Message ID | 20250604113426.464818-7-changqing.li@windriver.com |
---|---|
State | Changes Requested |
Delegated to: | Steve Sakoman |
Series | fix several CVE for libsoup/libsoup-2.4 | expand |
On 6/4/25 13:34, Changqing Li via lists.openembedded.org wrote: > From: Changqing Li <changqing.li@windriver.com> > > Refer: > https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 > > Signed-off-by: Changqing Li <changqing.li@windriver.com> > --- > .../libsoup/libsoup-2.4/CVE-2025-46421.patch | 48 +++++++++++++++++++ > .../libsoup/libsoup-2.4_2.74.3.bb | 1 + > 2 files changed, 49 insertions(+) > create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch > > diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch > new file mode 100644 > index 0000000000..64706f43aa > --- /dev/null > +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch 
> @@ -0,0 +1,48 @@ > +From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001 > +From: Patrick Griffis <pgriffis@igalia.com> > +Date: Wed, 5 Feb 2025 16:18:10 -0600 > +Subject: [PATCH] session: Strip authentication credentails on > + cross-origin redirect > + > +This should match the behavior of Firefox and Safari but not of Chromium. > + > +CVE: CVE-2025-46421 > +Upstream-Status: Backport > +[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b] > + > +Test code not added since it included some headers not in version 2.74.3 > + > +Signed-off-by: Changqing Li <changqing.li@windriver.com> > +--- > + libsoup/soup-session.c | 8 ++++- > + tests/auth-test.c | 78 ++++++++++++++++++++++++++++++++++++++++++ > + 2 files changed, 85 insertions(+), 1 deletion(-) > + > +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c > +index 83421ef..8d6ac61 100644 > +--- a/libsoup/soup-session.c > ++++ b/libsoup/soup-session.c > +@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) > + SOUP_ENCODING_NONE); > + } > + > ++ /* Strip all credentials on cross-origin redirect. */ > ++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { > ++ //soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION); I think for libsoup-2.4 this would be something along the lines of soup_message_headers_remove(msg->request_headers, "Authorization"); or wouldn't it? > ++ soup_message_set_auth (msg, NULL); > ++ } > ++ > + soup_message_set_uri (msg, new_uri); > + soup_uri_free (new_uri); > + > + soup_session_requeue_message (session, msg); > + return TRUE; > +-} > ++} > + > + static void > + redirect_handler (SoupMessage *msg, gpointer user_data) > + > +-- > +2.34.1 > + > diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb > index 3f66099361..d37b553a92 100644 
> --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb > +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb > @@ -35,6 +35,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ > file://CVE-2025-32053.patch \ > file://CVE-2025-32052.patch \ > file://CVE-2025-32050.patch \ > + file://CVE-2025-46421.patch \ > " > SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#217933): https://lists.openembedded.org/g/openembedded-core/message/217933 > Mute This Topic: https://lists.openembedded.org/mt/113464308/6084445 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [skandigraun@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch
new file mode 100644
index 0000000000..64706f43aa
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch
@@ -0,0 +1,48 @@
+From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 5 Feb 2025 16:18:10 -0600
+Subject: [PATCH] session: Strip authentication credentails on
+ cross-origin redirect
+
+This should match the behavior of Firefox and Safari but not of Chromium.
+
+CVE: CVE-2025-46421
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]
+
+Test code not added since it included some headers not in version 2.74.3
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-session.c | 8 ++++-
+ tests/auth-test.c | 78 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 85 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
+index 83421ef..8d6ac61 100644
+--- a/libsoup/soup-session.c
++++ b/libsoup/soup-session.c
+@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
+ SOUP_ENCODING_NONE);
+ }
+
++ /* Strip all credentials on cross-origin redirect. */
++ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
++ //soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION);
++ soup_message_set_auth (msg, NULL);
++ }
++
+ soup_message_set_uri (msg, new_uri);
+ soup_uri_free (new_uri);
+
+ soup_session_requeue_message (session, msg);
+ return TRUE;
+-}
++}
+
+ static void
+ redirect_handler (SoupMessage *msg, gpointer user_data)
+
+--
+2.34.1
+
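Review bot: The backport drops the upstream regression test ("Test code not added since it included some headers not in version 2.74.3"), so nothing in this patch checks that a request redirected to a different host leaves `soup_session_redirect_message` without credentials on 2.74.3. That matters more than usual here because the backported block is not identical to upstream. The embedded patch header still carries the upstream diffstat (`tests/auth-test.c | 78 ...`, `2 files changed, 85 insertions(+), 1 deletion(-)`) although only the `libsoup/soup-session.c` hunk is present, and the `-}` / `+}` pair closing the function appears to be a whitespace-only change. I would regenerate the patch so the diffstat reads `1 file changed`, drop the brace pair, and, if feasible, port the cross-origin redirect case from the upstream auth test to the 2.4 API. The body of `soup_session_redirect_message` starts outside the hunk.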
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index 3f66099361..d37b553a92 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -35,6 +35,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
 file://CVE-2025-32053.patch \
 file://CVE-2025-32052.patch \
 file://CVE-2025-32050.patch \
+ file://CVE-2025-46421.patch \
 "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"