262550 – (CVE-2009-0585) <net-libs/libsoup-{2.2.x,2.24} Integer overflow (CVE-2009-0585)

Bug 262550 (CVE-2009-0585) - <net-libs/libsoup-{2.2.x,2.24} Integer overflow (CVE-2009-0585)

Summary: <net-libs/libsoup-{2.2.x,2.24} Integer overflow (CVE-2009-0585)

Status:	RESOLVED INVALID

Alias:	CVE-2009-0585

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal
Assignee:	Gentoo Security

URL:	http://ocert.org/patches/2008-015/lib...
Whiteboard:	B2 [ebuild?]
Keywords:

Depends on:
Blocks:

Reported:	2009-03-15 11:37 UTC by Stefan Behte (RETIRED)
Modified:	2009-03-15 22:46 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Behte (RETIRED) gentoo-dev

2009-03-15 11:37:56 UTC

CVE-2009-0585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0585):
  Integer overflow in the soup_base64_encode function in soup-misc.c in
  libsoup 2.x.x before 2.2.x, and 2.x before 2.24, allows
  context-dependent attackers to execute arbitrary code via a long
  string that is converted to a base64 representation.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2009-03-15 13:31:51 UTC

Those versions are long gone (2005'ish).

Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev

2009-03-15 21:00:53 UTC

the summary sounded strange so I read the cve report, it is talking about <2.2:2.2 and <2.4:2.4 so we are indeed ok.

Comment 3 Stefan Behte (RETIRED) gentoo-dev

2009-03-15 22:05:59 UTC

Sorry, 2.4.1 sounded smaller than 2.24, and I didn't investigate... :/

Comment 4 Gilles Dartiguelongue (RETIRED) gentoo-dev

2009-03-15 22:46:00 UTC

no problem better be aware of something that could have been a problem than not of one that is :).