It was reported [1] that SoupServer from libsoup did not properly parse '..' in URLs passed to it. This could allow for some services that use SoupServer to expose unintended files (such as http://localhost/..%2f..%2f..%2fetc/passwd) when it is used to export part of the local filesystem. This can affect certain applications such as rygel (UPnP/DLNA services), meiga (tool to share selected local directories via the web), libgda (library for writing GNOME database programs), and others that use libsoup's SoupServer functionality in this way. [1] https://bugzilla.gnome.org/show_bug.cgi?id=653258
The faulty code was introduced in libsoup 2.4, so versions prior to that are not vulnerable to this flaw; Red Hat Enterprise Linux 4 and 5 are unaffected. I've assigned the name CVE-2011-2524 to this issue.
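The example URL above works because "..%2f" does not look like a "../" path component until after percent-decoding, so any ".." check done on the raw request path, or none at all, lets the decoded form reach the filesystem. The following is an added illustration of the check a file-exporting handler needs, written for this page and not taken from libsoup or from the upstream patch: decode first, then resolve dot segments, and refuse anything that would climb above the exported root. Function names (url_path_decode, canonical_path, safe_request_path) and the buffer sizes are the example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the value of a hex digit, or -1 if c is not one. */
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst. Malformed escapes are rejected, as is %00,
 * which would truncate the path once it reaches the C filesystem API.
 * Returns 0 on success, -1 on failure. */
int url_path_decode(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hex_val(src[i + 1]);
            int lo = (hi >= 0) ? hex_val(src[i + 2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            if (c == 0) return -1;
            i += 2;
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Resolve "", "." and ".." segments of an already-decoded absolute path and
 * write the canonical form ("/a/b", or "/" for the root) to out.
 * Returns 0 on success, -1 if the path is not absolute, tries to climb above
 * the root, or does not fit in out. Climbing is rejected rather than clamped
 * so the caller can answer with an error instead of serving the root. */
int canonical_path(const char *decoded, char *out, size_t outlen) {
    const char *p = decoded;
    size_t o = 1;
    if (outlen < 2 || decoded[0] != '/') return -1;
    out[0] = '/';
    p++;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (*p == '/') p++;
        if (len == 0 || (len == 1 && seg[0] == '.')) continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (o == 1) return -1;              /* would escape the root */
            while (out[o - 1] != '/') o--;      /* drop the last segment */
            if (o > 1) o--;                     /* and its separator, unless it is the root slash */
            continue;
        }
        if (o + (o > 1 ? 1 : 0) + len + 1 > outlen) return -1;
        if (o > 1) out[o++] = '/';
        memcpy(out + o, seg, len);
        o += len;
    }
    out[o] = '\0';
    return 0;
}

/* The check a handler should run on the raw request path before joining it
 * onto the exported directory. Returns 1 and fills out with the canonical
 * path when it is safe, 0 otherwise. */
int safe_request_path(const char *raw, char *out, size_t outlen) {
    char decoded[1024];
    if (url_path_decode(raw, decoded, sizeof decoded) != 0) return 0;
    if (canonical_path(decoded, out, outlen) != 0) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample request paths; the first is the one from the report. */
    const char *samples[] = {
        "/..%2f..%2f..%2fetc/passwd",
        "/docs/%2e%2e/%2e%2e/etc/passwd",
        "/docs/a/../b.txt",
        "/docs//./x/",
        "/docs/a%00.txt",
    };
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = safe_request_path(samples[i], out, sizeof out);
        printf("%-36s -> %s\n", samples[i], ok ? out : "REJECT");
    }
    return 0;
}
```

The order matters: canonicalising the raw string and decoding afterwards would pass the first two samples through untouched, which is exactly the shape of the bug described above.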
Created attachment 512294: proposed upstream patch
Created attachment 512504: test program

Test program. Compile with gcc -o test test.c `pkg-config --cflags --libs libsoup-2.4`, run, and check the exit status (0 = good, 1 = bad). In theory, if you compiled this under Fedora 9, you could run the same binary on any newer Fedora/RHEL release.
Dan, Would it be possible to copy me on the upstream bug?
done
Created attachment 514990: test program modified for rhel6 (glib < 2.24)
Created attachment 514991: test program modified for rhel6 (glib < 2.24)
Created libsoup tracking bugs for this issue.

Affects: fedora-all [bug 726469]
Fixed upstream in master (http://git.gnome.org/browse/libsoup/commit/?id=cbeeb7a0f7f0e8b16f2d382157496f9100218dea) and gnome-3-0 branches (http://git.gnome.org/browse/libsoup/commit/?h=gnome-3-0&id=51eb8798c3965b49f3010db82009d36429f28514), and new tarballs are now available on ftp.gnome.org (libsoup-2.35.4 for master/unstable, libsoup-2.34.3 for stable).
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:1102 https://rhn.redhat.com/errata/RHSA-2011-1102.html
Just noticed that in the libsoup 2.34.3 NEWS file it reads:

Changes in libsoup from 2.34.2 to 2.34.3:

* CVE-2011-2054: Fixed a security hole that caused some SoupServer users to unintentionally allow accessing the entire local filesystem when they thought they were only providing access to a single directory. [#653258]

This is the wrong CVE name. Can you fix this? I don't know if that CVE name has been assigned to anything else, but I did notice that Gentoo picked it up, so we don't want others to use the wrong CVE name for this issue. Thanks.
Fixed in git, and I sent a correction to ftp-release-list. Do you think I should put out new tarballs with just a fixed NEWS file?
If it doesn't take a lot of effort. SUSE's bugzilla just mentioned the wrong CVE as well, so it might be a good thing to do.