24 files changed, 1092 insertions, 18 deletions

diff --git a/meta-gnome/recipes-gnome/gnome-software/gnome-software_48.0.bb b/meta-gnome/recipes-gnome/gnome-software/gnome-software_48.2.bb
index 8dae95dddb..00efac5b4f 100644
--- a/meta-gnome/recipes-gnome/gnome-software/gnome-software_48.0.bb
+++ b/meta-gnome/recipes-gnome/gnome-software/gnome-software_48.2.bb
@@ -28,7 +28,7 @@ RDEPENDS:${PN} = "iso-codes"
 
 EXTRA_OEMESON += "-Dtests=false"
 
-SRC_URI[archive.sha256sum] = "e607af554e838fd6d07c1631f634b20e8bd4e6adf16fc7535c4520874af544f7"
+SRC_URI[archive.sha256sum] = "abfd30643a86c65f4886b6765eb3bb6215c9ea09817d6bd165c50056890822c9"
 
 PACKAGECONFIG ?= "flatpak"
 PACKAGECONFIG[flatpak] = "-Dflatpak=true,-Dflatpak=false,flatpak ostree"
diff --git a/meta-oe/recipes-devtools/suitesparse/suitesparse_5.10.1.bb b/meta-oe/recipes-devtools/suitesparse/suitesparse_5.10.1.bb
index 13e6fd066c..b113145808 100644
--- a/meta-oe/recipes-devtools/suitesparse/suitesparse_5.10.1.bb
+++ b/meta-oe/recipes-devtools/suitesparse/suitesparse_5.10.1.bb
@@ -14,20 +14,6 @@ DEPENDS = "cmake-native lapack gmp mpfr chrpath-native"
 PROVIDES = "mongoose graphblas"
 RPROVIDES:${PN} = "mongoose graphblas"
 
-# The values of $CC, $CXX, and $LD that Bitbake uses have spaces in them which
-# causes problems when the SuiteSparse Makefiles try to pass these values on
-# the command line. To get around this problem, set these variables to only the
-# program name and prepend the rest of the value onto the corresponding FLAGS
-# variable.
-CFLAGS:prepend := "${@" ".join(d.getVar('CC').split()[1:])} "
-export CC := "${@d.getVar('CC').split()[0]}"
-
-CXXFLAGS:prepend := "${@" ".join(d.getVar('CXX').split()[1:])} "
-export CXX := "${@d.getVar('CXX').split()[0]}"
-
-LDFLAGS:prepend := "${@" ".join(d.getVar('LD').split()[1:])} "
-export LD := "${@d.getVar('LD').split()[0]}"
-
 export CMAKE_OPTIONS = " \
     -DCMAKE_INSTALL_PREFIX=${D}${prefix} \
     -DCMAKE_INSTALL_LIBDIR=${baselib} \
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch
index 9ef0643837..d75594bb4f 100644
--- a/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/0001-CVE-2025-32911.patch
@@ -3,7 +3,7 @@ From: Changqing Li <changqing.li@windriver.com>
 Date: Wed, 30 Apr 2025 14:59:55 +0800
 Subject: [PATCH] CVE-2025-32911
 
-CVE: CVE-2025-32911
+CVE: CVE-2025-32911 CVE-2025-32913
 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/422/commits]
 
 Signed-off-by: Changqing Li <changqing.li@windriver.com>
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch
new file mode 100644
index 0000000000..04713850e1
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch
@@ -0,0 +1,150 @@
+From 4a2bb98e03d79146c729dca52c8d6edc635218ff Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Mon, 8 Jul 2024 12:33:15 -0500
+Subject: [PATCH] headers: Strictly don't allow NUL bytes
+
+In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
+
+CVE: CVE-2024-52530
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/402/diffs?commit_id=04df03bc092ac20607f3e150936624d4f536e68b]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c      | 15 +++------
+ tests/header-parsing-test.c | 62 +++++++++++++++++--------------------
+ 2 files changed, 32 insertions(+), 45 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index eec28ad..e5d3c03 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -50,13 +50,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
+         * ignorable trailing whitespace.
+         */
+ 
++       /* No '\0's are allowed */
++       if (memchr (str, '\0', len))
++               return FALSE;
++
+        /* Skip over the Request-Line / Status-Line */
+        headers_start = memchr (str, '\n', len);
+        if (!headers_start)
+                return FALSE;
+-       /* No '\0's in the Request-Line / Status-Line */
+-       if (memchr (str, '\0', headers_start - str))
+-               return FALSE;
+ 
+        /* We work on a copy of the headers, which we can write '\0's
+         * into, so that we don't have to individually g_strndup and
+@@ -68,14 +69,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
+        headers_copy[copy_len] = '\0';
+        value_end = headers_copy;
+ 
+-       /* There shouldn't be any '\0's in the headers already, but
+-        * this is the web we're talking about.
+-        */
+-       while ((p = memchr (headers_copy, '\0', copy_len))) {
+-               memmove (p, p + 1, copy_len - (p - headers_copy));
+-               copy_len--;
+-       }
+-
+        while (*(value_end + 1)) {
+                name = value_end + 1;
+                name_end = strchr (name, ':');
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 752196e..c1d3b33 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -358,24 +358,6 @@ static struct RequestTest {
+          }
+        },
+ 
+-       { "NUL in header name", "760832",
+-         "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+-         SOUP_STATUS_OK,
+-         "GET", "/", SOUP_HTTP_1_1,
+-         { { "Host", "example.com" },
+-           { NULL }
+-         }
+-       },
+-
+-       { "NUL in header value", "760832",
+-         "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
+-         SOUP_STATUS_OK,
+-         "GET", "/", SOUP_HTTP_1_1,
+-         { { "Host", "examplecom" },
+-           { NULL }
+-         }
+-       },
+-
+        /************************/
+        /*** INVALID REQUESTS ***/
+        /************************/
+@@ -448,6 +430,21 @@ static struct RequestTest {
+          SOUP_STATUS_EXPECTATION_FAILED,
+          NULL, NULL, -1,
+          { { NULL } }
++       },
++
++       // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
++       { "NUL in header name", NULL,
++         "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
++         SOUP_STATUS_BAD_REQUEST,
++         NULL, NULL, -1,
++         { { NULL } }
++       },
++
++       { "NUL in header value", NULL,
++         "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
++         SOUP_STATUS_BAD_REQUEST,
++           NULL, NULL, -1,
++         { { NULL } }
+        }
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+@@ -620,22 +617,6 @@ static struct ResponseTest {
+            { NULL } }
+        },
+ 
+-       { "NUL in header name", "760832",
+-         "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
+-         SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
+-         { { "Foo", "bar" },
+-           { NULL }
+-         }
+-       },
+-
+-       { "NUL in header value", "760832",
+-         "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+-         SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
+-         { { "Foo", "bar" },
+-           { NULL }
+-         }
+-       },
+-
+        /********************************/
+        /*** VALID CONTINUE RESPONSES ***/
+        /********************************/
+@@ -768,6 +749,19 @@ static struct ResponseTest {
+          { { NULL }
+          }
+        },
++
++       // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
++       { "NUL in header name", NULL,
++         "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
++         -1, 0, NULL,
++         { { NULL } }
++       },
++
++       { "NUL in header value", "760832",
++         "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
++         -1, 0, NULL,
++         { { NULL } }
++       },
+ };
+ static const int num_resptests = G_N_ELEMENTS (resptests);
+ 
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
new file mode 100644
index 0000000000..9de0310c8d
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
@@ -0,0 +1,39 @@
+From 8331e681c85c3b1893d8d5193783f631bfc07acb Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:42:08 +0800
+Subject: [PATCH] tests: Add test for passing invalid UTF-8 to
+ soup_header_parse_semi_param_list()
+
+CVE: CVE-2024-52531
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=825fda3425546847b42ad5270544e9388ff349fe]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tests/header-parsing-test.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index b811115..cfcc003 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -836,6 +836,17 @@ static struct ParamListTest {
+            { "filename", "t\xC3\xA9st.txt" },
+          },
+        },
++
++/* This tests invalid UTF-8 data which *should* never be passed here but it was designed to be robust against it. */
++       { TRUE,
++         "invalid*=\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; filename*=iso-8859-1''\x69\x27\x27\x93\x93\x93\x93\xff\x61\x61\x61\x61\x61\x61\x61\x62\x63\x64\x65\x0a; foo",
++          {
++               { "filename", "i''\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
++               { "invalid", "\302\223\302\223\302\223\302\223\303\277aaaaaaabcde" },
++               { "foo", NULL },
++          },
++       }
++
+ };
+ static const int num_paramlisttests = G_N_ELEMENTS (paramlisttests);
+ 
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
new file mode 100644
index 0000000000..740c28c016
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
@@ -0,0 +1,133 @@
+From 12523a592f1216450d18706bcf6c16e0f1ab0ce0 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:52:37 +0800
+Subject: [PATCH] headers: Be more robust against invalid input when
+ parsing params
+
+If you pass invalid input to a function such as soup_header_parse_param_list_strict()
+it can cause an overflow if it decodes the input to UTF-8.
+
+This should never happen with valid UTF-8 input which libsoup's client API
+ensures, however it's server API does not currently.
+
+CVE: CVE-2024-52531
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/diffs?commit_id=a35222dd0bfab2ac97c10e86b95f762456628283]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c | 45 +++++++++++++++++++++---------------------
+ 1 file changed, 23 insertions(+), 22 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 67905b2..39e8d34 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -642,8 +642,9 @@ soup_header_contains (const char *header, const char *token)
+ }
+ 
+ static void
+-decode_quoted_string (char *quoted_string)
++decode_quoted_string_inplace (GString *quoted_gstring)
+ {
++       char *quoted_string = quoted_gstring->str;
+        char *src, *dst;
+ 
+        src = quoted_string + 1;
+@@ -657,10 +658,11 @@ decode_quoted_string (char *quoted_string)
+ }
+ 
+ static gboolean
+-decode_rfc5987 (char *encoded_string)
++decode_rfc5987_inplace (GString *encoded_gstring)
+ {
+        char *q, *decoded;
+        gboolean iso_8859_1 = FALSE;
++       const char *encoded_string = encoded_gstring->str;
+ 
+        q = strchr (encoded_string, '\'');
+        if (!q)
+@@ -689,14 +691,7 @@ decode_rfc5987 (char *encoded_string)
+                decoded = utf8;
+        }
+ 
+-       /* If encoded_string was UTF-8, then each 3-character %-escape
+-        * will be converted to a single byte, and so decoded is
+-        * shorter than encoded_string. If encoded_string was
+-        * iso-8859-1, then each 3-character %-escape will be
+-        * converted into at most 2 bytes in UTF-8, and so it's still
+-        * shorter.
+-        */
+-       strcpy (encoded_string, decoded);
++       g_string_assign (encoded_gstring, decoded);
+        g_free (decoded);
+        return TRUE;
+ }
+@@ -706,15 +701,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ {
+        GHashTable *params;
+        GSList *list, *iter;
+-       char *item, *eq, *name_end, *value;
+-       gboolean override, duplicated;
+ 
+        params = g_hash_table_new_full (soup_str_case_hash, 
+                                        soup_str_case_equal,
+-                                       g_free, NULL);
++                                       g_free, g_free);
+ 
+        list = parse_list (header, delim);
+        for (iter = list; iter; iter = iter->next) {
++               char *item, *eq, *name_end;
++               gboolean override, duplicated;
++               GString *parsed_value = NULL;
+                item = iter->data;
+                override = FALSE;
+ 
+@@ -729,19 +725,19 @@ parse_param_list (const char *header, char delim, gboolean strict)
+ 
+                        *name_end = '\0';
+ 
+-                       value = (char *)skip_lws (eq + 1);
++                       parsed_value = g_string_new ((char *)skip_lws (eq + 1));
+ 
+                        if (name_end[-1] == '*' && name_end > item + 1) {
+                                name_end[-1] = '\0';
+-                               if (!decode_rfc5987 (value)) {
++                               if (!decode_rfc5987_inplace (parsed_value)) {
++                                       g_string_free (parsed_value, TRUE);
+                                        g_free (item);
+                                        continue;
+                                }
+                                override = TRUE;
+-                       } else if (*value == '"')
+-                               decode_quoted_string (value);
+-               } else
+-                       value = NULL;
++                       } else if (parsed_value->str[0] == '"')
++                               decode_quoted_string_inplace (parsed_value);
++                       }
+ 
+                duplicated = g_hash_table_lookup_extended (params, item, NULL, NULL);
+ 
+@@ -749,11 +745,16 @@ parse_param_list (const char *header, char delim, gboolean strict)
+                        soup_header_free_param_list (params);
+                        params = NULL;
+                        g_slist_foreach (iter, (GFunc)g_free, NULL);
++                       if (parsed_value)
++                               g_string_free (parsed_value, TRUE);
+                        break;
+-               } else if (override || !duplicated)
+-                       g_hash_table_replace (params, item, value);
+-               else
++               } else if (override || !duplicated) {
++                       g_hash_table_replace (params, item, parsed_value ? g_string_free (parsed_value, FALSE) : NULL);
++               } else {
++                       if (parsed_value)
++                               g_string_free (parsed_value, TRUE);
+                        g_free (item);
++               }
+        }
+ 
+        g_slist_free (list);
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch
new file mode 100644
index 0000000000..106f907168
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-2784.patch
@@ -0,0 +1,56 @@
+From 2eacbd762332795e00692ddab2515c6da23198d3 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 12 May 2025 14:06:41 +0800
+Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space()
+
+CVE: CVE-2025-2784
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/435/diffs?commit_id=242a10fbb12dbdc12d254bd8fc8669a0ac055304;
+ https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/442/diffs?commit_id=c415ad0b6771992e66c70edf373566c6e247089d]
+
+Test code is not added since it uses some functions not defined in
+version 2.74. These tests are not used now, so just ignore them.
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-content-sniffer.c |  9 +++----
+ 1 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index 5f2896e..9554636 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -612,8 +612,10 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ }
+ 
+ static gboolean
+-skip_insignificant_space (const char *resource, int *pos, int resource_length)
++skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length)
+ {
++       if (*pos >= resource_length)
++               return TRUE;
+        while ((resource[*pos] == '\x09') ||
+               (resource[*pos] == '\x20') ||
+               (resource[*pos] == '\x0A') ||
+@@ -632,7 +634,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ {
+        const char *resource = (const char *)buffer->data;
+        int resource_length = MIN (512, buffer->length);
+-       int pos = 0;
++       gsize pos = 0;
+ 
+        if (resource_length < 3)
+                goto text_html;
+@@ -642,9 +644,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+                pos = 3;
+ 
+  look_for_tag:
+-       if (pos > resource_length)
+-               goto text_html;
+-
+        if (skip_insignificant_space (resource, &pos, resource_length))
+                goto text_html;
+
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch
new file mode 100644
index 0000000000..c032846ef0
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32050.patch
@@ -0,0 +1,29 @@
+From 5709dfffb6fdc5b66ce001bf82a755ad8ad1d992 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Mon, 28 Oct 2024 12:29:48 -0500
+Subject: [PATCH] Fix using int instead of size_t for strcspn return
+
+CVE: CVE-2025-32050
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 9707ca0..67905b2 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -902,7 +902,7 @@ append_param_quoted (GString    *string,
+                     const char *name,
+                     const char *value)
+ {
+-       int len;
++       gsize len;
+ 
+        g_string_append (string, name);
+        g_string_append (string, "=\"");
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch
new file mode 100644
index 0000000000..34bc8113a4
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32052.patch
@@ -0,0 +1,32 @@
+From f4a67a9a3033586edaee715d40d5992e02d32893 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Sat, 16 Nov 2024 12:07:30 -0600
+Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff
+
+Co-Author: Ar Jun <pkillarjun@protonmail.com>
+
+CVE: CVE-2025-32052
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652#500da7cfde649872c49169be34b03a1c42a53ddb]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-content-sniffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index 9554636..eac9e7b 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer,
+                        guint index_pattern = 0;
+                        gboolean skip_row = FALSE;
+ 
+-                       while ((index_stream < resource_length) &&
++                       while ((index_stream < resource_length - 1) &&
+                               (index_pattern <= type_row->pattern_length)) {
+                                /* Skip insignificant white space ("WS" in the spec) */
+                                if (type_row->pattern[index_pattern] == ' ') {
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch
new file mode 100644
index 0000000000..0d829d6200
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32053.patch
@@ -0,0 +1,39 @@
+From d9bcffd6cd5e8ec32889a594f7348d67a5101b3a Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 12 May 2025 13:58:42 +0800
+Subject: [PATCH] Fix heap buffer overflow in
+ soup-content-sniffer.c:sniff_feed_or_html()
+
+CVE: CVE-2025-32053
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/eaed42ca8d40cd9ab63764e3d63641180505f40a]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-content-sniffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index 967ec61..5f2896e 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -620,7 +620,7 @@ skip_insignificant_space (const char *resource, int *pos, int resource_length)
+               (resource[*pos] == '\x0D')) {
+                *pos = *pos + 1;
+ 
+-               if (*pos > resource_length)
++               if (*pos >= resource_length)
+                        return TRUE;
+        }
+ 
+@@ -682,7 +682,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+                do {
+                        pos++;
+ 
+-                       if (pos > resource_length)
++                       if ((pos + 1) > resource_length)
+                                goto text_html;
+                } while (resource[pos] != '>');
+ 
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch
new file mode 100644
index 0000000000..c33ebf8056
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906.patch
@@ -0,0 +1,71 @@
+From 4b8809cca4bbcbf9514314d86227f985362258b0 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 12 Feb 2025 11:30:02 -0600
+Subject: [PATCH] headers: Handle parsing only newlines
+
+Closes #404
+Closes #407
+
+CVE: CVE-2025-32906
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af5b9a4a3945c52b940d5ac181ef51bb12011f1f]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c      |  4 ++--
+ tests/header-parsing-test.c | 11 +++++++++++
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index e5d3c03..87bb3dc 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -185,7 +185,7 @@ soup_headers_parse_request (const char          *str,
+        /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
+         * received where a Request-Line is expected."
+         */
+-       while ((*str == '\r' || *str == '\n') && len > 0) {
++       while (len > 0 && (*str == '\r' || *str == '\n')) {
+                str++;
+                len--;
+        }
+@@ -369,7 +369,7 @@ soup_headers_parse_response (const char          *str,
+         * after a response, which we then see prepended to the next
+         * response on that connection.
+         */
+-       while ((*str == '\r' || *str == '\n') && len > 0) {
++       while (len > 0 && (*str == '\r' || *str == '\n')) {
+                str++;
+                len--;
+        }
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index c1d3b33..b811115 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -6,6 +6,10 @@ typedef struct {
+        const char *name, *value;
+ } Header;
+ 
++static char only_newlines[] = {
++        '\n', '\n', '\n', '\n'
++};
++
+ static struct RequestTest {
+        const char *description;
+        const char *bugref;
+@@ -445,6 +449,13 @@ static struct RequestTest {
+          SOUP_STATUS_BAD_REQUEST,
+            NULL, NULL, -1,
+          { { NULL } }
++       },
++
++       { "Only newlines", NULL,
++         only_newlines, sizeof (only_newlines),
++         SOUP_STATUS_BAD_REQUEST,
++           NULL, NULL, -1,
++         { { NULL } }
+        }
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch
new file mode 100644
index 0000000000..41dd3ff3f4
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32907.patch
@@ -0,0 +1,39 @@
+From 8158b4084dcba2a233dfcb7359c53ab2840148f7 Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Tue, 15 Apr 2025 12:17:39 +0200
+Subject: [PATCH 1/2] soup-message-headers: Correct merge of ranges
+
+It had been skipping every second range, which generated an array
+of a lot of insane ranges, causing large memory usage by the server.
+
+Closes #428
+
+Part-of: <https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452>
+
+CVE: CVE-2025-32907
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452/diffs?commit_id=9bb92f7a685e31e10e9e8221d0342280432ce836]
+
+Test part not applied since test codes use some functions not in this
+version
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-message-headers.c |   1 +
+ 1 files changed, 1 insertions(+)
+
+diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
+index 78b2455..00b9763 100644
+--- a/libsoup/soup-message-headers.c
++++ b/libsoup/soup-message-headers.c
+@@ -1024,6 +1024,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders  *hdrs,
+                        if (cur->start <= prev->end) {
+                                prev->end = MAX (prev->end, cur->end);
+                                g_array_remove_index (array, i);
++                               i--;
+                        }
+                }
+        }
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
new file mode 100644
index 0000000000..2f5366348d
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
@@ -0,0 +1,38 @@
+From e6e088e62c10ab91fa2f2ad5c122332aa7cde97c Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 12 May 2025 16:55:37 +0800
+Subject: [PATCH] content-sniffer: Handle sniffing resource shorter than
+ 4 bytes
+
+CVE: CVE-2025-32909
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-content-sniffer.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c
+index eac9e7b..73d2245 100644
+--- a/libsoup/soup-content-sniffer.c
++++ b/libsoup/soup-content-sniffer.c
+@@ -227,9 +227,14 @@ sniff_mp4 (SoupContentSniffer *sniffer, SoupBuffer *buffer)
+ {
+        const char *resource = (const char *)buffer->data;
+        guint resource_length = MIN (512, buffer->length);
+-       guint32 box_size = *((guint32*)resource);
++       guint32 box_size;
+        guint i;
+ 
++       if (resource_length < sizeof (guint32))
++               return FALSE;
++
++       box_size = *((guint32*)resource);
++
+ #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
+        box_size = ((box_size >> 24) |
+                    ((box_size << 8) & 0x00FF0000) |
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
new file mode 100644
index 0000000000..c1dc6860f2
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
@@ -0,0 +1,32 @@
+From a7e711d0f162c6edc8acad2a96981d4890784ea3 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 12 May 2025 17:02:55 +0800
+Subject: [PATCH] auth-digest: Handle missing realm/nonce in authenticate
+ header
+
+CVE: CVE-2025-32910
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=e40df6d48a1cbab56f5d15016cc861a503423cfe]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-auth-digest.c |  3 +++
+ 1 files changed, 3 insertions(+)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index e8ba990..0ab3499 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+        guint qop_options;
+        gboolean ok = TRUE;
+ 
++        if (!soup_auth_get_realm (auth))
++               return FALSE;
++
+        g_free (priv->domain);
+        g_free (priv->nonce);
+        g_free (priv->opaque);
+ 
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
new file mode 100644
index 0000000000..019a35e3be
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
@@ -0,0 +1,94 @@
+From eccfca1074fc485a0b60dfb9c8385429a226bf73 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:19:38 +0800
+Subject: [PATCH] auth-digest: Handle missing nonce
+
+CVE: CVE-2025-32910
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=405a8a34597a44bd58c4759e7d5e23f02c3b556a]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-auth-digest.c | 45 ++++++++++++++++++++++++++++----------
+ 1 files changed, 28 insertions(+), 10 deletions(-)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 0ab3499..10a8591 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
+        return g_string_free (out, FALSE);
+ }
+ 
++static gboolean
++validate_params (SoupAuthDigest *auth_digest)
++{
++       SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
++
++       if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
++               if (!priv->nonce)
++                       return FALSE;
++       }
++
++       return TRUE;
++}
++
+ static gboolean
+ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+                         GHashTable *auth_params)
+@@ -169,17 +182,22 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+        if (priv->algorithm == -1)
+                ok = FALSE;
+ 
+-       stale = g_hash_table_lookup (auth_params, "stale");
+-       if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+-               recompute_hex_a1 (priv);
+-       else {
+-               g_free (priv->user);
+-               priv->user = NULL;
+-               g_free (priv->cnonce);
+-               priv->cnonce = NULL;
+-               memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+-               memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+-        }
++       if (!validate_params (auth_digest))
++               ok = FALSE;
++
++       if (ok) {
++               stale = g_hash_table_lookup (auth_params, "stale");
++               if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
++                       recompute_hex_a1 (priv);
++               else {
++                       g_free (priv->user);
++                       priv->user = NULL;
++                       g_free (priv->cnonce);
++                       priv->cnonce = NULL;
++                       memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
++                       memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
++               }
++       }
+ 
+        return ok;
+ }
+@@ -359,6 +377,8 @@ soup_auth_digest_compute_response (const char        *method,
+        if (qop) {
+                char tmp[9];
+ 
++               g_assert (cnonce);
++
+                g_snprintf (tmp, 9, "%.8x", nc);
+                g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
+                g_checksum_update (checksum, (guchar *)":", 1);
+@@ -422,6 +442,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
+        g_return_val_if_fail (uri != NULL, NULL);
+        url = soup_uri_to_string (uri, TRUE);
+ 
++       g_assert (priv->nonce);
++       g_assert (!priv->qop || priv->cnonce);
++
+        soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
+                                           priv->qop, priv->nonce,
+                                           priv->cnonce, priv->nc,
+ 
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
new file mode 100644
index 0000000000..bdf4d64ca3
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
@@ -0,0 +1,28 @@
+From 74c95d54fe42041fe161cb74c76d942ffd37a5dd Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:21:43 +0800
+Subject: [PATCH] auth-digest: Fix leak
+
+CVE: CVE-2025-32910
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=ea16eeacb052e423eb5c3b0b705e5eab34b13832]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-auth-digest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 10a8591..6d965d2 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
+        g_free (priv->nonce);
+        g_free (priv->domain);
+        g_free (priv->cnonce);
++       g_free (priv->opaque);
+ 
+        memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+        memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch
new file mode 100644
index 0000000000..b3ce9d8bc3
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912.patch
@@ -0,0 +1,32 @@
+From 0984dddb11daf14fdf5ca24077cd0ebda796439a Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:25:32 +0800
+Subject: [PATCH] auth-digest: Handle missing nonce
+
+CVE: CVE-2025-32912
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992?merge_request_iid=434
+https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-auth-digest.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 6d965d2..f1621ec 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+        guint qop_options;
+        gboolean ok = TRUE;
+ 
+-        if (!soup_auth_get_realm (auth))
++       if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))
+                return FALSE;
+ 
+        g_free (priv->domain);
+
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
new file mode 100644
index 0000000000..9f3bb21a25
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
@@ -0,0 +1,35 @@
+From ac844b9fc7945c38ea21fb7cf1a49a5c226d7c9c Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 12 May 2025 16:17:20 +0800
+Subject: [PATCH] Resolve "(CVE-2025-32914) (#YWH-PGM9867-23) OOB Read on
+ libsoup through function "soup_multipart_new_from_message" in
+ soup-multipart.c leads to crash or exit of process"
+
+CVE: CVE-2025-32914
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450/diffs?commit_id=5bfcf8157597f2d327050114fb37ff600004dbcf]
+
+Test code are not added since some functions not aligned with version
+2.74.3
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-multipart.c |  2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index a7e550f..dd93973 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+                        return NULL;
+                }
+ 
+-               split = strstr (start, "\r\n\r\n");
++               split = g_strstr_len (start, body_end - start, "\r\n\r\n");
+                if (!split || split > end) {
+                        soup_multipart_free (multipart);
+                        soup_buffer_free (flattened);
+ 
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch
new file mode 100644
index 0000000000..874f62e7ad
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch
@@ -0,0 +1,38 @@
+From 52a0f9234d384b9dab368835b22e5a5a01542168 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 14:16:10 +0800
+Subject: [PATCH] auth-digest: fix crash in
+ soup_auth_digest_get_protection_space()
+
+We need to validate the Domain parameter in the WWW-Authenticate header.
+
+Unfortunately this crash only occurs when listening on default ports 80
+and 443, so there's no good way to test for this. The test would require
+running as root.
+
+Fixes #440
+
+CVE: CVE-2025-4476
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c?merge_request_iid=457]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-auth-digest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index f1621ec..a2dc560 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -229,7 +229,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, SoupURI *source_uri)
+                        uri = soup_uri_new (d);
+                        if (uri && uri->scheme == source_uri->scheme &&
+                            uri->port == source_uri->port &&
+-                           !strcmp (uri->host, source_uri->host))
++                           !g_strcmp0 (uri->host, source_uri->host))
+                                dir = g_strdup (uri->path);
+                        else
+                                dir = NULL;
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch
new file mode 100644
index 0000000000..c970661694
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch
@@ -0,0 +1,61 @@
+From 81e03c538d6a102406114567f4f1c468033ce2e4 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Thu, 26 Dec 2024 18:31:42 -0600
+Subject: [PATCH] soup_header_parse_quality_list: Fix leak
+
+When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings.
+
+CVE: CVE-2025-46420
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/421/diffs?commit_id=c9083869ec2a3037e6df4bd86b45c419ba295f8e]
+
+ Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 87bb3dc..9707ca0 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -528,7 +528,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
+        GSList *unsorted;
+        QualityItem *array;
+        GSList *sorted, *iter;
+-       char *item, *semi;
++       char *semi;
+        const char *param, *equal, *value;
+        double qval;
+        int n;
+@@ -541,9 +541,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
+        unsorted = soup_header_parse_list (header);
+        array = g_new0 (QualityItem, g_slist_length (unsorted));
+        for (iter = unsorted, n = 0; iter; iter = iter->next) {
+-               item = iter->data;
+                qval = 1.0;
+-               for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) {
++               for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) {
+                        param = skip_lws (semi + 1);
+                        if (*param != 'q')
+                                continue;
+@@ -575,15 +574,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
+                if (qval == 0.0) {
+                        if (unacceptable) {
+                                *unacceptable = g_slist_prepend (*unacceptable,
+-                                                                item);
++                                                                g_steal_pointer (&iter->data));
+                        }
+                } else {
+-                       array[n].item = item;
++                       array[n].item = g_steal_pointer (&iter->data);
+                        array[n].qval = qval;
+                        n++;
+                }
+        }
+-       g_slist_free (unsorted);
++       g_slist_free_full (unsorted, g_free);
+ 
+        qsort (array, n, sizeof (QualityItem), sort_by_qval);
+        sorted = NULL;
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch
new file mode 100644
index 0000000000..3318093400
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch
@@ -0,0 +1,47 @@
+From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 5 Feb 2025 16:18:10 -0600
+Subject: [PATCH] session: Strip authentication credentails on
+ cross-origin redirect
+
+This should match the behavior of Firefox and Safari but not of Chromium.
+
+CVE: CVE-2025-46421
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]
+
+Test code not added since it included some headers not in version 2.74.3
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-session.c |  8 ++++-
+ 2 files changed, 85 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
+index 83421ef..8d6ac61 100644
+--- a/libsoup/soup-session.c
++++ b/libsoup/soup-session.c
+@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
+                                                   SOUP_ENCODING_NONE);
+        }
+ 
++       /* Strip all credentials on cross-origin redirect. */
++       if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
++               soup_message_headers_remove (msg->request_headers, "Authorization");
++               soup_message_set_auth (msg, NULL);
++       }
++
+        soup_message_set_uri (msg, new_uri);
+        soup_uri_free (new_uri);
+ 
+        soup_session_requeue_message (session, msg);
+        return TRUE;
+-}
++}
+ 
+ static void
+ redirect_handler (SoupMessage *msg, gpointer user_data)
+ 
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch
new file mode 100644
index 0000000000..b15b8c763d
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4948.patch
@@ -0,0 +1,38 @@
+From dfdc9b3cc73e6fe88cc12792ba00e14642572339 Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Thu, 15 May 2025 17:49:11 +0200
+Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body
+
+It could happen that the boundary started at a place which resulted into
+a negative number, which in an unsigned integer is a very large value.
+Check the body size is not a negative value before setting it.
+
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
+
+Part-of: <https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463>
+
+CVE: CVE-2025-4948
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463/diffs?commit_id=f2f28afe0b3b2b3009ab67d6874457ec6bac70c0]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-multipart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index dd93973..ce2fc10 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -214,7 +214,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+                 */
+                part_body = soup_buffer_new_subbuffer (flattened,
+                                                       split - flattened->data,
+-                                                      end - 2 - split);
++                                                      end - 2 >= split ? end - 2 - split : 0);
+                g_ptr_array_add (multipart->bodies, part_body);
+ 
+                start = end;
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch
new file mode 100644
index 0000000000..7bc3e8da99
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch
@@ -0,0 +1,37 @@
+From a7d0c58608ed830bedfb6b92aea11e00feb55aa9 Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Mon, 19 May 2025 17:48:27 +0200
+Subject: [PATCH] soup-multipart: Verify array bounds before accessing its
+ members
+
+The boundary could be at a place which, calculated, pointed
+before the beginning of the array. Check the bounds, to avoid
+read out of the array bounds.
+
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
+
+CVE: CVE-2025-4969
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467/diffs?commit_id=b5b4dd10d4810f0c87b4eaffe88504f06e502f33]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-multipart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index ce2fc10..a29cdf0 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -108,7 +108,7 @@ find_boundary (const char *start, const char *end,
+                        continue;
+ 
+                /* Check that it's at start of line */
+-               if (!(b == start || (b[-1] == '\n' && b[-2] == '\r')))
++               if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r')))
+                        continue;
+ 
+                /* Check for "--" or "\r\n" after boundary */
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index 7e275a48f4..52e732b78d 100644
--- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -18,8 +18,28 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://0001-Remove-http-and-https-aliases-support-test.patch \
            file://CVE-2024-52532-1.patch \
            file://CVE-2024-52532-2.patch \
-           file://CVE-2024-52532-3.patch"
-
+           file://CVE-2024-52532-3.patch \
+           file://CVE-2025-32053.patch \
+           file://CVE-2025-2784.patch \
+           file://CVE-2024-52530.patch \
+           file://CVE-2025-32906.patch \
+           file://CVE-2025-32914.patch \
+           file://CVE-2025-46420.patch \
+           file://CVE-2025-46421.patch \
+           file://CVE-2025-32050.patch \
+           file://CVE-2025-32052.patch \
+           file://CVE-2025-32909.patch \
+           file://CVE-2025-32910-1.patch \
+           file://CVE-2025-32910-2.patch \
+           file://CVE-2025-32910-3.patch \
+           file://CVE-2025-32912.patch \
+           file://CVE-2024-52531-1.patch \
+           file://CVE-2024-52531-2.patch \
+           file://CVE-2025-4476.patch \
+           file://CVE-2025-32907.patch \
+           file://CVE-2025-4948.patch \
+           file://CVE-2025-4969.patch \
+"
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 
 CVE_PRODUCT = "libsoup"