4 files changed, 157 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
new file mode 100644
index 0000000000..c1dc6860f2
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
@@ -0,0 +1,32 @@
+From a7e711d0f162c6edc8acad2a96981d4890784ea3 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 12 May 2025 17:02:55 +0800
+Subject: [PATCH] auth-digest: Handle missing realm/nonce in authenticate
+ header
+CVE: CVE-2025-32910
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=e40df6d48a1cbab56f5d15016cc861a503423cfe]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-auth-digest.c |  3 +++
+ 1 files changed, 3 insertions(+)
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index e8ba990..0ab3499 100644
+--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
+@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+        guint qop_options;
+        gboolean ok = TRUE;
+ 
+        if (!soup_auth_get_realm (auth))
+               return FALSE;
+
+        g_free (priv->domain);
+        g_free (priv->nonce);
+        g_free (priv->opaque);
+ 
+-- 
+2.34.1
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
new file mode 100644
index 0000000000..019a35e3be
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
@@ -0,0 +1,94 @@
+From eccfca1074fc485a0b60dfb9c8385429a226bf73 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:19:38 +0800
+Subject: [PATCH] auth-digest: Handle missing nonce
+CVE: CVE-2025-32910
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=405a8a34597a44bd58c4759e7d5e23f02c3b556a]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-auth-digest.c | 45 ++++++++++++++++++++++++++++----------
+ 1 files changed, 28 insertions(+), 10 deletions(-)
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 0ab3499..10a8591 100644
+--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
+@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
+        return g_string_free (out, FALSE);
+ }
+ 
+static gboolean
+validate_params (SoupAuthDigest *auth_digest)
+{
+       SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
+
+       if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
+               if (!priv->nonce)
+                       return FALSE;
+       }
+
+       return TRUE;
+}
+
+ static gboolean
+ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+                         GHashTable *auth_params)
+@@ -169,17 +182,22 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+        if (priv->algorithm == -1)
+                ok = FALSE;
+ 
+-       stale = g_hash_table_lookup (auth_params, "stale");
+-       if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+-               recompute_hex_a1 (priv);
+-       else {
+-               g_free (priv->user);
+-               priv->user = NULL;
+-               g_free (priv->cnonce);
+-               priv->cnonce = NULL;
+-               memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+-               memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+-        }
+       if (!validate_params (auth_digest))
+               ok = FALSE;
+
+       if (ok) {
+               stale = g_hash_table_lookup (auth_params, "stale");
+               if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+                       recompute_hex_a1 (priv);
+               else {
+                       g_free (priv->user);
+                       priv->user = NULL;
+                       g_free (priv->cnonce);
+                       priv->cnonce = NULL;
+                       memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+                       memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+               }
+       }
+ 
+        return ok;
+ }
+@@ -359,6 +377,8 @@ soup_auth_digest_compute_response (const char        *method,
+        if (qop) {
+                char tmp[9];
+ 
+               g_assert (cnonce);
+
+                g_snprintf (tmp, 9, "%.8x", nc);
+                g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
+                g_checksum_update (checksum, (guchar *)":", 1);
+@@ -422,6 +442,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
+        g_return_val_if_fail (uri != NULL, NULL);
+        url = soup_uri_to_string (uri, TRUE);
+ 
+       g_assert (priv->nonce);
+       g_assert (!priv->qop || priv->cnonce);
+
+        soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
+                                           priv->qop, priv->nonce,
+                                           priv->cnonce, priv->nc,
+ 
+-- 
+2.34.1
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
new file mode 100644
index 0000000000..bdf4d64ca3
--- /dev/null
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
@@ -0,0 +1,28 @@
+From 74c95d54fe42041fe161cb74c76d942ffd37a5dd Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Fri, 16 May 2025 13:21:43 +0800
+Subject: [PATCH] auth-digest: Fix leak
+CVE: CVE-2025-32910
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=ea16eeacb052e423eb5c3b0b705e5eab34b13832]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-auth-digest.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 10a8591..6d965d2 100644
+--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
+@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
+        g_free (priv->nonce);
+        g_free (priv->domain);
+        g_free (priv->cnonce);
+       g_free (priv->opaque);
+ 
+        memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+        memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+-- 
+2.34.1
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index 6d6a6420d2..3e4a8e14d4 100644
--- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -29,6 +29,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2025-32050.patch \
           file://CVE-2025-32052.patch \
           file://CVE-2025-32909.patch \
+           file://CVE-2025-32910-1.patch \
+           file://CVE-2025-32910-2.patch \
+           file://CVE-2025-32910-3.patch \
 "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"

diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch new file mode 100644 index 0000000000..c1dc6860f2 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
@@ -0,0 +1,32 @@
		1	From a7e711d0f162c6edc8acad2a96981d4890784ea3 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Mon, 12 May 2025 17:02:55 +0800
		4	Subject: [PATCH] auth-digest: Handle missing realm/nonce in authenticate
		5	header
		6
		7	CVE: CVE-2025-32910
		8	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=e40df6d48a1cbab56f5d15016cc861a503423cfe]
		9
		10	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		11	---
		12	libsoup/soup-auth-digest.c \| 3 +++
		13	1 files changed, 3 insertions(+)
		14
		15	diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
		16	index e8ba990..0ab3499 100644
		17	--- a/libsoup/soup-auth-digest.c
		18	+++ b/libsoup/soup-auth-digest.c
		19	@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth auth, SoupMessage msg,
		20	guint qop_options;
		21	gboolean ok = TRUE;
		22
		23	+ if (!soup_auth_get_realm (auth))
		24	+ return FALSE;
		25	+
		26	g_free (priv->domain);
		27	g_free (priv->nonce);
		28	g_free (priv->opaque);
		29
		30	--
		31	2.34.1
		32


diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch new file mode 100644 index 0000000000..019a35e3be --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
@@ -0,0 +1,94 @@
		1	From eccfca1074fc485a0b60dfb9c8385429a226bf73 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Fri, 16 May 2025 13:19:38 +0800
		4	Subject: [PATCH] auth-digest: Handle missing nonce
		5
		6	CVE: CVE-2025-32910
		7	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=405a8a34597a44bd58c4759e7d5e23f02c3b556a]
		8
		9	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		10	---
		11	libsoup/soup-auth-digest.c \| 45 ++++++++++++++++++++++++++++----------
		12	1 files changed, 28 insertions(+), 10 deletions(-)
		13
		14	diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
		15	index 0ab3499..10a8591 100644
		16	--- a/libsoup/soup-auth-digest.c
		17	+++ b/libsoup/soup-auth-digest.c
		18	@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
		19	return g_string_free (out, FALSE);
		20	}
		21
		22	+static gboolean
		23	+validate_params (SoupAuthDigest *auth_digest)
		24	+{
		25	+ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
		26	+
		27	+ if (priv->qop \|\| priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
		28	+ if (!priv->nonce)
		29	+ return FALSE;
		30	+ }
		31	+
		32	+ return TRUE;
		33	+}
		34	+
		35	static gboolean
		36	soup_auth_digest_update (SoupAuth auth, SoupMessage msg,
		37	GHashTable *auth_params)
		38	@@ -169,17 +182,22 @@ soup_auth_digest_update (SoupAuth auth, SoupMessage msg,
		39	if (priv->algorithm == -1)
		40	ok = FALSE;
		41
		42	- stale = g_hash_table_lookup (auth_params, "stale");
		43	- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
		44	- recompute_hex_a1 (priv);
		45	- else {
		46	- g_free (priv->user);
		47	- priv->user = NULL;
		48	- g_free (priv->cnonce);
		49	- priv->cnonce = NULL;
		50	- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
		51	- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
		52	- }
		53	+ if (!validate_params (auth_digest))
		54	+ ok = FALSE;
		55	+
		56	+ if (ok) {
		57	+ stale = g_hash_table_lookup (auth_params, "stale");
		58	+ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
		59	+ recompute_hex_a1 (priv);
		60	+ else {
		61	+ g_free (priv->user);
		62	+ priv->user = NULL;
		63	+ g_free (priv->cnonce);
		64	+ priv->cnonce = NULL;
		65	+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
		66	+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
		67	+ }
		68	+ }
		69
		70	return ok;
		71	}
		72	@@ -359,6 +377,8 @@ soup_auth_digest_compute_response (const char *method,
		73	if (qop) {
		74	char tmp[9];
		75
		76	+ g_assert (cnonce);
		77	+
		78	g_snprintf (tmp, 9, "%.8x", nc);
		79	g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
		80	g_checksum_update (checksum, (guchar *)":", 1);
		81	@@ -422,6 +442,9 @@ soup_auth_digest_get_authorization (SoupAuth auth, SoupMessage msg)
		82	g_return_val_if_fail (uri != NULL, NULL);
		83	url = soup_uri_to_string (uri, TRUE);
		84
		85	+ g_assert (priv->nonce);
		86	+ g_assert (!priv->qop \|\| priv->cnonce);
		87	+
		88	soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
		89	priv->qop, priv->nonce,
		90	priv->cnonce, priv->nc,
		91
		92	--
		93	2.34.1
		94


diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch new file mode 100644 index 0000000000..bdf4d64ca3 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
@@ -0,0 +1,28 @@
		1	From 74c95d54fe42041fe161cb74c76d942ffd37a5dd Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Fri, 16 May 2025 13:21:43 +0800
		4	Subject: [PATCH] auth-digest: Fix leak
		5
		6	CVE: CVE-2025-32910
		7	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=ea16eeacb052e423eb5c3b0b705e5eab34b13832]
		8
		9	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		10	---
		11	libsoup/soup-auth-digest.c \| 1 +
		12	1 file changed, 1 insertion(+)
		13
		14	diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
		15	index 10a8591..6d965d2 100644
		16	--- a/libsoup/soup-auth-digest.c
		17	+++ b/libsoup/soup-auth-digest.c
		18	@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
		19	g_free (priv->nonce);
		20	g_free (priv->domain);
		21	g_free (priv->cnonce);
		22	+ g_free (priv->opaque);
		23
		24	memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
		25	memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
		26	--
		27	2.34.1
		28


diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 6d6a6420d2..3e4a8e14d4 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -29,6 +29,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
29	file://CVE-2025-32050.patch \	29	file://CVE-2025-32050.patch \
30	file://CVE-2025-32052.patch \	30	file://CVE-2025-32052.patch \
31	file://CVE-2025-32909.patch \	31	file://CVE-2025-32909.patch \
		32	file://CVE-2025-32910-1.patch \
		33	file://CVE-2025-32910-2.patch \
		34	file://CVE-2025-32910-3.patch \
32	"	35	"
33	SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"	36	SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
34		37