* [OE-core][scarthgap][PATCH] libsoup: Fix CVE-2026-5119
@ 2026-04-06 15:32 Ashish Sharma
0 siblings, 0 replies; only message in thread
From: Ashish Sharma @ 2026-04-06 15:32 UTC (permalink / raw)
To: openembedded-core; +Cc: ashissh7, Ashish Sharma
The msg_starting_cb() function in libsoup/soup-cookie-jar.c added
cookies to all outgoing messages unconditionally, including HTTP
CONNECT requests used for proxy tunnel establishment. Since CONNECT
messages are sent in cleartext to the proxy, this exposed session
cookies (including Secure-flagged cookies) to the proxy, enabling
potential session hijacking.
Fix by adding an early return in msg_starting_cb() when the request
method is SOUP_METHOD_CONNECT, preventing cookies from being sent
to an HTTP proxy during HTTPS tunnel setup.
Backport of commit 781b08c1b9093626dda077450c46d07d7220984e from
libsoup 3.x.
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/781b08c1b9093626dda077450c46d07d7220984e]
CVE: CVE-2026-5119
Signed-off-by: Ashish Sharma <pahaditechie@gmail.com>
---
.../libsoup/libsoup-2.4/CVE-2026-5119.patch | 37 +++++++++++++++++++
.../libsoup/libsoup-2.4_2.74.3.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch
new file mode 100644
index 0000000000..311380bfff
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch
@@ -0,0 +1,37 @@
+From 781b08c1b9093626dda077450c46d07d7220984e Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <carlosgc@gnome.org>
+Date: Thu, 27 Feb 2026 11:05:00 +0000
+Subject: [PATCH] cookies: do not send cookies to a HTTP proxy for a HTTPS request
+
+When tunneling HTTPS through an HTTP proxy, libsoup's cookie jar
+attaches cookies to the initial HTTP CONNECT request sent to the proxy.
+This leaks session cookies (including Secure-flagged cookies) in
+cleartext to the proxy, enabling session hijacking.
+
+The fix skips cookie injection for CONNECT-method messages, which are
+only used for proxy tunnel establishment to HTTPS destinations.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/781b08c1b9093626dda077450c46d07d7220984e]
+CVE: CVE-2026-5119
+Signed-off-by: Ashish Sharma <pahaditechie@gmail.com>
+---
+ libsoup/soup-cookie-jar.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libsoup/soup-cookie-jar.c b/libsoup/soup-cookie-jar.c
+--- a/libsoup/soup-cookie-jar.c
++++ b/libsoup/soup-cookie-jar.c
+@@ -824,6 +824,10 @@
+ SoupCookieJar *jar = SOUP_COOKIE_JAR (feature);
+ GSList *cookies;
+
++ /* Do not send cookies to a HTTP proxy for a HTTPS request */
++ if (msg->method == SOUP_METHOD_CONNECT)
++ return;
++
+ cookies = soup_cookie_jar_get_cookie_list_with_same_site_info (jar, soup_message_get_uri (msg),
+ soup_message_get_first_party (msg),
+ soup_message_get_site_for_cookies (msg),
+ TRUE,
+--
+2.25.1
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index 7e00cd678a..364e8ec391 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -41,6 +41,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-4476.patch \
file://CVE-2025-2784.patch \
file://CVE-2025-4945.patch \
+ file://CVE-2026-5119.patch \
"
SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
--
2.35.6
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-04-06 15:32 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-06 15:32 [OE-core][scarthgap][PATCH] libsoup: Fix CVE-2026-5119 Ashish Sharma
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox