2 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch b/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch
new file mode 100644
index 0000000000..2c23f57ccf
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch
@@ -0,0 +1,76 @@
+From: Andreas Henriksson <andreas@fatal.se>
+Date: Sat, 26 Apr 2025 20:09:29 +0200
+Subject: Backport auth tests for CVE-2025-32910
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/Backport-auth-tests-for-CVE-2025-32910.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/9af7d0fc751f7afcd8b03bc827a4d3af0c4556f8]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/auth-test.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 548ac94..f582033 100644
+--- a/tests/auth-test.c
+++ b/tests/auth-test.c
+@@ -1549,14 +1549,26 @@ do_cancel_after_retry_test (void)
+         soup_test_session_abort_unref (session);
+ }
+ 
+//from upstream commit 9af7d0fc751f7afcd8b03bc827a4d3af0c4556f8
+static gboolean
+on_digest_authenticate (SoupMessage *msg,
+                        SoupAuth    *auth,
+                        gboolean     retrying,
+                        gpointer     user_data)
+{
+        g_assert_false (retrying);
+        soup_auth_authenticate (auth, "user", "good");
+        return TRUE;
+}
+
+ static void
+ on_request_read_for_missing_params (SoupServer        *server,
+-                                      SoupServerMessage *msg,
+                                      SoupMessage *msg,
+                                      SoupClientContext *client,
+                                       gpointer           user_data)
+ {
+         const char *auth_header = user_data;
+-        SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+-        soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
+        soup_message_headers_replace (msg->response_headers, "WWW-Authenticate", auth_header);
+ }
+ 
+ static void
+@@ -1567,7 +1579,7 @@ do_missing_params_test (gconstpointer auth_header)
+         SoupServer *server;
+         SoupAuthDomain *digest_auth_domain;
+         gint status;
+-        GUri *uri;
+        SoupURI *uri;
+ 
+         server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
+        soup_server_add_handler (server, NULL,
+@@ -1586,16 +1598,16 @@ do_missing_params_test (gconstpointer auth_header)
+                           G_CALLBACK (on_request_read_for_missing_params),
+                           (gpointer)auth_header);
+ 
+-        session = soup_test_session_new (NULL);
+        session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL);
+         msg = soup_message_new_from_uri ("GET", uri);
+-        g_signal_connect (msg, "authenticate",
+        g_signal_connect (session, "authenticate",
+                           G_CALLBACK (on_digest_authenticate),
+                           NULL);
+ 
+-        status = soup_test_session_send_message (session, msg);
+        status = soup_session_send_message (session, msg);
+ 
+         g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
+-       g_uri_unref (uri);
+       soup_uri_free (uri);
+        soup_test_server_quit_unref (server);
+ }
+ 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index 46b9e10ac5..bb15e8b926 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -26,6 +26,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
           file://CVE-2025-32910-1.patch \
           file://CVE-2025-32910-2.patch \
           file://CVE-2025-32910-3.patch \
+           file://Backport-auth-tests-for-CVE-2025-32910.patch \
           file://CVE-2025-32911_CVE-2025-32913-1.patch \
           file://CVE-2025-32911_CVE-2025-32913-2.patch \
           file://CVE-2025-32912-1.patch \

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch b/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch new file mode 100644 index 0000000000..2c23f57ccf --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch
@@ -0,0 +1,76 @@
		1	From: Andreas Henriksson <andreas@fatal.se>
		2	Date: Sat, 26 Apr 2025 20:09:29 +0200
		3	Subject: Backport auth tests for CVE-2025-32910
		4
		5	Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/Backport-auth-tests-for-CVE-2025-32910.patch?ref_type=heads
		6	Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/9af7d0fc751f7afcd8b03bc827a4d3af0c4556f8]
		7	CVE: CVE-2025-32910
		8	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		9	---
		10	tests/auth-test.c \| 28 ++++++++++++++++++++--------
		11	1 file changed, 20 insertions(+), 8 deletions(-)
		12
		13	diff --git a/tests/auth-test.c b/tests/auth-test.c
		14	index 548ac94..f582033 100644
		15	--- a/tests/auth-test.c
		16	+++ b/tests/auth-test.c
		17	@@ -1549,14 +1549,26 @@ do_cancel_after_retry_test (void)
		18	soup_test_session_abort_unref (session);
		19	}
		20
		21	+//from upstream commit 9af7d0fc751f7afcd8b03bc827a4d3af0c4556f8
		22	+static gboolean
		23	+on_digest_authenticate (SoupMessage *msg,
		24	+ SoupAuth *auth,
		25	+ gboolean retrying,
		26	+ gpointer user_data)
		27	+{
		28	+ g_assert_false (retrying);
		29	+ soup_auth_authenticate (auth, "user", "good");
		30	+ return TRUE;
		31	+}
		32	+
		33	static void
		34	on_request_read_for_missing_params (SoupServer *server,
		35	- SoupServerMessage *msg,
		36	+ SoupMessage *msg,
		37	+ SoupClientContext *client,
		38	gpointer user_data)
		39	{
		40	const char *auth_header = user_data;
		41	- SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
		42	- soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
		43	+ soup_message_headers_replace (msg->response_headers, "WWW-Authenticate", auth_header);
		44	}
		45
		46	static void
		47	@@ -1567,7 +1579,7 @@ do_missing_params_test (gconstpointer auth_header)
		48	SoupServer *server;
		49	SoupAuthDomain *digest_auth_domain;
		50	gint status;
		51	- GUri *uri;
		52	+ SoupURI *uri;
		53
		54	server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
		55	soup_server_add_handler (server, NULL,
		56	@@ -1586,16 +1598,16 @@ do_missing_params_test (gconstpointer auth_header)
		57	G_CALLBACK (on_request_read_for_missing_params),
		58	(gpointer)auth_header);
		59
		60	- session = soup_test_session_new (NULL);
		61	+ session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL);
		62	msg = soup_message_new_from_uri ("GET", uri);
		63	- g_signal_connect (msg, "authenticate",
		64	+ g_signal_connect (session, "authenticate",
		65	G_CALLBACK (on_digest_authenticate),
		66	NULL);
		67
		68	- status = soup_test_session_send_message (session, msg);
		69	+ status = soup_session_send_message (session, msg);
		70
		71	g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
		72	- g_uri_unref (uri);
		73	+ soup_uri_free (uri);
		74	soup_test_server_quit_unref (server);
		75	}
		76


diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb index 46b9e10ac5..bb15e8b926 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -26,6 +26,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
26	file://CVE-2025-32910-1.patch \	26	file://CVE-2025-32910-1.patch \
27	file://CVE-2025-32910-2.patch \	27	file://CVE-2025-32910-2.patch \
28	file://CVE-2025-32910-3.patch \	28	file://CVE-2025-32910-3.patch \
		29	file://Backport-auth-tests-for-CVE-2025-32910.patch \
29	file://CVE-2025-32911_CVE-2025-32913-1.patch \	30	file://CVE-2025-32911_CVE-2025-32913-1.patch \
30	file://CVE-2025-32911_CVE-2025-32913-2.patch \	31	file://CVE-2025-32911_CVE-2025-32913-2.patch \
31	file://CVE-2025-32912-1.patch \	32	file://CVE-2025-32912-1.patch \