Bug 720509 (CVE-2011-2524)
| Field | Value |
|---|---|
| Summary | CVE-2011-2524 libsoup: SoupServer directory traversal flaw |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Vincent Danen <vdanen> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | danw, mbarnes, security-response-team |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2012-07-10 19:53:57 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 723104, 723105, 726469 |
| Bug Blocks | 720514 |

Description
Vincent Danen
2011-07-11 21:36:47 UTC
The faulty code was introduced in libsoup 2.4, so versions prior to that are not vulnerable to this flaw; Red Hat Enterprise Linux 4 and 5 are unaffected.

I've assigned the name CVE-2011-2524 to this issue.

Created attachment 512294
proposed upstream patch

Created attachment 512504
test program

test program, compile with
gcc -o test test.c `pkg-config --cflags --libs libsoup-2.4`
run, check exit status (0 = good, 1 = bad)
in theory, if you compiled this under Fedora 9, you could run the same binary on any newer Fedora/RHEL release.

Dan, Would it be possible to copy me on the upstream bug?

done

Created attachment 514990
test program modified for rhel6 (glib < 2.24)

Created attachment 514991
test program modified for rhel6 (glib < 2.24)

Created libsoup tracking bugs for this issue
Affects: fedora-all [bug 726469]

fixed upstream in master (http://git.gnome.org/browse/libsoup/commit/?id=cbeeb7a0f7f0e8b16f2d382157496f9100218dea) and gnome-3-0 branches (http://git.gnome.org/browse/libsoup/commit/?h=gnome-3-0&id=51eb8798c3965b49f3010db82009d36429f28514), and new tarballs now available on ftp.gnome.org (libsoup-2.35.4 for master/unstable, libsoup-2.34.3 for stable)

This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:1102 https://rhn.redhat.com/errata/RHSA-2011-1102.html

Just noticed that in the libsoup 2.34.3 NEWS file it reads:

Changes in libsoup from 2.34.2 to 2.34.3:

* CVE-2011-2054: Fixed a security hole that caused some SoupServer users to unintentionally allow accessing the entire local filesystem when they thought they were only providing access to a single directory. [#653258]

This is the wrong CVE name. Can you fix this? I don't know if that CVE name has been assigned to anything else, but I did notice that Gentoo picked it up, so we don't want others to use the wrong CVE name for this issue. Thanks.

fixed in git and I sent a correction to ftp-release-list. do you think I should put out new tarballs with just a fixed NEWS file?

If it doesn't take a lot of effort. SUSE's bugzilla just mentioned the wrong CVE as well, so it might be a good thing to do.