Control: retitle -1 libsoup3: CVE-2025-32049: denial of service via memory exhaustion with large fragmented WebSocket messages
Control: found -1 3.0.4-1

On Fri, 04 Apr 2025 at 15:00:10 +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for libsoup3.
>
> CVE-2025-32049[0]:
> | A flaw was found in libsoup. The SoupWebsocketConnection may accept
> | a large WebSocket message, which may cause libsoup to allocate
> | memory and lead to a denial of service (DoS).

I suspect that all versions are vulnerable to this, so I'm marking this as found in the oldest upload of libsoup3 to Debian.

A mitigation has been proposed upstream but it takes the form of an arbitrary limit, and the default is "no limit" due to compatibility concerns: upstream wrote "We're not sure about the compatibility implications of having a default size limit for clients". As a result, applications that use libsoup will still be vulnerable to this (if they use WebSockets) even after the proposed mitigation is merged, unless they explicitly set a limit.

The merge request is also not suitable for merge because it contains conflicts vs. subsequent upstream changes.

I suspect that upstream is not intending to fix this in 3.6.x at all, only in 3.7.x via the addition of new API. I don't think we should rush to address this in trixie, and definitely not in bookworm. The LTS team seem to have come to a similar conclusion: they tried to backport the proposed mitigation, but then reverted that change.

    smcv
    (a GNOME team member but not a libsoup expert)
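
The following is an added example, not part of the message above and not libsoup code: a sketch in C of RFC 6455 fragment accounting, showing why a per-frame cap alone does not bound a fragmented message and what an explicit total-size limit changes. The struct, function names and limit values are hypothetical, and the frames are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical reassembly state; names are illustrative, not libsoup's API. */
struct reasm {
    uint64_t max_frame;  /* per-frame payload cap */
    uint64_t max_total;  /* cap on the whole reassembled message, 0 = no limit */
    uint64_t total;      /* bytes buffered for the message in progress */
    int in_message;      /* a fragmented message is open */
};
enum { WS_MORE = 0, WS_DONE = 1, WS_PROTOCOL_ERROR = 1002, WS_TOO_BIG = 1009 };

/* Decode the payload length from an RFC 6455 frame header; -1 if truncated. */
static int frame_len(const uint8_t *h, size_t n, uint64_t *len)
{
    if (n < 2) return -1;
    unsigned l7 = h[1] & 0x7f, ext = l7 == 126 ? 2 : l7 == 127 ? 8 : 0;
    if (n < 2 + ext) return -1;
    *len = ext ? 0 : l7;
    for (unsigned i = 0; i < ext; i++) *len = (*len << 8) | h[2 + i];
    return 0;
}

/* Account for one frame header before any of its payload is buffered. */
int reasm_feed(struct reasm *r, const uint8_t *h, size_t n)
{
    uint64_t len;
    if (frame_len(h, n, &len) < 0) return WS_PROTOCOL_ERROR;
    unsigned opcode = h[0] & 0x0f;
    if (opcode >= 8) return WS_MORE;  /* control frames are not reassembled */
    if (opcode > 2 || (opcode == 0) != (r->in_message != 0)) return WS_PROTOCOL_ERROR;
    if (len > r->max_frame) return WS_TOO_BIG;
    /* Cumulative check, phrased so that total + len cannot overflow. */
    if (r->max_total && len > r->max_total - r->total) return WS_TOO_BIG;
    r->total += len;
    r->in_message = !(h[0] & 0x80);       /* FIN clear: more fragments follow */
    if (!r->in_message) r->total = 0;     /* message delivered, buffer released */
    return r->in_message ? WS_MORE : WS_DONE;
}

/* Constructed input: `count` non-final binary fragments of `frag` bytes each. */
int feed_fragments(struct reasm *r, unsigned count, uint16_t frag)
{
    for (unsigned i = 0; i < count; i++) {
        uint8_t h[4] = { r->in_message ? 0x00 : 0x02, 126, (uint8_t)(frag >> 8), (uint8_t)(frag & 0xff) };
        int rc = reasm_feed(r, h, sizeof h);
        if (rc != WS_MORE) return rc;
    }
    return WS_MORE;
}
```

With `max_total` left at 0, a peer that never sets FIN keeps the buffered total growing even though every frame passes the per-frame check; with a limit set, the connection is closed with 1009 before the offending fragment is buffered.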
