1 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch
new file mode 100644
index 0000000000..916a41a71f
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch
@@ -0,0 +1,61 @@
+From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 11 Feb 2025 14:36:26 -0600
+Subject: [PATCH] headers: Handle parsing edge case
+This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931]
+CVE: CVE-2025-32906 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c      |  2 +-
+ tests/header-parsing-test.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 85385cea..9d6d00a3 100644
+--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
+@@ -225,7 +225,7 @@ soup_headers_parse_request (const char          *str,
+            !g_ascii_isdigit (version[5]))
+                return SOUP_STATUS_BAD_REQUEST;
+        major_version = strtoul (version + 5, &p, 10);
+-       if (*p != '.' || !g_ascii_isdigit (p[1]))
+       if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
+                return SOUP_STATUS_BAD_REQUEST;
+        minor_version = strtoul (p + 1, &p, 10);
+        version_end = p;
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 07ea2866..10ddb684 100644
+--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
+@@ -6,6 +6,10 @@ typedef struct {
+        const char *name, *value;
+ } Header;
+ 
+static char unterminated_http_version[] = {
+        'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
+};
+
+ static struct RequestTest {
+        const char *description;
+        const char *bugref;
+@@ -383,6 +387,14 @@ static struct RequestTest {
+          { { NULL } }
+        },
+ 
+        /* This couldn't be a C string as going one byte over would have been safe. */
+       { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+         unterminated_http_version, sizeof (unterminated_http_version),
+         SOUP_STATUS_BAD_REQUEST,
+           NULL, NULL, -1,
+         { { NULL } }
+       },
+
+        { "Non-HTTP request", NULL,
+          "GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
+          SOUP_STATUS_BAD_REQUEST,
+-- 
+GitLab

diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch new file mode 100644 index 0000000000..916a41a71f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch
@@ -0,0 +1,61 @@
	1	From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
	2	From: Patrick Griffis <pgriffis@igalia.com>
	3	Date: Tue, 11 Feb 2025 14:36:26 -0600
	4	Subject: [PATCH] headers: Handle parsing edge case
	5
	6	This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
	7
	8	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931]
	9	CVE: CVE-2025-32906 #Dependency Patch
	10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	11	---
	12	libsoup/soup-headers.c \| 2 +-
	13	tests/header-parsing-test.c \| 12 ++++++++++++
	14	2 files changed, 13 insertions(+), 1 deletion(-)
	15
	16	diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
	17	index 85385cea..9d6d00a3 100644
	18	--- a/libsoup/soup-headers.c
	19	+++ b/libsoup/soup-headers.c
	20	@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str,
	21	!g_ascii_isdigit (version[5]))
	22	return SOUP_STATUS_BAD_REQUEST;
	23	major_version = strtoul (version + 5, &p, 10);
	24	- if (*p != '.' \|\| !g_ascii_isdigit (p[1]))
	25	+ if (p + 1 >= str + len \|\| *p != '.' \|\| !g_ascii_isdigit (p[1]))
	26	return SOUP_STATUS_BAD_REQUEST;
	27	minor_version = strtoul (p + 1, &p, 10);
	28	version_end = p;
	29	diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
	30	index 07ea2866..10ddb684 100644
	31	--- a/tests/header-parsing-test.c
	32	+++ b/tests/header-parsing-test.c
	33	@@ -6,6 +6,10 @@ typedef struct {
	34	const char name, value;
	35	} Header;
	36
	37	+static char unterminated_http_version[] = {
	38	+ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
	39	+};
	40	+
	41	static struct RequestTest {
	42	const char *description;
	43	const char *bugref;
	44	@@ -383,6 +387,14 @@ static struct RequestTest {
	45	{ { NULL } }
	46	},
	47
	48	+ /* This couldn't be a C string as going one byte over would have been safe. */
	49	+ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
	50	+ unterminated_http_version, sizeof (unterminated_http_version),
	51	+ SOUP_STATUS_BAD_REQUEST,
	52	+ NULL, NULL, -1,
	53	+ { { NULL } }
	54	+ },
	55	+
	56	{ "Non-HTTP request", NULL,
	57	"GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
	58	SOUP_STATUS_BAD_REQUEST,
	59	--
	60	GitLab
	61