openclaw/tqma6-yocto-mirror
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Complete Yocto mirror with license table for TQMa6UL (2038-compliance)

Browse Source 
- 264 license table entries with exact download URLs (224/264 resolved)
- Complete sources/ directory with all BitBake recipes
- Build configuration: tqma6ul-multi-mba6ulx, spaetzle (musl)
- Full traceability for Softwarefreigabeantrag
- GCC 13.4.0, Linux 6.6.102, U-Boot 2023.04, musl 1.2.4
- License distribution: GPL-2.0 (24), MIT (23), GPL-2.0+ (18), BSD-3 (16)
This commit is contained in:
Siggi (OpenClaw Agent)
2026-03-01 20:58:18 +00:00
commit 16accb6b24
15086 changed files with 1292356 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

150
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52530.patch Normal file
View File

@@ -0,0 +1,150 @@
From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Mon, 8 Jul 2024 12:33:15 -0500
Subject: [PATCH] headers: Strictly don't allow NUL bytes
In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
CVE: CVE-2024-52530
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-headers.c | 15 +++------
tests/header-parsing-test.c | 62 +++++++++++++++++--------------------
2 files changed, 32 insertions(+), 45 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index a0cf351ac..f30ee467a 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
* ignorable trailing whitespace.
*/
+ /* No '\0's are allowed */
+ if (memchr (str, '\0', len))
+ return FALSE;
+
/* Skip over the Request-Line / Status-Line */
headers_start = memchr (str, '\n', len);
if (!headers_start)
return FALSE;
- /* No '\0's in the Request-Line / Status-Line */
- if (memchr (str, '\0', headers_start - str))
- return FALSE;
/* We work on a copy of the headers, which we can write '\0's
* into, so that we don't have to individually g_strndup and
@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
headers_copy[copy_len] = '\0';
value_end = headers_copy;
- /* There shouldn't be any '\0's in the headers already, but
- * this is the web we're talking about.
- */
- while ((p = memchr (headers_copy, '\0', copy_len))) {
- memmove (p, p + 1, copy_len - (p - headers_copy));
- copy_len--;
- }
-
while (*(value_end + 1)) {
name = value_end + 1;
name_end = strchr (name, ':');
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index edf8eebb3..715c2c6f2 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -358,24 +358,6 @@ static struct RequestTest {
}
},
- { "NUL in header name", "760832",
- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "example.com" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
- SOUP_STATUS_OK,
- "GET", "/", SOUP_HTTP_1_1,
- { { "Host", "examplecom" },
- { NULL }
- }
- },
-
/************************/
/*** INVALID REQUESTS ***/
/************************/
@@ -448,6 +430,21 @@ static struct RequestTest {
SOUP_STATUS_EXPECTATION_FAILED,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+ { "NUL in header name", NULL,
+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
+ { "NUL in header value", NULL,
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
@@ -620,22 +617,6 @@ static struct ResponseTest {
{ NULL } }
},
- { "NUL in header name", "760832",
- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
- { "NUL in header value", "760832",
- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
- { { "Foo", "bar" },
- { NULL }
- }
- },
-
/********************************/
/*** VALID CONTINUE RESPONSES ***/
/********************************/
@@ -768,6 +749,19 @@ static struct ResponseTest {
{ { NULL }
}
},
+
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+ { "NUL in header name", NULL,
+ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
+
+ { "NUL in header value", "760832",
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ -1, 0, NULL,
+ { { NULL } }
+ },
};
static const int num_resptests = G_N_ELEMENTS (resptests);
--
GitLab

116
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-1.patch Normal file
View File

@@ -0,0 +1,116 @@
From 4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 27 Aug 2024 12:18:58 -0500
Subject: [PATCH] fuzzing: Cover soup_header_parse_param_list
CVE: CVE-2024-52531
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=4ec9e3d286b6d3e982cb0fc3564dee0bf8d87ede]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
fuzzing/fuzz.h | 9 +++++++--
fuzzing/fuzz_header_parsing.c | 19 +++++++++++++++++++
fuzzing/fuzz_header_parsing.dict | 8 ++++++++
fuzzing/meson.build | 2 ++
4 files changed, 36 insertions(+), 2 deletions(-)
create mode 100644 fuzzing/fuzz_header_parsing.c
create mode 100644 fuzzing/fuzz_header_parsing.dict
diff --git a/fuzzing/fuzz.h b/fuzzing/fuzz.h
index 0d380285..f3bd28ee 100644
--- a/fuzzing/fuzz.h
+++ b/fuzzing/fuzz.h
@@ -1,13 +1,14 @@
#include "libsoup/soup.h"
int LLVMFuzzerTestOneInput (const unsigned char *data, size_t size);
+static int set_logger = 0;
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
static GLogWriterOutput
empty_logging_func (GLogLevelFlags log_level, const GLogField *fields,
gsize n_fields, gpointer user_data)
{
- return G_LOG_WRITER_HANDLED;
+ return G_LOG_WRITER_HANDLED;
}
#endif
@@ -16,6 +17,10 @@ static void
fuzz_set_logging_func (void)
{
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
- g_log_set_writer_func (empty_logging_func, NULL, NULL);
+ if (!set_logger)
+ {
+ set_logger = 1;
+ g_log_set_writer_func (empty_logging_func, NULL, NULL);
+ }
#endif
}
diff --git a/fuzzing/fuzz_header_parsing.c b/fuzzing/fuzz_header_parsing.c
new file mode 100644
index 00000000..a8e5c1f9
--- /dev/null
+++ b/fuzzing/fuzz_header_parsing.c
@@ -0,0 +1,19 @@
+#include "fuzz.h"
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+ GHashTable *elements;
+
+ // We only accept NUL terminated strings
+ if (!size || data[size - 1] != '\0')
+ return 0;
+
+ fuzz_set_logging_func ();
+
+ elements = soup_header_parse_param_list((char*)data);
+
+ g_hash_table_unref(elements);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/fuzzing/fuzz_header_parsing.dict b/fuzzing/fuzz_header_parsing.dict
new file mode 100644
index 00000000..1562ca3a
--- /dev/null
+++ b/fuzzing/fuzz_header_parsing.dict
@@ -0,0 +1,8 @@
+"*=UTF-8''"
+"*=iso-8859-1''"
+"'"
+"''"
+"="
+"*="
+"""
+";"
\ No newline at end of file
diff --git a/fuzzing/meson.build b/fuzzing/meson.build
index b14cbb50..5dd0f417 100644
--- a/fuzzing/meson.build
+++ b/fuzzing/meson.build
@@ -5,6 +5,7 @@ fuzz_targets = [
'fuzz_cookie_parse',
'fuzz_content_sniffer',
'fuzz_date_time',
+ 'fuzz_header_parsing',
]
fuzzing_args = '-fsanitize=fuzzer,address,undefined'
@@ -34,6 +35,7 @@ if have_fuzzing and (fuzzing_feature.enabled() or fuzzing_feature.auto())
'-runs=200000',
'-artifact_prefix=meson-logs/' + target + '-',
'-print_final_stats=1',
+ '-max_len=4096',
] + extra_args,
env: [
'ASAN_OPTIONS=fast_unwind_on_malloc=0',
--
2.25.1

40
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-2.patch Normal file
View File

@@ -0,0 +1,40 @@
From 825fda3425546847b42ad5270544e9388ff349fe Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 27 Aug 2024 13:52:08 -0500
Subject: [PATCH] tests: Add test for passing invalid UTF-8 to
soup_header_parse_semi_param_list()
CVE: CVE-2024-52531
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=825fda3425546847b42ad5270544e9388ff349fe]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
tests/header-parsing-test.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 715c2c6f..5e423d2b 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -825,6 +825,17 @@ static struct ParamListTest {
{ "filename", "t\xC3\xA9st.txt" },
},
},
+
+ /* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */
+ { TRUE,
+ "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
+ {
+ { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+ { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
+ { "foo", NULL },
+
+ },
+ }
};
static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
--
2.25.1

136
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52531-3.patch Normal file
View File

@@ -0,0 +1,136 @@
From a35222dd0bfab2ac97c10e86b95f762456628283 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 27 Aug 2024 13:53:26 -0500
Subject: [PATCH] headers: Be more robust against invalid input when parsing
params
If you pass invalid input to a function such as soup_header_parse_param_list_strict()
it can cause an overflow if it decodes the input to UTF-8.
This should never happen with valid UTF-8 input which libsoup's client API
ensures, however it's server API does not currently.
CVE: CVE-2024-52531
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-headers.c | 46 ++++++++++++++++++++++--------------------
1 file changed, 24 insertions(+), 22 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index f30ee467..613e1905 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -646,8 +646,9 @@ soup_header_contains (const char *header, const char *token)
}
static void
-decode_quoted_string (char *quoted_string)
+decode_quoted_string_inplace (GString *quoted_gstring)
{
+ char *quoted_string = quoted_gstring->str;
char *src, *dst;
src = quoted_string + 1;
@@ -661,10 +662,11 @@ decode_quoted_string (char *quoted_string)
}
static gboolean
-decode_rfc5987 (char *encoded_string)
+decode_rfc5987_inplace (GString *encoded_gstring)
{
char *q, *decoded;
gboolean iso_8859_1 = FALSE;
+ const char *encoded_string = encoded_gstring->str;
q = strchr (encoded_string, '\'');
if (!q)
@@ -696,14 +698,7 @@ decode_rfc5987 (char *encoded_string)
decoded = utf8;
}
- /* If encoded_string was UTF-8, then each 3-character %-escape
- * will be converted to a single byte, and so decoded is
- * shorter than encoded_string. If encoded_string was
- * iso-8859-1, then each 3-character %-escape will be
- * converted into at most 2 bytes in UTF-8, and so it's still
- * shorter.
- */
- strcpy (encoded_string, decoded);
+ g_string_assign (encoded_gstring, decoded);
g_free (decoded);
return TRUE;
}
@@ -713,15 +708,17 @@ parse_param_list (const char *header, char delim, gboolean strict)
{
GHashTable *params;
GSList *list, *iter;
- char *item, *eq, *name_end, *value;
- gboolean override, duplicated;
params = g_hash_table_new_full (soup_str_case_hash,
soup_str_case_equal,
- g_free, NULL);
+ g_free, g_free);
list = parse_list (header, delim);
for (iter = list; iter; iter = iter->next) {
+ char *item, *eq, *name_end;
+ gboolean override, duplicated;
+ GString *parsed_value = NULL;
+
item = iter->data;
override = FALSE;
@@ -736,19 +733,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
*name_end = '\0';
- value = (char *)skip_lws (eq + 1);
+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
if (name_end[-1] == '*' && name_end > item + 1) {
name_end[-1] = '\0';
- if (!decode_rfc5987 (value)) {
+ if (!decode_rfc5987_inplace (parsed_value)) {
+ g_string_free (parsed_value, TRUE);
g_free (item);
continue;
}
override = TRUE;
- } else if (*value == '"')
- decode_quoted_string (value);
- } else
- value = NULL;
+ } else if (parsed_value->str[0] == '"')
+ decode_quoted_string_inplace (parsed_value);
+ }
duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
@@ -756,11 +753,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
soup_header_free_param_list (params);
params = NULL;
g_slist_foreach (iter, (GFunc)g_free, NULL);
+ if (parsed_value)
+ g_string_free (parsed_value, TRUE);
break;
- } else if (override || !duplicated)
- g_hash_table_replace (params, item, value);
- else
+ } else if (override || !duplicated) {
+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
+ } else {
+ if (parsed_value)
+ g_string_free (parsed_value, TRUE);
g_free (item);
+ }
}
g_slist_free (list);
--
2.25.1

42
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52532-0001.patch Normal file
View File

@@ -0,0 +1,42 @@
From 29b96fab2512666d7241e46c98cc45b60b795c0c Mon Sep 17 00:00:00 2001
From: Ignacio Casal Quinteiro <qignacio@amazon.com>
Date: Wed, 2 Oct 2024 11:17:19 +0200
Subject: [PATCH] websocket-test: disconnect error copy after the test ends
Otherwise the server will have already sent a few more wrong
bytes and the client will continue getting errors to copy
but the error is already != NULL and it will assert.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c]
CVE: CVE-2024-52532
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
tests/websocket-test.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/websocket-test.c b/tests/websocket-test.c
index b954b01..9b37780 100644
--- a/tests/websocket-test.c
+++ b/tests/websocket-test.c
@@ -1489,8 +1489,9 @@ test_receive_invalid_encode_length_64 (Test *test,
GError *error = NULL;
InvalidEncodeLengthTest context = { test, NULL };
guint i;
+ guint error_id;
- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
/* We use 127(\x7f) as payload length with 65535 extended length */
@@ -1503,6 +1504,7 @@ test_receive_invalid_encode_length_64 (Test *test,
WAIT_UNTIL (error != NULL || received != NULL);
g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
g_clear_error (&error);
+ g_signal_handler_disconnect (test->client, error_id);
g_assert_null (received);
g_thread_join (thread);
--
2.25.1

36
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2024-52532-0002.patch Normal file
View File

@@ -0,0 +1,36 @@
From 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be Mon Sep 17 00:00:00 2001
From: Ignacio Casal Quinteiro <qignacio@amazon.com>
Date: Wed, 11 Sep 2024 11:52:11 +0200
Subject: [PATCH] websocket: process the frame as soon as we read data
Otherwise we can enter in a read loop because we were not
validating the data until the all the data was read.
Fixes #391
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be]
CVE: CVE-2024-52532
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
libsoup/websocket/soup-websocket-connection.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
index 2f7d920..df8f67d 100644
--- a/libsoup/websocket/soup-websocket-connection.c
+++ b/libsoup/websocket/soup-websocket-connection.c
@@ -1165,9 +1165,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self)
}
priv->incoming->len = len + count;
- } while (count > 0);
- process_incoming (self);
+ process_incoming (self);
+ } while (count > 0 && !priv->close_sent && !priv->io_closing);
if (end) {
if (!priv->close_sent || !priv->close_received) {
--
2.25.1

137
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-2784.patch Normal file
View File

@@ -0,0 +1,137 @@
From dd10ae267e33bcc35646610d7cc1841da77d05e7 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 14:39:42 -0600
Subject: [PATCH] Fix CVE-2025-2784
CVE: CVE-2025-2784
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
.../content-sniffer/soup-content-sniffer.c | 10 ++--
tests/meson.build | 4 +-
tests/sniffing-test.c | 48 +++++++++++++++++++
3 files changed, 56 insertions(+), 6 deletions(-)
diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
index aeee2e2..a5e18d5 100644
--- a/libsoup/content-sniffer/soup-content-sniffer.c
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
@@ -638,8 +638,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, GBytes *buffer)
}
static gboolean
-skip_insignificant_space (const char *resource, int *pos, int resource_length)
+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
{
+ if (*pos >= resource_length)
+ return TRUE;
+
while ((resource[*pos] == '\x09') ||
(resource[*pos] == '\x20') ||
(resource[*pos] == '\x0A') ||
@@ -659,7 +662,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
gsize resource_length;
const char *resource = g_bytes_get_data (buffer, &resource_length);
resource_length = MIN (512, resource_length);
- int pos = 0;
+ gsize pos = 0;
if (resource_length < 3)
goto text_html;
@@ -669,9 +672,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
pos = 3;
look_for_tag:
- if (pos > resource_length)
- goto text_html;
-
if (skip_insignificant_space (resource, &pos, resource_length))
goto text_html;
diff --git a/tests/meson.build b/tests/meson.build
index 7ef7ac5..95b13b8 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -95,7 +95,9 @@ tests = [
{'name': 'server-auth'},
{'name': 'server-mem-limit'},
{'name': 'server'},
- {'name': 'sniffing'},
+ {'name': 'sniffing',
+ 'depends': [test_resources],
+ },
{'name': 'ssl',
'dependencies': [gnutls_dep],
'depends': mock_pkcs11_module,
diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
index 6116719..7857732 100644
--- a/tests/sniffing-test.c
+++ b/tests/sniffing-test.c
@@ -342,6 +342,52 @@ test_disabled (gconstpointer data)
g_uri_unref (uri);
}
+static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->");
+
+static void
+do_skip_whitespace_test (void)
+{
+ SoupContentSniffer *sniffer = soup_content_sniffer_new ();
+ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org");
+ const char *test_cases[] = {
+ "",
+ "<rdf:RDF",
+ "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"",
+ "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"",
+ };
+
+ soup_message_headers_set_content_type (soup_message_get_response_headers (msg), "text/html", NULL);
+
+ for (guint i = 0; i < G_N_ELEMENTS (test_cases); i++) {
+ const char *trailing_data = test_cases[i];
+ gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data);
+ gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data);
+ guint8 *data = g_malloc0 (testsize);
+ guint8 *p = data;
+ char *content_type;
+ GBytes *buffer;
+
+ // Format of <!--[0x00 * $leading_zeros]-->$trailing_data
+ memcpy (p, "<!--", strlen ("<!--"));
+ p += strlen ("<!--");
+ p += leading_zeros;
+ memcpy (p, "-->", strlen ("-->"));
+ p += strlen ("-->");
+ if (strlen (trailing_data))
+ memcpy (p, trailing_data, strlen (trailing_data));
+ // Purposefully not NUL terminated.
+
+ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize);
+ content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL);
+
+ g_free (content_type);
+ g_bytes_unref (buffer);
+ }
+
+ g_object_unref (msg);
+ g_object_unref (sniffer);
+}
+
int
main (int argc, char **argv)
{
@@ -517,6 +563,8 @@ main (int argc, char **argv)
"/text_or_binary/home.gif",
test_disabled);
+ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test);
+
ret = g_test_run ();
g_uri_unref (base_uri);
--
2.34.1

29
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32050.patch Normal file
View File

@@ -0,0 +1,29 @@
From 30c86c9a284cf6f366ac87df0bca3e18a5de8671 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Mon, 28 Oct 2024 12:29:48 -0500
Subject: [PATCH] Fix using int instead of size_t for strcspn return
CVE: CVE-2025-32050
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-headers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 5fb32c2..52ef2ec 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -906,7 +906,7 @@ append_param_quoted (GString *string,
const char *name,
const char *value)
{
- int len;
+ gsize len;
g_string_append (string, name);
g_string_append (string, "=\"");
--
2.34.1

29
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-1.patch Normal file
View File

@@ -0,0 +1,29 @@
From dc5db30989f385303c79ec3188c52e33f6f5886e Mon Sep 17 00:00:00 2001
From: Ar Jun <pkillarjun@protonmail.com>
Date: Sat, 16 Nov 2024 11:50:09 -0600
Subject: [PATCH 1/2] Fix possible NULL deref in soup_uri_decode_data_uri
CVE: CVE-2025-32051
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/0713ba4a719da938dc8facc89fca99cd0aa3069f]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-uri-utils.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
index be2b79b..0251279 100644
--- a/libsoup/soup-uri-utils.c
+++ b/libsoup/soup-uri-utils.c
@@ -303,6 +303,8 @@ soup_uri_decode_data_uri (const char *uri,
uri_string = g_uri_to_string (soup_uri);
g_uri_unref (soup_uri);
+ if (!uri_string)
+ return NULL;
start = uri_string + 5;
comma = strchr (start, ',');
--
2.34.1

57
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32051-2.patch Normal file
View File

@@ -0,0 +1,57 @@
From 7d1557a60145927806c88d321e8322a9d9f49bb2 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 22 Nov 2024 13:39:51 -0600
Subject: [PATCH 2/2] soup_uri_decode_data_uri(): Handle URIs with a path
starting with //
CVE: CVE-2025-32051
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/79cfd65c9bd8024cd45dd725c284766329873709]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-uri-utils.c | 8 ++++++++
tests/uri-parsing-test.c | 2 ++
2 files changed, 10 insertions(+)
diff --git a/libsoup/soup-uri-utils.c b/libsoup/soup-uri-utils.c
index 0251279..1ff11cd 100644
--- a/libsoup/soup-uri-utils.c
+++ b/libsoup/soup-uri-utils.c
@@ -286,6 +286,7 @@ soup_uri_decode_data_uri (const char *uri,
gboolean base64 = FALSE;
char *uri_string;
GBytes *bytes;
+ const char *path;
g_return_val_if_fail (uri != NULL, NULL);
@@ -301,6 +302,13 @@ soup_uri_decode_data_uri (const char *uri,
if (content_type)
*content_type = NULL;
+ /* g_uri_to_string() is picky about paths that start with `//` and will assert. */
+ path = g_uri_get_path (soup_uri);
+ if (path[0] == '/' && path[1] == '/') {
+ g_uri_unref (soup_uri);
+ return NULL;
+ }
+
uri_string = g_uri_to_string (soup_uri);
g_uri_unref (soup_uri);
if (!uri_string)
diff --git a/tests/uri-parsing-test.c b/tests/uri-parsing-test.c
index 1f16273..418391e 100644
--- a/tests/uri-parsing-test.c
+++ b/tests/uri-parsing-test.c
@@ -141,6 +141,8 @@ static struct {
{ "data:text/plain;base64,aGVsbG8=", "hello", "text/plain" },
{ "data:text/plain;base64,invalid=", "", "text/plain" },
{ "data:,", "", CONTENT_TYPE_DEFAULT },
+ { "data:.///", NULL, NULL },
+ { "data:/.//", NULL, NULL },
};
static void
--
2.34.1

31
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32052.patch Normal file
View File

@@ -0,0 +1,31 @@
From 779bcb279b1dc4eb8bcb22c5e727b1174630c3fc Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sat, 16 Nov 2024 12:07:30 -0600
Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff
Co-Author: Ar Jun <pkillarjun@protonmail.com>
CVE: CVE-2025-32052
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/content-sniffer/soup-content-sniffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
index 23d5aaa..aeee2e2 100644
--- a/libsoup/content-sniffer/soup-content-sniffer.c
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
@@ -529,7 +529,7 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer,
guint index_pattern = 0;
gboolean skip_row = FALSE;
- while ((index_stream < resource_length) &&
+ while ((index_stream < resource_length - 1) &&
(index_pattern <= type_row->pattern_length)) {
/* Skip insignificant white space ("WS" in the spec) */
if (type_row->pattern[index_pattern] == ' ') {
--
2.34.1

40
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32053.patch Normal file
View File

@@ -0,0 +1,40 @@
From 819dbc0fcf174b8182cdb279f7be15ea1cde649f Mon Sep 17 00:00:00 2001
From: Ar Jun <pkillarjun@protonmail.com>
Date: Mon, 18 Nov 2024 14:59:51 -0600
Subject: [PATCH] Fix heap buffer overflow in
soup-content-sniffer.c:sniff_feed_or_html()
CVE: CVE-2025-32053
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/content-sniffer/soup-content-sniffer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
index 2351c3f..23d5aaa 100644
--- a/libsoup/content-sniffer/soup-content-sniffer.c
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
@@ -646,7 +646,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length)
(resource[*pos] == '\x0D')) {
*pos = *pos + 1;
- if (*pos > resource_length)
+ if (*pos >= resource_length)
return TRUE;
}
@@ -709,7 +709,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
do {
pos++;
- if (pos > resource_length)
+ if ((pos + 1) > resource_length)
goto text_html;
} while (resource[pos] != '>');
--
2.34.1

61
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-1.patch Normal file
View File

@@ -0,0 +1,61 @@
From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 11 Feb 2025 14:36:26 -0600
Subject: [PATCH] headers: Handle parsing edge case
This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931]
CVE: CVE-2025-32906 #Dependency Patch
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-headers.c | 2 +-
tests/header-parsing-test.c | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 85385cea..9d6d00a3 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str,
!g_ascii_isdigit (version[5]))
return SOUP_STATUS_BAD_REQUEST;
major_version = strtoul (version + 5, &p, 10);
- if (*p != '.' || !g_ascii_isdigit (p[1]))
+ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
return SOUP_STATUS_BAD_REQUEST;
minor_version = strtoul (p + 1, &p, 10);
version_end = p;
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 07ea2866..10ddb684 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -6,6 +6,10 @@ typedef struct {
const char *name, *value;
} Header;
+static char unterminated_http_version[] = {
+ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
+};
+
static struct RequestTest {
const char *description;
const char *bugref;
@@ -383,6 +387,14 @@ static struct RequestTest {
{ { NULL } }
},
+ /* This couldn't be a C string as going one byte over would have been safe. */
+ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+ unterminated_http_version, sizeof (unterminated_http_version),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
{ "Non-HTTP request", NULL,
"GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
SOUP_STATUS_BAD_REQUEST,
--
GitLab

83
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32906-2.patch Normal file
View File

@@ -0,0 +1,83 @@
From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 12 Feb 2025 11:30:02 -0600
Subject: [PATCH] headers: Handle parsing only newlines
Closes #404
Closes #407
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f]
CVE: CVE-2025-32906
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-headers.c | 4 ++--
tests/header-parsing-test.c | 13 ++++++++++++-
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 9d6d00a3..52ef2ece 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str,
/* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
* received where a Request-Line is expected."
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str,
* after a response, which we then see prepended to the next
* response on that connection.
*/
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
str++;
len--;
}
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 10ddb684..4faafbd6 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -6,10 +6,15 @@ typedef struct {
const char *name, *value;
} Header;
+/* These are not C strings to ensure going one byte over is not safe. */
static char unterminated_http_version[] = {
'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
};
+static char only_newlines[] = {
+ '\n', '\n', '\n', '\n'
+};
+
static struct RequestTest {
const char *description;
const char *bugref;
@@ -387,7 +392,6 @@ static struct RequestTest {
{ { NULL } }
},
- /* This couldn't be a C string as going one byte over would have been safe. */
{ "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
unterminated_http_version, sizeof (unterminated_http_version),
SOUP_STATUS_BAD_REQUEST,
@@ -457,6 +461,13 @@ static struct RequestTest {
SOUP_STATUS_BAD_REQUEST,
NULL, NULL, -1,
{ { NULL } }
+ },
+
+ { "Only newlines", NULL,
+ only_newlines, sizeof (only_newlines),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
}
};
static const int num_reqtests = G_N_ELEMENTS (reqtests);
--
GitLab

200
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32907-1.patch Normal file
View File

@@ -0,0 +1,200 @@
From 4741bc288ece52f5dbaebc568e72ce14da3e2757 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 15 Apr 2025 12:17:39 +0200
Subject: [PATCH 1/2] soup-message-headers: Correct merge of ranges
It had been skipping every second range, which generated an array
of a lot of insane ranges, causing large memory usage by the server.
Closes #428
Part-of: <https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452>
CVE: CVE-2025-32907
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452/commits]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-message-headers.c | 1 +
tests/meson.build | 1 +
tests/server-mem-limit-test.c | 144 +++++++++++++++++++++++++++++++++
3 files changed, 146 insertions(+)
create mode 100644 tests/server-mem-limit-test.c
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 95e2c31..d69d6e8 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1210,6 +1210,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs,
if (cur->start <= prev->end) {
prev->end = MAX (prev->end, cur->end);
g_array_remove_index (array, i);
+ i--;
}
}
}
diff --git a/tests/meson.build b/tests/meson.build
index 9bf88be..7ef7ac5 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -93,6 +93,7 @@ tests = [
{'name': 'samesite'},
{'name': 'session'},
{'name': 'server-auth'},
+ {'name': 'server-mem-limit'},
{'name': 'server'},
{'name': 'sniffing'},
{'name': 'ssl',
diff --git a/tests/server-mem-limit-test.c b/tests/server-mem-limit-test.c
new file mode 100644
index 0000000..98f1c40
--- /dev/null
+++ b/tests/server-mem-limit-test.c
@@ -0,0 +1,144 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
+/*
+ * Copyright (C) 2025 Red Hat <www.redhat.com>
+ */
+
+#include "test-utils.h"
+
+#include <sys/resource.h>
+
+/*
+ This test limits memory usage to trigger too large buffer allocation crash.
+ As restoring the limits back to what it was does not always work, it's split
+ out of the server-test.c test with copied minimal server code.
+ */
+
+typedef struct {
+ SoupServer *server;
+ GUri *base_uri, *ssl_base_uri;
+ GSList *handlers;
+} ServerData;
+
+static void
+server_setup_nohandler (ServerData *sd, gconstpointer test_data)
+{
+ sd->server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ sd->base_uri = soup_test_server_get_uri (sd->server, "http", NULL);
+ if (tls_available)
+ sd->ssl_base_uri = soup_test_server_get_uri (sd->server, "https", NULL);
+}
+
+static void
+server_add_handler (ServerData *sd,
+ const char *path,
+ SoupServerCallback callback,
+ gpointer user_data,
+ GDestroyNotify destroy)
+{
+ soup_server_add_handler (sd->server, path, callback, user_data, destroy);
+ sd->handlers = g_slist_prepend (sd->handlers, g_strdup (path));
+}
+
+static void
+server_setup (ServerData *sd, gconstpointer test_data)
+{
+ server_setup_nohandler (sd, test_data);
+}
+
+static void
+server_teardown (ServerData *sd, gconstpointer test_data)
+{
+ GSList *iter;
+
+ for (iter = sd->handlers; iter; iter = iter->next)
+ soup_server_remove_handler (sd->server, iter->data);
+ g_slist_free_full (sd->handlers, g_free);
+
+ g_clear_pointer (&sd->server, soup_test_server_quit_unref);
+ g_clear_pointer (&sd->base_uri, g_uri_unref);
+ g_clear_pointer (&sd->ssl_base_uri, g_uri_unref);
+}
+
+static void
+server_file_callback (SoupServer *server,
+ SoupServerMessage *msg,
+ const char *path,
+ GHashTable *query,
+ gpointer data)
+{
+ void *mem;
+
+ g_assert_cmpstr (path, ==, "/file");
+ g_assert_cmpstr (soup_server_message_get_method (msg), ==, SOUP_METHOD_GET);
+
+ mem = g_malloc0 (sizeof (char) * 1024 * 1024);
+ /* fedora-scan CI claims a warning about possibly leaked `mem` variable, thus use
+ the copy and free it explicitly, to workaround the false positive; the g_steal_pointer()
+ did not help for the malloc-ed memory */
+ soup_server_message_set_response (msg, "application/octet-stream", SOUP_MEMORY_COPY, mem, sizeof (char) * 1024 *1024);
+ soup_server_message_set_status (msg, SOUP_STATUS_OK, NULL);
+ g_free (mem);
+}
+
+static void
+do_ranges_overlaps_test (ServerData *sd, gconstpointer test_data)
+{
+ SoupSession *session;
+ SoupMessage *msg;
+ GString *range;
+ GUri *uri;
+ const char *chunk = ",0,0,0,0,0,0,0,0,0,0,0";
+
+ g_test_bug ("428");
+
+ #ifdef G_OS_WIN32
+ g_test_skip ("Cannot run under windows");
+ return;
+ #endif
+
+ range = g_string_sized_new (99 * 1024);
+ g_string_append (range, "bytes=1024");
+ while (range->len < 99 * 1024)
+ g_string_append (range, chunk);
+
+ session = soup_test_session_new (NULL);
+ server_add_handler (sd, "/file", server_file_callback, NULL, NULL);
+
+ uri = g_uri_parse_relative (sd->base_uri, "/file", SOUP_HTTP_URI_FLAGS, NULL);
+
+ msg = soup_message_new_from_uri ("GET", uri);
+ soup_message_headers_append (soup_message_get_request_headers (msg), "Range", range->str);
+
+ soup_test_session_send_message (session, msg);
+
+ soup_test_assert_message_status (msg, SOUP_STATUS_PARTIAL_CONTENT);
+
+ g_object_unref (msg);
+
+ g_string_free (range, TRUE);
+ g_uri_unref (uri);
+
+ soup_test_session_abort_unref (session);
+}
+
+int
+main (int argc, char **argv)
+{
+ int ret;
+
+ test_init (argc, argv, NULL);
+
+ #ifndef G_OS_WIN32
+ struct rlimit new_rlimit = { 1024 * 1024 * 64, 1024 * 1024 * 64 };
+ /* limit memory usage, to trigger too large memory allocation abort */
+ g_assert_cmpint (setrlimit (RLIMIT_DATA, &new_rlimit), ==, 0);
+ #endif
+
+ g_test_add ("/server-mem/range-overlaps", ServerData, NULL,
+ server_setup, do_ranges_overlaps_test, server_teardown);
+
+ ret = g_test_run ();
+
+ test_cleanup ();
+ return ret;
+}
--
2.34.1

68
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32907-2.patch Normal file
View File

@@ -0,0 +1,68 @@
From 85716d2769b3e1acda024d2c7cbfb68139c5d90b Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 13 May 2025 14:20:46 +0200
Subject: [PATCH 2/2] server-mem-limit-test: Limit memory usage only when not
built witha sanitizer
A build with -Db_sanitize=address crashes with failed mmap(), which is done
inside libasan. The test requires 20.0TB of virtual memory when running with
the sanitizer, which is beyond unsigned integer limits and may not trigger
the bug anyway.
Part-of: <https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452>
CVE: CVE-2025-32907
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452/commits]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
meson.build | 4 ++++
tests/server-mem-limit-test.c | 13 +++++++++----
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/meson.build b/meson.build
index 73a9fa0..a9531a4 100644
--- a/meson.build
+++ b/meson.build
@@ -374,6 +374,10 @@ configinc = include_directories('.')
prefix = get_option('prefix')
+if get_option('b_sanitize') != 'none'
+ cdata.set_quoted('B_SANITIZE_OPTION', get_option('b_sanitize'))
+endif
+
cdata.set_quoted('PACKAGE_VERSION', soup_version)
cdata.set_quoted('LOCALEDIR', join_paths(prefix, get_option('localedir')))
cdata.set_quoted('GETTEXT_PACKAGE', libsoup_api_name)
diff --git a/tests/server-mem-limit-test.c b/tests/server-mem-limit-test.c
index 98f1c40..65dc875 100644
--- a/tests/server-mem-limit-test.c
+++ b/tests/server-mem-limit-test.c
@@ -126,14 +126,19 @@ main (int argc, char **argv)
{
int ret;
- test_init (argc, argv, NULL);
-
- #ifndef G_OS_WIN32
- struct rlimit new_rlimit = { 1024 * 1024 * 64, 1024 * 1024 * 64 };
+ /* a build with an address sanitizer may crash on mmap() with the limit,
+ thus skip the limit set in such case, even it may not necessarily
+ trigger the bug if it regresses */
+ #if !defined(G_OS_WIN32) && !defined(B_SANITIZE_OPTION)
+ struct rlimit new_rlimit = { 1024UL * 1024UL * 1024UL * 2UL, 1024UL * 1024UL * 1024UL * 2UL };
/* limit memory usage, to trigger too large memory allocation abort */
g_assert_cmpint (setrlimit (RLIMIT_DATA, &new_rlimit), ==, 0);
+ #else
+ g_message ("server-mem-limit-test: Running without memory limit");
#endif
+ test_init (argc, argv, NULL);
+
g_test_add ("/server-mem/range-overlaps", ServerData, NULL,
server_setup, do_ranges_overlaps_test, server_teardown);
--
2.34.1

