new file mode 100644
@@ -0,0 +1,37 @@
+From 781b08c1b9093626dda077450c46d07d7220984e Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <carlosgc@gnome.org>
+Date: Thu, 27 Feb 2026 11:05:00 +0000
+Subject: [PATCH] cookies: do not send cookies to a HTTP proxy for a HTTPS request
+
+When tunneling HTTPS through an HTTP proxy, libsoup's cookie jar
+attaches cookies to the initial HTTP CONNECT request sent to the proxy.
+This leaks session cookies (including Secure-flagged cookies) in
+cleartext to the proxy, enabling session hijacking.
+
+The fix skips cookie injection for CONNECT-method messages, which are
+only used for proxy tunnel establishment to HTTPS destinations.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/781b08c1b9093626dda077450c46d07d7220984e]
+CVE: CVE-2026-5119
+Signed-off-by: Ashish Sharma <pahaditechie@gmail.com>
+---
+ libsoup/soup-cookie-jar.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libsoup/soup-cookie-jar.c b/libsoup/soup-cookie-jar.c
+--- a/libsoup/soup-cookie-jar.c
++++ b/libsoup/soup-cookie-jar.c
+@@ -824,6 +824,10 @@
+ SoupCookieJar *jar = SOUP_COOKIE_JAR (feature);
+ GSList *cookies;
+
++ /* Do not send cookies to a HTTP proxy for a HTTPS request */
++ if (msg->method == SOUP_METHOD_CONNECT)
++ return;
++
+ cookies = soup_cookie_jar_get_cookie_list_with_same_site_info (jar, soup_message_get_uri (msg),
+ soup_message_get_first_party (msg),
+ soup_message_get_site_for_cookies (msg),
+ TRUE,
+--
+2.25.1
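Review bot: The guard added in the `@@ -824,6 +824,10 @@` hunk returns before the jar lookup, so the jar no longer adds cookies to a CONNECT message, but nothing in the hunk strips a `Cookie` header that is already on the message. If a tunnel message can ever carry one (not visible here, since the function body starts and ends outside the hunk), calling `soup_message_headers_remove (msg->request_headers, "Cookie");` before `return;` would make the guarantee unconditional; because this is a backport, that change should be proposed upstream first. The comment would be clearer if it said why the method is the test, e.g. `/* CONNECT is sent to the proxy in cleartext before the TLS tunnel exists; never attach cookies to it */`. The embedded diffstat shows only `libsoup/soup-cookie-jar.c` changing, so the backport carries no regression test asserting that a CONNECT message leaves without a Cookie header.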
@@ -41,6 +41,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-4476.patch \
file://CVE-2025-2784.patch \
file://CVE-2025-4945.patch \
+ file://CVE-2026-5119.patch \
"
SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
The msg_starting_cb() function in libsoup/soup-cookie-jar.c added cookies to all outgoing messages unconditionally, including HTTP CONNECT requests used for proxy tunnel establishment. Since CONNECT messages are sent in cleartext to the proxy, this exposed session cookies (including Secure-flagged cookies) to the proxy, enabling potential session hijacking. Fix by adding an early return in msg_starting_cb() when the request method is SOUP_METHOD_CONNECT, preventing cookies from being sent to an HTTP proxy during HTTPS tunnel setup. Backport of commit 781b08c1b9093626dda077450c46d07d7220984e from libsoup 3.x. Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/781b08c1b9093626dda077450c46d07d7220984e] CVE: CVE-2026-5119 Signed-off-by: Ashish Sharma <pahaditechie@gmail.com> --- .../libsoup/libsoup-2.4/CVE-2026-5119.patch | 37 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch