Your message dated Thu, 14 Aug 2025 07:58:32 +0200
with message-id <[email protected]>
and subject line Re: Bug#1110607: libsoup3: CVE-2025-8197: out-of-bounds read 
in soup_header_name_to_string()
has caused the Debian Bug report #1110607,
regarding libsoup3: CVE-2025-8197: out-of-bounds read in 
soup_header_name_to_string()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1110607: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110607
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsoup3
Version: 3.6.5-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libsoup3.

CVE-2025-8197[0]:
| A global buffer overflow vulnerability was found in the
| soup_header_name_to_string function in Libsoup. The
| `soup_header_name_to_string` function does not validate the `name`
| parameter passed in, and directly accesses
| `soup_header_name_strings[name]`. The value of `name` is
| controllable, when `name` exceeds the index range of
| `soup_headr_name_string`, it will cause an out-of-bounds access.

There is only one reference to the Red Hat Bugzilla, and I have not
found an upstream issue or a merge request referencing the CVE, can
you double-check?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-8197
    https://www.cve.org/CVERecord?id=CVE-2025-8197
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2383525

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Hi Simon,

On Tue, Aug 12, 2025 at 12:51:03PM +0100, Simon McVittie wrote:
> Control: retitle -1 libsoup3: CVE-2025-8197: out-of-bounds read in 
> soup_header_name_to_string()
> Control: forwarded -1 https://gitlab.gnome.org/GNOME/libsoup/-/issues/465
> Control: tags -1 + moreinfo
> 
> On Sat, 09 Aug 2025 at 11:51:29 +0200, Salvatore Bonaccorso wrote:
> > CVE-2025-8197[0]:
> > | A global buffer overflow vulnerability was found in the
> > | soup_header_name_to_string function in Libsoup. The
> > | `soup_header_name_to_string` function does not validate the `name`
> > | parameter passed in, and directly accesses
> > | `soup_header_name_strings[name]`. The value of `name` is
> > | controllable, when `name` exceeds the index range of
> > | `soup_headr_name_string`, it will cause an out-of-bounds access.
> > 
> > There is only one reference to the Red Hat Bugzilla, and I have not
> > found an upstream issue or a merge request referencing the CVE, can
> > you double-check?
> 
> I couldn't find an upstream issue either, so I opened one. It is not clear
> to me that this is a genuine vulnerability. I think this needs clarification
> from the CNA that allocated a CVE ID for this (which appears to be Red Hat).
> 
> At best, it's a misleading description of a genuine vulnerability, something
> like "by doing foo, bar and baz, an attacker can trick libsoup into calling
> soup_header_name_to_string() with an invalid argument, which crashes" - but
> if that's the case, then I think it's the caller of
> soup_header_name_to_string() that should be fixed, and not
> soup_header_name_to_string() itself.

We can close this now, cf
https://gitlab.gnome.org/GNOME/libsoup/-/issues/465#note_2520334 and
followup (and the CVE got rejected fortunately).

Regards,
Salvatore

--- End Message ---
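
The unchecked table lookup named in the CVE text, next to a range-checked variant and the caller-side validation discussed in the reply, as an added stand-alone C model (not libsoup source and not code from either message; every identifier is hypothetical):

```c
/* Stand-alone model, not libsoup source; all identifiers are hypothetical. */
#include <ctype.h>
#include <stddef.h>

typedef enum {
    HDR_ACCEPT,
    HDR_CONTENT_LENGTH,
    HDR_HOST,
    HDR_UNKNOWN              /* sentinel, equal to the number of table entries */
} hdr_name;

static const char *const hdr_strings[] = {
    [HDR_ACCEPT]         = "Accept",
    [HDR_CONTENT_LENGTH] = "Content-Length",
    [HDR_HOST]           = "Host",
};
#define HDR_COUNT (sizeof hdr_strings / sizeof hdr_strings[0])

/* ASCII case-insensitive equality, as header names are case-insensitive. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == *b;
}

/* Pattern from the CVE text: the index is used without validation, so this
 * is in bounds only if every caller guarantees name < HDR_COUNT. */
const char *hdr_to_string_unchecked(hdr_name name)
{
    return hdr_strings[name];
}

/* Range-checked variant: the cast to size_t also rejects negative values. */
const char *hdr_to_string_checked(int name)
{
    return (size_t)name < HDR_COUNT ? hdr_strings[name] : NULL;
}

/* Caller-side boundary: untrusted wire text is turned into an enum only
 * here, so the result is always a valid index or HDR_UNKNOWN. */
hdr_name hdr_from_wire(const char *text)
{
    for (size_t i = 0; i < HDR_COUNT; i++)
        if (eq_nocase(text, hdr_strings[i]))
            return (hdr_name)i;
    return HDR_UNKNOWN;
}
```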