#21575 closed enhancement (fixed)
Fix several CVEs in libsoup2 (make patch for 12.3 users, and drop)
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 12.4 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
(Thanks to Joe Locash for the report to me privately, more information just became available today so we can now act on this)
Several of the CVEs fixed in libsoup3 are also applicable to libsoup2. I want to drop this package and libgdata at the end of this release cycle unless libgdata gets adapted for libsoup3, but for now we should patch it for users who have libsoup2 installed.
Debian has applied patches at https://sources.debian.org/patches/libsoup2.4/2.74.3-10.1
CVEs include:
- CVE-2024-52530: 7.5 High, HTTP Request Smuggling
- CVE-2024-52531: 8.4 High, remote code execution through a buffer overflow
- CVE-2024-52532: 7.5 High, remotely exploitable denial of service
- CVE-2025-2784: 7.0 High, 1-byte buffer overread, realistically a remotely exploitable denial of service
- CVE-2025-32050: 5.9 Medium, remotely exploitable denial of service
- CVE-2025-32052: 6.5 Medium, remotely exploitable denial of service
- CVE-2025-32053: 6.5 Medium, remotely exploitable denial of service
- CVE-2025-32906: 7.5 High, allows users to remotely crash HTTP servers
- CVE-2025-32909: 6.5 Medium, remotely exploitable denial of service
- CVE-2025-32910: 6.5 Medium, remotely exploitable denial of service
- CVE-2025-32911: 9.0 Critical, remotely exploitable issue that allows for memory corruption
- CVE-2025-32912: 6.5 Medium, remotely exploitable denial of service
- CVE-2025-32914: 7.4 High, remotely exploitable out of bounds read
- CVE-2025-46420: 6.5 Medium, remotely exploitable denial of service due to memory leak
Change History (5)
comment:1 by , 9 months ago
comment:2 by , 9 months ago
| Summary: | Fix several CVEs in libsoup2 → Fix several CVEs in libsoup2 (make patch for 12.3 users, and drop) |
|---|
comment:3 by , 9 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:4 by , 9 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Abiword archived at dc00b707e3cae099ac90603de1d63738bea328ea
uhttpmock (which was only used by libgdata) archived at 1e5421520a1df6ce9a362a35ad57d0e387dfd2b9
libgdata archived at f11ea8f30460c4bb079ffd23f22f246f3f3fa5e9
libsoup2 archived at 2fa076539f8c196ad621e3c8742b21fdb1043863
I did create and test a patch for the security fixes, which will be available to BLFS 12.3 users in the security advisory.
Bruce has suggested dropping libsoup2 completely. This would involve removing the following packages:
and making changes to gst-plugins-bad/good. I think we'll do this, and make the patch available in a security advisory for users who are impacted.