Bjørn Lie
d2d47dac33
soup_auth_digest_get_protection_space (boo#1243422 CVE-2025-4476 glgo#GNOME/libsoup!457). - Add libsoup-CVE-2025-4948.patch: verify boundary limits for multipart body (boo#1243332 CVE-2025-4948 glgo#GNOME/libsoup#449). OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/libsoup?expand=0&rev=310
34 lines
1.2 KiB
Diff
34 lines
1.2 KiB
Diff
From e64c221f9c7d09b48b610c5626b3b8c400f0907c Mon Sep 17 00:00:00 2001
|
|
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
|
Date: Thu, 8 May 2025 09:27:01 -0500
|
|
Subject: [PATCH] auth-digest: fix crash in
|
|
soup_auth_digest_get_protection_space()
|
|
|
|
We need to validate the Domain parameter in the WWW-Authenticate header.
|
|
|
|
Unfortunately this crash only occurs when listening on default ports 80
|
|
and 443, so there's no good way to test for this. The test would require
|
|
running as root.
|
|
|
|
Fixes #440
|
|
---
|
|
libsoup/auth/soup-auth-digest.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
|
|
index d8bb2910..292f2045 100644
|
|
--- a/libsoup/auth/soup-auth-digest.c
|
|
+++ b/libsoup/auth/soup-auth-digest.c
|
|
@@ -220,7 +220,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, GUri *source_uri)
|
|
if (uri &&
|
|
g_strcmp0 (g_uri_get_scheme (uri), g_uri_get_scheme (source_uri)) == 0 &&
|
|
g_uri_get_port (uri) == g_uri_get_port (source_uri) &&
|
|
- !strcmp (g_uri_get_host (uri), g_uri_get_host (source_uri)))
|
|
+ !g_strcmp0 (g_uri_get_host (uri), g_uri_get_host (source_uri)))
|
|
dir = g_strdup (g_uri_get_path (uri));
|
|
else
|
|
dir = NULL;
|
|
--
|
|
GitLab
|
|
|