Message-ID: <cc283d3e-5a45-400b-97d6-78dc176fe4bb@oracle.com>
Date: Fri, 18 Apr 2025 11:55:01 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: A bowlful of bugs in GNOME's libsoup
libsoup is an HTTP client/server library for GNOME, hosted at
https://gitlab.gnome.org/GNOME/libsoup
A number of CVEs have recently been recorded against it (due in part to
bug bounty submissions via YesWeHack) - fixes are available in the
libsoup 3.6.x releases for some, but not all, of them.
Some fixes that also affect the older 2.x branch have been backported upstream
in https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/449 though upstream
encourages migration to version 3.x instead if possible.
CVE-2025-32049 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/390
Denial of service on libsoup via soup-websocket-connection through
"process_contents" leads to unbounded memory allocation when receiving
fragmented websocket messages
YesWeHack Report ID: #YWH-PGM9867-12
Date Reported on GNOME GitLab: August 21, 2024 (#390)
Date Reported on YesWeHack: November 25, 2024
Date Fixed: Not Fixed
Fix Version: Not Fixed
Fix: Not Fixed
CVE: CVE-2025-32049
CWE: CWE-617: Reachable Assertion, CWE-770: Allocation of Resources Without Limits or Throttling
Discovery Credit: Ignacio Casal Quinteiro
Additional Discovery Credit: Jan Różański
Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
The websocket protocol allows sending a large message in small
chunks called frames. The problem in libsoup's implementation of
this feature, is that there is no restriction on the total length
of a fragmented message sent through multiple frames. Every time a
message fragment is received, the message_data buffer is
expanded. The problem arises when a client never terminates its
message, and keeps sending message fragments. The outcome is that
the receiving process terminates with an error once the buffer's
size gets too big:
(process:26989): GLib-ERROR **: 17:39:20.346: adding 98303 to array would overflow
Trace/breakpoint trap (core dumped)
The issue originates in process_contents function in
soup-websocket-connection.c when dealing with priv->message_data.
Proposed fix (not yet accepted/merged):
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/408
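The check the report describes as missing, as an added example in plain C
(this is not libsoup's SoupWebsocketConnection code and not the proposed
fix; the struct, limits and function names are this example's own): a
fragment reassembler that enforces a cap on the total size of a fragmented
message on every continuation frame, so a peer that never sends FIN cannot
grow the buffer until the process aborts.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reassembler written for this example; it is not libsoup's
 * SoupWebsocketConnection. It models the missing check the report
 * describes: a cap on the total size of a fragmented message, enforced
 * on every continuation frame rather than only when FIN arrives. */
typedef struct {
    uint8_t *data;     /* partial message assembled so far */
    size_t   len;
    size_t   max_len;  /* hard limit on the reassembled message */
    int      closed;   /* set once the peer has been cut off */
} ws_reassembler;

enum { WS_OK = 0, WS_TOO_LARGE = -1, WS_OOM = -2, WS_CLOSED = -3 };

void ws_reassembler_init(ws_reassembler *r, size_t max_len)
{
    r->data = NULL;
    r->len = 0;
    r->max_len = max_len;
    r->closed = 0;
}

void ws_reassembler_reset(ws_reassembler *r)
{
    free(r->data);
    r->data = NULL;
    r->len = 0;
}

/* Append one frame's payload to the message under assembly.
 * The unbounded version is simply r->data = realloc(r->data, r->len + n)
 * on every frame, which is what lets a peer that never sends FIN drive
 * memory use until the allocator (or a GArray-style "would overflow"
 * assertion) aborts the process. This version refuses, drops the partial
 * message and marks the connection closed as soon as the limit would be
 * exceeded. */
int ws_reassembler_append(ws_reassembler *r, const uint8_t *payload, size_t n)
{
    if (r->closed)
        return WS_CLOSED;
    if (n == 0)
        return WS_OK;
    /* overflow-safe form of: r->len + n > r->max_len */
    if (n > r->max_len || r->len > r->max_len - n) {
        ws_reassembler_reset(r);
        r->closed = 1;
        return WS_TOO_LARGE;
    }
    uint8_t *grown = realloc(r->data, r->len + n);
    if (grown == NULL) {
        ws_reassembler_reset(r);
        r->closed = 1;
        return WS_OOM;
    }
    r->data = grown;
    memcpy(r->data + r->len, payload, n);
    r->len += n;
    return WS_OK;
}

/* Model a client that streams `frames` non-final fragments of `frame_len`
 * bytes each and never sends FIN (constructed input). Returns how many
 * fragments were accepted before the reassembler cut the peer off, which
 * equals `frames` if the limit was never reached. */
size_t ws_simulate_unterminated(size_t max_len, size_t frame_len, size_t frames)
{
    ws_reassembler r;
    uint8_t *chunk = calloc(frame_len ? frame_len : 1, 1);
    size_t accepted = 0;

    ws_reassembler_init(&r, max_len);
    for (size_t i = 0; i < frames && chunk != NULL; i++) {
        if (ws_reassembler_append(&r, chunk, frame_len) != WS_OK)
            break;
        accepted++;
    }
    ws_reassembler_reset(&r);
    free(chunk);
    return accepted;
}
```

With a 1 MiB limit and the 98303-byte fragments from the crash log above,
the eleventh fragment is refused and the connection is closed instead of
the process being killed; the limit is a per-deployment choice, and the
WebSocket close code to send (1009 "message too big") is left to the
caller.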
CVE-2025-32050 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/424
Integer overflow in append_param_quoted
YesWeHack Report ID: #YWH-PGM9867-9
Date Reported: October 28, 2024
Date Fixed: November 22, 2024
Fix Version: 3.6.1
Fix: 9bb0a55d
CVE: CVE-2025-32050
CWE: CWE-127: Buffer Under-read, CWE-190: Integer Overflow
Discovery Credit: chamal de silva
Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
The likely impact of this bug is denial of service. Since there is buffer
under-read, there is also theoretical confidentiality impact. [Triager]
thinks buffer underwrite might also be possible, but is not certain.
The libsoup function append_param_quoted is vulnerable to an Integer
Overflow.
CVE-2025-32051 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/401
Segmentation fault when parsing malformed data URI
YesWeHack Report ID: #YWH-PGM9867-11
Date Reported to YesWeHack: November 21, 2024
Date Fixed: November 22, 2024
Fix Version: 3.6.1
Fix: 0713ba4a and 79cfd65c
CVE: CVE-2025-32051
CWE: NULL Pointer Dereference (CWE-476)
Discovery Credit: Anonymous
Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
(This anonymous discovery credit is in addition to Ar jun.)
libsoup's soup_uri_decode_data_uri() function, prior to libsoup 3.6.1, may
crash when processing a malformed data URI, resulting in denial of service.
Report summary: Using a custom fuzzing harness, I discovered that these
two payloads both trigger a segmentation fault in
soup_uri_decode_data_uri(uri, NULL): data:.///, data:/.//
CVE-2025-32052 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/425
Heap buffer over-read in soup-content-sniffer.c:sniff_unknown()
Date Reported: November 14, 2024
Date Fixed: November 22, 2024
Fix Version: 3.6.1
Fix: f182429e
CVE: CVE-2025-32052
CWE: CWE-126: Buffer Over-read
Discovery Credit: Ar jun
libsoup prior to version 3.6.1 is vulnerable to a heap buffer over-read
in the content sniffer's sniff_unknown() function. libsoup clients may
read out of bounds in response to a crafted HTTP response sent by an
HTTP server.
CVE-2025-32053 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/426
Heap buffer over-read in soup-content-sniffer.c:sniff_feed_or_html()
and soup-content-sniffer.c:skip_insignificant_space()
Date Reported: November 14, 2024
Date Fixed: November 22, 2024
Fix Version: 3.6.1
Fix: eaed42ca
CVE: CVE-2025-32053
CWE: CWE-126: Buffer Over-read
Discovery Credit: Ar jun
libsoup prior to version 3.6.1 is vulnerable to heap buffer over-reads in
the content sniffer's sniff_feed_or_html() and skip_insignificant_space()
functions. libsoup clients may read out of bounds in response to a
crafted HTTP response sent by an HTTP server.
WARNING: the fix for this issue possibly introduces another security
vulnerability, #422 (closed).
CVE-2025-32906 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/404
Out of bounds reads in soup_headers_parse_request()
Date Reported: November 25, 2024
Date Fixed: February 24, 2025
Fix Version: 3.6.5
Fix: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/440
CVE: CVE-2025-32906
Discovery Credit: Tan Wei Chong
CVE-2025-32907 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/428
Denial of service in server when client requests a large amount of
overlapping ranges with Range header
YesWeHack Report ID: #YWH-PGM9867-13
Date Reported: November 28, 2024
Date Fixed: Not Fixed
Fix Version: Not Fixed
Fix: Not Fixed
CVE: CVE-2025-32907
CWE: CWE-405: Asymmetric Resource Consumption (Amplification)
Discovery Credit: Jan Różański
Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
libsoup's implementation of HTTP range requests is vulnerable to a
resource consumption attack. A malicious client may request the same
range many times in a single HTTP request, causing the server to use
large amounts of memory.
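A defensive Range header parser, as an added example (not libsoup's code
and not the eventual fix; the MAX_RANGES limit and the byte-total policy
are this example's own choices). It parses "bytes=" range sets and refuses
two things a server should not have to absorb: more than a fixed number of
ranges per request, and ranges whose lengths add up to more than the
resource itself, which is exactly what repeated or overlapping ranges do.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Policy constant for this example; the report does not state what limit
 * libsoup applies. */
#define MAX_RANGES 16

typedef struct { uint64_t start, end; } byte_range;   /* inclusive bounds */

enum {
    RANGE_OK = 0,
    RANGE_NOT_BYTES = -1,      /* not a bytes= range unit: ignore header */
    RANGE_SYNTAX = -2,         /* malformed: ignore header, serve 200 */
    RANGE_UNSATISFIABLE = -3,  /* 416 Range Not Satisfiable */
    RANGE_TOO_MANY = -4,       /* policy: more than MAX_RANGES */
    RANGE_AMPLIFIED = -5       /* policy: ranges sum to more than the resource */
};

static int parse_u64(const char **p, uint64_t *out)
{
    const char *s = *p;
    uint64_t v = 0;
    int digits = 0;
    while (isdigit((unsigned char)*s)) {
        unsigned d = (unsigned)(*s - '0');
        if (v > (UINT64_MAX - d) / 10)
            return 0;                     /* numeric overflow */
        v = v * 10 + d;
        s++;
        digits++;
    }
    if (digits == 0)
        return 0;
    *p = s;
    *out = v;
    return 1;
}

/* Parse "bytes=a-b,c-,-n,..." against a resource of resource_len bytes.
 * Fills out[] (capacity max_out) and returns RANGE_OK, or a code above.
 * The two policy checks are the point: the count cap bounds per-request
 * work, and the byte-total cap stops repeated or overlapping ranges from
 * making the server buffer more than one copy of the resource. */
int parse_range_header(const char *hdr, uint64_t resource_len,
                       byte_range *out, size_t max_out,
                       size_t *n_out, uint64_t *total_out)
{
    if (strncmp(hdr, "bytes=", 6) != 0)
        return RANGE_NOT_BYTES;
    const char *p = hdr + 6;
    size_t n = 0;
    uint64_t total = 0;

    for (;;) {
        uint64_t start, end;
        while (*p == ' ')
            p++;
        if (*p == '-') {                      /* suffix form: last N bytes */
            uint64_t suffix;
            p++;
            if (!parse_u64(&p, &suffix) || suffix == 0)
                return RANGE_SYNTAX;
            if (resource_len == 0)
                return RANGE_UNSATISFIABLE;
            start = suffix >= resource_len ? 0 : resource_len - suffix;
            end = resource_len - 1;
        } else {
            if (!parse_u64(&p, &start) || *p != '-')
                return RANGE_SYNTAX;
            p++;
            if (start >= resource_len)
                return RANGE_UNSATISFIABLE;
            if (isdigit((unsigned char)*p)) {
                if (!parse_u64(&p, &end) || end < start)
                    return RANGE_SYNTAX;
                if (end > resource_len - 1)
                    end = resource_len - 1;   /* clamp to the resource */
            } else {
                end = resource_len - 1;       /* open-ended: to the end */
            }
        }
        if (n == MAX_RANGES || n == max_out)
            return RANGE_TOO_MANY;
        total += end - start + 1;
        if (total > resource_len)
            return RANGE_AMPLIFIED;
        out[n].start = start;
        out[n].end = end;
        n++;
        while (*p == ' ')
            p++;
        if (*p == '\0')
            break;
        if (*p != ',')
            return RANGE_SYNTAX;
        p++;
    }
    *n_out = n;
    *total_out = total;
    return RANGE_OK;
}

/* One-call verdict: number of accepted ranges (>= 1), or a negative code. */
int range_header_verdict(const char *hdr, uint64_t resource_len)
{
    byte_range ranges[MAX_RANGES];
    size_t n;
    uint64_t total;
    int rc = parse_range_header(hdr, resource_len, ranges, MAX_RANGES, &n, &total);
    return rc == RANGE_OK ? (int)n : rc;
}
```

A server that gets RANGE_TOO_MANY or RANGE_AMPLIFIED can either ignore the
Range header and serve the whole resource with 200, or coalesce the ranges;
both are permitted by RFC 9110, which explicitly allows servers to reject
or coalesce many small or overlapping ranges. What it must not do is
allocate one buffer per requested range before deciding.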
CVE-2025-32908 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/429
Denial of service on libsoup through
server/http2/soup-server-message-io-http2.c via "on_frame_recv_callback"
due to assertion failure when client sends certain values in
pseudo-headers in a HEADERS frame
YesWeHack Report ID: #YWH-PGM9867-14
Date Reported: December 1, 2024
Date Fixed: Not Fixed
Fix Version: Not Fixed
Fix: Not Fixed
CVE: CVE-2025-32908
CWE: CWE-617: Reachable Assertion
Discovery Credit: Jan Różański
Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
libsoup's HTTP/2 server doesn't fully validate the values of the
pseudo-headers :scheme, :authority, and :path.
A client may crash the server by sending a malicious HTTP request.
CVE-2025-32909 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/431
NULL Pointer Dereference on libsoup through function "sniff_mp4"
in soup-content-sniffer.c
YesWeHack Report ID: #YWH-PGM9867-15
Date Reported: December 2, 2024
Date Fixed: January 8, 2025
Fix Version: 3.6.2
Fix: ba4c3a6f
CVE: CVE-2025-32909
CWE: CWE-476: NULL Pointer Dereference
Discovery Credit: Alon Zahavi
Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
libsoup's SoupContentSniffer, prior to version 3.6.2, is vulnerable to
a null pointer dereference in its sniff_mp4 function. A malicious HTTP
server may cause the libsoup client to crash.
CVE-2025-32910 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/432
Null pointer dereference on libsoup via /auth/soup-auth-digest.c through
"soup_auth_digest_authenticate" on client when server omits the "realm"
parameter in an Unauthorized response with Digest authentication
YesWeHack Report ID: #YWH-PGM9867-17
Date Reported: December 8, 2024
Date Fixed: January 10, 2025
Fix Version: 3.6.3
Fix: !417 (merged)
CVE: CVE-2025-32910
CWE: CWE-476: NULL Pointer Dereference
Discovery Credit: Jan Różański
Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
libsoup prior to version 3.6.3 is vulnerable to a null pointer dereference
in soup_auth_digest_authenticate(). A malicious HTTP server may cause the
libsoup client to crash.
CVE-2025-32911 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/433
Double free on soup_message_headers_get_content_disposition() through
"soup-message-headers.c" via "params" GHashTable value
YesWeHack Report ID: #YWH-PGM9867-19
Date Reported: December 8, 2024
Date Fixed: January 8, 2025
Fix Version: 3.6.3
Fix: !422 (merged)
CVE: CVE-2025-32911
CWE: CWE-590: Free of Memory Not on the Heap
Discovery Credit: Anonymous
Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
libsoup prior to version 3.6.3 is vulnerable to a free of memory not on
the heap in soup_message_headers_get_content_disposition(). A malicious
HTTP client may induce memory corruption in the libsoup server.
Michael's note: theoretically this could result in remote code execution,
so this is particularly not good.
CVE-2025-32912 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/434
NULL pointer dereference in client when server omits the "nonce"
parameter in an Unauthorized response with Digest authentication
YesWeHack Report ID: #YWH-PGM9867-20
Date Reported: December 9, 2024
Date Fixed: February 8, 2025
Fix Version: 3.6.5
Fix: !417 (merged) and !434 (merged) and 910ebdcd
CVE: CVE-2025-32912
CWE: CWE-476: NULL Pointer Dereference
Discovery Credit: Jan Różański
Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
libsoup prior to 3.6.5 is vulnerable to a null pointer dereference in
SoupAuthDigest. A malicious HTTP server may cause the libsoup client to
crash.
CVE-2025-32913 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/435
NULL pointer dereference in soup_message_headers_get_content_disposition
when "filename" parameter is present, but has no value in
Content-Disposition header
YesWeHack Report ID: #YWH-PGM9867-21
Date Reported: December 9, 2024
Date Fixed: January 8, 2025
Fix Version: 3.6.2
Fix: !422 (merged)
CVE: CVE-2025-32913
CWE: CWE-476: NULL Pointer Dereference
Discovery Credit: Jan Różański
Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
libsoup prior to 3.6.2 is vulnerable to a null pointer dereference in
soup_message_headers_get_content_disposition(). A malicious HTTP peer
may crash a libsoup client or server that uses this function.
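The parsing shape behind this entry, as an added example (not libsoup's
soup_message_headers_get_content_disposition() and not its fix; the types
and function names are this example's own): a Content-Disposition parser
whose parameter table distinguishes "filename=" (empty value) from a bare
"filename" (no value at all), and consumers that check for the NULL case
before using the value.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARAMS 8

/* Hypothetical parser for this example; it is not libsoup's. A parameter
 * that appears without '=' is kept with value == NULL, and every consumer
 * of the table below is written to expect that. */
typedef struct {
    char *name;
    char *value;   /* NULL when the parameter had no '=' at all */
} cd_param;

typedef struct {
    char *type;                    /* "attachment", "inline", "form-data" */
    cd_param params[MAX_PARAMS];
    size_t n_params;
} content_disposition;

static int ascii_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Copy s[0..n) with surrounding whitespace and one pair of quotes removed. */
static char *trim_dup(const char *s, size_t n)
{
    while (n && isspace((unsigned char)*s)) { s++; n--; }
    while (n && isspace((unsigned char)s[n - 1])) n--;
    if (n >= 2 && s[0] == '"' && s[n - 1] == '"') { s++; n -= 2; }
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

void cd_free(content_disposition *cd)
{
    free(cd->type);
    for (size_t i = 0; i < cd->n_params; i++) {
        free(cd->params[i].name);
        free(cd->params[i].value);   /* free(NULL) is a no-op */
    }
    memset(cd, 0, sizeof *cd);
}

/* Parse "type; name=value; name; ...". Quoted values containing ';' are
 * not handled and parameters beyond MAX_PARAMS are dropped, to keep the
 * example short. */
void cd_parse(const char *hdr, content_disposition *cd)
{
    memset(cd, 0, sizeof *cd);
    const char *semi = strchr(hdr, ';');
    cd->type = trim_dup(hdr, semi ? (size_t)(semi - hdr) : strlen(hdr));
    const char *p = semi ? semi + 1 : NULL;
    while (p != NULL) {
        const char *next = strchr(p, ';');
        size_t seg = next ? (size_t)(next - p) : strlen(p);
        const char *eq = memchr(p, '=', seg);
        char *name = trim_dup(p, eq ? (size_t)(eq - p) : seg);
        /* No '=' at all: record the name with a NULL value, not "" */
        char *value = eq ? trim_dup(eq + 1, seg - (size_t)(eq - p) - 1) : NULL;
        if (name != NULL && name[0] != '\0' && cd->n_params < MAX_PARAMS) {
            cd->params[cd->n_params].name = name;
            cd->params[cd->n_params].value = value;
            cd->n_params++;
        } else {
            free(name);    /* empty segment, e.g. a trailing ';' */
            free(value);
        }
        p = next ? next + 1 : NULL;
    }
}

/* The filename value, or NULL when absent OR present without a value.
 * Callers must test for NULL before strlen()/strcmp()/strdup()-style use;
 * this is the check whose absence turns a bare "filename" into a crash. */
const char *cd_filename(const content_disposition *cd)
{
    for (size_t i = 0; i < cd->n_params; i++)
        if (ascii_ieq(cd->params[i].name, "filename"))
            return cd->params[i].value;
    return NULL;
}

/* 1 if the header carries a filename with a value, 0 for absent or bare. */
int cd_has_filename(const char *hdr)
{
    content_disposition cd;
    cd_parse(hdr, &cd);
    int present = cd_filename(&cd) != NULL;
    cd_free(&cd);
    return present;
}

/* 1 if the header carries a non-empty filename equal to `expected`. */
int cd_filename_is(const char *hdr, const char *expected)
{
    content_disposition cd;
    cd_parse(hdr, &cd);
    const char *fn = cd_filename(&cd);
    int match = fn != NULL && fn[0] != '\0' && strcmp(fn, expected) == 0;
    cd_free(&cd);
    return match;
}
```

The same NULL-before-use discipline applies to the Digest challenge
entries above (CVE-2025-32910 and CVE-2025-32912): a challenge parameter
table that may lack "realm" or "nonce" must be consulted with a lookup
that can return NULL, and the caller must fail the authentication rather
than pass the missing value on.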
CVE-2025-32914 - https://gitlab.gnome.org/GNOME/libsoup/-/issues/436
OOB Read on libsoup through function "soup_multipart_new_from_message"
in soup-multipart.c leads to crash or exit of process
YesWeHack Report ID: #YWH-PGM9867-23
Date Reported: April 9, 2025
Date Fixed: Not Fixed
Fix Version: Not Fixed
Fix: Not Fixed
CVE: CVE-2025-32914
CWE: Out-of-bounds Read (CWE-125)
Discovery Credit: Alon Zahavi
Additional Thanks: Sovereign Tech Resilience program of the Sovereign Tech Agency
libsoup is vulnerable to an out of bounds read in
soup_multipart_new_from_message(). A malicious HTTP client may
induce the libsoup server to read out of bounds.
--
-Alan Coopersmith- alan.coopersmith@...cle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris