Bug 1597980 (CVE-2018-12910) - CVE-2018-12910 libsoup: Crash in soup_cookie_jar.c:get_cookies() on empty hostnames
Summary: CVE-2018-12910 libsoup: Crash in soup_cookie_jar.c:get_cookies() on empty hos...
Alias: CVE-2018-12910
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1597981 1597982 1597983 1598838
Blocks: 1597989
Reported: 2018-07-04 05:28 UTC by Sam Fowler
Modified: 2019-09-29 14:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read has been discovered in libsoup when getting cookies from a URI with empty hostname. An attacker may use this flaw to cause a crash in the application.
Clone Of:
Last Closed: 2019-06-10 10:31:50 UTC


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3140 0 None None None 2018-10-30 07:42:58 UTC

Description Sam Fowler 2018-07-04 05:28:05 UTC
libsoup through version 2.63.2 is vulnerable to a crash in soup_cookie_jar.c:get_cookies() when handling empty hostnames.

Upstream Patch:


Comment 1 Sam Fowler 2018-07-04 05:28:45 UTC
Created libsoup tracking bugs for this issue:

Affects: fedora-all [bug 1597982]

Created mingw-libsoup tracking bugs for this issue:

Affects: fedora-all [bug 1597981]

Comment 3 Sam Fowler 2018-07-04 05:29:12 UTC


Comment 4 Sam Fowler 2018-07-04 05:47:01 UTC
Reproduced on f27 with libsoup-2.60.3-1.fc27.x86_64:

sh-4.4# gcc -fsanitize=address -g cookies-test.c test-utils.c  -I/usr/include/libsoup-2.4/ -I/usr/include/glib-2.0/ -I/usr/lib64/glib-2.0/include/ -lsoup-2.4 -lgio-2.0 -lgobject-2.0 -lglib-2.0 -o CVE-2018-12910
 sh-4.4# gdb -q CVE-2018-12910
Reading symbols from CVE-2018-12910...done.
(gdb) r
Starting program: /builddir/CVE-2018-12910 
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.26-28.fc27.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffe6fe8700 (LWP 114)]
/cookies/accept-policy: [New Thread 0x7fffe67e7700 (LWP 115)]
/cookies/accept-policy-subdomains: **
ERROR:cookies-test.c:122:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 1): (0 == 1)
ERROR:cookies-test.c:128:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 2): (0 == 2)
ERROR:cookies-test.c:136:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 2): (0 == 2)
ERROR:cookies-test.c:144:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 3): (1 == 3)
/cookies/parsing: OK
/cookies/parsing/no-path-null-origin: **
ERROR:cookies-test.c:227:do_cookies_parsing_nopath_nullorigin: assertion failed ("/" == soup_cookie_get_path (cookie)): ("/" == NULL)
/cookies/get-cookies/empty-host: =================================================================
==110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200005d472 at pc 0x7ffff6e7b00e bp 0x7fffffffe110 sp 0x7fffffffd8b8
READ of size 1 at 0x60200005d472 thread T0
    #0 0x7ffff6e7b00d  (/lib64/libasan.so.4+0x5b00d)
    #1 0x7ffff69e514e  (/lib64/libsoup-2.4.so.1+0x15714e)
    #2 0x7ffff69e5345 in soup_cookie_jar_get_cookies (/lib64/libsoup-2.4.so.1+0x157345)
    #3 0x404a9f in do_get_cookies_empty_host_test /builddir/cookies-test.c:241
    #4 0x7ffff5ffe2e9  (/lib64/libglib-2.0.so.0+0x712e9)
    #5 0x7ffff5ffe21a  (/lib64/libglib-2.0.so.0+0x7121a)
    #6 0x7ffff5ffe21a  (/lib64/libglib-2.0.so.0+0x7121a)
    #7 0x7ffff5ffe4c1 in g_test_run_suite (/lib64/libglib-2.0.so.0+0x714c1)
    #8 0x7ffff5ffe4e0 in g_test_run (/lib64/libglib-2.0.so.0+0x714e0)
    #9 0x404c6d in main /builddir/cookies-test.c:272
    #10 0x7ffff5bf7f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #11 0x403c09 in _start (/builddir/CVE-2018-12910+0x403c09)

0x60200005d472 is located 0 bytes to the right of 2-byte region [0x60200005d470,0x60200005d472)
allocated by thread T0 here:
    #0 0x7ffff6efe850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7ffff5cdcec7 in __GI___vasprintf_chk (/lib64/libc.so.6+0x105ec7)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.4+0x5b00d) 
Shadow bytes around the buggy address:
  0x0c0480003a30: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0480003a40: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0480003a50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0480003a60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480003a70: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
=>0x0c0480003a80: fa fa 05 fa fa fa 01 fa fa fa 00 07 fa fa[02]fa
  0x0c0480003a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Comment 6 errata-xmlrpc 2018-10-30 07:42:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3140 https://access.redhat.com/errata/RHSA-2018:3140

Comment 7 Riccardo Schirone 2019-01-11 09:31:18 UTC
An attacker who can pass an empty hostname to soup_cookie_jar.c:get_cookies() would only be able to control `cur`, `domain` and `next_domain` variables.

`domain` is never used apart from the g_free() function, which results in no wrong behavior.
`next_domain` is only used to store the next value of `cur` and, if the hostname is empty, it can be set to the NULL terminator of the `domain` string. After the first iteration, `next_domain` may go out of bounds and read memory that wasn't allocated for the `domain` string.
`cur` just follows the `next_domain` value and it is used to look up existing cookies from a hashtable.

This means that an attacker can at most read some memory outside the bounds of `domain` and make the application crash, but he is not able to control anything else that may produce a higher impact for this flaw. Indeed, other parts of the code just use objects that were already existing.
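
The following is an added example, not libsoup's code and not the upstream patch: a small model of the `.host` suffix walk that Comment 7 describes (`domain`, `cur`, `next_domain`), with an explicit bounds check standing in for the read that AddressSanitizer flagged above, and an assumed entry-point guard that rejects an empty host before the walk starts. Function names are hypothetical; the host strings are constructed inputs.

```c
/* Added example (not libsoup's own code): models the cookie-domain suffix
 * walk from Comment 7. Identifiers are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEYS 16
#define KEY_LEN  64

/* Walk the candidate cookie-domain keys for `host` the way the walk in
 * Comment 7 does: domain = ".host", cur starts at domain, next_domain at
 * domain + 1, and each step advances to the next '.' via strchr(cur + 1).
 * Keys visited are copied into `keys`. Returns the number of keys, or -1
 * if the loop would have called strchr(cur + 1, '.') with cur already on
 * the terminating NUL of `domain`, i.e. the 1-byte read past the 2-byte
 * "." allocation that the sanitizer report above shows. */
int walk_domain_keys(const char *host, char keys[][KEY_LEN], int max_keys)
{
    size_t len = strlen(host) + 1;          /* length of ".host" */
    char *domain = malloc(len + 1);         /* + NUL, like g_strdup_printf */
    if (!domain)
        return -1;
    snprintf(domain, len + 1, ".%s", host);
    const char *end = domain + len;         /* address of the NUL */

    const char *cur = domain;
    const char *next_domain = domain + 1;   /* "" when host is empty */
    int n = 0;

    do {
        if (n < max_keys) {
            strncpy(keys[n], cur, KEY_LEN - 1);
            keys[n][KEY_LEN - 1] = '\0';
        }
        n++;
        cur = next_domain;
        if (cur) {
            /* The unchecked walk does strchr(cur + 1, '.') here. If cur
             * already sits on the NUL, cur + 1 is outside the allocation:
             * report it instead of reading it. */
            if (cur >= end) {
                free(domain);
                return -1;
            }
            next_domain = strchr(cur + 1, '.');
        }
    } while (cur);

    free(domain);
    return n;
}

/* Hardened entry point: an empty (or missing) host never enters the walk,
 * so it never starts from a bare ".". This guard is an assumption for the
 * example, not a transcription of the upstream fix. */
int get_cookie_keys_safe(const char *host, char keys[][KEY_LEN], int max_keys)
{
    if (!host || !host[0])
        return 0;                           /* no cookies for an empty host */
    return walk_domain_keys(host, keys, max_keys);
}

int main(void)
{
    char keys[MAX_KEYS][KEY_LEN];
    const char *hosts[] = { "www.example.com", "localhost", "" };  /* constructed */

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        int n = walk_domain_keys(hosts[i], keys, MAX_KEYS);
        printf("host \"%s\": ", hosts[i]);
        if (n < 0) {
            printf("walk would read past the end of domain\n");
        } else {
            for (int k = 0; k < n && k < MAX_KEYS; k++)
                printf("%s\"%s\"", k ? ", " : "", keys[k]);
            printf("\n");
        }
        printf("  hardened: %d key(s)\n",
               get_cookie_keys_safe(hosts[i], keys, MAX_KEYS));
    }
    return 0;
}
```

For a normal host the walk visits ".www.example.com", "www.example.com", ".example.com" and ".com" and stops when `strchr` returns NULL. For the empty host, `domain` is just "." and `next_domain` already points at its NUL after the first iteration, so the next `strchr(cur + 1, '.')` reads one byte past the allocation, which is exactly the "READ of size 1 ... 0 bytes to the right of 2-byte region" in the report above.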
