mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-05 08:02:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

libsoup-2.4: Fix CVE-2025-2784

Browse Source 
Upstream-Status: Backport
[242a10fbb1
&
c415ad0b67]

https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435

(From OE-Core rev: 5cea727e87489b144cba9b2aa491d0c90f34f93d)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Vijay Anusuri
2025-06-13 11:14:46 +05:30
committed by Steve Sakoman
parent 523a48d5c8
commit f49fc9966d
3 changed files with 189 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-1.patch Normal file
View File

@@ -0,0 +1,52 @@
From 242a10fbb12dbdc12d254bd8fc8669a0ac055304 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 14:39:42 -0600
Subject: [PATCH] sniffer: Fix potential overflow
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2025-2784-1.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/242a10fbb12dbdc12d254bd8fc8669a0ac055304]
CVE: CVE-2025-2784
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/content-sniffer/soup-content-sniffer.c | 2 +-
tests/meson.build | 4 +++-
tests/resources/whitespace.html | Bin 0 -> 512 bytes
tests/sniffing-test.c | 5 +++++
tests/soup-tests.gresource.xml | 1 +
5 files changed, 10 insertions(+), 2 deletions(-)
create mode 100644 tests/resources/whitespace.html
--- libsoup2.4-2.70.0.orig/libsoup/soup-content-sniffer.c
+++ libsoup2.4-2.70.0/libsoup/soup-content-sniffer.c
@@ -642,7 +642,7 @@ sniff_feed_or_html (SoupContentSniffer *
pos = 3;
look_for_tag:
- if (pos > resource_length)
+ if (pos >= resource_length)
goto text_html;
if (skip_insignificant_space (resource, &pos, resource_length))
--- libsoup2.4-2.70.0.orig/tests/sniffing-test.c
+++ libsoup2.4-2.70.0/tests/sniffing-test.c
@@ -601,6 +601,11 @@ main (int argc, char **argv)
"type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
do_sniffing_test);
+ /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
+ g_test_add_data_func ("/sniffing/whitespace",
+ "type/text_html/whitespace.html => text/html",
+ do_sniffing_test);
+
/* Test that disabling the sniffer works correctly */
g_test_add_data_func ("/sniffing/disabled",
"/text_or_binary/home.gif",
--- libsoup2.4-2.70.0.orig/tests/soup-tests.gresource.xml
+++ libsoup2.4-2.70.0/tests/soup-tests.gresource.xml
@@ -25,5 +25,6 @@
<file>resources/text.txt</file>
<file>resources/text_binary.txt</file>
<file>resources/tux.webp</file>
+ <file>resources/whitespace.html</file>
</gresource>
</gresources>

135
meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784-2.patch Normal file
View File

@@ -0,0 +1,135 @@
From c415ad0b6771992e66c70edf373566c6e247089d Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Tue, 18 Feb 2025 14:29:50 -0600
Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches/CVE-2025-2784-2.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/c415ad0b6771992e66c70edf373566c6e247089d]
CVE: CVE-2025-2784
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../content-sniffer/soup-content-sniffer.c | 10 ++--
tests/resources/whitespace.html | Bin 512 -> 0 bytes
tests/sniffing-test.c | 53 ++++++++++++++++--
tests/soup-tests.gresource.xml | 1 -
4 files changed, 53 insertions(+), 11 deletions(-)
delete mode 100644 tests/resources/whitespace.html
--- libsoup2.4-2.70.0.orig/libsoup/soup-content-sniffer.c
+++ libsoup2.4-2.70.0/libsoup/soup-content-sniffer.c
@@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer
}
static gboolean
-skip_insignificant_space (const char *resource, int *pos, int resource_length)
+skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
{
+ if (*pos >= resource_length)
+ return TRUE;
+
while ((resource[*pos] == '\x09') ||
(resource[*pos] == '\x20') ||
(resource[*pos] == '\x0A') ||
@@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *
{
const char *resource = (const char *)buffer->data;
int resource_length = MIN (512, buffer->length);
- int pos = 0;
+ gsize pos = 0;
if (resource_length < 3)
goto text_html;
@@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *
pos = 3;
look_for_tag:
- if (pos >= resource_length)
- goto text_html;
-
if (skip_insignificant_space (resource, &pos, resource_length))
goto text_html;
--- libsoup2.4-2.70.0.orig/tests/sniffing-test.c
+++ libsoup2.4-2.70.0/tests/sniffing-test.c
@@ -432,6 +432,53 @@ test_disabled (gconstpointer data)
soup_uri_free (uri);
}
+static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->");
+
+static void
+do_skip_whitespace_test (void)
+{
+ SoupContentSniffer *sniffer = soup_content_sniffer_new ();
+ SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org");
+ const char *test_cases[] = {
+ "",
+ "<rdf:RDF",
+ "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"",
+ "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"",
+ };
+
+ soup_message_headers_set_content_type (msg->response_headers, "text/html", NULL);
+
+ guint i;
+ for (i = 0; i < G_N_ELEMENTS (test_cases); i++) {
+ const char *trailing_data = test_cases[i];
+ gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data);
+ gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data);
+ guint8 *data = g_malloc0 (testsize);
+ guint8 *p = data;
+ char *content_type;
+ GBytes *buffer;
+
+ /* Format of <!--[0x00 * $leading_zeros]-->$trailing_data */
+ memcpy (p, "<!--", strlen ("<!--"));
+ p += strlen ("<!--");
+ p += leading_zeros;
+ memcpy (p, "-->", strlen ("-->"));
+ p += strlen ("-->");
+ if (strlen (trailing_data))
+ memcpy (p, trailing_data, strlen (trailing_data));
+ /* Purposefully not NUL terminated. */
+
+ buffer = g_bytes_new_take (g_steal_pointer (&data), testsize);
+ content_type = soup_content_sniffer_sniff (sniffer, msg, (SoupBuffer *) buffer, NULL);
+
+ g_free (content_type);
+ g_bytes_unref (buffer);
+ }
+
+ g_object_unref (msg);
+ g_object_unref (sniffer);
+}
+
int
main (int argc, char **argv)
{
@@ -601,16 +648,13 @@ main (int argc, char **argv)
"type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8",
do_sniffing_test);
- /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */
- g_test_add_data_func ("/sniffing/whitespace",
- "type/text_html/whitespace.html => text/html",
- do_sniffing_test);
-
/* Test that disabling the sniffer works correctly */
g_test_add_data_func ("/sniffing/disabled",
"/text_or_binary/home.gif",
test_disabled);
+ g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test);
+
ret = g_test_run ();
soup_uri_free (base_uri);
--- libsoup2.4-2.70.0.orig/tests/soup-tests.gresource.xml
+++ libsoup2.4-2.70.0/tests/soup-tests.gresource.xml
@@ -25,6 +25,5 @@
<file>resources/text.txt</file>
<file>resources/text_binary.txt</file>
<file>resources/tux.webp</file>
- <file>resources/whitespace.html</file>
</gresource>
</gresources>

2
meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
View File

@@ -32,6 +32,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32912-1.patch \
file://CVE-2025-32912-2.patch \
file://CVE-2025-32914.patch \
file://CVE-2025-2784-1.patch \
file://CVE-2025-2784-2.patch \
"
SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"