
Bug 376793 (CVE-2011-2524)

Summary: <net-libs/libsoup-2.34.3: Directory traversal vulnerability in SoupServer (CVE-2011-2524)
Product: Gentoo Security
Reporter: Pacho Ramos <pacho>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Pacho Ramos gentoo-dev 2011-07-28 18:42:59 UTC
From changelog:


        * CVE-2011-2054: Fixed a security hole that caused some
          SoupServer users to unintentionally allow accessing the
          entire local filesystem when they thought they were only
          providing access to a single directory. [#653258]


Reproducible: Always
Comment 1 Pacho Ramos gentoo-dev 2011-07-28 18:44:09 UTC
Fixed versions were just bumped, but we cannot stabilize them yet due to problems with KDE reported in bug 365479, the problem is that we still don't know how to fix it :S
Comment 2 Vincent Danen 2011-07-28 21:09:02 UTC
Don't mean to butt in, but the CVE name referenced here is incorrect (and so is the package actually).  It should be libsoup, not libproxy and the CVE name is CVE-2011-2524, as per:

https://bugzilla.redhat.com/show_bug.cgi?id=720509
http://www.openwall.com/lists/oss-security/2011/07/28/11

I've asked upstream to correct the changelog (found the same in libsoup's 2.34.3 NEWS file).
Comment 3 Pacho Ramos gentoo-dev 2011-07-29 17:35:08 UTC
Yes, the summary is wrong because I copied it wrongly ;-)
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2011-09-03 20:39:27 UTC
As discussed in the kde team meeting - please go ahead, we do not know for sure but believe that bug 365479 is fixed (as there have been no real duplicates since the moment when glib-networking-2.28.7 was the only version left in the tree).
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-09-03 22:35:08 UTC
Ok, thank you.

Arches, please test and mark stable:
=net-libs/libsoup-2.34.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 6 Agostino Sarubbo gentoo-dev 2011-09-04 10:46:53 UTC
=net-libs/glib-networking-2.28.7 Is also pulled in.


amd64 ok
Comment 7 Tony Vroon (RETIRED) gentoo-dev 2011-09-04 20:13:12 UTC
+  04 Sep 2011; Tony Vroon <chainsaw@gentoo.org> glib-networking-2.28.7.ebuild:
+  Marked stable as a dependency of net-libs/libsoup-2.34.3 based on arch
+  testing by Agostino "ago" Sarubbo in bug #376793 filed by Pacho Ramos.

+  04 Sep 2011; Tony Vroon <chainsaw@gentoo.org> libsoup-2.34.3.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in bug
+  #376793 filed by Pacho Ramos.
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2011-09-04 20:20:37 UTC
Let's hope kde is not needed here anymore. :)
Comment 9 Markus Meier gentoo-dev 2011-09-04 21:07:12 UTC
arm/x86 stable
Comment 10 Jeff (JD) Horelick (RETIRED) gentoo-dev 2011-09-04 23:33:46 UTC
=net-libs/libsoup-gnome-2.34.3 also needs to be stabilized as libsoup and libsoup-gnome versions need to match (apparently).

I've archtested libsoup-gnome-2.34.3 on x86 and everything's fine so it should be fine on the other arches if libsoup itself is fine. 

Re-added x86, arm and amd64 to the bug. If I wasn't supposed to/allowed to do this, sorry. :D
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-09-05 00:21:41 UTC
(In reply to comment #10)
> =net-libs/libsoup-gnome-2.34.3 also needs to be stabilized as libsoup and
> libsoup-gnome versions need to match (apparently).
> 

@gnome, is this correct?
Comment 12 Mart Raudsepp gentoo-dev 2011-09-05 00:32:39 UTC
(In reply to comment #11)
> (In reply to comment #10)
> > =net-libs/libsoup-gnome-2.34.3 also needs to be stabilized as libsoup and
> > libsoup-gnome versions need to match (apparently).
> > 
> 
> @gnome, is this correct?

Yes, we need the same version of libsoup-gnome at the same visibility level as libsoup, as this is a source level split from gentoo side of what's shipped in the same tarball - two different libraries with libsoup-gnome having extra deps, hence two packages.

Note that the main change encompassing the separate libsoup-gnome library is a complete rewrite of the gnome proxy resolver, basically scrapping all the code inside in favor of directly using GProxyResolver inside glib-networking while requesting the gnome method of it specifically:

	* Added SoupProxyResolverDefault, which uses uses gio's
          GProxyResolver to resolve proxies [#642982, Gustavo Noronha
          Silva]. Despite the "default" in the name, it is not used by
          default, for compatibility reasons, but it is available in
          plain libsoup, not libsoup-gnome. (Of course, it depends on
          having glib-networking installed.)

	* Updated SoupProxyResolverGNOME to be based on
          SoupProxyResolverDefault, but explicitly requesting the
          "gnome" GProxyResolver if it is available [#625898], and
          removed the old code that used GConf and libproxy directly.


In other words, should be good to go as glib-networking has been sorted for net-libs/libsoup package anyhow.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-09-05 01:08:13 UTC
Ok, great, thanks, Mart. Thanks too, JD, for the heads up.

Arches, the new list is:

=net-libs/libsoup-2.34.3
=net-libs/libsoup-gnome-2.34.3
=net-libs/glib-networking-2.28.7
Comment 14 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-05 08:53:41 UTC
amd64: pass
Comment 15 Agostino Sarubbo gentoo-dev 2011-09-05 08:54:32 UTC
=net-libs/libsoup-gnome-2.34.3 is also ok on amd64.
Comment 16 Tony Vroon (RETIRED) gentoo-dev 2011-09-05 09:06:25 UTC
+  05 Sep 2011; Tony Vroon <chainsaw@gentoo.org> libsoup-gnome-2.34.3.ebuild:
+  Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+  Lazkani & Agostino "ago" Sarubbo in security bug #376793 filed by Pacho
+  Ramos.

I am expressing my displeasure at the withheld dependencies. This has been keyworded.
Comment 17 Markus Meier gentoo-dev 2011-09-05 19:13:22 UTC
arm/x86 stable, thanks JD
Comment 18 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-09 14:31:05 UTC
Stable for HPPA.
Comment 19 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-12 14:58:08 UTC
ppc/ppc64 stable
Comment 20 Raúl Porcel (RETIRED) gentoo-dev 2011-09-18 11:38:08 UTC
alpha/ia64/sh/sparc stable
Comment 21 Tim Sammut (RETIRED) gentoo-dev 2011-09-19 18:42:37 UTC
Thanks, folks. GLSA Vote: yes.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:39:20 UTC
CVE-2011-2524 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2524):
  Directory traversal vulnerability in soup-uri.c in SoupServer in libsoup
  before 2.35.4 allows remote attackers to read arbitrary files via a %2e%2e
  (encoded dot dot) in a URI.
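
An added illustration of the encoded dot-dot issue named in the CVE text above (not libsoup's code and not part of the original bug thread): a check for ".." segments that runs on the still-encoded path misses %2e%2e, while decoding once and then checking catches it. The function names, the sample paths and the assumption that a later file layer decodes the path after the check are hypothetical.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes in place, exactly once.
 * Returns 0 on success, -1 on a malformed escape or an encoded NUL. */
static int pct_decode(char *s) {
    char *out = s;
    for (; *s; s++) {
        if (*s != '%') { *out++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], 0 };
        long v = strtol(hex, NULL, 16);
        if (v == 0) return -1;          /* refuse %00 */
        *out++ = (char)v;
        s += 2;
    }
    *out = 0;
    return 0;
}

/* Returns 1 if any '/'-separated segment of path is exactly "..". */
static int has_dotdot_segment(const char *path) {
    while (*path) {
        size_t n = strcspn(path, "/");
        if (n == 2 && path[0] == '.' && path[1] == '.') return 1;
        path += n;
        if (*path == '/') path++;
    }
    return 0;
}

/* Weak order (assumed model): the check sees the raw request path and
 * the file layer decodes it afterwards. Returns 1 if the path is accepted. */
int naive_accepts(const char *raw_path) {
    return !has_dotdot_segment(raw_path);
}

/* Corrected order: decode first, then check the decoded form.
 * Returns 1 if the path is accepted. */
int hardened_accepts(const char *raw_path) {
    char buf[1024];
    if (strlen(raw_path) >= sizeof buf) return 0;
    strcpy(buf, raw_path);
    if (pct_decode(buf) != 0) return 0;
    return buf[0] == '/' && !has_dotdot_segment(buf);
}
```

A segment check does not cover symlinks, so a server should also resolve the final path (for example with realpath()) and confirm it still lies under the served directory before opening it.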
Comment 23 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:20:01 UTC
Vote: YES. New GLSA request filed.
Comment 24 Gilles Dartiguelongue (RETIRED) gentoo-dev 2014-11-04 22:13:20 UTC
It appears libsoup-2.34.3 left the tree over two years ago (10 Oct 2012), maybe this is not worth a GLSA anymore?
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:38:26 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).