Bug 1100097 - (CVE-2018-12910) VUL-1: CVE-2018-12910: libsoup: Crash in soup_cookie_jar.c:get_cookies() on empty hostnames
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/209444/
CVSSv3:SUSE:CVE-2018-12910:5.3:(AV:N/...
Reported: 2018-07-04 09:44 UTC by Johannes Segitz
Modified: 2021-10-21 14:35 UTC (History)
See Also:
Found By: Security Response Team
Description Johannes Segitz 2018-07-04 09:44:39 UTC
rh#1597980

libsoup through version 2.63.2 is vulnerable to a crash in the soup_cookie_jar.c:get_cookies() when handling empty hostnames.

Upstream Patch: https://gitlab.gnome.org/GNOME/libsoup/commit/db2b0d5809d5f8226d47312b40992cadbcde439f

All codestreams affected.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1597980
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12910
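The crash described above sits in the domain lookup that get_cookies() performs for a request's host. The following C program is an added illustration, not libsoup's code: it models that lookup over a constructed in-memory jar and puts the pre-fix shape (`get_cookies_unguarded`, which reads past the end of the string for an empty host and is therefore never called with one here) next to a version with an early return for NULL or empty hostnames (`get_cookies_guarded`). Only the empty-host check is modelled on the upstream patch linked above as I understand it; the cookie entries, function names, the suffix walk and the flat array standing in for libsoup's per-domain hash table are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not libsoup code: a minimal model of the cookie lookup
 * that soup_cookie_jar.c:get_cookies() performs. Names and data are constructed. */

struct cookie {
    const char *domain; /* host-only cookie: "www.example.com"; domain cookie: ".example.com" */
    const char *name;
};

/* Constructed sample jar, a flat array standing in for libsoup's per-domain table. */
static const struct cookie JAR[] = {
    { "www.example.com", "session"   }, /* host-only, matches www.example.com only */
    { ".example.com",    "pref"      }, /* domain cookie, matches any *.example.com */
    { "other.test",      "unrelated" },
};
#define JAR_LEN (sizeof JAR / sizeof JAR[0])

/* Stand-in for the hash-table lookup: append the names of cookies stored under
 * exactly `key` to names[] (up to max entries) and return the new count. */
static int lookup_domain(const char *key, const char **names, int max, int n)
{
    for (size_t i = 0; i < JAR_LEN; i++) {
        if (strcmp(JAR[i].domain, key) == 0) {
            if (names && n < max)
                names[n] = JAR[i].name;
            n++;
        }
    }
    return n;
}

/* Pre-fix shape (simplified): look up the host itself, then each ".suffix"
 * ("www.example.com" -> ".example.com" -> ".com"). The `cur + 1` assumes the
 * host has at least one character; for host "" it points past the terminating
 * NUL and strchr() reads out of bounds of the heap copy. Never call this with
 * an empty host. */
static int get_cookies_unguarded(const char *host, const char **names, int max)
{
    size_t len = strlen(host);
    char *domain = malloc(len + 1);     /* heap copy, like the g_strdup in libsoup */
    const char *cur;
    int n = 0;
    if (domain == NULL)
        return 0;
    memcpy(domain, host, len + 1);
    cur = domain;
    while (cur) {
        n = lookup_domain(cur, names, max, n);
        cur = strchr(cur + 1, '.');     /* advance to the next ".suffix" */
    }
    free(domain);
    return n;
}

/* Fixed shape: bail out on a NULL or empty host before touching host + 1.
 * (The empty-string check models the upstream fix; the rest is this example's.) */
static int get_cookies_guarded(const char *host, const char **names, int max)
{
    if (host == NULL || host[0] == '\0')
        return 0;                       /* no host, nothing a cookie could match */
    return get_cookies_unguarded(host, names, max);
}

int main(void)
{
    /* Constructed request hosts, including the empty one a URI without a host yields. */
    const char *hosts[] = { "www.example.com", "shop.example.com", "localhost", "" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        const char *names[8];
        int n = get_cookies_guarded(hosts[i], names, 8);
        printf("host \"%s\": %d cookie(s)", hosts[i], n);
        for (int j = 0; j < n && j < 8; j++)
            printf(" %s", names[j]);
        printf("\n");
    }
    return 0;
}
```

Compiling this with `-fsanitize=address` and calling `get_cookies_unguarded("", ...)` directly would make ASan report the out-of-bounds read on the one-byte heap copy, which is the kind of signal the cookies-test run later in this bug is meant to surface; the guarded path returns zero cookies for an empty host without touching the string.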
Comment 3 Swamp Workflow Management 2018-08-06 13:09:06 UTC
SUSE-SU-2018:2204-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1052916,1086036,1100097
CVE References: CVE-2017-2885,CVE-2018-12910
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libsoup-2.62.2-5.7.1
SUSE Linux Enterprise Server 12-SP3 (src):    libsoup-2.62.2-5.7.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libsoup-2.62.2-5.7.1
Comment 4 Swamp Workflow Management 2018-08-10 01:16:53 UTC
openSUSE-SU-2018:2296-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1052916,1086036,1100097
CVE References: CVE-2017-2885,CVE-2018-12910
Sources used:
openSUSE Leap 42.3 (src):    libsoup-2.62.2-8.1
Comment 5 Swamp Workflow Management 2019-01-08 14:09:45 UTC
SUSE-SU-2018:2204-2: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1052916,1086036,1100097
CVE References: CVE-2017-2885,CVE-2018-12910
Sources used:
SUSE OpenStack Cloud 7 (src):    libsoup-2.62.2-5.7.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libsoup-2.62.2-5.7.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libsoup-2.62.2-5.7.1
SUSE Enterprise Storage 4 (src):    libsoup-2.62.2-5.7.1
Comment 6 ming li 2019-03-14 10:27:34 UTC
I'm testing S:M:8130:186368, and I found that the bug might not have been fixed. The validation method is as follows:

testing environment:
OS: sles-modules-15-x86_64

software version:
libsoup-2_4-1                 : 2.62.2-3.3.32
libsoup-devel                 : 2.62.2-3.3.32
libsoup-lang                  : 2.62.2-3.3.32
typelib-1_0-Soup-2_4          : 2.62.2-3.3.32

1. wget https://gitlab.gnome.org/GNOME/libsoup/blob/master/tests/cookies-test.c
Upstream added the test code for cookies_empty_host_test to this cookies-test.c file. We did not add this test code to our own cookies-test.c file, so the issue may not be tested.

2. gcc -fsanitize=address -g cookies-test.c test-utils.c -I/usr/include/libsoup-2.4/ -I/usr/include/glib-2.0/ -I/usr/lib64/glib-2.0/include/ -lsoup-2.4 -lgio-2.0 -lgobject-2.0 -lglib-2.0 -o CVE-2018-12910

3. gdb -r CVE-2018-12910

4. 
Reading symbols from CVE-2018-12910...expanding to full symbols...done.
(gdb) r
Starting program: /usr/src/packages/BUILD/libsoup-2.62.2/tests/CVE-2018-12910 
Missing separate debuginfo for /usr/lib64/libsoup-2.4.so.1
Try: zypper install -C "debuginfo(build-id)=06b6104a4e58138628a24c1dee7c130583fa9ec4"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
==6915==AddressSanitizer: failed to intercept '__isoc99_printf'
==6915==AddressSanitizer: failed to intercept '__isoc99_sprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_snprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_fprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_vprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
==6915==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
==6915==AddressSanitizer: libc interceptors initialized
|| `[0x10007fff8000, 0x7fffffffffff]` || HighMem    ||
|| `[0x02008fff7000, 0x10007fff7fff]` || HighShadow ||
|| `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap  ||
|| `[0x00007fff8000, 0x00008fff6fff]` || LowShadow  ||
|| `[0x000000000000, 0x00007fff7fff]` || LowMem     ||
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00 0x02008fff6fff
redzone=16
max_redzone=2048
quarantine_size_mb=256M
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x7fff8000
==6915==Installed the sigaction for signal 11
==6915==Installed the sigaction for signal 7
==6915==Installed the sigaction for signal 8
==6915==T0: stack [0x7fffff7ff000,0x7ffffffff000) size 0x800000; local=0x7fffffffe0ec
==6915==LeakSanitizer: Dynamic linker not found. TLS will not be handled correctly.
==6915==AddressSanitizer Init done
[New Thread 0x7fffee334700 (LWP 6919)]
==6915==T1: stack [0x7fffedb35000,0x7fffee333e00) size 0x7fee00; local=0x7fffee333d1c
/cookies/accept-policy: [New Thread 0x7fffedb33700 (LWP 6920)]
==6915==T2: stack [0x7fffed334000,0x7fffedb32e00) size 0x7fee00; local=0x7fffedb32d1c
OK
/cookies/accept-policy-subdomains: **
ERROR:cookies-test.c:203:do_cookies_subdomain_policy_test: assertion failed (g_slist_length (cookies) == 5): (6 == 5)
FAIL
/cookies/parsing: OK
/cookies/remove-feature: 
(CVE-2018-12910:6915): GLib-GObject-WARNING **: invalid unclassed pointer in cast to 'SoupCookieJar'

Thread 1 "CVE-2018-12910" received signal SIGTRAP, Trace/breakpoint trap.
_g_log_abort (breakpoint=breakpoint@entry=1) at gmessages.c:554
554	}

5. make check
PASS: cookies-test 1 /cookies/accept-policy
FAIL: cookies-test 2 /cookies/accept-policy-subdomains
PASS: cookies-test 3 /cookies/parsing
ERROR: cookies-test - too few tests run (expected 6, got 3)
ERROR: cookies-test - exited with status 133 (terminated by signal 5?)
...

This test result also exists in SLES12-SP3.
Comment 7 Martin Pluskal 2019-04-11 10:03:29 UTC
(In reply to ming li from comment #6)
> I'm testing S:M:8130:186368, I found that the bug might not have been fixed.
> The validation method is as follows:
Well, is the output before the update was applied the same or different?
Comment 9 ming li 2019-04-12 02:51:57 UTC
(In reply to Martin Pluskal from comment #7)
> (In reply to ming li from comment #6)
> > I'm testing S:M:8130:186368, I found that the bug might not have been fixed.
> > The validation method is as follows:
> Well and is the output before update applied same or different?

Following my instructions, the output before and after is the same.
Comment 10 ming li 2019-04-12 05:25:57 UTC
What should I do next with this S:M:8130:186368 update? Reject or wait for feedback?
Comment 12 Marcus Meissner 2019-04-19 18:05:46 UTC
The testcase as downloaded does not match the sources we are using.

I used the testcase from the libsoup we are testing and that works fine.

So I think we can proceed.
Comment 13 Swamp Workflow Management 2019-05-02 22:11:06 UTC
openSUSE-SU-2019:1310-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1100097
CVE References: CVE-2018-12910
Sources used:
openSUSE Leap 15.0 (src):    libsoup-2.62.2-lp150.2.3.1
Comment 14 Michael Gorse 2019-05-22 18:32:22 UTC
Is this still outstanding, or has the update been released?
Comment 15 Marcus Meissner 2019-05-23 09:12:20 UTC
we resolved it ... the testcase and the library were not in sync.

it was released meanwhile.

we are still tracking it for 

libsoup on
SUSE:SLE-10-SP3:Update
SUSE:SLE-11-SP1:Update
SUSE:SLE-11-SP2:Update 

can you check if we need it there?