libsoup: fix CVE-2025-32908

Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/429 (From OE-Core rev: ff7440fddf5ada072f60cc25f3670cbb74f58167) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Changqing Li <changqing.li@windriver.com> 2025-06-03 17:21:02 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-06-11 08:17:34 -0700
commit: c04a6271a429b22bfac6e1d94d016073bfad55b1 (patch)
tree: dbd3f87c4aa8ceeb34958e7dc7dcc0192017088e
parent: 320b76cc477069d619fd44d28608d9d2c1efe77c (diff)
download: poky-c04a6271a429b22bfac6e1d94d016073bfad55b1.tar.gz
3 files changed, 145 insertions, 1 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-1.patch
new file mode 100644
index 0000000000..8ad0e16d45
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-1.patch
@@ -0,0 +1,89 @@
+From 56b8eb061a02c4e99644d6f1e62e601d0d814beb Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Tue, 15 Apr 2025 09:59:05 +0200
+Subject: [PATCH 1/2] soup-server-http2: Check validity of the constructed
+ connection URI
+The HTTP/2 pseudo-headers can contain invalid values, which the GUri rejects
+and returns NULL, but the soup-server did not check the validity and could
+abort the server itself later in the code.
+Closes #429
+CVE: CVE-2025-32908
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/451/diffs?commit_id=a792b23ab87cacbf4dd9462bf7b675fa678efbae]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ .../http2/soup-server-message-io-http2.c      |  4 +++
+ tests/http2-test.c                            | 28 +++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
+index 943ecfd..f1fe2d5 100644
+--- a/libsoup/server/http2/soup-server-message-io-http2.c
+++ b/libsoup/server/http2/soup-server-message-io-http2.c
+@@ -771,9 +771,13 @@ on_frame_recv_callback (nghttp2_session     *session,
+                 char *uri_string;
+                 GUri *uri;
+ 
+               if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
+                       return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+                 uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
+                 uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
+                 g_free (uri_string);
+               if (uri == NULL)
+                       return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+                 soup_server_message_set_uri (msg_io->msg, uri);
+                 g_uri_unref (uri);
+ 
+diff --git a/tests/http2-test.c b/tests/http2-test.c
+index ef097f4..df86d9b 100644
+--- a/tests/http2-test.c
+++ b/tests/http2-test.c
+@@ -1241,6 +1241,30 @@ do_connection_closed_test (Test *test, gconstpointer data)
+         g_uri_unref (uri);
+ }
+ 
+static void
+do_broken_pseudo_header_test (Test *test, gconstpointer data)
+{
+       char *path;
+       SoupMessage *msg;
+       GUri *uri;
+       GBytes *body = NULL;
+       GError *error = NULL;
+
+       uri = g_uri_parse_relative (base_uri, "/ag", SOUP_HTTP_URI_FLAGS, NULL);
+
+       /* an ugly cheat to construct a broken URI, which can be sent from other libs */
+       path = (char *) g_uri_get_path (uri);
+       path[1] = '%';
+
+       msg = soup_message_new_from_uri (SOUP_METHOD_GET, uri);
+       body = soup_test_session_async_send (test->session, msg, NULL, &error);
+       g_assert_error (error, G_IO_ERROR, G_IO_ERROR_PARTIAL_INPUT);
+       g_assert_null (body);
+       g_clear_error (&error);
+       g_object_unref (msg);
+       g_uri_unref (uri);
+}
+
+ static gboolean
+ unpause_message (SoupServerMessage *msg)
+ {
+@@ -1549,6 +1573,10 @@ main (int argc, char **argv)
+                     setup_session,
+                     do_connection_closed_test,
+                     teardown_session);
+        g_test_add ("/http2/broken-pseudo-header", Test, NULL,
+                    setup_session,
+                    do_broken_pseudo_header_test,
+                    teardown_session);
+ 
+        ret = g_test_run ();
+ 
+-- 
+2.34.1
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-2.patch
new file mode 100644
index 0000000000..b53c7efb7b
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-2.patch
@@ -0,0 +1,53 @@
+From aad0dcf22ee9fdfefa6b72055268240cceccfe4c Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Mon, 28 Apr 2025 10:55:42 +0200
+Subject: [PATCH 2/2] soup-server-http2: Correct check of the validity of the
+ constructed connection URI
+RFC 5740: the CONNECT has unset the "scheme" and "path", thus allow them unset.
+The commit a792b23ab87cacbf4dd9462bf7b675fa678efbae also missed to decrement
+the `io->in_callback` in the early returns.
+Related to #429
+CVE: CVE-2025-32908
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/453/diffs?commit_id=527428a033df573ef4558ce1106e080fd9ec5c71]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ .../server/http2/soup-server-message-io-http2.c   | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
+index f1fe2d5..913afb4 100644
+--- a/libsoup/server/http2/soup-server-message-io-http2.c
+++ b/libsoup/server/http2/soup-server-message-io-http2.c
+@@ -771,13 +771,18 @@ on_frame_recv_callback (nghttp2_session     *session,
+                 char *uri_string;
+                 GUri *uri;
+ 
+-               if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
+-                       return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+-                uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
+                if (msg_io->authority == NULL) {
+                        io->in_callback--;
+                        return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+                }
+                /* RFC 5740: the CONNECT has unset the "scheme" and "path", but the GUri requires the scheme, thus let it be "(null)" */
+                uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path == NULL ? "" : msg_io->path);
+                 uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
+                 g_free (uri_string);
+-               if (uri == NULL)
+-                       return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+                if (uri == NULL) {
+                        io->in_callback--;
+                        return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+                }
+                 soup_server_message_set_uri (msg_io->msg, uri);
+                 g_uri_unref (uri);
+ 
+-- 
+2.34.1
diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
index 21a1bbe6cd..c19be9b5f4 100644
--- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -32,7 +32,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2025-32914.patch \
           file://CVE-2025-4476.patch \
           file://CVE-2025-4969.patch \
-          "
+           file://CVE-2025-32908-1.patch \
+           file://CVE-2025-32908-2.patch \
+"
 SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
 PROVIDES = "libsoup-3.0"
author	Changqing Li <changqing.li@windriver.com>	2025-06-03 17:21:02 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-06-11 08:17:34 -0700
commit	c04a6271a429b22bfac6e1d94d016073bfad55b1 (patch)
tree	dbd3f87c4aa8ceeb34958e7dc7dcc0192017088e
parent	320b76cc477069d619fd44d28608d9d2c1efe77c (diff)
download	poky-c04a6271a429b22bfac6e1d94d016073bfad55b1.tar.gz

diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-1.patch new file mode 100644 index 0000000000..8ad0e16d45 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-1.patch
@@ -0,0 +1,89 @@
		1	From 56b8eb061a02c4e99644d6f1e62e601d0d814beb Mon Sep 17 00:00:00 2001
		2	From: Milan Crha <mcrha@redhat.com>
		3	Date: Tue, 15 Apr 2025 09:59:05 +0200
		4	Subject: [PATCH 1/2] soup-server-http2: Check validity of the constructed
		5	connection URI
		6
		7	The HTTP/2 pseudo-headers can contain invalid values, which the GUri rejects
		8	and returns NULL, but the soup-server did not check the validity and could
		9	abort the server itself later in the code.
		10
		11	Closes #429
		12
		13	CVE: CVE-2025-32908
		14	Upstream-Status: Backport
		15	[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/451/diffs?commit_id=a792b23ab87cacbf4dd9462bf7b675fa678efbae]
		16
		17	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		18	---
		19	.../http2/soup-server-message-io-http2.c \| 4 +++
		20	tests/http2-test.c \| 28 +++++++++++++++++++
		21	2 files changed, 32 insertions(+)
		22
		23	diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
		24	index 943ecfd..f1fe2d5 100644
		25	--- a/libsoup/server/http2/soup-server-message-io-http2.c
		26	+++ b/libsoup/server/http2/soup-server-message-io-http2.c
		27	@@ -771,9 +771,13 @@ on_frame_recv_callback (nghttp2_session *session,
		28	char *uri_string;
		29	GUri *uri;
		30
		31	+ if (msg_io->scheme == NULL \|\| msg_io->authority == NULL \|\| msg_io->path == NULL)
		32	+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
		33	uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
		34	uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
		35	g_free (uri_string);
		36	+ if (uri == NULL)
		37	+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
		38	soup_server_message_set_uri (msg_io->msg, uri);
		39	g_uri_unref (uri);
		40
