Bug 223143

Summary: CVE-2006-5876 libsoup Server code crashes upon receiving malformed GET HTTP header
Product: Red Hat Enterprise Linux 5
Reporter: Lubomir Kundrak <lkundrak>
Component: libsoup
Assignee: Matthew Barnes <mbarnes>
Status: CLOSED CURRENTRELEASE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 5.0
CC: alexl
Keywords: Security
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405197
Whiteboard: impact=moderate,source=debian,reported=20070116,public=20071111
Fixed In Version: RC
Doc Type: Bug Fix
Last Closed: 2007-02-08 02:18:24 UTC
Bug Blocks: 223144

Description Lubomir Kundrak 2007-01-17 23:17:33 UTC
Description of problem:

Programs using libsoup Server code attempt to dereference a NULL
pointer upon receipt of a header that looks like this:

"GET something\000something\r\n"

Affected code is used just by Rhythmbox's daap plugin in FC{5,6} and RHEL5.
Also you can use seahorse from Extras to reproduce the issue.

See the Debian bug report for details.

Steps to Reproduce:
1. Run rhythmbox and enable the daap server
2. echo -e "GET abcd\000efgh" |telnet localhost daap
3. Correct the line above, for I haven't tried it :)

Additional info:

Upstream completely rewrote the affected functions. Dunno if Debian did
their own patches, but they issued a DSA for that.
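
Added example, not part of the original report and not libsoup's or the backported fix's code (the page does not show either): a length-aware request-line parser that rejects a line like the one in the description instead of handing it to C string functions and dereferencing a token pointer that was never found. The names `parse_request_line`, `struct req_line` and the `REQ_*` codes are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes for this illustration. */
enum req_status { REQ_OK = 0, REQ_EMBEDDED_NUL, REQ_MALFORMED };

struct req_line {
    /* Pointers into the caller's buffer; NOT NUL-terminated. */
    const char *method, *path, *version;
    size_t method_len, path_len, version_len;
};

/* Parse "METHOD SP PATH SP VERSION" from buf[0..len), where len excludes
 * the trailing CRLF. Every search is bounded by an explicit length, so a
 * NUL byte cannot silently shorten the line as it would for strchr(). */
enum req_status parse_request_line(const char *buf, size_t len,
                                   struct req_line *out)
{
    const char *end = buf + len, *sp1, *sp2;

    /* Reject embedded NUL bytes up front, e.g. "GET abcd\000efgh". */
    if (memchr(buf, '\0', len) != NULL)
        return REQ_EMBEDDED_NUL;

    /* First separator: must exist and must follow a non-empty method. */
    sp1 = memchr(buf, ' ', len);
    if (sp1 == NULL || sp1 == buf)
        return REQ_MALFORMED;

    /* Second separator: a missing path or version is reported as an
     * error; the NULL search result is checked, never dereferenced. */
    sp2 = memchr(sp1 + 1, ' ', (size_t)(end - (sp1 + 1)));
    if (sp2 == NULL || sp2 == sp1 + 1 || sp2 + 1 == end)
        return REQ_MALFORMED;

    out->method  = buf;      out->method_len  = (size_t)(sp1 - buf);
    out->path    = sp1 + 1;  out->path_len    = (size_t)(sp2 - (sp1 + 1));
    out->version = sp2 + 1;  out->version_len = (size_t)(end - (sp2 + 1));
    return REQ_OK;
}
```

A server using such a parser would answer either error code with a 400 response and close the connection.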


Comment 1 Matthew Barnes 2007-01-18 15:51:09 UTC
This was fixed in libsoup-2.2.99.  I'll backport the upstream changes.

Comment 2 RHEL Product and Program Management 2007-01-18 16:00:49 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for

Comment 3 Matthew Barnes 2007-01-18 17:45:48 UTC
Upstream changes applied to libsoup-2.2.98-2.el5.

Comment 4 RHEL Product and Program Management 2007-02-08 02:18:25 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.