Bug 706630 (CVE-2011-2524) - VUL-0: CVE-2011-2524: libsoup: filesystem exposure flaw due to bad parsing of ".."
Summary: VUL-0: CVE-2011-2524: libsoup: filesystem exposure flaw due to bad parsing of...
Status: RESOLVED FIXED
Duplicates: 709167
Alias: CVE-2011-2524
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Deadline: 2011-08-02
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard: maint:released:11.3:42430 maint:relea...
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-19 07:20 UTC by Sebastian Krahmer
Modified: 2021-08-11 09:35 UTC
CC: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
The patch from the mail (1.77 KB, patch)
2011-07-19 07:24 UTC, Sebastian Krahmer

Description Sebastian Krahmer 2011-07-19 07:20:57 UTC
A flaw in parsing of ".." sequences has been found in libsoup and has been
reported via linux-distros [at] vs.openwall.org by Red Hat.

CVE-2011-2524 has been assigned.

Original report and patch follow.
Comment 2 Sebastian Krahmer 2011-07-19 07:22:25 UTC
EMBARGOED CVE-2011-2524 libsoup: filesystem exposure flaw due to bad parsing of ".."

It was reported that SoupServer from libsoup did not properly parse '..' in
URLs passed to it.  This could allow for some services that use SoupServer to
expose unintended files (such as http://localhost/..%2f..%2f..%2fetc/passwd)
when it is used to export part of the local filesystem.

Reference:
https://bugzilla.gnome.org/show_bug.cgi?id=653258
Comment 3 Sebastian Krahmer 2011-07-19 07:24:52 UTC
Created attachment 440770 [details]
The patch from the mail

...
Comment 4 Swamp Workflow Management 2011-07-19 07:45:25 UTC
The SWAMPID for this issue is 42263.
This issue was rated as moderate.
Please submit fixed packages until 2011-08-02.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Vincent Untz 2011-07-19 07:51:44 UTC
FWIW, the fix part of the patch (without the test) should apply to all libsoup versions, starting with 2.22.x. It's unclear to me at the moment if SLE9/SLE10 are affected.
Comment 7 Vincent Untz 2011-07-28 13:38:12 UTC
Has 28-July-2011 been confirmed as CRD? (i.e., can I start submitting fixes in OBS?)
Comment 8 Vincent Untz 2011-07-29 09:34:58 UTC
Upstream released a new tarball with the fix, so I assume it's fine to push things.

Submitted to SLE11-SP1: 13858
Submitted to openSUSE 11.3: 77412
Submitted to openSUSE 11.4: 77413
Submitted to openSUSE 11.1 Evergreen: 77410
Submitted to openSUSE 11.2 Evergreen: 77411

Scott: can you make sure it gets integrated in SP2?

I'm still looking at SLE9 and SLE10.
Comment 9 Vincent Untz 2011-07-29 09:53:29 UTC
I don't believe SLE9 and SLE10 are affected since the issue is caused by decoding "..%2f..%2f..%2f" late, and in the versions in libsoup there, the decoding is done at the very beginning. So there, it's like passing "../../../" directly.
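The following C model is an added illustration (not libsoup code and not the attached patch) of the ordering problem comment 9 describes for the request shape from comment 2: with `decode_first` clear, ".." is resolved on the still-encoded path and decoding happens afterwards; with it set, the path is decoded before ".." is resolved and the climb above the root is rejected. The export root "/srv/www", the request paths and the function names are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Decode %XX escapes; out must hold strlen(in)+1 bytes. */
static void percent_decode(const char *in, char *out)
{
    for (; *in; in++, out++) {
        if (*in == '%' && isxdigit((unsigned char)in[1]) && isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], 0 };
            *out = (char)strtol(hex, NULL, 16);
            in += 2;
        } else *out = *in;
    }
    *out = '\0';
}
/* Collapse "." and ".." into out[256]; returns 0 when ".." would climb above root. */
static int normalize_path(const char *in, char *out)
{
    char tmp[256]; const char *seg[64]; int depth = 0;
    if (strlen(in) >= sizeof tmp - 1) return 0;
    strcpy(tmp, in);
    for (char *p = strtok(tmp, "/"); p; p = strtok(NULL, "/")) {
        if (strcmp(p, ".") == 0) continue;
        if (strcmp(p, "..") == 0) { if (depth == 0) return 0; depth--; continue; }
        if (depth == 64) return 0;
        seg[depth++] = p;
    }
    strcpy(out, "/");
    for (int i = 0; i < depth; i++) {   /* result never exceeds 255 chars */
        if (i) strcat(out, "/");
        strcat(out, seg[i]);
    }
    return 1;
}
/* Map a request path under the export root (constructed model, not SoupServer).
 * decode_first = 0: affected ordering, "..%2f" is one opaque segment while ".." is
 * resolved and decoding later restores "../". decode_first = 1: fixed ordering. */
int resolve_request(const char *root, const char *req, int decode_first, char *fs, size_t n)
{
    char a[256], b[256];
    if (decode_first) {
        percent_decode(req, a);
        if (!normalize_path(a, b)) return 0;    /* traversal rejected here */
    } else {
        if (!normalize_path(req, a)) return 0;  /* sees no ".." segment yet */
        percent_decode(a, b);
    }
    snprintf(fs, n, "%s%s", root, b);
    return 1;
}
```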
Comment 10 Thomas Biege 2011-07-29 12:19:20 UTC
*** Bug 709167 has been marked as a duplicate of this bug. ***
Comment 11 Scott Reeves 2011-07-29 23:27:56 UTC
(In reply to comment #8)
> Submitted to SLE11-SP1: 13858
> Scott: can you make sure it gets integrated in SP2?
> 

We have not generally cut over from sp1:update:test yet, and libsoup has not been individually branched for sp2 yet, so the submission to sp1 should still flow into sp2. I will check that in B3 and make sure, though.
Comment 12 Swamp Workflow Management 2011-08-05 08:47:07 UTC
Update released for: libsoup-2_4-1
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 13 Thomas Biege 2011-08-05 08:48:24 UTC
released