Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH] libsoup: add patch to fix CVE-2011-2054
@ 2011-07-31 20:18 Sven Neumann
  2011-08-04 19:28 ` Peter Korsgaard
  0 siblings, 1 reply; 2+ messages in thread
From: Sven Neumann @ 2011-07-31 20:18 UTC (permalink / raw)
  To: buildroot

Fixes a security hole that caused some SoupServer users to
unintentionally allow accessing the entire local filesystem when
they thought they were only providing access to a single directory.

This is the change from libsoup-2.34.3 backported to 2.32.2. It
doesn't include the changes to the test suite though.

Signed-off-by: Sven Neumann <s.neumann@raumfeld.com>
---
 package/libsoup/libsoup-CVE-2011-2054.patch |   32 +++++++++++++++++++++++++++
 1 files changed, 32 insertions(+), 0 deletions(-)
 create mode 100644 package/libsoup/libsoup-CVE-2011-2054.patch

diff --git a/package/libsoup/libsoup-CVE-2011-2054.patch b/package/libsoup/libsoup-CVE-2011-2054.patch
new file mode 100644
index 0000000..0dc5ecc
--- /dev/null
+++ b/package/libsoup/libsoup-CVE-2011-2054.patch
@@ -0,0 +1,32 @@
+From 4617b6ef6dd21931a0153070c5b5ff7ef21b46f8 Mon Sep 17 00:00:00 2001
+From: Dan Winship <danw@gnome.org>
+Date: Wed, 29 Jun 2011 10:04:06 -0400
+Subject: [PATCH] SoupServer: fix to not allow smuggling ".." into path
+
+When SoupServer:raw-paths was set (the default), it was possible to
+sneak ".." segments into the path passed to the SoupServerHandler,
+which could then end up tricking some handlers into retrieving
+arbitrary files from the filesystem. Fix that.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=653258
+
+diff --git a/libsoup/soup-server.c b/libsoup/soup-server.c
+index d56efd1..7225337 100644
+--- a/libsoup/soup-server.c
++++ b/libsoup/soup-server.c
+@@ -779,6 +779,15 @@ got_headers (SoupMessage *req, SoupClientContext *client)
+ 
+ 		uri = soup_message_get_uri (req);
+ 		decoded_path = soup_uri_decode (uri->path);
++
++		if (strstr (decoded_path, "/../") ||
++		    g_str_has_suffix (decoded_path, "/..")) {
++			/* Introducing new ".." segments is not allowed */
++			g_free (decoded_path);
++			soup_message_set_status (req, SOUP_STATUS_BAD_REQUEST);
++			return;
++		}
++
+ 		soup_uri_set_path (uri, decoded_path);
+ 		g_free (decoded_path);
+ 	}
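Review bot: The added check in got_headers() matches only "/../" anywhere in decoded_path and a trailing "/..", so it is complete only if decoded_path always begins with "/" at this point; a decoded path that is exactly ".." or that begins with "../" would not be rejected by these two tests. If uri->path is guaranteed to be absolute here, a one-line comment stating that would make the check self-evidently sufficient; otherwise the leading-segment case should be covered as well. The inline comment says "Introducing new '..' segments is not allowed", but the test runs on the whole decoded path regardless of where the segment came from, so it would help to say whether ".." segments in the undecoded path are already handled before this point. Separately, the patch file header carries only the upstream commit message, while the submission text says this is the libsoup-2.34.3 change backported to 2.32.2 without the test-suite changes; recording that in the patch header would keep the provenance with the file, and since the tests are dropped, nothing in this tree exercises the new SOUP_STATUS_BAD_REQUEST path.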
-- 
1.7.4.1


* [Buildroot] [PATCH] libsoup: add patch to fix CVE-2011-2054
  2011-07-31 20:18 [Buildroot] [PATCH] libsoup: add patch to fix CVE-2011-2054 Sven Neumann
@ 2011-08-04 19:28 ` Peter Korsgaard
  0 siblings, 0 replies; 2+ messages in thread
From: Peter Korsgaard @ 2011-08-04 19:28 UTC (permalink / raw)
  To: buildroot

>>>>> "Sven" == Sven Neumann <s.neumann@raumfeld.com> writes:

 Sven> Fixes a security hole that caused some SoupServer users to
 Sven> unintentionally allow accessing the entire local filesystem when
 Sven> they thought they were only providing access to a single directory.

 Sven> This is the change from libsoup-2.34.3 backported to 2.32.2. It
 Sven> doesn't include the changes to the test suite though.

Committed, thanks.

-- 
Bye, Peter Korsgaard
