Bug 1597980 (CVE-2018-12910)
| Summary: | CVE-2018-12910 libsoup: Crash in soup_cookie_jar.c:get_cookies() on empty hostnames | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | alexl, danw, erik-fedora, john.j5live, klember, mclasen, mcrha, rhughes, rjones, rstrode, sandmann, sfowler, tpopela |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | An out-of-bounds read has been discovered in libsoup when getting cookies from a URI with an empty hostname. An attacker may use this flaw to cause a crash in the application. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-10 10:31:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1597981, 1597982, 1597983, 1598838 | | |
| Bug Blocks: | 1597989 | | |
Description
Sam Fowler
2018-07-04 05:28:05 UTC
Created libsoup tracking bugs for this issue:

Affects: fedora-all [bug 1597982]

Created mingw-libsoup tracking bugs for this issue:

Affects: fedora-all [bug 1597981]

Reference: https://usn.ubuntu.com/3701-1/

Reproduced on f27 with libsoup-2.60.3-1.fc27.x86_64:

```
sh-4.4# gcc -fsanitize=address -g cookies-test.c test-utils.c -I/usr/include/libsoup-2.4/ -I/usr/include/glib-2.0/ -I/usr/lib64/glib-2.0/include/ -lsoup-2.4 -lgio-2.0 -lgobject-2.0 -lglib-2.0 -o CVE-2018-12910
sh-4.4# gdb -q CVE-2018-12910
Reading symbols from CVE-2018-12910...done.
(gdb) r
Starting program: /builddir/CVE-2018-12910
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.26-28.fc27.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffe6fe8700 (LWP 114)]
/cookies/accept-policy: [New Thread 0x7fffe67e7700 (LWP 115)]
OK
/cookies/accept-policy-subdomains:
** ERROR:cookies-test.c:122:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 1): (0 == 1)
** ERROR:cookies-test.c:128:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 2): (0 == 2)
** ERROR:cookies-test.c:136:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 2): (0 == 2)
** ERROR:cookies-test.c:144:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 3): (1 == 3)
FAIL
/cookies/parsing: OK
/cookies/parsing/no-path-null-origin:
** ERROR:cookies-test.c:227:do_cookies_parsing_nopath_nullorigin: assertion failed ("/" == soup_cookie_get_path (cookie)): ("/" == NULL)
FAIL
/cookies/get-cookies/empty-host:
=================================================================
==110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200005d472 at pc 0x7ffff6e7b00e bp 0x7fffffffe110 sp 0x7fffffffd8b8
READ of size 1 at 0x60200005d472 thread T0
    #0 0x7ffff6e7b00d  (/lib64/libasan.so.4+0x5b00d)
    #1 0x7ffff69e514e  (/lib64/libsoup-2.4.so.1+0x15714e)
    #2 0x7ffff69e5345 in soup_cookie_jar_get_cookies (/lib64/libsoup-2.4.so.1+0x157345)
    #3 0x404a9f in do_get_cookies_empty_host_test /builddir/cookies-test.c:241
    #4 0x7ffff5ffe2e9  (/lib64/libglib-2.0.so.0+0x712e9)
    #5 0x7ffff5ffe21a  (/lib64/libglib-2.0.so.0+0x7121a)
    #6 0x7ffff5ffe21a  (/lib64/libglib-2.0.so.0+0x7121a)
    #7 0x7ffff5ffe4c1 in g_test_run_suite (/lib64/libglib-2.0.so.0+0x714c1)
    #8 0x7ffff5ffe4e0 in g_test_run (/lib64/libglib-2.0.so.0+0x714e0)
    #9 0x404c6d in main /builddir/cookies-test.c:272
    #10 0x7ffff5bf7f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #11 0x403c09 in _start (/builddir/CVE-2018-12910+0x403c09)

0x60200005d472 is located 0 bytes to the right of 2-byte region [0x60200005d470,0x60200005d472)
allocated by thread T0 here:
    #0 0x7ffff6efe850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7ffff5cdcec7 in __GI___vasprintf_chk (/lib64/libc.so.6+0x105ec7)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.4+0x5b00d)
Shadow bytes around the buggy address:
  0x0c0480003a30: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0480003a40: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0480003a50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0480003a60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480003a70: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
=>0x0c0480003a80: fa fa 05 fa fa fa 01 fa fa fa 00 07 fa fa[02]fa
  0x0c0480003a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==110==ABORTING
```

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2018:3140 https://access.redhat.com/errata/RHSA-2018:3140

An attacker who can pass an empty hostname to soup_cookie_jar.c:get_cookies() would only be able to control the `cur`, `domain` and `next_domain` variables. `domain` is never used apart from the g_free() function, which results in no wrong behavior. `next_domain` is only used to store the next value of `cur` and, if the hostname is empty, it can be set to the NULL terminator of the `domain` string. After the first iteration, `next_domain` may go out of bounds and read memory that wasn't allocated for the `domain` string. `cur` just follows the `next_domain` value and it is used to look up existing cookies from a hashtable. This means that an attacker can at most read some memory outside the bounds of `domain` and make the application crash, but he is not able to control anything else that may produce a higher impact for this flaw. Indeed, other parts of the code just use objects that were already existing.
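As an added illustration (not libsoup's code and not part of this bug report), the following C model of the domain walk described above shows why the empty-host guard matters: the buffer is built as `"." + host`, so with an empty host it is the 2-byte string `"."` and `next_domain` starts on its NUL terminator, which is exactly the allocation the ASan report flags. The function name and the 64-byte candidate slots are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not libsoup's code) of a cookie jar's domain walk.
 * For host "a.b.example.com" it visits, in order, ".a.b.example.com",
 * "a.b.example.com", ".b.example.com", ".example.com", ".com", copying each
 * into out[]. Returns the candidate count, or -1 for a NULL/empty host. */
int walk_cookie_domains(const char *host, char out[][64], int max_out)
{
    /* The missing guard: with host == "" the buffer is just "." and
     * next_domain would start on its NUL terminator, so strchr(cur + 1, '.')
     * below would read the byte right after the 2-byte allocation, which is
     * the 1-byte heap-buffer-overflow that ASan reported. */
    if (host == NULL || host[0] == '\0')
        return -1;

    size_t len = strlen(host) + 2;              /* '.' + host + NUL */
    char *domain = malloc(len);
    if (domain == NULL)
        return -1;
    snprintf(domain, len, ".%s", host);

    const char *end = domain + len - 1;         /* address of the NUL */
    const char *cur = domain;                   /* ".host" first */
    const char *next_domain = domain + 1;       /* then the bare host */
    int n = 0;
    do {
        if (n < max_out) {
            strncpy(out[n], cur, 63);
            out[n][63] = '\0';
        }
        n++;
        cur = next_domain;
        /* Second layer: never hand strchr() a pointer at or past the
         * terminator, even if a later edit weakens the guard above. */
        if (cur != NULL)
            next_domain = (cur + 1 < end) ? strchr(cur + 1, '.') : NULL;
    } while (cur != NULL);

    free(domain);
    return n;
}

int main(void)
{
    char cands[8][64];
    printf("candidates: %d\n", walk_cookie_domains("a.b.example.com", cands, 8));
    printf("empty host: %d\n", walk_cookie_domains("", cands, 8));
    return 0;
}
```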