https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885
CVE-2017-2885
https://download.gnome.org/sources/libsoup/2.58/libsoup-2.58.2.tar.xz
Remote code execution is possible!!
oss-security post with a little more info on this: http://seclists.org/oss-sec/2017/q3/273
CC: (none) => luigiwalser
Whiteboard: (none) => MGA5TOO
pushed in mga5 src.rpm: libsoup-2.48.1-1.1.mga5
CC: (none) => mageia
fixed in mga6 too: src.rpm - libsoup-2.58.2-1.mga6
Assignee: bugsquad => qa-bugs
Advisory:
========================

Updated libsoup packages fix security vulnerability:

An exploitable stack-based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability (CVE-2017-2885).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885
https://www.talosintelligence.com/reports/TALOS-2017-0392/
========================

Updated packages in core/updates_testing:
========================
libsoup-i18n-2.48.1-1.1.mga5
libsoup2.4_1-2.48.1-1.1.mga5
libsoup-gir2.4-2.48.1-1.1.mga5
libsoup-devel-2.48.1-1.1.mga5
libsoup-i18n-2.58.2-1.mga6
libsoup2.4_1-2.58.2-1.mga6
libsoup-gir2.4-2.58.2-1.mga6
libsoup-devel-2.58.2-1.mga6

from SRPMS:
libsoup-2.48.1-1.1.mga5.src.rpm
libsoup-2.58.2-1.mga6.src.rpm
RedHat has issued an advisory for this today (August 10): https://access.redhat.com/errata/RHSA-2017:2459
*** Bug 21497 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu
Debian has this bug as: https://www.debian.org/security/2017/dsa-3929
Whiteboard: MGA5TOO => MGA5TOO advisory
Having a look at this in mga6, x86_64 and struggling. The TALOS link in the references (comment 4) leads to a possible reproducer command which pipes a long string to "nc", which comes with the package netcat-traditional.

$ perl -e 'print "GET / HTTP/1.0\r\nTransfer-Encoding: chunked\r\n\r\n1\r\n" . "A"x150 . "\r\n \r\n"' | nc
Cmd line: invalid port /

Presumably a server/listener connection can be made on the LAN but it is not apparent how this has anything to do with libsoup.

$ urpmq --whatrequires-recursive lib64soup2.4_1 | sort -u | grep netcat

comes up empty. It might be best to forget about the exploit and try out one or some of the packages which do use libsoup.
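Added example, not from this bug report and not libsoup code: a strict decoder for the HTTP chunked framing that the reproducer above sends, so that a reader can see what is wrong with the request rather than just watching a server die. The advisory only says "specially crafted HTTP request"; it is an assumption of this example, not a fact from the page, that the fault sits in chunk metadata handling, so the decoder bounds every peer-controlled length and checks framing before consuming a byte. The function and constant names (parse_chunked, inspect_request, MAX_CHUNK_LINE, MAX_BODY) are the example's own, and the reproducer bytes are reconstructed from the perl one-liner quoted above.

```python
"""Strict decoder for HTTP/1.x chunked transfer encoding (RFC 7230 4.1).

Added illustration, not libsoup code.  Assumption, not stated in the
advisory: the overflow lies in chunk metadata handling, so every length
the peer controls is bounded and every framing byte is checked."""
import re

# Assumed limits; a real server picks what it can afford.
MAX_CHUNK_LINE = 128      # longest "<hex-size>[;extensions]" line accepted
MAX_BODY = 1 << 20        # total decoded body allowed

_HEX_SIZE = re.compile(rb"[0-9A-Fa-f]{1,16}")


class ChunkedError(ValueError):
    """Raised for any deviation from chunked framing."""


def _read_line(buf: bytes, pos: int, limit: int):
    """Return (line, position after CRLF); refuse unterminated or over-long lines."""
    end = buf.find(b"\r\n", pos)
    if end == -1:
        raise ChunkedError("line not terminated by CRLF")
    if end - pos > limit:
        raise ChunkedError(f"line too long ({end - pos} bytes, limit {limit})")
    return buf[pos:end], end + 2


def parse_chunked(body: bytes, max_line: int = MAX_CHUNK_LINE,
                  max_body: int = MAX_BODY) -> bytes:
    """Decode a chunked body; raise ChunkedError instead of trusting bad framing."""
    out = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(body, pos, max_line)
        size_field = line.split(b";", 1)[0].strip()   # drop chunk extensions
        if not _HEX_SIZE.fullmatch(size_field):
            raise ChunkedError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        if size == 0:
            # last-chunk: optional trailer lines, then an empty line
            while True:
                line, pos = _read_line(body, pos, max_line)
                if not line:
                    return bytes(out)
        if len(out) + size > max_body:
            raise ChunkedError("decoded body exceeds limit")
        if len(body) - pos < size + 2:
            raise ChunkedError("truncated chunk data")
        out += body[pos:pos + size]
        pos += size
        # Exactly `size` data bytes must be followed by CRLF.  The reproducer
        # declares size 1 and then sends 150 bytes, so it is rejected here.
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkedError(f"chunk data not followed by CRLF at offset {pos}")
        pos += 2


def inspect_request(raw: bytes) -> str:
    """Classify one raw request: 'reject: ...' for malformed chunked bodies."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "reject: no end of headers"
    encodings = []
    for header in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"transfer-encoding":
            encodings += [v.strip() for v in value.lower().split(b",")]
    if b"chunked" not in encodings:
        return "accept: body is not chunked"
    try:
        decoded = parse_chunked(body)
    except ChunkedError as exc:
        return f"reject: {exc}"
    return f"accept: {len(decoded)} decoded body bytes"


# Constructed inputs.  REPRODUCER mirrors the perl one-liner quoted in this bug.
REPRODUCER = (b"GET / HTTP/1.0\r\nTransfer-Encoding: chunked\r\n\r\n1\r\n"
              + b"A" * 150 + b"\r\n \r\n")
WELL_FORMED = (b"POST / HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n")
LONG_SIZE_LINE = (b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n"
                  + b"1" * 200 + b"\r\n")

if __name__ == "__main__":
    for name, req in (("reproducer", REPRODUCER), ("well-formed", WELL_FORMED),
                      ("long size line", LONG_SIZE_LINE)):
        print(f"{name:15} -> {inspect_request(req)}")
```

Run stand-alone it prints a verdict per constructed request; the reproducer is refused at offset 4 because the declared one-byte chunk is not followed by CRLF, and a 200-character chunk-size line is refused before it is ever parsed as a number. The same two checks are what a front-end proxy or IDS rule would key on for this request shape.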
CC: (none) => tarazed25
Some packages which make use of libsoup:

$ urpmq --whatrequires lib64soup2.4_1 | grep -v lib64
appstream-util banshee birdfont bug-buddy chezdav claws-mail-fancy-plugin corebird darktable dleyna-server empathy epiphany evolution evolution-data-server evolution-ews flatpak flatpak-builder frogr geany-plugins-geniuspaste geany-plugins-updatechecker geoclue geoclue1 gmpc gmpc-wikipedia gnome-boxes gnome-builder gnome-calculator gnome-calculator gnome-calendar gnome-control-center gnome-online-accounts gnome-software gnome-web-photo grilo-plugins gssdp gstreamer0.10-soup gstreamer1.0-soup gthumb gupnp-tools gvfs gyachi hardinfo homebank libgda5.0 liferea midori nautilus-tracker ostree pix pragha rhythmbox rygel seahorse seahorse-sharing shotwell surf telepathy-salut tracker webkit-gtklauncher webkit2 webkit2 webkit3-gtklauncher xfce4-screenshooter xfce4-weather-plugin xombrero yad-gtk3 yelp

----

Did a quick and dirty test that libsoup-using applications still run, e.g.:

- birdfont: loads fine, no warning or error on console related to libsoup
- appstream-util: used one of its libsoup-using features: https://github.com/hughsie/appstream-glib/blob/937db6fb740b1bb125ba2fe7241b741233f7363d/libappstream-glib/as-app-validate.c#L472-L479

$ appstream-util -v validate /usr/share/appdata/redshift-gtk.appdata.xml
(appstream-util:27616): As-DEBUG: run appstream-util: validate /usr/share/appdata/redshift-gtk.appdata.xml:
(appstream-util:27616): As-DEBUG: Adding tag-missing '<translation> not specified'
(appstream-util:27616): As-DEBUG: checking http://jonls.dk/wp-content/uploads/screenshot1.png
(appstream-util:27616): As-DEBUG: Adding url-not-found '<screenshot> url not found [http://jonls.dk/wp-content/uploads/screenshot1.png]'
(appstream-util:27616): As-DEBUG: Adding style-invalid '<caption> is too long [La fenêtre d'information de Redshift superpose un exemple de l'effet de rougeur.];longest allowed is 50 chars'
(appstream-util:27616): As-DEBUG: Adding style-invalid '<caption> cannot end in '.' [La fenêtre d'information de Redshift superpose un exemple de l'effet de rougeur.]'
(appstream-util:27616): As-DEBUG: Adding tag-missing '<name> is not present'
(appstream-util:27616): As-DEBUG: Adding tag-missing '<summary> is not present'
FAILED:
• tag-missing : <translation> not specified
• url-not-found : <screenshot> url not found [http://jonls.dk/wp-content/uploads/screenshot1.png]
• style-invalid : <caption> is too long [La fenêtre d'information de Redshift superpose un exemple de l'effet de rougeur.];longest allowed is 50 chars
• style-invalid : <caption> cannot end in '.' [La fenêtre d'information de Redshift superpose un exemple de l'effet de rougeur.]
• tag-missing : <name> is not present
• tag-missing : <summary> is not present
Validation of files failed

That's hardly enough to validate the fix itself, but at least there are no obvious compatibility issues.
Whiteboard: MGA5TOO advisory => MGA5TOO advisory MGA6-64-OK
Trying Mageia 5 64-bit

BEFORE update:
libsoup-i18n-2.48.1-1.mga5
lib64soup-gir2.4-2.48.1-1.mga5
lib64soup2.4_1-2.48.1-1.mga5

Not a lot of luck using the library. The most promising looked like Epiphany=Web, but I could not get it to start on-screen under strace, so could not play with it thus; it ended immediately without ever showing:

$ strace epiphany 2>&1 | grep soup
open("/lib64/libsoup-2.4.so.1", O_RDONLY|O_CLOEXEC) = 3
read(12, " /usr/lib64/libsoup-2.4.so.1.7."..., 1024) = 1024
$

I tried a couple of other applications in vain, but this worked:

$ strace xfce4-screenshooter 2>&1 | grep soup
open("/lib64/libsoup-2.4.so.1", O_RDONLY|O_CLOEXEC) = 3

AFTER update:
libsoup-i18n-2.48.1-1.1.mga5
lib64soup-gir2.4-2.48.1-1.1.mga5
lib64soup2.4_1-2.48.1-1.1.mga5

Same behaviour as before, so OKing this. And because it already has a Mageia 6 OK, validating it as well, for we are pressed.
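Added helper, not from this bug report and not part of rpm or urpmi: a small audit script that decides, from the installed package name-version-release, whether a host already carries the fixed libsoup listed in the advisory (2.48.1-1.1.mga5 for mga5, 2.58.2-1.mga6 for mga6). The BEFORE/AFTER package names in the comment above are reused as constructed sample input. The version ordering is a simplified rpmvercmp (alphanumeric segments compared left to right, numeric segments sort after alphabetic ones, tilde and caret not handled); the function names rpm_vercmp, split_nvr, is_fixed and audit are the example's own.

```python
"""Check installed libsoup packages against the fixed version-release.

Added illustration, not rpm/urpmi code.  Version ordering is a simplified
rpmvercmp: alphanumeric segments left to right, numeric beats alpha, the
longer string wins a tie; tilde and caret ordering are not implemented."""
import re
import subprocess
from typing import Optional, Tuple

# Fixed version-release per Mageia release, taken from the advisory in this bug.
FIXED_VR = {"mga5": "2.48.1-1.1.mga5", "mga6": "2.58.2-1.mga6"}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with rpmvercmp(3) semantics for plain alphanumerics."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            return 1 if x_num else -1        # a numeric segment is newer than alpha
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the one with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """'lib64soup2.4_1-2.48.1-1.mga5' -> ('lib64soup2.4_1', '2.48.1', '1.mga5')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def distro_tag(release: str) -> Optional[str]:
    """Pull the 'mgaN' suffix out of a release string, if any."""
    m = re.search(r"mga\d+", release)
    return m.group(0) if m else None


def is_fixed(installed_nvr: str) -> Optional[bool]:
    """True/False for a known Mageia release, None when the tag is unknown."""
    _, version, release = split_nvr(installed_nvr)
    tag = distro_tag(release)
    if tag not in FIXED_VR:
        return None
    fixed_version, fixed_release = FIXED_VR[tag].rsplit("-", 1)
    # Compare version first; only on a tie does the release decide.
    c = rpm_vercmp(version, fixed_version) or rpm_vercmp(release, fixed_release)
    return c >= 0


def audit(nvr_lines) -> dict:
    """Map each installed package line to 'fixed', 'VULNERABLE' or 'unknown release'."""
    labels = {True: "fixed", False: "VULNERABLE", None: "unknown release"}
    verdicts = {}
    for line in nvr_lines:
        line = line.strip()
        if line:
            verdicts[line] = labels[is_fixed(line)]
    return verdicts


# Constructed sample, mirroring the BEFORE/AFTER package names in this bug.
SAMPLE = """lib64soup2.4_1-2.48.1-1.mga5
lib64soup-gir2.4-2.48.1-1.1.mga5
lib64soup2.4_1-2.58.2-1.mga6
lib64soup2.4_1-2.58.1-3.mga6
"""

if __name__ == "__main__":
    # On a Mageia host query the RPM database; elsewhere fall back to SAMPLE.
    try:
        out = subprocess.run(
            ["rpm", "-qa", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\\n", "lib*soup*"],
            capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE
    for pkg, verdict in audit(out.splitlines()).items():
        print(f"{verdict:16} {pkg}")
```

The interesting case is the release comparison: 1.mga5 against 1.1.mga5 splits into [1, mga, 5] and [1, 1, mga, 5], and the second segment pits the alphabetic "mga" against the numeric "1", which rpm orders as older, so the pre-update package is reported VULNERABLE and the updated one fixed.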
Keywords: (none) => validated_update
Whiteboard: MGA5TOO advisory MGA6-64-OK => MGA5TOO advisory MGA6-64-OK MGA5664-OK
CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5TOO advisory MGA6-64-OK MGA5664-OK => MGA5TOO advisory MGA6-64-OK MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0272.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED