diff options
| author | Vijay Anusuri <vanusuri@mvista.com> | 2025-06-13 11:14:46 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-06-20 08:06:29 -0700 |
| commit | f49fc9966d78a7273ff2ec07b3f3762b83f2d97c (patch) | |
| tree | 4bf34fe4ae0a9192a94e26bf7ce42f2fd3a661cf | |
| parent | 523a48d5c819ac640d79ba042c7ab22f27ec7e9f (diff) | |
| download | poky-f49fc9966d78a7273ff2ec07b3f3762b83f2d97c.tar.gz | |
libsoup-2.4: Fix CVE-2025-2784
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/commit/242a10fbb12dbdc12d254bd8fc8669a0ac055304
&
https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d]
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435
(From OE-Core rev: 5cea727e87489b144cba9b2aa491d0c90f34f93d)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 files changed, 189 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-1.patch new file mode 100644 index 0000000000..bc2538329f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-1.patch | |||
| @@ -0,0 +1,52 @@ | |||
| 1 | From 242a10fbb12dbdc12d254bd8fc8669a0ac055304 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Griffis <pgriffis@igalia.com> | ||
| 3 | Date: Wed, 5 Feb 2025 14:39:42 -0600 | ||
| 4 | Subject: [PATCH] sniffer: Fix potential overflow | ||
| 5 | |||
| 6 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2025-2784-1.patch?h=ubuntu/focal-security | ||
| 7 | Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/242a10fbb12dbdc12d254bd8fc8669a0ac055304] | ||
| 8 | CVE: CVE-2025-2784 | ||
| 9 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 10 | --- | ||
| 11 | libsoup/content-sniffer/soup-content-sniffer.c | 2 +- | ||
| 12 | tests/meson.build | 4 +++- | ||
| 13 | tests/resources/whitespace.html | Bin 0 -> 512 bytes | ||
| 14 | tests/sniffing-test.c | 5 +++++ | ||
| 15 | tests/soup-tests.gresource.xml | 1 + | ||
| 16 | 5 files changed, 10 insertions(+), 2 deletions(-) | ||
| 17 | create mode 100644 tests/resources/whitespace.html | ||
| 18 | |||
| 19 | --- libsoup2.4-2.70.0.orig/libsoup/soup-content-sniffer.c | ||
| 20 | +++ libsoup2.4-2.70.0/libsoup/soup-content-sniffer.c | ||
| 21 | @@ -642,7 +642,7 @@ sniff_feed_or_html (SoupContentSniffer * | ||
| 22 | pos = 3; | ||
| 23 | |||
| 24 | look_for_tag: | ||
| 25 | - if (pos > resource_length) | ||
| 26 | + if (pos >= resource_length) | ||
| 27 | goto text_html; | ||
| 28 | |||
| 29 | if (skip_insignificant_space (resource, &pos, resource_length)) | ||
| 30 | --- libsoup2.4-2.70.0.orig/tests/sniffing-test.c | ||
| 31 | +++ libsoup2.4-2.70.0/tests/sniffing-test.c | ||
| 32 | @@ -601,6 +601,11 @@ main (int argc, char **argv) | ||
| 33 | "type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8", | ||
| 34 | do_sniffing_test); | ||
| 35 | |||
| 36 | + /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */ | ||
| 37 | + g_test_add_data_func ("/sniffing/whitespace", | ||
| 38 | + "type/text_html/whitespace.html => text/html", | ||
| 39 | + do_sniffing_test); | ||
| 40 | + | ||
| 41 | /* Test that disabling the sniffer works correctly */ | ||
| 42 | g_test_add_data_func ("/sniffing/disabled", | ||
| 43 | "/text_or_binary/home.gif", | ||
| 44 | --- libsoup2.4-2.70.0.orig/tests/soup-tests.gresource.xml | ||
| 45 | +++ libsoup2.4-2.70.0/tests/soup-tests.gresource.xml | ||
| 46 | @@ -25,5 +25,6 @@ | ||
| 47 | <file>resources/text.txt</file> | ||
| 48 | <file>resources/text_binary.txt</file> | ||
| 49 | <file>resources/tux.webp</file> | ||
| 50 | + <file>resources/whitespace.html</file> | ||
| 51 | </gresource> | ||
| 52 | </gresources> | ||
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-2.patch new file mode 100644 index 0000000000..c9d9c04087 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-2.patch | |||
| @@ -0,0 +1,135 @@ | |||
| 1 | From c415ad0b6771992e66c70edf373566c6e247089d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Griffis <pgriffis@igalia.com> | ||
| 3 | Date: Tue, 18 Feb 2025 14:29:50 -0600 | ||
| 4 | Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space() | ||
| 5 | |||
| 6 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2025-2784-2.patch?h=ubuntu/focal-security | ||
| 7 | Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d] | ||
| 8 | CVE: CVE-2025-2784 | ||
| 9 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 10 | --- | ||
| 11 | .../content-sniffer/soup-content-sniffer.c | 10 ++-- | ||
| 12 | tests/resources/whitespace.html | Bin 512 -> 0 bytes | ||
| 13 | tests/sniffing-test.c | 53 ++++++++++++++++-- | ||
| 14 | tests/soup-tests.gresource.xml | 1 - | ||
| 15 | 4 files changed, 53 insertions(+), 11 deletions(-) | ||
| 16 | delete mode 100644 tests/resources/whitespace.html | ||
| 17 | |||
| 18 | --- libsoup2.4-2.70.0.orig/libsoup/soup-content-sniffer.c | ||
| 19 | +++ libsoup2.4-2.70.0/libsoup/soup-content-sniffer.c | ||
| 20 | @@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer | ||
| 21 | } | ||
| 22 | |||
| 23 | static gboolean | ||
| 24 | -skip_insignificant_space (const char *resource, int *pos, int resource_length) | ||
| 25 | +skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length) | ||
| 26 | { | ||
| 27 | + if (*pos >= resource_length) | ||
| 28 | + return TRUE; | ||
| 29 | + | ||
| 30 | while ((resource[*pos] == '\x09') || | ||
| 31 | (resource[*pos] == '\x20') || | ||
| 32 | (resource[*pos] == '\x0A') || | ||
| 33 | @@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer * | ||
| 34 | { | ||
| 35 | const char *resource = (const char *)buffer->data; | ||
| 36 | int resource_length = MIN (512, buffer->length); | ||
| 37 | - int pos = 0; | ||
| 38 | + gsize pos = 0; | ||
| 39 | |||
| 40 | if (resource_length < 3) | ||
| 41 | goto text_html; | ||
| 42 | @@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer * | ||
| 43 | pos = 3; | ||
| 44 | |||
| 45 | look_for_tag: | ||
| 46 | - if (pos >= resource_length) | ||
| 47 | - goto text_html; | ||
| 48 | - | ||
| 49 | if (skip_insignificant_space (resource, &pos, resource_length)) | ||
| 50 | goto text_html; | ||
| 51 | |||
| 52 | --- libsoup2.4-2.70.0.orig/tests/sniffing-test.c | ||
| 53 | +++ libsoup2.4-2.70.0/tests/sniffing-test.c | ||
| 54 | @@ -432,6 +432,53 @@ test_disabled (gconstpointer data) | ||
| 55 | soup_uri_free (uri); | ||
| 56 | } | ||
| 57 | |||
| 58 | +static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->"); | ||
| 59 | + | ||
| 60 | +static void | ||
| 61 | +do_skip_whitespace_test (void) | ||
| 62 | +{ | ||
| 63 | + SoupContentSniffer *sniffer = soup_content_sniffer_new (); | ||
| 64 | + SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org"); | ||
| 65 | + const char *test_cases[] = { | ||
| 66 | + "", | ||
| 67 | + "<rdf:RDF", | ||
| 68 | + "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"", | ||
| 69 | + "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"", | ||
| 70 | + }; | ||
| 71 | + | ||
| 72 | + soup_message_headers_set_content_type (msg->response_headers, "text/html", NULL); | ||
| 73 | + | ||
| 74 | + guint i; | ||
| 75 | + for (i = 0; i < G_N_ELEMENTS (test_cases); i++) { | ||
| 76 | + const char *trailing_data = test_cases[i]; | ||
| 77 | + gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data); | ||
| 78 | + gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data); | ||
| 79 | + guint8 *data = g_malloc0 (testsize); | ||
| 80 | + guint8 *p = data; | ||
| 81 | + char *content_type; | ||
| 82 | + GBytes *buffer; | ||
| 83 | + | ||
| 84 | + /* Format of <!--[0x00 * $leading_zeros]-->$trailing_data */ | ||
| 85 | + memcpy (p, "<!--", strlen ("<!--")); | ||
| 86 | + p += strlen ("<!--"); | ||
| 87 | + p += leading_zeros; | ||
| 88 | + memcpy (p, "-->", strlen ("-->")); | ||
| 89 | + p += strlen ("-->"); | ||
| 90 | + if (strlen (trailing_data)) | ||
| 91 | + memcpy (p, trailing_data, strlen (trailing_data)); | ||
| 92 | + /* Purposefully not NUL terminated. */ | ||
| 93 | + | ||
| 94 | + buffer = g_bytes_new_take (g_steal_pointer (&data), testsize); | ||
| 95 | + content_type = soup_content_sniffer_sniff (sniffer, msg, (SoupBuffer *) buffer, NULL); | ||
| 96 | + | ||
| 97 | + g_free (content_type); | ||
| 98 | + g_bytes_unref (buffer); | ||
| 99 | + } | ||
| 100 | + | ||
| 101 | + g_object_unref (msg); | ||
| 102 | + g_object_unref (sniffer); | ||
| 103 | +} | ||
| 104 | + | ||
| 105 | int | ||
| 106 | main (int argc, char **argv) | ||
| 107 | { | ||
| 108 | @@ -601,16 +648,13 @@ main (int argc, char **argv) | ||
| 109 | "type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8", | ||
| 110 | do_sniffing_test); | ||
| 111 | |||
| 112 | - /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */ | ||
| 113 | - g_test_add_data_func ("/sniffing/whitespace", | ||
| 114 | - "type/text_html/whitespace.html => text/html", | ||
| 115 | - do_sniffing_test); | ||
| 116 | - | ||
| 117 | /* Test that disabling the sniffer works correctly */ | ||
| 118 | g_test_add_data_func ("/sniffing/disabled", | ||
| 119 | "/text_or_binary/home.gif", | ||
| 120 | test_disabled); | ||
| 121 | |||
| 122 | + g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test); | ||
| 123 | + | ||
| 124 | ret = g_test_run (); | ||
| 125 | |||
| 126 | soup_uri_free (base_uri); | ||
| 127 | --- libsoup2.4-2.70.0.orig/tests/soup-tests.gresource.xml | ||
| 128 | +++ libsoup2.4-2.70.0/tests/soup-tests.gresource.xml | ||
| 129 | @@ -25,6 +25,5 @@ | ||
| 130 | <file>resources/text.txt</file> | ||
| 131 | <file>resources/text_binary.txt</file> | ||
| 132 | <file>resources/tux.webp</file> | ||
| 133 | - <file>resources/whitespace.html</file> | ||
| 134 | </gresource> | ||
| 135 | </gresources> | ||
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb index bb15e8b926..5e8a141dc5 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb | |||
| @@ -32,6 +32,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ | |||
| 32 | file://CVE-2025-32912-1.patch \ | 32 | file://CVE-2025-32912-1.patch \ |
| 33 | file://CVE-2025-32912-2.patch \ | 33 | file://CVE-2025-32912-2.patch \ |
| 34 | file://CVE-2025-32914.patch \ | 34 | file://CVE-2025-32914.patch \ |
| 35 | file://CVE-2025-2784-1.patch \ | ||
| 36 | file://CVE-2025-2784-2.patch \ | ||
| 35 | " | 37 | " |
| 36 | SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159" | 38 | SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159" |
| 37 | 39 | ||
