https://gitlab.gnome.org/Teams/Releng/security/-/wikis/home lists four security
vulnerabilities reported against libsoup since June 2024, none of which have
CVE IDs listed as being assigned.  (For those not familiar with it, libsoup is
an HTTP client/server library for the GNOME desktop.)

1) Request smuggling via stripping of null bytes from the ends of header names
   https://gitlab.gnome.org/GNOME/libsoup/-/issues/377

  "When Libsoup parses HTTP headers, it ignores null bytes at the ends of header
   names. Thus, 'Transfer-Encoding: chunked' is equivalent to
   'Transfer-Encoding\x00: chunked'. This allows for request smuggling when
   Libsoup is used in a service that's behind a reverse proxy that forwards
   null bytes without stripping them."

   This is marked as fixed in libsoup 3.6.0 (released August 25) by
   https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/402.

2) headers: Be more robust against invalid input when parsing params
   https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407

  "If you pass invalid input to a function such as
   soup_header_parse_param_list_strict() it can cause an overflow if it decodes
   the input to UTF-8.

   This should never happen with valid UTF-8 input which the API requires
   currently.

   This is not possible to happen with network data as all headers are decoded
   before this point."

   This is marked as fixed in the not-yet-released libsoup 3.6.1 by
   https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407

3) Infinite loop while reading websocket data
   https://gitlab.gnome.org/GNOME/libsoup/-/issues/391

   "Start a websocket server with libsoup and then run the following test case:
    stall.c" [attached to bug report at above URL]

   "libsoup will enter into a busy loop and use all the memory of the system
   until it crashes."

   This is marked as fixed in the not-yet-released libsoup 3.6.1 by
   https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/410

4) https://gitlab.gnome.org/GNOME/libsoup/-/issues/390 is listed
   but is not publicly visible yet; it has a disclosure date listed of
   November 19, 2024, and is marked as not yet fixed.
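As an added illustration of item 1 (this is example code written for this post, not code from libsoup or from the bug report): a strict header-name check that rejects a name containing a NUL byte, placed beside a lenient comparison, constructed here, that ignores trailing NULs the way the issue describes, so the two spellings of Transfer-Encoding can be seen to collide.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* RFC 9110 "tchar": the only bytes allowed in a header field name.
 * A NUL byte is a control character and is never a tchar. */
static bool is_tchar(unsigned char c)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
        return true;
    /* guard against strchr() matching the string terminator when c == 0 */
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Strict check: accept the name only if every byte is a tchar.
 * The length is passed explicitly because the name may contain NUL bytes,
 * which strlen() would silently truncate at. */
bool header_name_is_valid(const char *name, size_t len)
{
    if (len == 0)
        return false;
    for (size_t i = 0; i < len; i++)
        if (!is_tchar((unsigned char)name[i]))
            return false;
    return true;
}

/* Lenient comparison modelled on the behaviour the issue describes:
 * trailing NUL bytes are dropped before the names are compared, so
 * "Transfer-Encoding" and "Transfer-Encoding\0" select the same field.
 * Constructed for this example; a proxy that forwards the NUL and a
 * backend that strips it disagree about which header the line is. */
bool lenient_name_equals(const char *a, size_t alen, const char *b, size_t blen)
{
    while (alen > 0 && a[alen - 1] == '\0')
        alen--;
    while (blen > 0 && b[blen - 1] == '\0')
        blen--;
    return alen == blen && memcmp(a, b, alen) == 0;
}
```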

--
        -Alan Coopersmith-                 alan.coopersm...@oracle.com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
