Hello community, here is the log from the commit of package libsoup for openSUSE:11.4 checked in at Fri Jul 29 18:12:28 CEST 2011.
Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.4/all/libsoup/libsoup.changes 2010-11-30 10:36:16.000000000 +0100 +++ 11.4/libsoup/libsoup.changes 2011-07-29 10:21:22.000000000 +0200 @@ -1,0 +2,9 @@ +Fri Jul 29 10:18:00 CEST 2011 - vu...@opensuse.org + +- Add libsoup-CVE-2011-2524.patch: Fixed a security hole that + caused some SoupServer users to unintentionally allow accessing + the entire local filesystem when they thought they were only + providing access to a single directory. Fix bnc#706630, + CVE-2011-2524. + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/libsoup Destination is old-versions/11.4/UPDATES/all/libsoup calling whatdependson for 11.4-i586 New: ---- libsoup-CVE-2011-2524.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsoup.spec ++++++ --- /var/tmp/diff_new_pack.qpY9I8/_old 2011-07-29 18:12:05.000000000 +0200 +++ /var/tmp/diff_new_pack.qpY9I8/_new 2011-07-29 18:12:05.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libsoup (Version 2.32.2) +# spec file for package libsoup # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,7 +21,7 @@ Name: libsoup Summary: HTTP client/server library for GNOME Version: 2.32.2 -Release: 1 +Release: 3.<RELEASE4> License: LGPLv2.1+ Group: Development/Libraries/GNOME Url: http://www.gnome.org @@ -29,6 +29,8 @@ Source99: baselibs.conf # PATCH-FIX-OPENSUSE libsoup-gnutls-allow-tls.patch bnc#634040 vu...@opensuse.org -- Allow TLS usage instead of being SSL 3.0-only. Upstream does not want this, and rewriting a lot of code is needed to fix this correctly. However, the openSUSE security team wants TLS to be used if possible. This might lead to some websites being not accessible with libsoup. Patch0: libsoup-gnutls-allow-tls.patch +# PATCH-FIX-UPSTREAM libsoup-CVE-2011-2524.patch bnc#706630 CVE-2011-2524 vu...@opensuse.org -- filesystem exposure flaw due to bad parsing of ".." +Patch1: libsoup-CVE-2011-2524.patch BuildRequires: gconf2-devel BuildRequires: glib2-devel BuildRequires: gnutls-devel @@ -115,6 +117,7 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 %build %configure\ ++++++ libsoup-CVE-2011-2524.patch ++++++ >From cbeeb7a0f7f0e8b16f2d382157496f9100218dea Mon Sep 17 00:00:00 2001 From: Dan Winship <d...@gnome.org> Date: Wed, 29 Jun 2011 14:04:06 +0000 Subject: SoupServer: fix to not allow smuggling ".." into path When SoupServer:raw-paths was set (the default), it was possible to sneak ".." segments into the path passed to the SoupServerHandler, which could then end up tricking some handlers into retrieving arbitrary files from the filesystem. Fix that. https://bugzilla.gnome.org/show_bug.cgi?id=653258 --- diff --git a/libsoup/soup-server.c b/libsoup/soup-server.c index d56efd1..7225337 100644 --- a/libsoup/soup-server.c +++ b/libsoup/soup-server.c @@ -779,6 +779,15 @@ got_headers (SoupMessage *req, SoupClientContext *client) uri = soup_message_get_uri (req); decoded_path = soup_uri_decode (uri->path); + + if (strstr (decoded_path, "/../") || + g_str_has_suffix (decoded_path, "/..")) { + /* Introducing new ".." segments is not allowed */ + g_free (decoded_path); + soup_message_set_status (req, SOUP_STATUS_BAD_REQUEST); + return; + } + soup_uri_set_path (uri, decoded_path); g_free (decoded_path); } -- cgit v0.9 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org