From 491d8086df6c0d64befdfa6a132c1d683087fd2b Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Mon, 4 May 2026 15:32:09 -0500
Subject: [PATCH] Backport patch for CVE-2026-5119
Resolves: RHEL-167777
---
 CVE-2026-5119.patch | 133 ++++++++++++++++++++++++++++++++++++++++++++
 libsoup.spec | 7 ++-
 2 files changed, 139 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2026-5119.patch
diff --git a/CVE-2026-5119.patch b/CVE-2026-5119.patch
new file mode 100644
index 0000000..c591530
--- /dev/null
+++ b/CVE-2026-5119.patch
@@ -0,0 +1,133 @@
+From 5212755ea5d43b7dea77f808215c6aec86dd940e Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos
+Date: Fri, 27 Feb 2026 12:03:25 +0100
+Subject: [PATCH] cookies: do not send cookies to a HTTP proxy for a HTTPS
+ request
+
+Closes #502
+---
+ libsoup/soup-cookie-jar.c | 15 +++++++++--
+ tests/proxy-test.c | 52 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+), 2 deletions(-)
+
+diff --git a/libsoup/soup-cookie-jar.c b/libsoup/soup-cookie-jar.c
+index b2b78909..30fea161 100644
+--- a/libsoup/soup-cookie-jar.c
++++ b/libsoup/soup-cookie-jar.c
+@@ -11,6 +11,7 @@
+
+ #include
+
++#include "soup-connection.h"
+ #include "soup-cookie-jar.h"
+ #include "soup-misc-private.h"
+ #include "soup.h"
+@@ -686,6 +687,13 @@ process_set_cookie_header (SoupMessage *msg, gpointer user_data)
+ g_slist_free (new_cookies);
+ }
+
++static gboolean
++allow_cookies_for_request (SoupMessage *msg)
++{
++ /* Do not send cookies to a HTTP proxy for a HTTPS request */
++ return msg->method != SOUP_METHOD_CONNECT || !soup_connection_is_tunnelled (soup_message_get_connection (msg));
++}
++
+ static void
+ msg_starting_cb (SoupMessage *msg, gpointer feature)
+ {
+@@ -694,8 +702,10 @@ msg_starting_cb (SoupMessage *msg, gpointer feature)
+
+ cookies = soup_cookie_jar_get_cookies (jar, soup_message_get_uri (msg), TRUE);
+ if (cookies) {
+- soup_message_headers_replace (msg->request_headers,
+- "Cookie", cookies);
++ if (allow_cookies_for_request (msg)) {
++ soup_message_headers_replace (msg->request_headers,
++ "Cookie", cookies);
++ }
+ g_free (cookies);
+ } else
+ soup_message_headers_remove (msg->request_headers, "Cookie");
+@@ -892,3 +902,4 @@ soup_cookie_jar_is_persistent (SoupCookieJar *jar)
+
+ return SOUP_COOKIE_JAR_GET_CLASS (jar)->is_persistent (jar);
+ }
++
+diff --git a/tests/proxy-test.c b/tests/proxy-test.c
+index 1d68aa05..6b93847e 100644
+--- a/tests/proxy-test.c
++++ b/tests/proxy-test.c
+@@ -400,6 +400,56 @@ do_proxy_auth_cache_test (void)
+ g_object_unref (cache);
+ }
+
++static void
++connect_message_wrote_headers_cb (SoupMessage *msg, guint *counter)
++{
++ SoupMessageHeaders *hdrs;
++
++ *counter += 1;
++
++ hdrs = msg->request_headers;
++ if (msg->method == SOUP_METHOD_CONNECT)
++ g_assert_null (soup_message_headers_get_one (hdrs, "Cookie"));
++ else
++ g_assert_nonnull (soup_message_headers_get_one (hdrs, "Cookie"));
++}
++
++static void
++request_queued_cb (SoupSession *session, SoupMessage *msg, guint *counter)
++{
++ g_signal_connect (msg, "wrote-headers", G_CALLBACK (connect_message_wrote_headers_cb), counter);
++}
++
++static void
++do_proxy_secure_cookies_test (void)
++{
++ SoupSession *session;
++ SoupMessage *msg;
++ SoupCookieJar *jar;
++ GInputStream *stream;
++ guint counter = 0;
++
++ SOUP_TEST_SKIP_IF_NO_APACHE;
++ SOUP_TEST_SKIP_IF_NO_TLS;
++
++ session = soup_test_session_new (SOUP_TYPE_SESSION_SYNC, "proxy-resolver", proxy_resolvers[SIMPLE_PROXY], NULL);
++ g_signal_connect (session, "request-queued", G_CALLBACK (request_queued_cb), &counter);
++
++ soup_session_add_feature_by_type (session, SOUP_TYPE_COOKIE_JAR);
++ jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
++
++ msg = soup_message_new (SOUP_METHOD_GET, HTTPS_SERVER);
++ soup_cookie_jar_set_cookie (jar, soup_message_get_uri (msg), "user=password; secure");
++ stream = soup_session_send (session, msg, NULL, NULL);
++ soup_test_assert_message_status (msg, SOUP_STATUS_OK);
++ g_assert_cmpuint (counter, ==, 2);
++
++ if (stream)
++ g_object_unref (stream);
++
++ soup_test_session_abort_unref (session);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -434,6 +484,7 @@ main (int argc, char **argv)
+ g_test_add_data_func ("/proxy/fragment", base_uri, do_proxy_fragment_test);
+ g_test_add_func ("/proxy/redirect", do_proxy_redirect_test);
+ g_test_add_func ("/proxy/auth-cache", do_proxy_auth_cache_test);
++ g_test_add_func ("/proxy/secure-cookies", do_proxy_secure_cookies_test);
+
+ ret = g_test_run ();
+
+@@ -445,3 +496,4 @@ main (int argc, char **argv)
+ test_cleanup ();
+ return ret;
+ }
++
+--
+2.54.0
+
diff --git a/libsoup.spec b/libsoup.spec
index 2bfed73..fec61b9 100644
--- a/libsoup.spec
+++ b/libsoup.spec
@@ -2,7 +2,7 @@
 Name: libsoup
 Version: 2.62.3
-Release: 13%{?dist}
+Release: 14%{?dist}
 Summary: Soup, an HTTP library implementation
 License: LGPLv2
@@ -53,6 +53,8 @@ Patch0025: no-ntlm-in-fips-mode.patch
 Patch0026: CVE-2026-0719.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/496
 Patch0027: CVE-2026-1761.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/516
+Patch0028: CVE-2026-5119.patch
 BuildRequires: chrpath
 BuildRequires: glib2-devel >= %{glib2_version}
@@ -127,6 +129,9 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so
 %{_datadir}/vala/vapi/libsoup-2.4.vapi
 %changelog
+* Mon May 04 2026 Michael Catanzaro - 2.62.3-14
+- Backport patch for CVE-2026-5119
+
 * Mon Feb 02 2026 Michael Catanzaro - 2.62.3-13
 - Backport patch for CVE-2026-1761
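Review bot: In the `msg_starting_cb` hunk of the backported `soup-cookie-jar.c` change, the branch where the jar has cookies but `allow_cookies_for_request (msg)` is false neither sets nor removes `Cookie`, so a `Cookie` header already present on the message would still be written to the proxy; only the jar-empty `else` path strips it. Removing it explicitly closes that gap: `if (allow_cookies_for_request (msg)) soup_message_headers_replace (msg->request_headers, "Cookie", cookies); else soup_message_headers_remove (msg->request_headers, "Cookie");`. The helper also passes `soup_message_get_connection (msg)` straight into `soup_connection_is_tunnelled ()` and negates the result, so if that call returns FALSE for a NULL or not-yet-flagged connection the guard fails open and the cookies are attached to the CONNECT; whether that state is reachable when this callback runs is not visible here and is worth confirming, or handling by withholding cookies when the connection is NULL. The new `do_proxy_secure_cookies_test` sets only a jar cookie, so it would not catch a pre-existing header on the CONNECT message. `msg_starting_cb` starts and ends outside the hunk.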