Debian Bug report logs - #941912
libsoup2.4: CVE-2019-17266


Package: src:libsoup2.4; Maintainer for src:libsoup2.4 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 7 Oct 2019 14:45:02 UTC

Severity: important

Tags: security, upstream

Found in versions libsoup2.4/2.65.91-1, libsoup2.4/2.68.1-2

Fixed in version libsoup2.4/2.68.2-1

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://gitlab.gnome.org/GNOME/libsoup/issues/173



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#941912; Package src:libsoup2.4. (Mon, 07 Oct 2019 14:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Mon, 07 Oct 2019 14:45:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsoup2.4: CVE-2019-17266
Date: Mon, 07 Oct 2019 16:43:28 +0200
Source: libsoup2.4
Version: 2.68.1-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libsoup/issues/173

Hi,

The following vulnerability was published for libsoup2.4.

CVE-2019-17266[0]:
| libsoup through 2.68.1 has a heap-based buffer over-read because
| soup_ntlm_parse_challenge() in soup-auth-ntlm.c does not properly
| check an NTLM message's length before proceeding with a memcpy.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17266
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17266
[1] https://gitlab.gnome.org/GNOME/libsoup/issues/173

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

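The CVE text above names the bug pattern (an NTLM message length that is not checked before a memcpy) but not the message layout it trips over. The following is an added illustration and not libsoup's code: a minimal parser for an NTLM CHALLENGE_MESSAGE (Type 2) written in the vulnerable shape beside a length-checked one. The field offsets follow the MS-NLMP layout; the function names, the constructed sample message, the scenario helpers and the 4096-byte TargetInfo cap are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of an NTLM CHALLENGE_MESSAGE (Type 2), per MS-NLMP:
 *  0..7 "NTLMSSP\0"   8..11 MessageType (2)   12..19 TargetName fields
 * 20..23 flags       24..31 ServerChallenge   32..39 reserved
 * 40..47 TargetInfo fields (Len u16, MaxLen u16, Offset u32)
 * The Version field at 48..55 is optional, so 48 bytes is the minimum. */
#define NTLM_HEADER_LEN 48
#define NTLM_NONCE_OFF  24
#define NTLM_NONCE_LEN  8
#define NTLM_TINFO_OFF  40
#define NTLM_TINFO_MAX  4096   /* cap chosen for this example, not from the spec */

static const uint8_t NTLM_SIG[8] = { 'N', 'T', 'L', 'M', 'S', 'S', 'P', 0 };

typedef struct {
    uint8_t nonce[NTLM_NONCE_LEN];
    uint8_t target_info[NTLM_TINFO_MAX];
    size_t  target_info_len;
} ntlm_challenge;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: the wire header is trusted and `len` is never consulted, so
 * a message shorter than 48 bytes, or a TargetInfo offset/length pointing past
 * the end, makes the memcpy calls read beyond `msg`. Kept for comparison only;
 * never feed it untrusted input. */
static void parse_challenge_unchecked(const uint8_t *msg, size_t len, ntlm_challenge *out)
{
    (void)len;
    memcpy(out->nonce, msg + NTLM_NONCE_OFF, NTLM_NONCE_LEN);
    uint16_t ti_len = rd16(msg + NTLM_TINFO_OFF);
    uint32_t ti_off = rd32(msg + NTLM_TINFO_OFF + 4);
    memcpy(out->target_info, msg + ti_off, ti_len);
    out->target_info_len = ti_len;
}

/* Hardened shape: every value read from the wire is checked against `len`
 * before it reaches a memcpy. Returns false on any malformed message. */
static bool parse_challenge_checked(const uint8_t *msg, size_t len, ntlm_challenge *out)
{
    if (msg == NULL || out == NULL || len < NTLM_HEADER_LEN)
        return false;
    if (memcmp(msg, NTLM_SIG, sizeof NTLM_SIG) != 0 || rd32(msg + 8) != 2)
        return false;
    memcpy(out->nonce, msg + NTLM_NONCE_OFF, NTLM_NONCE_LEN);

    uint16_t ti_len = rd16(msg + NTLM_TINFO_OFF);
    uint32_t ti_off = rd32(msg + NTLM_TINFO_OFF + 4);
    /* Check the offset on its own first so that `len - ti_off` cannot underflow. */
    if (ti_off > len || ti_len > len - ti_off || ti_len > NTLM_TINFO_MAX)
        return false;
    memcpy(out->target_info, msg + ti_off, ti_len);
    out->target_info_len = ti_len;
    return true;
}

/* Constructed sample: 48-byte header, no Version field, then a 4-byte TargetInfo
 * payload (one MsvAvEOL AV_PAIR) at offset 48. TargetInfo Len and Offset come
 * from the caller so that malformed variants can be built from the same code. */
static size_t build_challenge(uint8_t *buf, size_t cap, uint16_t ti_len, uint32_t ti_off)
{
    static const uint8_t av_eol[4] = { 0, 0, 0, 0 };
    size_t total = NTLM_HEADER_LEN + sizeof av_eol;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    memcpy(buf, NTLM_SIG, sizeof NTLM_SIG);
    buf[8]  = 2;                                 /* MessageType, little-endian */
    buf[16] = NTLM_HEADER_LEN;                   /* empty TargetName at offset 48 */
    for (int i = 0; i < NTLM_NONCE_LEN; i++)     /* ServerChallenge: A0..A7 */
        buf[NTLM_NONCE_OFF + i] = (uint8_t)(0xA0 + i);
    buf[40] = buf[42] = (uint8_t)(ti_len & 0xFF);   /* TargetInfo Len, MaxLen */
    buf[41] = buf[43] = (uint8_t)(ti_len >> 8);
    for (int i = 0; i < 4; i++)                  /* TargetInfo Offset */
        buf[44 + i] = (uint8_t)(ti_off >> (8 * i));
    memcpy(buf + NTLM_HEADER_LEN, av_eol, sizeof av_eol);
    return total;
}

/* Scenario helpers: each returns 1 when the parsers behave as intended. */
static int scenario_wellformed(void)
{
    uint8_t buf[64];
    ntlm_challenge c, u;
    size_t n = build_challenge(buf, sizeof buf, 4, NTLM_HEADER_LEN);
    if (n != 52 || !parse_challenge_checked(buf, n, &c))
        return 0;
    parse_challenge_unchecked(buf, n, &u);       /* safe here: input is well-formed */
    return c.target_info_len == 4 && c.nonce[0] == 0xA0 && c.nonce[7] == 0xA7
        && memcmp(c.nonce, u.nonce, NTLM_NONCE_LEN) == 0;
}

static int scenario_truncated(void)
{
    uint8_t buf[64];
    ntlm_challenge c;
    size_t n = build_challenge(buf, sizeof buf, 4, NTLM_HEADER_LEN);
    /* Pretend only 20 bytes arrived: signature and type are intact, the nonce
     * and TargetInfo fields are not. The unchecked parser would read past
     * byte 20; the checked one refuses before touching them. */
    return n == 52 && !parse_challenge_checked(buf, 20, &c);
}

static int scenario_target_info_overrun(void)
{
    uint8_t buf[64];
    ntlm_challenge c;
    size_t n = build_challenge(buf, sizeof buf, 64, NTLM_HEADER_LEN);  /* Len past end */
    if (n == 0 || parse_challenge_checked(buf, n, &c))
        return 0;
    n = build_challenge(buf, sizeof buf, 4, 1000);                    /* Offset past end */
    return n != 0 && !parse_challenge_checked(buf, n, &c);
}

int main(void)
{
    printf("well-formed challenge parsed:     %s\n", scenario_wellformed() ? "yes" : "no");
    printf("truncated challenge rejected:     %s\n", scenario_truncated() ? "yes" : "no");
    printf("out-of-range TargetInfo rejected: %s\n", scenario_target_info_overrun() ? "yes" : "no");
    return 0;
}
```

The example never calls parse_challenge_unchecked() on a truncated buffer; doing so is the over-read the CVE describes, and a build with -fsanitize=address will report it if you try. Note the order of the bounds test in the checked parser: the offset is compared against the length first so that the subtraction used for the length check cannot wrap.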


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#941912; Package src:libsoup2.4. (Wed, 09 Oct 2019 10:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Claudio Saavedra <csaavedra@igalia.com>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 09 Oct 2019 10:51:03 GMT) (full text, mbox, link).


Message #10 received at 941912@bugs.debian.org (full text, mbox, reply):

From: Claudio Saavedra <csaavedra@igalia.com>
To: 941912@bugs.debian.org
Subject: Re: libsoup2.4: CVE-2019-17266
Date: Wed, 09 Oct 2019 13:10:04 +0300
On Mon, 07 Oct 2019 16:43:28 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:

> Please adjust the affected versions in the BTS as needed.

I'm the libsoup maintainer. This bug affects libsoup from 2.65.1 until
2.68.1; previous versions are unaffected. I just uploaded upstream new
packages fixing this vulnerability for the 2.66 and 2.68 series (2.66.4
and 2.68.2, respectively).

Claudio




Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#941912. (Wed, 09 Oct 2019 11:21:06 GMT) (full text, mbox, link).


Message #13 received at 941912-submitter@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <noreply@salsa.debian.org>
To: 941912-submitter@bugs.debian.org
Subject: Bug#941912 marked as pending in libsoup
Date: Wed, 09 Oct 2019 11:16:37 +0000
Control: tag -1 pending

Hello,

Bug #941912 in libsoup reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/gnome-team/libsoup/commit/a1dfa0953116346e91d240f7b70fb6dc55393fff

------------------------------------------------------------------------
New upstream release (CVE-2019-17266)

Closes: #941912
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/941912



Added tag(s) pending. Request was from Simon McVittie <noreply@salsa.debian.org> to 941912-submitter@bugs.debian.org. (Wed, 09 Oct 2019 11:21:06 GMT) (full text, mbox, link).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Wed, 09 Oct 2019 14:39:15 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 09 Oct 2019 14:39:15 GMT) (full text, mbox, link).


Message #20 received at 941912-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 941912-close@bugs.debian.org
Subject: Bug#941912: fixed in libsoup2.4 2.68.2-1
Date: Wed, 09 Oct 2019 14:38:04 +0000
Source: libsoup2.4
Source-Version: 2.68.2-1

We believe that the bug you reported is fixed in the latest version of
libsoup2.4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 941912@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated libsoup2.4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 09 Oct 2019 12:23:19 +0100
Source: libsoup2.4
Architecture: source
Version: 2.68.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 941912
Changes:
 libsoup2.4 (2.68.2-1) unstable; urgency=medium
 .
   * Team upload
   * d/gbp.conf: Switch branch to debian/unstable.
     We should upload the fix for CVE-2019-17266 to unstable, but
     the debian/master branch already has a version waiting for NEW
     processing.
   * New upstream release (CVE-2019-17266) (Closes: #941912)
   * libsoup-gnome2.4-dev: Explicitly depend on gir1.2-soup-2.4.
     According to the GIR mini-policy, this is required because
     gir1.2-soup-2.4 contains SoupGNOME-2.4.typelib, corresponding to
     SoupGNOME-2.4.gir in libsoup-gnome2.4-dev. This dependency is not in
     fact strictly necessary, because libsoup-gnome2.4-dev depends on
     libsoup2.4-dev which in turn depends on gir1.2-soup-2.4, but Lintian
     doesn't look at recursive dependencies.
   * libsoup2.4-doc.links: Create symlinks to documentation in /usr/share/doc.
     The actual documentation files remain in /usr/share/gtk-doc/html,
     because they are technically a programmatic interface: other libraries
     that depend on libsoup2.4 and use gtk-doc will use that path to fix
     cross-references in their own documentation.
     There are symlinks in both /u/s/d/libsoup2.4-dev (the "main package"
     in Policy §12.3), and /u/s/d/libsoup2.4-doc (the traditional location
     for documentation).
   * libsoup2.4-doc: Add Recommends: libglib2.0-doc, for the cross-references.
     The libsoup2.4 documentation contains many cross-references to GLib,
     GObject and GIO documentation. Add symlinks in /usr/share/doc so that
     those cross-references can be followed, even in browsers that treat
     symlinks like directories for the purposes of resolving relative paths.
   * d/libsoup2.4-doc.doc-base: Use the symlinks in /usr/share/doc.
     This is functionally equivalent to what we already had, but silences
     a Lintian error.
   * Standards-Version: 4.4.1 (no changes required)
   * d/copyright: Update
   * d/p/xmlrpc-tests-Cope-with-GLib-2.62-TAP-output.patch:
     Add proposed patch to fix test failures with GLib 2.62
   * Explicitly build-depend on libapache2-mod-php, PHP 7 and Python 3.
     The script that checks for the required PHP version is written in
     Python 3 and specifically looks for a php7* module. It seems that in
     practice the dependency resolver used on unstable buildds will always
     select libapache2-mod-php anyway, but the resolver used on
     experimental buildds can select the -cgi or -fpm implementations,
     which are not detected, resulting in the necessary files for some of
     the installed-tests not being installed.
   * Add lintian overrides for the binary package names not precisely
     matching the SONAMEs.
     They're close enough to achieve the goal of the mechanically-generated
     naming convention, and changing them now (other than at the time of an
     upstream SONAME bump) seems like more disruption than it's worth.
Checksums-Sha1: 
 abf53f57a81a7ede3147209fc434142be2befc1c 2954 libsoup2.4_2.68.2-1.dsc
 38e489cf0d37a478a77d1bba278bfd2a47ac249a 1467072 libsoup2.4_2.68.2.orig.tar.xz
 af2f2bc20571c05fc8c3eefe3560bd2be37276c8 21696 libsoup2.4_2.68.2-1.debian.tar.xz
Checksums-Sha256: 
 b4012179156c8a07e8aee3bb2410fa7df6865515d3cfcee6370e17a57fc02fc4 2954 libsoup2.4_2.68.2-1.dsc
 51ad3001a946fe3bcf29b692dc9ffe05cdf702ea6ca0ee8c3099a99a2f4e3933 1467072 libsoup2.4_2.68.2.orig.tar.xz
 e02332d4a2d323affe4644a97adbf5296a0f3b76390ec9b0b7fdda67ae6bafcb 21696 libsoup2.4_2.68.2-1.debian.tar.xz
Files: 
 c8edf5d0332ebc6cb8cdc85e3e5b3dd2 2954 devel optional libsoup2.4_2.68.2-1.dsc
 8e3430458be72547d890d0bf914dd125 1467072 devel optional libsoup2.4_2.68.2.orig.tar.xz
 049eb8da6ebcdb73fbf65c3fe2e806d0 21696 devel optional libsoup2.4_2.68.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAl2d5OYACgkQ4FrhR4+B
TE91+xAAqL/Qf8EB+wIpTAJXGSMBe8MYbXV2AEAk2hMxaP59DPciheu7S/Y1Kcwh
8nBhlYVAksj7xZvMm3XJhbVRMjoMfiWZPc9qQhIaro/nNbD+X8QNXJ/GDaF62dKy
M2AbKkXdQ63DMUpFm2XEfryMvvbfQp7uW+aOY6XS6xFHAVIyfjQdQ3raI09ZAxAN
MI/7mmzsq2pZQXueAtb/VSl7qZxiB0B9YLcZ9exWgzvI14vO270cGhzm485LVaCK
jLFVyEooX+p8Jd5LUOSdG0K8eXpfKRWKkwo1kJeWSdjsPQtXxgDP7aW9Q5fyqSep
GrPKBNhVpGTNwHBwlsO0hhDzVYfK357vwbbeAb+LIjPY8M2Sac5MgxdQt7RZQmgK
9VPBPZCDUUGt+t3dGHmGZIfD6mo1bdnZeqt8IJi/u0m6nmscvLaH4huYwY1uX+ZW
aqXRklupN49txvZfknV/kCFROl+KHug6j6u7qpmn+IgeiY57/MajKXHHULKkp1GN
rQ3aVioRgFKmx6PggW1mHVykRcPUdJvRgnOocShMQQ30BXI+V9w7YMiUodPaP8cV
I/XfmZAHj2j8Nh4ZaWYDgNlOibTl0lZSiiGabJnufSLWi35w1vD6/FN88tYKAf1m
nCBxRXN2oA9H+JO+UPzPd7Jrh2EOFuZbqcb0Zn6RTYt9cB2XlVU=
=Ka2e
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#941912; Package src:libsoup2.4. (Wed, 09 Oct 2019 18:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 09 Oct 2019 18:51:03 GMT) (full text, mbox, link).


Message #25 received at 941912@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Claudio Saavedra <csaavedra@igalia.com>, 941912@bugs.debian.org
Subject: Re: Bug#941912: libsoup2.4: CVE-2019-17266
Date: Wed, 9 Oct 2019 20:48:31 +0200
Hi Claudio,

On Wed, Oct 09, 2019 at 01:10:04PM +0300, Claudio Saavedra wrote:
> On Mon, 07 Oct 2019 16:43:28 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> 
> > Please adjust the affected versions in the BTS as needed.
> 
> I'm the libsoup maintainer. This bug affects libsoup from 2.65.1 until
> 2.68.1; previous versions are unaffected. I just uploaded upstream new
> packages fixing this vulnerability for the 2.66 and 2.68 series (2.66.4
> and 2.68.2, respectively).

Thanks for this information, so I'm updating the tracker information.
While at it, I'm pretty sure
https://gitlab.gnome.org/GNOME/libsoup/issues/173 was previously
accessible, but now it is not anymore (I was wondering about the
reason).

Regards,
Salvatore



Marked as found in versions libsoup2.4/2.65.91-1. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Wed, 09 Oct 2019 19:03:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#941912; Package src:libsoup2.4. (Thu, 10 Oct 2019 07:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Claudio Saavedra <csaavedra@igalia.com>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 10 Oct 2019 07:51:03 GMT) (full text, mbox, link).


Message #32 received at 941912@bugs.debian.org (full text, mbox, reply):

From: Claudio Saavedra <csaavedra@igalia.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 941912@bugs.debian.org
Subject: Re: Bug#941912: libsoup2.4: CVE-2019-17266
Date: Thu, 10 Oct 2019 10:47:44 +0300
On Wed, 2019-10-09 at 20:48 +0200, Salvatore Bonaccorso wrote:
> 
> Thanks for this information, so I'm updating the tracker information.

Thank you.

> While at it, I'm pretty sure
> https://gitlab.gnome.org/GNOME/libsoup/issues/173 was previously
> accessible, but now it is not anymore (I was wondering about the
> reason).

I decided to mark it confidential considering the nature of the issue.
Feel free to contact me privately if you want/need to access it.

Claudio





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 Nov 2019 07:25:25 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 05:11:01 2025; Machine Name: buxtehude
