2 files changed, 119 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch
new file mode 100644
index 0000000000..22a8908f23
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch
@@ -0,0 +1,118 @@
+From f0ee9d522f302d7d199e3e61fa8cd45eae7b248f Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Thu, 15 May 2025 07:59:14 +0200
+Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing
+Reject date/time when it does not represent a valid value.
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
+CVE: CVE-2025-4945
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-date-utils.c | 23 +++++++++++++++--------
+ tests/cookies-test.c      | 10 ++++++++++
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c
+index fd785f5..34ca995 100644
+--- a/libsoup/soup-date-utils.c
+++ b/libsoup/soup-date-utils.c
+@@ -129,7 +129,7 @@ parse_day (int *day, const char **date_string)
+        while (*end == ' ' || *end == '-')
+                end++;
+        *date_string = end;
+-       return TRUE;
+       return *day >= 1 && *day <= 31;
+ }
+ 
+ static inline gboolean
+@@ -169,7 +169,7 @@ parse_year (int *year, const char **date_string)
+        while (*end == ' ' || *end == '-')
+                end++;
+        *date_string = end;
+-       return TRUE;
+       return *year > 0 && *year < 9999;
+ }
+ 
+ static inline gboolean
+@@ -193,7 +193,7 @@ parse_time (int *hour, int *minute, int *second, const char **date_string)
+        while (*p == ' ')
+                p++;
+        *date_string = p;
+-       return TRUE;
+       return *hour >= 0 && *hour < 24 && *minute >= 0 && *minute < 60 && *second >= 0 && *second < 60;
+ }
+ 
+ static inline gboolean
+@@ -209,9 +209,14 @@ parse_timezone (GTimeZone **timezone, const char **date_string)
+                gulong val;
+                int sign = (**date_string == '+') ? 1 : -1;
+                val = strtoul (*date_string + 1, (char **)date_string, 10);
+-               if (**date_string == ':')
+-                       val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
+-               else
+               if (val > 9999)
+                       return FALSE;
+               if (**date_string == ':') {
+                       gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
+                       if (val > 99 || val2 > 99)
+                               return FALSE;
+                       val = 60 * val + val2;
+               } else
+                        val =  60 * (val / 100) + (val % 100);
+                offset_minutes = sign * val;
+                 utc = (sign == -1) && !val;
+@@ -264,7 +269,8 @@ parse_textual_date (const char *date_string)
+                if (!parse_month (&month, &date_string) ||
+                    !parse_day (&day, &date_string) ||
+                    !parse_time (&hour, &minute, &second, &date_string) ||
+-                   !parse_year (&year, &date_string))
+                   !parse_year (&year, &date_string) ||
+                   !g_date_valid_dmy (day, month, year))
+                        return NULL;
+ 
+                /* There shouldn't be a timezone, but check anyway */
+@@ -276,7 +282,8 @@ parse_textual_date (const char *date_string)
+                if (!parse_day (&day, &date_string) ||
+                    !parse_month (&month, &date_string) ||
+                    !parse_year (&year, &date_string) ||
+-                   !parse_time (&hour, &minute, &second, &date_string))
+                   !parse_time (&hour, &minute, &second, &date_string) ||
+                   !g_date_valid_dmy (day, month, year))
+                        return NULL;
+ 
+                /* This time there *should* be a timezone, but we
+diff --git a/tests/cookies-test.c b/tests/cookies-test.c
+index 1d2d456..ff809a4 100644
+--- a/tests/cookies-test.c
+++ b/tests/cookies-test.c
+@@ -460,6 +460,15 @@ do_cookies_parsing_max_age_long_overflow (void)
+        soup_cookie_free (cookie);
+ }
+ 
+static void
+do_cookies_parsing_int32_overflow (void)
+{
+       SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9    999:9:9+ 999999999-age=main=gne=", NULL);
+       g_assert_nonnull (cookie);
+       g_assert_null (soup_cookie_get_expires (cookie));
+       soup_cookie_free (cookie);
+}
+
+ static void
+ do_cookies_equal_nullpath (void)
+ {
+@@ -718,6 +727,7 @@ main (int argc, char **argv)
+        g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
+        g_test_add_func ("/cookies/parsing/max-age-int32-overflow", do_cookies_parsing_max_age_int32_overflow);
+        g_test_add_func ("/cookies/parsing/max-age-long-overflow", do_cookies_parsing_max_age_long_overflow);
+       g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
+        g_test_add_func ("/cookies/parsing/equal-nullpath", do_cookies_equal_nullpath);
+        g_test_add_func ("/cookies/parsing/control-characters", do_cookies_parsing_control_characters);
+         g_test_add_func ("/cookies/parsing/name-value-max-size", do_cookies_parsing_name_value_max_size);
+-- 
+2.34.1
diff --git a/meta/recipes-support/libsoup/libsoup_3.6.5.bb b/meta/recipes-support/libsoup/libsoup_3.6.5.bb
index 457a30ec70..acd84af934 100644
--- a/meta/recipes-support/libsoup/libsoup_3.6.5.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.6.5.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2025-32908-2.patch \
           file://CVE-2025-4948.patch \
           file://CVE-2025-4969.patch \
+           file://CVE-2025-4945.patch \
 "
 SRC_URI[sha256sum] = "6891765aac3e949017945c3eaebd8cc8216df772456dc9f460976fbdb7ada234"

diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch new file mode 100644 index 0000000000..22a8908f23 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch
@@ -0,0 +1,118 @@
		1	From f0ee9d522f302d7d199e3e61fa8cd45eae7b248f Mon Sep 17 00:00:00 2001
		2	From: Milan Crha <mcrha@redhat.com>
		3	Date: Thu, 15 May 2025 07:59:14 +0200
		4	Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing
		5
		6	Reject date/time when it does not represent a valid value.
		7
		8	Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
		9
		10	CVE: CVE-2025-4945
		11	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f]
		12
		13	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		14	---
		15	libsoup/soup-date-utils.c \| 23 +++++++++++++++--------
		16	tests/cookies-test.c \| 10 ++++++++++
		17	2 files changed, 25 insertions(+), 8 deletions(-)
		18
		19	diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c
		20	index fd785f5..34ca995 100644
		21	--- a/libsoup/soup-date-utils.c
		22	+++ b/libsoup/soup-date-utils.c
		23	@@ -129,7 +129,7 @@ parse_day (int day, const char *date_string)
		24	while (end == ' ' \|\| end == '-')
		25	end++;
		26	*date_string = end;
		27	- return TRUE;
		28	+ return day >= 1 && day <= 31;
		29	}
		30
		31	static inline gboolean
		32	@@ -169,7 +169,7 @@ parse_year (int year, const char *date_string)
		33	while (end == ' ' \|\| end == '-')
		34	end++;
		35	*date_string = end;
		36	- return TRUE;
		37	+ return year > 0 && year < 9999;
		38	}
		39
		40	static inline gboolean
		41	@@ -193,7 +193,7 @@ parse_time (int hour, int minute, int second, const char *date_string)
		42	while (*p == ' ')
		43	p++;
		44	*date_string = p;
		45	- return TRUE;
		46	+ return hour >= 0 && hour < 24 && minute >= 0 && minute < 60 && second >= 0 && second < 60;
		47	}
		48
		49	static inline gboolean
		50	@@ -209,9 +209,14 @@ parse_timezone (GTimeZone timezone, const char date_string)
		51	gulong val;
		52	int sign = (**date_string == '+') ? 1 : -1;
		53	val = strtoul (date_string + 1, (char *)date_string, 10);
		54	- if (**date_string == ':')
		55	- val = 60 * val + strtoul (date_string + 1, (char *)date_string, 10);
		56	- else
		57	+ if (val > 9999)
		58	+ return FALSE;
		59	+ if (**date_string == ':') {
		60	+ gulong val2 = strtoul (date_string + 1, (char *)date_string, 10);
		61	+ if (val > 99 \|\| val2 > 99)
		62	+ return FALSE;
		63	+ val = 60 * val + val2;
		64	+ } else
		65	val = 60 * (val / 100) + (val % 100);
		66	offset_minutes = sign * val;
		67	utc = (sign == -1) && !val;
		68	@@ -264,7 +269,8 @@ parse_textual_date (const char *date_string)
		69	if (!parse_month (&month, &date_string) \|\|
		70	!parse_day (&day, &date_string) \|\|
		71	!parse_time (&hour, &minute, &second, &date_string) \|\|
		72	- !parse_year (&year, &date_string))
		73	+ !parse_year (&year, &date_string) \|\|
		74	+ !g_date_valid_dmy (day, month, year))
		75	return NULL;
		76
		77	/* There shouldn't be a timezone, but check anyway */
		78	@@ -276,7 +282,8 @@ parse_textual_date (const char *date_string)
		79	if (!parse_day (&day, &date_string) \|\|
		80	!parse_month (&month, &date_string) \|\|
		81	!parse_year (&year, &date_string) \|\|
		82	- !parse_time (&hour, &minute, &second, &date_string))
		83	+ !parse_time (&hour, &minute, &second, &date_string) \|\|
		84	+ !g_date_valid_dmy (day, month, year))
		85	return NULL;
		86
		87	/* This time there should be a timezone, but we
		88	diff --git a/tests/cookies-test.c b/tests/cookies-test.c
		89	index 1d2d456..ff809a4 100644
		90	--- a/tests/cookies-test.c
		91	+++ b/tests/cookies-test.c
		92	@@ -460,6 +460,15 @@ do_cookies_parsing_max_age_long_overflow (void)
		93	soup_cookie_free (cookie);
		94	}
		95
		96	+static void
		97	+do_cookies_parsing_int32_overflow (void)
		98	+{
		99	+ SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9 999:9:9+ 999999999-age=main=gne=", NULL);
		100	+ g_assert_nonnull (cookie);
		101	+ g_assert_null (soup_cookie_get_expires (cookie));
		102	+ soup_cookie_free (cookie);
		103	+}
		104	+
		105	static void
		106	do_cookies_equal_nullpath (void)
		107	{
		108	@@ -718,6 +727,7 @@ main (int argc, char **argv)
		109	g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
		110	g_test_add_func ("/cookies/parsing/max-age-int32-overflow", do_cookies_parsing_max_age_int32_overflow);
		111	g_test_add_func ("/cookies/parsing/max-age-long-overflow", do_cookies_parsing_max_age_long_overflow);
		112	+ g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
		113	g_test_add_func ("/cookies/parsing/equal-nullpath", do_cookies_equal_nullpath);
		114	g_test_add_func ("/cookies/parsing/control-characters", do_cookies_parsing_control_characters);
		115	g_test_add_func ("/cookies/parsing/name-value-max-size", do_cookies_parsing_name_value_max_size);
		116	--
		117	2.34.1
		118


diff --git a/meta/recipes-support/libsoup/libsoup_3.6.5.bb b/meta/recipes-support/libsoup/libsoup_3.6.5.bb index 457a30ec70..acd84af934 100644 --- a/meta/recipes-support/libsoup/libsoup_3.6.5.bb +++ b/meta/recipes-support/libsoup/libsoup_3.6.5.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
20	file://CVE-2025-32908-2.patch \	20	file://CVE-2025-32908-2.patch \
21	file://CVE-2025-4948.patch \	21	file://CVE-2025-4948.patch \
22	file://CVE-2025-4969.patch \	22	file://CVE-2025-4969.patch \
		23	file://CVE-2025-4945.patch \
23	"	24	"
24	SRC_URI[sha256sum] = "6891765aac3e949017945c3eaebd8cc8216df772456dc9f460976fbdb7ada234"	25	SRC_URI[sha256sum] = "6891765aac3e949017945c3eaebd8cc8216df772456dc9f460976fbdb7ada234"
25		26