Bug 21487 - libsoup CVE-2017-2885: Fixed a chunked decoding buffer overrun that could be exploited against either clients or servers. [#785774]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO advisory MGA6-64-OK MGA5-64-OK
Keywords: validated_update
Duplicates: 21497
Depends on:
Blocks:
 
Reported: 2017-08-10 18:52 CEST by Olav Vitters
Modified: 2017-08-16 02:01 CEST (History)

See Also:
Source RPM: libsoup
CVE:
Status comment:



Comment 1 David Walser 2017-08-10 18:54:37 CEST
oss-security post with a little more info on this:
http://seclists.org/oss-sec/2017/q3/273

CC: (none) => luigiwalser
Whiteboard: (none) => MGA5TOO

Comment 2 Nicolas Lécureuil 2017-08-10 21:56:48 CEST
pushed in mga5

src.rpm:   libsoup-2.48.1-1.1.mga5

CC: (none) => mageia

Comment 3 Nicolas Lécureuil 2017-08-10 22:00:06 CEST
fixed in mga6 too:
src.rpm:   libsoup-2.58.2-1.mga6

Assignee: bugsquad => qa-bugs

Comment 4 David Walser 2017-08-10 23:25:08 CEST
Advisory:
========================

Updated libsoup packages fix security vulnerability:

An exploitable stack based buffer overflow vulnerability exists in the GNOME
libsoup 2.58. A specially crafted HTTP request can cause a stack overflow
resulting in remote code execution. An attacker can send a special HTTP request
to the vulnerable server to trigger this vulnerability (CVE-2017-2885).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885
https://www.talosintelligence.com/reports/TALOS-2017-0392/
========================

Updated packages in core/updates_testing:
========================
libsoup-i18n-2.48.1-1.1.mga5
libsoup2.4_1-2.48.1-1.1.mga5
libsoup-gir2.4-2.48.1-1.1.mga5
libsoup-devel-2.48.1-1.1.mga5
libsoup-i18n-2.58.2-1.mga6
libsoup2.4_1-2.58.2-1.mga6
libsoup-gir2.4-2.58.2-1.mga6
libsoup-devel-2.58.2-1.mga6

from SRPMS:
libsoup-2.48.1-1.1.mga5.src.rpm
libsoup-2.58.2-1.mga6.src.rpm

Comment 5 David Walser 2017-08-11 01:21:14 CEST
Red Hat has issued an advisory for this today (August 10):
https://access.redhat.com/errata/RHSA-2017:2459

Comment 6 Zombie Ryushu 2017-08-11 10:28:34 CEST
*** Bug 21497 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 7 Zombie Ryushu 2017-08-11 10:29:34 CEST
Debian has this bug as:

https://www.debian.org/security/2017/dsa-3929

Lewis Smith 2017-08-13 10:04:29 CEST

Whiteboard: MGA5TOO => MGA5TOO advisory

Comment 8 Len Lawrence 2017-08-14 02:32:33 CEST
Having a look at this in mga6, x86_64 and struggling.

The TALOS link in the references (comment 4) leads to a possible reproducer command which pipes a long string to "nc", which comes with the package netcat-traditional.

$ perl -e 'print "GET / HTTP/1.0\r\nTransfer-Encoding: chunked\r\n\r\n1\r\n" . "A"x150 . "\r\n \r\n"' | nc
Cmd line: invalid port /

Presumably a server/listener connection can be made on the LAN but it is not apparent how this has anything to do with libsoup.  
$ urpmq --whatrequires-recursive lib64soup2.4_1 | sort -u | grep netcat
comes up empty.

It might be best to forget about the exploit and try out one or some of the packages which do use libsoup.

CC: (none) => tarazed25
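A bounds-checked chunked-body decoder in C, added here to illustrate the defensive checks that the advisory in comment 4 and the reproducer in comment 8 revolve around; it is example code, not libsoup's. The function names are chosen for this example, and the constructed input (a one-byte chunk, 150 bytes of 'A', then a line beginning with a space) mirrors the shape of the reproducer command above.

```c
#include <ctype.h>
#include <string.h>
/* Bounds-checked chunked-body decoder (added example, not libsoup code).
 * Writes decoded bytes to out[0..out_cap) and returns the decoded length,
 * or -1 if the input is malformed or would not fit: nothing is ever written
 * past out_cap, whatever the peer sends. */
long decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    for (;;) {
        size_t size = 0; int digits = 0;
        /* Chunk size: hex digits, digit count capped so the value cannot wrap. */
        while (ip < in_len && isxdigit((unsigned char)in[ip])) {
            int c = tolower((unsigned char)in[ip++]);
            if (++digits > 8) return -1;
            size = size * 16 + (size_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
        }
        if (digits == 0) return -1;
        while (ip < in_len && in[ip] != '\r') ip++;   /* skip chunk extension */
        if (ip + 2 > in_len || in[ip + 1] != '\n') return -1;
        ip += 2;
        if (size == 0) break;                           /* last chunk */
        if (size > in_len - ip || size > out_cap - op) return -1;
        memcpy(out + op, in + ip, size);
        op += size; ip += size;
        /* Chunk data must end in exactly CRLF; any extra bytes are an error. */
        if (ip + 2 > in_len || in[ip] != '\r' || in[ip + 1] != '\n') return -1;
        ip += 2;
    }
    /* Trailers: header lines up to an empty line. A line that starts with
     * whitespace (a folded continuation, as in the reproducer) is rejected. */
    for (;;) {
        if (ip + 2 > in_len) return -1;
        if (in[ip] == '\r' && in[ip + 1] == '\n') return (long)op;
        if (in[ip] == ' ' || in[ip] == '\t') return -1;
        while (ip < in_len && in[ip] != '\r') ip++;
        if (ip + 2 > in_len || in[ip + 1] != '\n') return -1;
        ip += 2;
    }
}

/* Constructed input shaped like the comment-8 reproducer body: chunk size
 * "1", 150 bytes of 'A', then a folded blank line. Returns -1 (rejected). */
long decode_reproducer_shape(void)
{
    char body[158], out[64];
    memset(body, 'A', sizeof body);
    memcpy(body, "1\r\n", 3);
    memcpy(body + 153, "\r\n \r\n", 5);
    return decode_chunked(body, sizeof body, out, sizeof out);
}
```

The decoder fails closed on the reproducer shape at the first check after the one-byte chunk, because the 149 surplus 'A' bytes are not the CRLF the framing requires.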

Comment 9 Rémi Verschelde 2017-08-15 13:39:42 CEST
Some packages which make use of libsoup:

$ urpmq --whatrequires lib64soup2.4_1 | grep -v lib64
appstream-util
banshee
birdfont
bug-buddy
chezdav
claws-mail-fancy-plugin
corebird
darktable
dleyna-server
empathy
epiphany
evolution
evolution-data-server
evolution-ews
flatpak
flatpak-builder
frogr
geany-plugins-geniuspaste
geany-plugins-updatechecker
geoclue
geoclue1
gmpc
gmpc-wikipedia
gnome-boxes
gnome-builder
gnome-calculator
gnome-calculator
gnome-calendar
gnome-control-center
gnome-online-accounts
gnome-software
gnome-web-photo
grilo-plugins
gssdp
gstreamer0.10-soup
gstreamer1.0-soup
gthumb
gupnp-tools
gvfs
gyachi
hardinfo
homebank
libgda5.0
liferea
midori
nautilus-tracker
ostree
pix
pragha
rhythmbox
rygel
seahorse
seahorse-sharing
shotwell
surf
telepathy-salut
tracker
webkit-gtklauncher
webkit2
webkit2
webkit3-gtklauncher
xfce4-screenshooter
xfce4-weather-plugin
xombrero
yad-gtk3
yelp

----

Did a quick and dirty test that libsoup-using applications still run, e.g.:

- birdfont: loads fine, no warning or error on console related to libsoup

- appstream-util: used one of its libsoup-using features: https://github.com/hughsie/appstream-glib/blob/937db6fb740b1bb125ba2fe7241b741233f7363d/libappstream-glib/as-app-validate.c#L472-L479

$ appstream-util -v validate /usr/share/appdata/redshift-gtk.appdata.xml 
(appstream-util:27616): As-DEBUG: run appstream-util: validate
/usr/share/appdata/redshift-gtk.appdata.xml: (appstream-util:27616): As-DEBUG: Adding tag-missing '<translation> not specified'
(appstream-util:27616): As-DEBUG: checking http://jonls.dk/wp-content/uploads/screenshot1.png
(appstream-util:27616): As-DEBUG: Adding url-not-found '<screenshot> url not found [http://jonls.dk/wp-content/uploads/screenshot1.png]'
(appstream-util:27616): As-DEBUG: Adding style-invalid '<caption> is too long [La fenêtre d'information de Redshift superpose un exemple de l'effet de rougeur.];longest allowed is 50 chars'
(appstream-util:27616): As-DEBUG: Adding style-invalid '<caption> cannot end in '.' [La fenêtre d'information de Redshift superpose un exemple de l'effet de rougeur.]'
(appstream-util:27616): As-DEBUG: Adding tag-missing '<name> is not present'
(appstream-util:27616): As-DEBUG: Adding tag-missing '<summary> is not present'
FAILED:
• tag-missing           : <translation> not specified
• url-not-found         : <screenshot> url not found [http://jonls.dk/wp-content/uploads/screenshot1.png]
• style-invalid         : <caption> is too long [La fenêtre d'information de Redshift superpose un exemple de l'effet de rougeur.];longest allowed is 50 chars
• style-invalid         : <caption> cannot end in '.' [La fenêtre d'information de Redshift superpose un exemple de l'effet de rougeur.]
• tag-missing           : <name> is not present
• tag-missing           : <summary> is not present
Validation of files failed

That's hardly enough to validate the fix itself, but at least there are no obvious compatibility issues.

Whiteboard: MGA5TOO advisory => MGA5TOO advisory MGA6-64-OK

Comment 10 Lewis Smith 2017-08-15 21:25:35 CEST
Trying Mageia 5 64-bit

BEFORE update:
 libsoup-i18n-2.48.1-1.mga5
 lib64soup-gir2.4-2.48.1-1.mga5
 lib64soup2.4_1-2.48.1-1.mga5

Not a lot of luck using the library. The most promising looked like Epiphany=Web, but I could not get it to start on-screen under strace, so could not play with it thus; it ended immediately without ever showing:
 $ strace epiphany 2>&1 | grep soup
open("/lib64/libsoup-2.4.so.1", O_RDONLY|O_CLOEXEC) = 3
read(12, "  /usr/lib64/libsoup-2.4.so.1.7."..., 1024) = 1024
 $

I tried a couple of other applications in vain, but this worked:
 $ strace xfce4-screenshooter 2>&1 | grep soup
open("/lib64/libsoup-2.4.so.1", O_RDONLY|O_CLOEXEC) = 3

AFTER update:
 libsoup-i18n-2.48.1-1.1.mga5
 lib64soup-gir2.4-2.48.1-1.1.mga5
 lib64soup2.4_1-2.48.1-1.1.mga5

Same behaviour as before, so OKing this. And because it already has a Mageia 6 OK, validating it as well, for we are pressed.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO advisory MGA6-64-OK => MGA5TOO advisory MGA6-64-OK MGA5664-OK
CC: (none) => lewyssmith, sysadmin-bugs

Lewis Smith 2017-08-15 21:38:59 CEST

Whiteboard: MGA5TOO advisory MGA6-64-OK MGA5664-OK => MGA5TOO advisory MGA6-64-OK MGA5-64-OK

Comment 11 Mageia Robot 2017-08-16 02:01:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0272.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
