[scarthgap,v2,1/5] libsoup: Fix CVE-2025-32910

Message ID 20250417104258.64180-1-vanusuri@mvista.com
State Superseded
Delegated to: Steve Sakoman
Series [scarthgap,v2,1/5] libsoup: Fix CVE-2025-32910

Commit Message

Vijay Anusuri April 17, 2025, 10:42 a.m. UTC
From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../libsoup-3.4.4/CVE-2025-32910.patch        | 27 +++++++++++++++++++
 meta/recipes-support/libsoup/libsoup_3.4.4.bb |  1 +
 2 files changed, 28 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch

Comments

Gyorgy Sarvari April 17, 2025, 11:15 a.m. UTC | #1
This seems to be identical to v1.

On 4/17/25 12:42, Vijay Anusuri via lists.openembedded.org wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
>  .../libsoup-3.4.4/CVE-2025-32910.patch        | 27 +++++++++++++++++++
>  meta/recipes-support/libsoup/libsoup_3.4.4.bb |  1 +
>  2 files changed, 28 insertions(+)
>  create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch
>
> diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch
> new file mode 100644
> index 0000000000..32e0c86e62
> --- /dev/null
> +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch
> @@ -0,0 +1,27 @@
> +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001
> +From: Patrick Griffis <pgriffis@igalia.com>
> +Date: Fri, 27 Dec 2024 13:52:52 -0600
> +Subject: [PATCH] auth-digest: Fix leak
> +
> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
> +CVE: CVE-2025-32910
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + libsoup/auth/soup-auth-digest.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
> +index 350bfde6..9eb7fa0e 100644
> +--- a/libsoup/auth/soup-auth-digest.c
> ++++ b/libsoup/auth/soup-auth-digest.c
> +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object)
> + 	g_free (priv->nonce);
> + 	g_free (priv->domain);
> + 	g_free (priv->cnonce);
> ++        g_free (priv->opaque);
> + 
> + 	memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
> + 	memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
> +-- 
> +GitLab
> +
> diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
> index b2e32b892a..757e6432f7 100644
> --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
> +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
> @@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
>             file://CVE-2024-52531-1.patch \
>             file://CVE-2024-52531-2.patch \
>             file://CVE-2024-52531-3.patch \
> +           file://CVE-2025-32910.patch \
>            "
>  SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
>  
Vijay Anusuri April 17, 2025, 11:21 a.m. UTC | #2
I have renamed one of the patches in the v2 patch.

Thanks & Regards,
Vijay


On Thu, Apr 17, 2025 at 4:45 PM Gyorgy Sarvari <skandigraun@gmail.com>
wrote:

> This seems to be identical to v1.
Gyorgy Sarvari April 17, 2025, 11:25 a.m. UTC | #3
Your reply makes me wonder if my feedback from yesterday reached you:
https://lists.openembedded.org/g/openembedded-core/message/214981 -
don't know if you disagree with it, or maybe you just haven't seen it.

On 4/17/25 13:21, Vijay Anusuri wrote:
> I have renamed one of the patches in the v2 patch.
>
> Thanks & Regards,
> Vijay
>
>
> On Thu, Apr 17, 2025 at 4:45 PM Gyorgy Sarvari <skandigraun@gmail.com>
> wrote:
>
>     This seems to be identical to v1.
Vijay Anusuri April 17, 2025, 11:45 a.m. UTC | #4
I haven't seen your message from yesterday:
https://lists.openembedded.org/g/openembedded-core/message/214981

Those 2 missing commits were added as part of the CVE-2025-32912 patch.

Thanks for letting me know. I will rename those patches and will send a v3
patch.

Thanks & Regards,
Vijay

On Thu, Apr 17, 2025 at 4:55 PM Gyorgy Sarvari <skandigraun@gmail.com>
wrote:

> Your reply makes me wonder if my feedback from yesterday reached you:
> https://lists.openembedded.org/g/openembedded-core/message/214981 -
> don't know if you disagree with it, or maybe you just haven't seen it.
>
> On 4/17/25 13:21, Vijay Anusuri wrote:
> > I have renamed one of the patches in the v2 patch.
> >
> > Thanks & Regards,
> > Vijay
> >
> >
> > On Thu, Apr 17, 2025 at 4:45 PM Gyorgy Sarvari <skandigraun@gmail.com>
> > wrote:
> >
> >     This seems to be identical to v1.
Gyorgy Sarvari April 17, 2025, 11:49 a.m. UTC | #5
Ahh, so I was missing something, it fixes multiple CVEs... thanks for
the clarification.

On 4/17/25 13:45, Vijay Anusuri wrote:
> I haven't seen your message from yesterday:
> https://lists.openembedded.org/g/openembedded-core/message/214981
>
> Those 2 missing commits were added as part of the CVE-2025-32912 patch.
>
> Thanks for letting me know. I will rename those patches and will send
> a v3 patch.
>
> Thanks & Regards,
> Vijay
>
> On Thu, Apr 17, 2025 at 4:55 PM Gyorgy Sarvari <skandigraun@gmail.com>
> wrote:
>
>     Your reply makes me wonder if my feedback from yesterday reached you:
>     https://lists.openembedded.org/g/openembedded-core/message/214981 -
>     don't know if you disagree with it, or maybe you just haven't seen it.
>
>     On 4/17/25 13:21, Vijay Anusuri wrote:
>     > I have renamed one of the patches in the v2 patch.
>     >
>     > Thanks & Regards,
>     > Vijay
>     >
>     >
>     > On Thu, Apr 17, 2025 at 4:45 PM Gyorgy Sarvari
>     <skandigraun@gmail.com>
>     > wrote:
>     >
>     >     This seems to be identical to v1.
Patch

diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch
new file mode 100644
index 0000000000..32e0c86e62
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch
@@ -0,0 +1,27 @@ 
+From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 13:52:52 -0600
+Subject: [PATCH] auth-digest: Fix leak
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/auth/soup-auth-digest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
+index 350bfde6..9eb7fa0e 100644
+--- a/libsoup/auth/soup-auth-digest.c
++++ b/libsoup/auth/soup-auth-digest.c
+@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object)
+ 	g_free (priv->nonce);
+ 	g_free (priv->domain);
+ 	g_free (priv->cnonce);
++        g_free (priv->opaque);
+ 
+ 	memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+ 	memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+-- 
+GitLab
+
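
Review bot: The embedded patch header tags "CVE: CVE-2025-32910", but the only change it carries is the one-line g_free (priv->opaque) in soup_auth_digest_finalize under the subject "auth-digest: Fix leak", and nothing in the header says how that relates to the CVE or that further commits belong to the fix. Per the discussion above, the other two upstream commits are carried in the CVE-2025-32912 patch; please state that in this patch's description, or tag that patch with both CVE ids, so that CVE tracking and anyone picking up this file alone do not treat the issue as fully fixed. The added line is also indented with spaces while its neighbours use tabs; keep it that way only if it matches the upstream commit exactly.
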
diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
index b2e32b892a..757e6432f7 100644
--- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -18,6 +18,7 @@  SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2024-52531-1.patch \
            file://CVE-2024-52531-2.patch \
            file://CVE-2024-52531-3.patch \
+           file://CVE-2025-32910.patch \
           "
 SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
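
Review bot: The new SRC_URI entry is named CVE-2025-32910.patch with no numeric suffix, unlike the CVE-2024-52531-1/-2/-3 entries just above it, which hides that the fix for this CVE is spread over more than one patch file in the series. Consider the same -N suffix scheme for the rename planned in v3, and update this entry together with the file name so the recipe never references a patch that is no longer in the tree.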