The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of libsoup: denial of service via a GET

Synthesis of the vulnerability 

An attacker can use a malformed request to cause a denial of service in software built with libsoup.
Vulnerable products: Debian, Fedora, Mandriva Linux, Unix (platform) ~ not comprehensive.
Severity of this weakness: 2/4.
Creation date: 15/01/2007.
References of this bulletin: 405197, BID-22034, CVE-2006-5876, DSA-1248-1, FEDORA-2007-109, MDKSA-2007:029, VIGILANCE-VUL-6468.

Description of the vulnerability 

The libsoup library implements the HTTP protocol.

An HTTP GET request has the following general syntax:
  GET /file HTTP/version

When the file name contains a null character, libsoup incorrectly computes the size of the data, which generates an error.

A remote attacker can thus stop applications built with libsoup from providing a web service.
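
A defensive check for the condition described above, as an added example (not libsoup's code or its patch): a request-line parser that works from the received byte count and rejects any embedded null byte. The bulletin does not show the faulty computation, so this assumes the general case where a C-string length stops at the null byte while the received length does not; `parse_get_path`, `MAX_LINE` and the sample requests are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 8192  /* assumed cap on request-line length */

/* Hypothetical helper, not a libsoup API. buf[0..len) holds the bytes read
 * from the socket. Returns the path length and sets *path, or -1 to reject. */
int parse_get_path(const char *buf, size_t len, const char **path)
{
    /* Find the end of the request line inside the received bytes only. */
    const char *eol = memchr(buf, '\n', len);
    if (eol == NULL || (size_t)(eol - buf) > MAX_LINE)
        return -1;
    size_t line_len = (size_t)(eol - buf);
    if (line_len > 0 && buf[line_len - 1] == '\r')
        line_len--;

    /* An embedded NUL makes strlen() disagree with line_len: reject it
     * before any C-string function can see the line. */
    if (memchr(buf, '\0', line_len) != NULL)
        return -1;

    if (line_len < 4 || memcmp(buf, "GET ", 4) != 0)
        return -1;
    const char *p = buf + 4;
    size_t rest = line_len - 4;
    /* The path runs to the next space and must start with '/'. */
    const char *sp = memchr(p, ' ', rest);
    if (sp == NULL || p[0] != '/')
        return -1;
    size_t path_len = (size_t)(sp - p);
    /* What follows the space must look like "HTTP/version". */
    size_t ver_len = rest - path_len - 1;
    if (ver_len < 6 || memcmp(sp + 1, "HTTP/", 5) != 0)
        return -1;
    *path = p;
    return (int)path_len;
}

int main(void)
{
    /* Constructed sample request lines; the second carries a NUL byte. */
    static const char ok[]  = "GET /index.html HTTP/1.1\r\n";
    static const char bad[] = "GET /a\0b HTTP/1.1\r\n";
    const char *path;
    printf("ok:  %d\n", parse_get_path(ok, sizeof ok - 1, &path));
    printf("bad: %d (strlen=%zu, received=%zu)\n",
           parse_get_path(bad, sizeof bad - 1, &path), strlen(bad), sizeof bad - 1);
    return 0;
}
```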

This vulnerability alert impacts software or systems such as Debian, Fedora, Mandriva Linux, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this computer weakness alert is medium.

The trust level is "confirmed by the editor", and the attack origin is "intranet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this computer vulnerability.

Solutions for this threat 

libsoup: version 2.2.99.
Version 2.2.99 fixes this vulnerability:
  http://ftp.gnome.org/pub/gnome/sources/libsoup/2.2/

Debian: new libsoup packages.
New packages are available:
  AMD64 architecture:
    http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-7_2.2.3-2sarge1_amd64.deb
      Size/MD5 checksum: 109672 d36f765bcd4bf336f9dfd3efa93aca01
    http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.3-2sarge1_amd64.deb
      Size/MD5 checksum: 137628 48e8ae141d696f82c38a8e4464da7624
  Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-7_2.2.3-2sarge1_i386.deb
      Size/MD5 checksum: 103256 cc59e5bfe0236843a9f035e21084472e
    http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.3-2sarge1_i386.deb
      Size/MD5 checksum: 124718 1a9f5949d15ee315df06dd7d4f030bad
  Intel IA-64 architecture:
    http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-7_2.2.3-2sarge1_ia64.deb
      Size/MD5 checksum: 137120 3036044195764214e74f6e94e557f373
    http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.3-2sarge1_ia64.deb
      Size/MD5 checksum: 180256 48c1f4958dd773f963228874cf3b0493

Fedora Core 6: new libsoup packages.
New packages are available:
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/

Mandriva: new libsoup packages.
New packages are available:
 