Hello Andreas,

I'd like to ask for your help with backporting the tests for CVE-2025-46421 to libsoup2.4, given that you had some success with this for CVE-2025-32910.

There are a lot of layers of indirection and I have not had success determining why the test is failing. There is an assertion failure deep within the machinery:

    not ok /auth/strip-on-crossorigin-redirect - libsoup-FATAL-CRITICAL: soup_message_get_uri: assertion 'SOUP_IS_MESSAGE (msg)' failed

Could you take a look, please? The branch is debian/latest on salsa:gnome-team/libsoup.git. If you edit d/patches/series to uncomment the final two patches you should be able to reproduce the failure.

I note that Ubuntu decided to go ahead and upload the fix without the tests.

One other possibility is that we use (only) the reporter's exploit PoC to test this instead, but that's less good for LTS & ELTS because it's completely manual. If you don't have time to look at this soon then I'll see about getting the PoC to compile. Let me know.

Thanks!

[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/439#poc

-- 
Sean Whitton