2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch
new file mode 100644
index 0000000000..b2e1c12d48
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch
@@ -0,0 +1,137 @@
+From dd10ae267e33bcc35646610d7cc1841da77d05e7 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 5 Feb 2025 14:39:42 -0600
+Subject: [PATCH] Fix CVE-2025-2784
+CVE: CVE-2025-2784
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304
+https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ .../content-sniffer/soup-content-sniffer.c    | 10 ++--
+ tests/meson.build                             |  4 +-
+ tests/sniffing-test.c                         | 48 +++++++++++++++++++
+ 3 files changed, 56 insertions(+), 6 deletions(-)
+diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
+index aeee2e2..a5e18d5 100644
+--- a/libsoup/content-sniffer/soup-content-sniffer.c
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
+@@ -638,8 +638,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, GBytes *buffer)
+ }
+ 
+ static gboolean
+-skip_insignificant_space (const char *resource, int *pos, int resource_length)
+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
+ {
+        if (*pos >= resource_length)
+               return TRUE;
+
+        while ((resource[*pos] == '\x09') ||
+               (resource[*pos] == '\x20') ||
+               (resource[*pos] == '\x0A') ||
+@@ -659,7 +662,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
+        gsize resource_length;
+        const char *resource = g_bytes_get_data (buffer, &resource_length);
+        resource_length = MIN (512, resource_length);
+-       int pos = 0;
+       gsize pos = 0;
+ 
+        if (resource_length < 3)
+                goto text_html;
+@@ -669,9 +672,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
+                pos = 3;
+ 
+  look_for_tag:
+-       if (pos > resource_length)
+-               goto text_html;
+-
+        if (skip_insignificant_space (resource, &pos, resource_length))
+                goto text_html;
+ 
+diff --git a/tests/meson.build b/tests/meson.build
+index 7ef7ac5..95b13b8 100644
+--- a/tests/meson.build
+++ b/tests/meson.build
+@@ -95,7 +95,9 @@ tests = [
+   {'name': 'server-auth'},
+   {'name': 'server-mem-limit'},
+   {'name': 'server'},
+-  {'name': 'sniffing'},
+  {'name': 'sniffing',
+    'depends': [test_resources],
+  },
+   {'name': 'ssl',
+    'dependencies': [gnutls_dep],
+    'depends': mock_pkcs11_module,
+diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
+index 6116719..7857732 100644
+--- a/tests/sniffing-test.c
+++ b/tests/sniffing-test.c
+@@ -342,6 +342,52 @@ test_disabled (gconstpointer data)
+        g_uri_unref (uri);
+ }
+ 
+static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->");
+
+static void
+do_skip_whitespace_test (void)
+{
+        SoupContentSniffer *sniffer = soup_content_sniffer_new ();
+        SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org");
+        const char *test_cases[] = {
+                "",
+                "<rdf:RDF",
+                "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"",
+                "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"",
+        };
+
+        soup_message_headers_set_content_type (soup_message_get_response_headers (msg), "text/html", NULL);
+
+        for (guint i = 0; i < G_N_ELEMENTS (test_cases); i++) {
+                const char *trailing_data = test_cases[i];
+                gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data);
+                gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data);
+                guint8 *data = g_malloc0 (testsize);
+                guint8 *p = data;
+                char *content_type;
+                GBytes *buffer;
+
+                // Format of <!--[0x00 * $leading_zeros]-->$trailing_data
+                memcpy (p, "<!--", strlen ("<!--"));
+                p += strlen ("<!--");
+                p += leading_zeros;
+                memcpy (p, "-->", strlen ("-->"));
+                p += strlen ("-->");
+                if (strlen (trailing_data))
+                        memcpy (p, trailing_data, strlen (trailing_data));
+                // Purposefully not NUL terminated.                
