meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

From eccfca1074fc485a0b60dfb9c8385429a226bf73 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Fri, 16 May 2025 13:19:38 +0800
Subject: [PATCH] auth-digest: Handle missing nonce

CVE: CVE-2025-32910
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417/diffs?commit_id=405a8a34597a44bd58c4759e7d5e23f02c3b556a]

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 libsoup/soup-auth-digest.c | 45 ++++++++++++++++++++++++++++----------
 1 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 0ab3499..10a8591 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
 	return g_string_free (out, FALSE);
 }
 
+static gboolean
+validate_params (SoupAuthDigest *auth_digest)
+{
+	SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
+
+	if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
+		if (!priv->nonce)
+			return FALSE;
+	}
+
+	return TRUE;
+}
+
 static gboolean
 soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
 			 GHashTable *auth_params)
@@ -169,17 +182,22 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
 	if (priv->algorithm == -1)
 		ok = FALSE;
 
-	stale = g_hash_table_lookup (auth_params, "stale");
-	if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
-		recompute_hex_a1 (priv);
-	else {
-		g_free (priv->user);
-		priv->user = NULL;
-		g_free (priv->cnonce);
-		priv->cnonce = NULL;
-		memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
-		memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
-        }
+	if (!validate_params (auth_digest))
+		ok = FALSE;
+
+	if (ok) {
+		stale = g_hash_table_lookup (auth_params, "stale");
+		if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+			recompute_hex_a1 (priv);
+		else {
+			g_free (priv->user);
+			priv->user = NULL;
+			g_free (priv->cnonce);
+			priv->cnonce = NULL;
+			memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+			memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
+		}
+	}
 
 	return ok;
 }
@@ -359,6 +377,8 @@ soup_auth_digest_compute_response (const char        *method,
 	if (qop) {
 		char tmp[9];
 
+		g_assert (cnonce);
+
 		g_snprintf (tmp, 9, "%.8x", nc);
 		g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
 		g_checksum_update (checksum, (guchar *)":", 1);
@@ -422,6 +442,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
 	g_return_val_if_fail (uri != NULL, NULL);
 	url = soup_uri_to_string (uri, TRUE);
 
+	g_assert (priv->nonce);
+	g_assert (!priv->qop || priv->cnonce);
+
 	soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
 					   priv->qop, priv->nonce,
 					   priv->cnonce, priv->nc,
 
-- 
2.34.1