Backport patch for CVE-2026-5119

Resolves: RHEL-167787
2026-05-04 14:51:51 -05:00 · 2026-05-04 14:51:51 -05:00 · 6420b618dc
commit 6420b618dc
parent ff968502ec
2 changed files with 144 additions and 1 deletions
--- a/CVE-2026-5119.patch
+++ b/CVE-2026-5119.patch
@ -0,0 +1,138 @@
+From 51acb71b10741cc37630e1c1d7fbc00d4d739d47 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <cgarcia@igalia.com>
+Date: Fri, 27 Feb 2026 12:03:25 +0100
+Subject: [PATCH] cookies: do not send cookies to a HTTP proxy for a HTTPS
+ request
+
+Closes #502
+---
+ libsoup/soup-cookie-jar.c | 26 +++++++++++++++------
+ tests/proxy-test.c        | 48 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 67 insertions(+), 7 deletions(-)
+
+diff --git a/libsoup/soup-cookie-jar.c b/libsoup/soup-cookie-jar.c
+index c8231f0e..b68af64a 100644
+--- a/libsoup/soup-cookie-jar.c
+++ b/libsoup/soup-cookie-jar.c
+@@ -11,6 +11,7 @@
+ 
+ #include <string.h>
+ 
+#include "soup-connection.h"
+ #include "soup-cookie-jar.h"
+ #include "soup-message-private.h"
+ #include "soup-misc-private.h"
+@@ -818,18 +819,28 @@ process_set_cookie_header (SoupMessage *msg, gpointer user_data)
+ 	g_slist_free (new_cookies);
+ }
+ 
+static gboolean
+allow_cookies_for_request (SoupMessage *msg)
+{
+        /* Do not send cookies to a HTTP proxy for a HTTPS request */
+        return msg->method != SOUP_METHOD_CONNECT || !soup_connection_is_tunnelled (soup_message_get_connection (msg));
+}
+
+ static void
+ msg_starting_cb (SoupMessage *msg, gpointer feature)
+ {
+ 	SoupCookieJar *jar = SOUP_COOKIE_JAR (feature);
+-	GSList *cookies;
+	GSList *cookies = NULL;
+
+        if (allow_cookies_for_request (msg)) {
+		cookies = soup_cookie_jar_get_cookie_list_with_same_site_info (jar, soup_message_get_uri (msg),
+			                                                       soup_message_get_first_party (msg),
+									       soup_message_get_site_for_cookies (msg),
+									       TRUE,
+									       SOUP_METHOD_IS_SAFE (msg->method),
+									       soup_message_get_is_top_level_navigation (msg));
+        }
+ 
+-	cookies = soup_cookie_jar_get_cookie_list_with_same_site_info (jar, soup_message_get_uri (msg),
+-	                                                               soup_message_get_first_party (msg),
+-							               soup_message_get_site_for_cookies (msg),
+-								       TRUE,
+-							               SOUP_METHOD_IS_SAFE (msg->method),
+-							               soup_message_get_is_top_level_navigation (msg));
+ 	if (cookies != NULL) {
+ 		char *cookie_header = soup_cookies_to_cookie_header (cookies);
+ 		soup_message_headers_replace (msg->request_headers, "Cookie", cookie_header);
+@@ -1048,3 +1059,4 @@ soup_cookie_jar_is_persistent (SoupCookieJar *jar)
+ 
+ 	return SOUP_COOKIE_JAR_GET_CLASS (jar)->is_persistent (jar);
+ }
+
+diff --git a/tests/proxy-test.c b/tests/proxy-test.c
+index 1d68aa05..df4d6cc7 100644
+--- a/tests/proxy-test.c
+++ b/tests/proxy-test.c
+@@ -400,6 +400,52 @@ do_proxy_auth_cache_test (void)
+ 	g_object_unref (cache);
+ }
+ 
+static void
+connect_message_wrote_headers_cb (SoupMessage *msg, guint *counter)
+{
+        SoupMessageHeaders *hdrs;
+
+        *counter += 1;
+
+        hdrs = soup_message_get_request_headers (msg);
+        if (soup_message_get_method (msg) == SOUP_METHOD_CONNECT)
+                g_assert_null (soup_message_headers_get_one (hdrs, "Cookie"));
+        else
+                g_assert_nonnull (soup_message_headers_get_one (hdrs, "Cookie"));
+}
+
+static void
+request_queued_cb (SoupSession *session, SoupMessage *msg, guint *counter)
+{
+        g_signal_connect (msg, "wrote-headers", G_CALLBACK (connect_message_wrote_headers_cb), counter);
+}
+
+static void
+do_proxy_secure_cookies_test (void)
+{
+        SoupSession *session;
+        SoupMessage *msg;
+        SoupCookieJar *jar;
+        guint counter = 0;
+
+        SOUP_TEST_SKIP_IF_NO_APACHE;
+        SOUP_TEST_SKIP_IF_NO_TLS;
+
+        session = soup_test_session_new ("proxy-resolver", proxy_resolvers[SIMPLE_PROXY], NULL);
+        g_signal_connect (session, "request-queued", G_CALLBACK (request_queued_cb), &counter);
+
+        soup_session_add_feature_by_type (session, SOUP_TYPE_COOKIE_JAR);
+        jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
+
+        msg = soup_message_new (SOUP_METHOD_GET, HTTPS_SERVER);
+        soup_cookie_jar_set_cookie (jar, soup_message_get_uri (msg), "user=password; secure");
+        soup_test_session_send_message (session, msg);
+        soup_test_assert_message_status (msg, SOUP_STATUS_OK);
+        g_assert_cmpuint (counter, ==, 2);
+
+        soup_test_session_abort_unref (session);
+}
+
+ int
+ main (int argc, char **argv)
+ {
+@@ -434,6 +480,7 @@ main (int argc, char **argv)
+ 	g_test_add_data_func ("/proxy/fragment", base_uri, do_proxy_fragment_test);
+ 	g_test_add_func ("/proxy/redirect", do_proxy_redirect_test);
+ 	g_test_add_func ("/proxy/auth-cache", do_proxy_auth_cache_test);
+        g_test_add_func ("/proxy/secure-cookies", do_proxy_secure_cookies_test);
+ 
+ 	ret = g_test_run ();
+ 
+@@ -445,3 +492,4 @@ main (int argc, char **argv)
+ 	test_cleanup ();
+ 	return ret;
+ }
+
+-- 
+2.54.0
+
--- a/libsoup.spec
+++ b/libsoup.spec
@ -5,7 +5,7 @@

 Name: libsoup
 Version: 2.72.0
-Release: 16%{?dist}
+Release: 17%{?dist}
 Summary: Soup, an HTTP library implementation

 License: LGPLv2
@ -61,6 +61,8 @@ Patch: CVE-2025-14523.patch
 Patch: CVE-2026-0719.patch
 # https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/496
 Patch: CVE-2026-1761.patch
+# https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/516
+Patch: CVE-2026-5119.patch

 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
@ -165,6 +167,9 @@ This package contains developer documentation for %{name}.
 %endif

 %changelog
+* Mon May 04 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 2.72.0-17
+- Backport patch for CVE-2026-5119
+
 * Mon Feb 02 2026 Michael Catanzaro <mcatanzaro@redhat.com> - 2.72.0-16
 - Backport patch for CVE-2026-1761