1 files changed, 116 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch
new file mode 100644
index 0000000000..c8e855c128
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch
@@ -0,0 +1,116 @@
+From 4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 27 Aug 2024 12:18:58 -0500
+Subject: [PATCH] fuzzing: Cover soup_header_parse_param_list
+CVE: CVE-2024-52531
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ fuzzing/fuzz.h                   |  9 +++++++--
+ fuzzing/fuzz_header_parsing.c    | 19 +++++++++++++++++++
+ fuzzing/fuzz_header_parsing.dict |  8 ++++++++
+ fuzzing/meson.build              |  2 ++
+ 4 files changed, 36 insertions(+), 2 deletions(-)
+ create mode 100644 fuzzing/fuzz_header_parsing.c
+ create mode 100644 fuzzing/fuzz_header_parsing.dict
+diff --git a/fuzzing/fuzz.h b/fuzzing/fuzz.h
+index 0d380285..f3bd28ee 100644
+--- a/fuzzing/fuzz.h
+++ b/fuzzing/fuzz.h
+@@ -1,13 +1,14 @@
+ #include "libsoup/soup.h"
+ 
+ int LLVMFuzzerTestOneInput (const unsigned char *data, size_t size);
+static int set_logger = 0;
+ 
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ static GLogWriterOutput
+ empty_logging_func (GLogLevelFlags log_level, const GLogField *fields,
+                     gsize n_fields, gpointer user_data)
+ {
+-  return G_LOG_WRITER_HANDLED;
+        return G_LOG_WRITER_HANDLED;
+ }
+ #endif
+ 
+@@ -16,6 +17,10 @@ static void
+ fuzz_set_logging_func (void)
+ {
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+-  g_log_set_writer_func (empty_logging_func, NULL, NULL);
+        if (!set_logger)
+        {
+                set_logger = 1;
+                g_log_set_writer_func (empty_logging_func, NULL, NULL);
+        }
+ #endif
+ }
+diff --git a/fuzzing/fuzz_header_parsing.c b/fuzzing/fuzz_header_parsing.c
+new file mode 100644
+index 00000000..a8e5c1f9
+--- /dev/null
+++ b/fuzzing/fuzz_header_parsing.c
+@@ -0,0 +1,19 @@
+#include "fuzz.h"
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+        GHashTable *elements;
+
+        // We only accept NUL terminated strings
+        if (!size || data[size - 1] != '\0')
+                return 0;
+
+        fuzz_set_logging_func ();
+
+        elements = soup_header_parse_param_list((char*)data);
+
+        g_hash_table_unref(elements);
+
+        return 0;
+}
+\ No newline at end of file
+diff --git a/fuzzing/fuzz_header_parsing.dict b/fuzzing/fuzz_header_parsing.dict
+new file mode 100644
+index 00000000..1562ca3a
+--- /dev/null
+++ b/fuzzing/fuzz_header_parsing.dict
+@@ -0,0 +1,8 @@
+"*=UTF-8''"
+"*=iso-8859-1''"
+"'"
+"''"
+"="
+"*="
+"""
+";"
+\ No newline at end of file
+diff --git a/fuzzing/meson.build b/fuzzing/meson.build
+index b14cbb50..5dd0f417 100644
+--- a/fuzzing/meson.build
+++ b/fuzzing/meson.build
+@@ -5,6 +5,7 @@ fuzz_targets = [
+   'fuzz_cookie_parse',
+   'fuzz_content_sniffer',
+   'fuzz_date_time',
+  'fuzz_header_parsing',
+ ]
+ 
+ fuzzing_args = '-fsanitize=fuzzer,address,undefined'
+@@ -34,6 +35,7 @@ if have_fuzzing and (fuzzing_feature.enabled() or fuzzing_feature.auto())
+         '-runs=200000',
+         '-artifact_prefix=meson-logs/' + target + '-',
+         '-print_final_stats=1',
+        '-max_len=4096',
+       ] + extra_args,
+       env: [
+         'ASAN_OPTIONS=fast_unwind_on_malloc=0',
+-- 
+2.25.1

diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch new file mode 100644 index 0000000000..c8e855c128 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch
@@ -0,0 +1,116 @@
	1	From 4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede Mon Sep 17 00:00:00 2001
	2	From: Patrick Griffis <pgriffis@igalia.com>
	3	Date: Tue, 27 Aug 2024 12:18:58 -0500
	4	Subject: [PATCH] fuzzing: Cover soup_header_parse_param_list
	5
	6	CVE: CVE-2024-52531
	7	Upstream-Status: Backport
	8	[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede]
	9
	10	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	11
	12	---
	13	fuzzing/fuzz.h \| 9 +++++++--
	14	fuzzing/fuzz_header_parsing.c \| 19 +++++++++++++++++++
	15	fuzzing/fuzz_header_parsing.dict \| 8 ++++++++
	16	fuzzing/meson.build \| 2 ++
	17	4 files changed, 36 insertions(+), 2 deletions(-)
	18	create mode 100644 fuzzing/fuzz_header_parsing.c
	19	create mode 100644 fuzzing/fuzz_header_parsing.dict
	20
	21	diff --git a/fuzzing/fuzz.h b/fuzzing/fuzz.h
	22	index 0d380285..f3bd28ee 100644
	23	--- a/fuzzing/fuzz.h
	24	+++ b/fuzzing/fuzz.h
	25	@@ -1,13 +1,14 @@
	26	#include "libsoup/soup.h"
	27
	28	int LLVMFuzzerTestOneInput (const unsigned char *data, size_t size);
	29	+static int set_logger = 0;
	30
	31	#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
	32	static GLogWriterOutput
	33	empty_logging_func (GLogLevelFlags log_level, const GLogField *fields,
	34	gsize n_fields, gpointer user_data)
	35	{
	36	- return G_LOG_WRITER_HANDLED;
	37	+ return G_LOG_WRITER_HANDLED;
	38	}
	39	#endif
	40
	41	@@ -16,6 +17,10 @@ static void
	42	fuzz_set_logging_func (void)
	43	{
	44	#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
	45	- g_log_set_writer_func (empty_logging_func, NULL, NULL);
	46	+ if (!set_logger)
	47	+ {
	48	+ set_logger = 1;
	49	+ g_log_set_writer_func (empty_logging_func, NULL, NULL);
	50	+ }
	51	#endif
	52	}
	53	diff --git a/fuzzing/fuzz_header_parsing.c b/fuzzing/fuzz_header_parsing.c
	54	new file mode 100644
	55	index 00000000..a8e5c1f9
	56	--- /dev/null
	57	+++ b/fuzzing/fuzz_header_parsing.c
	58	@@ -0,0 +1,19 @@
	59	+#include "fuzz.h"
	60	+
	61	+int
	62	+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
	63	+{
	64	+ GHashTable *elements;
	65	+
	66	+ // We only accept NUL terminated strings
	67	+ if (!size \|\| data[size - 1] != '\0')
	68	+ return 0;
	69	+
	70	+ fuzz_set_logging_func ();
	71	+
	72	+ elements = soup_header_parse_param_list((char*)data);
	73	+
	74	+ g_hash_table_unref(elements);
	75	+
	76	+ return 0;
	77	+}
	78	\ No newline at end of file
	79	diff --git a/fuzzing/fuzz_header_parsing.dict b/fuzzing/fuzz_header_parsing.dict
	80	new file mode 100644
	81	index 00000000..1562ca3a
	82	--- /dev/null
	83	+++ b/fuzzing/fuzz_header_parsing.dict
	84	@@ -0,0 +1,8 @@
	85	+"*=UTF-8''"
	86	+"*=iso-8859-1''"
	87	+"'"
	88	+"''"
	89	+"="
	90	+"*="
	91	+"""
	92	+";"
	93	\ No newline at end of file
	94	diff --git a/fuzzing/meson.build b/fuzzing/meson.build
	95	index b14cbb50..5dd0f417 100644
	96	--- a/fuzzing/meson.build
	97	+++ b/fuzzing/meson.build
	98	@@ -5,6 +5,7 @@ fuzz_targets = [
	99	'fuzz_cookie_parse',
	100	'fuzz_content_sniffer',
	101	'fuzz_date_time',
	102	+ 'fuzz_header_parsing',
	103	]
	104
	105	fuzzing_args = '-fsanitize=fuzzer,address,undefined'
	106	@@ -34,6 +35,7 @@ if have_fuzzing and (fuzzing_feature.enabled() or fuzzing_feature.auto())
	107	'-runs=200000',
	108	'-artifact_prefix=meson-logs/' + target + '-',
	109	'-print_final_stats=1',
	110	+ '-max_len=4096',
	111	] + extra_args,
	112	env: [
	113	'ASAN_OPTIONS=fast_unwind_on_malloc=0',
	114	--
	115	2.25.1
	116