mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-01 13:09:50 +00:00
Code Issues Projects Releases Wiki Activity

libsoup-2.4: fix CVE-2025-4476

Browse Source 
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/440

(From OE-Core rev: 2be01469687f30f33b768164f66916b081cc8c62)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Changqing Li
2025-06-18 10:59:45 +08:00
committed by Steve Sakoman
parent 09407f375d
commit b4284b3eb2
2 changed files with 39 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4476.patch
+38
View File
@@ -0,0 +1,38 @@
From 52a0f9234d384b9dab368835b22e5a5a01542168 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Fri, 16 May 2025 14:16:10 +0800
Subject: [PATCH] auth-digest: fix crash in
soup_auth_digest_get_protection_space()
We need to validate the Domain parameter in the WWW-Authenticate header.
Unfortunately this crash only occurs when listening on default ports 80
and 443, so there's no good way to test for this. The test would require
running as root.
Fixes #440
CVE: CVE-2025-4476
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c?merge_request_iid=457]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
libsoup/soup-auth-digest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index f1621ec..a2dc560 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -229,7 +229,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, SoupURI *source_uri)
uri = soup_uri_new (d);
if (uri && uri->scheme == source_uri->scheme &&
uri->port == source_uri->port &&
- !strcmp (uri->host, source_uri->host))
+ !g_strcmp0 (uri->host, source_uri->host))
dir = g_strdup (uri->path);
else
dir = NULL;
--
2.34.1
meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+1
View File
@@ -41,6 +41,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32907.patch \ file://CVE-2025-32907.patch \
file://CVE-2025-46421.patch \ file://CVE-2025-46421.patch \
file://CVE-2025-4948.patch \ file://CVE-2025-4948.patch \
file://CVE-2025-4476.patch \
" "
SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159" SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"