[SECURITY] [DLA 4140-1] libsoup2.4 security update

————————————————————————-
Debian LTS Advisory DLA-4140-1 [email protected]
https://www.debian.org/lts/security/ Andreas Henriksson
April 27, 2025 https://wiki.debian.org/LTS
————————————————————————-

Package : libsoup2.4
Version : 2.72.0-2+deb11u2
CVE ID : CVE-2025-2784 CVE-2025-32050 CVE-2025-32052 CVE-2025-32053
CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911
CVE-2025-32912 CVE-2025-32913 CVE-2025-32914
Debian Bug : 1091502 1102208 1102212 1102214 1102215 1103521 1103517
1103516 1103515 1103267 1103512

Several security vulnerabilities have been discovered in libsoup2.4, a http
client/server library popularly used in GNOME, et.al.

CVE-2025-2784

The package is vulnerable to a heap buffer over-read when sniffing content
via the skip_insight_whitespace() function. Libsoup clients may read one
byte out-of-bounds in response to a crafted HTTP response by an HTTP
server.

CVE-2025-32050

The libsoup append_param_quoted() function may contain an overflow bug
resulting in a buffer under-read.

CVE-2025-32052

A vulnerability in the sniff_unknown() function may lead to heap buffer
over-read.

CVE-2025-32053

A vulnerability in sniff_feed_or_html() and skip_insignificant_space()
functions may lead to a heap buffer over-read.

CVE-2025-32906

The soup_headers_parse_request() function may be vulnerable to an
out-of-bound read. This flaw allows a malicious user to use a specially
crafted HTTP request to crash the HTTP server.

CVE-2025-32909

SoupContentSniffer may be vulnerable to a NULL pointer dereference in the
sniff_mp4 function. The HTTP server may cause the libsoup client to crash.

CVE-2025-32910

A flaw was found in libsoup, where soup_auth_digest_authenticate() is
vulnerable to a NULL pointer dereference. This issue may cause the libsoup
client to crash.

CVE-2025-32911

Vulnerable to a use-after-free memory issue not on the heap in the
soup_message_headers_get_content_disposition() function.
This flaw allows a malicious HTTP client to cause memory corruption in the
libsoup server.

CVE-2025-32912

SoupAuthDigest is vulnerable to a NULL pointer dereference. The HTTP server
may cause the libsoup client to crash.

CVE-2025-32913

The soup_message_headers_get_content_disposition() function is vulnerable
to a NULL pointer dereference. This flaw allows a malicious HTTP peer to
crash a libsoup client or server that uses this function.

CVE-2025-32914

The soup_multipart_new_from_message() function is vulnerable to an
out-of-bounds read. This flaw allows a malicious HTTP client to induce the
libsoup server to read out of bounds.

Additionally this update also includes a fix to extend the lifetime
of a certificate used by the test-suite during build to avoid
expiring soon.

Note that this update does *not* yet address CVE-2025-32907 and CVE-2025-32049
which are still being discussed.

For Debian 11 bullseye, these problems have been fixed in version
2.72.0-2+deb11u2.

We recommend that you upgrade your libsoup2.4 packages.

For the detailed security status of libsoup2.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsoup2.4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature