Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 627466 (CVE-2017-2885) - <net-libs/libsoup-2.56.1: stack based buffer overflow with HTTP Chunked Encoding
Summary: <net-libs/libsoup-2.56.1: stack based buffer overflow with HTTP Chunked Encoding
Alias: CVE-2017-2885
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Depends on:
Reported: 2017-08-10 15:43 UTC by Agostino Sarubbo
Modified: 2017-09-26 11:31 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-08-10 15:43:53 UTC
From ${URL} :

PSA: Please update libsoup with the patch from
or take one of the new releases,  2.58.2 (gnome-3-24), or
2.56.1 (gnome-3-22).

The patch fixes a severe bug which affects libsoup acting as either
client or server when dealing with chunked encoding.

All versions since 2012 are affected.
Credits go to Aleksandar Nikolic of Cisco Talos for finding this issue.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Gilles Dartiguelongue gentoo-dev 2017-08-11 07:30:58 UTC
Hello security, just pushed 2.56.1 it the tree. It is ready for stabilization as it appears to contain no other change to the already stable 2.56.0.
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-11 22:15:05 UTC
ia64 stable
Comment 3 Markus Meier gentoo-dev 2017-08-23 04:59:20 UTC
arm stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2017-08-25 21:42:34 UTC
amd64 stable
Comment 5 Thomas Deutschmann gentoo-dev 2017-08-29 20:44:31 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-04 10:49:19 UTC
Stable on alpha.
Comment 8 Rolf Eike Beer archtester 2017-09-12 16:37:04 UTC
Since bug 630516 is no regression and 2.56.1 has far less failing tests on sparc than the currently stable 2.56.0 I would suggest marking 2.56.1 stable on sparc.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-12 21:48:51 UTC
stable for hppa/sparc (thanks to Rolf Eike Beer)
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 19:43:55 UTC
ppc64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 20:05:50 UTC
ppc stable

Last arch is done here.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-24 20:16:00 UTC
Test failures don't block sec bugs.
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-24 21:06:20 UTC
New GLSA Request filed.

@Maintainers please remove vulnerable versions.

Gentoo Security Padawan
Comment 14 Larry the Git Cow gentoo-dev 2017-09-26 09:40:47 UTC
The bug has been referenced in the following commit(s):

commit a3eef0539cac8c5876d9f409e33f095de38ce18c
Author:     Mart Raudsepp <>
AuthorDate: 2017-09-26 09:39:07 +0000
Commit:     Mart Raudsepp <>
CommitDate: 2017-09-26 09:40:30 +0000

    net-libs/libsoup: security cleanup
    Package-Manager: Portage-2.3.8, Repoman-2.3.2

 net-libs/libsoup/Manifest              |  1 -
 net-libs/libsoup/libsoup-2.56.0.ebuild | 88 ----------------------------------
 2 files changed, 89 deletions(-)}
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-09-26 11:31:06 UTC
This issue was resolved and addressed in
 GLSA 201709-26 at
by GLSA coordinator Aaron Bauman (b-man).