libsoup-2.4: fix CVE-2025-4945

Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/448

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch
new file mode 100644 (file)
index 0000000..c9fbdba
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch
@@ -0,0 +1,117 @@
+From 3844026f74a41dd9ccab955899e005995293d246 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 8 Jul 2025 14:58:30 +0800
+Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing
+
+Reject date/time when it does not represent a valid value.
+
+Closes #448
+
+CVE: CVE-2025-4945
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-date.c  | 21 +++++++++++++++------
+ tests/cookies-test.c | 10 ++++++++++
+ 2 files changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/libsoup/soup-date.c b/libsoup/soup-date.c
+index 9602d1f..4c114c1 100644
+--- a/libsoup/soup-date.c
++++ b/libsoup/soup-date.c
+@@ -284,7 +284,7 @@ parse_day (SoupDate *date, const char **date_string)
+       while (*end == ' ' || *end == '-')
+               end++;
+       *date_string = end;
+-      return TRUE;
++      return date->day >= 1 && date->day <= 31;
+ }
+ 
+ static inline gboolean
+@@ -324,7 +324,7 @@ parse_year (SoupDate *date, const char **date_string)
+       while (*end == ' ' || *end == '-')
+               end++;
+       *date_string = end;
+-      return TRUE;
++      return date->year > 0 && date->year < 9999;
+ }
+ 
+ static inline gboolean
+@@ -348,7 +348,7 @@ parse_time (SoupDate *date, const char **date_string)
+       while (*p == ' ')
+               p++;
+       *date_string = p;
+-      return TRUE;
++      return  date->hour >= 0 && date->hour < 24 && date->minute >= 0 && date->minute < 60 && date->second >= 0 && date->second < 60;
+ }
+ 
+ static inline gboolean
+@@ -361,8 +361,15 @@ parse_timezone (SoupDate *date, const char **date_string)
+               gulong val;
+               int sign = (**date_string == '+') ? -1 : 1;
+               val = strtoul (*date_string + 1, (char **)date_string, 10);
++              if (val > 9999)
++                      return FALSE;
+               if (**date_string == ':')
+-                      val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
++              {
++                      gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
++                      if (val > 99 || val2 > 99)
++                              return FALSE;
++                      val = 60 * val + val2;
++              }
+               else
+                       val =  60 * (val / 100) + (val % 100);
+               date->offset = sign * val;
+@@ -407,7 +414,8 @@ parse_textual_date (SoupDate *date, const char *date_string)
+               if (!parse_month (date, &date_string) ||
+                   !parse_day (date, &date_string) ||
+                   !parse_time (date, &date_string) ||
+-                  !parse_year (date, &date_string))
++                  !parse_year (date, &date_string) ||
++                  !g_date_valid_dmy(date->day, date->month, date->year))
+                       return FALSE;
+ 
+               /* There shouldn't be a timezone, but check anyway */
+@@ -419,7 +427,8 @@ parse_textual_date (SoupDate *date, const char *date_string)
+               if (!parse_day (date, &date_string) ||
+                   !parse_month (date, &date_string) ||
+                   !parse_year (date, &date_string) ||
+-                  !parse_time (date, &date_string))
++                  !parse_time (date, &date_string) ||
++                  !g_date_valid_dmy(date->day, date->month, date->year))
+                       return FALSE;
+ 
+               /* This time there *should* be a timezone, but we
+diff --git a/tests/cookies-test.c b/tests/cookies-test.c
+index 2e2a54f..6035a86 100644
+--- a/tests/cookies-test.c
++++ b/tests/cookies-test.c
+@@ -413,6 +413,15 @@ do_remove_feature_test (void)
+       soup_uri_free (uri);
+ }
+ 
++static void
++do_cookies_parsing_int32_overflow (void)
++{
++      SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9    999:9:9+ 999999999-age=main=gne=", NULL);
++      g_assert_nonnull (cookie);
++      g_assert_null (soup_cookie_get_expires (cookie));
++      soup_cookie_free (cookie);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -434,6 +443,7 @@ main (int argc, char **argv)
+       g_test_add_func ("/cookies/accept-policy-subdomains", do_cookies_subdomain_policy_test);
+       g_test_add_func ("/cookies/parsing", do_cookies_parsing_test);
+       g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
++      g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
+       g_test_add_func ("/cookies/get-cookies/empty-host", do_get_cookies_empty_host_test);
+       g_test_add_func ("/cookies/remove-feature", do_remove_feature_test);
+       g_test_add_func ("/cookies/secure-cookies", do_cookies_strict_secure_test);
+-- 
+2.34.1
+

diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index e005e7200e3b358edce5042ba502bde663bc51e3..47f7ba385c9d42948c239823623f266251f67116 100644 (file)
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -37,6 +37,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-32907.patch \
            file://CVE-2025-4948.patch \
            file://CVE-2025-4969.patch \
+           file://CVE-2025-4945.patch \
 "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"