Bug 1479281 - (CVE-2017-2885) CVE-2017-2885 libsoup: Stack based buffer overflow with HTTP Chunked Encoding
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20170810,repo...
Keywords: Security
Depends On: 1479321 1479322 1480239 1480240 1480241
Blocks: 1479282
Reported: 2017-08-08 04:56 EDT by Andrej Nemec
Modified: 2017-08-16 04:34 EDT (History)
See Also:
Fixed In Version: libsoup 2.59.90.1, libsoup 2.58.2, libsoup 2.56.1
Doc Type: If docs needed, set a value
Doc Text:
A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-16 04:34:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID | Priority | Status | Summary | Last Updated
GNOME Bugzilla 785774 | None | None | None | 2017-08-08 09:39 EDT
Red Hat Product Errata RHSA-2017:2459 | normal | SHIPPED_LIVE | Important: libsoup security update | 2017-08-10 15:39:01 EDT
Description Andrej Nemec 2017-08-08 04:56:54 EDT
A stack-based buffer overflow vulnerability has been reported in GNOME libsoup 2.58. The flaw is caused by a boundary error within the "soup_filter_input_stream_read_until()" function when parsing chunk-encoded HTTP traffic and affects both the server and client functionality of libsoup.

A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality.

Please note that the libsoup packages as shipped with Red Hat Enterprise Linux 7 contain a "stack smashing protection" mitigation for the relevant function, which makes exploitation significantly harder. Thus, in most cases an exploitation attempt should be mitigated to a mere crash. However, successful exploitation to execute arbitrary code can't be ruled out entirely.
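The boundary error described above sits in libsoup's "soup_filter_input_stream_read_until()" while it handles chunk-encoded traffic. The following is an added illustration, written for this page and not libsoup's code or its fix, of the defensive pattern such a read-until routine needs: every copy into the fixed-size line buffer is bounds-checked, a chunk-size line that does not terminate within that buffer is rejected instead of being written past it, and the parsed chunk size is validated against both the remaining input and the output capacity. All names, the buffer capacity and the sample bodies are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Capacity of the fixed line buffer the decoder keeps on the stack (constructed
   value). A chunk-size line that does not end within this many bytes is
   rejected rather than spilling past the buffer. */
#define CHUNK_LINE_CAP 32

/* Copy bytes from in[0..in_len) into out until "\r\n" has been copied.
   Returns the number of bytes copied (delimiter included), 0 if the delimiter
   is not present in the available input, or -1 if the line would not fit in
   out_cap. out is never written beyond out_cap bytes. */
long bounded_read_until(const unsigned char *in, size_t in_len,
                        unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    while (n < in_len) {
        if (n >= out_cap)              /* bounds check before every write */
            return -1;
        out[n] = in[n];
        n++;
        if (n >= 2 && out[n - 2] == '\r' && out[n - 1] == '\n')
            return (long)n;
    }
    return 0;                          /* need more input; nothing overflowed */
}

/* Parse the hexadecimal chunk size at the start of a chunk-size line such as
   "1a;ext=val\r\n". Returns 0 and stores the size, or -1 on a malformed line
   or a size that would wrap size_t. */
int parse_chunk_size(const unsigned char *line, size_t len, size_t *size_out)
{
    size_t size = 0, i = 0;
    if (len == 0 || !isxdigit(line[0]))
        return -1;
    for (; i < len && isxdigit(line[i]); i++) {
        unsigned digit = isdigit(line[i]) ? (unsigned)(line[i] - '0')
                                          : (unsigned)(tolower(line[i]) - 'a') + 10;
        if (size > (SIZE_MAX - digit) / 16)   /* size * 16 + digit would wrap */
            return -1;
        size = size * 16 + digit;
    }
    /* only a chunk extension or the line terminator may follow the digits */
    if (i < len && line[i] != ';' && line[i] != '\r')
        return -1;
    *size_out = size;
    return 0;
}

/* Decode a complete chunked body from in into out (capacity out_cap).
   Returns the number of decoded bytes, or -1 on malformed input, an over-long
   chunk-size line, or a body that would not fit in out_cap. */
long decode_chunked(const unsigned char *in, size_t in_len,
                    unsigned char *out, size_t out_cap)
{
    unsigned char line[CHUNK_LINE_CAP];   /* fixed-size stack buffer */
    size_t pos = 0, written = 0, chunk;

    for (;;) {
        long got = bounded_read_until(in + pos, in_len - pos, line, sizeof line);
        if (got <= 0)
            return -1;                 /* truncated or over-long chunk-size line */
        pos += (size_t)got;
        if (parse_chunk_size(line, (size_t)got, &chunk) != 0)
            return -1;
        if (chunk == 0)
            return (long)written;      /* last-chunk; trailers are not decoded here */
        /* the chunk data plus its trailing CRLF must be present and must fit */
        if (chunk > in_len - pos || in_len - pos - chunk < 2)
            return -1;
        if (chunk > out_cap - written)
            return -1;
        memcpy(out + written, in + pos, chunk);
        written += chunk;
        pos += chunk;
        if (in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;
        pos += 2;
    }
}

/* Constructed sample bodies (not taken from the bug report). */
const unsigned char good_body[] = "5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\n\r\n";
/* Chunk-size line longer than CHUNK_LINE_CAP: must be rejected, not overflow. */
const unsigned char long_line[] = "0000000000000000000000000000000000000005\r\nhello\r\n0\r\n\r\n";

/* Returns the decoded length (11) when the well-formed body decodes correctly. */
long demo_decode_good(void)
{
    unsigned char out[64];
    long n = decode_chunked(good_body, sizeof good_body - 1, out, sizeof out);
    return (n == 11 && memcmp(out, "hello world", 11) == 0) ? n : -2;
}

/* Returns -1: the over-long chunk-size line is refused by bounded_read_until. */
long demo_reject_long_line(void)
{
    unsigned char out[64];
    return decode_chunked(long_line, sizeof long_line - 1, out, sizeof out);
}

/* Returns -1: the body is larger than the 4-byte output buffer. */
long demo_reject_small_output(void)
{
    unsigned char small[4];
    return decode_chunked(good_body, sizeof good_body - 1, small, sizeof small);
}

int main(void)
{
    printf("good body: %ld bytes\n", demo_decode_good());
    printf("over-long size line: %ld\n", demo_reject_long_line());
    printf("output too small: %ld\n", demo_reject_small_output());
    return 0;
}
```

The point of the example is the order of checks: the capacity test runs before each byte lands in the stack buffer, so a peer that sends an arbitrarily long chunk-size line gets a parse error rather than control of the stack frame. Stack smashing protection, as mentioned for the RHEL 7 packages, only turns a successful overwrite into an abort after the fact; the bounds check prevents the write in the first place.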
Comment 1 Andrej Nemec 2017-08-08 04:56:58 EDT
Acknowledgments:

Name: Aleksandar Nikolic (Cisco Talos)
Comment 6 Stefan Cornelius 2017-08-10 09:02:57 EDT
Statement:

This issue affects the libsoup packages as shipped with Red Hat Enterprise Linux 7. However, these packages have been compiled with additional security mitigation techniques ("stack smashing protection"), which makes exploitation significantly harder. Thus, in most cases an exploitation attempt should be mitigated to a mere crash. However, successful exploitation to execute arbitrary code can't be ruled out entirely.
Comment 7 Stefan Cornelius 2017-08-10 09:12:33 EDT
Public via: https://bugzilla.gnome.org/show_bug.cgi?id=785774
Comment 8 Stefan Cornelius 2017-08-10 09:16:30 EDT
Created libsoup tracking bugs for this issue:

Affects: fedora-all [bug 1480241]


Created mingw-libsoup tracking bugs for this issue:

Affects: epel-7 [bug 1480239]
Affects: fedora-all [bug 1480240]
Comment 9 errata-xmlrpc 2017-08-10 11:40:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2459 https://access.redhat.com/errata/RHSA-2017:2459
Comment 11 Adam Mariš 2017-08-11 10:28:59 EDT
External References:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0392
