USN-7126-1: libsoup vulnerabilities

Releases

• Ubuntu 24.10
• Ubuntu 24.04 LTS
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM

Packages

• libsoup2.4 - HTTP client/server library for GNOME

Details

It was discovered that libsoup ignored certain characters at the end of
header names. A remote attacker could possibly use this issue to perform
a HTTP request smuggling attack. (CVE-2024-52530)

It was discovered that libsoup did not correctly handle memory while
performing UTF-8 conversions. An attacker could possibly use this issue
to cause a denial of service or execute arbitrary code. (CVE-2024-52531)

It was discovered that libsoup could enter an infinite loop when reading
certain websocket data. An attacker could possibly use this issue to
cause a denial of service. (CVE-2024-52532)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.10

• libsoup-2.4-1 - 2.74.3-7ubuntu0.1

Ubuntu 24.04

• libsoup-2.4-1 - 2.74.3-6ubuntu1.1

Ubuntu 22.04

• libsoup2.4-1 - 2.74.2-3ubuntu0.1

Ubuntu 20.04

• libsoup2.4-1 - 2.70.0-1ubuntu0.1

Ubuntu 18.04

• libsoup2.4-1 - 2.62.1-1ubuntu0.4+esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

• CVE-2024-52530
• CVE-2024-52531
• CVE-2024-52532

Related notices

• USN-7127-1: libsoup-3.0-tests, libsoup3, gir1.2-soup-3.0, libsoup-3.0-0, libsoup-3.0-dev, libsoup-3.0-doc, libsoup-3.0-common