89
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-1.patch Normal file
View File

@@ -0,0 +1,89 @@
From 56b8eb061a02c4e99644d6f1e62e601d0d814beb Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 15 Apr 2025 09:59:05 +0200
Subject: [PATCH 1/2] soup-server-http2: Check validity of the constructed
connection URI
The HTTP/2 pseudo-headers can contain invalid values, which the GUri rejects
and returns NULL, but the soup-server did not check the validity and could
abort the server itself later in the code.
Closes #429
CVE: CVE-2025-32908
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/451/diffs?commit_id=a792b23ab87cacbf4dd9462bf7b675fa678efbae]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
.../http2/soup-server-message-io-http2.c | 4 +++
tests/http2-test.c | 28 +++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
index 943ecfd..f1fe2d5 100644
--- a/libsoup/server/http2/soup-server-message-io-http2.c
+++ b/libsoup/server/http2/soup-server-message-io-http2.c
@@ -771,9 +771,13 @@ on_frame_recv_callback (nghttp2_session *session,
char *uri_string;
GUri *uri;
+ if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
g_free (uri_string);
+ if (uri == NULL)
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
soup_server_message_set_uri (msg_io->msg, uri);
g_uri_unref (uri);
diff --git a/tests/http2-test.c b/tests/http2-test.c
index ef097f4..df86d9b 100644
--- a/tests/http2-test.c
+++ b/tests/http2-test.c
@@ -1241,6 +1241,30 @@ do_connection_closed_test (Test *test, gconstpointer data)
g_uri_unref (uri);
}
+static void
+do_broken_pseudo_header_test (Test *test, gconstpointer data)
+{
+ char *path;
+ SoupMessage *msg;
+ GUri *uri;
+ GBytes *body = NULL;
+ GError *error = NULL;
+
+ uri = g_uri_parse_relative (base_uri, "/ag", SOUP_HTTP_URI_FLAGS, NULL);
+
+ /* an ugly cheat to construct a broken URI, which can be sent from other libs */
+ path = (char *) g_uri_get_path (uri);
+ path[1] = '%';
+
+ msg = soup_message_new_from_uri (SOUP_METHOD_GET, uri);
+ body = soup_test_session_async_send (test->session, msg, NULL, &error);
+ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_PARTIAL_INPUT);
+ g_assert_null (body);
+ g_clear_error (&error);
+ g_object_unref (msg);
+ g_uri_unref (uri);
+}
+
static gboolean
unpause_message (SoupServerMessage *msg)
{
@@ -1549,6 +1573,10 @@ main (int argc, char **argv)
setup_session,
do_connection_closed_test,
teardown_session);
+ g_test_add ("/http2/broken-pseudo-header", Test, NULL,
+ setup_session,
+ do_broken_pseudo_header_test,
+ teardown_session);
ret = g_test_run ();
--
2.34.1

53
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-2.patch Normal file
View File

@@ -0,0 +1,53 @@
From aad0dcf22ee9fdfefa6b72055268240cceccfe4c Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Mon, 28 Apr 2025 10:55:42 +0200
Subject: [PATCH 2/2] soup-server-http2: Correct check of the validity of the
constructed connection URI
RFC 5740: the CONNECT has unset the "scheme" and "path", thus allow them unset.
The commit a792b23ab87cacbf4dd9462bf7b675fa678efbae also missed to decrement
the `io->in_callback` in the early returns.
Related to #429
CVE: CVE-2025-32908
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/453/diffs?commit_id=527428a033df573ef4558ce1106e080fd9ec5c71]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
.../server/http2/soup-server-message-io-http2.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
index f1fe2d5..913afb4 100644
--- a/libsoup/server/http2/soup-server-message-io-http2.c
+++ b/libsoup/server/http2/soup-server-message-io-http2.c
@@ -771,13 +771,18 @@ on_frame_recv_callback (nghttp2_session *session,
char *uri_string;
GUri *uri;
- if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
- uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
+ if (msg_io->authority == NULL) {
+ io->in_callback--;
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ /* RFC 5740: the CONNECT has unset the "scheme" and "path", but the GUri requires the scheme, thus let it be "(null)" */
+ uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path == NULL ? "" : msg_io->path);
uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
g_free (uri_string);
- if (uri == NULL)
- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ if (uri == NULL) {
+ io->in_callback--;
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
soup_server_message_set_uri (msg_io->msg, uri);
g_uri_unref (uri);
--
2.34.1

36
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32909.patch Normal file
View File

@@ -0,0 +1,36 @@
From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 8 Jan 2025 16:30:17 -0600
Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4
bytes
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92]
CVE: CVE-2025-32909
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/content-sniffer/soup-content-sniffer.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
index 5a181ff1..aeee2e25 100644
--- a/libsoup/content-sniffer/soup-content-sniffer.c
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
@@ -243,9 +243,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, GBytes *buffer)
gsize resource_length;
const char *resource = g_bytes_get_data (buffer, &resource_length);
resource_length = MIN (512, resource_length);
- guint32 box_size = *((guint32*)resource);
+ guint32 box_size;
guint i;
+ if (resource_length < sizeof (guint32))
+ return FALSE;
+
+ box_size = *((guint32*)resource);
+
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
box_size = ((box_size >> 24) |
((box_size << 8) & 0x00FF0000) |
--
GitLab

98
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-1.patch Normal file
View File

@@ -0,0 +1,98 @@
From e40df6d48a1cbab56f5d15016cc861a503423cfe Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sun, 8 Dec 2024 20:00:35 -0600
Subject: [PATCH] auth-digest: Handle missing realm in authenticate header
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
CVE: CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/auth/soup-auth-digest.c | 3 ++
tests/auth-test.c | 50 +++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+)
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
index 2e81849af..4f12e87a5 100644
--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
@@ -148,6 +148,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
+ if (!soup_auth_get_realm (auth))
+ return FALSE;
+
g_free (priv->domain);
g_free (priv->nonce);
g_free (priv->opaque);
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 158fdac10..3066e904a 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1866,6 +1866,55 @@ do_multiple_digest_algorithms (void)
soup_test_server_quit_unref (server);
}
+static void
+on_request_read_for_missing_realm (SoupServer *server,
+ SoupServerMessage *msg,
+ gpointer user_data)
+{
+ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+}
+
+static void
+do_missing_realm_test (void)
+{
+ SoupSession *session;
+ SoupMessage *msg;
+ SoupServer *server;
+ SoupAuthDomain *digest_auth_domain;
+ gint status;
+ GUri *uri;
+
+ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ soup_server_add_handler (server, NULL,
+ server_callback, NULL, NULL);
+ uri = soup_test_server_get_uri (server, "http", NULL);
+
+ digest_auth_domain = soup_auth_domain_digest_new (
+ "realm", "auth-test",
+ "auth-callback", server_digest_auth_callback,
+ NULL);
+ soup_auth_domain_add_path (digest_auth_domain, "/");
+ soup_server_add_auth_domain (server, digest_auth_domain);
+ g_object_unref (digest_auth_domain);
+
+ g_signal_connect (server, "request-read",
+ G_CALLBACK (on_request_read_for_missing_realm),
+ NULL);
+
+ session = soup_test_session_new (NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+ g_signal_connect (msg, "authenticate",
+ G_CALLBACK (on_digest_authenticate),
+ NULL);
+
+ status = soup_test_session_send_message (session, msg);
+
+ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+ g_uri_unref (uri);
+ soup_test_server_quit_unref (server);
+}
+
int
main (int argc, char **argv)
{
@@ -1899,6 +1948,7 @@ main (int argc, char **argv)
g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
+ g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
ret = g_test_run ();
--
GitLab

