Bug 720509 - (CVE-2011-2524) CVE-2011-2524 libsoup: SoupServer directory traversal flaw
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 723104 723105 726469
Blocks: 720514
Reported: 2011-07-11 17:36 EDT by Vincent Danen
Modified: 2015-11-24 09:39 EST (History)

Doc Type: Bug Fix
Last Closed: 2012-07-10 15:53:57 EDT

Attachments
proposed upstream patch (2.43 KB, patch)
2011-07-11 17:46 EDT, Vincent Danen
test program (1.17 KB, text/plain)
2011-07-12 15:05 EDT, Dan Winship
test program modified for rhel6 (glib < 2.24) (1.23 KB, text/plain)
2011-07-25 04:56 EDT, Huzaifa S. Sidhpurwala
test program modified for rhel6 (glib < 2.24) (1.24 KB, text/plain)
2011-07-25 04:57 EDT, Huzaifa S. Sidhpurwala
Description Vincent Danen 2011-07-11 17:36:47 EDT
It was reported [1] that SoupServer from libsoup did not properly parse '..' in URLs passed to it.  This could allow for some services that use SoupServer to expose unintended files (such as http://localhost/..%2f..%2f..%2fetc/passwd) when it is used to export part of the local filesystem.

This can affect certain applications such as rygel (UPnP/DLNA services), meiga (tool to share selected local directories via the web), libgda (library for writing GNOME database programs), and others that use libsoup's SoupServer functionality in this way.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=653258
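An added example, not libsoup code or one of this bug's attachments: the kind of check a SoupServer-based file exporter should run on a request path before mapping it under its export root. Percent-escapes are decoded first, so `..%2f..%2f` (and `%2e%2e`) is seen as the `../../` it stands for, and any `..` that would climb above the root is refused. Function names and the 4096-byte buffer are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a URI path into out; rejects malformed escapes,
 * embedded NULs and anything that will not fit. 1 = ok, 0 = reject. */
static int percent_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {              /* %XX: both hex digits must be present */
            if (!isxdigit((unsigned char)in[i + 1]) || !isxdigit((unsigned char)in[i + 2]))
                return 0;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            i += 2;
        }
        if (c == '\0' || o + 1 >= outlen)
            return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Decide whether a request path stays below the export root once decoded.
 * Decoding first means "%2f" and "%2e" are seen as the '/' and '.' they
 * stand for; then each ".." pops one level and is refused at depth 0.
 * Returns 1 if the path is safe to map under the root, 0 otherwise. */
int path_stays_in_root(const char *raw_path)
{
    char decoded[4096], *save = NULL;
    int depth = 0;
    if (!percent_decode(raw_path, decoded, sizeof decoded))
        return 0;
    for (char *seg = strtok_r(decoded, "/", &save); seg != NULL;
         seg = strtok_r(NULL, "/", &save)) {
        if (strcmp(seg, ".") == 0)
            continue;                /* "." adds nothing */
        if (strcmp(seg, "..") == 0) {
            if (--depth < 0)         /* climbing above the export root */
                return 0;
        } else {
            depth++;
        }
    }
    return 1;
}
```

The traversal URL from the description, `/..%2f..%2f..%2fetc/passwd`, is rejected because its first decoded segment is `..` at depth 0.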
Comment 1 Vincent Danen 2011-07-11 17:40:05 EDT
The faulty code was introduced in libsoup 2.4, so versions prior to that are not vulnerable to this flaw; Red Hat Enterprise Linux 4 and 5 are unaffected.

I've assigned the name CVE-2011-2524 to this issue.
Comment 2 Vincent Danen 2011-07-11 17:46:10 EDT
Created attachment 512294 [details]
proposed upstream patch
Comment 4 Dan Winship 2011-07-12 15:05:59 EDT
Created attachment 512504 [details]
test program

Test program; compile with

gcc -o test test.c `pkg-config --cflags --libs libsoup-2.4`

Run it and check the exit status (0 = good, 1 = bad).

In theory, if you compiled this under Fedora 9, you could run the same binary on any newer Fedora/RHEL release.
Comment 5 Huzaifa S. Sidhpurwala 2011-07-15 00:43:06 EDT
Would it be possible to copy me on the upstream bug?
Comment 6 Dan Winship 2011-07-15 09:39:41 EDT
Comment 8 Huzaifa S. Sidhpurwala 2011-07-25 04:56:35 EDT
Created attachment 514990 [details]
test program modified for rhel6 (glib < 2.24)
Comment 9 Huzaifa S. Sidhpurwala 2011-07-25 04:57:50 EDT
Created attachment 514991 [details]
test program modified for rhel6 (glib < 2.24)
Comment 12 Vincent Danen 2011-07-28 14:01:26 EDT
Created libsoup tracking bugs for this issue

Affects: fedora-all [bug 726469]
Comment 13 Dan Winship 2011-07-28 14:05:54 EDT
Fixed upstream in master (http://git.gnome.org/browse/libsoup/commit/?id=cbeeb7a0f7f0e8b16f2d382157496f9100218dea) and gnome-3-0 branches (http://git.gnome.org/browse/libsoup/commit/?h=gnome-3-0&id=51eb8798c3965b49f3010db82009d36429f28514), and new tarballs are now available on ftp.gnome.org (libsoup-2.35.4 for master/unstable, libsoup-2.34.3 for stable).
Comment 14 errata-xmlrpc 2011-07-28 14:12:39 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1102 https://rhn.redhat.com/errata/RHSA-2011-1102.html
Comment 15 Vincent Danen 2011-07-28 17:07:07 EDT
Just noticed that in the libsoup 2.34.3 NEWS file it reads:

Changes in libsoup from 2.34.2 to 2.34.3:

	* CVE-2011-2054: Fixed a security hole that caused some
	  SoupServer users to unintentionally allow accessing the
	  entire local filesystem when they thought they were only
	  providing access to a single directory. [#653258]

This is the wrong CVE name.  Can you fix this?  I don't know if that CVE name has been assigned to anything else, but I did notice that Gentoo picked it up, so we don't want others to use the wrong CVE name for this issue.

Comment 16 Dan Winship 2011-07-28 17:16:43 EDT
Fixed in git, and I sent a correction to ftp-release-list@gnome.org.

Do you think I should put out new tarballs with just a fixed NEWS file?
Comment 17 Vincent Danen 2011-07-29 12:32:52 EDT
If it doesn't take a lot of effort.  SUSE's bugzilla just mentioned the wrong CVE as well, so it might be a good thing to do.
