Bug 161887 - net-libs/libsoup <=2.2.3, <=2.2.98 missing input sanitizing Denial of Service (CVE-2006-5876)
Bug#: 161887
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: aetius@gentoo.org
Component: Vulnerabilities
URL:  http://seclists.org/fulldisclosure/2007/Jan/0254.html
Status Whiteboard: B3 [noglsa] aetius
Opened: 2007-01-13 12:26 0000
Description:
http://bugzilla.gnome.org/show_bug.cgi?id=391970
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405197

See the gnome bug for the patch.

libsoup is missing some input sanitizing when parsing HTTP headers - in this
case a binary 0 (\0x00) causes a crash.  Debian says the bug is not exploitable
for anything other than a crash - initial discovery was via rhythmbox using the
daap plugin.
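
An added illustration of the kind of input sanitizing the description refers to (constructed for this page; it is not libsoup's code and not the upstream patch from the GNOME bug): a length-aware check in C that rejects a header block containing a binary 0 before any C string function sees it. The function name, status codes and sample inputs are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

enum hdr_status { HDR_OK = 0, HDR_EMBEDDED_NUL, HDR_BAD_CTL, HDR_NO_COLON };

/* Check a received header block (the lines after the start line) of exactly
 * `len` bytes. Only (pointer, length) is used, never strlen()/strchr(), so a
 * NUL byte from the peer cannot make the parser see a shorter "string" than
 * the network buffer really holds. */
enum hdr_status hdr_block_check(const unsigned char *buf, size_t len)
{
    size_t line_start = 0;
    int seen_colon = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c == '\0')
            return HDR_EMBEDDED_NUL;
        if (c == '\n') {
            size_t line_len = i - line_start;
            if (line_len > 0 && buf[i - 1] == '\r')
                line_len--;                 /* strip the CR of CRLF */
            if (line_len == 0)
                return HDR_OK;              /* blank line ends the headers */
            if (!seen_colon)
                return HDR_NO_COLON;
            line_start = i + 1;
            seen_colon = 0;
            continue;
        }
        if (i == line_start && line_start != 0 && (c == ' ' || c == '\t'))
            seen_colon = 1;                 /* folded continuation line */
        if (c == ':')
            seen_colon = 1;
        else if ((c < 0x20 && c != '\t' && c != '\r') || c == 0x7f)
            return HDR_BAD_CTL;
    }
    /* No blank line seen: accept only if the last line was well formed. */
    return (line_start < len && !seen_colon) ? HDR_NO_COLON : HDR_OK;
}

int main(void)
{
    /* Constructed sample inputs; sizeof - 1 keeps the bytes after the NUL. */
    static const unsigned char ok[]  = "Content-Type: text/plain\r\n\r\n";
    static const unsigned char bad[] = "Content-Type: text/\0plain\r\n\r\n";
    printf("clean block: %d\n", hdr_block_check(ok, sizeof ok - 1));
    printf("NUL block:   %d\n", hdr_block_check(bad, sizeof bad - 1));
    return 0;
}
```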

------- Comment #1 From Matt Drew 2007-01-13 12:29:11 0000 -------
setting status and cc'ing herd.

------- Comment #2 From Mart Raudsepp 2007-01-14 07:59:51 0000 -------
libsoup-2.2.99 is in the tree now as ~arch, which includes the fix for upstream
bug 391970 as linked above.

If this bug is considered a security fix that should get quick stabilization,
please CC arches yourself or let me know to do that.

------- Comment #3 From Matt Drew 2007-01-14 17:24:49 0000 -------
@comment #2 - 

Do we want to stabilize a patch on any of the lower versions?  I recall
something about 2.2.9x being a development branch?

------- Comment #4 From Mart Raudsepp 2007-01-14 17:37:55 0000 -------
2.2.9x versions have been the minimum for GNOME since GNOME-2.14 -
ftp://ftp.gnome.org/pub/GNOME/teams/releng/2.14.0/versions
We have 2.16 stable now.
So apparently upstream considers it stable. Plus many of the (stabilized)
libsoup users in the tree demand at least 2.2.90.

As for SLOT=0 (1.99.28), I hope to get rid of that completely very soon, though
users will have to notice to uninstall it themselves, as nothing would force an
unmerge through a block.

------- Comment #5 From Matt Drew 2007-01-14 20:42:24 0000 -------
Understood.  Arches, please test and mark stable:

net-libs/libsoup-2.2.99

KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 ppc sparc x86"

------- Comment #6 From Luis Medinas (RETIRED) 2007-01-15 00:14:01 0000 -------
amd64 stable first and the best!
thanks

------- Comment #7 From Markus Rothe 2007-01-15 07:53:20 0000 -------
ppc64 stable

------- Comment #8 From Bryan Østergaard (RETIRED) 2007-01-15 15:20:58 0000 -------
Created an attachment (id=107068)
Test errors on Alpha

I get a rather impressive amount of test errors (537212952 to be precise :) on
alpha using 2.2.99. 2.2.94 passes tests with no errors. I've attached test part
of the emerge log.

Any ideas what could cause this?

------- Comment #9 From Tobias Scherbaum 2007-01-15 18:33:02 0000 -------
ppc stable

------- Comment #10 From Jason Wever (RETIRED) 2007-01-16 00:52:50 0000 -------
SPARC is seeing the same failures when it comes to testing as Alpha is in
comment #8

------- Comment #11 From Jeroen Roovers 2007-01-16 04:52:43 0000 -------
Stable for HPPA with precisely 1076425976 test errors.

------- Comment #12 From Christian Faulhammer 2007-01-16 08:56:24 0000 -------
A negative amount failed on x86.  header-parsing is a new test introduced with
.99, as the ones also available in .98 pass successfully.

-156140 errors
FAIL: header-parsing

------- Comment #13 From Christian Faulhammer 2007-01-17 07:57:34 0000 -------
x86 stable, as the software works with libsoup...damn tests.

------- Comment #14 From Gustavo Zacarias (RETIRED) 2007-01-18 18:21:06 0000 -------
So? Should we ignore the testsuite?
How about we start using RESTRICT="test" for known failures?

------- Comment #15 From Gustavo Zacarias (RETIRED) 2007-01-23 14:13:17 0000 -------
sparc stable and disabled tests in the ebuild since they're known broken.

------- Comment #16 From Bryan Østergaard (RETIRED) 2007-01-23 22:11:04 0000 -------
Stable on Alpha and IA64.

------- Comment #17 From Matthias Geerdsen 2007-01-24 20:05:10 0000 -------
glsa or no glsa?

------- Comment #18 From Matt Drew 2007-01-25 13:02:22 0000 -------
/vote no, it's a client DoS.

------- Comment #19 From Vic Fryzel (shellsage) (RETIRED) 2007-01-26 01:05:59 0000 -------
I vote no.

------- Comment #20 From Vic Fryzel (shellsage) (RETIRED) 2007-01-27 21:34:22 0000 -------
I vote yes.

------- Comment #21 From Sune Kloppenborg Jeppesen 2007-01-27 22:48:48 0000 -------
Another NO vote.

------- Comment #22 From Vic Fryzel (shellsage) (RETIRED) 2007-01-28 03:31:55 0000 -------
I don't know how I voted twice, with conflicting votes, but I really did mean
to vote no.

------- Comment #23 From Raphael Marichez 2007-02-10 22:26:51 0000 -------
noglsa, feel free to reopen if you disagree