mirror of
https://git.yoctoproject.org/poky
synced 2026-04-25 15:32:13 +02:00
libsoup: Fix CVE-2025-2784
Upstream-Status: Backport [242a10fbb1&c415ad0b67] https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435 (From OE-Core rev: b51135e1f7eaa20c97e54f5c52b98963819127e9) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Vijay Anusuri
committed by
Steve Sakoman
Steve Sakoman
parent
f49fc9966d
commit
07f522869c
73
meta/recipes-support/libsoup/libsoup/CVE-2025-2784-1.patch
Normal file
73
meta/recipes-support/libsoup/libsoup/CVE-2025-2784-1.patch
Normal file
@@ -0,0 +1,73 @@
|
||||
From 242a10fbb12dbdc12d254bd8fc8669a0ac055304 Mon Sep 17 00:00:00 2001
|
||||
From: Patrick Griffis <pgriffis@igalia.com>
|
||||
Date: Wed, 5 Feb 2025 14:39:42 -0600
|
||||
Subject: [PATCH] sniffer: Fix potential overflow
|
||||
|
||||
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/242a10fbb12dbdc12d254bd8fc8669a0ac055304]
|
||||
CVE: CVE-2025-2784
|
||||
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||
---
|
||||
libsoup/content-sniffer/soup-content-sniffer.c | 2 +-
|
||||
tests/meson.build | 4 +++-
|
||||
tests/sniffing-test.c | 5 +++++
|
||||
tests/soup-tests.gresource.xml | 1 +
|
||||
4 files changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
|
||||
index d7c46c8..648ea04 100644
|
||||
--- a/libsoup/content-sniffer/soup-content-sniffer.c
|
||||
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
|
||||
@@ -666,7 +666,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
|
||||
pos = 3;
|
||||
|
||||
look_for_tag:
|
||||
- if (pos > resource_length)
|
||||
+ if (pos >= resource_length)
|
||||
goto text_html;
|
||||
|
||||
if (skip_insignificant_space (resource, &pos, resource_length))
|
||||
diff --git a/tests/meson.build b/tests/meson.build
|
||||
index 7851e57..450becb 100644
|
||||
--- a/tests/meson.build
|
||||
+++ b/tests/meson.build
|
||||
@@ -92,7 +92,9 @@ tests = [
|
||||
{'name': 'session'},
|
||||
{'name': 'server-auth'},
|
||||
{'name': 'server'},
|
||||
- {'name': 'sniffing'},
|
||||
+ {'name': 'sniffing',
|
||||
+ 'depends': [test_resources],
|
||||
+ },
|
||||
{'name': 'socket'},
|
||||
{'name': 'ssl',
|
||||
'dependencies': [gnutls_dep],
|
||||
diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
|
||||
index 6116719..b542817 100644
|
||||
--- a/tests/sniffing-test.c
|
||||
+++ b/tests/sniffing-test.c
|
||||
@@ -512,6 +512,11 @@ main (int argc, char **argv)
|
||||
"type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
|
||||
do_sniffing_test);
|
||||
|
||||
+ /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
|
||||
+ g_test_add_data_func ("/sniffing/whitespace",
|
||||
+ "type/text_html/whitespace.html => text/html",
|
||||
+ do_sniffing_test);
|
||||
+
|
||||
/* Test that disabling the sniffer works correctly */
|
||||
g_test_add_data_func ("/sniffing/disabled",
|
||||
"/text_or_binary/home.gif",
|
||||
diff --git a/tests/soup-tests.gresource.xml b/tests/soup-tests.gresource.xml
|
||||
index 9c08d17..cbef1d4 100644
|
||||
--- a/tests/soup-tests.gresource.xml
|
||||
+++ b/tests/soup-tests.gresource.xml
|
||||
@@ -25,5 +25,6 @@
|
||||
<file>resources/text.txt</file>
|
||||
<file>resources/text_binary.txt</file>
|
||||
<file>resources/tux.webp</file>
|
||||
+ <file>resources/whitespace.html</file>
|
||||
</gresource>
|
||||
</gresources>
|
||||
--
|
||||
2.25.1
|
||||
|
||||
140
meta/recipes-support/libsoup/libsoup/CVE-2025-2784-2.patch
Normal file
140
meta/recipes-support/libsoup/libsoup/CVE-2025-2784-2.patch
Normal file
@@ -0,0 +1,140 @@
|
||||
From c415ad0b6771992e66c70edf373566c6e247089d Mon Sep 17 00:00:00 2001
|
||||
From: Patrick Griffis <pgriffis@igalia.com>
|
||||
Date: Tue, 18 Feb 2025 14:29:50 -0600
|
||||
Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
|
||||
|
||||
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d]
|
||||
CVE: CVE-2025-2784
|
||||
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||
---
|
||||
.../content-sniffer/soup-content-sniffer.c | 10 ++--
|
||||
tests/sniffing-test.c | 53 +++++++++++++++++--
|
||||
tests/soup-tests.gresource.xml | 1 -
|
||||
3 files changed, 53 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
|
||||
index 648ea04..ebe8f6d 100644
|
||||
--- a/libsoup/content-sniffer/soup-content-sniffer.c
|
||||
+++ b/libsoup/content-sniffer/soup-content-sniffer.c
|
||||
@@ -635,8 +635,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, GBytes *buffer)
|
||||
}
|
||||
|
||||
static gboolean
|
||||
-skip_insignificant_space (const char *resource, int *pos, int resource_length)
|
||||
+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
|
||||
{
|
||||
+ if (*pos >= resource_length)
|
||||
+ return TRUE;
|
||||
+
|
||||
while ((resource[*pos] == '\x09') ||
|
||||
(resource[*pos] == '\x20') ||
|
||||
(resource[*pos] == '\x0A') ||
|
||||
@@ -656,7 +659,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
|
||||
gsize resource_length;
|
||||
const char *resource = g_bytes_get_data (buffer, &resource_length);
|
||||
resource_length = MIN (512, resource_length);
|
||||
- int pos = 0;
|
||||
+ gsize pos = 0;
|
||||
|
||||
if (resource_length < 3)
|
||||
goto text_html;
|
||||
@@ -666,9 +669,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, GBytes *buffer)
|
||||
pos = 3;
|
||||
|
||||
look_for_tag:
|
||||
- if (pos >= resource_length)
|
||||
- goto text_html;
|
||||
-
|
||||
if (skip_insignificant_space (resource, &pos, resource_length))
|
||||
goto text_html;
|
||||
|
||||
diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c
|
||||
index b542817..7857732 100644
|
||||
--- a/tests/sniffing-test.c
|
||||
+++ b/tests/sniffing-test.c
|
||||
@@ -342,6 +342,52 @@ test_disabled (gconstpointer data)
|
||||
g_uri_unref (uri);
|
||||
}
|
||||
|
||||
+static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->");
|
||||
+
|
||||
+static void
|
||||
+do_skip_whitespace_test (void)
|
||||
+{
|
||||
+ SoupContentSniffer *sniffer = soup_content_sniffer_new ();
|
||||
+ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org");
|
||||
+ const char *test_cases[] = {
|
||||
+ "",
|
||||
+ "<rdf:RDF",
|
||||
+ "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"",
|
||||
+ "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"",
|
||||
+ };
|
||||
+
|
||||
+ soup_message_headers_set_content_type (soup_message_get_response_headers (msg), "text/html", NULL);
|
||||
+
|
||||
+ for (guint i = 0; i < G_N_ELEMENTS (test_cases); i++) {
|
||||
+ const char *trailing_data = test_cases[i];
|
||||
+ gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data);
|
||||
+ gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data);
|
||||
+ guint8 *data = g_malloc0 (testsize);
|
||||
+ guint8 *p = data;
|
||||
+ char *content_type;
|
||||
+ GBytes *buffer;
|
||||
+
|
||||
+ // Format of <!--[0x00 * $leading_zeros]-->$trailing_data
|
||||
+ memcpy (p, "<!--", strlen ("<!--"));
|
||||
+ p += strlen ("<!--");
|
||||
+ p += leading_zeros;
|
||||
+ memcpy (p, "-->", strlen ("-->"));
|
||||
+ p += strlen ("-->");
|
||||
+ if (strlen (trailing_data))
|
||||
+ memcpy (p, trailing_data, strlen (trailing_data));
|
||||
+ // Purposefully not NUL terminated.
|
||||
+
|
||||
+ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize);
|
||||
+ content_type = soup_content_sniffer_sniff (sniffer, msg, buffer, NULL);
|
||||
+
|
||||
+ g_free (content_type);
|
||||
+ g_bytes_unref (buffer);
|
||||
+ }
|
||||
+
|
||||
+ g_object_unref (msg);
|
||||
+ g_object_unref (sniffer);
|
||||
+}
|
||||
+
|
||||
int
|
||||
main (int argc, char **argv)
|
||||
{
|
||||
@@ -512,16 +558,13 @@ main (int argc, char **argv)
|
||||
"type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
|
||||
do_sniffing_test);
|
||||
|
||||
- /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
|
||||
- g_test_add_data_func ("/sniffing/whitespace",
|
||||
- "type/text_html/whitespace.html => text/html",
|
||||
- do_sniffing_test);
|
||||
-
|
||||
/* Test that disabling the sniffer works correctly */
|
||||
g_test_add_data_func ("/sniffing/disabled",
|
||||
"/text_or_binary/home.gif",
|
||||
test_disabled);
|
||||
|
||||
+ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test);
|
||||
+
|
||||
ret = g_test_run ();
|
||||
|
||||
g_uri_unref (base_uri);
|
||||
diff --git a/tests/soup-tests.gresource.xml b/tests/soup-tests.gresource.xml
|
||||
index cbef1d4..9c08d17 100644
|
||||
--- a/tests/soup-tests.gresource.xml
|
||||
+++ b/tests/soup-tests.gresource.xml
|
||||
@@ -25,6 +25,5 @@
|
||||
<file>resources/text.txt</file>
|
||||
<file>resources/text_binary.txt</file>
|
||||
<file>resources/tux.webp</file>
|
||||
- <file>resources/whitespace.html</file>
|
||||
</gresource>
|
||||
</gresources>
|
||||
--
|
||||
2.25.1
|
||||
|
||||
@@ -30,6 +30,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
|
||||
file://CVE-2025-32912-1.patch \
|
||||
file://CVE-2025-32912-2.patch \
|
||||
file://CVE-2025-32914.patch \
|
||||
file://CVE-2025-2784-1.patch \
|
||||
file://CVE-2025-2784-2.patch \
|
||||
"
|
||||
SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user