Older versions of libsoup are prone to an integer overflow in the memory requirement computation in soup_base64_encode() in libsoup/soup-misc.c:

    char *
    soup_base64_encode (const char *text, int len)
    {
            unsigned char *out;
            int state = 0, outlen, save = 0;

            out = g_malloc (len * 4 / 3 + 5);

If a large enough untrusted input is passed to the function, an insufficient amount of memory is allocated, followed by a heap-based buffer overflow with the Base64 encoded data.

Note: This issue does not affect current upstream versions of libsoup. Newer versions in the 2.2.x branch implement base64 encoding / decoding functions as thin wrappers around functions provided by glib; the 2.4.x branch does not provide base64 encoding / decoding functions any more.
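Added example (not part of the original report and not libsoup's or glib's code): the size expression quoted above, modelled as 32-bit arithmetic, next to an overflow-checked computation of the same bound. The function names are hypothetical, and the encoded length assumes standard padded Base64 output plus a terminating NUL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models `len * 4 / 3 + 5` from the report as 32-bit int arithmetic.
 * Signed overflow is undefined in C, so the multiply is done unsigned to
 * show the usual two's-complement wraparound without invoking UB here.
 * (The cast back to int32_t is implementation-defined; gcc/clang wrap.) */
int32_t wrapped_alloc_size(int32_t len)
{
    uint32_t product = (uint32_t)len * 4u;   /* wraps modulo 2^32 */
    return (int32_t)product / 3 + 5;
}

/* Bytes a padded Base64 encoder emits for len input bytes, plus NUL
 * (assumption: no line breaks are inserted). */
uint64_t encoded_bytes(int32_t len)
{
    return ((uint64_t)len + 2) / 3 * 4 + 1;
}

/* Same bound, floor(len * 4 / 3) + 5, computed without overflow.
 * Returns 0 and stores the size in *out, or -1 if it cannot fit. */
int checked_alloc_size(size_t len, size_t *out)
{
    size_t q = len / 3, r = len % 3;

    if (q > (SIZE_MAX - 7) / 4)      /* 4*q + 2 + 5 must fit in size_t */
        return -1;
    *out = 4 * q + (4 * r) / 3 + 5;  /* equals floor(len*4/3) + 5 exactly */
    return 0;
}

int main(void)
{
    int32_t len = 0x40000000;        /* constructed sample length (1 GiB) */
    size_t safe = 0;

    printf("wrapped size: %d, bytes written: %llu\n",
           (int)wrapped_alloc_size(len),
           (unsigned long long)encoded_bytes(len));
    if (checked_alloc_size((size_t)len, &safe) == 0)
        printf("checked size: %zu\n", safe);
    return 0;
}
```

A caller would treat a -1 return as a hard failure and refuse to encode, rather than falling back to the unchecked expression.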
Note: This issue was found during the investigation of glib2's CVE-2008-4316.
Created attachment 333717: Possible patch
Note: The issue also exists in the libsoup version shipped in Red Hat Enterprise Linux 3. However, there is no application using the affected function there outside of libsoup itself. Inside libsoup, soup_base64_encode() is only used on trusted inputs. Due to that, we currently do not plan to address this flaw on Red Hat Enterprise Linux 3.
Upstream SVN commit that changed base64 functions to glib wrappers: http://svn.gnome.org/viewvc/libsoup?view=revision&revision=921
The fix for glib is now committed in glib's upstream SVN: https://bugzilla.redhat.com/show_bug.cgi?id=474770#c17 Lifting embargo on this too.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:0344 https://rhn.redhat.com/errata/RHSA-2009-0344.html
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2009-0344.html