{
		46	+ #define TEXT "line1\r\nline2"
		47	+ SoupMultipart *multipart;
		48	+ SoupMessageHeaders headers, set_headers = NULL;
		49	+ //GBytes bytes, set_bytes = NULL;
		50	+ GBytes *bytes;
		51	+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
		52	+ gboolean success;
		53	+ SoupMessageBody *body = soup_message_body_new ();
		54	+ SoupBuffer *set_buffer = NULL;
		55	+ gconstpointer data;
		56	+ gsize size;
		57	+
		58	+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
		59	+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
		60	+
		61	+ bytes = g_bytes_new (raw_data, strlen (raw_data));
		62	+
		63	+ data = g_bytes_get_data(bytes, NULL);
		64	+ size = g_bytes_get_size(bytes);
		65	+
		66	+ soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size);
		67	+
		68	+ //multipart = soup_multipart_new_from_message (headers, bytes);
		69	+ multipart = soup_multipart_new_from_message (headers, body);
		70	+
		71	+ soup_message_body_free (body);
		72	+
		73	+ g_assert_nonnull (multipart);
		74	+ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
		75	+ success = soup_multipart_get_part (multipart, 0, &set_headers, &set_buffer);
		76	+ g_assert_true (success);
		77	+ g_assert_nonnull (set_headers);
		78	+ //g_assert_nonnull (set_bytes);
		79	+ g_assert_nonnull (set_buffer);
		80	+ //g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes));
		81	+ g_assert_cmpint (strlen (TEXT), ==, set_buffer->length);
		82	+ g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
		83	+ //g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes));
		84	+ g_assert_cmpmem(TEXT, strlen(TEXT), set_buffer->data, set_buffer->length);
		85	+
		86	+ soup_message_headers_free (headers);
		87	+ g_bytes_unref (bytes);
		88	+
		89	+ soup_multipart_free (multipart);
		90	+
		91	+ #undef TEXT
		92	+}
		93	+
		94	+static void
		95	+test_multipart_bounds_bad (void)
		96	+{
		97	+ SoupMultipart *multipart;
		98	+ SoupMessageHeaders *headers;
		99	+ GBytes *bytes;
		100	+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
		101	+ SoupMessageBody *body = soup_message_body_new ();
		102	+ gconstpointer data;
		103	+ gsize size;
		104	+
		105	+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
		106	+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
		107	+
		108	+ bytes = g_bytes_new (raw_data, strlen (raw_data));
		109	+
		110	+ data = g_bytes_get_data(bytes, NULL);
		111	+ size = g_bytes_get_size(bytes);
		112	+
		113	+ soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size);
		114	+
		115	+ /* it did read out of raw_data/bytes bounds */
		116	+ //multipart = soup_multipart_new_from_message (headers, bytes);
		117	+ multipart = soup_multipart_new_from_message (headers, body);
		118	+ g_assert_null (multipart);
		119	+
		120	+ soup_message_body_free (body);
		121	+
		122	+ soup_message_headers_free (headers);
		123	+ g_bytes_unref (bytes);
		124	+}
		125	+
		126	int
		127	main (int argc, char **argv)
		128	{
		129	@@ -508,6 +591,8 @@ main (int argc, char **argv)
		130	g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
		131	g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
		132	g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
		133	+ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
		134	+ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
		135
		136	ret = g_test_run ();
		137


diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 509026c4ff..b986e2eea2 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -30,6 +30,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
30	file://CVE-2025-32911_CVE-2025-32913-2.patch \	30	file://CVE-2025-32911_CVE-2025-32913-2.patch \
31	file://CVE-2025-32912-1.patch \	31	file://CVE-2025-32912-1.patch \
32	file://CVE-2025-32912-2.patch \	32	file://CVE-2025-32912-2.patch \
		33	file://CVE-2025-32914.patch \
33	"	34	"
34	SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"	35	SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
35		36