Red Hat Bugzilla – Bug 488026
CVE-2009-0585 libsoup: integer overflow in soup_base64_encode()
Last modified: 2016-03-04 05:43:34 EST
Older versions of libsoup are prone to an integer overflow in the memory requirement computation in soup_base64_encode() in libsoup/soup-misc.c:
    char *
    soup_base64_encode (const char *text, int len)
        unsigned char *out;
        int state = 0, outlen, save = 0;
        /* len * 4 is evaluated in int and can overflow for large len */
        out = g_malloc (len * 4 / 3 + 5);
If a large enough untrusted input is passed to the function, an insufficient amount of memory is allocated, followed by a heap-based buffer overflow with the Base64-encoded data.
Note: This issue does not affect current upstream versions of libsoup. Newer versions in the 2.2.x branch implement base64 encoding / decoding functions as thin wrappers around functions provided by glib; the 2.4.x branch does not provide base64 encoding / decoding functions any more.
Note: This issue was found during the investigation of glib2's CVE-2008-4316.
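The size computation quoted in the report, as an added example that is not libsoup's code and not part of the original bug report: it models `len * 4 / 3 + 5` with 32-bit wraparound and sets it beside a checked variant. The function names, the sample lengths and the assumed output format (padded Base64 plus a NUL terminator) are illustrative assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models `len * 4 / 3 + 5` as evaluated in a 32-bit int. The multiply is
 * done in uint32_t so the wraparound is well defined in this demo; in the
 * original expression signed overflow is undefined behaviour. The cast back
 * to int32_t assumes a two's-complement target. */
int32_t naive_alloc_size(int32_t len)
{
    uint32_t wrapped = (uint32_t)len * 4u;
    return (int32_t)wrapped / 3 + 5;
}

/* Bytes a padded Base64 encoding of len input bytes occupies, plus a NUL
 * terminator (assumed output format, line breaks not counted). */
uint64_t base64_output_bytes(uint64_t len)
{
    return 4 * ((len + 2) / 3) + 1;
}

/* Same formula, computed in size_t with the bound checked before the
 * multiply. Returns 1 and stores the size, or 0 if len is negative or
 * the result would not fit. */
int checked_alloc_size(int len, size_t *size)
{
    if (len < 0)
        return 0;
    size_t n = (size_t)len;
    if (n > (SIZE_MAX - 5) / 4)
        return 0;
    *size = n * 4 / 3 + 5;
    return 1;
}

int main(void)
{
    /* Constructed sample lengths: small, wraps negative, wraps to tiny. */
    const int32_t samples[] = { 300, 0x20000000, 0x40000001 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t ok_size = 0;
        int ok = checked_alloc_size(samples[i], &ok_size);
        printf("len=%ld naive=%ld needed=%llu checked=%s\n",
               (long)samples[i], (long)naive_alloc_size(samples[i]),
               (unsigned long long)base64_output_bytes((uint64_t)samples[i]),
               ok ? "ok" : "rejected");
    }
    return 0;
}
```

A negative result from the naive formula becomes a very large request once converted to an unsigned allocation size, while a small positive result yields a buffer far shorter than the encoded output.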
Created attachment 333717
Note: The issue also exists in the libsoup version shipped in Red Hat Enterprise Linux 3. However, there is no application using the affected function there outside of libsoup itself. Inside libsoup, soup_base64_encode() is only used on trusted inputs. Due to that, we currently do not plan to address this flaw on Red Hat Enterprise Linux 3.
Upstream SVN commit that changed base64 functions to glib wrappers:
Fix for glib is now committed in glib's upstream SVN:
Lifting embargo on this too.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2009:0344 https://rhn.redhat.com/errata/RHSA-2009-0344.html
This issue was addressed in:
Red Hat Enterprise Linux: