eee0f6c078
Import all security patches from OpenEmbedded for libsoup.
This fixes the following 18 known vulnerabilities:
- CVE-2024-52530:
GNOME libsoup before 3.6.0 allows HTTP request smuggling in some
configurations because '\0' characters at the end of header names are
ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the
same as a "Transfer-Encoding: chunked" header.
https://www.cve.org/CVERecord?id=CVE-2024-52530
- CVE-2024-52531:
GNOME libsoup before 3.6.1 allows a buffer overflow in applications that
perform conversion to UTF-8 in soup_header_parse_param_list_strict.
There is a plausible way to reach this remotely via
soup_message_headers_get_content_type (e.g., an application may want to
retrieve the content type of a request or response).
https://www.cve.org/CVERecord?id=CVE-2024-52531
- CVE-2024-52532:
GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption.
During the reading of certain patterns of WebSocket data from clients.
https://www.cve.org/CVERecord?id=CVE-2024-52532
- CVE-2025-2784:
Libsoup: heap buffer over-read in `skip_insignificant_space`
when sniffing content
https://www.cve.org/CVERecord?id=CVE-2025-2784
- CVE-2025-4476:
Libsoup: null pointer dereference in libsoup may lead to denial of service
https://www.cve.org/CVERecord?id=CVE-2025-4476
- CVE-2025-4948:
Libsoup: integer underflow in soup_multipart_new_from_message() leading to
denial of service in libsoup
https://www.cve.org/CVERecord?id=CVE-2025-4948
- CVE-2025-4969:
Libsoup: off-by-one out-of-bounds read in find_boundary() in soup-multipart.c
https://www.cve.org/CVERecord?id=CVE-2025-4969
- CVE-2025-32050:
Libsoup: integer overflow in append_param_quoted
https://www.cve.org/CVERecord?id=CVE-2025-32050
- CVE-2025-32052:
Libsoup: heap buffer overflow in sniff_unknown()
https://www.cve.org/CVERecord?id=CVE-2025-32052
- CVE-2025-32053:
Libsoup: heap buffer overflows in sniff_feed_or_html() and
skip_insignificant_space()
https://www.cve.org/CVERecord?id=CVE-2025-32053
- CVE-2025-32906:
Libsoup: out of bounds reads in soup_headers_parse_request()
https://www.cve.org/CVERecord?id=CVE-2025-32906
- CVE-2025-32910:
Libsoup: null pointer deference on libsoup via /auth/soup-auth-digest.c
through "soup_auth_digest_authenticate" on client when server omits the
"realm" parameter in an unauthorized response with digest authentication
https://www.cve.org/CVERecord?id=CVE-2025-32910
- CVE-2025-32911:
Libsoup: double free on soup_message_headers_get_content_disposition()
through "soup-message-headers.c" via "params" ghashtable value
https://www.cve.org/CVERecord?id=CVE-2025-32911
- CVE-2025-32912:
Libsoup: null pointer dereference in client when server omits the "nonce"
parameter in an unauthorized response with digest authentication
https://www.cve.org/CVERecord?id=CVE-2025-32912
- CVE-2025-32913:
Libsoup: null pointer dereference in
soup_message_headers_get_content_disposition when "filename" parameter is
present, but has no value in content-disposition header
https://www.cve.org/CVERecord?id=CVE-2025-32913
- CVE-2025-32914:
Libsoup: oob read on libsoup through function
"soup_multipart_new_from_message" in soup-multipart.c leads to crash or
exit of process
https://www.cve.org/CVERecord?id=CVE-2025-32914
- CVE-2025-46420:
Libsoup: memory leak on soup_header_parse_quality_list() via soup-headers.c
https://www.cve.org/CVERecord?id=CVE-2025-46420
- CVE-2025-46421:
Libsoup: information disclosure may leads libsoup client sends authorization
header to a different host when being redirected by a server
https://www.cve.org/CVERecord?id=CVE-2025-46421
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
137 lines
4.2 KiB
Diff
137 lines
4.2 KiB
Diff
From 12523a592f1216450d18706bcf6c16e0f1ab0ce0 Mon Sep 17 00:00:00 2001
|
|
From: Changqing Li <changqing.li@windriver.com>
|
|
Date: Fri, 16 May 2025 13:52:37 +0800
|
|
Subject: [PATCH] headers: Be more robust against invalid input when
|
|
parsing params
|
|
|
|
If you pass invalid input to a function such as soup_header_parse_param_list_strict()
|
|
it can cause an overflow if it decodes the input to UTF-8.
|
|
|
|
This should never happen with valid UTF-8 input which libsoup's client API
|
|
ensures, however it's server API does not currently.
|
|
|
|
CVE: CVE-2024-52531
|
|
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]
|
|
|
|
Upstream: https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
|
|
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
|
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
|
|
---
|
|
libsoup/soup-headers.c | 45 +++++++++++++++++++++---------------------
|
|
1 file changed, 23 insertions(+), 22 deletions(-)
|
|
|
|
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
|
|
index 67905b2..39e8d34 100644
|
|
--- a/libsoup/soup-headers.c
|
|
+++ b/libsoup/soup-headers.c
|
|
@@ -642,8 +642,9 @@ soup_header_contains (const char *header, const char *token)
|
|
}
|
|
|
|
static void
|
|
-decode_quoted_string (char *quoted_string)
|
|
+decode_quoted_string_inplace (GString *quoted_gstring)
|
|
{
|
|
+ char *quoted_string = quoted_gstring->str;
|
|
char *src, *dst;
|
|
|
|
src = quoted_string + 1;
|
|
@@ -657,10 +658,11 @@ decode_quoted_string (char *quoted_string)
|
|
}
|
|
|
|
static gboolean
|
|
-decode_rfc5987 (char *encoded_string)
|
|
+decode_rfc5987_inplace (GString *encoded_gstring)
|
|
{
|
|
char *q, *decoded;
|
|
gboolean iso_8859_1 = FALSE;
|
|
+ const char *encoded_string = encoded_gstring->str;
|
|
|
|
q = strchr (encoded_string, '\'');
|
|
if (!q)
|
|
@@ -689,14 +691,7 @@ decode_rfc5987 (char *encoded_string)
|
|
decoded = utf8;
|
|
}
|
|
|
|
- /* If encoded_string was UTF-8, then each 3-character %-escape
|
|
- * will be converted to a single byte, and so decoded is
|
|
- * shorter than encoded_string. If encoded_string was
|
|
- * iso-8859-1, then each 3-character %-escape will be
|
|
- * converted into at most 2 bytes in UTF-8, and so it's still
|
|
- * shorter.
|
|
- */
|
|
- strcpy (encoded_string, decoded);
|
|
+ g_string_assign (encoded_gstring, decoded);
|
|
g_free (decoded);
|
|
return TRUE;
|
|
}
|
|
@@ -706,15 +701,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
|
|
{
|
|
GHashTable *params;
|
|
GSList *list, *iter;
|
|
- char *item, *eq, *name_end, *value;
|
|
- gboolean override, duplicated;
|
|
|
|
params = g_hash_table_new_full (soup_str_case_hash,
|
|
soup_str_case_equal,
|
|
- g_free, NULL);
|
|
+ g_free, g_free);
|
|
|
|
list = parse_list (header, delim);
|
|
for (iter = list; iter; iter = iter->next) {
|
|
+ char *item, *eq, *name_end;
|
|
+ gboolean override, duplicated;
|
|
+ GString *parsed_value = NULL;
|
|
item = iter->data;
|
|
override = FALSE;
|
|
|
|
@@ -729,19 +725,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
|
|
|
|
*name_end = '\0';
|
|
|
|
- value = (char *)skip_lws (eq + 1);
|
|
+ parsed_value = g_string_new ((char *)skip_lws (eq + 1));
|
|
|
|
if (name_end[-1] == '*' && name_end > item + 1) {
|
|
name_end[-1] = '\0';
|
|
- if (!decode_rfc5987 (value)) {
|
|
+ if (!decode_rfc5987_inplace (parsed_value)) {
|
|
+ g_string_free (parsed_value, TRUE);
|
|
g_free (item);
|
|
continue;
|
|
}
|
|
override = TRUE;
|
|
- } else if (*value == '"')
|
|
- decode_quoted_string (value);
|
|
- } else
|
|
- value = NULL;
|
|
+ } else if (parsed_value->str[0] == '"')
|
|
+ decode_quoted_string_inplace (parsed_value);
|
|
+ }
|
|
|
|
duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
|
|
|
|
@@ -749,11 +745,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
|
|
soup_header_free_param_list (params);
|
|
params = NULL;
|
|
g_slist_foreach (iter, (GFunc)g_free, NULL);
|
|
+ if (parsed_value)
|
|
+ g_string_free (parsed_value, TRUE);
|
|
break;
|
|
- } else if (override || !duplicated)
|
|
- g_hash_table_replace (params, item, value);
|
|
- else
|
|
+ } else if (override || !duplicated) {
|
|
+ g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
|
|
+ } else {
|
|
+ if (parsed_value)
|
|
+ g_string_free (parsed_value, TRUE);
|
|
g_free (item);
|
|
+ }
|
|
}
|
|
|
|
g_slist_free (list);
|
|
--
|
|
2.34.1
|
|
|