openclaw/tqma6-yocto-mirror
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Complete Yocto mirror with license table for TQMa6UL (2038-compliance)

Browse Source 
- 264 license table entries with exact download URLs (224/264 resolved)
- Complete sources/ directory with all BitBake recipes
- Build configuration: tqma6ul-multi-mba6ulx, spaetzle (musl)
- Full traceability for Softwarefreigabeantrag
- GCC 13.4.0, Linux 6.6.102, U-Boot 2023.04, musl 1.2.4
- License distribution: GPL-2.0 (24), MIT (23), GPL-2.0+ (18), BSD-3 (16)
This commit is contained in:
Siggi (OpenClaw Agent)
2026-03-01 20:58:18 +00:00
commit 16accb6b24
15086 changed files with 1292356 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/0001-Fix-build-with-libxml2-2.12.0-and-clang-17.patch Normal file
View File

@@ -0,0 +1,44 @@
From ced3c5d8cad0177b297666343f1561799dfefb0d Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Wed, 22 Nov 2023 18:49:10 -0800
Subject: [PATCH] Fix build with libxml2-2.12.0 and clang-17
Fixes build errors about missing function prototypes with clang-17
Fixes
| ../libsoup-2.74.3/libsoup/soup-xmlrpc-old.c:512:8: error: call to undeclared function 'xmlParseMemory'; ISO C99 and later do not support implicit function declarations
Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/385]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
libsoup/soup-xmlrpc-old.c | 1 +
libsoup/soup-xmlrpc.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/libsoup/soup-xmlrpc-old.c b/libsoup/soup-xmlrpc-old.c
index c57086b6..527e3b23 100644
--- a/libsoup/soup-xmlrpc-old.c
+++ b/libsoup/soup-xmlrpc-old.c
@@ -11,6 +11,7 @@
#include <string.h>
+#include <libxml/parser.h>
#include <libxml/tree.h>
#include "soup-xmlrpc-old.h"
diff --git a/libsoup/soup-xmlrpc.c b/libsoup/soup-xmlrpc.c
index 42dcda9c..e991cbf0 100644
--- a/libsoup/soup-xmlrpc.c
+++ b/libsoup/soup-xmlrpc.c
@@ -17,6 +17,7 @@
#include <string.h>
#include <errno.h>
+#include <libxml/parser.h>
#include <libxml/tree.h>
#include "soup-xmlrpc.h"
#include "soup.h"
--
2.43.0

149
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch Normal file
View File

@@ -0,0 +1,149 @@
From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Mon, 8 Jul 2024 12:33:15 -0500
Subject: [PATCH] headers: Strictly don't allow NUL bytes
In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b]
CVE: CVE-2024-52530
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-headers.c | 15 +++------
tests/header-parsing-test.c | 62 +++++++++++++++++--------------------
2 files changed, 32 insertions(+), 45 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index a0cf351ac..f30ee467a 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
* ignorable trailing whitespace.
*/
+ /* No '\0's are allowed */
+ if (memchr (str, '\0', len))
+ return FALSE;
+
/* Skip over the Request-Line / Status-Line */
headers_start = memchr (str, '\n', len);
if (!headers_start)
return FALSE;
- /* No '\0's in the Request-Line / Status-Line */
- if (memchr (str, '\0', headers_start - str))
- return FALSE;
/* We work on a copy of the headers, which we can write '\0's
* into, so that we don't have to individually g_strndup and
@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
headers_copy[copy_len] = '\0';
value_end = headers_copy;
- /* There shouldn't be any '\0's in the headers already, but
- * this is the web we're talking about.
- */
- while ((p = memchr (headers_copy, '\0', copy_len))) {
- memmove (p, p + 1, copy_len - (p - headers_copy));
- copy_len--;
- }
-
while (*(value_end + 1)) {
name = value_end + 1;
name_end = strchr (name, ':');
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index edf8eebb3..715c2c6f2 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -358,24 +358,6 @@ static struct RequestTest {
}
},
- { "NUL in header name", "760832",
- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "example.com" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "examplecom" },
- { NULL }
- }
- },
-
/************************/
/*** INVALID REQUESTS ***/
/************************/
@@ -448,6 +430,21 @@ static struct RequestTest {
SOUP_STATUS_EXPECTATION_FAILED,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+ { "NUL in header name", NULL,
+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
+ { "NUL in header value", NULL,
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
@@ -620,22 +617,6 @@ static struct ResponseTest {
{ NULL } }
},
- { "NUL in header name", "760832",
- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
/********************************/
/*** VALID CONTINUE RESPONSES ***/
/********************************/
@@ -768,6 +749,19 @@ static struct ResponseTest {
{ { NULL }
}
},
+
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+ { "NUL in header name", NULL,
+ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
+
+ { "NUL in header value", "760832",
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
};
static const int num_resptests = G_N_ELEMENTS (resptests);
--
GitLab

131
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch Normal file
View File

@@ -0,0 +1,131 @@
From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 27 Aug 2024 13:53:26 -0500
Subject: [PATCH 1/2] headers: Be more robust against invalid input when
parsing params
If you pass invalid input to a function such as soup_header_parse_param_list_strict()
it can cause an overflow if it decodes the input to UTF-8.
This should never happen with valid UTF-8 input which libsoup's client API
ensures, however it's server API does not currently.
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-1.patch?h=ubuntu/jammy-security
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283]
CVE: CVE-2024-52531
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-headers.c | 46 ++++++++++++++++++++++--------------------
1 file changed, 24 insertions(+), 22 deletions(-)
Index: libsoup2.4-2.74.2/libsoup/soup-headers.c
===================================================================
--- libsoup2.4-2.74.2.orig/libsoup/soup-headers.c
+++ libsoup2.4-2.74.2/libsoup/soup-headers.c
@@ -643,8 +643,9 @@ soup_header_contains (const char *header
}
static void
-decode_quoted_string (char *quoted_string)
+decode_quoted_string_inplace (GString *quoted_gstring)
{
+ char *quoted_string = quoted_gstring->str;
char *src, *dst;
src = quoted_string + 1;
@@ -658,10 +659,11 @@ decode_quoted_string (char *quoted_strin
}
static gboolean
-decode_rfc5987 (char *encoded_string)
+decode_rfc5987_inplace (GString *encoded_gstring)
{
char *q, *decoded;
gboolean iso_8859_1 = FALSE;
+ const char *encoded_string = encoded_gstring->str;
q = strchr (encoded_string, '\'');
if (!q)
@@ -690,14 +692,7 @@ decode_rfc5987 (char *encoded_string)
decoded = utf8;
}
- /* If encoded_string was UTF-8, then each 3-character %-escape
- * will be converted to a single byte, and so decoded is
- * shorter than encoded_string. If encoded_string was
- * iso-8859-1, then each 3-character %-escape will be
- * converted into at most 2 bytes in UTF-8, and so it's still
- * shorter.
- */
- strcpy (encoded_string, decoded);
+ g_string_assign (encoded_gstring, decoded);
g_free (decoded);
return TRUE;
}
@@ -707,15 +702,17 @@ parse_param_list (const char *header, ch
{
GHashTable *params;
GSList *list, *iter;
- char *item, *eq, *name_end, *value;
- gboolean override, duplicated;
params = g_hash_table_new_full (soup_str_case_hash,
soup_str_case_equal,
- g_free, NULL);
+ g_free, g_free);
list = parse_list (header, delim);
for (iter = list; iter; iter = iter->next) {
+ char *item, *eq, *name_end;
+ gboolean override, duplicated;
+ GString *parsed_value = NULL;
+
item = iter->data;
override = FALSE;
@@ -730,19 +727,19 @@ parse_param_list (const char *header, ch
*name_end = '\0';
- value = (char *)skip_lws (eq + 1);
+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
if (name_end[-1] == '*' && name_end > item + 1) {
name_end[-1] = '\0';
- if (!decode_rfc5987 (value)) {
+ if (!decode_rfc5987_inplace (parsed_value)) {
+ g_string_free (parsed_value, TRUE);
g_free (item);
continue;
}
override = TRUE;
- } else if (*value == '"')
- decode_quoted_string (value);
- } else
- value = NULL;
+ } else if (parsed_value->str[0] == '"')
+ decode_quoted_string_inplace (parsed_value);
+ }
duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
@@ -750,11 +747,16 @@ parse_param_list (const char *header, ch
soup_header_free_param_list (params);
params = NULL;
g_slist_foreach (iter, (GFunc)g_free, NULL);
+ if (parsed_value)
+ g_string_free (parsed_value, TRUE);
break;
- } else if (override || !duplicated)
- g_hash_table_replace (params, item, value);
- else
+ } else if (override || !duplicated) {
+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
+ } else {
+ if (parsed_value)
+ g_string_free (parsed_value, TRUE);
g_free (item);
+ }
}
g_slist_free (list);

36
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch Normal file
View File

@@ -0,0 +1,36 @@
From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 27 Aug 2024 13:52:08 -0500
Subject: [PATCH 2/2] tests: Add test for passing invalid UTF-8 to
soup_header_parse_semi_param_list()
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2024-52531-2.patch?h=ubuntu/jammy-security
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe]
CVE: CVE-2024-52531
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
tests/header-parsing-test.c | 11 +++++++++++
1 file changed, 11 insertions(+)
Index: libsoup2.4-2.74.2/tests/header-parsing-test.c
===================================================================
--- libsoup2.4-2.74.2.orig/tests/header-parsing-test.c
+++ libsoup2.4-2.74.2/tests/header-parsing-test.c
@@ -825,6 +825,17 @@ static struct ParamListTest {
{ "filename", "t\xC3\xA9st.txt" },
},
},
+
+ /* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */
+ { TRUE,
+ "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
+ {
+ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+ { "foo", NULL },
+
+ },
+ }
};
static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);

36
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch Normal file
View File

@@ -0,0 +1,36 @@
From 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be Mon Sep 17 00:00:00 2001
From: Ignacio Casal Quinteiro <qignacio@amazon.com>
Date: Wed, 11 Sep 2024 11:52:11 +0200
Subject: [PATCH] websocket: process the frame as soon as we read data
Otherwise we can enter in a read loop because we were not
validating the data until the all the data was read.
Fixes #391
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be]
CVE: CVE-2024-52532
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-websocket-connection.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
index a4095e1..9d5f4f8 100644
--- a/libsoup/soup-websocket-connection.c
+++ b/libsoup/soup-websocket-connection.c
@@ -1140,9 +1140,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
}
pv->incoming->len = len + count;
- } while (count > 0);
- process_incoming (self);
+ process_incoming (self);
+ } while (count > 0 && !pv->close_sent && !pv->io_closing);
if (end) {
if (!pv->close_sent || !pv->close_received) {
--
2.25.1

42
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch Normal file
View File

@@ -0,0 +1,42 @@
From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
From: Ignacio Casal Quinteiro <qignacio@amazon.com>
Date: Wed, 2 Oct 2024 11:17:19 +0200
Subject: [PATCH] websocket-test: disconnect error copy after the test ends
Otherwise the server will have already sent a few more wrong
bytes and the client will continue getting errors to copy
but the error is already != NULL and it will assert
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c]
CVE: CVE-2024-52532
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
tests/websocket-test.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/websocket-test.c b/tests/websocket-test.c
index 06c443bb5..6a48c1f9b 100644
--- a/tests/websocket-test.c
+++ b/tests/websocket-test.c
@@ -1539,8 +1539,9 @@ test_receive_invalid_encode_length_64 (Test *test,
GError *error = NULL;
InvalidEncodeLengthTest context = { test, NULL };
guint i;
+ guint error_id;
- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
/* We use 127(\x7f) as payload length with 65535 extended length */
@@ -1553,6 +1554,7 @@ test_receive_invalid_encode_length_64 (Test *test,
WAIT_UNTIL (error != NULL || received != NULL);
g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
g_clear_error (&error);
+ g_signal_handler_disconnect (test->client, error_id);
g_assert_null (received);
g_thread_join (thread);
--
GitLab

46
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch Normal file
View File

@@ -0,0 +1,46 @@
From 4c9e75c6676a37b6485620c332e568e1a3f530ff Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Wed, 13 Nov 2024 14:14:23 +0000
Subject: [PATCH] websocket-test: Disconnect error signal in another place
This is the same change as commit 29b96fab "websocket-test: disconnect
error copy after the test ends", and is done for the same reason, but
replicating it into a different function.
Fixes: 6adc0e3e "websocket: process the frame as soon as we read data"
Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399
Signed-off-by: Simon McVittie <smcv@debian.org>
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff]
CVE: CVE-2024-52532
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
tests/websocket-test.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/websocket-test.c b/tests/websocket-test.c
index 6a48c1f9..723f2857 100644
--- a/tests/websocket-test.c
+++ b/tests/websocket-test.c
@@ -1508,8 +1508,9 @@ test_receive_invalid_encode_length_16 (Test *test,
GError *error = NULL;
InvalidEncodeLengthTest context = { test, NULL };
guint i;
+ guint error_id;
- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
/* We use 126(~) as payload length with 125 extended length */
@@ -1522,6 +1523,7 @@ test_receive_invalid_encode_length_16 (Test *test,
WAIT_UNTIL (error != NULL || received != NULL);
g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
g_clear_error (&error);
+ g_signal_handler_disconnect (test->client, error_id);
g_assert_null (received);
g_thread_join (thread);
--
GitLab

56
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch Normal file
View File

@@ -0,0 +1,56 @@
From 2eacbd762332795e00692ddab2515c6da23198d3 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Mon, 12 May 2025 14:06:41 +0800
Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
CVE: CVE-2025-2784
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304;
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d]
Test code is not added since it uses some functions not defined in
version 2.74. These tests are not used now, so just ignore them.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-content-sniffer.c | 9 +++----
1 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index 5f2896e..9554636 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -612,8 +612,10 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
}
static gboolean
-skip_insignificant_space (const char *resource, int *pos, int resource_length)
+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
{
+ if (*pos >= resource_length)
+ return TRUE;
while ((resource[*pos] == '\x09') ||
(resource[*pos] == '\x20') ||
(resource[*pos] == '\x0A') ||
@@ -632,7 +634,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
{
const char *resource = (const char *)buffer->data;
int resource_length = MIN (512, buffer->length);
- int pos = 0;
+ gsize pos = 0;
if (resource_length < 3)
goto text_html;
@@ -642,9 +644,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
pos = 3;
look_for_tag:
- if (pos > resource_length)
- goto text_html;
-
if (skip_insignificant_space (resource, &pos, resource_length))
goto text_html;
--
2.34.1

29
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch Normal file
View File

@@ -0,0 +1,29 @@
From 5709dfffb6fdc5b66ce001bf82a755ad8ad1d992 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Mon, 28 Oct 2024 12:29:48 -0500
Subject: [PATCH] Fix using int instead of size_t for strcspn return
CVE: CVE-2025-32050
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-headers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 9707ca0..67905b2 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -902,7 +902,7 @@ append_param_quoted (GString *string,
const char *name,
const char *value)
{
- int len;
+ gsize len;
g_string_append (string, name);
g_string_append (string, "=\"");
--
2.34.1

32
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch Normal file
View File

@@ -0,0 +1,32 @@
From f4a67a9a3033586edaee715d40d5992e02d32893 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sat, 16 Nov 2024 12:07:30 -0600
Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff
Co-Author: Ar Jun <pkillarjun@protonmail.com>
CVE: CVE-2025-32052
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652#500da7cfde649872c49169be34b03a1c42a53ddb]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-content-sniffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index 9554636..eac9e7b 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer,
guint index_pattern = 0;
gboolean skip_row = FALSE;
- while ((index_stream < resource_length) &&
+ while ((index_stream < resource_length - 1) &&
(index_pattern <= type_row->pattern_length)) {
/* Skip insignificant white space ("WS" in the spec) */
if (type_row->pattern[index_pattern] == ' ') {
--
2.34.1

39
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch Normal file
View File

@@ -0,0 +1,39 @@
From d9bcffd6cd5e8ec32889a594f7348d67a5101b3a Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Mon, 12 May 2025 13:58:42 +0800
Subject: [PATCH] Fix heap buffer overflow in
soup-content-sniffer.c:sniff_feed_or_html()
CVE: CVE-2025-32053
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-content-sniffer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index 967ec61..5f2896e 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -620,7 +620,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length)
(resource[*pos] == '\x0D')) {
*pos = *pos + 1;
- if (*pos > resource_length)
+ if (*pos >= resource_length)
return TRUE;
}
@@ -682,7 +682,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
do {
pos++;
- if (pos > resource_length)
+ if ((pos + 1) > resource_length)
goto text_html;
} while (resource[pos] != '>');
--
2.34.1

61
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch Normal file
View File

@@ -0,0 +1,61 @@
From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 11 Feb 2025 14:36:26 -0600
Subject: [PATCH] headers: Handle parsing edge case
This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931]
CVE: CVE-2025-32906 #Dependency Patch
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-headers.c | 2 +-
tests/header-parsing-test.c | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 85385cea..9d6d00a3 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str,
!g_ascii_isdigit (version[5]))
return SOUP_STATUS_BAD_REQUEST;
major_version = strtoul (version + 5, &p, 10);
- if (*p != '.' || !g_ascii_isdigit (p[1]))
+ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
return SOUP_STATUS_BAD_REQUEST;
minor_version = strtoul (p + 1, &p, 10);
version_end = p;
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 07ea2866..10ddb684 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -6,6 +6,10 @@ typedef struct {
const char *name, *value;
} Header;
+static char unterminated_http_version[] = {
+ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
+};
+
static struct RequestTest {
const char *description;
const char *bugref;
@@ -383,6 +387,14 @@ static struct RequestTest {
{ { NULL } }
},
+ /* This couldn't be a C string as going one byte over would have been safe. */
+ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+ unterminated_http_version, sizeof (unterminated_http_version),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
{ "Non-HTTP request", NULL,
"GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
SOUP_STATUS_BAD_REQUEST,
--
GitLab

83
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch Normal file
View File

@@ -0,0 +1,83 @@
From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 12 Feb 2025 11:30:02 -0600
Subject: [PATCH] headers: Handle parsing only newlines
Closes #404
Closes #407
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f]
CVE: CVE-2025-32906
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-headers.c | 4 ++--
tests/header-parsing-test.c | 13 ++++++++++++-
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 9d6d00a3..52ef2ece 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str,
/* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
* received where a Request-Line is expected."
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str,
* after a response, which we then see prepended to the next
* response on that connection.
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 10ddb684..4faafbd6 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -6,10 +6,15 @@ typedef struct {
const char *name, *value;
} Header;
+/* These are not C strings to ensure going one byte over is not safe. */
static char unterminated_http_version[] = {
'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
};
+static char only_newlines[] = {
+ '\n', '\n', '\n', '\n'
+};
+
static struct RequestTest {
const char *description;
const char *bugref;
@@ -387,7 +392,6 @@ static struct RequestTest {
{ { NULL } }
},
- /* This couldn't be a C string as going one byte over would have been safe. */
{ "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
unterminated_http_version, sizeof (unterminated_http_version),
SOUP_STATUS_BAD_REQUEST,
@@ -457,6 +461,13 @@ static struct RequestTest {
SOUP_STATUS_BAD_REQUEST,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ { "Only newlines", NULL,
+ only_newlines, sizeof (only_newlines),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
--
GitLab

39
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch Normal file
View File

@@ -0,0 +1,39 @@
From 8158b4084dcba2a233dfcb7359c53ab2840148f7 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 15 Apr 2025 12:17:39 +0200
Subject: [PATCH 1/2] soup-message-headers: Correct merge of ranges
It had been skipping every second range, which generated an array
of a lot of insane ranges, causing large memory usage by the server.
Closes #428
Part-of: <https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452>
CVE: CVE-2025-32907
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452/diffs?commit_id=9bb92f7a685e31e10e9e8221d0342280432ce836]
Test part not applied since test codes use some functions not in this
version
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-message-headers.c | 1 +
1 files changed, 1 insertions(+)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 78b2455..00b9763 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1024,6 +1024,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs,
if (cur->start <= prev->end) {
prev->end = MAX (prev->end, cur->end);
g_array_remove_index (array, i);
+ i--;
}
}
}
--
2.34.1

36
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch Normal file
View File

@@ -0,0 +1,36 @@
From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 8 Jan 2025 16:30:17 -0600
Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4
bytes
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92]
CVE: CVE-2025-32909
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-content-sniffer.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
index 967ec61..a1f23c2 100644
--- a/libsoup/soup-content-sniffer.c
+++ b/libsoup/soup-content-sniffer.c
@@ -227,9 +227,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, SoupBuffer *buffer)
{
const char *resource = (const char *)buffer->data;
guint resource_length = MIN (512, buffer->length);
- guint32 box_size = *((guint32*)resource);
+ guint32 box_size;
guint i;
+ if (resource_length < sizeof (guint32))
+ return FALSE;
+
+ box_size = *((guint32*)resource);
+
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
box_size = ((box_size >> 24) |
((box_size << 8) & 0x00FF0000) |
--
2.25.1

36
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch Normal file
View File

@@ -0,0 +1,36 @@
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sun, 8 Dec 2024 20:00:35 -0600
Subject: auth-digest: Handle missing realm in authenticate header
(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe)
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
CVE: CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Remove test code for fixing do_compile failure of libsoup-2.4, test codes include
new type added in 3.x version
../libsoup-2.74.3/tests/auth-test.c:1554:39: error: unknown type name 'SoupServerMessage'; did you mean 'SoupServerClass'?
1554 | SoupServerMessage *msg,
| ^~~~~~~~~~~~~~~~~
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-auth-digest.c | 3 +++
1 files changed, 3 insertions(+)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index e8ba990..263a15a 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
+ if (!soup_auth_get_realm (auth))
+ return FALSE;
+
g_free (priv->domain);
g_free (priv->nonce);
g_free (priv->opaque);

106
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch Normal file
View File

@@ -0,0 +1,106 @@
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:18:35 -0600
Subject: auth-digest: Handle missing nonce
(cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a)
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a]
CVE: CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Remove test code for fixing do_compile failure of libsoup-2.4, test codes include
new type added in 3.x version
../libsoup-2.74.3/tests/auth-test.c:1554:39: error: unknown type name 'SoupServerMessage'; did you mean 'SoupServerClass'?
1554 | SoupServerMessage *msg,
| ^~~~~~~~~~~~~~~~~
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++++++++----------
1 files changed, 35 insertions(+), 10 deletions(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 263a15a..393adb6 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
return g_string_free (out, FALSE);
}
+static gboolean
+validate_params (SoupAuthDigest *auth_digest)
+{
+ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
+
+ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
+ if (!priv->nonce)
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
static gboolean
soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
GHashTable *auth_params)
@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
if (priv->algorithm == -1)
ok = FALSE;
- stale = g_hash_table_lookup (auth_params, "stale");
- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
- recompute_hex_a1 (priv);
- else {
- g_free (priv->user);
- priv->user = NULL;
- g_free (priv->cnonce);
- priv->cnonce = NULL;
- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ if (!validate_params (auth_digest))
+ ok = FALSE;
+
+ if (ok) {
+ stale = g_hash_table_lookup (auth_params, "stale");
+ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+ recompute_hex_a1 (priv);
+ else {
+ g_free (priv->user);
+ priv->user = NULL;
+ g_free (priv->cnonce);
+ priv->cnonce = NULL;
+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ }
}
return ok;
@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,
/* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+ g_assert (nonce && cnonce);
+
checksum = g_checksum_new (G_CHECKSUM_MD5);
g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
g_checksum_update (checksum, (guchar *)":", 1);
@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method,
if (qop) {
char tmp[9];
+ g_assert (cnonce);
+
g_snprintf (tmp, 9, "%.8x", nc);
g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
g_checksum_update (checksum, (guchar *)":", 1);
@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
g_return_val_if_fail (uri != NULL, NULL);
url = soup_uri_to_string (uri, TRUE);
+ g_assert (priv->nonce);
+ g_assert (!priv->qop || priv->cnonce);
+
soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
priv->qop, priv->nonce,
priv->cnonce, priv->nc,

26
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch Normal file
View File

@@ -0,0 +1,26 @@
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 13:52:52 -0600
Subject: auth-digest: Fix leak
(cherry picked from commit ea16eeacb052e423eb5c3b0b705e5eab34b13832)
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-3.patch?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
CVE: CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-auth-digest.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 393adb6..a1db188 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
g_free (priv->nonce);
g_free (priv->domain);
g_free (priv->cnonce);
+ g_free (priv->opaque);
memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
memset (priv->hex_a1, 0, sizeof (priv->hex_a1));

72
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch Normal file
View File

@@ -0,0 +1,72 @@
From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 17:53:50 -0600
Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34]
CVE: CVE-2025-32911 CVE-2025-32913 #Dependency Patch
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-message-headers.c | 13 +++++++++----
tests/header-parsing-test.c | 14 ++++++++++++++
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 56cc1e9d..04f4c302 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
*/
if (params && g_hash_table_lookup_extended (*params, "filename",
&orig_key, &orig_value)) {
- char *filename = strrchr (orig_value, '/');
-
- if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ if (orig_value) {
+ char *filename = strrchr (orig_value, '/');
+
+ if (filename)
+ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ } else {
+ /* filename with no value isn't valid. */
+ g_hash_table_remove (*params, "filename");
+ }
}
return TRUE;
}
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 5e423d2b..d0b360c8 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -1039,6 +1039,7 @@ do_param_list_tests (void)
#define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
#define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\""
#define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar"
+#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename"
static void
do_content_disposition_tests (void)
@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void)
g_assert_cmpstr (parameter2, ==, "bar");
g_hash_table_destroy (params);
+ /* Empty filename */
+ soup_message_headers_clear (hdrs);
+ soup_message_headers_append (hdrs, "Content-Disposition",
+ RFC5987_TEST_HEADER_EMPTY_FILENAME);
+ if (!soup_message_headers_get_content_disposition (hdrs,
+ &disposition,
+ &params)) {
+ soup_test_assert (FALSE, "empty filename decoding FAILED");
+ return;
+ }
+ g_assert_false (g_hash_table_contains (params, "filename"));
+ g_hash_table_destroy (params);
+
soup_message_headers_free (hdrs);
/* Ensure that soup-multipart always quotes filename */
--
GitLab

44
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch Normal file
View File

@@ -0,0 +1,44 @@
From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 18:00:39 -0600
Subject: [PATCH] soup_message_headers_get_content_disposition: strdup
truncated filenames
This table frees the strings it contains.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0]
CVE: CVE-2025-32911 CVE-2025-32913
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-message-headers.c | 2 +-
tests/header-parsing-test.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 04f4c302..ee7a3cb1 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
char *filename = strrchr (orig_value, '/');
if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
} else {
/* filename with no value isn't valid. */
g_hash_table_remove (*params, "filename");
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index d0b360c8..07ea2866 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void)
soup_test_assert (FALSE, "empty filename decoding FAILED");
return;
}
+ g_free (disposition);
g_assert_false (g_hash_table_contains (params, "filename"));
g_hash_table_destroy (params);
--
GitLab

33
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch Normal file
View File

@@ -0,0 +1,33 @@
From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 14:03:05 -0600
Subject: [PATCH 1/2] auth-digest: Handle missing nonce
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992]
CVE: CVE-2025-32912
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
The test codes is based on CVE-2025-32910, test code in CVE-2025-32910
is removed for fixing do_compile failure. So also remove this test code
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-auth-digest.c | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index a1db188..f0edb81 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
- if (!soup_auth_get_realm (auth))
+ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
return FALSE;
g_free (priv->domain);
--
2.25.1

30
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch Normal file
View File

@@ -0,0 +1,30 @@
From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sat, 8 Feb 2025 12:30:13 -0600
Subject: [PATCH 2/2] digest-auth: Handle NULL nonce
`contains` only handles a missing nonce, `lookup` handles both missing and empty.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f]
CVE: CVE-2025-32912
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-auth-digest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index f0edb81..c49ffd9 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
- if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
+ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))
return FALSE;
g_free (priv->domain);
--
2.25.1

137
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch Normal file
View File

@@ -0,0 +1,137 @@
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 15 Apr 2025 09:03:00 +0200
Subject: multipart: Fix read out of buffer bounds under
soup_multipart_new_from_message()
This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
of the body argument.
Closes #436
(cherry picked from commit 5bfcf8157597f2d327050114fb37ff600004dbcf)
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32914.patch?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]
CVE: CVE-2025-32914
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-multipart.c | 2 +-
tests/multipart-test.c | 85 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 86 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index a7e550f..dd93973 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
return NULL;
}
- split = strstr (start, "\r\n\r\n");
+ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
if (!split || split > end) {
soup_multipart_free (multipart);
soup_buffer_free (flattened);
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index 64a5ebf..834b181 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
@@ -479,6 +479,89 @@ test_multipart (gconstpointer data)
g_main_loop_unref (loop);
}
+static void
+test_multipart_bounds_good (void)
+{
+ #define TEXT "line1\r\nline2"
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers, *set_headers = NULL;
+ //GBytes *bytes, *set_bytes = NULL;
+ GBytes *bytes;
+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
+ gboolean success;
+ SoupMessageBody *body = soup_message_body_new ();
+ SoupBuffer *set_buffer = NULL;
+ gconstpointer data;
+ gsize size;
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+ bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+ data = g_bytes_get_data(bytes, NULL);
+ size = g_bytes_get_size(bytes);
+
+ soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size);
+
+ //multipart = soup_multipart_new_from_message (headers, bytes);
+ multipart = soup_multipart_new_from_message (headers, body);
+
+ soup_message_body_free (body);
+
+ g_assert_nonnull (multipart);
+ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
+ success = soup_multipart_get_part (multipart, 0, &set_headers, &set_buffer);
+ g_assert_true (success);
+ g_assert_nonnull (set_headers);
+ //g_assert_nonnull (set_bytes);
+ g_assert_nonnull (set_buffer);
+ //g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes));
+ g_assert_cmpint (strlen (TEXT), ==, set_buffer->length);
+ g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
+ //g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes));
+ g_assert_cmpmem(TEXT, strlen(TEXT), set_buffer->data, set_buffer->length);
+
+ soup_message_headers_free (headers);
+ g_bytes_unref (bytes);
+
+ soup_multipart_free (multipart);
+
+ #undef TEXT
+}
+
+static void
+test_multipart_bounds_bad (void)
+{
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers;
+ GBytes *bytes;
+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
+ SoupMessageBody *body = soup_message_body_new ();
+ gconstpointer data;
+ gsize size;
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+ bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+ data = g_bytes_get_data(bytes, NULL);
+ size = g_bytes_get_size(bytes);
+
+ soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size);
+
+ /* it did read out of raw_data/bytes bounds */
+ //multipart = soup_multipart_new_from_message (headers, bytes);
+ multipart = soup_multipart_new_from_message (headers, body);
+ g_assert_null (multipart);
+
+ soup_message_body_free (body);
+
+ soup_message_headers_free (headers);
+ g_bytes_unref (bytes);
+}
+
int
main (int argc, char **argv)
{
@@ -508,6 +591,8 @@ main (int argc, char **argv)
g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
+ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
ret = g_test_run ();

