MIRRORS/poky
1
0
Fork 0
mirror of git://git.yoctoproject.org/poky.git synced 2025-07-19 12:59:02 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

libsoup-2.4: Fix CVE-2025-32910

Browse Source 
import patch from debian to fix
 CVE-2025-32910

Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads
Upstream commit e40df6d48a
&
405a8a3459
&
ea16eeacb0]

Reference:
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417
https://security-tracker.debian.org/tracker/CVE-2025-32910

(From OE-Core rev: 0fc936f23e6f70021acf4e711ef49d3a5cc966fe)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Vijay Anusuri 2025-05-21 15:23:21 +05:30 committed by Steve Sakoman
parent a817e2016f
commit cca757c461
4 changed files with 274 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

97
meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch Normal file
View File

@ -0,0 +1,97 @@
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sun, 8 Dec 2024 20:00:35 -0600
Subject: auth-digest: Handle missing realm in authenticate header
(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe)
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
CVE: CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-auth-digest.c | 3 +++
tests/auth-test.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index e8ba990..263a15a 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
guint qop_options;
gboolean ok = TRUE;
+ if (!soup_auth_get_realm (auth))
+ return FALSE;
+
g_free (priv->domain);
g_free (priv->nonce);
g_free (priv->opaque);
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 8295ec3..dfc6b09 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void)
soup_test_session_abort_unref (session);
}
+static void
+on_request_read_for_missing_realm (SoupServer *server,
+ SoupServerMessage *msg,
+ gpointer user_data)
+{
+ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+}
+
+static void
+do_missing_realm_test (void)
+{
+ SoupSession *session;
+ SoupMessage *msg;
+ SoupServer *server;
+ SoupAuthDomain *digest_auth_domain;
+ gint status;
+ GUri *uri;
+
+ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ soup_server_add_handler (server, NULL,
+ server_callback, NULL, NULL);
+ uri = soup_test_server_get_uri (server, "http", NULL);
+
+ digest_auth_domain = soup_auth_domain_digest_new (
+ "realm", "auth-test",
+ "auth-callback", server_digest_auth_callback,
+ NULL);
+ soup_auth_domain_add_path (digest_auth_domain, "/");
+ soup_server_add_auth_domain (server, digest_auth_domain);
+ g_object_unref (digest_auth_domain);
+
+ g_signal_connect (server, "request-read",
+ G_CALLBACK (on_request_read_for_missing_realm),
+ NULL);
+
+ session = soup_test_session_new (NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+ g_signal_connect (msg, "authenticate",
+ G_CALLBACK (on_digest_authenticate),
+ NULL);
+
+ status = soup_test_session_send_message (session, msg);
+
+ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+ g_uri_unref (uri);
+ soup_test_server_quit_unref (server);
+}
+
int
main (int argc, char **argv)
{
@@ -1576,6 +1625,7 @@ main (int argc, char **argv)
g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
+ g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
ret = g_test_run ();

148
meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch Normal file
View File

@ -0,0 +1,148 @@
From: Patrick Griffis <pgriffis@igalia.com>
Date: Thu, 26 Dec 2024 18:18:35 -0600
Subject: auth-digest: Handle missing nonce
(cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a)
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a]
CVE: CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++++++++----------
tests/auth-test.c | 19 +++++++++++--------
2 files changed, 46 insertions(+), 18 deletions(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 263a15a..393adb6 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
return g_string_free (out, FALSE);
}
+static gboolean
+validate_params (SoupAuthDigest *auth_digest)
+{
+ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
+
+ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
+ if (!priv->nonce)
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
static gboolean
soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
GHashTable *auth_params)
@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
if (priv->algorithm == -1)
ok = FALSE;
- stale = g_hash_table_lookup (auth_params, "stale");
- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
- recompute_hex_a1 (priv);
- else {
- g_free (priv->user);
- priv->user = NULL;
- g_free (priv->cnonce);
- priv->cnonce = NULL;
- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ if (!validate_params (auth_digest))
+ ok = FALSE;
+
+ if (ok) {
+ stale = g_hash_table_lookup (auth_params, "stale");
+ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+ recompute_hex_a1 (priv);
+ else {
+ g_free (priv->user);
+ priv->user = NULL;
+ g_free (priv->cnonce);
+ priv->cnonce = NULL;
+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+ }
}
return ok;
@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,
/* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+ g_assert (nonce && cnonce);
+
checksum = g_checksum_new (G_CHECKSUM_MD5);
g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
g_checksum_update (checksum, (guchar *)":", 1);
@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method,
if (qop) {
char tmp[9];
+ g_assert (cnonce);
+
g_snprintf (tmp, 9, "%.8x", nc);
g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
g_checksum_update (checksum, (guchar *)":", 1);
@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
g_return_val_if_fail (uri != NULL, NULL);
url = soup_uri_to_string (uri, TRUE);
+ g_assert (priv->nonce);
+ g_assert (!priv->qop || priv->cnonce);
+
soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
priv->qop, priv->nonce,
priv->cnonce, priv->nc,
diff --git a/tests/auth-test.c b/tests/auth-test.c
index dfc6b09..6fb1e4a 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void)
}
static void
-on_request_read_for_missing_realm (SoupServer *server,
- SoupServerMessage *msg,
- gpointer user_data)
+on_request_read_for_missing_params (SoupServer *server,
+ SoupServerMessage *msg,
+ gpointer user_data)
{
+ const char *auth_header = user_data;
SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
}
static void
-do_missing_realm_test (void)
+do_missing_params_test (gconstpointer auth_header)
{
SoupSession *session;
SoupMessage *msg;
@@ -1582,8 +1583,8 @@ do_missing_realm_test (void)
g_object_unref (digest_auth_domain);
g_signal_connect (server, "request-read",
- G_CALLBACK (on_request_read_for_missing_realm),
- NULL);
+ G_CALLBACK (on_request_read_for_missing_params),
+ (gpointer)auth_header);
session = soup_test_session_new (NULL);
msg = soup_message_new_from_uri ("GET", uri);
@@ -1625,7 +1626,9 @@ main (int argc, char **argv)
g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
ret = g_test_run ();

26
meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch Normal file
View File

@ -0,0 +1,26 @@
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 13:52:52 -0600
Subject: auth-digest: Fix leak
(cherry picked from commit ea16eeacb052e423eb5c3b0b705e5eab34b13832)
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-3.patch?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
CVE: CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libsoup/soup-auth-digest.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 393adb6..a1db188 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
g_free (priv->nonce);
g_free (priv->domain);
g_free (priv->cnonce);
+ g_free (priv->opaque);
memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
memset (priv->hex_a1, 0, sizeof (priv->hex_a1));

3
meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
View File

@ -23,6 +23,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32906-2.patch \
file://CVE-2025-32909.patch \
file://CVE-2025-46420.patch \
file://CVE-2025-32910-1.patch \
file://CVE-2025-32910-2.patch \
file://CVE-2025-32910-3.patch \
"
SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"