Hello community, here is the log from the commit of package libsoup for openSUSE:11.3 checked in at Fri Jul 29 18:08:01 CEST 2011. Patchinfo file has no description Patchinfo file has no description Patchinfo file has no description -------- --- old-versions/11.3/all/libsoup/libsoup.changes 2010-05-03 11:13:46.000000000 +0200 +++ 11.3/libsoup/libsoup.changes 2011-07-29 10:20:41.000000000 +0200 @@ -1,0 +2,9 @@ +Fri Jul 29 10:18:00 CEST 2011 - vuntz@opensuse.org + +- Add libsoup-CVE-2011-2524.patch: Fixed a security hole that + caused some SoupServer users to unintentionally allow accessing + the entire local filesystem when they thought they were only + providing access to a single directory. Fix bnc#706630, + CVE-2011-2524. + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/libsoup Destination is old-versions/11.3/UPDATES/all/libsoup calling whatdependson for 11.3-i586 New: ---- libsoup-CVE-2011-2524.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsoup.spec ++++++ --- /var/tmp/diff_new_pack.jTMmki/_old 2011-07-29 18:07:21.000000000 +0200 +++ /var/tmp/diff_new_pack.jTMmki/_new 2011-07-29 18:07:21.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libsoup (Version 2.30.1) +# spec file for package libsoup # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -38,9 +38,11 @@ # Summary: HTTP client/server library for GNOME Version: 2.30.1 -Release: 1 +Release: 2.<RELEASE2> Source: ftp://ftp.gnome.org/pub/GNOME/stable/sources/libsoup/2.2/%{name}-%{version}.tar.bz2 Source99: baselibs.conf +# PATCH-FIX-UPSTREAM libsoup-CVE-2011-2524.patch bnc#706630 CVE-2011-2524 vuntz@opensuse.org -- filesystem exposure flaw due to bad parsing of ".." +Patch0: libsoup-CVE-2011-2524.patch Url: http://www.gnome.org BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: %{name}-2_4-1 = %{version} @@ -111,6 +113,7 @@ %prep %setup -q +%patch0 -p1 %build %configure\ ++++++ libsoup-CVE-2011-2524.patch ++++++
From cbeeb7a0f7f0e8b16f2d382157496f9100218dea Mon Sep 17 00:00:00 2001 From: Dan Winship <danw@gnome.org> Date: Wed, 29 Jun 2011 14:04:06 +0000 Subject: SoupServer: fix to not allow smuggling ".." into path
When SoupServer:raw-paths was set (the default), it was possible to sneak ".." segments into the path passed to the SoupServerHandler, which could then end up tricking some handlers into retrieving arbitrary files from the filesystem. Fix that. https://bugzilla.gnome.org/show_bug.cgi?id=653258 --- diff --git a/libsoup/soup-server.c b/libsoup/soup-server.c index d56efd1..7225337 100644 --- a/libsoup/soup-server.c +++ b/libsoup/soup-server.c @@ -779,6 +779,15 @@ got_headers (SoupMessage *req, SoupClientContext *client) uri = soup_message_get_uri (req); decoded_path = soup_uri_decode (uri->path); + + if (strstr (decoded_path, "/../") || + g_str_has_suffix (decoded_path, "/..")) { + /* Introducing new ".." segments is not allowed */ + g_free (decoded_path); + soup_message_set_status (req, SOUP_STATUS_BAD_REQUEST); + return; + } + soup_uri_set_path (uri, decoded_path); g_free (decoded_path); } -- cgit v0.9 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org