From: Hitendra Prajapati Date: Wed, 18 Jun 2025 02:59:36 +0000 (+0800) Subject: libsoup: Fix CVE-2025-4969 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea267b82e1fdc5cc7bf055d3eec1190e19ae79de;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git libsoup: Fix CVE-2025-4969 Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-4969.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-4969.patch new file mode 100644 index 0000000000..70c5fd5593 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-4969.patch @@ -0,0 +1,76 @@ +From 07b94e27afafebf31ef3cd868866a1e383750086 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 19 May 2025 17:48:27 +0200 +Subject: [PATCH] soup-multipart: Verify array bounds before accessing its + members + +The boundary could be at a place which, calculated, pointed +before the beginning of the array. Check the bounds, to avoid +read out of the array bounds. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086] +CVE: CVE-2025-4969 +Signed-off-by: Hitendra Prajapati +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 22 ++++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index 102ce37..e1c442e 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -104,7 +104,7 @@ find_boundary (const char *start, const char *end, + continue; + + /* Check that it's at start of line */ +- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r'))) ++ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r'))) + continue; + + /* Check for "--" or "\r\n" after boundary */ +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index ab5f41c..84852e2 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -527,6 +527,27 @@ test_multipart_bounds_bad (void) + g_bytes_unref (bytes); + } + ++static void ++test_multipart_bounds_bad_2 (void) ++{ ++ SoupMultipart *multipart; ++ SoupMessageHeaders *headers; ++ GBytes *bytes; ++ const char *raw_data = "\n--123\r\nline\r\n--123--\r"; ++ ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\""); ++ ++ bytes = g_bytes_new (raw_data, strlen (raw_data)); ++ ++ multipart = soup_multipart_new_from_message (headers, bytes); ++ g_assert_nonnull (multipart); ++ ++ soup_multipart_free (multipart); ++ soup_message_headers_unref (headers); ++ g_bytes_unref (bytes); ++} ++ + int + main (int argc, char **argv) + { +@@ -556,6 +577,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); + g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); ++ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2); + + ret = g_test_run (); + +-- +2.49.0 + diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb index 83ed88e785..d0cd1f436a 100644 --- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb +++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb @@ -37,6 +37,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32053.patch \ file://CVE-2025-46420.patch \ file://CVE-2025-4476.patch \ + file://CVE-2025-4969.patch \ " SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"