Debian Bug report logs -
#871650
libsoup2.4: CVE-2017-2885: stack based buffer overflow with HTTP Chunked Encoding
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#871650; Package src:libsoup2.4.
(Thu, 10 Aug 2017 12:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Thu, 10 Aug 2017 12:39:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libsoup2.4
Version: 2.48.0-1
Severity: grave
Tags: security patch upstream
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=785774
Control: fixed -1 2.48.0-1+deb8u1
Control: fixed -1 2.56.0-2+deb9u1
Hi,
the following vulnerability was published for libsoup2.4.
CVE-2017-2885[0]:
stack based buffer overflow with HTTP Chunked Encoding
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-2885
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885
[1] https://bugzilla.gnome.org/show_bug.cgi?id=785774
[2] https://git.gnome.org/browse/libsoup/commit/?id=03c91c76daf70ee227f38304c5e45a155f45073d
Regards,
Salvatore
Marked as fixed in versions libsoup2.4/2.48.0-1+deb8u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Thu, 10 Aug 2017 12:39:05 GMT) (full text, mbox, link).
Marked as fixed in versions libsoup2.4/2.56.0-2+deb9u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Thu, 10 Aug 2017 12:39:05 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 10 Aug 2017 12:42:06 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Emilio Pozuelo Monfort <pochu@debian.org>
to control@bugs.debian.org.
(Thu, 10 Aug 2017 16:33:10 GMT) (full text, mbox, link).
Reply sent
to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility.
(Thu, 10 Aug 2017 16:54:04 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 10 Aug 2017 16:54:04 GMT) (full text, mbox, link).
Message #18 received at 871650-close@bugs.debian.org (full text, mbox, reply):
Source: libsoup2.4
Source-Version: 2.56.1-1
We believe that the bug you reported is fixed in the latest version of
libsoup2.4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 871650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated libsoup2.4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 10 Aug 2017 18:29:43 +0200
Source: libsoup2.4
Binary: libsoup2.4-dev libsoup2.4-1 libsoup-gnome2.4-1 libsoup-gnome2.4-dev libsoup2.4-doc gir1.2-soup-2.4
Architecture: source
Version: 2.56.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description:
gir1.2-soup-2.4 - GObject introspection data for the libsoup HTTP library
libsoup-gnome2.4-1 - HTTP library implementation in C -- GNOME support library
libsoup-gnome2.4-dev - HTTP library implementation in C -- GNOME support development fil
libsoup2.4-1 - HTTP library implementation in C -- Shared library
libsoup2.4-dev - HTTP library implementation in C -- Development files
libsoup2.4-doc - HTTP library implementation in C -- API Reference
Closes: 871650
Changes:
libsoup2.4 (2.56.1-1) unstable; urgency=high
.
* New upstream release.
+ CVE-2017-2885: Fixed a chunked decoding buffer overrun that
could be exploited against either clients or servers.
Closes: #871650.
Checksums-Sha1:
20a79357f4d646d383a127cd391d5fe2affb26f8 2706 libsoup2.4_2.56.1-1.dsc
097fb1ad0b30e88b8fc9b924917c9344be2f48a3 1806416 libsoup2.4_2.56.1.orig.tar.xz
5d2e8170c45b0761f179f6bb04789d78194310d1 19044 libsoup2.4_2.56.1-1.debian.tar.xz
778cf401e3eef7a480db6e8c0c5f5cc28be392be 9686 libsoup2.4_2.56.1-1_source.buildinfo
Checksums-Sha256:
0d641a3940842381e7de5a6ed6dc3956a60ac2e3b78d05ab9d215f1e7a0e8df9 2706 libsoup2.4_2.56.1-1.dsc
c32a46d77b4da433b51d8fd09a57a44b198e03bdc93e5219afcc687c7948eac3 1806416 libsoup2.4_2.56.1.orig.tar.xz
7b007ac21c78e0f1d47f2d95bb3fd253cd60c5b4d9301fb7a6a44d07e9b0d592 19044 libsoup2.4_2.56.1-1.debian.tar.xz
ba125c252e878dcf7aacbeeff466d71c5bd7a7965473eff5ea3e495f4c0c7e7d 9686 libsoup2.4_2.56.1-1_source.buildinfo
Files:
aee185a0877d1ed9ec251a3a7067b83c 2706 devel optional libsoup2.4_2.56.1-1.dsc
e8ac8967e9a57296688739021aa71b9b 1806416 devel optional libsoup2.4_2.56.1.orig.tar.xz
2a48dca2b0452ee4fa2d99aca9d69e95 19044 devel optional libsoup2.4_2.56.1-1.debian.tar.xz
efd2648f8feb3068ecaaec38ffa76a8e 9686 devel optional libsoup2.4_2.56.1-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAlmMiigACgkQnUbEiOQ2
gwJWqQ/9Gyg3mhIbJWyCNYIBosJ3HZ2+q4uU1VrAcSXZOIcdvluNh6MdS70HJ9IP
b3QXILZxvwA2QCMYj3qSIT2BGJq1lREZp9HZ8b8U93u7qndYy535JAIUkDuOpm8C
SAeFPKb9S6ivallfLsCpC2KomatrLWkOy6htA2TLSj5J4m0dq3iAOGKnTIUvqVzx
311ctgqd6hpQvShNxKRNu4t8zGie7ZYzCXUU+EZH6v/193rKPgc7PZtAaDMqlzHT
ir04lsOiO2I2U03Tc7Wj9x4H5ujtGMxQPo42Xfkp9X+FkMSsQLtfO0JoO9tl9RBD
a53fxS2c1AhsypDOk4JC1P4rlUSkXe1yxJ5mVJtX8ffDxedBNMp2BLCR3AfzBVwS
qQnitzXBgw7M4yo2567KRysE1by+NE84MugTBoDWVFM6uA6rgHP4Pfy5+HFotDlu
vZe1iNw/XX8tXKjAdr863x8SeCPsCqVpo//UPnJiQytNXWtzyQpPJRnjnYKoxatb
+gg5mZsSfZqCMsRlrCGyg+3uUU+2gDxVtZftx/vRJqow0BVPUdIbVaIrfnfs1Ut/
TrEDnvv1zeXI0EnVPVxGSgtIAGWookvdSnER+owMWSosMXXMSX3A+MzglIYypUWB
//WKrnynEFSsT2mosYu+s2R4ZHeHNHPbBLTzfG+ojRc1exDmodo=
=Ikzm
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 16 Oct 2017 07:27:13 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:33:29 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon