Message ID | 20250604113426.464818-7-changqing.li@windriver.com |
---|---|
State | Changes Requested |
Delegated to: | Steve Sakoman |
Series | fix several CVE for libsoup/libsoup-2.4 |
On 6/4/25 13:34, Changqing Li via lists.openembedded.org wrote: > From: Changqing Li <changqing.li@windriver.com> > > Refer: > https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 > > Signed-off-by: Changqing Li <changqing.li@windriver.com> > --- > .../libsoup/libsoup-2.4/CVE-2025-46421.patch | 48 +++++++++++++++++++ > .../libsoup/libsoup-2.4_2.74.3.bb | 1 + > 2 files changed, 49 insertions(+) > create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch > > diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch > new file mode 100644 > index 0000000000..64706f43aa > --- /dev/null > +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch 
> @@ -0,0 +1,48 @@ > +From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001 > +From: Patrick Griffis <pgriffis@igalia.com> > +Date: Wed, 5 Feb 2025 16:18:10 -0600 > +Subject: [PATCH] session: Strip authentication credentails on > + cross-origin redirect > + > +This should match the behavior of Firefox and Safari but not of Chromium. > + > +CVE: CVE-2025-46421 > +Upstream-Status: Backport > +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] > + > +Test code not added since it included some headers not in version 2.74.3 > + > +Signed-off-by: Changqing Li <changqing.li@windriver.com> > +--- > + libsoup/soup-session.c | 8 ++++- > + tests/auth-test.c | 78 ++++++++++++++++++++++++++++++++++++++++++ > + 2 files changed, 85 insertions(+), 1 deletion(-) > + > +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c > +index 83421ef..8d6ac61 100644 > +--- a/libsoup/soup-session.c > ++++ b/libsoup/soup-session.c > +@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) > + SOUP_ENCODING_NONE); > + } > + > ++ /* Strip all credentials on cross-origin redirect. */ > ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { > ++ //soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION); I think for libsoup-2.4 this would be something along the lines of soup_message_headers_remove(msg->request_headers, "Authorization"); or wouldn't it? > ++ soup_message_set_auth (msg, NULL); > ++ } > ++ > + soup_message_set_uri (msg, new_uri); > + soup_uri_free (new_uri); > + > + soup_session_requeue_message (session, msg); > + return TRUE; > +-} > ++} > + > + static void > + redirect_handler (SoupMessage *msg, gpointer user_data) > + > +-- > +2.34.1 > + > diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb > index 3f66099361..d37b553a92 100644 
> --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb > +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb > @@ -35,6 +35,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ > file://CVE-2025-32053.patch \ > file://CVE-2025-32052.patch \ > file://CVE-2025-32050.patch \ > + file://CVE-2025-46421.patch \ > " > SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
On 6/4/25 20:13, Gyorgy Sarvari wrote: > On 6/4/25 13:34, Changqing Li via lists.openembedded.org wrote: >> From: Changqing Li<changqing.li@windriver.com> >> >> Refer: >> https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 >> >> Signed-off-by: Changqing Li<changqing.li@windriver.com> >> --- >> .../libsoup/libsoup-2.4/CVE-2025-46421.patch | 48 +++++++++++++++++++ >> .../libsoup/libsoup-2.4_2.74.3.bb | 1 + >> 2 files changed, 49 insertions(+) >> create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch >> >> diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch >> new file mode 100644 >> index 0000000000..64706f43aa >> --- /dev/null >> +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch 
>> @@ -0,0 +1,48 @@ >> +From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001 >> +From: Patrick Griffis<pgriffis@igalia.com> >> +Date: Wed, 5 Feb 2025 16:18:10 -0600 >> +Subject: [PATCH] session: Strip authentication credentails on >> + cross-origin redirect >> + >> +This should match the behavior of Firefox and Safari but not of Chromium. >> + >> +CVE: CVE-2025-46421 >> +Upstream-Status: Backport >> +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] >> + >> +Test code not added since it included some headers not in version 2.74.3 >> + >> +Signed-off-by: Changqing Li<changqing.li@windriver.com> >> +--- >> + libsoup/soup-session.c | 8 ++++- >> + tests/auth-test.c | 78 ++++++++++++++++++++++++++++++++++++++++++ >> + 2 files changed, 85 insertions(+), 1 deletion(-) >> + >> +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c >> +index 83421ef..8d6ac61 100644 >> +--- a/libsoup/soup-session.c >> ++++ b/libsoup/soup-session.c >> +@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) >> + SOUP_ENCODING_NONE); >> + } >> + >> ++ /* Strip all credentials on cross-origin redirect. */ >> ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { >> ++ //soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION); > I think for libsoup-2.4 this would be something along the lines of > > soup_message_headers_remove(msg->request_headers, "Authorization"); > > or wouldn't it? Gyorgy, great thanks for pointing this out. I think you are right. I will fix this in V3. //Changqing > >> ++ soup_message_set_auth (msg, NULL); >> ++ } >> ++ >> + soup_message_set_uri (msg, new_uri); >> + soup_uri_free (new_uri); >> + >> + soup_session_requeue_message (session, msg); >> + return TRUE; >> +-} >> ++} >> + >> + static void >> + redirect_handler (SoupMessage *msg, gpointer user_data) >> + >> +-- >> +2.34.1 >> + 
>> diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb >> index 3f66099361..d37b553a92 100644 >> --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb >> +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb >> @@ -35,6 +35,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ >> file://CVE-2025-32053.patch \ >> file://CVE-2025-32052.patch \ >> file://CVE-2025-32050.patch \ >> +file://CVE-2025-46421.patch \ >> " >> SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch new file mode 100644 index 0000000000..64706f43aa --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch @@ -0,0 +1,48 @@ +From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001 +From: Patrick Griffis <pgriffis@igalia.com> +Date: Wed, 5 Feb 2025 16:18:10 -0600 +Subject: [PATCH] session: Strip authentication credentails on + cross-origin redirect + +This should match the behavior of Firefox and Safari but not of Chromium. + +CVE: CVE-2025-46421 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] + +Test code not added since it included some headers not in version 2.74.3 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + libsoup/soup-session.c | 8 ++++- + tests/auth-test.c | 78 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 85 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index 83421ef..8d6ac61 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) + SOUP_ENCODING_NONE); + } + ++ /* Strip all credentials on cross-origin redirect. */ ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { ++ //soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION); ++ soup_message_set_auth (msg, NULL); ++ } ++ + soup_message_set_uri (msg, new_uri); + soup_uri_free (new_uri); + + soup_session_requeue_message (session, msg); + return TRUE; +-} ++} + + static void + redirect_handler (SoupMessage *msg, gpointer user_data) + +-- +2.34.1 + 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 3f66099361..d37b553a92 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -35,6 +35,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32053.patch \ file://CVE-2025-32052.patch \ file://CVE-2025-32050.patch \ + file://CVE-2025-46421.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
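Review bot: In the soup_session_redirect_message hunk of CVE-2025-46421.patch, the Authorization header removal is commented out (the line starting "//soup_message_headers_remove_common"), so the cross-origin branch only calls soup_message_set_auth (msg, NULL) and nothing in the hunk removes an Authorization header already present in the request headers before the message is requeued. Since the commit subject says credentials are stripped on cross-origin redirect, replace the commented line with a call that builds against libsoup 2.4, for example the one proposed in the thread: soup_message_headers_remove (msg->request_headers, "Authorization");. Two smaller points in the same patch file: the "-}" / "+}" pair at the end of the function appears to differ only in whitespace and should be dropped from the backport, and the embedded diffstat still lists tests/auth-test.c with 78 lines ("2 files changed, 85 insertions(+), 1 deletion(-)") although the message states the test code was not added, so the diffstat should be regenerated to match what the patch actually carries.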