USN-7643-1: libsoup vulnerabilities

USN-7643-1: libsoup vulnerabilities
Publication date:17 July 2025
Overview: Several security issues were fixed in libsoup.

Packages

• libsoup2.4 - HTTP client/server library for GNOME
• libsoup3 - HTTP client/server library for GNOME

Details
Jan Różański discovered that libsoup incorrectly handled range headers in
an HTTP request. An attacker could possibly use this issue to cause libsoup
to consume excessive memory, resulting in a denial of service.
(CVE-2025-32907)

Alon Zahavi discovered that libsoup incorrectly handled memory when parsing
HTTP requests. An attacker could possibly use this issue to send a
maliciously crafted HTTP request to the server, causing a denial of service
or obtaining sensitive information. This issue only affected Ubuntu 25.04.
(CVE-2025-32914)

It was discovered that libsoup incorrectly handled memory when parsing
the expiration date of maliciously crafted cookies. An attacker could
possibly use this issue to cause a denial of service. (CVE-2025-4945)

It was discovered that libsoup incorrectly handled integer calculations
when parsing multipart data. An attacker could possibly use this issue to
cause a denial of service. (CVE-2025-4948)

It was discovered that libsoup incorrectly handled buffer reading when
locating boundaries in multipart forms. An attacker could possibly use this
issue to cause a denial of service or obtain sensitive information.
(CVE-2025-4969)

Update instructions
The problem can be corrected by updating your system to the following package versions:

• 25.04 plucky: libsoup-2.4-1 – 2.74.3-10ubuntu0.4
  libsoup-3.0-0 – 3.6.5-1ubuntu0.2
• 24.04 noble: libsoup-2.4-1 – 2.74.3-6ubuntu1.6
  libsoup-3.0-0 – 3.4.4-5ubuntu0.5
• 22.04 jammy: libsoup-3.0-0 – 3.0.7-0ubuntu1+esm5
  libsoup2.4-1 – 2.74.2-3ubuntu0.6
• 20.04 focal: libsoup2.4-1 – 2.70.0-1ubuntu0.5+esm1
• 18.04 bionic: libsoup2.4-1 – 2.62.1-1ubuntu0.4+esm6
• 16.04 xenial: libsoup2.4-1 – 2.52.2-1ubuntu0.3+esm5