		41	diff --git a/tests/http2-test.c b/tests/http2-test.c
		42	index ef097f4..df86d9b 100644
		43	--- a/tests/http2-test.c
		44	+++ b/tests/http2-test.c
		45	@@ -1241,6 +1241,30 @@ do_connection_closed_test (Test *test, gconstpointer data)
		46	g_uri_unref (uri);
		47	}
		48
		49	+static void
		50	+do_broken_pseudo_header_test (Test *test, gconstpointer data)
		51	+{
		52	+ char *path;
		53	+ SoupMessage *msg;
		54	+ GUri *uri;
		55	+ GBytes *body = NULL;
		56	+ GError *error = NULL;
		57	+
		58	+ uri = g_uri_parse_relative (base_uri, "/ag", SOUP_HTTP_URI_FLAGS, NULL);
		59	+
		60	+ /* an ugly cheat to construct a broken URI, which can be sent from other libs */
		61	+ path = (char *) g_uri_get_path (uri);
		62	+ path[1] = '%';
		63	+
		64	+ msg = soup_message_new_from_uri (SOUP_METHOD_GET, uri);
		65	+ body = soup_test_session_async_send (test->session, msg, NULL, &error);
		66	+ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_PARTIAL_INPUT);
		67	+ g_assert_null (body);
		68	+ g_clear_error (&error);
		69	+ g_object_unref (msg);
		70	+ g_uri_unref (uri);
		71	+}
		72	+
		73	static gboolean
		74	unpause_message (SoupServerMessage *msg)
		75	{
		76	@@ -1549,6 +1573,10 @@ main (int argc, char **argv)
		77	setup_session,
		78	do_connection_closed_test,
		79	teardown_session);
		80	+ g_test_add ("/http2/broken-pseudo-header", Test, NULL,
		81	+ setup_session,
		82	+ do_broken_pseudo_header_test,
		83	+ teardown_session);
		84
		85	ret = g_test_run ();
		86
		87	--
		88	2.34.1
		89


diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-2.patch new file mode 100644 index 0000000000..b53c7efb7b --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-2.patch
@@ -0,0 +1,53 @@
		1	From aad0dcf22ee9fdfefa6b72055268240cceccfe4c Mon Sep 17 00:00:00 2001
		2	From: Milan Crha <mcrha@redhat.com>
		3	Date: Mon, 28 Apr 2025 10:55:42 +0200
		4	Subject: [PATCH 2/2] soup-server-http2: Correct check of the validity of the
		5	constructed connection URI
		6
		7	RFC 5740: the CONNECT has unset the "scheme" and "path", thus allow them unset.
		8
		9	The commit a792b23ab87cacbf4dd9462bf7b675fa678efbae also missed to decrement
		10	the `io->in_callback` in the early returns.
		11
		12	Related to #429
		13
		14	CVE: CVE-2025-32908
		15	Upstream-Status: Backport
		16	[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/453/diffs?commit_id=527428a033df573ef4558ce1106e080fd9ec5c71]
		17
		18	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		19	---
		20	.../server/http2/soup-server-message-io-http2.c \| 15 ++++++++++-----
		21	1 file changed, 10 insertions(+), 5 deletions(-)
		22
		23	diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
		24	index f1fe2d5..913afb4 100644
		25	--- a/libsoup/server/http2/soup-server-message-io-http2.c
		26	+++ b/libsoup/server/http2/soup-server-message-io-http2.c
		27	@@ -771,13 +771,18 @@ on_frame_recv_callback (nghttp2_session *session,
		28	char *uri_string;
		29	GUri *uri;
		30
		31	- if (msg_io->scheme == NULL \|\| msg_io->authority == NULL \|\| msg_io->path == NULL)
		32	- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
		33	- uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
		34	+ if (msg_io->authority == NULL) {
		35	+ io->in_callback--;
		36	+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
		37	+ }
		38	+ /* RFC 5740: the CONNECT has unset the "scheme" and "path", but the GUri requires the scheme, thus let it be "(null)" */
		39	+ uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path == NULL ? "" : msg_io->path);
		40	uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
		41	g_free (uri_string);
		42	- if (uri == NULL)
		43	- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
		44	+ if (uri == NULL) {
		45	+ io->in_callback--;
		46	+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
		47	+ }
		48	soup_server_message_set_uri (msg_io->msg, uri);
		49	g_uri_unref (uri);
		50
		51	--
		52	2.34.1
		53


diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 21a1bbe6cd..c19be9b5f4 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -32,7 +32,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
32	file://CVE-2025-32914.patch \	32	file://CVE-2025-32914.patch \
33	file://CVE-2025-4476.patch \	33	file://CVE-2025-4476.patch \
34	file://CVE-2025-4969.patch \	34	file://CVE-2025-4969.patch \
35	"	35	file://CVE-2025-32908-1.patch \
		36	file://CVE-2025-32908-2.patch \
		37	"
36	SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"	38	SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
37		39
38	PROVIDES = "libsoup-3.0"	40	PROVIDES = "libsoup-3.0"