libsoup-2.4: Fix CVE-2025-32910

import patch from debian to fix CVE-2025-32910 Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe & https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a & https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417 https://security-tracker.debian.org/tracker/CVE-2025-32910 (From OE-Core rev: 0fc936f23e6f70021acf4e711ef49d3a5cc966fe) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-05-21 15:23:21 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-06-02 07:12:34 -0700
commit: cca757c4619f89bbb7e2de73e93f683c630f1b92 (patch)
tree: 95af872d25700e0c29edbffc0fea000d5054b4dc
parent: a817e2016f3728bfcab9cad041620cc66d77e34b (diff)
download: poky-cca757c4619f89bbb7e2de73e93f683c630f1b92.tar.gz
4 files changed, 274 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
new file mode 100644
index 0000000000..de4faf5380
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
@@ -0,0 +1,97 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Sun, 8 Dec 2024 20:00:35 -0600
+Subject: auth-digest: Handle missing realm in authenticate header
+(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe)
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c |  3 +++
+ tests/auth-test.c          | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index e8ba990..263a15a 100644
+--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
+@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+        guint qop_options;
+        gboolean ok = TRUE;
+ 
+        if (!soup_auth_get_realm (auth))
+                return FALSE;
+
+        g_free (priv->domain);
+        g_free (priv->nonce);
+        g_free (priv->opaque);
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 8295ec3..dfc6b09 100644
+--- a/tests/auth-test.c
+++ b/tests/auth-test.c
+@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void)
+         soup_test_session_abort_unref (session);
+ }
+ 
+static void
+on_request_read_for_missing_realm (SoupServer        *server,
+                                   SoupServerMessage *msg,
+                                   gpointer           user_data)
+{
+        SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+        soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+}
+
+static void
+do_missing_realm_test (void)
+{
+        SoupSession *session;
+        SoupMessage *msg;
+        SoupServer *server;
+        SoupAuthDomain *digest_auth_domain;
+        gint status;
+        GUri *uri;
+
+        server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+       soup_server_add_handler (server, NULL,
+                                server_callback, NULL, NULL);
+       uri = soup_test_server_get_uri (server, "http", NULL);
+
+       digest_auth_domain = soup_auth_domain_digest_new (
+               "realm", "auth-test",
+               "auth-callback", server_digest_auth_callback,
+               NULL);
+        soup_auth_domain_add_path (digest_auth_domain, "/");
+       soup_server_add_auth_domain (server, digest_auth_domain);
+        g_object_unref (digest_auth_domain);
+
+        g_signal_connect (server, "request-read",
+                          G_CALLBACK (on_request_read_for_missing_realm),
+                          NULL);
+
+        session = soup_test_session_new (NULL);
+        msg = soup_message_new_from_uri ("GET", uri);
+        g_signal_connect (msg, "authenticate",
+                          G_CALLBACK (on_digest_authenticate),
+                          NULL);
+
+        status = soup_test_session_send_message (session, msg);
+
+        g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+       g_uri_unref (uri);
+       soup_test_server_quit_unref (server);
+}
+
+ int
+ main (int argc, char **argv)
+ {
+@@ -1576,6 +1625,7 @@ main (int argc, char **argv)
+        g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
+        g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
+        g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
+        g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+ 
+        ret = g_test_run ();
+ 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
new file mode 100644
index 0000000000..0d72afa1d6
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
@@ -0,0 +1,148 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Thu, 26 Dec 2024 18:18:35 -0600
+Subject: auth-digest: Handle missing nonce
+(cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a)
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++++++++----------
+ tests/auth-test.c          | 19 +++++++++++--------
+ 2 files changed, 46 insertions(+), 18 deletions(-)
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 263a15a..393adb6 100644
+--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
+@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
+        return g_string_free (out, FALSE);
+ }
+ 
+static gboolean
+validate_params (SoupAuthDigest *auth_digest)
+{
+        SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
+
+        if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
+                if (!priv->nonce)
+                        return FALSE;
+        }
+
+        return TRUE;
+}
+
+ static gboolean
+ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+                         GHashTable *auth_params)
+@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+        if (priv->algorithm == -1)
+                ok = FALSE;
+ 
+-       stale = g_hash_table_lookup (auth_params, "stale");
+-       if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+-               recompute_hex_a1 (priv);
+-       else {
+-               g_free (priv->user);
+-               priv->user = NULL;
+-               g_free (priv->cnonce);
+-               priv->cnonce = NULL;
+-               memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+-               memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+        if (!validate_params (auth_digest))
+                ok = FALSE;
+
+        if (ok) {
+                stale = g_hash_table_lookup (auth_params, "stale");
+                if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+                        recompute_hex_a1 (priv);
+                else {
+                        g_free (priv->user);
+                        priv->user = NULL;
+                        g_free (priv->cnonce);
+                        priv->cnonce = NULL;
+                        memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+                        memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+                }
+         }
+ 
+        return ok;
+@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char              *hex_urp,
+ 
+                /* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+ 
+                g_assert (nonce && cnonce);
+
+                checksum = g_checksum_new (G_CHECKSUM_MD5);
+                g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
+                g_checksum_update (checksum, (guchar *)":", 1);
+@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char        *method,
+        if (qop) {
+                char tmp[9];
+ 
+                g_assert (cnonce);
+
+                g_snprintf (tmp, 9, "%.8x", nc);
+                g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
+                g_checksum_update (checksum, (guchar *)":", 1);
+@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
+        g_return_val_if_fail (uri != NULL, NULL);
+        url = soup_uri_to_string (uri, TRUE);
+ 
+        g_assert (priv->nonce);
+        g_assert (!priv->qop || priv->cnonce);
+
+        soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
+                                           priv->qop, priv->nonce,
+                                           priv->cnonce, priv->nc,
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index dfc6b09..6fb1e4a 100644
+--- a/tests/auth-test.c
+++ b/tests/auth-test.c
+@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void)
+ }
+ 
+ static void
+-on_request_read_for_missing_realm (SoupServer        *server,
+-                                   SoupServerMessage *msg,
+-                                   gpointer           user_data)
+on_request_read_for_missing_params (SoupServer        *server,
+                                      SoupServerMessage *msg,
+                                      gpointer           user_data)
+ {
+        const char *auth_header = user_data;
+         SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+-        soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
+        soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
+ }
+ 
+ static void
+-do_missing_realm_test (void)
+do_missing_params_test (gconstpointer auth_header)
+ {
+         SoupSession *session;
+         SoupMessage *msg;
+@@ -1582,8 +1583,8 @@ do_missing_realm_test (void)
+         g_object_unref (digest_auth_domain);
+ 
+         g_signal_connect (server, "request-read",
+-                          G_CALLBACK (on_request_read_for_missing_realm),
+-                          NULL);
+                          G_CALLBACK (on_request_read_for_missing_params),
+                          (gpointer)auth_header);
+ 
+         session = soup_test_session_new (NULL);
+         msg = soup_message_new_from_uri ("GET", uri);
+@@ -1625,7 +1626,9 @@ main (int argc, char **argv)
+        g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
+        g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
+        g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
+-        g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+        g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+        g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+        g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+ 
+        ret = g_test_run ();
+ 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
new file mode 100644
index 0000000000..ab0f650804
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
@@ -0,0 +1,26 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 13:52:52 -0600
+Subject: auth-digest: Fix leak
+(cherry picked from commit ea16eeacb052e423eb5c3b0b705e5eab34b13832)
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-3.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 393adb6..a1db188 100644
+--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
+@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
+        g_free (priv->nonce);
+        g_free (priv->domain);
+        g_free (priv->cnonce);
+        g_free (priv->opaque);
+ 
+        memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+        memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index fa4dece0e9..b27c56895b 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -23,6 +23,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2025-32906-2.patch \
           file://CVE-2025-32909.patch \
           file://CVE-2025-46420.patch \
+           file://CVE-2025-32910-1.patch \
+           file://CVE-2025-32910-2.patch \
+           file://CVE-2025-32910-3.patch \
          "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-05-21 15:23:21 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-06-02 07:12:34 -0700
commit	cca757c4619f89bbb7e2de73e93f683c630f1b92 (patch)
tree	95af872d25700e0c29edbffc0fea000d5054b4dc
parent	a817e2016f3728bfcab9cad041620cc66d77e34b (diff)
download	poky-cca757c4619f89bbb7e2de73e93f683c630f1b92.tar.gz

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch new file mode 100644 index 0000000000..de4faf5380 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
@@ -0,0 +1,97 @@
		1	From: Patrick Griffis <pgriffis@igalia.com>
		2	Date: Sun, 8 Dec 2024 20:00:35 -0600
		3	Subject: auth-digest: Handle missing realm in authenticate header
		4
		5	(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe)
		6
		7	Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads
		8	Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
		9	CVE: CVE-2025-32910
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	libsoup/soup-auth-digest.c \| 3 +++
		13	tests/auth-test.c \| 50 ++++++++++++++++++++++++++++++++++++++++++++++
		14	2 files changed, 53 insertions(+)
		15
		16	diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
		17	index e8ba990..263a15a 100644
		18	--- a/libsoup/soup-auth-digest.c
		19	+++ b/libsoup/soup-auth-digest.c
		20	@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth auth, SoupMessage msg,
		21	guint qop_options;
		22	gboolean ok = TRUE;
		23
		24	+ if (!soup_auth_get_realm (auth))
		25	+ return FALSE;
		26	+
		27	g_free (priv->domain);
		28	g_free (priv->nonce);
		29	g_free (priv->opaque);
		30	diff --git a/tests/auth-test.c b/tests/auth-test.c
		31	index 8295ec3..dfc6b09 100644
		32	--- a/tests/auth-test.c
		33	+++ b/tests/auth-test.c
		34	@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void)
		35	soup_test_session_abort_unref (session);
		36	}
		37
		38	+static void
		39	+on_request_read_for_missing_realm (SoupServer *server,
		40	+ SoupServerMessage *msg,
		41	+ gpointer user_data)
		42	+{
		43	+ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
		44	+ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
		45	+}
		46	+
		47	+static void
		48	+do_missing_realm_test (void)
		49	+{
		50	+ SoupSession *session;
		51	+ SoupMessage *msg;
		52	+ SoupServer *server;
		53	+ SoupAuthDomain *digest_auth_domain;
		54	+ gint status;
		55	+ GUri *uri;
		56	+
		57	+ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
		58	+ soup_server_add_handler (server, NULL,
		59	+ server_callback, NULL, NULL);
		60	+ uri = soup_test_server_get_uri (server, "http", NULL);
		61	+
		62	+ digest_auth_domain = soup_auth_domain_digest_new (
		63	+ "realm", "auth-test",
		64	+ "auth-callback", server_digest_auth_callback,
		65	+ NULL);
		66	+ soup_auth_domain_add_path (digest_auth_domain, "/");
		67	+ soup_server_add_auth_domain (server, digest_auth_domain);
		68	+ g_object_unref (digest_auth_domain);
		69	+
		70	+ g_signal_connect (server, "request-read",
		71	+ G_CALLBACK (on_request_read_for_missing_realm),
		72	+ NULL);
		73	+
		74	+ session = soup_test_session_new (NULL);
		75	+ msg = soup_message_new_from_uri ("GET", uri);
		76	+ g_signal_connect (msg, "authenticate",
		77	+ G_CALLBACK (on_digest_authenticate),
		78	+ NULL);
		79	+
		80	+ status = soup_test_session_send_message (session, msg);
		81	+
		82	+ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
		83	+ g_uri_unref (uri);
		84	+ soup_test_server_quit_unref (server);
		85	+}
		86	+
		87	int
		88	main (int argc, char **argv)
		89	{
		90	@@ -1576,6 +1625,7 @@ main (int argc, char **argv)
		91	g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
		92	g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
		93	g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
		94	+ g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
		95
		96	ret = g_test_run ();
		97


diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch new file mode 100644 index 0000000000..0d72afa1d6 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
@@ -0,0 +1,148 @@
		1	From: Patrick Griffis <pgriffis@igalia.com>
		2	Date: Thu, 26 Dec 2024 18:18:35 -0600
		3	Subject: auth-digest: Handle missing nonce
		4
		5	(cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a)
		6
		7	Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads
		8	Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a]
		9	CVE: CVE-2025-32910
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	libsoup/soup-auth-digest.c \| 45 +++++++++++++++++++++++++++++++++++----------
		13	tests/auth-test.c \| 19 +++++++++++--------
		14	2 files changed, 46 insertions(+), 18 deletions(-)
		15
		16	diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
		17	index 263a15a..393adb6 100644
		18	--- a/libsoup/soup-auth-digest.c
		19	+++ b/libsoup/soup-auth-digest.c
		20	@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
		21	return g_string_free (out, FALSE);
		22	}
		23
		24	+static gboolean
		25	+validate_params (SoupAuthDigest *auth_digest)
		26	+{
		27	+ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
		28	+
		29	+ if (priv->qop \|\| priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
		30	+ if (!priv->nonce)
		31	+ return FALSE;
		32	+ }
		33	+
		34	+ return TRUE;
		35	+}
		36	+
		37	static gboolean
		38	soup_auth_digest_update (SoupAuth auth, SoupMessage msg,
		39	GHashTable *auth_params)
		40	@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth auth, SoupMessage msg,
		41	if (priv->algorithm == -1)
		42	ok = FALSE;
		43
		44	- stale = g_hash_table_lookup (auth_params, "stale");
		45	- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
		46	- recompute_hex_a1 (priv);
		47	- else {
		48	- g_free (priv->user);
		49	- priv->user = NULL;
		50	- g_free (priv->cnonce);
		51	- priv->cnonce = NULL;
		52	- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
		53	- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
		54	+ if (!validate_params (auth_digest))
		55	+ ok = FALSE;
		56	+
		57	+ if (ok) {
		58	+ stale = g_hash_table_lookup (auth_params, "stale");
		59	+ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
		60	+ recompute_hex_a1 (priv);
		61	+ else {
		62	+ g_free (priv->user);
		63	+ priv->user = NULL;
		64	+ g_free (priv->cnonce);
		65	+ priv->cnonce = NULL;
		66	+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
		67	+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
		68	+ }
		69	}
		70
		71	return ok;
		72	@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,
		73
		74	/* In MD5-sess, A1 is hex_urp:nonce:cnonce */
		75
		76	+ g_assert (nonce && cnonce);
		77	+
		78	checksum = g_checksum_new (G_CHECKSUM_MD5);
		79	g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
		80	g_checksum_update (checksum, (guchar *)":", 1);
		81	@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method,
		82	if (qop) {
		83	char tmp[9];
		84
		85	+ g_assert (cnonce);
		86	+
		87	g_snprintf (tmp, 9, "%.8x", nc);
		88	g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
		89	g_checksum_update (checksum, (guchar *)":", 1);
		90	@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth auth, SoupMessage msg)
		91	g_return_val_if_fail (uri != NULL, NULL);
		92	url = soup_uri_to_string (uri, TRUE);
		93
		94	+ g_assert (priv->nonce);
		95	+ g_assert (!priv->qop \|\| priv->cnonce);
		96	+
		97	soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
		98	priv->qop, priv->nonce,
		99	priv->cnonce, priv->nc,
		100	diff --git a/tests/auth-test.c b/tests/auth-test.c
		101	index dfc6b09..6fb1e4a 100644
		102	--- a/tests/auth-test.c
		103	+++ b/tests/auth-test.c
		104	@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void)
		105	}
		106
		107	static void
		108	-on_request_read_for_missing_realm (SoupServer *server,
		109	- SoupServerMessage *msg,
		110	- gpointer user_data)
		111	+on_request_read_for_missing_params (SoupServer *server,
		112	+ SoupServerMessage *msg,
		113	+ gpointer user_data)
		114	{
		115	+ const char *auth_header = user_data;
		116	SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
		117	- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
		118	+ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
		119	}
		120
		121	static void
		122	-do_missing_realm_test (void)
		123	+do_missing_params_test (gconstpointer auth_header)
		124	{
		125	SoupSession *session;
		126	SoupMessage *msg;
		127	@@ -1582,8 +1583,8 @@ do_missing_realm_test (void)
		128	g_object_unref (digest_auth_domain);
		129
		130	g_signal_connect (server, "request-read",
		131	- G_CALLBACK (on_request_read_for_missing_realm),
		132	- NULL);
		133	+ G_CALLBACK (on_request_read_for_missing_params),
		134	+ (gpointer)auth_header);
		135
		136	session = soup_test_session_new (NULL);
		137	msg = soup_message_new_from_uri ("GET", uri);
		138	@@ -1625,7 +1626,9 @@ main (int argc, char **argv)
		139	g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
		140	g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
		141	g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
		142	- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
		143	+ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
		144	+ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
		145	+ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
		146
		147	ret = g_test_run ();
		148


diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch new file mode 100644 index 0000000000..ab0f650804 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
@@ -0,0 +1,26 @@
		1	From: Patrick Griffis <pgriffis@igalia.com>
		2	Date: Fri, 27 Dec 2024 13:52:52 -0600
		3	Subject: auth-digest: Fix leak
		4
		5	(cherry picked from commit ea16eeacb052e423eb5c3b0b705e5eab34b13832)
		6
		7	Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-3.patch?ref_type=heads
		8	Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
		9	CVE: CVE-2025-32910
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	libsoup/soup-auth-digest.c \| 1 +
		13	1 file changed, 1 insertion(+)
		14
		15	diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
		16	index 393adb6..a1db188 100644
		17	--- a/libsoup/soup-auth-digest.c
		18	+++ b/libsoup/soup-auth-digest.c
		19	@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
		20	g_free (priv->nonce);
		21	g_free (priv->domain);
		22	g_free (priv->cnonce);
		23	+ g_free (priv->opaque);
		24
		25	memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
		26	memset (priv->hex_a1, 0, sizeof (priv->hex_a1));


diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index fa4dece0e9..b27c56895b 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -23,6 +23,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
23	file://CVE-2025-32906-2.patch \	23	file://CVE-2025-32906-2.patch \
24	file://CVE-2025-32909.patch \	24	file://CVE-2025-32909.patch \
25	file://CVE-2025-46420.patch \	25	file://CVE-2025-46420.patch \
		26	file://CVE-2025-32910-1.patch \
		27	file://CVE-2025-32910-2.patch \
		28	file://CVE-2025-32910-3.patch \
26	"	29	"
27	SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"	30	SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
28		31