sources/poky/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch

From: Patrick Griffis <pgriffis@igalia.com>
Date: Sun, 8 Dec 2024 20:00:35 -0600
Subject: auth-digest: Handle missing realm in authenticate header

(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe)

Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
CVE: CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>

Remove test code for fixing do_compile failure of libsoup-2.4, test codes include
new type added in 3.x version
../libsoup-2.74.3/tests/auth-test.c:1554:39: error: unknown type name 'SoupServerMessage'; did you mean 'SoupServerClass'?
 1554 |                                       SoupServerMessage *msg,
      |                                       ^~~~~~~~~~~~~~~~~

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 libsoup/soup-auth-digest.c |  3 +++
 1 files changed, 3 insertions(+)

diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index e8ba990..263a15a 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
 	guint qop_options;
 	gboolean ok = TRUE;
 
+        if (!soup_auth_get_realm (auth))
+                return FALSE;
+
 	g_free (priv->domain);
 	g_free (priv->nonce);
 	g_free (priv->opaque);
Complete Yocto mirror with license table for TQMa6UL (2038-compliance) - 264 license table entries with exact download URLs (224/264 resolved) - Complete sources/ directory with all BitBake recipes - Build configuration: tqma6ul-multi-mba6ulx, spaetzle (musl) - Full traceability for Softwarefreigabeantrag - GCC 13.4.0, Linux 6.6.102, U-Boot 2023.04, musl 1.2.4 - License distribution: GPL-2.0 (24), MIT (23), GPL-2.0+ (18), BSD-3 (16) 2026-03-01 20:58:18 +00:00			`From: Patrick Griffis <pgriffis@igalia.com>`
			`Date: Sun, 8 Dec 2024 20:00:35 -0600`
			`Subject: auth-digest: Handle missing realm in authenticate header`

			`(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe)`

			`Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads`
			`Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]`
			`CVE: CVE-2025-32910`
			`Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>`

			`Remove test code for fixing do_compile failure of libsoup-2.4, test codes include`
			`new type added in 3.x version`
			`../libsoup-2.74.3/tests/auth-test.c:1554:39: error: unknown type name 'SoupServerMessage'; did you mean 'SoupServerClass'?`
			`1554 \| SoupServerMessage *msg,`
			`\| ^~~~~~~~~~~~~~~~~`

			`Signed-off-by: Changqing Li <changqing.li@windriver.com>`
			`---`
			`libsoup/soup-auth-digest.c \| 3 +++`
			`1 files changed, 3 insertions(+)`

			`diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c`
			`index e8ba990..263a15a 100644`
			`--- a/libsoup/soup-auth-digest.c`
			`+++ b/libsoup/soup-auth-digest.c`
			`@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth auth, SoupMessage msg,`
			`guint qop_options;`
			`gboolean ok = TRUE;`

			`+ if (!soup_auth_get_realm (auth))`
			`+ return FALSE;`
			`+`
			`g_free (priv->domain);`
			`g_free (priv->nonce);`
			`g_free (priv->opaque);`