Red Hat Bugzilla – Bug 1597980
CVE-2018-12910 libsoup: Crash in soup_cookie_jar.c:get_cookies() on empty hostnames
Last modified: 2018-10-30 03:42:59 EDT
libsoup through version 2.63.2 is vulnerable to a crash in soup_cookie_jar.c:get_cookies() when handling empty hostnames.

Upstream Patch: https://gitlab.gnome.org/GNOME/libsoup/commit/db2b0d5809d5f8226d47312b40992cadbcde439f
Created libsoup tracking bugs for this issue:
Affects: fedora-all [bug 1597982]

Created mingw-libsoup tracking bugs for this issue:
Affects: fedora-all [bug 1597981]
Reference: https://usn.ubuntu.com/3701-1/
Reproduced on f27 with libsoup-2.60.3-1.fc27.x86_64:

sh-4.4# gcc -fsanitize=address -g cookies-test.c test-utils.c -I/usr/include/libsoup-2.4/ -I/usr/include/glib-2.0/ -I/usr/lib64/glib-2.0/include/ -lsoup-2.4 -lgio-2.0 -lgobject-2.0 -lglib-2.0 -o CVE-2018-12910
sh-4.4# gdb -q CVE-2018-12910
Reading symbols from CVE-2018-12910...done.
(gdb) r
Starting program: /builddir/CVE-2018-12910
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.26-28.fc27.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffe6fe8700 (LWP 114)]
/cookies/accept-policy: [New Thread 0x7fffe67e7700 (LWP 115)]
OK
/cookies/accept-policy-subdomains: ** ERROR:cookies-test.c:122:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 1): (0 == 1)
** ERROR:cookies-test.c:128:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 2): (0 == 2)
** ERROR:cookies-test.c:136:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 2): (0 == 2)
** ERROR:cookies-test.c:144:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 3): (1 == 3)
FAIL
/cookies/parsing: OK
/cookies/parsing/no-path-null-origin: ** ERROR:cookies-test.c:227:do_cookies_parsing_nopath_nullorigin: assertion failed ("/" == soup_cookie_get_path (cookie)): ("/" == NULL)
FAIL
/cookies/get-cookies/empty-host: =================================================================
==110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200005d472 at pc 0x7ffff6e7b00e bp 0x7fffffffe110 sp 0x7fffffffd8b8
READ of size 1 at 0x60200005d472 thread T0
    #0 0x7ffff6e7b00d (/lib64/libasan.so.4+0x5b00d)
    #1 0x7ffff69e514e (/lib64/libsoup-2.4.so.1+0x15714e)
    #2 0x7ffff69e5345 in soup_cookie_jar_get_cookies (/lib64/libsoup-2.4.so.1+0x157345)
    #3 0x404a9f in do_get_cookies_empty_host_test /builddir/cookies-test.c:241
    #4 0x7ffff5ffe2e9 (/lib64/libglib-2.0.so.0+0x712e9)
    #5 0x7ffff5ffe21a (/lib64/libglib-2.0.so.0+0x7121a)
    #6 0x7ffff5ffe21a (/lib64/libglib-2.0.so.0+0x7121a)
    #7 0x7ffff5ffe4c1 in g_test_run_suite (/lib64/libglib-2.0.so.0+0x714c1)
    #8 0x7ffff5ffe4e0 in g_test_run (/lib64/libglib-2.0.so.0+0x714e0)
    #9 0x404c6d in main /builddir/cookies-test.c:272
    #10 0x7ffff5bf7f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #11 0x403c09 in _start (/builddir/CVE-2018-12910+0x403c09)

0x60200005d472 is located 0 bytes to the right of 2-byte region [0x60200005d470,0x60200005d472)
allocated by thread T0 here:
    #0 0x7ffff6efe850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7ffff5cdcec7 in __GI___vasprintf_chk (/lib64/libc.so.6+0x105ec7)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.4+0x5b00d)
Shadow bytes around the buggy address:
  0x0c0480003a30: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0480003a40: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0480003a50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c0480003a60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480003a70: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
=>0x0c0480003a80: fa fa 05 fa fa fa 01 fa fa fa 00 07 fa fa[02]fa
  0x0c0480003a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480003ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==110==ABORTING
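To make the report above concrete, here is an added example (not libsoup's code and not the reporter's cookies-test.c): a reconstruction of the domain walk that get_cookies() performs, with the lookup buffer built as ".%s" from the host (the 2-byte vasprintf region in the ASan output) and the walk reading one byte past it when the host is empty, next to a hardened entry point that bails out on NULL or empty hostnames in the manner of the upstream patch. The loop shape, the function names and the exact form of the fix are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Reconstruction of the domain walk (assumed shape, not libsoup's code):
 * the host is formatted as ".%s" and the walk visits ".www.foo.com",
 * "www.foo.com", ".foo.com" and ".com" in turn. Each visited key is
 * duplicated into out[] (stand-in for the cookie-jar hash lookup);
 * the return value is the number of keys visited. */
static int collect_keys_unguarded(const char *host, char **out, int max)
{
    size_t len = strlen(host) + 2;              /* '.' + host + NUL */
    char *domain = malloc(len);
    if (!domain)
        return 0;
    snprintf(domain, len, ".%s", host);

    int n = 0;
    char *cur = domain;
    char *next_domain = domain + 1;
    do {
        if (n < max)
            out[n++] = strdup(cur);
        cur = next_domain;
        /* With host == "" the buffer is the 2-byte "." and cur already
         * points at its NUL, so cur + 1 is one past the allocation: this
         * strchr() is the 1-byte out-of-bounds READ in the report above. */
        if (cur)
            next_domain = strchr(cur + 1, '.');
    } while (cur);
    free(domain);
    return n;
}

/* Hardened entry point: refuse NULL and empty hostnames before the walk,
 * which is the shape of the upstream fix for this CVE. */
static int collect_keys(const char *host, char **out, int max)
{
    if (!host || !host[0])
        return 0;
    return collect_keys_unguarded(host, out, max);
}

/* Release the keys filled in by collect_keys(). */
static void free_keys(char **keys, int n)
{
    for (int i = 0; i < n; i++)
        free(keys[i]);
}
```

Built with -fsanitize=address, calling collect_keys_unguarded() with "" reproduces the same class of report as the session above, while collect_keys() returns 0 without touching the buffer.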
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3140 https://access.redhat.com/errata/RHSA-2018:3140