| Message ID | 20250417104258.64180-1-vanusuri@mvista.com |
|---|---|
| State | Superseded |
| Delegated to: | Steve Sakoman |
| Headers | show |
| Series | [scarthgap,v2,1/5] libsoup: Fix CVE-2025-32910 | expand |
This seems to be identical to v1. On 4/17/25 12:42, Vijay Anusuri via lists.openembedded.org wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../libsoup-3.4.4/CVE-2025-32910.patch | 27 +++++++++++++++++++ > meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + > 2 files changed, 28 insertions(+) > create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > new file mode 100644 > index 0000000000..32e0c86e62 > --- /dev/null > +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > @@ -0,0 +1,27 @@ > +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001 > +From: Patrick Griffis <pgriffis@igalia.com> > +Date: Fri, 27 Dec 2024 13:52:52 -0600 > +Subject: [PATCH] auth-digest: Fix leak > + > +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] > +CVE: CVE-2025-32910 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + libsoup/auth/soup-auth-digest.c | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c > +index 350bfde6..9eb7fa0e 100644 > +--- a/libsoup/auth/soup-auth-digest.c > ++++ b/libsoup/auth/soup-auth-digest.c > +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object) > + g_free (priv->nonce); > + g_free (priv->domain); > + g_free (priv->cnonce); > ++ g_free (priv->opaque); > + > + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); > + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); > +-- > +GitLab > + > diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > index b2e32b892a..757e6432f7 100644 > --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb > +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > @@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ > file://CVE-2024-52531-1.patch \ > file://CVE-2024-52531-2.patch \ > file://CVE-2024-52531-3.patch \ > + file://CVE-2025-32910.patch \ > " > SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#215059): https://lists.openembedded.org/g/openembedded-core/message/215059 > Mute This Topic: https://lists.openembedded.org/mt/112311177/6084445 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [skandigraun@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
I have renamed one of the patches in the v2 patch. Thanks & Regards, Vijay On Thu, Apr 17, 2025 at 4:45 PM Gyorgy Sarvari <skandigraun@gmail.com> wrote: > This seems to be identical to v1. > > On 4/17/25 12:42, Vijay Anusuri via lists.openembedded.org wrote: > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > Upstream-Status: Backport from > https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > --- > > .../libsoup-3.4.4/CVE-2025-32910.patch | 27 +++++++++++++++++++ > > meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + > > 2 files changed, 28 insertions(+) > > create mode 100644 > meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > > > diff --git > a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > new file mode 100644 > > index 0000000000..32e0c86e62 > > --- /dev/null > > +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > @@ -0,0 +1,27 @@ > > +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001 > > +From: Patrick Griffis <pgriffis@igalia.com> > > +Date: Fri, 27 Dec 2024 13:52:52 -0600 > > +Subject: [PATCH] auth-digest: Fix leak > > + > > +Upstream-Status: Backport [ > https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 > ] > > +CVE: CVE-2025-32910 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + libsoup/auth/soup-auth-digest.c | 1 + > > + 1 file changed, 1 insertion(+) > > + > > +diff --git a/libsoup/auth/soup-auth-digest.c > b/libsoup/auth/soup-auth-digest.c > > +index 350bfde6..9eb7fa0e 100644 > > +--- a/libsoup/auth/soup-auth-digest.c > > ++++ b/libsoup/auth/soup-auth-digest.c > > +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object) > > + g_free (priv->nonce); > > + g_free (priv->domain); > > + g_free (priv->cnonce); > > ++ g_free (priv->opaque); > > + > > + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); > > + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); > > +-- > > +GitLab > > + > > diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb > b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > > index b2e32b892a..757e6432f7 100644 > > --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb > > +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > > @@ -18,6 +18,7 @@ SRC_URI = > "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ > > file://CVE-2024-52531-1.patch \ > > file://CVE-2024-52531-2.patch \ > > file://CVE-2024-52531-3.patch \ > > + file://CVE-2025-32910.patch \ > > " > > SRC_URI[sha256sum] = > "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#215059): > https://lists.openembedded.org/g/openembedded-core/message/215059 > > Mute This Topic: https://lists.openembedded.org/mt/112311177/6084445 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > skandigraun@gmail.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > >
Your reply makes me wonder if my feedback from yesterday reached you: https://lists.openembedded.org/g/openembedded-core/message/214981 - don't know if you disagree with it, or maybe you just haven't seen it. On 4/17/25 13:21, Vijay Anusuri wrote: > I have renamed one of the patches in the v2 patch. > > Thanks & Regards, > Vijay > > > On Thu, Apr 17, 2025 at 4:45 PM Gyorgy Sarvari <skandigraun@gmail.com> > wrote: > > This seems to be identical to v1. > > On 4/17/25 12:42, Vijay Anusuri via lists.openembedded.org > <http://lists.openembedded.org> wrote: > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > Upstream-Status: Backport from > https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > --- > > .../libsoup-3.4.4/CVE-2025-32910.patch | 27 > +++++++++++++++++++ > > meta/recipes-support/libsoup/libsoup_3.4.4.bb > <http://libsoup_3.4.4.bb> | 1 + > > 2 files changed, 28 insertions(+) > > create mode 100644 > meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > > > diff --git > a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > new file mode 100644 > > index 0000000000..32e0c86e62 > > --- /dev/null > > +++ > b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > @@ -0,0 +1,27 @@ > > +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 > 00:00:00 2001 > > +From: Patrick Griffis <pgriffis@igalia.com> > > +Date: Fri, 27 Dec 2024 13:52:52 -0600 > > +Subject: [PATCH] auth-digest: Fix leak > > + > > +Upstream-Status: Backport > [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] > > +CVE: CVE-2025-32910 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + libsoup/auth/soup-auth-digest.c | 1 + > > + 1 file changed, 1 insertion(+) > > + > > +diff --git a/libsoup/auth/soup-auth-digest.c > b/libsoup/auth/soup-auth-digest.c > > +index 350bfde6..9eb7fa0e 100644 > > +--- a/libsoup/auth/soup-auth-digest.c > > ++++ b/libsoup/auth/soup-auth-digest.c > > +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object) > > + g_free (priv->nonce); > > + g_free (priv->domain); > > + g_free (priv->cnonce); > > ++ g_free (priv->opaque); > > + > > + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); > > + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); > > +-- > > +GitLab > > + > > diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb > <http://libsoup_3.4.4.bb> > b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > <http://libsoup_3.4.4.bb> > > index b2e32b892a..757e6432f7 100644 > > --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb > <http://libsoup_3.4.4.bb> > > +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > <http://libsoup_3.4.4.bb> > > @@ -18,6 +18,7 @@ SRC_URI = > "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ > > file://CVE-2024-52531-1.patch \ > > file://CVE-2024-52531-2.patch \ > > file://CVE-2024-52531-3.patch \ > > + file://CVE-2025-32910.patch \ > > " > > SRC_URI[sha256sum] = > "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#215059): > https://lists.openembedded.org/g/openembedded-core/message/215059 > > Mute This Topic: https://lists.openembedded.org/mt/112311177/6084445 > > Group Owner: openembedded-core+owner@lists.openembedded.org > <mailto:openembedded-core%2Bowner@lists.openembedded.org> > > Unsubscribe: > https://lists.openembedded.org/g/openembedded-core/unsub > [skandigraun@gmail.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > >
I haven't seen your yesterday's message : https://lists.openembedded.org/g/openembedded-core/message/214981 Those 2 missing commits were added as part of CVE-2025-32912 patch. Thanks for letting me know. I will rename those patches and will send a v3 patch. Thanks & Regards, Vijay On Thu, Apr 17, 2025 at 4:55 PM Gyorgy Sarvari <skandigraun@gmail.com> wrote: > Your reply makes me wonder if my feedback from yesterday reached you: > https://lists.openembedded.org/g/openembedded-core/message/214981 - > don't know if you disagree with it, or maybe you just haven't seen it. > > On 4/17/25 13:21, Vijay Anusuri wrote: > > I have renamed one of the patches in the v2 patch. > > > > Thanks & Regards, > > Vijay > > > > > > On Thu, Apr 17, 2025 at 4:45 PM Gyorgy Sarvari <skandigraun@gmail.com> > > wrote: > > > > This seems to be identical to v1. > > > > On 4/17/25 12:42, Vijay Anusuri via lists.openembedded.org > > <http://lists.openembedded.org> wrote: > > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > > > Upstream-Status: Backport from > > > https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 > > > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > > --- > > > .../libsoup-3.4.4/CVE-2025-32910.patch | 27 > > +++++++++++++++++++ > > > meta/recipes-support/libsoup/libsoup_3.4.4.bb > > <http://libsoup_3.4.4.bb> | 1 + > > > 2 files changed, 28 insertions(+) > > > create mode 100644 > > meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > > > > > diff --git > > a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > > new file mode 100644 > > > index 0000000000..32e0c86e62 > > > --- /dev/null > > > +++ > > b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > > @@ -0,0 +1,27 @@ > > > +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 > > 00:00:00 2001 > > > +From: Patrick Griffis <pgriffis@igalia.com> > > > +Date: Fri, 27 Dec 2024 13:52:52 -0600 > > > +Subject: [PATCH] auth-digest: Fix leak > > > + > > > +Upstream-Status: Backport > > [ > https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 > ] > > > +CVE: CVE-2025-32910 > > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > > +--- > > > + libsoup/auth/soup-auth-digest.c | 1 + > > > + 1 file changed, 1 insertion(+) > > > + > > > +diff --git a/libsoup/auth/soup-auth-digest.c > > b/libsoup/auth/soup-auth-digest.c > > > +index 350bfde6..9eb7fa0e 100644 > > > +--- a/libsoup/auth/soup-auth-digest.c > > > ++++ b/libsoup/auth/soup-auth-digest.c > > > +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object) > > > + g_free (priv->nonce); > > > + g_free (priv->domain); > > > + g_free (priv->cnonce); > > > ++ g_free (priv->opaque); > > > + > > > + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); > > > + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); > > > +-- > > > +GitLab > > > + > > > diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb > > <http://libsoup_3.4.4.bb> > > b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > > <http://libsoup_3.4.4.bb> > > > index b2e32b892a..757e6432f7 100644 > > > --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb > > <http://libsoup_3.4.4.bb> > > > +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > > <http://libsoup_3.4.4.bb> > > > @@ -18,6 +18,7 @@ SRC_URI = > > "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ > > > file://CVE-2024-52531-1.patch \ > > > file://CVE-2024-52531-2.patch \ > > > file://CVE-2024-52531-3.patch \ > > > + file://CVE-2025-32910.patch \ > > > " > > > SRC_URI[sha256sum] = > > "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > > Links: You receive all messages sent to this group. > > > View/Reply Online (#215059): > > https://lists.openembedded.org/g/openembedded-core/message/215059 > > > Mute This Topic: > https://lists.openembedded.org/mt/112311177/6084445 > > > Group Owner: openembedded-core+owner@lists.openembedded.org > > <mailto:openembedded-core%2Bowner@lists.openembedded.org> > > > Unsubscribe: > > https://lists.openembedded.org/g/openembedded-core/unsub > > [skandigraun@gmail.com] > > > -=-=-=-=-=-=-=-=-=-=-=- > > > > > >
Ahh, so I was missing something, it fixes multiple CVEs... thanks for the clarification. On 4/17/25 13:45, Vijay Anusuri wrote: > I haven't seen your yesterday's message : > https://lists.openembedded.org/g/openembedded-core/message/214981 > > Those 2 missing commits were added as part of CVE-2025-32912 patch. > > Thanks for letting me know. I will rename those patches and will send > a v3 patch. > > Thanks & Regards, > Vijay > > On Thu, Apr 17, 2025 at 4:55 PM Gyorgy Sarvari <skandigraun@gmail.com> > wrote: > > Your reply makes me wonder if my feedback from yesterday reached you: > https://lists.openembedded.org/g/openembedded-core/message/214981 - > don't know if you disagree with it, or maybe you just haven't seen it. > > On 4/17/25 13:21, Vijay Anusuri wrote: > > I have renamed one of the patches in the v2 patch. > > > > Thanks & Regards, > > Vijay > > > > > > On Thu, Apr 17, 2025 at 4:45 PM Gyorgy Sarvari > <skandigraun@gmail.com> > > wrote: > > > > This seems to be identical to v1. > > > > On 4/17/25 12:42, Vijay