libsoup-2.4: Fix CVE-2024-52530

Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b (From OE-Core rev: ef1bff79d6b84eacccff2a3f8a5c3b8ed92fe0c4) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-05-06 21:27:27 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-05-14 09:08:57 -0700
commit: ecdb5e17859d4ab15cbb28ae06340f0e40c81104 (patch)
tree: f2edca693fef519c086c2258f89ad3aa27bd4a95
parent: 488cf4238a3c86a65ca54204f9e3b14aa6534c55 (diff)
download: poky-ecdb5e17859d4ab15cbb28ae06340f0e40c81104.tar.gz
2 files changed, 152 insertions, 1 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch
new file mode 100644
index 0000000000..bd62a748eb
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch
@@ -0,0 +1,149 @@
+From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Mon, 8 Jul 2024 12:33:15 -0500
+Subject: [PATCH] headers: Strictly don't allow NUL bytes
+In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b]
+CVE: CVE-2024-52530
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c      | 15 +++------
+ tests/header-parsing-test.c | 62 +++++++++++++++++--------------------
+ 2 files changed, 32 insertions(+), 45 deletions(-)
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index a0cf351ac..f30ee467a 100644
+--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
+@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
+         * ignorable trailing whitespace.
+         */
+ 
+       /* No '\0's are allowed */
+       if (memchr (str, '\0', len))
+               return FALSE;
+
+        /* Skip over the Request-Line / Status-Line */
+        headers_start = memchr (str, '\n', len);
+        if (!headers_start)
+                return FALSE;
+-       /* No '\0's in the Request-Line / Status-Line */
+-       if (memchr (str, '\0', headers_start - str))
+-               return FALSE;
+ 
+        /* We work on a copy of the headers, which we can write '\0's
+         * into, so that we don't have to individually g_strndup and
+@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
+        headers_copy[copy_len] = '\0';
+        value_end = headers_copy;
+ 
+-       /* There shouldn't be any '\0's in the headers already, but
+-        * this is the web we're talking about.
+-        */
+-       while ((p = memchr (headers_copy, '\0', copy_len))) {
+-               memmove (p, p + 1, copy_len - (p - headers_copy));
+-               copy_len--;
+-       }
+-
+        while (*(value_end + 1)) {
+                name = value_end + 1;
+                name_end = strchr (name, ':');
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index edf8eebb3..715c2c6f2 100644
+--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
+@@ -358,24 +358,6 @@ static struct RequestTest {
+          }
+        },
+ 
+-       { "NUL in header name", "760832",
+-         "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+-         SOUP_STATUS_OK,
+-         "GET", "/", SOUP_HTTP_1_1,
+-         { { "Host", "example.com" },
+-           { NULL }
+-         }
+-       },
+-
+-       { "NUL in header value", "760832",
+-         "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
+-         SOUP_STATUS_OK,
+-         "GET", "/", SOUP_HTTP_1_1,
+-         { { "Host", "examplecom" },
+-           { NULL }
+-         }
+-       },
+-
+        /************************/
+        /*** INVALID REQUESTS ***/
+        /************************/
+@@ -448,6 +430,21 @@ static struct RequestTest {
+          SOUP_STATUS_EXPECTATION_FAILED,
+          NULL, NULL, -1,
+          { { NULL } }
+       },
+
+       // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+       { "NUL in header name", NULL,
+         "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+         SOUP_STATUS_BAD_REQUEST,
+         NULL, NULL, -1,
+         { { NULL } }
+       },
+
+       { "NUL in header value", NULL,
+         "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+         SOUP_STATUS_BAD_REQUEST,
+           NULL, NULL, -1,
+         { { NULL } }
+        }
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+@@ -620,22 +617,6 @@ static struct ResponseTest {
+            { NULL } }
+        },
+ 
+-       { "NUL in header name", "760832",
+-         "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+-         SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
+-         { { "Foo", "bar" },
+-           { NULL }
+-         }
+-       },
+-
+-       { "NUL in header value", "760832",
+-         "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+-         SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
+-         { { "Foo", "bar" },
+-           { NULL }
+-         }
+-       },
+-
+        /********************************/
+        /*** VALID CONTINUE RESPONSES ***/
+        /********************************/
+@@ -768,6 +749,19 @@ static struct ResponseTest {
+          { { NULL }
+          }
+        },
+
+       // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+       { "NUL in header name", NULL,
+         "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+         -1, 0, NULL,
+         { { NULL } }
+       },
+
+       { "NUL in header value", "760832",
+         "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+         -1, 0, NULL,
+         { { NULL } }
+       },
+ };
+ static const int num_resptests = G_N_ELEMENTS (resptests);
+ 
+-- 
+GitLab
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index ee20530b64..b833d2cfa9 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -12,7 +12,9 @@ DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl"
 SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
-           file://0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch"
+           file://0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch \
+           file://CVE-2024-52530.patch \
+          "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 CVE_PRODUCT = "libsoup"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-05-06 21:27:27 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-05-14 09:08:57 -0700
commit	ecdb5e17859d4ab15cbb28ae06340f0e40c81104 (patch)
tree	f2edca693fef519c086c2258f89ad3aa27bd4a95
parent	488cf4238a3c86a65ca54204f9e3b14aa6534c55 (diff)
download	poky-ecdb5e17859d4ab15cbb28ae06340f0e40c81104.tar.gz

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch new file mode 100644 index 0000000000..bd62a748eb --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch
@@ -0,0 +1,149 @@
		1	From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Mon, 8 Jul 2024 12:33:15 -0500
		4	Subject: [PATCH] headers: Strictly don't allow NUL bytes
		5
		6	In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
		7
		8	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b]
		9	CVE: CVE-2024-52530
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	libsoup/soup-headers.c \| 15 +++------
		13	tests/header-parsing-test.c \| 62 +++++++++++++++++--------------------
		14	2 files changed, 32 insertions(+), 45 deletions(-)
		15
		16	diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
		17	index a0cf351ac..f30ee467a 100644
		18	--- a/libsoup/soup-headers.c
		19	+++ b/libsoup/soup-headers.c
		20	@@ -51,13 +51,14 @@ soup_headers_parse (const char str, int len, SoupMessageHeaders dest)
		21	* ignorable trailing whitespace.
		22	*/
		23
		24	+ /* No '\0's are allowed */
		25	+ if (memchr (str, '\0', len))
		26	+ return FALSE;
		27	+
		28	/* Skip over the Request-Line / Status-Line */
		29	headers_start = memchr (str, '\n', len);
		30	if (!headers_start)
		31	return FALSE;
		32	- /* No '\0's in the Request-Line / Status-Line */
		33	- if (memchr (str, '\0', headers_start - str))
		34	- return FALSE;
		35
		36	/* We work on a copy of the headers, which we can write '\0's
		37	* into, so that we don't have to individually g_strndup and
		38	@@ -69,14 +70,6 @@ soup_headers_parse (const char str, int len, SoupMessageHeaders dest)
		39	headers_copy[copy_len] = '\0';
		40	value_end = headers_copy;
		41
		42	- /* There shouldn't be any '\0's in the headers already, but
		43	- * this is the web we're talking about.
		44	- */
		45	- while ((p = memchr (headers_copy, '\0', copy_len))) {
		46	- memmove (p, p + 1, copy_len - (p - headers_copy));
		47	- copy_len--;
		48	- }
		49	-
		50	while (*(value_end + 1)) {
		51	name = value_end + 1;
		52	name_end = strchr (name, ':');
		53	diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
		54	index edf8eebb3..715c2c6f2 100644
		55	--- a/tests/header-parsing-test.c
		56	+++ b/tests/header-parsing-test.c
		57	@@ -358,24 +358,6 @@ static struct RequestTest {
		58	}
		59	},
		60
		61	- { "NUL in header name", "760832",
		62	- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
		63	- SOUP_STATUS_OK,
		64	- "GET", "/", SOUP_HTTP_1_1,
		65	- { { "Host", "example.com" },
		66	- { NULL }
		67	- }
		68	- },
		69	-
		70	- { "NUL in header value", "760832",
		71	- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
		72	- SOUP_STATUS_OK,
		73	- "GET", "/", SOUP_HTTP_1_1,
		74	- { { "Host", "examplecom" },
		75	- { NULL }
		76	- }
		77	- },
		78	-
		79	/************************/
		80	/* INVALID REQUESTS */
		81	/************************/
		82	@@ -448,6 +430,21 @@ static struct RequestTest {
		83	SOUP_STATUS_EXPECTATION_FAILED,
		84	NULL, NULL, -1,
		85	{ { NULL } }
		86	+ },
		87	+
		88	+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
		89	+ { "NUL in header name", NULL,
		90	+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
		91	+ SOUP_STATUS_BAD_REQUEST,
		92	+ NULL, NULL, -1,
		93	+ { { NULL } }
		94	+ },
		95	+
		96	+ { "NUL in header value", NULL,
		97	+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
		98	+ SOUP_STATUS_BAD_REQUEST,
		99	+ NULL, NULL, -1,
		100	+ { { NULL } }
		101	}
		102	};
		103	static const int num_reqtests = G_N_ELEMENTS (reqtests);
		104	@@ -620,22 +617,6 @@ static struct ResponseTest {
		105	{ NULL } }
		106	},
		107
		108	- { "NUL in header name", "760832",
		109	- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
		110	- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
		111	- { { "Foo", "bar" },
		112	- { NULL }
		113	- }
		114	- },
		115	-
		116	- { "NUL in header value", "760832",
		117	- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
		118	- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
		119	- { { "Foo", "bar" },
		120	- { NULL }
		121	- }
		122	- },
		123	-
		124	/********************************/
		125	/* VALID CONTINUE RESPONSES */
		126	/********************************/
		127	@@ -768,6 +749,19 @@ static struct ResponseTest {
		128	{ { NULL }
		129	}
		130	},
		131	+
		132	+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
		133	+ { "NUL in header name", NULL,
		134	+ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
		135	+ -1, 0, NULL,
		136	+ { { NULL } }
		137	+ },
		138	+
		139	+ { "NUL in header value", "760832",
		140	+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
		141	+ -1, 0, NULL,
		142	+ { { NULL } }
		143	+ },
		144	};
		145	static const int num_resptests = G_N_ELEMENTS (resptests);
		146
		147	--
		148	GitLab
		149


diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index ee20530b64..b833d2cfa9 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -12,7 +12,9 @@ DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl"
12	SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"	12	SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
13		13
14	SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \	14	SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
15	file://0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch"	15	file://0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch \
		16	file://CVE-2024-52530.patch \
		17	"
16	SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"	18	SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
17		19
18	CVE_PRODUCT = "libsoup"	20	CVE_PRODUCT = "libsoup"