We have some news to share for the request index beta feature. We’ve added more options to sort your requests, counters to the individual filters and documentation for the search functionality. Checkout the blog post for more details.

Overview

File libsoup-CVE-2025-32912.patch of Package libsoup.42105

From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 14:03:05 -0600
Subject: auth-digest: Handle missing nonce

(cherry picked from commit cd077513f267e43ce4b659eb18a1734d8a369992)
---
 libsoup/soup-auth-digest.c | 2 +-
 tests/auth-test.c          | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index 10615c7..d7d4845 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
 	guint qop_options;
 	gboolean ok = TRUE;
 
-        if (!soup_auth_get_realm (auth))
+        if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
                 return FALSE;
 
 	g_free (priv->domain);
diff --git a/tests/auth-test.c b/tests/auth-test.c
index 88478ee..f582033 100644
--- a/tests/auth-test.c
+++ b/tests/auth-test.c
@@ -1641,6 +1641,7 @@ main (int argc, char **argv)
         g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
         g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
         g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+        g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test);
 
 	ret = g_test_run ();
 
From: Patrick Griffis <pgriffis@igalia.com>
Date: Sat, 8 Feb 2025 12:30:13 -0600
Subject: digest-auth: Handle NULL nonce

`contains` only handles a missing nonce, `lookup` handles both missing and empty.

(cherry picked from commit 910ebdcd3dd82386717a201c13c834f3a63eed7f)
---
 libsoup/soup-auth-digest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
index d7d4845..fbd216a 100644
--- a/libsoup/soup-auth-digest.c
+++ b/libsoup/soup-auth-digest.c
@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
 	guint qop_options;
 	gboolean ok = TRUE;
 
-        if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
+        if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))
                 return FALSE;
 
 	g_free (priv->domain);
openSUSE Build Service is sponsored by
Places