Hello, On Wed Feb 18, 2026 at 7:42 AM CET, Hitendra Prajapati via lists.openembedded.org wrote: > Refer: > https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
That issue is for CVE-2025-4945. > https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/408 (simplified) > > Signed-off-by: Hitendra Prajapati <[email protected]> > --- > .../libsoup/libsoup-2.4/CVE-2025-32049.patch | 36 +++++++++++++++++++ > .../libsoup/libsoup-2.4_2.74.2.bb | 1 + > 2 files changed, 37 insertions(+) > create mode 100644 > meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049.patch > > diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049.patch > b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049.patch > new file mode 100644 > index 0000000000..465f8ed3fb > --- /dev/null > +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049.patch 
> @@ -0,0 +1,36 @@ > +From 6ec7c5be50b48d6ce0a09aa3468f2c5725406a97 Mon Sep 17 00:00:00 2001 > +From: Michael Catanzaro <[email protected]> > +Date: Wed, 21 May 2025 10:42:51 -0500 > +Subject: [PATCH] Add size limit for total message size > + > +This size limit could break applications, but it will close the denial > +of service issue. > + > +Reference : https://access.redhat.com/errata/RHSA-2025:8132 > + > +CVE: CVE-2025-32049 > +Upstream-Status: Backport > [https://gitlab.gnome.org/GNOME/libsoup/-/commit/6ec7c5be50b48d6ce0a09aa3468f2c5725406a9] That URL is 404. I'm not sure this commit exists (?) Please target a commit on a merged branch. > +Signed-off-by: Hitendra Prajapati <[email protected]> > +--- > + libsoup/soup-websocket-connection.c | 5 +++++ > + 1 file changed, 5 insertions(+) > + > +diff --git a/libsoup/soup-websocket-connection.c > b/libsoup/soup-websocket-connection.c > +index 9d5f4f8..9493fdf 100644 > +--- a/libsoup/soup-websocket-connection.c > ++++ b/libsoup/soup-websocket-connection.c > +@@ -913,6 +913,11 @@ process_contents (SoupWebsocketConnection *self, > + switch (pv->message_opcode) { > + case 0x01: > + case 0x02: > ++ /* Safety valve */ > ++ if (pv->message_data->len + payload_len > > pv->max_incoming_payload_size) { > ++ too_big_error_and_close (self, > (pv->message_data->len + payload_len)); > ++ return; > ++ } > + g_byte_array_append (pv->message_data, payload, > payload_len); > + break; > + default: > +-- > +2.50.1 > + > diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb > b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb > index 0cc90a17cc..bd3960e2f7 100644 > --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb > +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb 
> @@ -43,6 +43,7 @@ SRC_URI = > "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ > file://CVE-2025-4948.patch \ > file://CVE-2025-4476.patch \ > file://CVE-2025-4945.patch \ > + file://CVE-2025-32049.patch \ > " > SRC_URI[sha256sum] = > "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159" > Can you send a v2 with the above remarks fixed? Thanks! -- Yoann Congal Smile ECS
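Review bot: In the header of the added CVE-2025-32049.patch, the commit id in the Upstream-Status URL (ending `...5725406a9`) is one character shorter than the id on the `From 6ec7c5be50b48d6ce0a09aa3468f2c5725406a97` line, so the link as written does not name that commit. Use the full 40-character id in the URL, and confirm that it resolves to a commit on a merged upstream branch before sending v2.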
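Review bot: In the `case 0x01:` / `case 0x02:` branch of process_contents, the new check compares `pv->message_data->len + payload_len` against `pv->max_incoming_payload_size` with no visible guard for a limit of 0 and nothing that rules out the sum wrapping. If 0 is used to mean "no limit" (not shown in this hunk), every data frame would hit too_big_error_and_close; consider putting `pv->max_incoming_payload_size > 0 &&` in front of the comparison, or say in the comment why that is not needed. The `/* Safety valve */` comment would also be more useful if it stated that it bounds the total size of the accumulated message, as the Subject line describes.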
