[ASA-201708-5] libsoup: arbitrary code execution

2017-08-10T00:00:00
ID ASA-201708-5
Type archlinux
Reporter ArchLinux
Modified 2017-08-10T00:00:00

Description

Arch Linux Security Advisory ASA-201708-5

Severity: Critical Date : 2017-08-10 CVE-ID : CVE-2017-2885 Package : libsoup Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-376

Summary

The package libsoup before version 2.58.2-1 is vulnerable to arbitrary code execution.

Resolution

Upgrade to 2.58.2-1.

pacman -Syu "libsoup>=2.58.2-1"

The problem has been fixed upstream in version 2.58.2.

Workaround

None.

Description

A stack based buffer overflow has been found in libsoup <= 2.58.1. A specially crafted HTTP request with chunked encoding can cause a stack overflow resulting in remote code execution.

Impact

A remote attacker can execute arbitrary code on the affected host via a crafted HTTP request.

References

https://bugzilla.gnome.org/show_bug.cgi?id=785774 https://security.archlinux.org/CVE-2017-2885