Bug 391970 - CVE-2006-5876 Remote DoS in rhythmbox (and anything using libsoup for a server)
Status: RESOLVED FIXED
Product: libsoup
Classification: Core
Component: HTTP Transport
Version: 2.2.x
OS: Other Linux
Priority/Severity: Normal critical
Target Milestone: ---
Assigned To: Dan Winship
Dan Winship
Depends on:
Blocks:
Reported: 2007-01-02 17:39 UTC by Josselin Mouette
Modified: 2007-01-16 21:01 UTC
See Also:
GNOME target: ---
GNOME version: 2.15/2.16


Attachments
Fix for libsoup 2.2.98 (296 bytes, patch)
2007-01-02 17:40 UTC, Josselin Mouette
alternate patch, with regression tests (17.02 KB, patch)
2007-01-05 23:21 UTC, Dan Winship
zero error counts before adding to them (544 bytes, patch)
2007-01-16 19:22 UTC, Michael Wolf

Description Josselin Mouette 2007-01-02 17:39:21 UTC
[ forwarded from http://bugs.debian.org/405197 ]

There is a segfault in rhythmbox which can be triggered by running
nessus 2.2.8 against a box running rhythmbox with daap plugin.
I've built a debug version of libsoup from debian sources, here is the
trace:

  #0  strstr                          from /lib/libc.so.6
  #1  soup_headers_parse              at soup-headers.c line 38
  #2  soup_headers_parse_request      at soup-headers.c line 160
  #3  parse_request_headers           at soup-message-server-io.c line 34
  #4  io_read                         at soup-message-io.c line 578
  #5  g_closure_invoke
  #6  g_signal_chain_from_overridden
  #7  g_signal_emit_valist
  #8  g_signal_emit
  #9  socket_read_watch               at soup-socket.c line 1073
  #10 g_main_context_dispatch
  #11 g_main_context_check
  #12 g_main_loop_run
  #13 IA__gtk_main                    at gtkmain.c line 1003
  #14 main

The problem seems to be caused by a binary 0 in the request, i've
extracted the following string:

"GET /\0x00.jsp HTTP/1.1\r\n"
      ^^^^^
      binary 0
Comment 1 Josselin Mouette 2007-01-02 17:40:34 UTC
Created attachment 79200
Fix for libsoup 2.2.98

The soup_headers_parse function is missing a check after calling strstr. Here is a trivial fix.
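The defect class described above, as an added example that is not libsoup's code: two hypothetical header scanners, one built on strstr() with the missing NULL check restored, and one that honours the buffer length so an embedded NUL cannot hide the header terminator. The function names and the request bytes are constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for a header-block scanner (not libsoup's code).
 * Each returns the offset of the "\r\n\r\n" that ends the headers, or -1
 * when the request must be rejected. */

/* Pattern of the defect: strstr() treats the buffer as a C string and stops
 * at the first NUL byte.  Without the NULL check below, a request carrying a
 * NUL before the terminator makes the caller dereference a NULL pointer. */
static long headers_end_strstr(const char *buf, size_t len)
{
    (void)len;                        /* length is ignored: the weakness */
    const char *end = strstr(buf, "\r\n\r\n");
    if (end == NULL)                  /* the check the trivial fix adds */
        return -1;                    /* reject as malformed, do not crash */
    return (long)(end - buf);
}

/* Length-bounded alternative: scans exactly 'len' bytes with memcmp(), so an
 * embedded NUL neither stops the search nor hides the terminator. */
static long headers_end_bounded(const char *buf, size_t len)
{
    static const char term[] = "\r\n\r\n";
    const size_t tlen = sizeof(term) - 1;
    for (size_t i = 0; i + tlen <= len; i++)
        if (memcmp(buf + i, term, tlen) == 0)
            return (long)i;
    return -1;
}

/* Constructed request in the shape of the report: a NUL byte inside the
 * path ("\0" is the zero byte, sizeof - 1 drops the literal's own NUL). */
static const char bad_req[] = "GET /\0.jsp HTTP/1.1\r\nHost: x\r\n\r\n";
static const size_t bad_len = sizeof(bad_req) - 1;   /* 32 bytes */
static const char good_req[] = "GET /index.html HTTP/1.1\r\n\r\n";
static const size_t good_len = sizeof(good_req) - 1; /* 28 bytes */

/* 1 when the bounded scanner finds a terminator the strstr() path misses. */
static int bounded_beats_strstr(void)
{
    return headers_end_strstr(bad_req, bad_len) == -1 &&
           headers_end_bounded(bad_req, bad_len) >= 0;
}
```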
Comment 2 Loïc Minier 2007-01-05 13:43:53 UTC
Josselin, did the Debian security team provide a CVE id?
Comment 3 Josselin Mouette 2007-01-05 13:46:18 UTC
Nope, I haven't received any input from them yet.
Comment 4 Dan Winship 2007-01-05 23:21:15 UTC
Created attachment 79491
alternate patch, with regression tests

Here's the patch I'll probably commit (with a new regression test to prove that it works, and in fact works better than the old code in several other cases too). If you could test that nessus can't come up with any other exploits against it that would be cool...

This will probably go out on Monday, for GNOME 2.17.5
Comment 5 Dan Winship 2007-01-06 19:26:14 UTC
committed. thanks for the bug report
Comment 6 Loïc Minier 2007-01-11 19:58:35 UTC
Martin Schulze from the Debian Security Team assigned CVE-2006-5876.
Comment 7 Michael Wolf 2007-01-16 19:22:07 UTC
Created attachment 80423
zero error counts before adding to them
Comment 8 Michael Wolf 2007-01-16 19:23:14 UTC
The preceding patch fixes the regression test, which didn't set its error counts to 0 before using them.
Comment 9 Dan Winship 2007-01-16 21:01:10 UTC
sigh. you'd think regression tests would be nice enough to fail when you
write them wrong.

fixed in svn