libsoup: fix CVE-2025-32051

Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/401 (From OE-Core rev: 4af9a40f53a6a9607999f0f4b28d2ce1eaf325a2) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Changqing Li <changqing.li@windriver.com> 2025-06-18 10:59:38 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-06-25 08:11:57 -0700
commit: f9ae7a93d407c2755ecc7b4e9e68eef8ab02020f (patch)
tree: 28ef0b077f70d9abb697d595ee03e841f64016a4
parent: 3fc748ecd70ec2ea358972e8a734bc4d0288f05a (diff)
download: poky-f9ae7a93d407c2755ecc7b4e9e68eef8ab02020f.tar.gz
3 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-1.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-1.patch
new file mode 100644
index 0000000000..efeda48b11
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-1.patch
@@ -0,0 +1,29 @@
+From dc5db30989f385303c79ec3188c52e33f6f5886e Mon Sep 17 00:00:00 2001
+From: Ar Jun <pkillarjun@protonmail.com>
+Date: Sat, 16 Nov 2024 11:50:09 -0600
+Subject: [PATCH 1/2] Fix possible NULL deref in soup_uri_decode_data_uri
+CVE: CVE-2025-32051
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/0713ba4a719da938dc8facc89fca99cd0aa3069f]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-uri-utils.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
+index be2b79b..0251279 100644
+--- a/libsoup/soup-uri-utils.c
+++ b/libsoup/soup-uri-utils.c
+@@ -303,6 +303,8 @@ soup_uri_decode_data_uri (const char *uri,
+ 
+         uri_string = g_uri_to_string (soup_uri);
+         g_uri_unref (soup_uri);
+        if (!uri_string)
+                return NULL;
+ 
+         start = uri_string + 5;
+         comma = strchr (start, ',');
+-- 
+2.34.1
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-2.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-2.patch
new file mode 100644
index 0000000000..24c184bb86
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-2.patch
@@ -0,0 +1,57 @@
+From 7d1557a60145927806c88d321e8322a9d9f49bb2 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 22 Nov 2024 13:39:51 -0600
+Subject: [PATCH 2/2] soup_uri_decode_data_uri(): Handle URIs with a path
+ starting with //
+CVE: CVE-2025-32051
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/79cfd65c9bd8024cd45dd725c284766329873709]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-uri-utils.c | 8 ++++++++
+ tests/uri-parsing-test.c | 2 ++
+ 2 files changed, 10 insertions(+)
+diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
+index 0251279..1ff11cd 100644
+--- a/libsoup/soup-uri-utils.c
+++ b/libsoup/soup-uri-utils.c
+@@ -286,6 +286,7 @@ soup_uri_decode_data_uri (const char *uri,
+         gboolean base64 = FALSE;
+         char *uri_string;
+         GBytes *bytes;
+        const char *path;
+ 
+         g_return_val_if_fail (uri != NULL, NULL);
+ 
+@@ -301,6 +302,13 @@ soup_uri_decode_data_uri (const char *uri,
+         if (content_type)
+                 *content_type = NULL;
+ 
+        /* g_uri_to_string() is picky about paths that start with `//` and will assert. */
+        path = g_uri_get_path (soup_uri);
+        if (path[0] == '/' && path[1] == '/') {
+                g_uri_unref (soup_uri);
+                return NULL;
+        }
+
+         uri_string = g_uri_to_string (soup_uri);
+         g_uri_unref (soup_uri);
+         if (!uri_string)
+diff --git a/tests/uri-parsing-test.c b/tests/uri-parsing-test.c
+index 1f16273..418391e 100644
+--- a/tests/uri-parsing-test.c
+++ b/tests/uri-parsing-test.c
+@@ -141,6 +141,8 @@ static struct {
+         { "data:text/plain;base64,aGVsbG8=", "hello", "text/plain" },
+         { "data:text/plain;base64,invalid=", "", "text/plain" },
+         { "data:,", "", CONTENT_TYPE_DEFAULT },
+        { "data:.///", NULL, NULL },
+        { "data:/.//", NULL, NULL },
+ };
+ 
+ static void
+-- 
+2.34.1
diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
index 90733a73e8..be29ff0e5d 100644
--- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
@@ -40,6 +40,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2025-4969.patch \
           file://CVE-2025-32907-1.patch \
           file://CVE-2025-32907-2.patch \
+           file://CVE-2025-32051-1.patch \
+           file://CVE-2025-32051-2.patch \
          "
 SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"
author	Changqing Li <changqing.li@windriver.com>	2025-06-18 10:59:38 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-06-25 08:11:57 -0700
commit	f9ae7a93d407c2755ecc7b4e9e68eef8ab02020f (patch)
tree	28ef0b077f70d9abb697d595ee03e841f64016a4
parent	3fc748ecd70ec2ea358972e8a734bc4d0288f05a (diff)
download	poky-f9ae7a93d407c2755ecc7b4e9e68eef8ab02020f.tar.gz

diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-1.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-1.patch new file mode 100644 index 0000000000..efeda48b11 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-1.patch
@@ -0,0 +1,29 @@
		1	From dc5db30989f385303c79ec3188c52e33f6f5886e Mon Sep 17 00:00:00 2001
		2	From: Ar Jun <pkillarjun@protonmail.com>
		3	Date: Sat, 16 Nov 2024 11:50:09 -0600
		4	Subject: [PATCH 1/2] Fix possible NULL deref in soup_uri_decode_data_uri
		5
		6	CVE: CVE-2025-32051
		7	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/0713ba4a719da938dc8facc89fca99cd0aa3069f]
		8
		9	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		10	---
		11	libsoup/soup-uri-utils.c \| 2 ++
		12	1 file changed, 2 insertions(+)
		13
		14	diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
		15	index be2b79b..0251279 100644
		16	--- a/libsoup/soup-uri-utils.c
		17	+++ b/libsoup/soup-uri-utils.c
		18	@@ -303,6 +303,8 @@ soup_uri_decode_data_uri (const char *uri,
		19
		20	uri_string = g_uri_to_string (soup_uri);
		21	g_uri_unref (soup_uri);
		22	+ if (!uri_string)
		23	+ return NULL;
		24
		25	start = uri_string + 5;
		26	comma = strchr (start, ',');
		27	--
		28	2.34.1
		29


diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-2.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-2.patch new file mode 100644 index 0000000000..24c184bb86 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32051-2.patch
@@ -0,0 +1,57 @@
		1	From 7d1557a60145927806c88d321e8322a9d9f49bb2 Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Fri, 22 Nov 2024 13:39:51 -0600
		4	Subject: [PATCH 2/2] soup_uri_decode_data_uri(): Handle URIs with a path
		5	starting with //
		6
		7	CVE: CVE-2025-32051
		8	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/79cfd65c9bd8024cd45dd725c284766329873709]
		9
		10	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		11	---
		12	libsoup/soup-uri-utils.c \| 8 ++++++++
		13	tests/uri-parsing-test.c \| 2 ++
		14	2 files changed, 10 insertions(+)
		15
		16	diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
		17	index 0251279..1ff11cd 100644
		18	--- a/libsoup/soup-uri-utils.c
		19	+++ b/libsoup/soup-uri-utils.c
		20	@@ -286,6 +286,7 @@ soup_uri_decode_data_uri (const char *uri,
		21	gboolean base64 = FALSE;
		22	char *uri_string;
		23	GBytes *bytes;
		24	+ const char *path;
		25
		26	g_return_val_if_fail (uri != NULL, NULL);
		27
		28	@@ -301,6 +302,13 @@ soup_uri_decode_data_uri (const char *uri,
		29	if (content_type)
		30	*content_type = NULL;
		31
		32	+ /* g_uri_to_string() is picky about paths that start with `//` and will assert. */
		33	+ path = g_uri_get_path (soup_uri);
		34	+ if (path[0] == '/' && path[1] == '/') {
		35	+ g_uri_unref (soup_uri);
		36	+ return NULL;
		37	+ }
		38	+
		39	uri_string = g_uri_to_string (soup_uri);
		40	g_uri_unref (soup_uri);
		41	if (!uri_string)
		42	diff --git a/tests/uri-parsing-test.c b/tests/uri-parsing-test.c
		43	index 1f16273..418391e 100644
		44	--- a/tests/uri-parsing-test.c
		45	+++ b/tests/uri-parsing-test.c
		46	@@ -141,6 +141,8 @@ static struct {
		47	{ "data:text/plain;base64,aGVsbG8=", "hello", "text/plain" },
		48	{ "data:text/plain;base64,invalid=", "", "text/plain" },
		49	{ "data:,", "", CONTENT_TYPE_DEFAULT },
		50	+ { "data:.///", NULL, NULL },
		51	+ { "data:/.//", NULL, NULL },
		52	};
		53
		54	static void
		55	--
		56	2.34.1
		57


diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb index 90733a73e8..be29ff0e5d 100644 --- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb +++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
@@ -40,6 +40,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
40	file://CVE-2025-4969.patch \	40	file://CVE-2025-4969.patch \
41	file://CVE-2025-32907-1.patch \	41	file://CVE-2025-32907-1.patch \
42	file://CVE-2025-32907-2.patch \	42	file://CVE-2025-32907-2.patch \
		43	file://CVE-2025-32051-1.patch \
		44	file://CVE-2025-32051-2.patch \
43	"	45	"
44	SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"	46	SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"
45		47