Hello Andreas,
I'd like to ask for your help with backporting the tests for
CVE-2025-46421 to libsoup2.4, given that you had some success with this
for CVE-2025-32910. There are a lot of layers of indirection and I have
not had success determining why the test is failing.
There is an assertion failure deep within the machinery:
not ok /auth/strip-on-crossorigin-redirect - libsoup-FATAL-CRITICAL:
soup_message_get_uri: assertion 'SOUP_IS_MESSAGE (msg)' failed
Could you take a look, please?
The branch is debian/latest on salsa:gnome-team/libsoup.git.
If you edit d/patches/series to uncomment the final two patches you
should be able to reproduce the failure.
I note that Ubuntu decided to go ahead and upload the fix without the
tests. One other possibility is that we use (only) the reporter's
exploit PoC to test this instead, but that's less good for LTS & ELTS
because it's completely manual.
If you don't have time to look at this soon then I'll see about getting
the PoC to compile. Let me know. Thanks!
[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/439#poc
--
Sean Whitton
Attachment:
signature.asc
Description: PGP signature