Bugzilla – Bug 1100097
VUL-1: CVE-2018-12910: libsoup: Crash in soup_cookie_jar.c:get_cookies() on empty hostnames
Last modified: 2024-05-08 11:03:32 UTC
rh#1597980 libsoup through version 2.63.2 is vulnerable to a crash in soup_cookie_jar.c:get_cookies() when handling empty hostnames.

Upstream Patch: https://gitlab.gnome.org/GNOME/libsoup/commit/db2b0d5809d5f8226d47312b40992cadbcde439f

All codestreams affected.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1597980
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12910
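As an added illustration (not libsoup's code and not part of this bug report), the C snippet below models the parent-domain walk a cookie jar performs in get_cookies() when it collects the cookies that apply to a request host, and shows the guard the upstream patch adds: bail out before any pointer arithmetic when the hostname is empty. The lookup order (".www.example.com", "www.example.com", ".example.com", ".com") and the shape of the loop are assumptions made for this example; the linked commit is the authoritative fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 256

/* Fill `out` with the hash keys a cookie jar would consult for `host`, in
 * the order it walks parent domains, and return how many were written.
 * Constructed for this example; the real libsoup loop is an assumption.
 *
 * A NULL or empty host returns 0 and never reads past the string. Without
 * the guard, "" becomes the key "." and the walk then computes
 * strchr(cur + 1, '.') from a pointer that already sits on the terminating
 * NUL, i.e. one byte past the end of the buffer: a heap out-of-bounds read,
 * which is the class of crash CVE-2018-12910 describes. */
size_t cookie_domain_keys(const char *host, char out[][KEY_LEN], size_t max)
{
    char domain[KEY_LEN];
    const char *cur, *next;
    size_t n = 0;

    /* The guard the upstream fix adds: an empty hostname (e.g. a file:///
     * URI or a malformed Host) has no domain components to look up. */
    if (host == NULL || host[0] == '\0')
        return 0;

    /* Hostname too long for this demo buffer: treat as "nothing to do". */
    if (snprintf(domain, sizeof domain, ".%s", host) >= (int)sizeof domain)
        return 0;

    cur = domain;       /* ".www.example.com": domain-cookie key          */
    next = domain + 1;  /* "www.example.com":  host-only cookie key       */
    do {
        if (n < max) {
            snprintf(out[n], KEY_LEN, "%s", cur);
            n++;
        }
        cur = next;
        if (cur != NULL)
            next = strchr(cur + 1, '.');  /* next parent domain, if any */
    } while (cur != NULL);

    return n;
}

/* Convenience wrapper for callers that only need the number of keys. */
size_t count_cookie_domain_keys(const char *host)
{
    char keys[16][KEY_LEN];
    return cookie_domain_keys(host, keys, 16);
}

int main(void)
{
    /* Constructed sample hosts, including the empty one from the CVE. */
    const char *hosts[] = { "www.example.com", "localhost", "" };
    char keys[16][KEY_LEN];

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        size_t n = cookie_domain_keys(hosts[i], keys, 16);
        printf("host=\"%s\" -> %zu key(s)\n", hosts[i], n);
        for (size_t k = 0; k < n; k++)
            printf("  %s\n", keys[k]);
    }
    return 0;
}
```

The useful habit this shows is to validate the host once, at the entry of the lookup, rather than inside each string operation: every later `cur + 1` then has an invariant (at least one character before the terminator) it can rely on.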
SUSE-SU-2018:2204-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1052916,1086036,1100097
CVE References: CVE-2017-2885,CVE-2018-12910
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libsoup-2.62.2-5.7.1
SUSE Linux Enterprise Server 12-SP3 (src): libsoup-2.62.2-5.7.1
SUSE Linux Enterprise Desktop 12-SP3 (src): libsoup-2.62.2-5.7.1
openSUSE-SU-2018:2296-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1052916,1086036,1100097
CVE References: CVE-2017-2885,CVE-2018-12910
Sources used:
openSUSE Leap 42.3 (src): libsoup-2.62.2-8.1
SUSE-SU-2018:2204-2: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1052916,1086036,1100097
CVE References: CVE-2017-2885,CVE-2018-12910
Sources used:
SUSE OpenStack Cloud 7 (src): libsoup-2.62.2-5.7.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): libsoup-2.62.2-5.7.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): libsoup-2.62.2-5.7.1
SUSE Enterprise Storage 4 (src): libsoup-2.62.2-5.7.1
I'm testing S:M:8130:186368, and I found that the bug might not have been fixed. The validation method is as follows:

Testing environment:
OS: sles-modules-15-x86_64
Software version:
libsoup-2_4-1 : 2.62.2-3.3.32
libsoup-devel : 2.62.2-3.3.32
libsoup-lang : 2.62.2-3.3.32
typelib-1_0-Soup-2_4 : 2.62.2-3.3.32

1. wget https://gitlab.gnome.org/GNOME/libsoup/blob/master/tests/cookies-test.c
This cookies-test.c file has the test code for cookies_empty_host_test that was added upstream. We did not add this test code to our own cookies-test.c file, so the issue may not be tested.

2. gcc -fsanitize=address -g cookies-test.c test-utils.c -I/usr/include/libsoup-2.4/ -I/usr/include/glib-2.0/ -I/usr/lib64/glib-2.0/include/ -lsoup-2.4 -lgio-2.0 -lgobject-2.0 -lglib-2.0 -o CVE-2018-12910

3. gdb -r CVE-2018-12910

4.
Reading symbols from CVE-2018-12910...expanding to full symbols...done.
(gdb) r
Starting program: /usr/src/packages/BUILD/libsoup-2.62.2/tests/CVE-2018-12910
Missing separate debuginfo for /usr/lib64/libsoup-2.4.so.1
Try: zypper install -C "debuginfo(build-id)=06b6104a4e58138628a24c1dee7c130583fa9ec4"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
==6915==AddressSanitizer: failed to intercept '__isoc99_printf'
==6915==AddressSanitizer: failed to intercept '__isoc99_sprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_snprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_fprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_vprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
==6915==AddressSanitizer: libc interceptors initialized
|| `[0x10007fff8000, 0x7fffffffffff]` || HighMem ||
|| `[0x02008fff7000, 0x10007fff7fff]` || HighShadow ||
|| `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap ||
|| `[0x00007fff8000, 0x00008fff6fff]` || LowShadow ||
|| `[0x000000000000, 0x00007fff7fff]` || LowMem ||
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00 0x02008fff6fff
redzone=16
max_redzone=2048
quarantine_size_mb=256M
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x7fff8000
==6915==Installed the sigaction for signal 11
==6915==Installed the sigaction for signal 7
==6915==Installed the sigaction for signal 8
==6915==T0: stack [0x7fffff7ff000,0x7ffffffff000) size 0x800000; local=0x7fffffffe0ec
==6915==LeakSanitizer: Dynamic linker not found. TLS will not be handled correctly.
==6915==AddressSanitizer Init done
[New Thread 0x7fffee334700 (LWP 6919)]
==6915==T1: stack [0x7fffedb35000,0x7fffee333e00) size 0x7fee00; local=0x7fffee333d1c
/cookies/accept-policy: [New Thread 0x7fffedb33700 (LWP 6920)]
==6915==T2: stack [0x7fffed334000,0x7fffedb32e00) size 0x7fee00; local=0x7fffedb32d1c
OK
/cookies/accept-policy-subdomains: **
ERROR:cookies-test.c:203:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 5): (6 == 5)
FAIL
/cookies/parsing: OK
/cookies/remove-feature:
(CVE-2018-12910:6915): GLib-GObject-WARNING **: invalid unclassed pointer in cast to 'SoupCookieJar'

Thread 1 "CVE-2018-12910" received signal SIGTRAP, Trace/breakpoint trap.
_g_log_abort (breakpoint=breakpoint@entry=1) at gmessages.c:554
554 }

5. make check
PASS: cookies-test 1 /cookies/accept-policy
FAIL: cookies-test 2 /cookies/accept-policy-subdomains
PASS: cookies-test 3 /cookies/parsing
ERROR: cookies-test - too few tests run (expected 6, got 3)
ERROR: cookies-test - exited with status 133 (terminated by signal 5?)
...

This test result also exists in SLES12-SP3.
(In reply to ming li from comment #6)
> I'm testing S:M:8130:186368, I found that the bug might not have been fixed.
> The validation method is as follows:

Well, and is the output before the update is applied the same or different?
(In reply to Martin Pluskal from comment #7)
> (In reply to ming li from comment #6)
> > I'm testing S:M:8130:186368, I found that the bug might not have been fixed.
> > The validation method is as follows:
> Well and is the output before update applied same or different?

Following my instructions, the output before and after is the same.
What should I do next with this S:M:8130:186368 update? Reject or wait for feedback?
The testcase as downloaded does not match the sources we are using. I used the testcase from the libsoup we are testing and that works fine. So I think we can proceed.
openSUSE-SU-2019:1310-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1100097
CVE References: CVE-2018-12910
Sources used:
openSUSE Leap 15.0 (src): libsoup-2.62.2-lp150.2.3.1
Is this still outstanding, or has the update been released?
We resolved it ... the testcase and the library were not in sync. It was released meanwhile.

We are still tracking it for libsoup on SUSE:SLE-10-SP3:Update, SUSE:SLE-11-SP1:Update and SUSE:SLE-11-SP2:Update. Can you check if we need it there?