summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVijay Anusuri <vanusuri@mvista.com>2025-06-13 11:14:46 +0530
committerSteve Sakoman <steve@sakoman.com>2025-06-20 08:06:29 -0700
commitf49fc9966d78a7273ff2ec07b3f3762b83f2d97c (patch)
tree4bf34fe4ae0a9192a94e26bf7ce42f2fd3a661cf
parent523a48d5c819ac640d79ba042c7ab22f27ec7e9f (diff)
downloadpoky-f49fc9966d78a7273ff2ec07b3f3762b83f2d97c.tar.gz
libsoup-2.4: Fix CVE-2025-2784
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/242a10fbb12dbdc12d254bd8fc8669a0ac055304 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d] https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435 (From OE-Core rev: 5cea727e87489b144cba9b2aa491d0c90f34f93d) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-1.patch52
-rw-r--r--meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-2.patch135
-rw-r--r--meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb2
3 files changed, 189 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-1.patch
new file mode 100644
index 0000000000..bc2538329f
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-1.patch
@@ -0,0 +1,52 @@
1From 242a10fbb12dbdc12d254bd8fc8669a0ac055304 Mon Sep 17 00:00:00 2001
2From: Patrick Griffis <pgriffis@igalia.com>
3Date: Wed, 5 Feb 2025 14:39:42 -0600
4Subject: [PATCH] sniffer: Fix potential overflow
5
6Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2025-2784-1.patch?h=ubuntu/focal-security
7Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/242a10fbb12dbdc12d254bd8fc8669a0ac055304]
8CVE: CVE-2025-2784
9Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
10---
11 libsoup/content-sniffer/soup-content-sniffer.c | 2 +-
12 tests/meson.build | 4 +++-
13 tests/resources/whitespace.html | Bin 0 -> 512 bytes
14 tests/sniffing-test.c | 5 +++++
15 tests/soup-tests.gresource.xml | 1 +
16 5 files changed, 10 insertions(+), 2 deletions(-)
17 create mode 100644 tests/resources/whitespace.html
18
19--- libsoup2.4-2.70.0.orig/libsoup/soup-content-sniffer.c
20+++ libsoup2.4-2.70.0/libsoup/soup-content-sniffer.c
21@@ -642,7 +642,7 @@ sniff_feed_or_html (SoupContentSniffer *
22 pos = 3;
23
24 look_for_tag:
25- if (pos > resource_length)
26+ if (pos >= resource_length)
27 goto text_html;
28
29 if (skip_insignificant_space (resource, &pos, resource_length))
30--- libsoup2.4-2.70.0.orig/tests/sniffing-test.c
31+++ libsoup2.4-2.70.0/tests/sniffing-test.c
32@@ -601,6 +601,11 @@ main (int argc, char **argv)
33 "type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
34 do_sniffing_test);
35
36+ /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
37+ g_test_add_data_func ("/sniffing/whitespace",
38+ "type/text_html/whitespace.html => text/html",
39+ do_sniffing_test);
40+
41 /* Test that disabling the sniffer works correctly */
42 g_test_add_data_func ("/sniffing/disabled",
43 "/text_or_binary/home.gif",
44--- libsoup2.4-2.70.0.orig/tests/soup-tests.gresource.xml
45+++ libsoup2.4-2.70.0/tests/soup-tests.gresource.xml
46@@ -25,5 +25,6 @@
47 <file>resources/text.txt</file>
48 <file>resources/text_binary.txt</file>
49 <file>resources/tux.webp</file>
50+ <file>resources/whitespace.html</file>
51 </gresource>
52 </gresources>
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-2.patch
new file mode 100644
index 0000000000..c9d9c04087
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-2.patch
@@ -0,0 +1,135 @@
1From c415ad0b6771992e66c70edf373566c6e247089d Mon Sep 17 00:00:00 2001
2From: Patrick Griffis <pgriffis@igalia.com>
3Date: Tue, 18 Feb 2025 14:29:50 -0600
4Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
5
6Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2025-2784-2.patch?h=ubuntu/focal-security
7Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d]
8CVE: CVE-2025-2784
9Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
10---
11 .../content-sniffer/soup-content-sniffer.c | 10 ++--
12 tests/resources/whitespace.html | Bin 512 -> 0 bytes
13 tests/sniffing-test.c | 53 ++++++++++++++++--
14 tests/soup-tests.gresource.xml | 1 -
15 4 files changed, 53 insertions(+), 11 deletions(-)
16 delete mode 100644 tests/resources/whitespace.html
17
18--- libsoup2.4-2.70.0.orig/libsoup/soup-content-sniffer.c
19+++ libsoup2.4-2.70.0/libsoup/soup-content-sniffer.c
20@@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer
21 }
22
23 static gboolean
24-skip_insignificant_space (const char *resource, int *pos, int resource_length)
25+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
26 {
27+ if (*pos >= resource_length)
28+ return TRUE;
29+
30 while ((resource[*pos] == '\x09') ||
31 (resource[*pos] == '\x20') ||
32 (resource[*pos] == '\x0A') ||
33@@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *
34 {
35 const char *resource = (const char *)buffer->data;
36 int resource_length = MIN (512, buffer->length);
37- int pos = 0;
38+ gsize pos = 0;
39
40 if (resource_length < 3)
41 goto text_html;
42@@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *
43 pos = 3;
44
45 look_for_tag:
46- if (pos >= resource_length)
47- goto text_html;
48-
49 if (skip_insignificant_space (resource, &pos, resource_length))
50 goto text_html;
51
52--- libsoup2.4-2.70.0.orig/tests/sniffing-test.c
53+++ libsoup2.4-2.70.0/tests/sniffing-test.c
54@@ -432,6 +432,53 @@ test_disabled (gconstpointer data)
55 soup_uri_free (uri);
56 }
57
58+static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->");
59+
60+static void
61+do_skip_whitespace_test (void)
62+{
63+ SoupContentSniffer *sniffer = soup_content_sniffer_new ();
64+ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org");
65+ const char *test_cases[] = {
66+ "",
67+ "<rdf:RDF",
68+ "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"",
69+ "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"",
70+ };
71+
72+ soup_message_headers_set_content_type (msg->response_headers, "text/html", NULL);
73+
74+ guint i;
75+ for (i = 0; i < G_N_ELEMENTS (test_cases); i++) {
76+ const char *trailing_data = test_cases[i];
77+ gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data);
78+ gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data);
79+ guint8 *data = g_malloc0 (testsize);
80+ guint8 *p = data;
81+ char *content_type;
82+ GBytes *buffer;
83+
84+ /* Format of <!--[0x00 * $leading_zeros]-->$trailing_data */
85+ memcpy (p, "<!--", strlen ("<!--"));
86+ p += strlen ("<!--");
87+ p += leading_zeros;
88+ memcpy (p, "-->", strlen ("-->"));
89+ p += strlen ("-->");
90+ if (strlen (trailing_data))
91+ memcpy (p, trailing_data, strlen (trailing_data));
92+ /* Purposefully not NUL terminated. */
93+
94+ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize);
95+ content_type = soup_content_sniffer_sniff (sniffer, msg, (SoupBuffer *) buffer, NULL);
96+
97+ g_free (content_type);
98+ g_bytes_unref (buffer);
99+ }
100+
101+ g_object_unref (msg);
102+ g_object_unref (sniffer);
103+}
104+
105 int
106 main (int argc, char **argv)
107 {
108@@ -601,16 +648,13 @@ main (int argc, char **argv)
109 "type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
110 do_sniffing_test);
111
112- /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
113- g_test_add_data_func ("/sniffing/whitespace",
114- "type/text_html/whitespace.html => text/html",
115- do_sniffing_test);
116-
117 /* Test that disabling the sniffer works correctly */
118 g_test_add_data_func ("/sniffing/disabled",
119 "/text_or_binary/home.gif",
120 test_disabled);
121
122+ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test);
123+
124 ret = g_test_run ();
125
126 soup_uri_free (base_uri);
127--- libsoup2.4-2.70.0.orig/tests/soup-tests.gresource.xml
128+++ libsoup2.4-2.70.0/tests/soup-tests.gresource.xml
129@@ -25,6 +25,5 @@
130 <file>resources/text.txt</file>
131 <file>resources/text_binary.txt</file>
132 <file>resources/tux.webp</file>
133- <file>resources/whitespace.html</file>
134 </gresource>
135 </gresources>
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index bb15e8b926..5e8a141dc5 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -32,6 +32,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
32 file://CVE-2025-32912-1.patch \ 32 file://CVE-2025-32912-1.patch \
33 file://CVE-2025-32912-2.patch \ 33 file://CVE-2025-32912-2.patch \
34 file://CVE-2025-32914.patch \ 34 file://CVE-2025-32914.patch \
35 file://CVE-2025-2784-1.patch \
36 file://CVE-2025-2784-2.patch \
35 " 37 "
36SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159" 38SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
37 39