Debian Bug report logs - #1088812
libsoup2.4: CVE-2024-52530


Package: src:libsoup2.4; Maintainer for src:libsoup2.4 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Sun, 1 Dec 2024 16:48:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version 2.74.3-8

Fixed in versions libsoup2.4/2.74.3-8.1, libsoup2.4/2.74.3-1+deb12u1

Done: Sean Whitton <spwhitton@spwhitton.name>

Bug is archived. No further changes may be made.

Forwarded to https://gitlab.gnome.org/GNOME/libsoup/-/issues/377



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1088812; Package src:libsoup2.4. (Sun, 01 Dec 2024 16:48:02 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 01 Dec 2024 16:48:02 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: libsoup2.4: CVE-2024-52530
Date: Sun, 1 Dec 2024 17:44:49 +0100
Source: libsoup2.4
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libsoup2.4.

CVE-2024-52530[0]:
| GNOME libsoup before 3.6.0 allows HTTP request smuggling in some
| configurations because '\0' characters at the end of header names
| are ignored, i.e., a "Transfer-Encoding\0: chunked" header is
| treated the same as a "Transfer-Encoding: chunked" header.

https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b (3.5.2)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-52530
    https://www.cve.org/CVERecord?id=CVE-2024-52530

Please adjust the affected versions in the BTS as needed.
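The CVE text above describes the defect as a header name being matched even though it carries a trailing '\0'. The following C program is an added example, not code from the bug report or from libsoup: it puts a lenient matcher that compares the name as a NUL-terminated C string (the behaviour the CVE text describes) beside a strict one that checks every byte of the name against the RFC 9110 token alphabet and compares over the full byte length. The function names, the enum and the sample header lines are constructed for this illustration and are not taken from libsoup.

```c
/* Added example (not libsoup code): why a trailing NUL in a header name
 * passes a C-string comparison, and the length-aware check that rejects it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* RFC 9110 "tchar": the only bytes permitted in a field name. */
static bool is_tchar(unsigned char c)
{
    if (c == '\0')
        return false;   /* strchr() would otherwise match the terminator */
    if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))
        return true;
    return strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* A name is valid only if it is non-empty and every byte is a tchar. */
bool header_name_is_valid(const char *name, size_t len)
{
    if (len == 0)
        return false;
    for (size_t i = 0; i < len; i++)
        if (!is_tchar((unsigned char)name[i]))
            return false;
    return true;
}

/* Lenient matcher (models the pre-fix behaviour the CVE describes): the name
 * is compared as a C string, so the comparison stops at the first '\0' and the
 * real byte count is ignored. "Transfer-Encoding\0" (18 bytes) compares equal. */
bool lenient_name_matches(const char *name, size_t len, const char *want)
{
    (void)len;
    return strcasecmp(name, want) == 0;
}

/* Strict matcher: validate every byte, then require an exact-length,
 * case-insensitive match. A trailing NUL fails the first check. */
bool strict_name_matches(const char *name, size_t len, const char *want)
{
    if (!header_name_is_valid(name, len))
        return false;
    return len == strlen(want) && strncasecmp(name, want, len) == 0;
}

/* Outcome of inspecting one "Name: value" line for Transfer-Encoding. */
enum te_result { TE_REJECTED = -1, TE_ABSENT = 0, TE_PRESENT = 1 };

enum te_result classify_header_line(const char *line, size_t len, bool strict)
{
    const char *colon = memchr(line, ':', len);   /* memchr is not NUL-terminated */
    if (colon == NULL)
        return TE_REJECTED;                       /* not a header line at all */
    size_t name_len = (size_t)(colon - line);

    if (strict) {
        if (!header_name_is_valid(line, name_len))
            return TE_REJECTED;
        return strict_name_matches(line, name_len, "Transfer-Encoding") ? TE_PRESENT : TE_ABSENT;
    }

    /* Lenient path: copy the name into a buffer and compare it as a C string. */
    char buf[64];
    if (name_len >= sizeof buf)
        return TE_REJECTED;
    memcpy(buf, line, name_len);
    buf[name_len] = '\0';
    return lenient_name_matches(buf, name_len, "Transfer-Encoding") ? TE_PRESENT : TE_ABSENT;
}

int main(void)
{
    /* Constructed sample lines; the second carries the trailing NUL the CVE describes. */
    static const struct { const char *line; size_t len; } samples[] = {
        { "Transfer-Encoding: chunked",   sizeof("Transfer-Encoding: chunked") - 1 },
        { "Transfer-Encoding\0: chunked", sizeof("Transfer-Encoding\0: chunked") - 1 },
        { "Content-Length: 5",            sizeof("Content-Length: 5") - 1 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: lenient=%d strict=%d\n", i,
               (int)classify_header_line(samples[i].line, samples[i].len, false),
               (int)classify_header_line(samples[i].line, samples[i].len, true));
    return 0;
}
```

The lenient path reports the NUL-suffixed name as a Transfer-Encoding header, while the strict path rejects the whole line; a parser that rejects rather than silently normalises keeps two hops from disagreeing about how the message body is framed, which is what makes the difference between a benign malformed header and a smuggling primitive.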



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 01 Dec 2024 17:27:05 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://gitlab.gnome.org/GNOME/libsoup/-/issues/377'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 01 Dec 2024 17:27:05 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 05 Dec 2024 17:39:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1088812; Package src:libsoup2.4. (Tue, 10 Dec 2024 05:42:02 GMT) (full text, mbox, link).


Acknowledgement sent to Sean Whitton <spwhitton@spwhitton.name>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 10 Dec 2024 05:42:02 GMT) (full text, mbox, link).


Message #16 received at 1088812@bugs.debian.org (full text, mbox, reply):

From: Sean Whitton <spwhitton@spwhitton.name>
To: 1088812@bugs.debian.org, 1089240@bugs.debian.org, 1089238@bugs.debian.org
Subject: libsoup2.4: diff for NMU version 2.74.3-8.1
Date: Tue, 10 Dec 2024 13:39:29 +0800
[Message part 1 (text/plain, inline)]
Package: libsoup2.4
Version: 2.74.3-8
Severity: normal
Tags: patch  pending

Dear maintainer,

I've prepared an NMU for libsoup2.4 (versioned as 2.74.3-8.1) and uploaded it
to DELAYED/5. Please feel free to tell me if I should delay it longer.

You can also pull my branch and debian/ tag from
<https://salsa.debian.org/lts-team/packages/libsoup2.4>.

Regards.


-- 
Sean Whitton
[libsoup2.4-2.74.3-8.1-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending and patch. Request was from Sean Whitton <spwhitton@spwhitton.name> to control@bugs.debian.org. (Tue, 10 Dec 2024 05:45:02 GMT) (full text, mbox, link).


Reply sent to Sean Whitton <spwhitton@spwhitton.name>:
You have taken responsibility. (Tue, 10 Dec 2024 05:54:02 GMT) (full text, mbox, link).


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 10 Dec 2024 05:54:02 GMT) (full text, mbox, link).


Message #23 received at 1088812-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1088812-close@bugs.debian.org
Subject: Bug#1088812: fixed in libsoup2.4 2.74.3-8.1
Date: Tue, 10 Dec 2024 05:49:00 +0000
[Message part 1 (text/plain, inline)]
Source: libsoup2.4
Source-Version: 2.74.3-8.1
Done: Sean Whitton <spwhitton@spwhitton.name>

We believe that the bug you reported is fixed in the latest version of
libsoup2.4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1088812@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton <spwhitton@spwhitton.name> (supplier of updated libsoup2.4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Dec 2024 13:17:25 +0800
Source: libsoup2.4
Architecture: source
Version: 2.74.3-8.1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Sean Whitton <spwhitton@spwhitton.name>
Closes: 1088812 1089238 1089240
Changes:
 libsoup2.4 (2.74.3-8.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Backport upstream fixes for
     - CVE-2024-52530: HTTP request smuggling with null bytes at the end of
       header names (Closes: #1088812)
     - CVE-2024-52531: buffer overflow in soup_header_parse_param_list_strict
       (Closes: #1089240)
     - CVE-2024-52532: infinite loop / potential DoS in reading certain
       data from WebSocket clients (Closes: #1089238).
Checksums-Sha1:
 b294f867224cb49bd18b82cd00b49a5d945acb40 3497 libsoup2.4_2.74.3-8.1.dsc
 cc123495342082013ac74d08da6472f6adfa8025 31156 libsoup2.4_2.74.3-8.1.debian.tar.xz
Checksums-Sha256:
 e67ed6389d45bddee817d3dcfa3ae595471c1de9cd335ea9226345af766e6ff4 3497 libsoup2.4_2.74.3-8.1.dsc
 55ad94945e031d010d42ee51fda23d7506cc88517f5db276e9f58866720b450c 31156 libsoup2.4_2.74.3-8.1.debian.tar.xz
Files:
 410a9719c109cba4525d645b9d0de0a8 3497 oldlibs optional libsoup2.4_2.74.3-8.1.dsc
 ddbfc61735c771cb2534de6016fad99e 31156 oldlibs optional libsoup2.4_2.74.3-8.1.debian.tar.xz


[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1088812; Package src:libsoup2.4. (Tue, 10 Dec 2024 09:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Sean Whitton <spwhitton@spwhitton.name>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 10 Dec 2024 09:03:02 GMT) (full text, mbox, link).


Message #28 received at 1088812@bugs.debian.org (full text, mbox, reply):

From: Sean Whitton <spwhitton@spwhitton.name>
To: 1088812@bugs.debian.org, 1089240@bugs.debian.org, 1089238@bugs.debian.org
Subject: Re: libsoup2.4: diff for NMU version 2.74.3-8.1
Date: Tue, 10 Dec 2024 17:01:19 +0800
Hello,

On Tue 10 Dec 2024 at 01:39pm +08, Sean Whitton wrote:

> Package: libsoup2.4
> Version: 2.74.3-8
> Severity: normal
> Tags: patch  pending
>
> Dear maintainer,
>
> I've prepared an NMU for libsoup2.4 (versioned as 2.74.3-8.1) and uploaded it
> to DELAYED/5. Please feel free to tell me if I should delay it longer.
>
> You can also pull my branch and debian/ tag from
> <https://salsa.debian.org/lts-team/packages/libsoup2.4>.

Well, my shell history has 'dgit push-source --gbp --delayed=5', but it
looks like the upload has already hit unstable :\

I think possibly there is something wrong with my dput-ng config, or
dgit is mishandling it.  My apologies for this.

-- 
Sean Whitton



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1088812; Package src:libsoup2.4. (Tue, 10 Dec 2024 12:27:01 GMT) (full text, mbox, link).


Acknowledgement sent to Sean Whitton <spwhitton@spwhitton.name>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 10 Dec 2024 12:27:01 GMT) (full text, mbox, link).


Message #33 received at 1088812@bugs.debian.org (full text, mbox, reply):

From: Sean Whitton <spwhitton@spwhitton.name>
To: 1088812@bugs.debian.org, 1089240@bugs.debian.org, 1089238@bugs.debian.org
Subject: Re: libsoup2.4: diff for NMU version 2.74.3-8.1
Date: Tue, 10 Dec 2024 20:24:32 +0800
Hello,

On Tue 10 Dec 2024 at 05:01pm +08, Sean Whitton wrote:

> Well, my shell history has 'dgit push-source --gbp --delayed=5', but it
> looks like the upload has already hit unstable :\
>
> I think possibly there is something wrong with my dput-ng config, or
> dgit is mishandling it.  My apologies for this.

Confirmed dgit bug, #1089632, won't be in trixie :)

-- 
Sean Whitton



Reply sent to Sean Whitton <spwhitton@spwhitton.name>:
You have taken responsibility. (Sat, 21 Dec 2024 17:21:05 GMT) (full text, mbox, link).


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 21 Dec 2024 17:21:05 GMT) (full text, mbox, link).


Message #38 received at 1088812-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1088812-close@bugs.debian.org
Subject: Bug#1088812: fixed in libsoup2.4 2.74.3-1+deb12u1
Date: Sat, 21 Dec 2024 17:17:09 +0000
[Message part 1 (text/plain, inline)]
Source: libsoup2.4
Source-Version: 2.74.3-1+deb12u1
Done: Sean Whitton <spwhitton@spwhitton.name>

We believe that the bug you reported is fixed in the latest version of
libsoup2.4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1088812@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton <spwhitton@spwhitton.name> (supplier of updated libsoup2.4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Dec 2024 10:52:05 +0800
Source: libsoup2.4
Architecture: source
Version: 2.74.3-1+deb12u1
Distribution: bookworm
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Sean Whitton <spwhitton@spwhitton.name>
Closes: 1088812 1089238 1089240
Changes:
 libsoup2.4 (2.74.3-1+deb12u1) bookworm; urgency=high
 .
   * Backport upstream fixes for
     - CVE-2024-52530: HTTP request smuggling with null bytes at the end of
       header names (Closes: #1088812)
     - CVE-2024-52531: buffer overflow in soup_header_parse_param_list_strict
       (Closes: #1089240)
     - CVE-2024-52532: infinite loop / potential DoS in reading certain
       data from WebSocket clients (Closes: #1089238).
Checksums-Sha1:
 ad8a4e23ff73a84e5d6436bc65c8ce7e90711f90 3452 libsoup2.4_2.74.3-1+deb12u1.dsc
 43e0dfcd57e8a52f69a01c6d38bfda0ab85a378c 30640 libsoup2.4_2.74.3-1+deb12u1.debian.tar.xz
Checksums-Sha256:
 e093290083dfde935215b00758a5e92132118f93b92b513fe3152140675491cd 3452 libsoup2.4_2.74.3-1+deb12u1.dsc
 c953dd7b7c4f208305909df0c48bfdb58a134d03a9ef20802981951c939b7b51 30640 libsoup2.4_2.74.3-1+deb12u1.debian.tar.xz
Files:
 23b39a83c74e1a8c879353cc820bd766 3452 devel optional libsoup2.4_2.74.3-1+deb12u1.dsc
 0e89635a3bcd872e1d69ffecae9998f6 30640 devel optional libsoup2.4_2.74.3-1+deb12u1.debian.tar.xz


[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Jan 2025 07:24:32 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 23 19:34:31 2026; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.