Bug 5842

Summary: libsoup possible security issue CVE-2012-2132
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: dmorganec, fundawang, jani.valimaa, olav, stormi-mageia, sysadmin-bugs, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/496771/
Whiteboard: mga1-64-OK mga1-32-OK
Source RPM: libsoup-2.32.2-4.1.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-05-11 01:54:13 CEST
SuSE has issued this advisory today (May 10):
http://lists.opensuse.org/opensuse-updates/2012-05/msg00013.html

From the discussion in the bug:
https://bugzilla.novell.com/show_bug.cgi?id=758431

It sounds like this is a packaging/configuration issue as much as it is a problem with libsoup, so I don't know if we are affected by this or not.

The bug also says the issue is no longer present with libsoup 2.38, so Cauldron is definitely not affected.
David Walser 2012-05-11 01:54:27 CEST

CC: (none) => fundawang

David Walser 2012-05-11 01:54:44 CEST

CC: (none) => olav

David Walser 2012-05-11 01:54:52 CEST

CC: (none) => dmorganec

David Walser 2012-05-11 01:55:38 CEST

CC: (none) => jani.valimaa

Comment 1 David Walser 2012-05-11 03:50:43 CEST
Funda Wang uploaded a patched package.
I'll give CC'd packagers time to comment before assigning to QA.

Advisory:
========================

Updated libsoup packages fix security vulnerability:

libsoup considered all SSL connections as trusted even if no
CA certificates were configured (CVE-2012-2132).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2132
http://lists.opensuse.org/opensuse-updates/2012-05/msg00013.html
========================

Updated packages in core/updates_testing:
========================
libsoup-2.4_1-2.32.2-4.2.mga1
libsoup-2.4-devel-2.32.2-4.2.mga1

from libsoup-2.32.2-4.2.mga1.src.rpm
Comment 2 David Walser 2012-05-28 00:12:28 CEST
Assigning to QA now.  Advisory and SRPM in Comment 1.

Assignee: bugsquad => qa-bugs

Comment 3 claire robinson 2012-06-06 18:27:05 CEST
Testing x86_64

urpmq --whatrequires lib64soup-2.4_1

Shows a long list. Tested under strace with liferea and midori.

grep showed them loading /usr/lib64/libsoup2.4.so.1.

No noticeable regressions.

Testing complete x86_64


As a matter of interest, I notice mga2 has libsoup2.4_1 where mga1 has libsoup-2.4_1. mga2 has no dash. Is this intentional and properly obsoleted?

Whiteboard: (none) => mga1-64-OK

Comment 4 David Walser 2012-06-06 18:36:07 CEST
(In reply to comment #3)
> As a matter of interest, I notice mga2 has libsoup2.4_1 where mga1 has
> libsoup-2.4_1. mga2 has no dash. Is this intentional and properly obsoleted?

Nice catch.  It appears it is:
$ rpm -qp --obsoletes /home/linux/mageia/distrib/2/i586/media/core/release/libsoup2.4_1-2.38.1-1.mga2.i586.rpm
libsoup-2.4_1 < 2.38.1
Comment 5 claire robinson 2012-06-06 18:46:43 CEST
Thanks for checking David.
Comment 6 Samuel Verschelde 2012-06-22 18:35:10 CEST
Testing i586

CC: (none) => stormi

Comment 7 Samuel Verschelde 2012-06-22 18:54:47 CEST
I checked the same way as in comment #3.

It does not make sure that libsoup performs well because those applications might not use the lib for most operations.

Let's validate this one because I'm quite confident it will not regress, but if someone has an idea to better test this lib (i.e. make sure SOAP requests are done by the software we are testing, or a simple program that uses libsoup and tests basic operations), please tell!

Whiteboard: mga1-64-OK => mga1-64-OK mga1-32-OK

Comment 8 Samuel Verschelde 2012-06-22 18:56:05 CEST
Update validated.

See comment #1 for advisory and list of packages.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Thomas Backlund 2012-06-27 01:18:38 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0126

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED