Hello Sean,

On Mon, May 19, 2025 at 11:14:31AM +0100, Sean Whitton wrote:
> Hello Andreas,
>
> I'd like to ask for your help with backporting the tests for
> CVE-2025-46421 to libsoup2.4, given that you had some success with this
> for CVE-2025-32910. There are a lot of layers of indirection and I have
> not had success determining why the test is failing.
> There is an assertion failure deep within the machinery:
>
> not ok /auth/strip-on-crossorigin-redirect - libsoup-FATAL-CRITICAL:
> soup_message_get_uri: assertion 'SOUP_IS_MESSAGE (msg)' failed
>
> Could you take a look, please?
> The branch is debian/latest on salsa:gnome-team/libsoup.git.
> If you edit d/patches/series to uncomment the final two patches you
> should be able to reproduce the failure.
>
> I note that Ubuntu decided to go ahead and upload the fix without the
> tests. One other possibility is that we use (only) the reporter's
> exploit PoC to test this instead, but that's less good for LTS & ELTS
> because it's completely manual.
>
> If you don't have time to look at this soon then I'll see about getting
> the PoC to compile. Let me know. Thanks!
I've been extremely overloaded this month and had almost no time for any (E)LTS or Debian work at all. Please don't hold your breath waiting for me, it might be a while.

In general, since libsoup2.4 has been abandoned for many years, I'm completely fine with doing whatever keeps it afloat in the already shipped releases until we can hopefully completely remove it in forky. Manually testing it might be better than trying to backport the tests.

(Please also feel free to tell people to steal my LTS and ELTS hours this month, if the extra pool is running low. I've started poking at mercurial for ELTS and have one upload in the pending state, but probably won't have time to finish and will probably end up reporting 0 hours this month.)

>
> [1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/439#poc
>
> --
> Sean Whitton

Regards,
Andreas Henriksson