Anusuri via lists.openembedded.org > <http://lists.openembedded.org> > > <http://lists.openembedded.org> wrote: > > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > > > Upstream-Status: Backport from > > > https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 > > > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > > --- > > > .../libsoup-3.4.4/CVE-2025-32910.patch | 27 > > +++++++++++++++++++ > > > meta/recipes-support/libsoup/libsoup_3.4.4.bb > <http://libsoup_3.4.4.bb> > > <http://libsoup_3.4.4.bb> | 1 + > > > 2 files changed, 28 insertions(+) > > > create mode 100644 > > meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > > > > > diff --git > > > a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > > b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > > new file mode 100644 > > > index 0000000000..32e0c86e62 > > > --- /dev/null > > > +++ > > > b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch > > > @@ -0,0 +1,27 @@ > > > +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 > > 00:00:00 2001 > > > +From: Patrick Griffis <pgriffis@igalia.com> > > > +Date: Fri, 27 Dec 2024 13:52:52 -0600 > > > +Subject: [PATCH] auth-digest: Fix leak > > > + > > > +Upstream-Status: Backport > > > [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] > > > +CVE: CVE-2025-32910 > > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > > +--- > > > + libsoup/auth/soup-auth-digest.c | 1 + > > > + 1 file changed, 1 insertion(+) > > > + > > > +diff --git a/libsoup/auth/soup-auth-digest.c > > b/libsoup/auth/soup-auth-digest.c > > > +index 350bfde6..9eb7fa0e 100644 > > > +--- a/libsoup/auth/soup-auth-digest.c > > > ++++ b/libsoup/auth/soup-auth-digest.c > > > +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object) > > > + g_free (priv->nonce); > > > + g_free (priv->domain); > > > + g_free (priv->cnonce); > > > ++ g_free (priv->opaque); > > > + > > > + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); > > > + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); > > > +-- > > > +GitLab > > > + > > > diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb > <http://libsoup_3.4.4.bb> > > <http://libsoup_3.4.4.bb> > > b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > <http://libsoup_3.4.4.bb> > > <http://libsoup_3.4.4.bb> > > > index b2e32b892a..757e6432f7 100644 > > > --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb > <http://libsoup_3.4.4.bb> > > <http://libsoup_3.4.4.bb> > > > +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb > <http://libsoup_3.4.4.bb> > > <http://libsoup_3.4.4.bb> > > > @@ -18,6 +18,7 @@ SRC_URI = > > "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ > > > file://CVE-2024-52531-1.patch \ > > > file://CVE-2024-52531-2.patch \ > > > file://CVE-2024-52531-3.patch \ > > > + file://CVE-2025-32910.patch \ > > > " > > > SRC_URI[sha256sum] = > > > "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > > Links: You receive all messages sent to this group. > > > View/Reply Online (#215059): > > > https://lists.openembedded.org/g/openembedded-core/message/215059 > > > Mute This Topic: > https://lists.openembedded.org/mt/112311177/6084445 > > > Group Owner: > openembedded-core+owner@lists.openembedded.org > <mailto:openembedded-core%2Bowner@lists.openembedded.org> > > <mailto:openembedded-core%2Bowner@lists.openembedded.org > <mailto:openembedded-core%252Bowner@lists.openembedded.org>> > > > Unsubscribe: > > https://lists.openembedded.org/g/openembedded-core/unsub > > [skandigraun@gmail.com] > > > -=-=-=-=-=-=-=-=-=-=-=- > > > > > >
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch new file mode 100644 index 0000000000..32e0c86e62 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910.patch @@ -0,0 +1,27 @@ +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis <pgriffis@igalia.com> +Date: Fri, 27 Dec 2024 13:52:52 -0600 +Subject: [PATCH] auth-digest: Fix leak + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libsoup/auth/soup-auth-digest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 350bfde6..9eb7fa0e 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object) + g_free (priv->nonce); + g_free (priv->domain); + g_free (priv->cnonce); ++ g_free (priv->opaque); + + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index b2e32b892a..757e6432f7 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52531-1.patch \ file://CVE-2024-52531-2.patch \ file://CVE-2024-52531-3.patch \ + file://CVE-2025-32910.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"