149
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-2.patch Normal file
View File

@@ -0,0 +1,149 @@
From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:18:35 -0600
Subject: [PATCH] auth-digest: Handle missing nonce
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a]
CVE: CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/auth/soup-auth-digest.c | 45 +++++++++++++++++++++++++--------
tests/auth-test.c | 19 ++++++++------
2 files changed, 46 insertions(+), 18 deletions(-)
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
index 4f12e87a..350bfde6 100644
--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
@@ -138,6 +138,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
return g_string_free (out, FALSE);
}
+static gboolean
+validate_params (SoupAuthDigest *auth_digest)
+{
+ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
+
+ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
+ if (!priv->nonce)
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
static gboolean
soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
GHashTable *auth_params)
@@ -175,16 +188,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
if (priv->algorithm == -1)
ok = FALSE;
- stale = g_hash_table_lookup (auth_params, "stale");
- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
- recompute_hex_a1 (priv);
- else {
- g_free (priv->user);
- priv->user = NULL;
- g_free (priv->cnonce);
- priv->cnonce = NULL;
- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ if (!validate_params (auth_digest))
+ ok = FALSE;
+
+ if (ok) {
+ stale = g_hash_table_lookup (auth_params, "stale");
+ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+ recompute_hex_a1 (priv);
+ else {
+ g_free (priv->user);
+ priv->user = NULL;
+ g_free (priv->cnonce);
+ priv->cnonce = NULL;
+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ }
}
return ok;
@@ -276,6 +294,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,
/* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+ g_assert (nonce && cnonce);
+
checksum = g_checksum_new (G_CHECKSUM_MD5);
g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
g_checksum_update (checksum, (guchar *)":", 1);
@@ -366,6 +386,8 @@ soup_auth_digest_compute_response (const char *method,
if (qop) {
char tmp[9];
+ g_assert (cnonce);
+
g_snprintf (tmp, 9, "%.8x", nc);
g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
g_checksum_update (checksum, (guchar *)":", 1);
@@ -429,6 +451,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
g_return_val_if_fail (uri != NULL, NULL);
url = soup_uri_get_path_and_query (uri);
+ g_assert (priv->nonce);
+ g_assert (!priv->qop || priv->cnonce);
+
soup_auth_digest_compute_response (soup_message_get_method (msg), url, priv->hex_a1,
priv->qop, priv->nonce,
priv->cnonce, priv->nc,
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 3066e904..c651c7cd 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1867,16 +1867,17 @@ do_multiple_digest_algorithms (void)
}
static void
-on_request_read_for_missing_realm (SoupServer *server,
- SoupServerMessage *msg,
- gpointer user_data)
+on_request_read_for_missing_params (SoupServer *server,
+ SoupServerMessage *msg,
+ gpointer user_data)
{
+ const char *auth_header = user_data;
SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
}
static void
-do_missing_realm_test (void)
+do_missing_params_test (gconstpointer auth_header)
{
SoupSession *session;
SoupMessage *msg;
@@ -1899,8 +1900,8 @@ do_missing_realm_test (void)
g_object_unref (digest_auth_domain);
g_signal_connect (server, "request-read",
- G_CALLBACK (on_request_read_for_missing_realm),
- NULL);
+ G_CALLBACK (on_request_read_for_missing_params),
+ (gpointer)auth_header);
session = soup_test_session_new (NULL);
msg = soup_message_new_from_uri ("GET", uri);
@@ -1948,7 +1949,9 @@ main (int argc, char **argv)
g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
ret = g_test_run ();
--
GitLab

27
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-3.patch Normal file
View File

@@ -0,0 +1,27 @@
From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 13:52:52 -0600
Subject: [PATCH] auth-digest: Fix leak
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
CVE: CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/auth/soup-auth-digest.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
index 350bfde6..9eb7fa0e 100644
--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object)
g_free (priv->nonce);
g_free (priv->domain);
g_free (priv->cnonce);
+ g_free (priv->opaque);
memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
--
GitLab

72
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-1.patch Normal file
View File

@@ -0,0 +1,72 @@
From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 17:53:50 -0600
Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34]
CVE: CVE-2025-32911 CVE-2025-32913 #Dependency Patch
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-message-headers.c | 13 +++++++++----
tests/header-parsing-test.c | 14 ++++++++++++++
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 56cc1e9d..04f4c302 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
*/
if (params && g_hash_table_lookup_extended (*params, "filename",
&orig_key, &orig_value)) {
- char *filename = strrchr (orig_value, '/');
-
- if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ if (orig_value) {
+ char *filename = strrchr (orig_value, '/');
+
+ if (filename)
+ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ } else {
+ /* filename with no value isn't valid. */
+ g_hash_table_remove (*params, "filename");
+ }
}
return TRUE;
}
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index 5e423d2b..d0b360c8 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -1039,6 +1039,7 @@ do_param_list_tests (void)
#define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
#define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\""
#define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar"
+#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename"
static void
do_content_disposition_tests (void)
@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void)
g_assert_cmpstr (parameter2, ==, "bar");
g_hash_table_destroy (params);
+ /* Empty filename */
+ soup_message_headers_clear (hdrs);
+ soup_message_headers_append (hdrs, "Content-Disposition",
+ RFC5987_TEST_HEADER_EMPTY_FILENAME);
+ if (!soup_message_headers_get_content_disposition (hdrs,
+ &disposition,
+ &params)) {
+ soup_test_assert (FALSE, "empty filename decoding FAILED");
+ return;
+ }
+ g_assert_false (g_hash_table_contains (params, "filename"));
+ g_hash_table_destroy (params);
+
soup_message_headers_unref (hdrs);
/* Ensure that soup-multipart always quotes filename */
--
GitLab

44
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32911_CVE-2025-32913-2.patch Normal file
View File

@@ -0,0 +1,44 @@
From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 18:00:39 -0600
Subject: [PATCH] soup_message_headers_get_content_disposition: strdup
truncated filenames
This table frees the strings it contains.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0]
CVE: CVE-2025-32911 CVE-2025-32913
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-message-headers.c | 2 +-
tests/header-parsing-test.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 04f4c302..ee7a3cb1 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
char *filename = strrchr (orig_value, '/');
if (filename)
- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
} else {
/* filename with no value isn't valid. */
g_hash_table_remove (*params, "filename");
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
index d0b360c8..07ea2866 100644
--- a/tests/header-parsing-test.c
+++ b/tests/header-parsing-test.c
@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void)
soup_test_assert (FALSE, "empty filename decoding FAILED");
return;
}
+ g_free (disposition);
g_assert_false (g_hash_table_contains (params, "filename"));
g_hash_table_destroy (params);
--
GitLab

41
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-1.patch Normal file
View File

@@ -0,0 +1,41 @@
From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 14:03:05 -0600
Subject: [PATCH] auth-digest: Handle missing nonce
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992]
CVE: CVE-2025-32912
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/auth/soup-auth-digest.c | 2 +-
tests/auth-test.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
index 9eb7fa0e..d69a4013 100644
--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
- if (!soup_auth_get_realm (auth))
+ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
return FALSE;
g_free (priv->domain);
diff --git a/tests/auth-test.c b/tests/auth-test.c
index c651c7cd..484097f1 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1952,6 +1952,7 @@ main (int argc, char **argv)
g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test);
ret = g_test_run ();
--
GitLab

30
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32912-2.patch Normal file
View File

@@ -0,0 +1,30 @@
From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sat, 8 Feb 2025 12:30:13 -0600
Subject: [PATCH] digest-auth: Handle NULL nonce
`contains` only handles a missing nonce, `lookup` handles both missing and empty.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f]
CVE: CVE-2025-32912
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/auth/soup-auth-digest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
index d69a4013..dc4dbfc5 100644
--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
- if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
+ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))
return FALSE;
g_free (priv->domain);
--
GitLab

111
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32914.patch Normal file
View File

@@ -0,0 +1,111 @@
From 5bfcf8157597f2d327050114fb37ff600004dbcf Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Tue, 15 Apr 2025 09:03:00 +0200
Subject: [PATCH] multipart: Fix read out of buffer bounds under
soup_multipart_new_from_message()
This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
of the body argument.
Closes #436
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]
CVE: CVE-2025-32914
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-multipart.c | 2 +-
tests/multipart-test.c | 58 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index 2421c91f8..102ce3722 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -173,7 +173,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
return NULL;
}
- split = strstr (start, "\r\n\r\n");
+ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
if (!split || split > end) {
soup_multipart_free (multipart);
return NULL;
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index 2c0e7e969..f5b986889 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
@@ -471,6 +471,62 @@ test_multipart (gconstpointer data)
loop = NULL;
}
+static void
+test_multipart_bounds_good (void)
+{
+ #define TEXT "line1\r\nline2"
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers, *set_headers = NULL;
+ GBytes *bytes, *set_bytes = NULL;
+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
+ gboolean success;
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+ bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+ multipart = soup_multipart_new_from_message (headers, bytes);
+
+ g_assert_nonnull (multipart);
+ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
+ success = soup_multipart_get_part (multipart, 0, &set_headers, &set_bytes);
+ g_assert_true (success);
+ g_assert_nonnull (set_headers);
+ g_assert_nonnull (set_bytes);
+ g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes));
+ g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
+ g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes));
+
+ soup_message_headers_unref (headers);
+ g_bytes_unref (bytes);
+
+ soup_multipart_free (multipart);
+
+ #undef TEXT
+}
+
+static void
+test_multipart_bounds_bad (void)
+{
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers;
+ GBytes *bytes;
+ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+ bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+ /* it did read out of raw_data/bytes bounds */
+ multipart = soup_multipart_new_from_message (headers, bytes);
+ g_assert_null (multipart);
+
+ soup_message_headers_unref (headers);
+ g_bytes_unref (bytes);
+}
+
int
main (int argc, char **argv)
{
@@ -498,6 +554,8 @@ main (int argc, char **argv)
g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
+ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
+ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
ret = g_test_run ();
--
GitLab

38
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4476.patch Normal file
View File

@@ -0,0 +1,38 @@
From e64c221f9c7d09b48b610c5626b3b8c400f0907c Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Thu, 8 May 2025 09:27:01 -0500
Subject: [PATCH] auth-digest: fix crash in
soup_auth_digest_get_protection_space()
We need to validate the Domain parameter in the WWW-Authenticate header.
Unfortunately this crash only occurs when listening on default ports 80
and 443, so there's no good way to test for this. The test would require
running as root.
Fixes #440
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c]
CVE: CVE-2025-4476
Signed-off-by: Ashish Sharma <asharma@mvista.com>
libsoup/auth/soup-auth-digest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
index d8bb2910..292f2045 100644
--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
@@ -220,7 +220,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, GUri *source_uri)
if (uri &&
g_strcmp0 (g_uri_get_scheme (uri), g_uri_get_scheme (source_uri)) == 0 &&
g_uri_get_port (uri) == g_uri_get_port (source_uri) &&
- !strcmp (g_uri_get_host (uri), g_uri_get_host (source_uri)))
+ !g_strcmp0 (g_uri_get_host (uri), g_uri_get_host (source_uri)))
dir = g_strdup (g_uri_get_path (uri));
else
dir = NULL;
--
GitLab

60
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46420.patch Normal file
View File

@@ -0,0 +1,60 @@
From c9083869ec2a3037e6df4bd86b45c419ba295f8e Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:31:42 -0600
Subject: [PATCH] soup_header_parse_quality_list: Fix leak
When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/c9083869ec2a3037e6df4bd86b45c419ba295f8e]
CVE: CVE-2025-46420
Signed-off-by: Ashish Sharma <asharma@mvista.com>
libsoup/soup-headers.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index a5f7a7f6..85385cea 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -530,7 +530,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
GSList *unsorted;
QualityItem *array;
GSList *sorted, *iter;
- char *item, *semi;
+ char *semi;
const char *param, *equal, *value;
double qval;
int n;
@@ -543,9 +543,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
unsorted = soup_header_parse_list (header);
array = g_new0 (QualityItem, g_slist_length (unsorted));
for (iter = unsorted, n = 0; iter; iter = iter->next) {
- item = iter->data;
qval = 1.0;
- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) {
+ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) {
param = skip_lws (semi + 1);
if (*param != 'q')
continue;
@@ -577,15 +576,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
if (qval == 0.0) {
if (unacceptable) {
*unacceptable = g_slist_prepend (*unacceptable,
- item);
+ g_steal_pointer (&iter->data));
}
} else {
- array[n].item = item;
+ array[n].item = g_steal_pointer (&iter->data);
array[n].qval = qval;
n++;
}
}
- g_slist_free (unsorted);
+ g_slist_free_full (unsorted, g_free);
qsort (array, n, sizeof (QualityItem), sort_by_qval);
sorted = NULL;
--
GitLab

139
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46421.patch Normal file
View File

@@ -0,0 +1,139 @@
From 85c5227eef7370832044eb918e8a99c0bcbab86f Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 16:18:10 -0600
Subject: [PATCH] session: Strip authentication credentails on cross-origin
redirect
This should match the behavior of Firefox and Safari but not of Chromium.
CVE: CVE-2025-46421
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-session.c | 6 ++++
tests/auth-test.c | 77 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 83 insertions(+)
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index 631bec0..9f00b05 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1230,6 +1230,12 @@ soup_session_redirect_message (SoupSession *session,
SOUP_ENCODING_NONE);
}
+ /* Strip all credentials on cross-origin redirect. */
+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+ soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION);
+ soup_message_set_auth (msg, NULL);
+ }
+
soup_message_set_request_host_from_uri (msg, new_uri);
soup_message_set_uri (msg, new_uri);
g_uri_unref (new_uri);
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 484097f..7c3b551 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1,6 +1,7 @@
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
#include "test-utils.h"
+#include "soup-uri-utils-private.h"
static const char *base_uri;
static GMainLoop *loop;
@@ -1916,6 +1917,81 @@ do_missing_params_test (gconstpointer auth_header)
soup_test_server_quit_unref (server);
}
+static void
+redirect_server_callback (SoupServer *server,
+ SoupServerMessage *msg,
+ const char *path,
+ GHashTable *query,
+ gpointer user_data)
+{
+ static gboolean redirected = FALSE;
+
+ if (!redirected) {
+ char *redirect_uri = g_uri_to_string (user_data);
+ soup_server_message_set_redirect (msg, SOUP_STATUS_MOVED_PERMANENTLY, redirect_uri);
+ g_free (redirect_uri);
+ redirected = TRUE;
+ return;
+ }
+
+ g_assert_not_reached ();
+}
+
+static gboolean
+auth_for_redirect_callback (SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer user_data)
+{
+ GUri *known_server_uri = user_data;
+
+ if (!soup_uri_host_equal (known_server_uri, soup_message_get_uri (msg)))
+ return FALSE;
+
+ soup_auth_authenticate (auth, "user", "good-basic");
+
+ return TRUE;
+}
+
+static void
+do_strip_on_crossorigin_redirect (void)
+{
+ SoupSession *session;
+ SoupMessage *msg;
+ SoupServer *server1, *server2;
+ SoupAuthDomain *auth_domain;
+ GUri *uri;
+ gint status;
+
+ server1 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ server2 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+
+ /* Both servers have the same credentials. */
+ auth_domain = soup_auth_domain_basic_new ("realm", "auth-test", "auth-callback", server_basic_auth_callback, NULL);
+ soup_auth_domain_add_path (auth_domain, "/");
+ soup_server_add_auth_domain (server1, auth_domain);
+ soup_server_add_auth_domain (server2, auth_domain);
+ g_object_unref (auth_domain);
+
+ /* Server 1 asks for auth, then redirects to Server 2. */
+ soup_server_add_handler (server1, NULL,
+ redirect_server_callback,
+ soup_test_server_get_uri (server2, "http", NULL), (GDestroyNotify)g_uri_unref);
+ /* Server 2 requires auth. */
+ soup_server_add_handler (server2, NULL, server_callback, NULL, NULL);
+
+ session = soup_test_session_new (NULL);
+ uri = soup_test_server_get_uri (server1, "http", NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+ /* The client only sends credentials for the host it knows. */
+ g_signal_connect (msg, "authenticate", G_CALLBACK (auth_for_redirect_callback), uri);
+
+ status = soup_test_session_send_message (session, msg);
+
+ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+
+ g_uri_unref (uri);
+ soup_test_server_quit_unref (server1);
+ soup_test_server_quit_unref (server2);
+}
+
int
main (int argc, char **argv)
{
@@ -1949,6 +2025,7 @@ main (int argc, char **argv)
g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
+ g_test_add_func ("/auth/strip-on-crossorigin-redirect", do_strip_on_crossorigin_redirect);
g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
--
2.34.1

118
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4945.patch Normal file
View File

@@ -0,0 +1,118 @@
From f168bc7d6dbf04915cd7bf6bfe962bd23f63ec3b Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Thu, 15 May 2025 07:59:14 +0200
Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing
Reject date/time when it does not represent a valid value.
Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
CVE: CVE-2025-4945
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-date-utils.c | 23 +++++++++++++++--------
tests/cookies-test.c | 10 ++++++++++
2 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c
index fd785f5..34ca995 100644
--- a/libsoup/soup-date-utils.c
+++ b/libsoup/soup-date-utils.c
@@ -129,7 +129,7 @@ parse_day (int *day, const char **date_string)
while (*end == ' ' || *end == '-')
end++;
*date_string = end;
- return TRUE;
+ return *day >= 1 && *day <= 31;
}
static inline gboolean
@@ -169,7 +169,7 @@ parse_year (int *year, const char **date_string)
while (*end == ' ' || *end == '-')
end++;
*date_string = end;
- return TRUE;
+ return *year > 0 && *year < 9999;
}
static inline gboolean
@@ -193,7 +193,7 @@ parse_time (int *hour, int *minute, int *second, const char **date_string)
while (*p == ' ')
p++;
*date_string = p;
- return TRUE;
+ return *hour >= 0 && *hour < 24 && *minute >= 0 && *minute < 60 && *second >= 0 && *second < 60;
}
static inline gboolean
@@ -209,9 +209,14 @@ parse_timezone (GTimeZone **timezone, const char **date_string)
gulong val;
int sign = (**date_string == '+') ? 1 : -1;
val = strtoul (*date_string + 1, (char **)date_string, 10);
- if (**date_string == ':')
- val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
- else
+ if (val > 9999)
+ return FALSE;
+ if (**date_string == ':') {
+ gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
+ if (val > 99 || val2 > 99)
+ return FALSE;
+ val = 60 * val + val2;
+ } else
val = 60 * (val / 100) + (val % 100);
offset_minutes = sign * val;
utc = (sign == -1) && !val;
@@ -264,7 +269,8 @@ parse_textual_date (const char *date_string)
if (!parse_month (&month, &date_string) ||
!parse_day (&day, &date_string) ||
!parse_time (&hour, &minute, &second, &date_string) ||
- !parse_year (&year, &date_string))
+ !parse_year (&year, &date_string) ||
+ !g_date_valid_dmy (day, month, year))
return NULL;
/* There shouldn't be a timezone, but check anyway */
@@ -276,7 +282,8 @@ parse_textual_date (const char *date_string)
if (!parse_day (&day, &date_string) ||
!parse_month (&month, &date_string) ||
!parse_year (&year, &date_string) ||
- !parse_time (&hour, &minute, &second, &date_string))
+ !parse_time (&hour, &minute, &second, &date_string) ||
+ !g_date_valid_dmy (day, month, year))
return NULL;
/* This time there *should* be a timezone, but we
diff --git a/tests/cookies-test.c b/tests/cookies-test.c
index cafa26e..ccf7a4c 100644
--- a/tests/cookies-test.c
+++ b/tests/cookies-test.c
@@ -434,6 +434,15 @@ do_cookies_parsing_nopath_nullorigin (void)
soup_cookie_free (cookie);
}
+static void
+do_cookies_parsing_int32_overflow (void)
+{
+ SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9 999:9:9+ 999999999-age=main=gne=", NULL);
+ g_assert_nonnull (cookie);
+ g_assert_null (soup_cookie_get_expires (cookie));
+ soup_cookie_free (cookie);
+}
+
static void
do_cookies_equal_nullpath (void)
{
@@ -655,6 +664,7 @@ main (int argc, char **argv)
g_test_add_func ("/cookies/accept-policy-subdomains", do_cookies_subdomain_policy_test);
g_test_add_func ("/cookies/parsing", do_cookies_parsing_test);
g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
+ g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
g_test_add_func ("/cookies/parsing/equal-nullpath", do_cookies_equal_nullpath);
g_test_add_func ("/cookies/parsing/control-characters", do_cookies_parsing_control_characters);
g_test_add_func ("/cookies/get-cookies/empty-host", do_get_cookies_empty_host_test);
--
2.34.1

97
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4948.patch Normal file
View File

@@ -0,0 +1,97 @@
From a23ce8f8e60e79990e26376c8b0d40841aed4b81 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Thu, 15 May 2025 17:49:11 +0200
Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body
It could happen that the boundary started at a place which resulted into
a negative number, which in an unsigned integer is a very large value.
Check the body size is not a negative value before setting it.
Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
Part-of: <https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463>
CVE: CVE-2025-4948
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/diffs?commit_id=f2f28afe0b3b2b3009ab67d6874457ec6bac70c0]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-multipart.c | 2 +-
tests/multipart-test.c | 40 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index e1c442e..27257e4 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
*/
part_body = g_bytes_new_from_bytes (body, // FIXME
split - body_data,
- end - 2 - split);
+ end - 2 >= split ? end - 2 - split : 0);
g_ptr_array_add (multipart->bodies, part_body);
start = end;
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index 84852e2..2ae888c 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
@@ -548,6 +548,45 @@ test_multipart_bounds_bad_2 (void)
g_bytes_unref (bytes);
}
+static void
+test_multipart_too_large (void)
+{
+ const char *raw_body =
+ "-------------------\r\n"
+ "-\n"
+ "Cont\"\r\n"
+ "Content-Tynt----e:n\x8erQK\r\n"
+ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n"
+ "Content-Typimag\x01/png--\\\n"
+ "\r\n"
+ "---:\n\r\n"
+ "\r\n"
+ "-------------------------------------\r\n"
+ "---------\r\n"
+ "----------------------";
+ GBytes *body;
+ GHashTable *params;
+ SoupMessageHeaders *headers;
+ SoupMultipart *multipart;
+
+ params = g_hash_table_new (g_str_hash, g_str_equal);
+ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------");
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_set_content_type (headers, "multipart/form-data", params);
+ g_hash_table_unref (params);
+
+ body = g_bytes_new_static (raw_body, strlen (raw_body));
+ multipart = soup_multipart_new_from_message (headers, body);
+ soup_message_headers_unref (headers);
+ g_bytes_unref (body);
+
+ g_assert_nonnull (multipart);
+ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
+ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body));
+ g_assert_cmpint (g_bytes_get_size (body), ==, 0);
+ soup_multipart_free (multipart);
+}
+
int
main (int argc, char **argv)
{
@@ -578,6 +617,7 @@ main (int argc, char **argv)
g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2);
+ g_test_add_func ("/multipart/too-large", test_multipart_too_large);
ret = g_test_run ();
--
2.34.1

76
sources/poky/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4969.patch Normal file
View File

@@ -0,0 +1,76 @@
From 07b94e27afafebf31ef3cd868866a1e383750086 Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Mon, 19 May 2025 17:48:27 +0200
Subject: [PATCH] soup-multipart: Verify array bounds before accessing its
members
The boundary could be at a place which, calculated, pointed
before the beginning of the array. Check the bounds, to avoid
read out of the array bounds.
Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086]
CVE: CVE-2025-4969
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
libsoup/soup-multipart.c | 2 +-
tests/multipart-test.c | 22 ++++++++++++++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
index 102ce37..e1c442e 100644
--- a/libsoup/soup-multipart.c
+++ b/libsoup/soup-multipart.c
@@ -104,7 +104,7 @@ find_boundary (const char *start, const char *end,
continue;
/* Check that it's at start of line */
- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r')))
+ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r')))
continue;
/* Check for "--" or "\r\n" after boundary */
diff --git a/tests/multipart-test.c b/tests/multipart-test.c
index ab5f41c..84852e2 100644
--- a/tests/multipart-test.c
+++ b/tests/multipart-test.c
@@ -527,6 +527,27 @@ test_multipart_bounds_bad (void)
g_bytes_unref (bytes);
}
+static void
+test_multipart_bounds_bad_2 (void)
+{
+ SoupMultipart *multipart;
+ SoupMessageHeaders *headers;
+ GBytes *bytes;
+ const char *raw_data = "\n--123\r\nline\r\n--123--\r";
+
+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
+
+ bytes = g_bytes_new (raw_data, strlen (raw_data));
+
+ multipart = soup_multipart_new_from_message (headers, bytes);
+ g_assert_nonnull (multipart);
+
+ soup_multipart_free (multipart);
+ soup_message_headers_unref (headers);
+ g_bytes_unref (bytes);
+}
+
int
main (int argc, char **argv)
{
@@ -556,6 +577,7 @@ main (int argc, char **argv)
g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2);
ret = g_test_run ();
--
2.49.0