Bug 33765 - libsoup new security issues CVE-2024-5253[0-2] and another one without CVE for the moment
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-11-14 09:20 CET by Nicolas Salguero
Modified: 2024-11-30 00:37 CET
CC: 3 users

See Also:
Source RPM: libsoup3-3.4.2-1.mga9.src.rpm, libsoup-2.74.3-1.mga9.src.rpm
CVE: CVE-2024-52530, CVE-2024-52531, CVE-2024-52532
Status comment:


Attachments

Nicolas Salguero 2024-11-14 09:34:55 CET

Status comment: (none) => Fixed upstream in future 3.6.1 and patches available from upstream
CVE: (none) => CVE-2024-52530, CVE-2024-52531, CVE-2024-52532
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => libsoup-3.6.0-1.mga10.src.rpm, libsoup-2.74.3-1.mga9.src.rpm

Comment 1 Lewis Smith 2024-11-14 21:57:00 CET
https://wiki.gnome.org/Projects/libsoup says "This site has been retired. For up to date information, see handbook.gnome.org or gitlab.gnome.org."

lib64soup2.4_1
lib64soup3.0_0
https://download.gnome.org/sources/libsoup/    shows:
3.6/                                               25-Aug-2024
No sign of any patch here; nor from the openwall CVEs.

https://libsoup.gnome.org/libsoup-3.0/index.html
looks promising, but its website link is dead and the source link loops.

Have to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-11-28 11:27:11 CET
Ubuntu has issued advisories on November 27:
https://ubuntu.com/security/notices/USN-7126-1 (libsoup2.4)
https://ubuntu.com/security/notices/USN-7127-1 (libsoup3)

Source RPM: libsoup-3.6.0-1.mga10.src.rpm, libsoup-2.74.3-1.mga9.src.rpm => libsoup-3.6.0-1.mga10.src.rpm, libsoup2.4-2.74.3-2.mga10.src.rpm, libsoup3-3.4.2-1.mga9.src.rpm, libsoup-2.74.3-1.mga9.src.rpm
Status comment: Fixed upstream in future 3.6.1 and patches available from upstream => Fixed upstream in future 3.6.1 and patches available from upstream and Ubuntu

Comment 3 Nicolas Salguero 2024-11-28 11:51:18 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header. (CVE-2024-52530)

GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. Input received over the network cannot trigger this. (CVE-2024-52531)

GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption, during the reading of certain patterns of WebSocket data from clients. (CVE-2024-52532)

References:
https://www.openwall.com/lists/oss-security/2024/11/09/2
https://www.openwall.com/lists/oss-security/2024/11/12/8
https://ubuntu.com/security/notices/USN-7126-1
https://ubuntu.com/security/notices/USN-7127-1
========================

Updated packages in core/updates_testing:
========================
lib(64)soup2.4_1-2.74.3-1.1.mga9
lib(64)soup-devel-2.74.3-1.1.mga9
lib(64)soup-gir2.4-2.74.3-1.1.mga9
libsoup-i18n-2.74.3-1.1.mga9

lib(64)soup3.0_0-3.4.2-1.1.mga9
lib(64)soup3-devel-3.4.2-1.1.mga9
lib(64)soup-gir3.0-3.4.2-1.1.mga9
libsoup3-i18n-3.4.2-1.1.mga9

from SRPMS:
libsoup-2.74.3-1.1.mga9.src.rpm
libsoup3-3.4.2-1.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in future 3.6.1 and patches available from upstream and Ubuntu => (none)
Version: Cauldron => 9
Source RPM: libsoup-3.6.0-1.mga10.src.rpm, libsoup2.4-2.74.3-2.mga10.src.rpm, libsoup3-3.4.2-1.mga9.src.rpm, libsoup-2.74.3-1.mga9.src.rpm => libsoup3-3.4.2-1.mga9.src.rpm, libsoup-2.74.3-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
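The CVE-2024-52530 description above turns on one parsing detail: a header name that ends in a NUL byte being treated as if the NUL were not there. The following is an added illustration of why that matters for request smuggling, written for this page; it is not libsoup's parser and does not reproduce the upstream fix. It contrasts a lenient parser that copies the name into a C string (so the embedded NUL silently truncates it and "Transfer-Encoding\0" compares equal to "Transfer-Encoding") with a strict one that validates every byte of the name as an RFC 9110 token character and rejects the line. The header lines are constructed inline, not captured traffic; `is_token`, `lenient_is_transfer_encoding`, `strict_header_kind` and `parsers_disagree` are names chosen here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample header lines (not captured traffic). The lengths come
 * from sizeof so that the embedded NUL byte stays part of the line. */
static const char smuggled[] = "Transfer-Encoding\0: chunked";
static const size_t smuggled_len = sizeof smuggled - 1;
static const char normal[] = "Transfer-Encoding: chunked";
static const size_t normal_len = sizeof normal - 1;

/* ASCII case-insensitive compare of a length-delimited name against a
 * literal; the lengths must match exactly, no C-string shortcuts. */
static bool name_eq(const char *a, size_t n, const char *literal)
{
    if (strlen(literal) != n)
        return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)literal[i]))
            return false;
    return true;
}

/* True if every byte of name[0..n) is an RFC 9110 tchar. NUL is rejected
 * explicitly because strchr() would otherwise "find" the terminator. */
static bool is_token(const char *name, size_t n)
{
    static const char extra[] = "!#$%&'*+-.^_`|~";
    if (n == 0)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        bool alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                     (c >= 'a' && c <= 'z');
        if (!alnum && (c == '\0' || strchr(extra, c) == NULL))
            return false;
    }
    return true;
}

/* Lenient behaviour: the name is copied into a NUL-terminated buffer and then
 * handled as a C string, so everything after an embedded NUL is dropped and
 * "Transfer-Encoding\0" matches "Transfer-Encoding". */
static bool lenient_is_transfer_encoding(const char *line, size_t len)
{
    const char *colon = memchr(line, ':', len);
    if (colon == NULL)
        return false;
    size_t n = (size_t)(colon - line);
    char name[64];
    if (n >= sizeof name)
        return false;
    memcpy(name, line, n);
    name[n] = '\0';
    return name_eq(name, strlen(name), "Transfer-Encoding");
}

/* Strict behaviour: the name is validated byte for byte, length included.
 * Returns 1 for a genuine Transfer-Encoding header, 0 for any other valid
 * header, -1 for a malformed line that must be rejected, not fixed up. */
static int strict_header_kind(const char *line, size_t len)
{
    const char *colon = memchr(line, ':', len);
    if (colon == NULL)
        return -1;
    size_t n = (size_t)(colon - line);
    if (!is_token(line, n))
        return -1;
    return name_eq(line, n, "Transfer-Encoding") ? 1 : 0;
}

/* The discrepancy a smuggling attack relies on: one hop honours the header
 * and uses chunked framing while the next rejects or ignores it, so the two
 * disagree about where the request body ends. */
static bool parsers_disagree(const char *line, size_t len)
{
    return lenient_is_transfer_encoding(line, len) &&
           strict_header_kind(line, len) == -1;
}

int main(void)
{
    printf("smuggled line: lenient=%d strict=%d disagree=%d\n",
           lenient_is_transfer_encoding(smuggled, smuggled_len),
           strict_header_kind(smuggled, smuggled_len),
           parsers_disagree(smuggled, smuggled_len));
    printf("normal line:   lenient=%d strict=%d\n",
           lenient_is_transfer_encoding(normal, normal_len),
           strict_header_kind(normal, normal_len));
    return 0;
}
```

The point to take from the strict variant is that the fix is to reject the line outright: "repairing" the name by trimming the NUL would simply move the discrepancy to whichever hop does not trim it.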

Comment 4 Herman Viaene 2024-11-28 17:13:12 CET
Hmmmm, Bermuda fish chowder, delicious, mouthwatering .....

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2024-11-28 17:28:01 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Checked previous update 25642, but found out that previous dependency on shotwell is not listed anymore in
# urpmq --whatrequires lib64soup2.4_1
So picked out hardinfo and ran it under strace
$ strace -o soup.txt hardinfo 
and trace file shows
openat(AT_FDCWD, "/lib64/libsoup-2.4.so.1", O_RDONLY|O_CLOEXEC) = 3

Note: hardinfo seems a quite interesting little tool!!
Good to go AFAICS.

Whiteboard: (none) => MGA9-64-OK

katnatek 2024-11-28 18:12:16 CET

Keywords: (none) => advisory

Comment 6 katnatek 2024-11-28 18:23:46 CET
(In reply to Herman Viaene from comment #5)
> MGA9-64 Plasma Wayland on Compaq H000SB
> No installation issues.
> Checked previous update 25642, but found out that previous dependency on
> shotwell is not listed anymore in
> # urpmq --whatrequires lib64soup2.4_1
But it is in urpmq --whatrequires lib64soup3.0_0

installing lib64soup-gir3.0-3.4.2-1.1.mga9.x86_64.rpm libsoup-i18n-2.74.3-1.1.mga9.noarch.rpm lib64soup2.4_1-2.74.3-1.1.mga9.x86_64.rpm lib64soup3.0_0-3.4.2-1.1.mga9.x86_64.rpm libsoup3-i18n-3.4.2-1.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/5: libsoup3-i18n         ##################################################################################################
      2/5: lib64soup3.0_0        ##################################################################################################
      3/5: libsoup-i18n          ##################################################################################################
      4/5: lib64soup2.4_1        ##################################################################################################
      5/5: lib64soup-gir3.0      ##################################################################################################
      1/5: removing lib64soup-gir3.0-3.4.2-1.mga9.x86_64
                                 ##################################################################################################
      2/5: removing lib64soup3.0_0-3.4.2-1.mga9.x86_64
                                 ##################################################################################################
      3/5: removing lib64soup2.4_1-2.74.3-1.mga9.x86_64
                                 ##################################################################################################
      4/5: removing libsoup-i18n-2.74.3-1.mga9.noarch
                                 ##################################################################################################
      5/5: removing libsoup3-i18n-3.4.2-1.mga9.noarch
                                 ##################################################################################################

strace gnome-boxes shows
openat(AT_FDCWD, "/lib64/libsoup-3.0.so.0", O_RDONLY|O_CLOEXEC) = 3

keep the OK

CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2024-11-29 17:08:51 CET
@Herman: Hardinfo is indeed an interesting tool.

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2024-11-30 00:37:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0382.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

