Bug 720509 (CVE-2011-2524) - CVE-2011-2524 libsoup: SoupServer directory traversal flaw
Summary: CVE-2011-2524 libsoup: SoupServer directory traversal flaw
Alias: CVE-2011-2524
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 723104 723105 726469
Blocks: 720514
Reported: 2011-07-11 21:36 UTC by Vincent Danen
Modified: 2019-09-29 12:45 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-07-10 19:53:57 UTC

Attachments
proposed upstream patch (2.43 KB, patch) - 2011-07-11 21:46 UTC, Vincent Danen
test program (1.17 KB, text/plain) - 2011-07-12 19:05 UTC, Dan Winship
test program modified for rhel6 (glib < 2.24) (1.23 KB, text/plain) - 2011-07-25 08:56 UTC, Huzaifa S. Sidhpurwala
test program modified for rhel6 (glib < 2.24) (1.24 KB, text/plain) - 2011-07-25 08:57 UTC, Huzaifa S. Sidhpurwala

Errata
System: Red Hat Product Errata
ID: RHSA-2011:1102
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: libsoup security update
Last Updated: 2011-07-28 18:12:33 UTC

Description Vincent Danen 2011-07-11 21:36:47 UTC
It was reported [1] that SoupServer from libsoup did not properly parse '..' in URLs passed to it.  This could allow for some services that use SoupServer to expose unintended files (such as http://localhost/..%2f..%2f..%2fetc/passwd) when it is used to export part of the local filesystem.

This can affect certain applications such as rygel (UPnP/DLNA services), meiga (tool to share selected local directories via the web), libgda (library for writing GNOME database programs), and others that use libsoup's SoupServer functionality in this way.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=653258
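
The root cause described above, as an added example that is not libsoup's code: a handler that looks for '..' before percent-decoding (the vulnerable pattern) beside one that decodes first and resolves dot segments against the export root. EXPORT_ROOT and both function names are assumptions.

```python
"""Added example (not libsoup code): the class of mistake behind CVE-2011-2524,
checking for '..' before percent-decoding, beside a version that checks after.
EXPORT_ROOT and the function names are hypothetical."""
from typing import List, Optional
from urllib.parse import unquote
import posixpath

EXPORT_ROOT = "/srv/export"  # hypothetical directory an application exports


def naive_local_path(root: str, raw_path: str) -> Optional[str]:
    """Vulnerable pattern: reject a literal '..' segment, then decode.
    A '%2f' in the request only turns into '/' after the check has run."""
    if ".." in raw_path.split("/"):
        return None
    # Normalizing here mimics what the OS does when the file is opened.
    return posixpath.normpath(root + unquote(raw_path))


def hardened_local_path(root: str, raw_path: str) -> Optional[str]:
    """Decode first, then resolve dot segments with a stack; any '..' that
    would climb above the export root rejects the whole request."""
    decoded = unquote(raw_path)
    if "\0" in decoded:          # a NUL would truncate the path in C code
        return None
    stack: List[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                return None      # would leave the export root
            stack.pop()
            continue
        stack.append(segment)
    return posixpath.join(root, *stack)


if __name__ == "__main__":
    # Constructed request path taken from the report above.
    req = "/..%2f..%2f..%2fetc/passwd"
    print("naive   :", naive_local_path(EXPORT_ROOT, req))      # /etc/passwd
    print("hardened:", hardened_local_path(EXPORT_ROOT, req))   # None
```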

Comment 1 Vincent Danen 2011-07-11 21:40:05 UTC
The faulty code was introduced in libsoup 2.4, so versions prior to that are not vulnerable to this flaw; Red Hat Enterprise Linux 4 and 5 are unaffected.

I've assigned the name CVE-2011-2524 to this issue.

Comment 2 Vincent Danen 2011-07-11 21:46:10 UTC
Created attachment 512294 [details]
proposed upstream patch

Comment 4 Dan Winship 2011-07-12 19:05:59 UTC
Created attachment 512504 [details]
test program

test program, compile with

gcc -o test test.c `pkg-config --cflags --libs libsoup-2.4`

run, check exit status (0 = good, 1 = bad)

in theory, if you compiled this under Fedora 9, you could run the same binary on any newer Fedora/RHEL release.

Comment 5 Huzaifa S. Sidhpurwala 2011-07-15 04:43:06 UTC
Would it be possible to copy me on the upstream bug?

Comment 6 Dan Winship 2011-07-15 13:39:41 UTC

Comment 8 Huzaifa S. Sidhpurwala 2011-07-25 08:56:35 UTC
Created attachment 514990 [details]
test program modified for rhel6 (glib < 2.24)

Comment 9 Huzaifa S. Sidhpurwala 2011-07-25 08:57:50 UTC
Created attachment 514991 [details]
test program modified for rhel6 (glib < 2.24)

Comment 12 Vincent Danen 2011-07-28 18:01:26 UTC
Created libsoup tracking bugs for this issue

Affects: fedora-all [bug 726469]

Comment 13 Dan Winship 2011-07-28 18:05:54 UTC
fixed upstream in master (http://git.gnome.org/browse/libsoup/commit/?id=cbeeb7a0f7f0e8b16f2d382157496f9100218dea) and gnome-3-0 branches (http://git.gnome.org/browse/libsoup/commit/?h=gnome-3-0&id=51eb8798c3965b49f3010db82009d36429f28514), and new tarballs now available on ftp.gnome.org (libsoup-2.35.4 for master/unstable, libsoup-2.34.3 for stable)

Comment 14 errata-xmlrpc 2011-07-28 18:12:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1102 https://rhn.redhat.com/errata/RHSA-2011-1102.html

Comment 15 Vincent Danen 2011-07-28 21:07:07 UTC
Just noticed that in the libsoup 2.34.3 NEWS file it reads:

Changes in libsoup from 2.34.2 to 2.34.3:

	* CVE-2011-2054: Fixed a security hole that caused some
	  SoupServer users to unintentionally allow accessing the
	  entire local filesystem when they thought they were only
	  providing access to a single directory. [#653258]

This is the wrong CVE name.  Can you fix this?  I don't know if that CVE name has been assigned to anything else, but I did notice that Gentoo picked it up, so we don't want others to use the wrong CVE name for this issue.

Comment 16 Dan Winship 2011-07-28 21:16:43 UTC
fixed in git and I sent a correction to ftp-release-list.

do you think I should put out new tarballs with just a fixed NEWS file?

Comment 17 Vincent Danen 2011-07-29 16:32:52 UTC
If it doesn't take a lot of effort.  SUSE's bugzilla just mentioned the wrong CVE as well, so it might be a good thing to do.
