3 files changed, 174 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
new file mode 100644
index 0000000000..9de0310c8d
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
@@ -0,0 +1,39 @@
+From 8331e681c85c3b1893d8d5193783f631bfc07acb Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:42:08 +0800
+Subject: [PATCH] tests: Add test for passing invalid UTF-8 to
+ soup_header_parse_semi_param_list()
+CVE: CVE-2024-52531
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=825fda3425546847b42ad5270544e9388ff349fe]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tests/header-parsing-test.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index b811115..cfcc003 100644
+--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
+@@ -836,6 +836,17 @@ static struct ParamListTest {
+            { "filename", "t\xC3\xA9st.txt" },
+          },
+        },
+
+/* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */
+       { TRUE,
+         "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
+          {
+               { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+               { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+               { "foo", NULL },
+          },
+       }
+
+ };
+ static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
+ 
+-- 
+2.34.1
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
new file mode 100644
index 0000000000..740c28c016
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
@@ -0,0 +1,133 @@
+From 12523a592f1216450d18706bcf6c16e0f1ab0ce0 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:52:37 +0800
+Subject: [PATCH] headers: Be more robust against invalid input when
+ parsing params
+If you pass invalid input to a function such as soup_header_parse_param_list_strict()
+it can cause an overflow if it decodes the input to UTF-8.
+This should never happen with valid UTF-8 input which libsoup's client API
+ensures, however it's server API does not currently.
+CVE: CVE-2024-52531
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c | 45 +++++++++++++++++++++---------------------
+ 1 file changed, 23 insertions(+), 22 deletions(-)
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 67905b2..39e8d34 100644
+--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
+@@ -642,8 +642,9 @@ soup_header_contains (const char *header, const char *token)
+ }
+ 
+ static void
+-decode_quoted_string (char *quoted_string)
+decode_quoted_string_inplace (GString *quoted_gstring)
+ {
+       char *quoted_string = quoted_gstring->str;
+        char *src, *dst;
+ 
+        src = quoted_string + 1;
+@@ -657,10 +658,11 @@ decode_quoted_string (char *quoted_string)
+ }
+ 
+ static gboolean
+-decode_rfc5987 (char *encoded_string)
+decode_rfc5987_inplace (GString *encoded_gstring)
+ {
+        char *q, *decoded;
+        gboolean iso_8859_1 = FALSE;
+       const char *encoded_string = encoded_gstring->str;
+ 
+        q = strchr (encoded_string, '\'');
+        if (!q)
+@@ -689,14 +691,7 @@ decode_rfc5987 (char *encoded_string)
+                decoded = utf8;
+        }
+ 
+-       /* If encoded_string was UTF-8, then each 3-character %-escape
+-        * will be converted to a single byte, and so decoded is
+-        * shorter than encoded_string. If encoded_string was
+-        * iso-8859-1, then each 3-character %-escape will be
+-        * converted into at most 2 bytes in UTF-8, and so it's still
+-        * shorter.
+-        */
+-       strcpy (encoded_string, decoded);
+       g_string_assign (encoded_gstring, decoded);
+        g_free (decoded);
+        return TRUE;
+ }
+@@ -706,15 +701,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ {
+        GHashTable *params;
+        GSList *list, *iter;
+-       char *item, *eq, *name_end, *value;
+-       gboolean override, duplicated;
+ 
+        params = g_hash_table_new_full (soup_str_case_hash, 
+                                        soup_str_case_equal,
+-                                       g_free, NULL);
+                                       g_free, g_free);
+ 
+        list = parse_list (header, delim);
+        for (iter = list; iter; iter = iter->next) {
+               char *item, *eq, *name_end;
+               gboolean override, duplicated;
+               GString *parsed_value = NULL;
+                item = iter->data;
+                override = FALSE;
+ 
+@@ -729,19 +725,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ 
+                        *name_end = '\0';
+ 
+-                       value = (char *)skip_lws (eq + 1);
+                       parsed_value = g_string_new ((char *)skip_lws (eq + 1));
+ 
+                        if (name_end[-1] == '*' && name_end > item + 1) {
+                                name_end[-1] = '\0';
+-                               if (!decode_rfc5987 (value)) {
+                               if (!decode_rfc5987_inplace (parsed_value)) {
+                                       g_string_free (parsed_value, TRUE);
+                                        g_free (item);
+                                        continue;
+                                }
+                                override = TRUE;
+-                       } else if (*value == '"')
+-                               decode_quoted_string (value);
+-               } else
+-                       value = NULL;
+                       } else if (parsed_value->str[0] == '"')
+                               decode_quoted_string_inplace (parsed_value);
+                       }
+ 
+                duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
+ 
+@@ -749,11 +745,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
+                        soup_header_free_param_list (params);
+                        params = NULL;
+                        g_slist_foreach (iter, (GFunc)g_free, NULL);
+                       if (parsed_value)
+                               g_string_free (parsed_value, TRUE);
+                        break;
+-               } else if (override || !duplicated)
+-                       g_hash_table_replace (params, item, value);
+-               else
+               } else if (override || !duplicated) {
+                       g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
+               } else {
+                       if (parsed_value)
+                               g_string_free (parsed_value, TRUE);
+                        g_free (item);
+               }
+        }
+ 
+        g_slist_free (list);
+-- 
+2.34.1
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index ed36d7c12b..089a032a4f 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -31,6 +31,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2025-32910-2.patch \
           file://CVE-2025-32910-3.patch \
           file://CVE-2025-32912.patch \
+           file://CVE-2024-52531-1.patch \
+           file://CVE-2024-52531-2.patch \
 "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch new file mode 100644 index 0000000000..9de0310c8d --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
@@ -0,0 +1,39 @@
		1	From 8331e681c85c3b1893d8d5193783f631bfc07acb Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Fri, 16 May 2025 13:42:08 +0800
		4	Subject: [PATCH] tests: Add test for passing invalid UTF-8 to
		5	soup_header_parse_semi_param_list()
		6
		7	CVE: CVE-2024-52531
		8	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=825fda3425546847b42ad5270544e9388ff349fe]
		9
		10	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		11	---
		12	tests/header-parsing-test.c \| 11 +++++++++++
		13	1 file changed, 11 insertions(+)
		14
		15	diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
		16	index b811115..cfcc003 100644
		17	--- a/tests/header-parsing-test.c
		18	+++ b/tests/header-parsing-test.c
		19	@@ -836,6 +836,17 @@ static struct ParamListTest {
		20	{ "filename", "t\xC3\xA9st.txt" },
		21	},
		22	},
		23	+
		24	+/* This tests invalid UTF-8 data which should never be passed here but it was designed to be robust against it. */
		25	+ { TRUE,
		26	+ "invalid=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
		27	+ {
		28	+ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
		29	+ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
		30	+ { "foo", NULL },
		31	+ },
		32	+ }
		33	+
		34	};
		35	static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
		36
		37	--
		38	2.34.1
		39


diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch new file mode 100644 index 0000000000..740c28c016 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
@@ -0,0 +1,133 @@
		1	From 12523a592f1216450d18706bcf6c16e0f1ab0ce0 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Fri, 16 May 2025 13:52:37 +0800
		4	Subject: [PATCH] headers: Be more robust against invalid input when
		5	parsing params
		6
		7	If you pass invalid input to a function such as soup_header_parse_param_list_strict()
		8	it can cause an overflow if it decodes the input to UTF-8.
		9
		10	This should never happen with valid UTF-8 input which libsoup's client API
		11	ensures, however it's server API does not currently.
		12
		13	CVE: CVE-2024-52531
		14	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]
		15
		16	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		17	---
		18	libsoup/soup-headers.c \| 45 +++++++++++++++++++++---------------------
		19	1 file changed, 23 insertions(+), 22 deletions(-)
		20
		21	diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
		22	index 67905b2..39e8d34 100644
		23	--- a/libsoup/soup-headers.c
		24	+++ b/libsoup/soup-headers.c
		25	@@ -642,8 +642,9 @@ soup_header_contains (const char header, const char token)
		26	}
		27
		28	static void
		29	-decode_quoted_string (char *quoted_string)
		30	+decode_quoted_string_inplace (GString *quoted_gstring)
		31	{
		32	+ char *quoted_string = quoted_gstring->str;
		33	char src, dst;
		34
		35	src = quoted_string + 1;
		36	@@ -657,10 +658,11 @@ decode_quoted_string (char *quoted_string)
		37	}
		38
		39	static gboolean
		40	-decode_rfc5987 (char *encoded_string)
		41	+decode_rfc5987_inplace (GString *encoded_gstring)
		42	{
		43	char q, decoded;
		44	gboolean iso_8859_1 = FALSE;
		45	+ const char *encoded_string = encoded_gstring->str;
		46
		47	q = strchr (encoded_string, '\'');
		48	if (!q)
		49	@@ -689,14 +691,7 @@ decode_rfc5987 (char *encoded_string)
		50	decoded = utf8;
		51	}
		52
		53	- /* If encoded_string was UTF-8, then each 3-character %-escape
		54	- * will be converted to a single byte, and so decoded is
		55	- * shorter than encoded_string. If encoded_string was
		56	- * iso-8859-1, then each 3-character %-escape will be
		57	- * converted into at most 2 bytes in UTF-8, and so it's still
		58	- * shorter.
		59	- */
		60	- strcpy (encoded_string, decoded);
		61	+ g_string_assign (encoded_gstring, decoded);
		62	g_free (decoded);
		63	return TRUE;
		64	}
		65	@@ -706,15 +701,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
		66	{
		67	GHashTable *params;
		68	GSList list, iter;
		69	- char item, eq, name_end, value;
		70	- gboolean override, duplicated;
		71
		72	params = g_hash_table_new_full (soup_str_case_hash,
		73	soup_str_case_equal,
		74	- g_free, NULL);
		75	+ g_free, g_free);
		76
		77	list = parse_list (header, delim);
		78	for (iter = list; iter; iter = iter->next) {
		79	+ char item, eq, *name_end;
		80	+ gboolean override, duplicated;
		81	+ GString *parsed_value = NULL;
		82	item = iter->data;
		83	override = FALSE;
		84
		85	@@ -729,19 +725,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
		86
		87	*name_end = '\0';
		88
		89	- value = (char *)skip_lws (eq + 1);
		90	+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
		91
		92	if (name_end[-1] == '*' && name_end > item + 1) {
		93	name_end[-1] = '\0';
		94	- if (!decode_rfc5987 (value)) {
		95	+ if (!decode_rfc5987_inplace (parsed_value)) {
		96	+ g_string_free (parsed_value, TRUE);
		97	g_free (item);
		98	continue;
		99	}
		100	override = TRUE;
		101	- } else if (*value == '"')
		102	- decode_quoted_string (value);
		103	- } else
		104	- value = NULL;
		105	+ } else if (parsed_value->str[0] == '"')
		106	+ decode_quoted_string_inplace (parsed_value);
		107	+ }
		108
		109	duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
		110
		111	@@ -749,11 +745,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
		112	soup_header_free_param_list (params);
		113	params = NULL;
		114	g_slist_foreach (iter, (GFunc)g_free, NULL);
		115	+ if (parsed_value)
		116	+ g_string_free (parsed_value, TRUE);
		117	break;
		118	- } else if (override \|\| !duplicated)
		119	- g_hash_table_replace (params, item, value);
		120	- else
		121	+ } else if (override \|\| !duplicated) {
		122	+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
		123	+ } else {
		124	+ if (parsed_value)
		125	+ g_string_free (parsed_value, TRUE);
		126	g_free (item);
		127	+ }
		128	}
		129
		130	g_slist_free (list);
		131	--
		132	2.34.1
		133


diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index ed36d7c12b..089a032a4f 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -31,6 +31,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
31	file://CVE-2025-32910-2.patch \	31	file://CVE-2025-32910-2.patch \
32	file://CVE-2025-32910-3.patch \	32	file://CVE-2025-32910-3.patch \
33	file://CVE-2025-32912.patch \	33	file://CVE-2025-32912.patch \
		34	file://CVE-2024-52531-1.patch \
		35	file://CVE-2024-52531-2.patch \
34	"	36	"
35	SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"	37	SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
36		38