Bug 2367552 (CVE-2025-4969)

Summary: CVE-2025-4969 libsoup: Off-by-One Out-of-Bounds Read in find_boundary() in soup-multipart.c
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was found in the libsoup package. This flaw stems from its failure to correctly verify the termination of multipart HTTP messages. This can allow a remote attacker to send a specially crafted multipart HTTP body, causing the libsoup-consuming server to read beyond its allocated memory boundaries (out-of-bounds read).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2367553, 2367554, 2367556, 2367557, 2367555, 2367558    
Bug Blocks:    

Description OSIDB Bzimport 2025-05-20 16:27:11 UTC 
In libsoup's soup-form.c, the function find_boundary() is vulnerable to a buffer under-read issue when the function attempts to locate the boundary in a multipart form. If a malicious client submits a malformed multipart body, the function will attempt to read out of bonds.