severity 405197 grave
found 405197 2.2.3-2
tag 405197 + security
thanks

On Monday, 1 January 2007 at 18:17 +0100, Roland Lezuo wrote:
> Package: libsoup2.2-8
> Version: 2.2.98-1
> Severity: normal
> 
> There is a segfault in rhythmbox which can be triggered by running
> nessus 2.2.8 against a box running rhythmbox with daap plugin.
> I've built a debug version of libsoup from debian sources, here is the
> trace:
> 
> #0  0x00002b7566eb7d69 in strstr () from /lib/libc.so.6
> #1  0x00002b7562642f76 in soup_headers_parse (str=0x2aaaae5f1800 "GET
> /", len=261, dest=0x1296e00) at soup-headers.c:38

Thanks for your detailed report. This is definitely a remote DoS for any
server code using libsoup2.2-8, but it is not remotely exploitable for
anything other than crashing it. The affected code is the following:

        key = strstr (str, "\r\n");
        key += 2;

        /* join continuation headers, using a comma */
        while ((key = strstr (key, "\r\n"))) {

I'm attaching a fix. The sarge version is vulnerable as well.

> #2  0x00002b7562643537 in soup_headers_parse_request (str=0x2aaaae5f1800
> "GET /", len=261, dest=0x1296e00, req_method=0xd441a8,
> req_path=0x7fff4976b860, ver=0xd44238)
>     at soup-headers.c:160
> #3  0x00002b7562647b3b in parse_request_headers (msg=0xd44190,
>     headers=0x2aaaae5f1800 "GET /", headers_len=261,
>     encoding=0x2aaaae5b6038, content_len=0x2aaaae5b6058, sock=0x951bb0)
>         at soup-message-server-io.c:34
> #4  0x00002b7562646c15 in io_read (sock=0x951bb0, msg=0xd44190)
>       at soup-message-io.c:578
> #5  0x00002b75663df479 in g_closure_invoke () from
>       /usr/lib/libgobject-2.0.so.0
> #6  0x00002b75663eeae1 in g_signal_chain_from_overridden () from
>       /usr/lib/libgobject-2.0.so.0
> #7  0x00002b75663efd95 in g_signal_emit_valist () from
>       /usr/lib/libgobject-2.0.so.0
> #8  0x00002b75663eff73 in g_signal_emit () from
>       /usr/lib/libgobject-2.0.so.0
> #9  0x00002b75626509a2 in socket_read_watch (chan=<value
>       optimized out>, cond=0, user_data=<value optimized out>) at
>       soup-socket.c:1073
> #10 0x00002b7566a8bc73 in g_main_context_dispatch () from
>       /usr/lib/libglib-2.0.so.0
> #11 0x00002b7566a8eabd in g_main_context_check () from
>       /usr/lib/libglib-2.0.so.0
> #12 0x00002b7566a8eda6 in g_main_loop_run () from
>       /usr/lib/libglib-2.0.so.0
> #13 0x00002b75643ed6b2 in IA__gtk_main () at gtkmain.c:1003
> #14 0x000000000042e151 in main ()
> 
> The problem seems to be caused by a binary 0 in the request, I've
> extracted the following string:
> 
> "GET /\0x00.jsp HTTP/1.1\r\n"
>       ^^^^^
>       binary 0

-- 
 .''`.
: :' :      We are debian.org. Lower your prices, surrender your code.
`. `'       We will add your hardware and software distinctiveness to
  `-        our own. Resistance is futile.
--- libsoup/soup-headers.c~	2006-11-05 22:52:59.000000000 +0100
+++ libsoup/soup-headers.c	2007-01-02 18:29:44.973388500 +0100
@@ -32,6 +32,8 @@
 	int offset = 0, lws = 0;
 
 	key = strstr (str, "\r\n");
+	if (!key)
+		return FALSE;
 	key += 2;
 
 	/* join continuation headers, using a comma */
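Review bot: the NULL check stops the crash, but the hunk leaves the mismatch that caused it: the function receives `len` (261 in the trace) yet `strstr (str, "\r\n")` honours only the terminating NUL, so a request with an embedded NUL before its first CRLF is now rejected with FALSE, while a NUL after the first CRLF still makes the continuation loop at `while ((key = strstr (key, "\r\n")))` stop early and silently drop the remaining headers. Consider rejecting the buffer up front when `memchr (str, '\0', len)` finds a NUL inside `len`, or searching with a length-bounded helper instead of strstr, and document that `str` must be NUL-terminated if the strstr calls stay. The `return FALSE` also assumes every caller checks the return value; worth confirming for soup_headers_parse_request, which appears in frame #2 of the trace.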

Attachment: signature.asc
Description: This is a digitally signed message part
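The crash path described in the reply (strstr() stops at the embedded NUL, returns NULL, `key += 2` turns that into the pointer 2, and the next strstr() dereferences it) and a length-bounded alternative, as an added example. This is not libsoup's code, the reporter's, or the patch author's; the function names, the `find_crlf` helper and the three sample requests are constructed for illustration. The "\0x00" in the reporter's string is written here as a real NUL byte.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples. nul_request mirrors the string the reporter
 * extracted: a NUL byte right after "GET /", before the first CRLF. */
static const char good_request[] = "GET /index.jsp HTTP/1.1\r\nHost: x\r\n\r\n";
static const size_t good_request_len = sizeof good_request - 1;

static const char nul_request[] = "GET /\0.jsp HTTP/1.1\r\nHost: x\r\n\r\n";
static const size_t nul_request_len = sizeof nul_request - 1;

/* A NUL after the first CRLF: not the crash case, but shows truncation. */
static const char late_nul_request[] = "GET / HTTP/1.1\r\nHost: a\0b\r\n\r\n";
static const size_t late_nul_request_len = sizeof late_nul_request - 1;

/* Same shape as the quoted code, with the patch's NULL check so it can run.
 * Without that check, key becomes (char *)2 and the loop's strstr() faults.
 * Returns the number of CRLF-terminated lines after the request line, or -1
 * when strstr() sees no CRLF at all. `len` is accepted but, like strstr()
 * itself, ignored: the terminating NUL is the only bound honoured. */
static int header_lines_strstr(const char *str, size_t len)
{
    (void)len;
    const char *key = strstr(str, "\r\n");
    if (!key)
        return -1;                 /* the patch's early return */
    key += 2;
    int lines = 0;
    while ((key = strstr(key, "\r\n"))) {
        lines++;
        key += 2;
    }
    return lines;
}

/* Helper for the hardened variant: search buf[0..len) for CRLF without
 * relying on NUL termination. */
static const char *find_crlf(const char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            return buf + i;
    return NULL;
}

/* Hardened variant (example code, not libsoup's): treat `len` as the real
 * bound, reject an embedded NUL instead of silently truncating at it, and
 * require a CRLF before any pointer arithmetic. Returns the header line
 * count or -1 when the input is rejected. */
static int header_lines_bounded(const char *buf, size_t len)
{
    if (memchr(buf, '\0', len))    /* NUL inside the declared length */
        return -1;
    const char *end = buf + len;
    const char *key = find_crlf(buf, len);
    if (!key)
        return -1;
    key += 2;
    int lines = 0;
    const char *next;
    while ((next = find_crlf(key, (size_t)(end - key)))) {
        lines++;
        key = next + 2;
    }
    return lines;
}

int main(void)
{
    printf("good:     strstr=%d bounded=%d\n",
           header_lines_strstr(good_request, good_request_len),
           header_lines_bounded(good_request, good_request_len));
    printf("nul:      strstr=%d bounded=%d\n",
           header_lines_strstr(nul_request, nul_request_len),
           header_lines_bounded(nul_request, nul_request_len));
    printf("late nul: strstr=%d bounded=%d\n",
           header_lines_strstr(late_nul_request, late_nul_request_len),
           header_lines_bounded(late_nul_request, late_nul_request_len));
    return 0;
}
```

Both variants agree on the well-formed request. On the reporter's request the strstr() version returns -1 only because of the added NULL check; with a NUL after the first CRLF it returns 0 and discards the Host header and the terminating blank line without any error, which is why the bounded variant rejects any NUL inside `len` rather than trusting the C string view of the buffer.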
