From: "Yoann Congal" <yoann.congal@smile.fr>
To: <pahaditechie@gmail.com>, <openembedded-core@lists.openembedded.org>
Cc: <ashissh7@cisco.com>
Subject: Re: [OE-core][scarthgap][PATCH] libsoup: Fix CVE-2026-5119
Date: Thu, 23 Apr 2026 18:31:38 +0200
Message-ID: <DI0OF6SCE4JM.18FLPYAGD4YIQ@smile.fr>
In-Reply-To: <20260406153247.660851-1-pahaditechie@gmail.com>
On Mon Apr 6, 2026 at 5:32 PM CEST, Ashish Sharma via lists.openembedded.org wrote:
> The msg_starting_cb() function in libsoup/soup-cookie-jar.c added
> cookies to all outgoing messages unconditionally, including HTTP
> CONNECT requests used for proxy tunnel establishment. Since CONNECT
> messages are sent in cleartext to the proxy, this exposed session
> cookies (including Secure-flagged cookies) to the proxy, enabling
> potential session hijacking.
>
> Fix by adding an early return in msg_starting_cb() when the request
> method is SOUP_METHOD_CONNECT, preventing cookies from being sent
> to an HTTP proxy during HTTPS tunnel setup.
>
> Backport of commit 781b08c1b9093626dda077450c46d07d7220984e from
> libsoup 3.x.

Hello,

Please add a justification in the commit message as to why you think
this is the proper patch to handle this CVE (In this case, it looks like
upstream says so and we can use that).

> Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/781b08c1b9093626dda077450c46d07d7220984e]
> CVE: CVE-2026-5119

^ These 2 lines are not used here. While the CVE: line doesn't bother me,
the Upstream-Status: one should only be applied to the added patch so
please remove it from here.

> Signed-off-by: Ashish Sharma <pahaditechie@gmail.com>
> ---
> .../libsoup/libsoup-2.4/CVE-2026-5119.patch | 37 +++++++++++++++++++
> .../libsoup/libsoup-2.4_2.74.3.bb | 1 +
> 2 files changed, 38 insertions(+)
> create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch
>
> diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch
> new file mode 100644
> index 0000000000..311380bfff
> --- /dev/null
> +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch
> @@ -0,0 +1,37 @@
> +From 781b08c1b9093626dda077450c46d07d7220984e Mon Sep 17 00:00:00 2001
> +From: Carlos Garcia Campos <carlosgc@gnome.org>
> +Date: Thu, 27 Feb 2026 11:05:00 +0000
> +Subject: [PATCH] cookies: do not send cookies to a HTTP proxy for a HTTPS request
> +
> +When tunneling HTTPS through an HTTP proxy, libsoup's cookie jar
> +attaches cookies to the initial HTTP CONNECT request sent to the proxy.
> +This leaks session cookies (including Secure-flagged cookies) in
> +cleartext to the proxy, enabling session hijacking.
> +
> +The fix skips cookie injection for CONNECT-method messages, which are
> +only used for proxy tunnel establishment to HTTPS destinations.
> +
> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/781b08c1b9093626dda077450c46d07d7220984e]

That commit was not merged in a branch? Maybe it was rebased during
merge. In this case, please use the merged commit URL.

Thanks!

> +CVE: CVE-2026-5119
> +Signed-off-by: Ashish Sharma <pahaditechie@gmail.com>
> +---
> + libsoup/soup-cookie-jar.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/libsoup/soup-cookie-jar.c b/libsoup/soup-cookie-jar.c
> +--- a/libsoup/soup-cookie-jar.c
> ++++ b/libsoup/soup-cookie-jar.c
> +@@ -824,6 +824,10 @@
> + SoupCookieJar *jar = SOUP_COOKIE_JAR (feature);
> + GSList *cookies;
> +
> ++ /* Do not send cookies to a HTTP proxy for a HTTPS request */
> ++ if (msg->method == SOUP_METHOD_CONNECT)
> ++ return;
> ++
> + cookies = soup_cookie_jar_get_cookie_list_with_same_site_info (jar, soup_message_get_uri (msg),
> + soup_message_get_first_party (msg),
> + soup_message_get_site_for_cookies (msg),
> + TRUE,
> +--
> +2.25.1
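
Review bot: The embedded hunk header `@@ -824,6 +824,10 @@` in the libsoup/soup-cookie-jar.c diff does not match the hunk body, which carries seven context lines (three before the added block, four after it) and four added lines, so the counts would need to be `-824,7 +824,11` for the hunk to be consistent. The inner diff also has no `index` line between `diff --git` and `---`, and the `Date:` header reads "Thu, 27 Feb 2026" although 27 Feb 2026 falls on a Friday, which together suggest the file was assembled by hand rather than exported from the upstream commit. Please regenerate it with git format-patch from the merged upstream commit, refresh it against the 2.74.3 sources, and confirm that it applies cleanly in do_patch before resending.
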
> diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
> index 7e00cd678a..364e8ec391 100644
> --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
> +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
> @@ -41,6 +41,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
> file://CVE-2025-4476.patch \
> file://CVE-2025-2784.patch \
> file://CVE-2025-4945.patch \
> + file://CVE-2026-5119.patch \
> "
> SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
>
--
Yoann Congal
Smile ECS