223143 – CVE-2006-5876 libsoup Server code crashes upon receiving malformed GET HTTP header

Bug 223143 - CVE-2006-5876 libsoup Server code crashes upon receiving malformed GET HTTP header

Summary: CVE-2006-5876 libsoup Server code crashes upon receiving malformed GET HTTP h...

Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	libsoup (Show other bugs)
Sub Component:	(Show other bugs)
Version:	5.0
Hardware:	All Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Matthew Barnes
QA Contact:	David Lawrence
Docs Contact:
URL:	http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard:	impact=moderate,source=debian,reporte...
Keywords:	Security
Depends On:
Blocks:	CVE-2006-5876
TreeView+	depends on / blocked

Reported:	2007-01-17 23:17 UTC by Lubomir Kundrak
Modified:	2007-11-30 22:07 UTC (History)
CC List:	1 user (show)
Fixed In Version:	RC
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2007-02-08 02:18:24 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
GNOME Bugzilla	391970	None	None	None	Never

Description Lubomir Kundrak 2007-01-17 23:17:33 UTC

Description of problem:

Programs using libsoup Server code attempts to dereference NULL
pointer upon receival of a header that looks like this:

"GET something\000something\r\n"

Affected code is used just by Rhythmbox's daap plugin in FC{5,6} and RHEL5
Also you can use seahorse from Extras to reproduce the issue

See the debian bugreport for details.

Steps to Reproduce:
1. Run rhythmbox and enable the daap server
2. echo -e "GET abcd\000efgh" |telnet localhost daap
3. Correct the line above, for I haven't tried it :)
  
Additional info:

Upstream completly rewrote the affected functions. Dunno if debian did
their own patches, but they issued a DSA for that.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405197
http://bugzilla.gnome.org/show_bug.cgi?id=391970

Comment 1 Matthew Barnes 2007-01-18 15:51:09 UTC

This was fixed in libsoup-2.2.99.  I'll backport the upstream changes.

Comment 2 RHEL Product and Program Management 2007-01-18 16:00:49 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 3 Matthew Barnes 2007-01-18 17:45:48 UTC

Upstream changes applied to libsoup-2.2.98-2.el5.

Comment 4 RHEL Product and Program Management 2007-02-08 02:18:25 UTC

A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.

Note You need to log in before you can comment on or make changes to this bug.

TreeView+

- Top of page