Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 488
Alerts This Week
Warning Icon 1 488

Gentoo: GLSA-201709-26 Normal: libsoup Arbitrary Code Execution

gentoo
Calendar Grey September 26, 2017
Dist Gentoo Esm H88
Unauthorized users may infiltrate systems via libsoup; upgrading is advised to address moderate level threats.
A vulnerability in libsoup might allow remote attackers to execute arbitrary code.

Summary

A stack based buffer overflow vulnerability was discovered in libsoup.

Resolution

All libsoup users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.56.1"
Packages which depend on this library may need to be recompiled. Tools such as revdep-rebuild may assist in identifying some of these packages.

References

[ 1 ] CVE-2017-2885 https://nvd.nist.gov/vuln/detail/CVE-2017-2885

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201709-26
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: libsoup: Arbitrary remote code execution
Date: September 26, 2017
Bugs: #627466
ID: 201709-26

Synopsis

A vulnerability in libsoup might allow remote attackers to execute arbitrary code.

Background

libsoup is an HTTP client/server library for GNOME.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-libs/libsoup < 2.56.1 >= 2.56.1

Impact

===== A remote attacker, by using specially crafted HTTP requests, could execute arbitrary code with the privileges of the process.

Workaround

There is no known workaround at this time.