* [OE-core][kirkstone 01/15] perl: patch CVE-2024-56406
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
@ 2025-05-13 19:07 ` Steve Sakoman
2025-05-13 19:07 ` [OE-core][kirkstone 02/15] libsoup-2.4: Update fix CVE-2024-52532 Steve Sakoman
` (13 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:07 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patch mentioned in NVD links for this CVE.
Tested by runniing ptest and CVE reproducer (before&after).
Ptest fails on test dist/threads/t/join, however the same test also
fails without this patch.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...4-56406-Heap-buffer-overflow-with-tr.patch | 30 +++++++++++++++++++
meta/recipes-devtools/perl/perl_5.34.3.bb | 1 +
2 files changed, 31 insertions(+)
create mode 100644 meta/recipes-devtools/perl/files/0001-CVE-2024-56406-Heap-buffer-overflow-with-tr.patch
diff --git a/meta/recipes-devtools/perl/files/0001-CVE-2024-56406-Heap-buffer-overflow-with-tr.patch b/meta/recipes-devtools/perl/files/0001-CVE-2024-56406-Heap-buffer-overflow-with-tr.patch
new file mode 100644
index 0000000000..377ef95f12
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/0001-CVE-2024-56406-Heap-buffer-overflow-with-tr.patch
@@ -0,0 +1,30 @@
+From 87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Wed, 18 Dec 2024 18:25:29 -0700
+Subject: [PATCH] CVE-2024-56406: Heap-buffer-overflow with tr//
+
+This was due to underallocating needed space. If the translation forces
+something to become UTF-8 that is initially bytes, that UTF-8 could
+now require two bytes where previously a single one would do.
+
+(cherry picked from commit f93109c8a6950aafbd7488d98e112552033a3686)
+
+CVE: CVE-2024-56406
+Upstream-Status: Backport [https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ op.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/op.c b/op.c
+index 69ff030e88..298b292633 100644
+--- a/op.c
++++ b/op.c
+@@ -7515,6 +7515,7 @@ S_pmtrans(pTHX_ OP *o, OP *expr, OP *repl)
+ * same time. But otherwise one crosses before the other */
+ if (t_cp < 256 && r_cp_end > 255 && r_cp != t_cp) {
+ can_force_utf8 = TRUE;
++ max_expansion = MAX(2, max_expansion);
+ }
+ }
+
diff --git a/meta/recipes-devtools/perl/perl_5.34.3.bb b/meta/recipes-devtools/perl/perl_5.34.3.bb
index ed3518b62d..f6ebbf2d16 100644
--- a/meta/recipes-devtools/perl/perl_5.34.3.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.3.bb
@@ -21,6 +21,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
file://CVE-2023-31484.patch \
file://CVE-2023-31486-0001.patch \
file://CVE-2023-31486-0002.patch \
+ file://0001-CVE-2024-56406-Heap-buffer-overflow-with-tr.patch \
"
SRC_URI:append:class-native = " \
file://perl-configpm-switch.patch \
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 02/15] libsoup-2.4: Update fix CVE-2024-52532
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
2025-05-13 19:07 ` [OE-core][kirkstone 01/15] perl: patch CVE-2024-56406 Steve Sakoman
@ 2025-05-13 19:07 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 03/15] libsoup-2.4: Fix CVE-2025-32906 Steve Sakoman
` (12 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:07 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup-2.4/CVE-2024-52532-3.patch | 46 +++++++++++++++++++
.../libsoup/libsoup-2.4_2.74.2.bb | 1 +
2 files changed, 47 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
new file mode 100644
index 0000000000..edcca86e8c
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
@@ -0,0 +1,46 @@
+From 4c9e75c6676a37b6485620c332e568e1a3f530ff Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Wed, 13 Nov 2024 14:14:23 +0000
+Subject: [PATCH] websocket-test: Disconnect error signal in another place
+
+This is the same change as commit 29b96fab "websocket-test: disconnect
+error copy after the test ends", and is done for the same reason, but
+replicating it into a different function.
+
+Fixes: 6adc0e3e "websocket: process the frame as soon as we read data"
+Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399
+Signed-off-by: Simon McVittie <smcv@debian.org>
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff]
+CVE: CVE-2024-52532
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/websocket-test.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 6a48c1f9..723f2857 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -1508,8 +1508,9 @@ test_receive_invalid_encode_length_16 (Test *test,
+ GError *error = NULL;
+ InvalidEncodeLengthTest context = { test, NULL };
+ guint i;
++ guint error_id;
+
+- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
+
+ /* We use 126(~) as payload length with 125 extended length */
+@@ -1522,6 +1523,7 @@ test_receive_invalid_encode_length_16 (Test *test,
+ WAIT_UNTIL (error != NULL || received != NULL);
+ g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
+ g_clear_error (&error);
++ g_signal_handler_disconnect (test->client, error_id);
+ g_assert_null (received);
+
+ g_thread_join (thread);
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index 88d08ad0ec..b299fcf6de 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2024-52530.patch \
file://CVE-2024-52532-1.patch \
file://CVE-2024-52532-2.patch \
+ file://CVE-2024-52532-3.patch \
file://CVE-2024-52531-1.patch \
file://CVE-2024-52531-2.patch \
"
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 03/15] libsoup-2.4: Fix CVE-2025-32906
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
2025-05-13 19:07 ` [OE-core][kirkstone 01/15] perl: patch CVE-2024-56406 Steve Sakoman
2025-05-13 19:07 ` [OE-core][kirkstone 02/15] libsoup-2.4: Update fix CVE-2024-52532 Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 04/15] libsoup-2.4: Fix CVE-2025-32909 Steve Sakoman
` (11 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from
https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931
& https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup-2.4/CVE-2025-32906-1.patch | 61 ++++++++++++++
.../libsoup-2.4/CVE-2025-32906-2.patch | 83 +++++++++++++++++++
.../libsoup/libsoup-2.4_2.74.2.bb | 2 +
3 files changed, 146 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
new file mode 100644
index 0000000000..916a41a71f
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
@@ -0,0 +1,61 @@
+From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 11 Feb 2025 14:36:26 -0600
+Subject: [PATCH] headers: Handle parsing edge case
+
+This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931]
+CVE: CVE-2025-32906 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c | 2 +-
+ tests/header-parsing-test.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 85385cea..9d6d00a3 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str,
+ !g_ascii_isdigit (version[5]))
+ return SOUP_STATUS_BAD_REQUEST;
+ major_version = strtoul (version + 5, &p, 10);
+- if (*p != '.' || !g_ascii_isdigit (p[1]))
++ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
+ return SOUP_STATUS_BAD_REQUEST;
+ minor_version = strtoul (p + 1, &p, 10);
+ version_end = p;
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 07ea2866..10ddb684 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -6,6 +6,10 @@ typedef struct {
+ const char *name, *value;
+ } Header;
+
++static char unterminated_http_version[] = {
++ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
++};
++
+ static struct RequestTest {
+ const char *description;
+ const char *bugref;
+@@ -383,6 +387,14 @@ static struct RequestTest {
+ { { NULL } }
+ },
+
++ /* This couldn't be a C string as going one byte over would have been safe. */
++ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
++ unterminated_http_version, sizeof (unterminated_http_version),
++ SOUP_STATUS_BAD_REQUEST,
++ NULL, NULL, -1,
++ { { NULL } }
++ },
++
+ { "Non-HTTP request", NULL,
+ "GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
+ SOUP_STATUS_BAD_REQUEST,
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
new file mode 100644
index 0000000000..5baad15648
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
@@ -0,0 +1,83 @@
+From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 12 Feb 2025 11:30:02 -0600
+Subject: [PATCH] headers: Handle parsing only newlines
+
+Closes #404
+Closes #407
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f]
+CVE: CVE-2025-32906
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c | 4 ++--
+ tests/header-parsing-test.c | 13 ++++++++++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 9d6d00a3..52ef2ece 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str,
+ /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
+ * received where a Request-Line is expected."
+ */
+- while ((*str == '\r' || *str == '\n') && len > 0) {
++ while (len > 0 && (*str == '\r' || *str == '\n')) {
+ str++;
+ len--;
+ }
+@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str,
+ * after a response, which we then see prepended to the next
+ * response on that connection.
+ */
+- while ((*str == '\r' || *str == '\n') && len > 0) {
++ while (len > 0 && (*str == '\r' || *str == '\n')) {
+ str++;
+ len--;
+ }
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 10ddb684..4faafbd6 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -6,10 +6,15 @@ typedef struct {
+ const char *name, *value;
+ } Header;
+
++/* These are not C strings to ensure going one byte over is not safe. */
+ static char unterminated_http_version[] = {
+ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
+ };
+
++static char only_newlines[] = {
++ '\n', '\n', '\n', '\n'
++};
++
+ static struct RequestTest {
+ const char *description;
+ const char *bugref;
+@@ -387,7 +392,6 @@ static struct RequestTest {
+ { { NULL } }
+ },
+
+- /* This couldn't be a C string as going one byte over would have been safe. */
+ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+ unterminated_http_version, sizeof (unterminated_http_version),
+ SOUP_STATUS_BAD_REQUEST,
+@@ -457,6 +461,13 @@ static struct RequestTest {
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
++ },
++
++ { "Only newlines", NULL,
++ only_newlines, sizeof (only_newlines),
++ SOUP_STATUS_BAD_REQUEST,
++ NULL, NULL, -1,
++ { { NULL } }
+ }
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index b299fcf6de..f409816fc2 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -19,6 +19,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2024-52532-3.patch \
file://CVE-2024-52531-1.patch \
file://CVE-2024-52531-2.patch \
+ file://CVE-2025-32906-1.patch \
+ file://CVE-2025-32906-2.patch \
"
SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 04/15] libsoup-2.4: Fix CVE-2025-32909
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (2 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 03/15] libsoup-2.4: Fix CVE-2025-32906 Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 05/15] libsoup: update fix CVE-2024-52532 Steve Sakoman
` (10 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/comm
it/ba4c3a6f988beff59e45801ab36067293d24ce92
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup/libsoup-2.4/CVE-2025-32909.patch | 36 +++++++++++++++++++
.../libsoup/libsoup-2.4_2.74.2.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
new file mode 100644
index 0000000000..046f20203f
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
@@ -0,0 +1,36 @@
+From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 8 Jan 2025 16:30:17 -0600
+Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4
+ bytes
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92]
+CVE: CVE-2025-32909
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-content-sniffer.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index 967ec61..a1f23c2 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -227,9 +227,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ {
+ const char *resource = (const char *)buffer->data;
+ guint resource_length = MIN (512, buffer->length);
+- guint32 box_size = *((guint32*)resource);
++ guint32 box_size;
+ guint i;
+
++ if (resource_length < sizeof (guint32))
++ return FALSE;
++
++ box_size = *((guint32*)resource);
++
+ #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
+ box_size = ((box_size >> 24) |
+ ((box_size << 8) & 0x00FF0000) |
+--
+2.25.1
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index f409816fc2..00f7fea41a 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2024-52531-2.patch \
file://CVE-2025-32906-1.patch \
file://CVE-2025-32906-2.patch \
+ file://CVE-2025-32909.patch \
"
SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 05/15] libsoup: update fix CVE-2024-52532
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (3 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 04/15] libsoup-2.4: Fix CVE-2025-32909 Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 06/15] libsoup: Fix CVE-2025-32906 Steve Sakoman
` (9 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup/libsoup/CVE-2024-52532-3.patch | 46 +++++++++++++++++++
meta/recipes-support/libsoup/libsoup_3.0.7.bb | 1 +
2 files changed, 47 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2024-52532-3.patch
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2024-52532-3.patch b/meta/recipes-support/libsoup/libsoup/CVE-2024-52532-3.patch
new file mode 100644
index 0000000000..edcca86e8c
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2024-52532-3.patch
@@ -0,0 +1,46 @@
+From 4c9e75c6676a37b6485620c332e568e1a3f530ff Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Wed, 13 Nov 2024 14:14:23 +0000
+Subject: [PATCH] websocket-test: Disconnect error signal in another place
+
+This is the same change as commit 29b96fab "websocket-test: disconnect
+error copy after the test ends", and is done for the same reason, but
+replicating it into a different function.
+
+Fixes: 6adc0e3e "websocket: process the frame as soon as we read data"
+Resolves: https://gitlab.gnome.org/GNOME/libsoup/-/issues/399
+Signed-off-by: Simon McVittie <smcv@debian.org>
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6676a37b6485620c332e568e1a3f530ff]
+CVE: CVE-2024-52532
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/websocket-test.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 6a48c1f9..723f2857 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -1508,8 +1508,9 @@ test_receive_invalid_encode_length_16 (Test *test,
+ GError *error = NULL;
+ InvalidEncodeLengthTest context = { test, NULL };
+ guint i;
++ guint error_id;
+
+- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
+ g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received);
+
+ /* We use 126(~) as payload length with 125 extended length */
+@@ -1522,6 +1523,7 @@ test_receive_invalid_encode_length_16 (Test *test,
+ WAIT_UNTIL (error != NULL || received != NULL);
+ g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR);
+ g_clear_error (&error);
++ g_signal_handler_disconnect (test->client, error_id);
+ g_assert_null (received);
+
+ g_thread_join (thread);
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
index 869f0f1696..4b723d3150 100644
--- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
@@ -15,6 +15,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2024-52530.patch \
file://CVE-2024-52532-1.patch \
file://CVE-2024-52532-2.patch \
+ file://CVE-2024-52532-3.patch \
file://CVE-2024-52531-1.patch \
file://CVE-2024-52531-2.patch \
file://CVE-2024-52531-3.patch \
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 06/15] libsoup: Fix CVE-2025-32906
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (4 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 05/15] libsoup: update fix CVE-2024-52532 Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 07/15] libsoup: Fix CVE-2025-32909 Steve Sakoman
` (8 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from
https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931
& https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup/libsoup/CVE-2025-32906-1.patch | 61 ++++++++++++++
.../libsoup/libsoup/CVE-2025-32906-2.patch | 83 +++++++++++++++++++
meta/recipes-support/libsoup/libsoup_3.0.7.bb | 2 +
3 files changed, 146 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32906-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32906-2.patch
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32906-1.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32906-1.patch
new file mode 100644
index 0000000000..916a41a71f
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32906-1.patch
@@ -0,0 +1,61 @@
+From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Tue, 11 Feb 2025 14:36:26 -0600
+Subject: [PATCH] headers: Handle parsing edge case
+
+This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/1f509f31b6f8420a3661c3f990424ab7b9164931]
+CVE: CVE-2025-32906 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c | 2 +-
+ tests/header-parsing-test.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 85385cea..9d6d00a3 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str,
+ !g_ascii_isdigit (version[5]))
+ return SOUP_STATUS_BAD_REQUEST;
+ major_version = strtoul (version + 5, &p, 10);
+- if (*p != '.' || !g_ascii_isdigit (p[1]))
++ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
+ return SOUP_STATUS_BAD_REQUEST;
+ minor_version = strtoul (p + 1, &p, 10);
+ version_end = p;
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 07ea2866..10ddb684 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -6,6 +6,10 @@ typedef struct {
+ const char *name, *value;
+ } Header;
+
++static char unterminated_http_version[] = {
++ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
++};
++
+ static struct RequestTest {
+ const char *description;
+ const char *bugref;
+@@ -383,6 +387,14 @@ static struct RequestTest {
+ { { NULL } }
+ },
+
++ /* This couldn't be a C string as going one byte over would have been safe. */
++ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
++ unterminated_http_version, sizeof (unterminated_http_version),
++ SOUP_STATUS_BAD_REQUEST,
++ NULL, NULL, -1,
++ { { NULL } }
++ },
++
+ { "Non-HTTP request", NULL,
+ "GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
+ SOUP_STATUS_BAD_REQUEST,
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32906-2.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32906-2.patch
new file mode 100644
index 0000000000..5baad15648
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32906-2.patch
@@ -0,0 +1,83 @@
+From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 12 Feb 2025 11:30:02 -0600
+Subject: [PATCH] headers: Handle parsing only newlines
+
+Closes #404
+Closes #407
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f]
+CVE: CVE-2025-32906
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-headers.c | 4 ++--
+ tests/header-parsing-test.c | 13 ++++++++++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 9d6d00a3..52ef2ece 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str,
+ /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
+ * received where a Request-Line is expected."
+ */
+- while ((*str == '\r' || *str == '\n') && len > 0) {
++ while (len > 0 && (*str == '\r' || *str == '\n')) {
+ str++;
+ len--;
+ }
+@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str,
+ * after a response, which we then see prepended to the next
+ * response on that connection.
+ */
+- while ((*str == '\r' || *str == '\n') && len > 0) {
++ while (len > 0 && (*str == '\r' || *str == '\n')) {
+ str++;
+ len--;
+ }
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 10ddb684..4faafbd6 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -6,10 +6,15 @@ typedef struct {
+ const char *name, *value;
+ } Header;
+
++/* These are not C strings to ensure going one byte over is not safe. */
+ static char unterminated_http_version[] = {
+ 'G','E','T',' ','/',' ','H','T','T','P','/','1', '0', '0', '.'
+ };
+
++static char only_newlines[] = {
++ '\n', '\n', '\n', '\n'
++};
++
+ static struct RequestTest {
+ const char *description;
+ const char *bugref;
+@@ -387,7 +392,6 @@ static struct RequestTest {
+ { { NULL } }
+ },
+
+- /* This couldn't be a C string as going one byte over would have been safe. */
+ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+ unterminated_http_version, sizeof (unterminated_http_version),
+ SOUP_STATUS_BAD_REQUEST,
+@@ -457,6 +461,13 @@ static struct RequestTest {
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
++ },
++
++ { "Only newlines", NULL,
++ only_newlines, sizeof (only_newlines),
++ SOUP_STATUS_BAD_REQUEST,
++ NULL, NULL, -1,
++ { { NULL } }
+ }
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
index 4b723d3150..a5b6c2f039 100644
--- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
@@ -19,6 +19,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2024-52531-1.patch \
file://CVE-2024-52531-2.patch \
file://CVE-2024-52531-3.patch \
+ file://CVE-2025-32906-1.patch \
+ file://CVE-2025-32906-2.patch \
"
SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 07/15] libsoup: Fix CVE-2025-32909
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (5 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 06/15] libsoup: Fix CVE-2025-32906 Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 08/15] libsoup: Fix CVE-2025-32910 Steve Sakoman
` (7 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/comm
it/ba4c3a6f988beff59e45801ab36067293d24ce92
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup/libsoup/CVE-2025-32909.patch | 36 +++++++++++++++++++
meta/recipes-support/libsoup/libsoup_3.0.7.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32909.patch
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32909.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32909.patch
new file mode 100644
index 0000000000..8982da58f1
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32909.patch
@@ -0,0 +1,36 @@
+From ba4c3a6f988beff59e45801ab36067293d24ce92 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 8 Jan 2025 16:30:17 -0600
+Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than 4
+ bytes
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92]
+CVE: CVE-2025-32909
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/content-sniffer/soup-content-sniffer.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
+index 5a181ff1..aeee2e25 100644
+--- a/libsoup/content-sniffer/soup-content-sniffer.c
++++ b/libsoup/content-sniffer/soup-content-sniffer.c
+@@ -243,9 +243,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, GBytes *buffer)
+ gsize resource_length;
+ const char *resource = g_bytes_get_data (buffer, &resource_length);
+ resource_length = MIN (512, resource_length);
+- guint32 box_size = *((guint32*)resource);
++ guint32 box_size;
+ guint i;
+
++ if (resource_length < sizeof (guint32))
++ return FALSE;
++
++ box_size = *((guint32*)resource);
++
+ #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
+ box_size = ((box_size >> 24) |
+ ((box_size << 8) & 0x00FF0000) |
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
index a5b6c2f039..4fa8fce1c4 100644
--- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2024-52531-3.patch \
file://CVE-2025-32906-1.patch \
file://CVE-2025-32906-2.patch \
+ file://CVE-2025-32909.patch \
"
SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 08/15] libsoup: Fix CVE-2025-32910
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (6 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 07/15] libsoup: Fix CVE-2025-32909 Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 09/15] libsoup: Fix CVE-2025-32911 & CVE-2025-32913 Steve Sakoman
` (6 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from
https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe
&
https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a
& https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup/libsoup/CVE-2025-32910-1.patch | 98 ++++++++++++
.../libsoup/libsoup/CVE-2025-32910-2.patch | 149 ++++++++++++++++++
.../libsoup/libsoup/CVE-2025-32910-3.patch | 27 ++++
meta/recipes-support/libsoup/libsoup_3.0.7.bb | 3 +
4 files changed, 277 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32910-3.patch
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32910-1.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32910-1.patch
new file mode 100644
index 0000000000..27011f587f
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32910-1.patch
@@ -0,0 +1,98 @@
+From e40df6d48a1cbab56f5d15016cc861a503423cfe Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Sun, 8 Dec 2024 20:00:35 -0600
+Subject: [PATCH] auth-digest: Handle missing realm in authenticate header
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/auth/soup-auth-digest.c | 3 ++
+ tests/auth-test.c | 50 +++++++++++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+
+diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
+index 2e81849af..4f12e87a5 100644
+--- a/libsoup/auth/soup-auth-digest.c
++++ b/libsoup/auth/soup-auth-digest.c
+@@ -148,6 +148,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ guint qop_options;
+ gboolean ok = TRUE;
+
++ if (!soup_auth_get_realm (auth))
++ return FALSE;
++
+ g_free (priv->domain);
+ g_free (priv->nonce);
+ g_free (priv->opaque);
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 158fdac10..3066e904a 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1866,6 +1866,55 @@ do_multiple_digest_algorithms (void)
+ soup_test_server_quit_unref (server);
+ }
+
++static void
++on_request_read_for_missing_realm (SoupServer *server,
++ SoupServerMessage *msg,
++ gpointer user_data)
++{
++ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
++ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
++}
++
++static void
++do_missing_realm_test (void)
++{
++ SoupSession *session;
++ SoupMessage *msg;
++ SoupServer *server;
++ SoupAuthDomain *digest_auth_domain;
++ gint status;
++ GUri *uri;
++
++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
++ soup_server_add_handler (server, NULL,
++ server_callback, NULL, NULL);
++ uri = soup_test_server_get_uri (server, "http", NULL);
++
++ digest_auth_domain = soup_auth_domain_digest_new (
++ "realm", "auth-test",
++ "auth-callback", server_digest_auth_callback,
++ NULL);
++ soup_auth_domain_add_path (digest_auth_domain, "/");
++ soup_server_add_auth_domain (server, digest_auth_domain);
++ g_object_unref (digest_auth_domain);
++
++ g_signal_connect (server, "request-read",
++ G_CALLBACK (on_request_read_for_missing_realm),
++ NULL);
++
++ session = soup_test_session_new (NULL);
++ msg = soup_message_new_from_uri ("GET", uri);
++ g_signal_connect (msg, "authenticate",
++ G_CALLBACK (on_digest_authenticate),
++ NULL);
++
++ status = soup_test_session_send_message (session, msg);
++
++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
++ g_uri_unref (uri);
++ soup_test_server_quit_unref (server);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -1899,6 +1948,7 @@ main (int argc, char **argv)
+ g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
+ g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
+ g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+
+ ret = g_test_run ();
+
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32910-2.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32910-2.patch
new file mode 100644
index 0000000000..b62e09cbdb
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32910-2.patch
@@ -0,0 +1,149 @@
+From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Thu, 26 Dec 2024 18:18:35 -0600
+Subject: [PATCH] auth-digest: Handle missing nonce
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/auth/soup-auth-digest.c | 45 +++++++++++++++++++++++++--------
+ tests/auth-test.c | 19 ++++++++------
+ 2 files changed, 46 insertions(+), 18 deletions(-)
+
+diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
+index 4f12e87a..350bfde6 100644
+--- a/libsoup/auth/soup-auth-digest.c
++++ b/libsoup/auth/soup-auth-digest.c
+@@ -138,6 +138,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
+ return g_string_free (out, FALSE);
+ }
+
++static gboolean
++validate_params (SoupAuthDigest *auth_digest)
++{
++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
++
++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
++ if (!priv->nonce)
++ return FALSE;
++ }
++
++ return TRUE;
++}
++
+ static gboolean
+ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ GHashTable *auth_params)
+@@ -175,16 +188,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ if (priv->algorithm == -1)
+ ok = FALSE;
+
+- stale = g_hash_table_lookup (auth_params, "stale");
+- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+- recompute_hex_a1 (priv);
+- else {
+- g_free (priv->user);
+- priv->user = NULL;
+- g_free (priv->cnonce);
+- priv->cnonce = NULL;
+- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
++ if (!validate_params (auth_digest))
++ ok = FALSE;
++
++ if (ok) {
++ stale = g_hash_table_lookup (auth_params, "stale");
++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
++ recompute_hex_a1 (priv);
++ else {
++ g_free (priv->user);
++ priv->user = NULL;
++ g_free (priv->cnonce);
++ priv->cnonce = NULL;
++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
++ }
+ }
+
+ return ok;
+@@ -276,6 +294,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,
+
+ /* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+
++ g_assert (nonce && cnonce);
++
+ checksum = g_checksum_new (G_CHECKSUM_MD5);
+ g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
+ g_checksum_update (checksum, (guchar *)":", 1);
+@@ -366,6 +386,8 @@ soup_auth_digest_compute_response (const char *method,
+ if (qop) {
+ char tmp[9];
+
++ g_assert (cnonce);
++
+ g_snprintf (tmp, 9, "%.8x", nc);
+ g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
+ g_checksum_update (checksum, (guchar *)":", 1);
+@@ -429,6 +451,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
+ g_return_val_if_fail (uri != NULL, NULL);
+ url = soup_uri_get_path_and_query (uri);
+
++ g_assert (priv->nonce);
++ g_assert (!priv->qop || priv->cnonce);
++
+ soup_auth_digest_compute_response (soup_message_get_method (msg), url, priv->hex_a1,
+ priv->qop, priv->nonce,
+ priv->cnonce, priv->nc,
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 3066e904..c651c7cd 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1867,16 +1867,17 @@ do_multiple_digest_algorithms (void)
+ }
+
+ static void
+-on_request_read_for_missing_realm (SoupServer *server,
+- SoupServerMessage *msg,
+- gpointer user_data)
++on_request_read_for_missing_params (SoupServer *server,
++ SoupServerMessage *msg,
++ gpointer user_data)
+ {
++ const char *auth_header = user_data;
+ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
++ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
+ }
+
+ static void
+-do_missing_realm_test (void)
++do_missing_params_test (gconstpointer auth_header)
+ {
+ SoupSession *session;
+ SoupMessage *msg;
+@@ -1899,8 +1900,8 @@ do_missing_realm_test (void)
+ g_object_unref (digest_auth_domain);
+
+ g_signal_connect (server, "request-read",
+- G_CALLBACK (on_request_read_for_missing_realm),
+- NULL);
++ G_CALLBACK (on_request_read_for_missing_params),
++ (gpointer)auth_header);
+
+ session = soup_test_session_new (NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+@@ -1948,7 +1949,9 @@ main (int argc, char **argv)
+ g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
+ g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
+ g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
+- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
++ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+
+ ret = g_test_run ();
+
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32910-3.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32910-3.patch
new file mode 100644
index 0000000000..32e0c86e62
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32910-3.patch
@@ -0,0 +1,27 @@
+From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 13:52:52 -0600
+Subject: [PATCH] auth-digest: Fix leak
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/auth/soup-auth-digest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
+index 350bfde6..9eb7fa0e 100644
+--- a/libsoup/auth/soup-auth-digest.c
++++ b/libsoup/auth/soup-auth-digest.c
+@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object)
+ g_free (priv->nonce);
+ g_free (priv->domain);
+ g_free (priv->cnonce);
++ g_free (priv->opaque);
+
+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
index 4fa8fce1c4..2c05ef338e 100644
--- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
@@ -22,6 +22,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32906-1.patch \
file://CVE-2025-32906-2.patch \
file://CVE-2025-32909.patch \
+ file://CVE-2025-32910-1.patch \
+ file://CVE-2025-32910-2.patch \
+ file://CVE-2025-32910-3.patch \
"
SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 09/15] libsoup: Fix CVE-2025-32911 & CVE-2025-32913
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (7 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 08/15] libsoup: Fix CVE-2025-32910 Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 10/15] libsoup: Fix CVE-2025-32912 Steve Sakoman
` (5 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from
https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34
& https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../CVE-2025-32911_CVE-2025-32913-1.patch | 72 +++++++++++++++++++
.../CVE-2025-32911_CVE-2025-32913-2.patch | 44 ++++++++++++
meta/recipes-support/libsoup/libsoup_3.0.7.bb | 2 +
3 files changed, 118 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-2.patch
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-1.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-1.patch
new file mode 100644
index 0000000000..4e1d8212f5
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-1.patch
@@ -0,0 +1,72 @@
+From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 17:53:50 -0600
+Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34]
+CVE: CVE-2025-32911 CVE-2025-32913 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-message-headers.c | 13 +++++++++----
+ tests/header-parsing-test.c | 14 ++++++++++++++
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
+index 56cc1e9d..04f4c302 100644
+--- a/libsoup/soup-message-headers.c
++++ b/libsoup/soup-message-headers.c
+@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
+ */
+ if (params && g_hash_table_lookup_extended (*params, "filename",
+ &orig_key, &orig_value)) {
+- char *filename = strrchr (orig_value, '/');
+-
+- if (filename)
+- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
++ if (orig_value) {
++ char *filename = strrchr (orig_value, '/');
++
++ if (filename)
++ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
++ } else {
++ /* filename with no value isn't valid. */
++ g_hash_table_remove (*params, "filename");
++ }
+ }
+ return TRUE;
+ }
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 5e423d2b..d0b360c8 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -1039,6 +1039,7 @@ do_param_list_tests (void)
+ #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
+ #define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\""
+ #define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar"
++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename"
+
+ static void
+ do_content_disposition_tests (void)
+@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void)
+ g_assert_cmpstr (parameter2, ==, "bar");
+ g_hash_table_destroy (params);
+
++ /* Empty filename */
++ soup_message_headers_clear (hdrs);
++ soup_message_headers_append (hdrs, "Content-Disposition",
++ RFC5987_TEST_HEADER_EMPTY_FILENAME);
++ if (!soup_message_headers_get_content_disposition (hdrs,
++ &disposition,
++ ¶ms)) {
++ soup_test_assert (FALSE, "empty filename decoding FAILED");
++ return;
++ }
++ g_assert_false (g_hash_table_contains (params, "filename"));
++ g_hash_table_destroy (params);
++
+ soup_message_headers_unref (hdrs);
+
+ /* Ensure that soup-multipart always quotes filename */
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-2.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-2.patch
new file mode 100644
index 0000000000..5d9f33c736
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32911_CVE-2025-32913-2.patch
@@ -0,0 +1,44 @@
+From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 18:00:39 -0600
+Subject: [PATCH] soup_message_headers_get_content_disposition: strdup
+ truncated filenames
+
+This table frees the strings it contains.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0]
+CVE: CVE-2025-32911 CVE-2025-32913
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-message-headers.c | 2 +-
+ tests/header-parsing-test.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
+index 04f4c302..ee7a3cb1 100644
+--- a/libsoup/soup-message-headers.c
++++ b/libsoup/soup-message-headers.c
+@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
+ char *filename = strrchr (orig_value, '/');
+
+ if (filename)
+- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
+ } else {
+ /* filename with no value isn't valid. */
+ g_hash_table_remove (*params, "filename");
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index d0b360c8..07ea2866 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void)
+ soup_test_assert (FALSE, "empty filename decoding FAILED");
+ return;
+ }
++ g_free (disposition);
+ g_assert_false (g_hash_table_contains (params, "filename"));
+ g_hash_table_destroy (params);
+
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
index 2c05ef338e..f5877c3419 100644
--- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
@@ -25,6 +25,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32910-1.patch \
file://CVE-2025-32910-2.patch \
file://CVE-2025-32910-3.patch \
+ file://CVE-2025-32911_CVE-2025-32913-1.patch \
+ file://CVE-2025-32911_CVE-2025-32913-2.patch \
"
SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 10/15] libsoup: Fix CVE-2025-32912
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (8 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 09/15] libsoup: Fix CVE-2025-32911 & CVE-2025-32913 Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 11/15] libsoup: Fix CVE-2025-32914 Steve Sakoman
` (4 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from
https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992
& https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup/libsoup/CVE-2025-32912-1.patch | 41 +++++++++++++++++++
.../libsoup/libsoup/CVE-2025-32912-2.patch | 30 ++++++++++++++
meta/recipes-support/libsoup/libsoup_3.0.7.bb | 2 +
3 files changed, 73 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32912-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32912-2.patch
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32912-1.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32912-1.patch
new file mode 100644
index 0000000000..c35c599502
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32912-1.patch
@@ -0,0 +1,41 @@
+From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 5 Feb 2025 14:03:05 -0600
+Subject: [PATCH] auth-digest: Handle missing nonce
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992]
+CVE: CVE-2025-32912
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/auth/soup-auth-digest.c | 2 +-
+ tests/auth-test.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
+index 9eb7fa0e..d69a4013 100644
+--- a/libsoup/auth/soup-auth-digest.c
++++ b/libsoup/auth/soup-auth-digest.c
+@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ guint qop_options;
+ gboolean ok = TRUE;
+
+- if (!soup_auth_get_realm (auth))
++ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
+ return FALSE;
+
+ g_free (priv->domain);
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index c651c7cd..484097f1 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1952,6 +1952,7 @@ main (int argc, char **argv)
+ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
++ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test);
+
+ ret = g_test_run ();
+
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32912-2.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32912-2.patch
new file mode 100644
index 0000000000..ad6f3a8028
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32912-2.patch
@@ -0,0 +1,30 @@
+From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Sat, 8 Feb 2025 12:30:13 -0600
+Subject: [PATCH] digest-auth: Handle NULL nonce
+
+`contains` only handles a missing nonce, `lookup` handles both missing and empty.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f]
+CVE: CVE-2025-32912
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/auth/soup-auth-digest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
+index d69a4013..dc4dbfc5 100644
+--- a/libsoup/auth/soup-auth-digest.c
++++ b/libsoup/auth/soup-auth-digest.c
+@@ -162,7 +162,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ guint qop_options;
+ gboolean ok = TRUE;
+
+- if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
++ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))
+ return FALSE;
+
+ g_free (priv->domain);
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
index f5877c3419..dbf437c42f 100644
--- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
@@ -27,6 +27,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32910-3.patch \
file://CVE-2025-32911_CVE-2025-32913-1.patch \
file://CVE-2025-32911_CVE-2025-32913-2.patch \
+ file://CVE-2025-32912-1.patch \
+ file://CVE-2025-32912-2.patch \
"
SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 11/15] libsoup: Fix CVE-2025-32914
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (9 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 10/15] libsoup: Fix CVE-2025-32912 Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 12/15] scripts/install-buildtools: Update to 4.0.26 Steve Sakoman
` (3 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup/libsoup/CVE-2025-32914.patch | 111 ++++++++++++++++++
meta/recipes-support/libsoup/libsoup_3.0.7.bb | 1 +
2 files changed, 112 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32914.patch
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32914.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32914.patch
new file mode 100644
index 0000000000..0ada9f3134
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32914.patch
@@ -0,0 +1,111 @@
+From 5bfcf8157597f2d327050114fb37ff600004dbcf Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Tue, 15 Apr 2025 09:03:00 +0200
+Subject: [PATCH] multipart: Fix read out of buffer bounds under
+ soup_multipart_new_from_message()
+
+This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
+of the body argument.
+
+Closes #436
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]
+CVE: CVE-2025-32914
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-multipart.c | 2 +-
+ tests/multipart-test.c | 58 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index 2421c91f8..102ce3722 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -173,7 +173,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ return NULL;
+ }
+
+- split = strstr (start, "\r\n\r\n");
++ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
+ if (!split || split > end) {
+ soup_multipart_free (multipart);
+ return NULL;
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 2c0e7e969..f5b986889 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -471,6 +471,62 @@ test_multipart (gconstpointer data)
+ loop = NULL;
+ }
+
++static void
++test_multipart_bounds_good (void)
++{
++ #define TEXT "line1\r\nline2"
++ SoupMultipart *multipart;
++ SoupMessageHeaders *headers, *set_headers = NULL;
++ GBytes *bytes, *set_bytes = NULL;
++ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
++ gboolean success;
++
++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++ bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++ multipart = soup_multipart_new_from_message (headers, bytes);
++
++ g_assert_nonnull (multipart);
++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
++ success = soup_multipart_get_part (multipart, 0, &set_headers, &set_bytes);
++ g_assert_true (success);
++ g_assert_nonnull (set_headers);
++ g_assert_nonnull (set_bytes);
++ g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes));
++ g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
++ g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes));
++
++ soup_message_headers_unref (headers);
++ g_bytes_unref (bytes);
++
++ soup_multipart_free (multipart);
++
++ #undef TEXT
++}
++
++static void
++test_multipart_bounds_bad (void)
++{
++ SoupMultipart *multipart;
++ SoupMessageHeaders *headers;
++ GBytes *bytes;
++ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
++
++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++ bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++ /* it did read out of raw_data/bytes bounds */
++ multipart = soup_multipart_new_from_message (headers, bytes);
++ g_assert_null (multipart);
++
++ soup_message_headers_unref (headers);
++ g_bytes_unref (bytes);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -498,6 +554,8 @@ main (int argc, char **argv)
+ g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
+ g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
+ g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
++ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
++ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+
+ ret = g_test_run ();
+
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
index dbf437c42f..87ffb34f7d 100644
--- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
@@ -29,6 +29,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32911_CVE-2025-32913-2.patch \
file://CVE-2025-32912-1.patch \
file://CVE-2025-32912-2.patch \
+ file://CVE-2025-32914.patch \
"
SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 12/15] scripts/install-buildtools: Update to 4.0.26
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (10 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 11/15] libsoup: Fix CVE-2025-32914 Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 13/15] glibc: stable 2.35 branch updates Steve Sakoman
` (2 subsequent siblings)
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Update to the 4.0.26 release of the 4.0 series for buildtools
Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/install-buildtools | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/install-buildtools b/scripts/install-buildtools
index 56b22e4270..8e55bd69c8 100755
--- a/scripts/install-buildtools
+++ b/scripts/install-buildtools
@@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout)
DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools')
DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto'
-DEFAULT_RELEASE = 'yocto-4.0.24'
-DEFAULT_INSTALLER_VERSION = '4.0.24'
+DEFAULT_RELEASE = 'yocto-4.0.26'
+DEFAULT_INSTALLER_VERSION = '4.0.26'
DEFAULT_BUILDDATE = '202110XX'
# Python version sanity check
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 13/15] glibc: stable 2.35 branch updates
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (11 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 12/15] scripts/install-buildtools: Update to 4.0.26 Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 14/15] module.bbclass: add KBUILD_EXTRA_SYMBOLS to install Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 15/15] perl: enable _GNU_SOURCE define via d_gnulibc Steve Sakoman
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
d2febe7c40 math: Improve layout of exp/exp10 data
20b5d5ce26 AArch64: Use prefer_sve_ifuncs for SVE memset
9569a67a58 AArch64: Add SVE memset
59f67e1b82 math: Improve layout of expf data
904c58e47b AArch64: Remove zva_128 from memset
8042d17638 AArch64: Optimize memset
be451d6053 AArch64: Improve generic strlen
8b3d09dc0d assert: Add test for CVE-2025-0395
29d9b1e59e assert: Reformat Makefile.
Testresults:
Before update |After update |Difference
PASS: 4832 |PASS:4833 |PASS: +1
FAIL: 132 |FAIL:132 |FAIL: 0
XPASS: 6 |XPASS:6 |XPASS: 0
XFAIL: 16 |XFAIL:16 |XFAIL: 0
UNSUPPORTED: 200|UNSUPPORTED:200 |UNSUPPORTED: 0
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/glibc/glibc-version.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index d98b6a4911..34b199c02b 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
SRCBRANCH ?= "release/2.35/master"
PV = "2.35"
-SRCREV_glibc ?= "549d8315791aa8176ff1537db3e09c185c6e602f"
+SRCREV_glibc ?= "d2febe7c407665c18cfea1930c65f41899ab3aa3"
SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 14/15] module.bbclass: add KBUILD_EXTRA_SYMBOLS to install
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (12 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 13/15] glibc: stable 2.35 branch updates Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
2025-05-13 19:08 ` [OE-core][kirkstone 15/15] perl: enable _GNU_SOURCE define via d_gnulibc Steve Sakoman
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Alon Bar-Lev <alon.barlev@gmail.com>
Symbols are used during install as well, adding KBUILD_EXTRA_SYMBOLS enables
successful installation.
| DEBUG: Executing shell function do_install
| NOTE: make -j 22 KERNEL_SRC=xxx/kernel-source -C xxx/drivers
KDIR=xxx/kernel-source DEPMOD=echo
MODLIB=xxx/image/lib/modules/6.6.75-yocto-standard-00189-g530c419bc9db
INSTALL_FW_PATH=xxx/image/lib/firmware CC=aarch64-poky-linux-gcc
-fuse-ld=bfd -fcanon-prefix-map LD=aarch64-poky-linux-ld.bfd
OBJCOPY=aarch64-poky-linux-objcopy STRIP=aarch64-poky-linux-strip
O=xxx/kernel-build-artifacts modules_install
| make: Entering directory 'xxx/drivers'
| make -C xxx/kernel-source M=xxx/drivers modules
| make[1]: Entering directory 'xxx/kernel-source'
| make[2]: Entering directory 'xxx/kernel-build-artifacts'
| MODPOST xxx/drivers/Module.symvers
| ERROR: modpost: "xxx" [xxx/xxx.ko] undefined!
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0ef80eeda967a9e04ff91c3583aabbc35c9868e8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/module.bbclass | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/classes/module.bbclass b/meta/classes/module.bbclass
index a09ec3ed1e..2315f3c834 100644
--- a/meta/classes/module.bbclass
+++ b/meta/classes/module.bbclass
@@ -51,6 +51,7 @@ module_do_install() {
INSTALL_FW_PATH="${D}${nonarch_base_libdir}/firmware" \
CC="${KERNEL_CC}" LD="${KERNEL_LD}" \
O=${STAGING_KERNEL_BUILDDIR} \
+ KBUILD_EXTRA_SYMBOLS="${KBUILD_EXTRA_SYMBOLS}" \
${MODULES_INSTALL_TARGET}
if [ ! -e "${B}/${MODULES_MODULE_SYMVERS_LOCATION}/Module.symvers" ] ; then
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][kirkstone 15/15] perl: enable _GNU_SOURCE define via d_gnulibc
2025-05-13 19:07 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
` (13 preceding siblings ...)
2025-05-13 19:08 ` [OE-core][kirkstone 14/15] module.bbclass: add KBUILD_EXTRA_SYMBOLS to install Steve Sakoman
@ 2025-05-13 19:08 ` Steve Sakoman
14 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2025-05-13 19:08 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
This is needed to properly support memmem() and friends under musl
as musl guards the declarations with _GNU_SOURCE define, and if the
declarations are not present, gcc will issue warnings and generate
assembly that assumes the functions return int (instead of e.g.
void*), with catastrophic consequences at runtime.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6422e62fbc5c65a2165a72c97c880cfa9a80e957)
Signed-off-by: Peter Hurley <peter@meraki.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/perl/perl_5.34.3.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/perl/perl_5.34.3.bb b/meta/recipes-devtools/perl/perl_5.34.3.bb
index f6ebbf2d16..c8475fc450 100644
--- a/meta/recipes-devtools/perl/perl_5.34.3.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.3.bb
@@ -70,6 +70,7 @@ do_configure:class-target() {
-Dlibpth='${libdir} ${base_libdir}' \
-Dglibpth='${libdir} ${base_libdir}' \
-Alddlflags=' ${LDFLAGS}' \
+ -Dd_gnulibc=define \
${PACKAGECONFIG_CONFARGS}
#perl.c uses an ARCHLIB_EXP define to generate compile-time code that
--
2.43.0
^ permalink raw reply related [flat|nested] 25+ messages in thread