
Debian 11: DLA-4140-1 critical: libsoup2.4 buffer overflow issues

Debian LTS
April 27, 2025
Several security vulnerabilities have been discovered in libsoup2.4, an HTTP client/server library widely used in GNOME and elsewhere. They may result in out-of-bounds memory reads and application crashes (denial of service), triggered by crafted HTTP responses from a malicious server or crafted HTTP requests from a malicious client.

Summary

CVE-2025-2784

The package is vulnerable to a heap buffer over-read when sniffing content
via the skip_insight_whitespace() function. A malicious HTTP server can
cause libsoup clients to read one byte out of bounds by returning a
crafted HTTP response.

CVE-2025-32050

The libsoup append_param_quoted() function may contain an overflow bug
resulting in a buffer under-read.

CVE-2025-32052

A vulnerability in the sniff_unknown() function may lead to heap buffer
over-read.

CVE-2025-32053

A vulnerability in sniff_feed_or_html() and skip_insignificant_space()
functions may lead to a heap buffer over-read.

CVE-2025-32906

The soup_headers_parse_request() function may be vulnerable to an
out-of-bound read. This flaw allows a malicious user to use a specially
crafted HTTP request to crash the HTTP server.

CVE-2025-32909

SoupContentSniffer may be vulnerable to a NULL pointer dereference in the
sniff_mp4() function. A malicious HTTP server may cause a libsoup client to crash.



Severity: critical

Package: libsoup2.4
Version: 2.72.0-2+deb11u2
CVE ID: CVE-2025-2784 CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-32906 CVE-2025-32909
Debian Bug: 1091502 1102208 1102212 1102214 1102215 1103521 1103517
