2 files changed, 41 insertions, 1 deletions
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-4476.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-4476.patch
new file mode 100644
index 0000000000..d0b1f12709
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-4476.patch
@@ -0,0 +1,39 @@
+From 71d33e37139fee6216ad2bf4e926f987076a6cff Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 8 May 2025 09:27:01 -0500
+Subject: [PATCH] auth-digest: fix crash in
+ soup_auth_digest_get_protection_space()
+We need to validate the Domain parameter in the WWW-Authenticate header.
+Unfortunately this crash only occurs when listening on default ports 80
+and 443, so there's no good way to test for this. The test would require
+running as root.
+Fixes #440
+CVE: CVE-2025-4476
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/457/diffs?commit_id=e64c221f9c7d09b48b610c5626b3b8c400f0907c]
+Signed-off-by: Changqing Li <changqing.li@windriver.c
+---
+ libsoup/auth/soup-auth-digest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
+index d8bb291..292f204 100644
+--- a/libsoup/auth/soup-auth-digest.c
+++ b/libsoup/auth/soup-auth-digest.c
+@@ -220,7 +220,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, GUri *source_uri)
+                        if (uri &&
+                             g_strcmp0 (g_uri_get_scheme (uri), g_uri_get_scheme (source_uri)) == 0 &&
+                            g_uri_get_port (uri) == g_uri_get_port (source_uri) &&
+-                           !strcmp (g_uri_get_host (uri), g_uri_get_host (source_uri)))
+                           !g_strcmp0 (g_uri_get_host (uri), g_uri_get_host (source_uri)))
+                                dir = g_strdup (g_uri_get_path (uri));
+                        else
+                                dir = NULL;
+-- 
+2.34.1
diff --git a/meta/recipes-support/libsoup/libsoup_3.6.5.bb b/meta/recipes-support/libsoup/libsoup_3.6.5.bb
index 2faf50c223..2bed009e0a 100644
--- a/meta/recipes-support/libsoup/libsoup_3.6.5.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.6.5.bb
@@ -12,7 +12,8 @@ DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl nghttp2"
 SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
-           file://CVE-2025-32914.patch"
+           file://CVE-2025-32914.patch \
+           file://CVE-2025-4476.patch"
 SRC_URI[sha256sum] = "6891765aac3e949017945c3eaebd8cc8216df772456dc9f460976fbdb7ada234"
 PROVIDES = "libsoup-3.0"

diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-4476.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-4476.patch new file mode 100644 index 0000000000..d0b1f12709 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-4476.patch
@@ -0,0 +1,39 @@
		1	From 71d33e37139fee6216ad2bf4e926f987076a6cff Mon Sep 17 00:00:00 2001
		2	From: Michael Catanzaro <mcatanzaro@redhat.com>
		3	Date: Thu, 8 May 2025 09:27:01 -0500
		4	Subject: [PATCH] auth-digest: fix crash in
		5	soup_auth_digest_get_protection_space()
		6
		7	We need to validate the Domain parameter in the WWW-Authenticate header.
		8
		9	Unfortunately this crash only occurs when listening on default ports 80
		10	and 443, so there's no good way to test for this. The test would require
		11	running as root.
		12
		13	Fixes #440
		14
		15	CVE: CVE-2025-4476
		16	Upstream-Status: Backport
		17	[https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/457/diffs?commit_id=e64c221f9c7d09b48b610c5626b3b8c400f0907c]
		18
		19	Signed-off-by: Changqing Li <changqing.li@windriver.c
		20	---
		21	libsoup/auth/soup-auth-digest.c \| 2 +-
		22	1 file changed, 1 insertion(+), 1 deletion(-)
		23
		24	diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
		25	index d8bb291..292f204 100644
		26	--- a/libsoup/auth/soup-auth-digest.c
		27	+++ b/libsoup/auth/soup-auth-digest.c
		28	@@ -220,7 +220,7 @@ soup_auth_digest_get_protection_space (SoupAuth auth, GUri source_uri)
		29	if (uri &&
		30	g_strcmp0 (g_uri_get_scheme (uri), g_uri_get_scheme (source_uri)) == 0 &&
		31	g_uri_get_port (uri) == g_uri_get_port (source_uri) &&
		32	- !strcmp (g_uri_get_host (uri), g_uri_get_host (source_uri)))
		33	+ !g_strcmp0 (g_uri_get_host (uri), g_uri_get_host (source_uri)))
		34	dir = g_strdup (g_uri_get_path (uri));
		35	else
		36	dir = NULL;
		37	--
		38	2.34.1
		39


diff --git a/meta/recipes-support/libsoup/libsoup_3.6.5.bb b/meta/recipes-support/libsoup/libsoup_3.6.5.bb index 2faf50c223..2bed009e0a 100644 --- a/meta/recipes-support/libsoup/libsoup_3.6.5.bb +++ b/meta/recipes-support/libsoup/libsoup_3.6.5.bb
@@ -12,7 +12,8 @@ DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl nghttp2"
12	SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"	12	SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
13		13
14	SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \	14	SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
15	file://CVE-2025-32914.patch"	15	file://CVE-2025-32914.patch \
		16	file://CVE-2025-4476.patch"
16	SRC_URI[sha256sum] = "6891765aac3e949017945c3eaebd8cc8216df772456dc9f460976fbdb7ada234"	17	SRC_URI[sha256sum] = "6891765aac3e949017945c3eaebd8cc8216df772456dc9f460976fbdb7ada234"
17		18
18	PROVIDES = "libsoup-3.0"	19	PROVIDES = "libsoup-3.0"