From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/12] libsoup: fix CVE-2025-32908
Date: Fri, 6 Jun 2025 08:59:54 -0700
Message-ID: <ff7440fddf5ada072f60cc25f3670cbb74f58167.1749225418.git.steve@sakoman.com>
In-Reply-To: <cover.1749225417.git.steve@sakoman.com>
From: Changqing Li <changqing.li@windriver.com>
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/429
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup-3.4.4/CVE-2025-32908-1.patch | 89 +++++++++++++++++++
.../libsoup-3.4.4/CVE-2025-32908-2.patch | 53 +++++++++++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 4 +-
3 files changed, 145 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-2.patch
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-1.patch
new file mode 100644
index 0000000000..8ad0e16d45
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-1.patch
@@ -0,0 +1,89 @@
+From 56b8eb061a02c4e99644d6f1e62e601d0d814beb Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Tue, 15 Apr 2025 09:59:05 +0200
+Subject: [PATCH 1/2] soup-server-http2: Check validity of the constructed
+ connection URI
+
+The HTTP/2 pseudo-headers can contain invalid values, which the GUri rejects
+and returns NULL, but the soup-server did not check the validity and could
+abort the server itself later in the code.
+
+Closes #429
+
+CVE: CVE-2025-32908
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/451/diffs?commit_id=a792b23ab87cacbf4dd9462bf7b675fa678efbae]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ .../http2/soup-server-message-io-http2.c | 4 +++
+ tests/http2-test.c | 28 +++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
+index 943ecfd..f1fe2d5 100644
+--- a/libsoup/server/http2/soup-server-message-io-http2.c
++++ b/libsoup/server/http2/soup-server-message-io-http2.c
+@@ -771,9 +771,13 @@ on_frame_recv_callback (nghttp2_session *session,
+ char *uri_string;
+ GUri *uri;
+
++ if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
++ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
+ uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
+ g_free (uri_string);
++ if (uri == NULL)
++ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ soup_server_message_set_uri (msg_io->msg, uri);
+ g_uri_unref (uri);
+
+diff --git a/tests/http2-test.c b/tests/http2-test.c
+index ef097f4..df86d9b 100644
+--- a/tests/http2-test.c
++++ b/tests/http2-test.c
+@@ -1241,6 +1241,30 @@ do_connection_closed_test (Test *test, gconstpointer data)
+ g_uri_unref (uri);
+ }
+
++static void
++do_broken_pseudo_header_test (Test *test, gconstpointer data)
++{
++ char *path;
++ SoupMessage *msg;
++ GUri *uri;
++ GBytes *body = NULL;
++ GError *error = NULL;
++
++ uri = g_uri_parse_relative (base_uri, "/ag", SOUP_HTTP_URI_FLAGS, NULL);
++
++ /* an ugly cheat to construct a broken URI, which can be sent from other libs */
++ path = (char *) g_uri_get_path (uri);
++ path[1] = '%';
++
++ msg = soup_message_new_from_uri (SOUP_METHOD_GET, uri);
++ body = soup_test_session_async_send (test->session, msg, NULL, &error);
++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_PARTIAL_INPUT);
++ g_assert_null (body);
++ g_clear_error (&error);
++ g_object_unref (msg);
++ g_uri_unref (uri);
++}
++
+ static gboolean
+ unpause_message (SoupServerMessage *msg)
+ {
+@@ -1549,6 +1573,10 @@ main (int argc, char **argv)
+ setup_session,
+ do_connection_closed_test,
+ teardown_session);
++ g_test_add ("/http2/broken-pseudo-header", Test, NULL,
++ setup_session,
++ do_broken_pseudo_header_test,
++ teardown_session);
+
+ ret = g_test_run ();
+
+--
+2.34.1
+
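Review bot: The two early returns added to on_frame_recv_callback in CVE-2025-32908-1.patch (the NULL check on scheme/authority/path and the `uri == NULL` check) exit without decrementing `io->in_callback`, and the first check also rejects CONNECT requests, which carry no scheme or path. Both problems are only corrected by CVE-2025-32908-2.patch, so this patch should not be carried on its own. Add a line to its header stating that it requires CVE-2025-32908-2.patch, so a later rebase or cherry-pick of the recipe does not drop the follow-up.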
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-2.patch
new file mode 100644
index 0000000000..b53c7efb7b
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32908-2.patch
@@ -0,0 +1,53 @@
+From aad0dcf22ee9fdfefa6b72055268240cceccfe4c Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Mon, 28 Apr 2025 10:55:42 +0200
+Subject: [PATCH 2/2] soup-server-http2: Correct check of the validity of the
+ constructed connection URI
+
+RFC 5740: the CONNECT has unset the "scheme" and "path", thus allow them unset.
+
+The commit a792b23ab87cacbf4dd9462bf7b675fa678efbae also missed to decrement
+the `io->in_callback` in the early returns.
+
+Related to #429
+
+CVE: CVE-2025-32908
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/453/diffs?commit_id=527428a033df573ef4558ce1106e080fd9ec5c71]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ .../server/http2/soup-server-message-io-http2.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
+index f1fe2d5..913afb4 100644
+--- a/libsoup/server/http2/soup-server-message-io-http2.c
++++ b/libsoup/server/http2/soup-server-message-io-http2.c
+@@ -771,13 +771,18 @@ on_frame_recv_callback (nghttp2_session *session,
+ char *uri_string;
+ GUri *uri;
+
+- if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
+- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+- uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
++ if (msg_io->authority == NULL) {
++ io->in_callback--;
++ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
++ }
++ /* RFC 5740: the CONNECT has unset the "scheme" and "path", but the GUri requires the scheme, thus let it be "(null)" */
++ uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path == NULL ? "" : msg_io->path);
+ uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
+ g_free (uri_string);
+- if (uri == NULL)
+- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
++ if (uri == NULL) {
++ io->in_callback--;
++ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
++ }
+ soup_server_message_set_uri (msg_io->msg, uri);
+ g_uri_unref (uri);
+
+--
+2.34.1
+
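Review bot: In the rewritten g_strdup_printf call, `msg_io->path` is guarded with `== NULL ? "" :` but `msg_io->scheme` is still passed to "%s" unguarded, and the comment above it relies on a NULL argument being formatted as "(null)". Passing NULL for "%s" is undefined behaviour in C, so the result depends on the printf implementation in use. Suggest raising upstream that the scheme be substituted explicitly for CONNECT, the same way the path is, rather than depending on that formatting. The comment and commit message also cite "RFC 5740", while HTTP/2 is specified in RFC 7540; worth correcting upstream so the reference can be followed.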
diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
index 21a1bbe6cd..c19be9b5f4 100644
--- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -32,7 +32,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32914.patch \
file://CVE-2025-4476.patch \
file://CVE-2025-4969.patch \
- "
+ file://CVE-2025-32908-1.patch \
+ file://CVE-2025-32908-2.patch \
+"
SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
PROVIDES = "libsoup-3.0"
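Review bot: The closing quote of SRC_URI at the end of this hunk loses the leading whitespace it had in the removed line (`- "` becomes `+"`), which is an unrelated formatting change in a CVE backport. Keep the quote indented as before so the hunk consists only of the two added `file://CVE-2025-32908-*.patch` entries. The order of the entries (-1 before -2) is correct and needs to stay that way, since the second patch modifies lines introduced by the first.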
--
2.43.0