+
+                buffer = g_bytes_new_take (g_steal_pointer (&data), testsize);
+                content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL);
+
+                g_free (content_type);
+                g_bytes_unref (buffer);
+        }
+
+        g_object_unref (msg);
+        g_object_unref (sniffer);
+}
+
+ int
+ main (int argc, char **argv)
+ {
+@@ -517,6 +563,8 @@ main (int argc, char **argv)
+                              "/text_or_binary/home.gif",
+                              test_disabled);
+ 
+       g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test);
+
+        ret = g_test_run ();
+ 
+        g_uri_unref (base_uri);
+-- 
+2.34.1
diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
index 9b8bf5b9a2..37319f007f 100644
--- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2025-32050.patch \
           file://CVE-2025-46421.patch \
           file://CVE-2025-4948.patch \
+           file://CVE-2025-2784.patch \
 "
 SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"

diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch new file mode 100644 index 0000000000..b2e1c12d48 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch
@@ -0,0 +1,137 @@
		1	From dd10ae267e33bcc35646610d7cc1841da77d05e7 Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Wed, 5 Feb 2025 14:39:42 -0600
		4	Subject: [PATCH] Fix CVE-2025-2784
		5
		6	CVE: CVE-2025-2784
		7	Upstream-Status: Backport
		8	[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304
		9	https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d]
		10
		11	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		12	---
		13	.../content-sniffer/soup-content-sniffer.c \| 10 ++--
		14	tests/meson.build \| 4 +-
		15	tests/sniffing-test.c \| 48 +++++++++++++++++++
		16	3 files changed, 56 insertions(+), 6 deletions(-)
		17
		18	diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
		19	index aeee2e2..a5e18d5 100644
		20	--- a/libsoup/content-sniffer/soup-content-sniffer.c
		21	+++ b/libsoup/content-sniffer/soup-content-sniffer.c
		22	@@ -638,8 +638,11 @@ sniff_text_or_binary (SoupContentSniffer sniffer, GBytes buffer)
		23	}
		24
		25	static gboolean
		26	-skip_insignificant_space (const char resource, int pos, int resource_length)
		27	+skip_insignificant_space (const char resource, gsize pos, gsize resource_length)
		28	{
		29	+ if (*pos >= resource_length)
		30	+ return TRUE;
		31	+
		32	while ((resource[*pos] == '\x09') \|\|
		33	(resource[*pos] == '\x20') \|\|
		34	(resource[*pos] == '\x0A') \|\|
		35	@@ -659,7 +662,7 @@ sniff_feed_or_html (SoupContentSniffer sniffer, GBytes buffer)
		36	gsize resource_length;
		37	const char *resource = g_bytes_get_data (buffer, &resource_length);
		38	resource_length = MIN (512, resource_length);
		39	- int pos = 0;
		40	+ gsize pos = 0;
		41
		42	if (resource_length < 3)
		43	goto text_html;
		44	@@ -669,9 +672,6 @@ sniff_feed_or_html (SoupContentSniffer sniffer, GBytes buffer)
		45	pos = 3;
		46
		47	look_for_tag:
		48	- if (pos > resource_length)
		49	- goto text_html;
		50	-
		51	if (skip_insignificant_space (resource, &pos, resource_length))
		52	goto text_html;
		53
		54	diff --git a/tests/meson.build b/tests/meson.build
		55	index 7ef7ac5..95b13b8 100644
		56	--- a/tests/meson.build
		57	+++ b/tests/meson.build
		58	@@ -95,7 +95,9 @@ tests = [
		59	{'name': 'server-auth'},
		60	{'name': 'server-mem-limit'},
		61	{'name': 'server'},
		62	- {'name': 'sniffing'},
		63	+ {'name': 'sniffing',
		64	+ 'depends': [test_resources],
		65	+ },
		66	{'name': 'ssl',
		67	'dependencies': [gnutls_dep],
		68	'depends': mock_pkcs11_module,
		69	diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
		70	index 6116719..7857732 100644
		71	--- a/tests/sniffing-test.c
		72	+++ b/tests/sniffing-test.c
		73	@@ -342,6 +342,52 @@ test_disabled (gconstpointer data)
		74	g_uri_unref (uri);
		75	}
		76
		77	+static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->");
		78	+
		79	+static void
		80	+do_skip_whitespace_test (void)
		81	+{
		82	+ SoupContentSniffer *sniffer = soup_content_sniffer_new ();
		83	+ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org");
		84	+ const char *test_cases[] = {
		85	+ "",
		86	+ "<rdf:RDF",
		87	+ "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"",
		88	+ "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"",
		89	+ };
		90	+
		91	+ soup_message_headers_set_content_type (soup_message_get_response_headers (msg), "text/html", NULL);
		92	+
		93	+ for (guint i = 0; i < G_N_ELEMENTS (test_cases); i++) {
		94	+ const char *trailing_data = test_cases[i];
		95	+ gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data);
		96	+ gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data);
		97	+ guint8 *data = g_malloc0 (testsize);
		98	+ guint8 *p = data;
		99	+ char *content_type;
		100	+ GBytes *buffer;
		101	+
		102	+ // Format of <!--[0x00 * $leading_zeros]-->$trailing_data
		103	+ memcpy (p, "<!--", strlen ("<!--"));
		104	+ p += strlen ("<!--");
		105	+ p += leading_zeros;
		106	+ memcpy (p, "-->", strlen ("-->"));
		107	+ p += strlen ("-->");
		108	+ if (strlen (trailing_data))
		109	+ memcpy (p, trailing_data, strlen (trailing_data));
		110	+ // Purposefully not NUL terminated.
		111	+
		112	+ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize);
		113	+ content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL);
		114	+
		115	+ g_free (content_type);
		116	+ g_bytes_unref (buffer);
		117	+ }
		118	+
		119	+ g_object_unref (msg);
		120	+ g_object_unref (sniffer);
		121	+}
		122	+
		123	int
		124	main (int argc, char **argv)
		125	{
		126	@@ -517,6 +563,8 @@ main (int argc, char **argv)
		127	"/text_or_binary/home.gif",
		128	test_disabled);
		129
		130	+ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test);
		131	+
		132	ret = g_test_run ();
		133
		134	g_uri_unref (base_uri);
		135	--
		136	2.34.1
		137


diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 9b8bf5b9a2..37319f007f 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
43	file://CVE-2025-32050.patch \	43	file://CVE-2025-32050.patch \
44	file://CVE-2025-46421.patch \	44	file://CVE-2025-46421.patch \
45	file://CVE-2025-4948.patch \	45	file://CVE-2025-4948.patch \
		46	file://CVE-2025-2784.patch \
46	"	47	"
47	SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"	48	SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
48		49