libsoup: fix CVE-2025-46421

Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439 (From OE-Core rev: 388453296c32759623ed35a8142c6af2df7f30b0) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Changqing Li <changqing.li@windriver.com> 2025-06-18 10:59:39 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-06-25 08:11:57 -0700
commit: f9f25b4fd6bb05a9609c364a783e3674d3d6e072 (patch)
tree: 1ce01b62fed835bc9bba384704fe7f8f50d6f5d5
parent: f9ae7a93d407c2755ecc7b4e9e68eef8ab02020f (diff)
download: poky-f9f25b4fd6bb05a9609c364a783e3674d3d6e072.tar.gz
2 files changed, 140 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-46421.patch
new file mode 100644
index 0000000000..72683d8fce
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-46421.patch
@@ -0,0 +1,139 @@
+From 85c5227eef7370832044eb918e8a99c0bcbab86f Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 5 Feb 2025 16:18:10 -0600
+Subject: [PATCH] session: Strip authentication credentails on cross-origin
+ redirect
+This should match the behavior of Firefox and Safari but not of Chromium.
+CVE: CVE-2025-46421
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-session.c |  6 ++++
+ tests/auth-test.c      | 77 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 83 insertions(+)
+diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
+index 631bec0..9f00b05 100644
+--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
+@@ -1230,6 +1230,12 @@ soup_session_redirect_message (SoupSession *session,
+                                                   SOUP_ENCODING_NONE);
+        }
+ 
+        /* Strip all credentials on cross-origin redirect. */
+        if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+                soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION);
+                soup_message_set_auth (msg, NULL);
+        }
+
+         soup_message_set_request_host_from_uri (msg, new_uri);
+        soup_message_set_uri (msg, new_uri);
+        g_uri_unref (new_uri);
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 484097f..7c3b551 100644
+--- a/tests/auth-test.c
+++ b/tests/auth-test.c
+@@ -1,6 +1,7 @@
+ /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
+ 
+ #include "test-utils.h"
+#include "soup-uri-utils-private.h"
+ 
+ static const char *base_uri;
+ static GMainLoop *loop;
+@@ -1916,6 +1917,81 @@ do_missing_params_test (gconstpointer auth_header)
+        soup_test_server_quit_unref (server);
+ }
+ 
+static void
+redirect_server_callback (SoupServer        *server,
+                          SoupServerMessage *msg,
+                          const char        *path,
+                          GHashTable        *query,
+                          gpointer           user_data)
+{
+    static gboolean redirected = FALSE;
+
+    if (!redirected) {
+        char *redirect_uri = g_uri_to_string (user_data);
+        soup_server_message_set_redirect (msg, SOUP_STATUS_MOVED_PERMANENTLY, redirect_uri);
+        g_free (redirect_uri);
+        redirected = TRUE;
+        return;
+    }
+
+    g_assert_not_reached ();
+}
+
+static gboolean
+auth_for_redirect_callback (SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer user_data)
+{
+    GUri *known_server_uri = user_data;
+
+    if (!soup_uri_host_equal (known_server_uri, soup_message_get_uri (msg)))
+        return FALSE;
+
+    soup_auth_authenticate (auth, "user", "good-basic");
+
+    return TRUE;
+}
+
+static void
+do_strip_on_crossorigin_redirect (void)
+{
+    SoupSession *session;
+    SoupMessage *msg;
+    SoupServer *server1, *server2;
+    SoupAuthDomain *auth_domain;
+    GUri *uri;
+    gint status;
+
+    server1 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+    server2 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+
+    /* Both servers have the same credentials. */
+    auth_domain = soup_auth_domain_basic_new ("realm", "auth-test", "auth-callback", server_basic_auth_callback, NULL);
+    soup_auth_domain_add_path (auth_domain, "/");
+    soup_server_add_auth_domain (server1, auth_domain);
+    soup_server_add_auth_domain (server2, auth_domain);
+    g_object_unref (auth_domain);
+
+    /* Server 1 asks for auth, then redirects to Server 2. */
+    soup_server_add_handler (server1, NULL,
+                    redirect_server_callback,
+                   soup_test_server_get_uri (server2, "http", NULL), (GDestroyNotify)g_uri_unref);
+    /* Server 2 requires auth. */
+    soup_server_add_handler (server2, NULL, server_callback, NULL, NULL);
+
+    session = soup_test_session_new (NULL);
+    uri = soup_test_server_get_uri (server1, "http", NULL);
+    msg = soup_message_new_from_uri ("GET", uri);
+    /* The client only sends credentials for the host it knows. */
+    g_signal_connect (msg, "authenticate", G_CALLBACK (auth_for_redirect_callback), uri);
+
+    status = soup_test_session_send_message (session, msg);
+
+    g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+
+    g_uri_unref (uri);
+    soup_test_server_quit_unref (server1);
+    soup_test_server_quit_unref (server2);
+}
+
+ int
+ main (int argc, char **argv)
+ {
+@@ -1949,6 +2025,7 @@ main (int argc, char **argv)
+        g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
+         g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
+         g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
+        g_test_add_func ("/auth/strip-on-crossorigin-redirect", do_strip_on_crossorigin_redirect);
+         g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+         g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+         g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+-- 
+2.34.1
diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
index be29ff0e5d..49aa28964c 100644
--- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
@@ -42,6 +42,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2025-32907-2.patch \
           file://CVE-2025-32051-1.patch \
           file://CVE-2025-32051-2.patch \
+           file://CVE-2025-46421.patch \
          "
 SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"
author	Changqing Li <changqing.li@windriver.com>	2025-06-18 10:59:39 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-06-25 08:11:57 -0700
commit	f9f25b4fd6bb05a9609c364a783e3674d3d6e072 (patch)
tree	1ce01b62fed835bc9bba384704fe7f8f50d6f5d5
parent	f9ae7a93d407c2755ecc7b4e9e68eef8ab02020f (diff)
download	poky-f9f25b4fd6bb05a9609c364a783e3674d3d6e072.tar.gz

diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-46421.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-46421.patch new file mode 100644 index 0000000000..72683d8fce --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-46421.patch
@@ -0,0 +1,139 @@
		1	From 85c5227eef7370832044eb918e8a99c0bcbab86f Mon Sep 17 00:00:00 2001
		2	From: Patrick Griffis <pgriffis@igalia.com>
		3	Date: Wed, 5 Feb 2025 16:18:10 -0600
		4	Subject: [PATCH] session: Strip authentication credentails on cross-origin
		5	redirect
		6
		7	This should match the behavior of Firefox and Safari but not of Chromium.
		8
		9	CVE: CVE-2025-46421
		10	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436/diffs?commit_id=3e5c26415811f19e7737238bb23305ffaf96f66b]
		11
		12	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		13	---
		14	libsoup/soup-session.c \| 6 ++++
		15	tests/auth-test.c \| 77 ++++++++++++++++++++++++++++++++++++++++++
		16	2 files changed, 83 insertions(+)
		17
		18	diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
		19	index 631bec0..9f00b05 100644
		20	--- a/libsoup/soup-session.c
		21	+++ b/libsoup/soup-session.c
		22	@@ -1230,6 +1230,12 @@ soup_session_redirect_message (SoupSession *session,
		23	SOUP_ENCODING_NONE);
		24	}
		25
		26	+ /* Strip all credentials on cross-origin redirect. */
		27	+ if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
		28	+ soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION);
		29	+ soup_message_set_auth (msg, NULL);
		30	+ }
		31	+
		32	soup_message_set_request_host_from_uri (msg, new_uri);
		33	soup_message_set_uri (msg, new_uri);
		34	g_uri_unref (new_uri);
		35	diff --git a/tests/auth-test.c b/tests/auth-test.c
		36	index 484097f..7c3b551 100644
		37	--- a/tests/auth-test.c
		38	+++ b/tests/auth-test.c
		39	@@ -1,6 +1,7 @@
		40	/* -- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -- */
		41
		42	#include "test-utils.h"
		43	+#include "soup-uri-utils-private.h"
		44
		45	static const char *base_uri;
		46	static GMainLoop *loop;
		47	@@ -1916,6 +1917,81 @@ do_missing_params_test (gconstpointer auth_header)
		48	soup_test_server_quit_unref (server);
		49	}
		50
		51	+static void
		52	+redirect_server_callback (SoupServer *server,
		53	+ SoupServerMessage *msg,
		54	+ const char *path,
		55	+ GHashTable *query,
		56	+ gpointer user_data)
		57	+{
		58	+ static gboolean redirected = FALSE;
		59	+
		60	+ if (!redirected) {
		61	+ char *redirect_uri = g_uri_to_string (user_data);
		62	+ soup_server_message_set_redirect (msg, SOUP_STATUS_MOVED_PERMANENTLY, redirect_uri);
		63	+ g_free (redirect_uri);
		64	+ redirected = TRUE;
		65	+ return;
		66	+ }
		67	+
		68	+ g_assert_not_reached ();
		69	+}
		70	+
		71	+static gboolean
		72	+auth_for_redirect_callback (SoupMessage msg, SoupAuth auth, gboolean retrying, gpointer user_data)
		73	+{
		74	+ GUri *known_server_uri = user_data;
		75	+
		76	+ if (!soup_uri_host_equal (known_server_uri, soup_message_get_uri (msg)))
		77	+ return FALSE;
		78	+
		79	+ soup_auth_authenticate (auth, "user", "good-basic");
		80	+
		81	+ return TRUE;
		82	+}
		83	+
		84	+static void
		85	+do_strip_on_crossorigin_redirect (void)
		86	+{
		87	+ SoupSession *session;
		88	+ SoupMessage *msg;
		89	+ SoupServer server1, server2;
		90	+ SoupAuthDomain *auth_domain;
		91	+ GUri *uri;
		92	+ gint status;
		93	+
		94	+ server1 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
		95	+ server2 = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
		96	+
		97	+ /* Both servers have the same credentials. */
		98	+ auth_domain = soup_auth_domain_basic_new ("realm", "auth-test", "auth-callback", server_basic_auth_callback, NULL);
		99	+ soup_auth_domain_add_path (auth_domain, "/");
		100	+ soup_server_add_auth_domain (server1, auth_domain);
		101	+ soup_server_add_auth_domain (server2, auth_domain);
		102	+ g_object_unref (auth_domain);
		103	+
		104	+ /* Server 1 asks for auth, then redirects to Server 2. */
		105	+ soup_server_add_handler (server1, NULL,
		106	+ redirect_server_callback,
		107	+ soup_test_server_get_uri (server2, "http", NULL), (GDestroyNotify)g_uri_unref);
		108	+ /* Server 2 requires auth. */
		109	+ soup_server_add_handler (server2, NULL, server_callback, NULL, NULL);
		110	+
		111	+ session = soup_test_session_new (NULL);
		112	+ uri = soup_test_server_get_uri (server1, "http", NULL);
		113	+ msg = soup_message_new_from_uri ("GET", uri);
		114	+ /* The client only sends credentials for the host it knows. */
		115	+ g_signal_connect (msg, "authenticate", G_CALLBACK (auth_for_redirect_callback), uri);
		116	+
		117	+ status = soup_test_session_send_message (session, msg);
		118	+
		119	+ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
		120	+
		121	+ g_uri_unref (uri);
		122	+ soup_test_server_quit_unref (server1);
		123	+ soup_test_server_quit_unref (server2);
		124	+}
		125	+
		126	int
		127	main (int argc, char **argv)
		128	{
		129	@@ -1949,6 +2025,7 @@ main (int argc, char **argv)
		130	g_test_add_func ("/auth/auth-uri", do_auth_uri_test);
		131	g_test_add_func ("/auth/cancel-request-on-authenticate", do_cancel_request_on_authenticate);
		132	g_test_add_func ("/auth/multiple-algorithms", do_multiple_digest_algorithms);
		133	+ g_test_add_func ("/auth/strip-on-crossorigin-redirect", do_strip_on_crossorigin_redirect);
		134	g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
		135	g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
		136	g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
		137	--
		138	2.34.1
		139


diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb index be29ff0e5d..49aa28964c 100644 --- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb +++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb
@@ -42,6 +42,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
42	file://CVE-2025-32907-2.patch \	42	file://CVE-2025-32907-2.patch \
43	file://CVE-2025-32051-1.patch \	43	file://CVE-2025-32051-1.patch \
44	file://CVE-2025-32051-2.patch \	44	file://CVE-2025-32051-2.patch \
		45	file://CVE-2025-46421.patch \
45	"	46	"
46	SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"	47	SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8"
47		48