From: Vijay Anusuri <vanusuri@mvista.com>
Date: Tue, 3 Jun 2025 08:46:38 +0000 (+0530)
Subject: libsoup-2.4: Backport auth tests for CVE-2025-32910
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05d14768b5edf41c89b05725e06fd86b5376e6fd;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git

libsoup-2.4: Backport auth tests for CVE-2025-32910

libsoup-2.74.2/tests/auth-test.c:1554:39: error: unknown type name 'SoupServerMessage'; did you mean 'SoupServerClass'?

Fix auth-test.c compilation failure caused by CVE-2025-32910 patch

Link: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9af7d0fc751f7afcd8b03bc827a4d3af0c4556f8

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch b/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch
new file mode 100644
index 0000000000..2c23f57ccf
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch
@@ -0,0 +1,76 @@
+From: Andreas Henriksson <andreas@fatal.se>
+Date: Sat, 26 Apr 2025 20:09:29 +0200
+Subject: Backport auth tests for CVE-2025-32910
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/Backport-auth-tests-for-CVE-2025-32910.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/9af7d0fc751f7afcd8b03bc827a4d3af0c4556f8]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/auth-test.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 548ac94..f582033 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1549,14 +1549,26 @@ do_cancel_after_retry_test (void)
+         soup_test_session_abort_unref (session);
+ }
+ 
++//from upstream commit 9af7d0fc751f7afcd8b03bc827a4d3af0c4556f8
++static gboolean
++on_digest_authenticate (SoupMessage *msg,
++                        SoupAuth    *auth,
++                        gboolean     retrying,
++                        gpointer     user_data)
++{
++        g_assert_false (retrying);
++        soup_auth_authenticate (auth, "user", "good");
++        return TRUE;
++}
++
+ static void
+ on_request_read_for_missing_params (SoupServer        *server,
+-                                      SoupServerMessage *msg,
++                                      SoupMessage *msg,
++                                      SoupClientContext *client,
+                                       gpointer           user_data)
+ {
+         const char *auth_header = user_data;
+-        SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+-        soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
++        soup_message_headers_replace (msg->response_headers, "WWW-Authenticate", auth_header);
+ }
+ 
+ static void
+@@ -1567,7 +1579,7 @@ do_missing_params_test (gconstpointer auth_header)
+         SoupServer *server;
+         SoupAuthDomain *digest_auth_domain;
+         gint status;
+-        GUri *uri;
++        SoupURI *uri;
+ 
+         server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+ 	soup_server_add_handler (server, NULL,
+@@ -1586,16 +1598,16 @@ do_missing_params_test (gconstpointer auth_header)
+                           G_CALLBACK (on_request_read_for_missing_params),
+                           (gpointer)auth_header);
+ 
+-        session = soup_test_session_new (NULL);
++        session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL);
+         msg = soup_message_new_from_uri ("GET", uri);
+-        g_signal_connect (msg, "authenticate",
++        g_signal_connect (session, "authenticate",
+                           G_CALLBACK (on_digest_authenticate),
+                           NULL);
+ 
+-        status = soup_test_session_send_message (session, msg);
++        status = soup_session_send_message (session, msg);
+ 
+         g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+-	g_uri_unref (uri);
++	soup_uri_free (uri);
+ 	soup_test_server_quit_unref (server);
+ }
+ 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index 46b9e10ac5..bb15e8b926 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -26,6 +26,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-32910-1.patch \
            file://CVE-2025-32910-2.patch \
            file://CVE-2025-32910-3.patch \
+           file://Backport-auth-tests-for-CVE-2025-32910.patch \
            file://CVE-2025-32911_CVE-2025-32913-1.patch \
            file://CVE-2025-32911_CVE-2025-32913-2.patch \
            file://CVE-2025-32912-1.patch \