]> git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commitdiff
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 563a34f)
libsoup-2.4: fix CVE-2025-46421
authorChangqing Li <changqing.li@windriver.com>
Fri, 6 Jun 2025 06:49:57 +0000 (14:49 +0800)
committerSteve Sakoman <steve@sakoman.com>
Fri, 6 Jun 2025 16:32:30 +0000 (09:32 -0700)
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/439

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch [new file with mode: 0644] patch | blob
meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb patch | blob | blame | history

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch
new file mode 100644 (file)
index 0000000..26067c4
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46421.patch
@@ -0,0 +1,47 @@
+From 5eb225f02bb35de56cfeedd87bde716bf1cb750b Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 5 Feb 2025 16:18:10 -0600
+Subject: [PATCH] session: Strip authentication credentails on
+ cross-origin redirect
+
+This should match the behavior of Firefox and Safari but not of Chromium.
+
+CVE: CVE-2025-46421
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]
+
+Test code not added since it included some headers not in version 2.74.3
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-session.c |  8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
+index 83421ef..8d6ac61 100644
+--- a/libsoup/soup-session.c
++++ b/libsoup/soup-session.c
+@@ -1189,12 +1189,18 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
+                                                  SOUP_ENCODING_NONE);
+       }
++      /* Strip all credentials on cross-origin redirect. */
++      if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
++              soup_message_headers_remove (msg->request_headers, "Authorization");
++              soup_message_set_auth (msg, NULL);
++      }
++
+       soup_message_set_uri (msg, new_uri);
+       soup_uri_free (new_uri);
+       soup_session_requeue_message (session, msg);
+       return TRUE;
+-}
++}
+ static void
+ redirect_handler (SoupMessage *msg, gpointer user_data)
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index a4a8a031522c3becfc830ffed9b608cc65d425aa..4a00dafe4709eed60d864d0310d670c4bc943c9d 100644 (file)
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -36,6 +36,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-32053.patch \
            file://CVE-2025-32052.patch \
            file://CVE-2025-32050.patch \
+           file://CVE-2025-46421.patch \
 "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 
Mirror of git://git.openembedded.org/openembedded-core-contrib