* [PATCH v3 1/4] glib-networking: backport fix for CVE-2026-2574
@ 2026-04-16 10:30 Ross Burton
From: Ross Burton @ 2026-04-16 10:30 UTC (permalink / raw)
  To: openembedded-core

CVE-2026-2574:

  Affected versions of this package are vulnerable to Out-of-bounds Read
  via improper handling of certificate authority data in the OpenSSL
  backend. An attacker can cause application crashes and potentially
  disclose limited heap memory by enticing a client to connect to a
  malicious TLS server that advertises a specially crafted client-CA
  list.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 ...of-bounds-read-in-accepted-cas-prope.patch | 48 +++++++++++++++++++
 .../glib-networking/glib-networking_2.80.1.bb |  1 +
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch

diff --git a/meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch b/meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch
new file mode 100644
index 00000000000..d3673656ad5
--- /dev/null
+++ b/meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch
@@ -0,0 +1,48 @@
+From be2173eb9b769255df9474a9128e642b60894f10 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Thu, 12 Mar 2026 12:47:00 -0500
+Subject: [PATCH] openssl: fix out of bounds read in accepted-cas property
+ getter
+
+The d2i and i2d functions are quite dangerous because they advance the
+provided pointer, so we have to pass a temporary pointer if we're later
+going to do anything with the original pointer.
+
+I've audited the codebase and found this is our only such mistake.
+
+Fixes #228 (CVE-2026-2574)
+
+Part-of: <https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/269>
+
+
+(cherry picked from commit c3c84b269165f2a312d47fa15c5cbc7f8ead7631)
+
+Co-authored-by: Michael Catanzaro <mcatanzaro@gnome.org>
+
+CVE: CVE-2026-2574
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ tls/openssl/gtlsclientconnection-openssl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
+index e98fb0b..e2ff0d4 100644
+--- a/tls/openssl/gtlsclientconnection-openssl.c
++++ b/tls/openssl/gtlsclientconnection-openssl.c
+@@ -141,9 +141,11 @@ g_tls_client_connection_openssl_get_property (GObject    *object,
+               if (size > 0)
+                 {
+                   unsigned char *ca;
++                  unsigned char *tmp;
+ 
+                   ca = g_malloc (size);
+-                  size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &ca);
++                  tmp = ca;
++                  size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &tmp);
+                   if (size > 0)
+                     accepted_cas = g_list_prepend (accepted_cas, g_byte_array_new_take (
+                                                    ca, size));
+-- 
+2.43.0
+
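Review bot: On the new side `ca` is allocated with `g_malloc (size)` but is only handed to `g_byte_array_new_take` when the second `if (size > 0)` passes; when `i2d_X509_NAME` returns 0 or a negative value the buffer is not released in the visible lines, so unless a `g_free` follows after the hunk this path leaks one allocation per CA name that fails to encode, which a malicious client-CA list can trigger repeatedly. The `tmp` copy is the right fix for the pointer advance and should stay as is. A small follow-up worth sending upstream is `else g_free (ca);` after the `g_list_prepend` branch, plus a comment on the new declaration such as `/* i2d_* advances the pointer it is given; keep ca at the buffer start */`. The enclosing `g_tls_client_connection_openssl_get_property` body starts and ends outside the hunk.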
diff --git a/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb b/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb
index 44e3b0c0b3d..3d47e354e28 100644
--- a/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb
+++ b/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb
@@ -32,6 +32,7 @@ inherit gnomebase gettext upstream-version-is-even gio-module-cache ptest-gnome
 SRC_URI += "file://0001-openssl-properly-check-return-value-when-writing-to-.patch \
             file://0002-openssl-check-return-value-of-g_tls_bio_alloc.patch \
             file://0003-openssl-check-return-values-of-BIO_new.patch \
+            file://0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch \
             file://run-ptest"
 
 FILES:${PN} += "\
-- 
2.43.0




* [PATCH v3 2/4] libsoup: actually apply patches for CVE-2025-32049 and CVE-2026-1539
@ 2026-04-16 10:30 ` Ross Burton
From: Ross Burton @ 2026-04-16 10:30 UTC (permalink / raw)
  To: openembedded-core

The patches were added to SRC_URI before inheriting gnomebase, which
does SRC_URI = "...". This means the patches were never actually part of
SRC_URI, so never applied.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-support/libsoup/libsoup_3.6.6.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/libsoup/libsoup_3.6.6.bb b/meta/recipes-support/libsoup/libsoup_3.6.6.bb
index 981e74d8160..b51368adb64 100644
--- a/meta/recipes-support/libsoup/libsoup_3.6.6.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.6.6.bb
@@ -9,6 +9,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
 
 DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl nghttp2"
 
+inherit gettext gnomebase upstream-version-is-even gobject-introspection gi-docgen vala
+
 SRC_URI[archive.sha256sum] = "51ed0ae06f9d5a40f401ff459e2e5f652f9a510b7730e1359ee66d14d4872740"
 
 SRC_URI += "file://CVE-2025-32049-1.patch \
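Review bot: Moving `inherit gnomebase ...` above the `SRC_URI +=` is the correct ordering since the class assigns SRC_URI, but it also means this is the first build in which the CVE-2025-32049 and CVE-2026-1539 patches are actually applied, so they should be confirmed to apply cleanly to 3.6.6 and to not already be part of that release (if upstream carries them, `CVE_STATUS` entries rather than patches would be the right form). The `SRC_URI +=` list continues past the end of the hunk. A one-line comment above the new inherit, `# gnomebase assigns SRC_URI, so inherit it before any SRC_URI +=`, would stop the ordering regression from being reintroduced.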
@@ -20,8 +22,6 @@ SRC_URI += "file://CVE-2025-32049-1.patch \
 
 PROVIDES = "libsoup-3.0"
 
-inherit gettext gnomebase upstream-version-is-even gobject-introspection gi-docgen vala
-
 GIR_MESON_ENABLE_FLAG = 'enabled'
 GIR_MESON_DISABLE_FLAG = 'disabled'
 
-- 
2.43.0




* [PATCH v3 3/4] libsoup: mark CVEs which have been resolved upstream
@ 2026-04-16 10:30 ` Ross Burton
From: Ross Burton @ 2026-04-16 10:30 UTC (permalink / raw)
  To: openembedded-core

These issues have all been fixed in the 3.6.6 release that we have, but
the CPEs are unversioned. I've contacted NIST to update the database but
until that happens we can mark them as fixed.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-support/libsoup/libsoup_3.6.6.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-support/libsoup/libsoup_3.6.6.bb b/meta/recipes-support/libsoup/libsoup_3.6.6.bb
index b51368adb64..9bc3f2f86fb 100644
--- a/meta/recipes-support/libsoup/libsoup_3.6.6.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.6.6.bb
@@ -58,3 +58,8 @@ DEBIAN_NOAUTONAME:${PN} = "1"
 RRECOMMENDS:${PN} = "glib-networking"
 
 BBCLASSEXTEND = "native nativesdk"
+
+CVE_STATUS[CVE-2026-1467] = "fixed-version: fixed in 3.6.6"
+CVE_STATUS[CVE-2026-1536] = "fixed-version: fixed in 3.6.6"
+CVE_STATUS[CVE-2026-1801] = "fixed-version: fixed in 3.6.6"
+CVE_STATUS[CVE-2026-2443] = "fixed-version: fixed in 3.6.6"
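Review bot: The reason text `fixed in 3.6.6` only restates the recipe version and gives a later maintainer nothing to check the claim against; a CVE_STATUS reason is most useful when it names the upstream fix, e.g. `CVE_STATUS[CVE-2026-1467] = "fixed-version: fixed in 3.6.6, upstream commit <UPSTREAM-COMMIT-PLACEHOLDER>"` for each of the four entries. That also makes it clear when the entries can be dropped once the CPE data is corrected, which the commit message says has been requested.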
-- 
2.43.0




* [PATCH v3 4/4] python3-requests: backport fix for CVE-2026-25645
@ 2026-04-16 10:31 ` Ross Burton
From: Ross Burton @ 2026-04-16 10:31 UTC (permalink / raw)
  To: openembedded-core

When unpacking zip files, requests uses predictable paths. Backport a fix
that uses randomly generated pathnames to mitigate injection attacks.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 .../python3-requests/CVE-2026-25645.patch     | 46 +++++++++++++++++++
 .../python/python3-requests_2.32.5.bb         |  7 ++-
 2 files changed, 49 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch

diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch b/meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch
new file mode 100644
index 00000000000..3bebba65726
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch
@@ -0,0 +1,46 @@
+From 66d21cb07bd6255b1280291c4fafb71803cdb3b7 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Wed, 25 Mar 2026 08:57:56 -0600
+Subject: [PATCH] Merge commit from fork
+
+Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function
+uses a predictable filename when extracting files from zip archives into the system
+temporary directory. If the target file already exists, it is reused without validation.
+A local attacker with write access to the temp directory could pre-create a malicious
+file that would be loaded in place of the legitimate one. Standard usage of the Requests
+library is not affected by this vulnerability. Only applications that call
+`extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library
+extracts files to a non-deterministic location. If developers are unable to upgrade,
+they can set `TMPDIR` in their environment to a directory with restricted write access.
+
+CVE: CVE-2026-25645
+Upstream-Status: Backport [https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ src/requests/utils.py | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/requests/utils.py b/src/requests/utils.py
+index d8803e6e91..54959bb8ab 100644
+--- a/src/requests/utils.py
++++ b/src/requests/utils.py
+@@ -282,12 +282,13 @@ def extract_zipped_paths(path):
+         return path
+ 
+     # we have a valid zip archive and a valid member of that archive
+-    tmp = tempfile.gettempdir()
+-    extracted_path = os.path.join(tmp, member.split("/")[-1])
+-    if not os.path.exists(extracted_path):
+-        # use read + write to avoid the creating nested folders, we only want the file, avoids mkdir racing condition
+-        with atomic_open(extracted_path) as file_handler:
+-            file_handler.write(zip_file.read(member))
++    suffix = os.path.splitext(member.split("/")[-1])[-1]
++    fd, extracted_path = tempfile.mkstemp(suffix=suffix)
++    try:
++        os.write(fd, zip_file.read(member))
++    finally:
++        os.close(fd)
++
+     return extracted_path
+ 
+ 
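Review bot: `os.write(fd, zip_file.read(member))` on the new side does not check its return value; `os.write` may write fewer bytes than it was given, which for a regular file is rare but permitted, and a short write would leave a truncated file at `extracted_path` that the caller then loads as if complete. Wrapping the descriptor in a file object makes the write complete or raise: `with os.fdopen(fd, "wb") as fh:` / `    fh.write(zip_file.read(member))`, replacing the `try`/`finally` pair. Because `mkstemp` now runs on every call, each invocation also creates a fresh file in the temp directory that nothing removes; that matches the upstream commit's intent, but the change from the previous reuse-if-exists behaviour is worth a sentence in the patch header for anyone triaging disk usage later. The `extract_zipped_paths` function starts outside the hunk.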
diff --git a/meta/recipes-devtools/python/python3-requests_2.32.5.bb b/meta/recipes-devtools/python/python3-requests_2.32.5.bb
index 43b63e32b1f..0eb9765b633 100644
--- a/meta/recipes-devtools/python/python3-requests_2.32.5.bb
+++ b/meta/recipes-devtools/python/python3-requests_2.32.5.bb
@@ -3,13 +3,12 @@ HOMEPAGE = "https://requests.readthedocs.io"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658"
 
-SRC_URI:append:class-nativesdk = " \
-           file://environment.d-python3-requests.sh \
-"
+inherit pypi python_setuptools_build_meta
 
 SRC_URI[sha256sum] = "dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf"
 
-inherit pypi python_setuptools_build_meta
+SRC_URI += "file://CVE-2026-25645.patch"
+SRC_URI:append:class-nativesdk = " file://environment.d-python3-requests.sh"
 
 do_install:append:class-nativesdk() {
 	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
-- 
2.43.0



