Control: retitle -1 libsoup3: CVE-2025-4035: public suffix protection bypass via non-canonicalized domains
On Tue, 29 Apr 2025 at 21:56:42 +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for libsoup.
>
> CVE-2025-4035[0]:
> | A flaw was found in libsoup. When handling cookies, libsoup clients
> | mistakenly allow cookies to be set for public suffix domains if the
> | domain contains at least two components and includes an uppercase
> | character. This bypasses public suffix protections and could allow a
> | malicious website to set cookies for domains it does not own,
> | potentially leading to integrity issues such as session fixation.
A fix is being developed on https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/448 but it doesn't seem to be quite there yet. I'm sure upstream would appreciate help if someone can provide it, but I don't have relevant expertise.
smcv
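The advisory quoted above describes the bug in one sentence; the following is an added, self-contained illustration of the general failure mode it names, written for this page and not taken from libsoup or from the merge request linked above. It does not model libsoup's internals: the mini "public suffix list", the lookup functions and the rule that a single-label domain is refused outright are all assumptions of the toy, chosen so that, as in the advisory, a bypass needs a suffix of at least two components plus an uppercase character.

```c
/* Added example, not libsoup code: why comparing a Set-Cookie Domain value
 * against the public suffix list without canonicalising its case lets a
 * public suffix through, and the canonicalised check that closes it. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Public Suffix List (PSL). Real PSL entries are
 * stored lowercase and include wildcard/exception rules; this toy has none. */
static const char *const TOY_PSL[] = { "com", "co.uk", "github.io", NULL };

/* Exact, case-sensitive lookup: the domain is compared as the server sent it. */
static bool is_public_suffix_raw(const char *domain)
{
    for (size_t i = 0; TOY_PSL[i] != NULL; i++) {
        if (strcmp(domain, TOY_PSL[i]) == 0)
            return true;
    }
    return false;
}

/* Canonicalise a domain for PSL lookup: ASCII-lowercase it. Returns false if
 * it does not fit in out (the caller treats that as "refuse"). */
static bool canonicalize_domain(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in);
    if (n + 1 > outlen)
        return false;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[n] = '\0';
    return true;
}

/* Lookup after canonicalisation: "Co.uk", "CO.UK" and "co.uk" all hit. */
static bool is_public_suffix_canonical(const char *domain)
{
    char buf[256];
    if (!canonicalize_domain(domain, buf, sizeof buf))
        return true; /* fail closed: treat as public, so the cookie is refused */
    return is_public_suffix_raw(buf);
}

/* Decide whether a Set-Cookie "Domain=" value may be honoured. Returns true
 * when the toy jar would store the cookie for that domain. */
static bool cookie_domain_allowed(const char *domain, bool canonicalize)
{
    const char *d = (domain[0] == '.') ? domain + 1 : domain; /* "Domain=.co.uk" */

    /* Assumed rule of the toy jar: a single-label domain (a bare TLD such as
     * "com") is refused without consulting the list. That is why a bypass of
     * the list itself needs a suffix of at least two components. */
    if (strchr(d, '.') == NULL)
        return false;

    bool is_public = canonicalize ? is_public_suffix_canonical(d)
                                  : is_public_suffix_raw(d);
    return !is_public;
}

int main(void)
{
    /* Constructed probes: a public suffix as-is, the same with one uppercase
     * letter, a registrable domain, a mixed-case public suffix, a bare TLD. */
    const char *probes[] = { "co.uk", "Co.uk", "example.co.uk", "GitHub.io", "COM" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("Domain=%-14s raw: %-7s canonical: %s\n", probes[i],
               cookie_domain_allowed(probes[i], false) ? "accept" : "refuse",
               cookie_domain_allowed(probes[i], true) ? "accept" : "refuse");
    }
    return 0;
}
```

With the raw comparison, "Domain=Co.uk" is accepted while "Domain=co.uk" is refused, which is the shape of the bypass in the advisory; the canonicalising check refuses both, and still accepts "example.co.uk" because that is a registrable domain, not a suffix. A real jar would canonicalise once, early, and use the same canonical form for every later comparison (domain-match, path, host-only), rather than lowercasing in one check and not another.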