38
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch Normal file
View File

@@ -0,0 +1,38 @@
From 52a0f9234d384b9dab368835b22e5a5a01542168 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Fri, 16 May 2025 14:16:10 +0800
Subject: [PATCH] auth-digest: fix crash in
soup_auth_digest_get_protection_space()
We need to validate the Domain parameter in the WWW-Authenticate header.
Unfortunately this crash only occurs when listening on default ports 80
and 443, so there's no good way to test for this. The test would require
running as root.
Fixes #440
CVE: CVE-2025-4476
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c?merge_request_iid=457]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-auth-digest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index f1621ec..a2dc560 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -229,7 +229,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, SoupURI *source_uri)
uri = soup_uri_new (d);
if (uri && uri->scheme == source_uri->scheme &&
uri->port == source_uri->port &&
- !strcmp (uri->host, source_uri->host))
+ !g_strcmp0 (uri->host, source_uri->host))
dir = g_strdup (uri->path);
else
dir = NULL;
--
2.34.1

60
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch Normal file
View File

@@ -0,0 +1,60 @@
From c9083869ec2a3037e6df4bd86b45c419ba295f8e Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:31:42 -0600
Subject: [PATCH] soup_header_parse_quality_list: Fix leak
When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/c9083869ec2a3037e6df4bd86b45c419ba295f8e]
CVE: CVE-2025-46420
Signed-off-by: Ashish Sharma <asharma@mvista.com>
libsoup/soup-headers.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index a5f7a7f6..85385cea 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -530,7 +530,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
GSList *unsorted;
QualityItem *array;
GSList *sorted, *iter;
- char *item, *semi;
+ char *semi;
const char *param, *equal, *value;
double qval;
int n;
@@ -543,9 +543,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
unsorted = soup_header_parse_list (header);
array = g_new0 (QualityItem, g_slist_length (unsorted));
for (iter = unsorted, n = 0; iter; iter = iter->next) {
- item = iter->data;
qval = 1.0;
- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) {
+ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) {
param = skip_lws (semi + 1);
if (*param != 'q')
continue;
@@ -577,15 +576,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
if (qval == 0.0) {
if (unacceptable) {
*unacceptable = g_slist_prepend (*unacceptable,
- item);
+ g_steal_pointer (&iter->data));
}
} else {
- array[n].item = item;
+ array[n].item = g_steal_pointer (&iter->data);
array[n].qval = qval;
n++;
}
}
- g_slist_free (unsorted);
+ g_slist_free_full (unsorted, g_free);
qsort (array, n, sizeof (QualityItem), sort_by_qval);
sorted = NULL;
--
GitLab

47
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch Normal file
View File

@@ -0,0 +1,47 @@
From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 16:18:10 -0600
Subject: [PATCH] session: Strip authentication credentails on
cross-origin redirect
This should match the behavior of Firefox and Safari but not of Chromium.
CVE: CVE-2025-46421
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]
Test code not added since it included some headers not in version 2.74.3
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-session.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index 83421ef..8d6ac61 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
SOUP_ENCODING_NONE);
}
+ /* Strip all credentials on cross-origin redirect. */
+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+ soup_message_headers_remove (msg->request_headers, "Authorization");
+ soup_message_set_auth (msg, NULL);
+ }
+
soup_message_set_uri (msg, new_uri);
soup_uri_free (new_uri);
soup_session_requeue_message (session, msg);
return TRUE;
-}
+}
static void
redirect_handler (SoupMessage *msg, gpointer user_data)
--
2.34.1

117
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch Normal file
View File

@@ -0,0 +1,117 @@
From 3844026f74a41dd9ccab955899e005995293d246 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Tue, 8 Jul 2025 14:58:30 +0800
Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing
Reject date/time when it does not represent a valid value.
Closes #448
CVE: CVE-2025-4945
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-date.c | 21 +++++++++++++++------
tests/cookies-test.c | 10 ++++++++++
2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/libsoup/soup-date.c b/libsoup/soup-date.c
index 9602d1f..4c114c1 100644
--- a/libsoup/soup-date.c
+++ b/libsoup/soup-date.c
@@ -284,7 +284,7 @@ parse_day (SoupDate *date, const char **date_string)
while (*end == ' ' || *end == '-')
end++;
*date_string = end;
- return TRUE;
+ return date->day >= 1 && date->day <= 31;
}
static inline gboolean
@@ -324,7 +324,7 @@ parse_year (SoupDate *date, const char **date_string)
while (*end == ' ' || *end == '-')
end++;
*date_string = end;
- return TRUE;
+ return date->year > 0 && date->year < 9999;
}
static inline gboolean
@@ -348,7 +348,7 @@ parse_time (SoupDate *date, const char **date_string)
while (*p == ' ')
p++;
*date_string = p;
- return TRUE;
+ return date->hour >= 0 && date->hour < 24 && date->minute >= 0 && date->minute < 60 && date->second >= 0 && date->second < 60;
}
static inline gboolean
@@ -361,8 +361,15 @@ parse_timezone (SoupDate *date, const char **date_string)
gulong val;
int sign = (**date_string == '+') ? -1 : 1;
val = strtoul (*date_string + 1, (char **)date_string, 10);
+ if (val > 9999)
+ return FALSE;
if (**date_string == ':')
- val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
+ {
+ gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
+ if (val > 99 || val2 > 99)
+ return FALSE;
+ val = 60 * val + val2;
+ }
else
val = 60 * (val / 100) + (val % 100);
date->offset = sign * val;
@@ -407,7 +414,8 @@ parse_textual_date (SoupDate *date, const char *date_string)
if (!parse_month (date, &date_string) ||
!parse_day (date, &date_string) ||
!parse_time (date, &date_string) ||
- !parse_year (date, &date_string))
+ !parse_year (date, &date_string) ||
+ !g_date_valid_dmy(date->day, date->month, date->year))
return FALSE;
/* There shouldn't be a timezone, but check anyway */
@@ -419,7 +427,8 @@ parse_textual_date (SoupDate *date, const char *date_string)
if (!parse_day (date, &date_string) ||
!parse_month (date, &date_string) ||
!parse_year (date, &date_string) ||
- !parse_time (date, &date_string))
+ !parse_time (date, &date_string) ||
+ !g_date_valid_dmy(date->day, date->month, date->year))
return FALSE;
/* This time there *should* be a timezone, but we
diff --git a/tests/cookies-test.c b/tests/cookies-test.c
index 2e2a54f..6035a86 100644
--- a/tests/cookies-test.c
+++ b/tests/cookies-test.c
@@ -413,6 +413,15 @@ do_remove_feature_test (void)
soup_uri_free (uri);
}
+static void
+do_cookies_parsing_int32_overflow (void)
+{
+ SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9 999:9:9+ 999999999-age=main=gne=", NULL);
+ g_assert_nonnull (cookie);
+ g_assert_null (soup_cookie_get_expires (cookie));
+ soup_cookie_free (cookie);
+}
+
int
main (int argc, char **argv)
{
@@ -434,6 +443,7 @@ main (int argc, char **argv)
g_test_add_func ("/cookies/accept-policy-subdomains", do_cookies_subdomain_policy_test);
g_test_add_func ("/cookies/parsing", do_cookies_parsing_test);
g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
+ g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
g_test_add_func ("/cookies/get-cookies/empty-host", do_get_cookies_empty_host_test);
g_test_add_func ("/cookies/remove-feature", do_remove_feature_test);
g_test_add_func ("/cookies/secure-cookies", do_cookies_strict_secure_test);
--
2.34.1

38
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch Normal file
View File

@@ -0,0 +1,38 @@
From dfdc9b3cc73e6fe88cc12792ba00e14642572339 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Thu, 15 May 2025 17:49:11 +0200
Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body
It could happen that the boundary started at a place which resulted into
a negative number, which in an unsigned integer is a very large value.
Check the body size is not a negative value before setting it.
Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
Part-of: <https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463>
CVE: CVE-2025-4948
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/diffs?commit_id=f2f28afe0b3b2b3009ab67d6874457ec6bac70c0]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-multipart.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index dd93973..ce2fc10 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
*/
part_body = soup_buffer_new_subbuffer (flattened,
split - flattened->data,
- end - 2 - split);
+ end - 2 >= split ? end - 2 - split : 0);
g_ptr_array_add (multipart->bodies, part_body);
start = end;
--
2.34.1

46
sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch Normal file
View File

@@ -0,0 +1,46 @@
From 07b94e27afafebf31ef3cd868866a1e383750086 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Mon, 19 May 2025 17:48:27 +0200
Subject: [PATCH] soup-multipart: Verify array bounds before accessing its
members
The boundary could be at a place which, calculated, pointed
before the beginning of the array. Check the bounds, to avoid
read out of the array bounds.
Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086]
CVE: CVE-2025-4969
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Refresh the patch, remove the test part, following commit in libsoup3 has a
type refactor, which make the test is not suitable for libsoup2
[0d7e672e forms: Use GBytes instead of SoupMessageBody]
The test part will cause libsoup-2.3-native build failed on fedora40/41:
../libsoup-2.74.3/tests/multipart-test.c:578:63: error: passing argument 2 of soup_multipart_new_from_message from incompatible pointer type [-Wincompatible-pointer-types]
578 | multipart = soup_multipart_new_from_message (headers, bytes);
| ^~~~~
| |
| GBytes * {aka struct _GBytes *}
---
libsoup/soup-multipart.c | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index dd93973..b3611db 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -108,7 +108,7 @@ find_boundary (const char *start, const char *end,
continue;
/* Check that it's at start of line */
- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r')))
+ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r')))
continue;
/* Check for "--" or "\r\n" after boundary */
--
2.49.0