Your message dated Sat, 12 Apr 2025 19:50:58 +0000
with message-id <[email protected]>
and subject line Bug#1102208: fixed in libsoup2.4 2.74.3-10
has caused the Debian Bug report #1102208,
regarding libsoup2.4: CVE-2025-2784
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1102208: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102208
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsoup2.4
Version: 2.74.3-9
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libsoup/-/issues/422
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libsoup2.4.

CVE-2025-2784[0]:
| A flaw was found in libsoup. The package is vulnerable to a heap
| buffer over-read when sniffing content via the
| skip_insight_whitespace() function. Libsoup clients may read one
| byte out-of-bounds in response to a crafted HTTP response by an HTTP
| server.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-2784
    https://www.cve.org/CVERecord?id=CVE-2025-2784
[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/422

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.16-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
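The report above describes the bug class rather than the code: a content-sniffing loop that skips leading whitespace and reads one byte past the end of the response buffer. The following C snippet is an added illustration of that class and of the guard that closes it; it is not libsoup's code, the function names (skip_ws_unbounded, skip_ws_bounded, demo_*) and the sample buffer are hypothetical, and the bytes placed after the "body" only stand in for whatever would follow a real heap allocation so the demonstration stays inside memory it owns.

```c
/* Added illustration of the bug class behind CVE-2025-2784: a
 * whitespace-skipping loop that trusts "the next byte is significant"
 * instead of the buffer length reads past a non-NUL-terminated HTTP
 * body. NOT libsoup's code; all names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>

/* Whitespace the MIME sniffing algorithm treats as insignificant. */
static int is_insignificant(unsigned char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

/* Unsafe form: halts only on a non-whitespace byte, so an all-whitespace
 * body makes it read beyond `len`. Returns the index of the first
 * significant byte, which can therefore equal or exceed `len`. */
size_t skip_ws_unbounded(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    (void)len;                      /* length ignored: that is the defect */
    while (is_insignificant(buf[i]))
        i++;
    return i;
}

/* Hardened form: the length check runs before every read, so the result
 * is at most `len` and no byte outside the body is ever touched. */
size_t skip_ws_bounded(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len && is_insignificant(buf[i]))
        i++;
    return i;
}

/* Constructed input: a three-byte body of spaces with no terminator.
 * storage[3] and storage[4] model the bytes that happen to sit after the
 * allocation (one more space, then a non-space so the unbounded loop
 * still halts inside this array). Only the first 3 bytes are "ours". */
#define BODY_LEN 3

size_t demo_unbounded(void)
{
    unsigned char storage[5] = { ' ', ' ', ' ', ' ', 'X' };
    return skip_ws_unbounded(storage, BODY_LEN);  /* reads storage[3]: 1 byte past len */
}

size_t demo_bounded(void)
{
    unsigned char storage[5] = { ' ', ' ', ' ', ' ', 'X' };
    return skip_ws_bounded(storage, BODY_LEN);    /* stops exactly at len */
}

int main(void)
{
    printf("unbounded skip reports index %zu (body length %d)\n",
           demo_unbounded(), BODY_LEN);
    printf("bounded skip reports index %zu (body length %d)\n",
           demo_bounded(), BODY_LEN);
    return 0;
}
```

Run under AddressSanitizer with the stand-in bytes removed and the unbounded variant is reported as a heap-buffer-overflow read; the bounded variant is silent, which is the check a reviewer of any sniffing or tokenizing loop should look for.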
--- Begin Message ---
Source: libsoup2.4
Source-Version: 2.74.3-10
Done: Jeremy Bícha <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libsoup2.4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bícha <[email protected]> (supplier of updated libsoup2.4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 12 Apr 2025 15:15:11 -0400
Source: libsoup2.4
Built-For-Profiles: noudeb
Architecture: source
Version: 2.74.3-10
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Jeremy Bícha <[email protected]>
Closes: 1102208 1102212 1102214 1102215
Launchpad-Bugs-Fixed: 2107263
Changes:
 libsoup2.4 (2.74.3-10) unstable; urgency=high
 .
   [ Fabian Toepfer ]
   * SECURITY UPDATE: out-of-bounds read
     - debian/patches/CVE-2025-2784-1.patch: Fix potential overflow
     - debian/patches/CVE-2025-2784-2.patch: Add better coverage of
       skip_insignificant_space()
     - CVE-2025-2784 (Closes: #1102208) (LP: #2107263)
   * SECURITY UPDATE: out-of-bounds read
     - debian/patches/CVE-2025-32050.patch: Fix using int instead of
       size_t for strcspn return
     - CVE-2025-32050 (Closes: #1102212)
   * SECURITY UPDATE: out-of-bounds read
     - debian/patches/CVE-2025-32052.patch: Fix heap buffer overflow in
       soup_content_sniffer_sniff
     - CVE-2025-32052 (Closes: #1102214)
   * SECURITY UPDATE: out-of-bounds read
     - debian/patches/CVE-2025-32053.patch: Fix heap buffer overflow in
       sniff_feed_or_html()
     - CVE-2025-32053 (Closes: #1102215)
Checksums-Sha1:
 4fde94ca1ee2d946606b1dfd6fdadd83afa065be 3374 libsoup2.4_2.74.3-10.dsc
 dcfc60c75ea2a0b51c2c1347663f2a29b398b586 34944 libsoup2.4_2.74.3-10.debian.tar.xz
 f3b3aa08e65fba5881b936999c9adf081e9a5539 13992 libsoup2.4_2.74.3-10_source.buildinfo
Checksums-Sha256:
 623d6be3bdfc1d0b974fc0121d49118ff61cd95ff8e8304803b20a4bcab609f9 3374 libsoup2.4_2.74.3-10.dsc
 88050934e7943dea52820b1f6d904e1a96e31db48cf6899f4d6d413ad61163bd 34944 libsoup2.4_2.74.3-10.debian.tar.xz
 21c005f10a00295f7934b8d887dc7d9e9729f35f6b93c2eb27751c8b98e40097 13992 libsoup2.4_2.74.3-10_source.buildinfo
Files:
 15d2998630b888ed2e9a05580243ab0b 3374 oldlibs optional libsoup2.4_2.74.3-10.dsc
 b4edea6b706ec3e5380cd392785ab511 34944 oldlibs optional libsoup2.4_2.74.3-10.debian.tar.xz
 0e6447ea5ce4a1057e784e68d73e5803 13992 oldlibs optional libsoup2.4_2.74.3-10_source.buildinfo


--- End Message ---