eee0f6c078
Import all security patches from OpenEmbedded for libsoup.
This fixes the following 18 known vulnerabilities:
- CVE-2024-52530:
GNOME libsoup before 3.6.0 allows HTTP request smuggling in some
configurations because '\0' characters at the end of header names are
ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the
same as a "Transfer-Encoding: chunked" header.
https://www.cve.org/CVERecord?id=CVE-2024-52530
- CVE-2024-52531:
GNOME libsoup before 3.6.1 allows a buffer overflow in applications that
perform conversion to UTF-8 in soup_header_parse_param_list_strict.
There is a plausible way to reach this remotely via
soup_message_headers_get_content_type (e.g., an application may want to
retrieve the content type of a request or response).
https://www.cve.org/CVERecord?id=CVE-2024-52531
- CVE-2024-52532:
GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption.
During the reading of certain patterns of WebSocket data from clients.
https://www.cve.org/CVERecord?id=CVE-2024-52532
- CVE-2025-2784:
Libsoup: heap buffer over-read in `skip_insignificant_space`
when sniffing content
https://www.cve.org/CVERecord?id=CVE-2025-2784
- CVE-2025-4476:
Libsoup: null pointer dereference in libsoup may lead to denial of service
https://www.cve.org/CVERecord?id=CVE-2025-4476
- CVE-2025-4948:
Libsoup: integer underflow in soup_multipart_new_from_message() leading to
denial of service in libsoup
https://www.cve.org/CVERecord?id=CVE-2025-4948
- CVE-2025-4969:
Libsoup: off-by-one out-of-bounds read in find_boundary() in soup-multipart.c
https://www.cve.org/CVERecord?id=CVE-2025-4969
- CVE-2025-32050:
Libsoup: integer overflow in append_param_quoted
https://www.cve.org/CVERecord?id=CVE-2025-32050
- CVE-2025-32052:
Libsoup: heap buffer overflow in sniff_unknown()
https://www.cve.org/CVERecord?id=CVE-2025-32052
- CVE-2025-32053:
Libsoup: heap buffer overflows in sniff_feed_or_html() and
skip_insignificant_space()
https://www.cve.org/CVERecord?id=CVE-2025-32053
- CVE-2025-32906:
Libsoup: out of bounds reads in soup_headers_parse_request()
https://www.cve.org/CVERecord?id=CVE-2025-32906
- CVE-2025-32910:
Libsoup: null pointer deference on libsoup via /auth/soup-auth-digest.c
through "soup_auth_digest_authenticate" on client when server omits the
"realm" parameter in an unauthorized response with digest authentication
https://www.cve.org/CVERecord?id=CVE-2025-32910
- CVE-2025-32911:
Libsoup: double free on soup_message_headers_get_content_disposition()
through "soup-message-headers.c" via "params" ghashtable value
https://www.cve.org/CVERecord?id=CVE-2025-32911
- CVE-2025-32912:
Libsoup: null pointer dereference in client when server omits the "nonce"
parameter in an unauthorized response with digest authentication
https://www.cve.org/CVERecord?id=CVE-2025-32912
- CVE-2025-32913:
Libsoup: null pointer dereference in
soup_message_headers_get_content_disposition when "filename" parameter is
present, but has no value in content-disposition header
https://www.cve.org/CVERecord?id=CVE-2025-32913
- CVE-2025-32914:
Libsoup: oob read on libsoup through function
"soup_multipart_new_from_message" in soup-multipart.c leads to crash or
exit of process
https://www.cve.org/CVERecord?id=CVE-2025-32914
- CVE-2025-46420:
Libsoup: memory leak on soup_header_parse_quality_list() via soup-headers.c
https://www.cve.org/CVERecord?id=CVE-2025-46420
- CVE-2025-46421:
Libsoup: information disclosure may leads libsoup client sends authorization
header to a different host when being redirected by a server
https://www.cve.org/CVERecord?id=CVE-2025-46421
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
42 lines
1.5 KiB
Diff
42 lines
1.5 KiB
Diff
From 52a0f9234d384b9dab368835b22e5a5a01542168 Mon Sep 17 00:00:00 2001
|
|
From: Changqing Li <changqing.li@windriver.com>
|
|
Date: Fri, 16 May 2025 14:16:10 +0800
|
|
Subject: [PATCH] auth-digest: fix crash in
|
|
soup_auth_digest_get_protection_space()
|
|
|
|
We need to validate the Domain parameter in the WWW-Authenticate header.
|
|
|
|
Unfortunately this crash only occurs when listening on default ports 80
|
|
and 443, so there's no good way to test for this. The test would require
|
|
running as root.
|
|
|
|
Fixes #440
|
|
|
|
CVE: CVE-2025-4476
|
|
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c?merge_request_iid=457]
|
|
|
|
Upstream: https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch
|
|
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
|
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
|
|
---
|
|
libsoup/soup-auth-digest.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
|
|
index f1621ec..a2dc560 100644
|
|
--- a/libsoup/soup-auth-digest.c
|
|
+++ b/libsoup/soup-auth-digest.c
|
|
@@ -229,7 +229,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, SoupURI *source_uri)
|
|
uri = soup_uri_new (d);
|
|
if (uri && uri->scheme == source_uri->scheme &&
|
|
uri->port == source_uri->port &&
|
|
- !strcmp (uri->host, source_uri->host))
|
|
+ !g_strcmp0 (uri->host, source_uri->host))
|
|
dir = g_strdup (uri->path);
|
|
else
|
|
dir = NULL;
|
|
--
|
|
2.34.1
|
|
|