From patchwork Wed Apr 23 13:20:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 61748 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F1B9FC369D1 for ; Wed, 23 Apr 2025 13:20:36 +0000 (UTC) Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mx.groups.io with SMTP id smtpd.web10.8316.1745414435905342646 for ; Wed, 23 Apr 2025 06:20:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=1AAGEfYG; spf=softfail (domain: sakoman.com, ip: 209.85.210.171, mailfrom: steve@sakoman.com) Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-736ad42dfd6so5584349b3a.3 for ; Wed, 23 Apr 2025 06:20:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745414435; x=1746019235; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=cuMKSiS3DEOkKbbPJ9J7M4z51k3ur80XyvwbGqj2lS0=; b=1AAGEfYG+AnZvjBVGPVJId29vXJquRF7DL1QLB4dj400Yv5ZpTSo4sn2v1XAoHV4Au KgcA4mhmPEk8GWYxFuOSStwjTmXxBG0VEwQjabxPrjG38NZEtJcV+QdBQfA0mL+Redt0 ljtTCOFQvx2JdCkFx/iHtQgHpwdnC50RE6hwo2lm5kfXRDnjctDEKAweFVzVbh4RGJmE 8RFf73D+/j3efup5JYPh5SmuZ+3B7R7awsEHD5337wEPlIVt1qyt6GDkggQZBedb2F19 fYzhi1WB6ROfQaUI51zVY8xcTyBiyGhIVzFmaVOYhmAl4e10tmiLrn8apO8+RrgZWwsk ueLw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745414435; x=1746019235; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=cuMKSiS3DEOkKbbPJ9J7M4z51k3ur80XyvwbGqj2lS0=; b=DpRq/D7A1Aq+dwzv/1Jb4H2Czw/K2PqkMrGfPHfqF+fRTnLcOSx/ny66vhSbdJW8kD 55mvD2xaKFoPHpSAO5j+IPOYi6U+ddFjl4rYqckqH1s6K9/0EwAmxFfUw1b6i1eGu7r9 f4/1eCPdEgDvrXxUrAsn8hvx2eLrbBAP7TPVu3Khj3OpG9PyB82QGYTjEYR2/bhyKzCb MMgR7drccmnp+NaGrlXx9bg7NEJ2jT20p+jHYxvlHh1RpDAm+1aq/ec0kH3cQitPKNyW OQkUB/YbrNLWuYRuWg3WZRpohBGH/BMlT7FSp+++tcs5F03RuWI+kgU2ilWQ6LheUyBc jgOA== X-Gm-Message-State: AOJu0YwroK+EVVLO1UnNj+gh2nfrTpWNJ6d0CYe+c/bC6HA/ruzpaaHu xkVkrXWC4ETHGb7lBnY/KhVhvv7MpKGQDaRGRIaPbvhK1hN92Ghjm12R0Ya9u44nHI3+tMjxckp z X-Gm-Gg: ASbGncvwaxH90m5GStmHdxf4/1KH6eMi2ZPqtohbypYvyu6DXVieKx09jBSvSUT7GsO 5sdJP3Y/7821G4eRL8XdvFIYwuwaOgSGp+cPIuUk22QSw/zRDA8LWB8FimFM+DggFon21KvnQz7 7L+ntUFTg6WtX7o8HjkYk7GEGYrQOHAgD2RwffrLGDwX1R6cI6WOgwq4o6JoQa2Rui4c+JKExJe tpVdTwn2jFcoKCzmA5Aj1yPFvZqJm5aZ5oQFF65DaC+bmAPcDo16ROrK2az6w94qsItdiDi/mgg 8WPwNlpZKNXIddp0h7b62wa7yN7Kow8= X-Google-Smtp-Source: AGHT+IGuXDRWMMZaLaF8ZJzOsvPpHjtEbIUPeJJbXHsNMWSyzbHwRddWsPw2+3xPIolAjFXp3qaLiw== X-Received: by 2002:a05:6a00:2284:b0:739:4a93:a5df with SMTP id d2e1a72fcca58-73dc14e09femr26886739b3a.12.1745414433799; Wed, 23 Apr 2025 06:20:33 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:371e:10cb:f3ce:33f]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-73dbf8e510bsm10898037b3a.66.2025.04.23.06.20.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Apr 2025 06:20:33 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 01/14] libsoup: Fix CVE-2025-32910 Date: Wed, 23 Apr 2025 06:20:12 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 23 Apr 2025 13:20:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215294 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe & https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a & https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libsoup-3.4.4/CVE-2025-32910-1.patch | 98 ++++++++++++ .../libsoup-3.4.4/CVE-2025-32910-2.patch | 149 ++++++++++++++++++ .../libsoup-3.4.4/CVE-2025-32910-3.patch | 27 ++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 3 + 4 files changed, 277 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-2.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-3.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-1.patch new file mode 100644 index 0000000000..27011f587f --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-1.patch @@ -0,0 +1,98 @@ +From e40df6d48a1cbab56f5d15016cc861a503423cfe Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sun, 8 Dec 2024 20:00:35 -0600 +Subject: [PATCH] auth-digest: Handle missing realm in authenticate header + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 3 ++ + tests/auth-test.c | 50 +++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 2e81849af..4f12e87a5 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -148,6 +148,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + ++ if (!soup_auth_get_realm (auth)) ++ return FALSE; ++ + g_free (priv->domain); + g_free (priv->nonce); + g_free (priv->opaque); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 158fdac10..3066e904a 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1866,6 +1866,55 @@ do_multiple_digest_algorithms (void) + soup_test_server_quit_unref (server); + } + ++static void ++on_request_read_for_missing_realm (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) ++{ ++ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++} ++ ++static void ++do_missing_realm_test (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupServer *server; ++ SoupAuthDomain *digest_auth_domain; ++ gint status; ++ GUri *uri; ++ ++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ soup_server_add_handler (server, NULL, ++ server_callback, NULL, NULL); ++ uri = soup_test_server_get_uri (server, "http", NULL); ++ ++ digest_auth_domain = soup_auth_domain_digest_new ( ++ "realm", "auth-test", ++ "auth-callback", server_digest_auth_callback, ++ NULL); ++ soup_auth_domain_add_path (digest_auth_domain, "/"); ++ soup_server_add_auth_domain (server, digest_auth_domain); ++ g_object_unref (digest_auth_domain); ++ ++ g_signal_connect (server, "request-read", ++ G_CALLBACK (on_request_read_for_missing_realm), ++ NULL); ++ ++ session = soup_test_session_new (NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ g_signal_connect (msg, "authenticate", ++ G_CALLBACK (on_digest_authenticate), ++ NULL); ++ ++ status = soup_test_session_send_message (session, msg); ++ ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); ++ g_uri_unref (uri); ++ soup_test_server_quit_unref (server); ++} ++ + int + main (int argc, char **argv) + { +@@ -1899,6 +1948,7 @@ main (int argc, char **argv) + g_test_add_func ("/auth/auth-uri", do_auth_uri_test); + g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate); + g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms); ++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test); + + ret = g_test_run (); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-2.patch new file mode 100644 index 0000000000..b62e09cbdb --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-2.patch @@ -0,0 +1,149 @@ +From 405a8a34597a44bd58c4759e7d5e23f02c3b556a Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Thu, 26 Dec 2024 18:18:35 -0600 +Subject: [PATCH] auth-digest: Handle missing nonce + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 45 +++++++++++++++++++++++++-------- + tests/auth-test.c | 19 ++++++++------ + 2 files changed, 46 insertions(+), 18 deletions(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 4f12e87a..350bfde6 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -138,6 +138,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) + return g_string_free (out, FALSE); + } + ++static gboolean ++validate_params (SoupAuthDigest *auth_digest) ++{ ++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); ++ ++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { ++ if (!priv->nonce) ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ + static gboolean + soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + GHashTable *auth_params) +@@ -175,16 +188,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + if (priv->algorithm == -1) + ok = FALSE; + +- stale = g_hash_table_lookup (auth_params, "stale"); +- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) +- recompute_hex_a1 (priv); +- else { +- g_free (priv->user); +- priv->user = NULL; +- g_free (priv->cnonce); +- priv->cnonce = NULL; +- memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); +- memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ if (!validate_params (auth_digest)) ++ ok = FALSE; ++ ++ if (ok) { ++ stale = g_hash_table_lookup (auth_params, "stale"); ++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) ++ recompute_hex_a1 (priv); ++ else { ++ g_free (priv->user); ++ priv->user = NULL; ++ g_free (priv->cnonce); ++ priv->cnonce = NULL; ++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); ++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ } + } + + return ok; +@@ -276,6 +294,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp, + + /* In MD5-sess, A1 is hex_urp:nonce:cnonce */ + ++ g_assert (nonce && cnonce); ++ + checksum = g_checksum_new (G_CHECKSUM_MD5); + g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -366,6 +386,8 @@ soup_auth_digest_compute_response (const char *method, + if (qop) { + char tmp[9]; + ++ g_assert (cnonce); ++ + g_snprintf (tmp, 9, "%.8x", nc); + g_checksum_update (checksum, (guchar *)tmp, strlen (tmp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -429,6 +451,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg) + g_return_val_if_fail (uri != NULL, NULL); + url = soup_uri_get_path_and_query (uri); + ++ g_assert (priv->nonce); ++ g_assert (!priv->qop || priv->cnonce); ++ + soup_auth_digest_compute_response (soup_message_get_method (msg), url, priv->hex_a1, + priv->qop, priv->nonce, + priv->cnonce, priv->nc, +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 3066e904..c651c7cd 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1867,16 +1867,17 @@ do_multiple_digest_algorithms (void) + } + + static void +-on_request_read_for_missing_realm (SoupServer *server, +- SoupServerMessage *msg, +- gpointer user_data) ++on_request_read_for_missing_params (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) + { ++ const char *auth_header = user_data; + SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); +- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header); + } + + static void +-do_missing_realm_test (void) ++do_missing_params_test (gconstpointer auth_header) + { + SoupSession *session; + SoupMessage *msg; +@@ -1899,8 +1900,8 @@ do_missing_realm_test (void) + g_object_unref (digest_auth_domain); + + g_signal_connect (server, "request-read", +- G_CALLBACK (on_request_read_for_missing_realm), +- NULL); ++ G_CALLBACK (on_request_read_for_missing_params), ++ (gpointer)auth_header); + + session = soup_test_session_new (NULL); + msg = soup_message_new_from_uri ("GET", uri); +@@ -1948,7 +1949,9 @@ main (int argc, char **argv) + g_test_add_func ("/auth/auth-uri", do_auth_uri_test); + g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate); + g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms); +- g_test_add_func ("/auth/missing-realm", do_missing_realm_test); ++ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); + + ret = g_test_run (); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-3.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-3.patch new file mode 100644 index 0000000000..32e0c86e62 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32910-3.patch @@ -0,0 +1,27 @@ +From ea16eeacb052e423eb5c3b0b705e5eab34b13832 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 13:52:52 -0600 +Subject: [PATCH] auth-digest: Fix leak + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/auth/soup-auth-digest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index 350bfde6..9eb7fa0e 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -72,6 +72,7 @@ soup_auth_digest_finalize (GObject *object) + g_free (priv->nonce); + g_free (priv->domain); + g_free (priv->cnonce); ++ g_free (priv->opaque); + + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index b2e32b892a..80cbbdf8ea 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -18,6 +18,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2024-52531-1.patch \ file://CVE-2024-52531-2.patch \ file://CVE-2024-52531-3.patch \ + file://CVE-2025-32910-1.patch \ + file://CVE-2025-32910-2.patch \ + file://CVE-2025-32910-3.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"