libsoup through version 2.63.2 is vulnerable to a crash in the soup_cookie_jar.c:get_cookies() when handling empty hostnames. Upstream Patch: https://gitlab.gnome.org/GNOME/libsoup/commit/db2b0d5809d5f8226d47312b40992cadbcde439f
Created libsoup tracking bugs for this issue: Affects: fedora-all [bug 1597982] Created mingw-libsoup tracking bugs for this issue: Affects: fedora-all [bug 1597981]
Reference: https://usn.ubuntu.com/3701-1/
Reproduced on f27 with libsoup-2.60.3-1.fc27.x86_64: sh-4.4# gcc -fsanitize=address -g cookies-test.c test-utils.c -I/usr/include/libsoup-2.4/ -I/usr/include/glib-2.0/ -I/usr/lib64/glib-2.0/include/ -lsoup-2.4 -lgio-2.0 -lgobject-2.0 -lglib-2.0 -o CVE-2018-12910 sh-4.4# gdb -q CVE-2018-12910 Reading symbols from CVE-2018-12910...done. (gdb) r Starting program: /builddir/CVE-2018-12910 Missing separate debuginfos, use: dnf debuginfo-install glibc-2.26-28.fc27.x86_64 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". [New Thread 0x7fffe6fe8700 (LWP 114)] /cookies/accept-policy: [New Thread 0x7fffe67e7700 (LWP 115)] OK /cookies/accept-policy-subdomains: ** ERROR:cookies-test.c:122:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 1): (0 == 1) ** ERROR:cookies-test.c:128:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 2): (0 == 2) ** ERROR:cookies-test.c:136:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 2): (0 == 2) ** ERROR:cookies-test.c:144:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 3): (1 == 3) FAIL /cookies/parsing: OK /cookies/parsing/no-path-null-origin: ** ERROR:cookies-test.c:227:do_cookies_parsing_nopath_nullorigin: assertion failed ("/" == soup_cookie_get_path (cookie)): ("/" == NULL) FAIL /cookies/get-cookies/empty-host: ================================================================= ==110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200005d472 at pc 0x7ffff6e7b00e bp 0x7fffffffe110 sp 0x7fffffffd8b8 READ of size 1 at 0x60200005d472 thread T0 #0 0x7ffff6e7b00d (/lib64/libasan.so.4+0x5b00d) #1 0x7ffff69e514e (/lib64/libsoup-2.4.so.1+0x15714e) #2 0x7ffff69e5345 in soup_cookie_jar_get_cookies (/lib64/libsoup-2.4.so.1+0x157345) #3 0x404a9f in do_get_cookies_empty_host_test /builddir/cookies-test.c:241 #4 0x7ffff5ffe2e9 (/lib64/libglib-2.0.so.0+0x712e9) #5 0x7ffff5ffe21a (/lib64/libglib-2.0.so.0+0x7121a) #6 0x7ffff5ffe21a (/lib64/libglib-2.0.so.0+0x7121a) #7 0x7ffff5ffe4c1 in g_test_run_suite (/lib64/libglib-2.0.so.0+0x714c1) #8 0x7ffff5ffe4e0 in g_test_run (/lib64/libglib-2.0.so.0+0x714e0) #9 0x404c6d in main /builddir/cookies-test.c:272 #10 0x7ffff5bf7f29 in __libc_start_main (/lib64/libc.so.6+0x20f29) #11 0x403c09 in _start (/builddir/CVE-2018-12910+0x403c09) 0x60200005d472 is located 0 bytes to the right of 2-byte region [0x60200005d470,0x60200005d472) allocated by thread T0 here: #0 0x7ffff6efe850 in malloc (/lib64/libasan.so.4+0xde850) #1 0x7ffff5cdcec7 in __GI___vasprintf_chk (/lib64/libc.so.6+0x105ec7) SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.4+0x5b00d) Shadow bytes around the buggy address: 0x0c0480003a30: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x0c0480003a40: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x0c0480003a50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x0c0480003a60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c0480003a70: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa =>0x0c0480003a80: fa fa 05 fa fa fa 01 fa fa fa 00 07 fa fa[02]fa 0x0c0480003a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0480003aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0480003ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0480003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0480003ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==110==ABORTING
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3140 https://access.redhat.com/errata/RHSA-2018:3140
An attacker who can pass an empty hostname to soup_cookie_jar.c:get_cookies() would only be able to control `cur`, `domain` and `next_domain` variables. `domain` is never used apart from the g_free() function, which results in no wrong behavior. `next_domain` is only used to store the next value of `cur` and, if the hostname is empty, it can be set to the NULL terminator of the `domain` string. After the first iteration, `next_domain` may go out of bounds and read memory that wasn't allocated for the `domain` string. `cur` just follows the `next_domain` value and it is used to lookup existing cookies from an hashtable. This means that an attacker can at most read some memory outside the bounds of `domain` and make the application crash, but he is not able to control anything else that may produce an higher impact for this flaw. Indeed other parts of the code just use objects that were already existing.