3 files changed, 169 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
new file mode 100644
index 0000000000..d56ad0ff5e
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
@@ -0,0 +1,131 @@
+From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 27 Aug 2024 13:53:26 -0500
+Subject: [PATCH 1/2] headers: Be more robust against invalid input when
+ parsing params
+If you pass invalid input to a function such as soup_header_parse_param_list_strict()
+it can cause an overflow if it decodes the input to UTF-8.
+This should never happen with valid UTF-8 input which libsoup's client API
+ensures, however it's server API does not currently.
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-1.patch?h=ubuntu/jammy-security
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283]
+CVE: CVE-2024-52531
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c | 46 ++++++++++++++++++++++--------------------
+ 1 file changed, 24 insertions(+), 22 deletions(-)
+Index: libsoup2.4-2.74.2/libsoup/soup-headers.c
+===================================================================
+--- libsoup2.4-2.74.2.orig/libsoup/soup-headers.c
+++ libsoup2.4-2.74.2/libsoup/soup-headers.c
+@@ -643,8 +643,9 @@ soup_header_contains (const char *header
+ }
+ 
+ static void
+-decode_quoted_string (char *quoted_string)
+decode_quoted_string_inplace (GString *quoted_gstring)
+ {
+       char *quoted_string = quoted_gstring->str;
+        char *src, *dst;
+ 
+        src = quoted_string + 1;
+@@ -658,10 +659,11 @@ decode_quoted_string (char *quoted_strin
+ }
+ 
+ static gboolean
+-decode_rfc5987 (char *encoded_string)
+decode_rfc5987_inplace (GString *encoded_gstring)
+ {
+        char *q, *decoded;
+        gboolean iso_8859_1 = FALSE;
+       const char *encoded_string = encoded_gstring->str;
+ 
+        q = strchr (encoded_string, '\'');
+        if (!q)
+@@ -690,14 +692,7 @@ decode_rfc5987 (char *encoded_string)
+                decoded = utf8;
+        }
+ 
+-       /* If encoded_string was UTF-8, then each 3-character %-escape
+-        * will be converted to a single byte, and so decoded is
+-        * shorter than encoded_string. If encoded_string was
+-        * iso-8859-1, then each 3-character %-escape will be
+-        * converted into at most 2 bytes in UTF-8, and so it's still
+-        * shorter.
+-        */
+-       strcpy (encoded_string, decoded);
+       g_string_assign (encoded_gstring, decoded);
+        g_free (decoded);
+        return TRUE;
+ }
+@@ -707,15 +702,17 @@ parse_param_list (const char *header, ch
+ {
+        GHashTable *params;
+        GSList *list, *iter;
+-       char *item, *eq, *name_end, *value;
+-       gboolean override, duplicated;
+ 
+        params = g_hash_table_new_full (soup_str_case_hash, 
+                                        soup_str_case_equal,
+-                                       g_free, NULL);
+                                       g_free, g_free);
+ 
+        list = parse_list (header, delim);
+        for (iter = list; iter; iter = iter->next) {
+               char *item, *eq, *name_end;
+               gboolean override, duplicated;
+               GString *parsed_value = NULL;
+
+                item = iter->data;
+                override = FALSE;
+ 
+@@ -730,19 +727,19 @@ parse_param_list (const char *header, ch
+ 
+                        *name_end = '\0';
+ 
+-                       value = (char *)skip_lws (eq + 1);
+                       parsed_value = g_string_new ((char *)skip_lws (eq + 1));
+ 
+                        if (name_end[-1] == '*' && name_end > item + 1) {
+                                name_end[-1] = '\0';
+-                               if (!decode_rfc5987 (value)) {
+                               if (!decode_rfc5987_inplace (parsed_value)) {
+                                       g_string_free (parsed_value, TRUE);
+                                        g_free (item);
+                                        continue;
+                                }
+                                override = TRUE;
+-                       } else if (*value == '"')
+-                               decode_quoted_string (value);
+-               } else
+-                       value = NULL;
+                       } else if (parsed_value->str[0] == '"')
+                               decode_quoted_string_inplace (parsed_value);
+               }
+ 
+                duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
+ 
+@@ -750,11 +747,16 @@ parse_param_list (const char *header, ch
+                        soup_header_free_param_list (params);
+                        params = NULL;
+                        g_slist_foreach (iter, (GFunc)g_free, NULL);
+                       if (parsed_value)
+                               g_string_free (parsed_value, TRUE);
+                        break;
+-               } else if (override || !duplicated)
+-                       g_hash_table_replace (params, item, value);
+-               else
+               } else if (override || !duplicated) {
+                       g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
+               } else {
+                       if (parsed_value)
+                               g_string_free (parsed_value, TRUE);
+                        g_free (item);
+               }
+        }
+ 
+        g_slist_free (list);
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
new file mode 100644
index 0000000000..19b1872866
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
@@ -0,0 +1,36 @@
+From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 27 Aug 2024 13:52:08 -0500
+Subject: [PATCH 2/2] tests: Add test for passing invalid UTF-8 to
+ soup_header_parse_semi_param_list()
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-2.patch?h=ubuntu/jammy-security
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe]
+CVE: CVE-2024-52531
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/header-parsing-test.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+Index: libsoup2.4-2.74.2/tests/header-parsing-test.c
+===================================================================
+--- libsoup2.4-2.74.2.orig/tests/header-parsing-test.c
+++ libsoup2.4-2.74.2/tests/header-parsing-test.c
+@@ -825,6 +825,17 @@ static struct ParamListTest {
+            { "filename", "t\xC3\xA9st.txt" },
+          },
+        },
+
+        /* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */
+        { TRUE,
+              "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
+              {
+                    { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+                    { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+                    { "foo", NULL },
+
+                },
+        }
+ };
+ static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
+ 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index b1962961ce..88d08ad0ec 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -16,6 +16,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2024-52530.patch \
           file://CVE-2024-52532-1.patch \
           file://CVE-2024-52532-2.patch \
+           file://CVE-2024-52531-1.patch \
+           file://CVE-2024-52531-2.patch \
          "
 SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch new file mode 100644 index 0000000000..d56ad0ff5e --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
@@ -0,0 +1,131 @@
		1	From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Tue, 27 Aug 2024 13:53:26 -0500
		4	Subject: [PATCH 1/2] headers: Be more robust against invalid input when
		5	parsing params
		6
		7	If you pass invalid input to a function such as soup_header_parse_param_list_strict()
		8	it can cause an overflow if it decodes the input to UTF-8.
		9
		10	This should never happen with valid UTF-8 input which libsoup's client API
		11	ensures, however it's server API does not currently.
		12
		13	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-1.patch?h=ubuntu/jammy-security
		14	Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283]
		15	CVE: CVE-2024-52531
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	libsoup/soup-headers.c \| 46 ++++++++++++++++++++++--------------------
		19	1 file changed, 24 insertions(+), 22 deletions(-)
		20
		21	Index: libsoup2.4-2.74.2/libsoup/soup-headers.c
		22	===================================================================
		23	--- libsoup2.4-2.74.2.orig/libsoup/soup-headers.c
		24	+++ libsoup2.4-2.74.2/libsoup/soup-headers.c
		25	@@ -643,8 +643,9 @@ soup_header_contains (const char *header
		26	}
		27
		28	static void
		29	-decode_quoted_string (char *quoted_string)
		30	+decode_quoted_string_inplace (GString *quoted_gstring)
		31	{
		32	+ char *quoted_string = quoted_gstring->str;
		33	char src, dst;
		34
		35	src = quoted_string + 1;
		36	@@ -658,10 +659,11 @@ decode_quoted_string (char *quoted_strin
		37	}
		38
		39	static gboolean
		40	-decode_rfc5987 (char *encoded_string)
		41	+decode_rfc5987_inplace (GString *encoded_gstring)
		42	{
		43	char q, decoded;
		44	gboolean iso_8859_1 = FALSE;
		45	+ const char *encoded_string = encoded_gstring->str;
		46
		47	q = strchr (encoded_string, '\'');
		48	if (!q)
		49	@@ -690,14 +692,7 @@ decode_rfc5987 (char *encoded_string)
		50	decoded = utf8;
		51	}
		52
		53	- /* If encoded_string was UTF-8, then each 3-character %-escape
		54	- * will be converted to a single byte, and so decoded is
		55	- * shorter than encoded_string. If encoded_string was
		56	- * iso-8859-1, then each 3-character %-escape will be
		57	- * converted into at most 2 bytes in UTF-8, and so it's still
		58	- * shorter.
		59	- */
		60	- strcpy (encoded_string, decoded);
		61	+ g_string_assign (encoded_gstring, decoded);
		62	g_free (decoded);
		63	return TRUE;
		64	}
		65	@@ -707,15 +702,17 @@ parse_param_list (const char *header, ch
		66	{
		67	GHashTable *params;
		68	GSList list, iter;
		69	- char item, eq, name_end, value;
		70	- gboolean override, duplicated;
		71
		72	params = g_hash_table_new_full (soup_str_case_hash,
		73	soup_str_case_equal,
		74	- g_free, NULL);
		75	+ g_free, g_free);
		76
		77	list = parse_list (header, delim);
		78	for (iter = list; iter; iter = iter->next) {
		79	+ char item, eq, *name_end;
		80	+ gboolean override, duplicated;
		81	+ GString *parsed_value = NULL;
		82	+
		83	item = iter->data;
		84	override = FALSE;
		85
		86	@@ -730,19 +727,19 @@ parse_param_list (const char *header, ch
		87
		88	*name_end = '\0';
		89
		90	- value = (char *)skip_lws (eq + 1);
		91	+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
		92
		93	if (name_end[-1] == '*' && name_end > item + 1) {
		94	name_end[-1] = '\0';
		95	- if (!decode_rfc5987 (value)) {
		96	+ if (!decode_rfc5987_inplace (parsed_value)) {
		97	+ g_string_free (parsed_value, TRUE);
		98	g_free (item);
		99	continue;
		100	}
		101	override = TRUE;
		102	- } else if (*value == '"')
		103	- decode_quoted_string (value);
		104	- } else
		105	- value = NULL;
		106	+ } else if (parsed_value->str[0] == '"')
		107	+ decode_quoted_string_inplace (parsed_value);
		108	+ }
		109
		110	duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
		111
		112	@@ -750,11 +747,16 @@ parse_param_list (const char *header, ch
		113	soup_header_free_param_list (params);
		114	params = NULL;
		115	g_slist_foreach (iter, (GFunc)g_free, NULL);
		116	+ if (parsed_value)
		117	+ g_string_free (parsed_value, TRUE);
		118	break;
		119	- } else if (override \|\| !duplicated)
		120	- g_hash_table_replace (params, item, value);
		121	- else
		122	+ } else if (override \|\| !duplicated) {
		123	+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
		124	+ } else {
		125	+ if (parsed_value)
		126	+ g_string_free (parsed_value, TRUE);
		127	g_free (item);
		128	+ }
		129	}
		130
		131	g_slist_free (list);


diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch new file mode 100644 index 0000000000..19b1872866 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
@@ -0,0 +1,36 @@
		1	From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Tue, 27 Aug 2024 13:52:08 -0500
		4	Subject: [PATCH 2/2] tests: Add test for passing invalid UTF-8 to
		5	soup_header_parse_semi_param_list()
		6
		7	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-2.patch?h=ubuntu/jammy-security
		8	Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe]
		9	CVE: CVE-2024-52531
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	tests/header-parsing-test.c \| 11 +++++++++++
		13	1 file changed, 11 insertions(+)
		14
		15	Index: libsoup2.4-2.74.2/tests/header-parsing-test.c
		16	===================================================================
		17	--- libsoup2.4-2.74.2.orig/tests/header-parsing-test.c
		18	+++ libsoup2.4-2.74.2/tests/header-parsing-test.c
		19	@@ -825,6 +825,17 @@ static struct ParamListTest {
		20	{ "filename", "t\xC3\xA9st.txt" },
		21	},
		22	},
		23	+
		24	+ /* This tests invalid UTF-8 data which should never be passed here but it was designed to be robust against it. */
		25	+ { TRUE,
		26	+ "invalid=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
		27	+ {
		28	+ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
		29	+ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
		30	+ { "foo", NULL },
		31	+
		32	+ },
		33	+ }
		34	};
		35	static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
		36


diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb index b1962961ce..88d08ad0ec 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -16,6 +16,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
16	file://CVE-2024-52530.patch \	16	file://CVE-2024-52530.patch \
17	file://CVE-2024-52532-1.patch \	17	file://CVE-2024-52532-1.patch \
18	file://CVE-2024-52532-2.patch \	18	file://CVE-2024-52532-2.patch \
		19	file://CVE-2024-52531-1.patch \
		20	file://CVE-2024-52531-2.patch \
19	"	21	"
20	SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"	22	SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
21		23