Bug#872442: marked as done (jessie-pu: package gsoap/2.8.17-1+deb8u1)

[Debian Bug Tracking System]

Your message dated Sat, 09 Dec 2017 10:47:53 +0000
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #872442,
regarding jessie-pu: package gsoap/2.8.17-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
872442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2017-9765 in jessie.
debdiff is attached.

Mattias Ellert

diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
--- gsoap-2.8.17/debian/changelog	2014-07-11 13:45:59.000000000 +0200
+++ gsoap-2.8.17/debian/changelog	2017-08-16 11:30:40.000000000 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
+
+  * Fix for CVE-2017-9765 (Closes: xxxx)
+
+ -- Mattias Ellert <mattias.ell...@physics.uu.se>  Wed, 16 Aug 2017 11:30:40 +0200
+
 gsoap (2.8.17-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.000000000 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 09:29:32.000000000 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.c gsoap-2.7/gsoap/stdsoap2.c
+--- gsoap-2.7.orig/gsoap/stdsoap2.c	2010-04-06 18:23:14.000000000 +0200
++++ gsoap-2.7/gsoap/stdsoap2.c	2017-08-01 15:05:03.634309308 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+     { if (soap_blank(c))
+         c = ' ';
+       *s++ = (char)c;
++      i--;
+     }
+-    c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI <?%s?>\n", buf));
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.cpp gsoap-2.7/gsoap/stdsoap2.cpp
+--- gsoap-2.7.orig/gsoap/stdsoap2.cpp	2010-04-06 18:23:14.000000000 +0200
++++ gsoap-2.7/gsoap/stdsoap2.cpp	2017-08-01 15:05:03.636309306 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+     { if (soap_blank(c))
+         c = ' ';
+       *s++ = (char)c;
++      i--;
+     }
+-    c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI <?%s?>\n", buf));
diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series
--- gsoap-2.8.17/debian/patches/series	2014-07-11 20:36:40.000000000 +0200
+++ gsoap-2.8.17/debian/patches/series	2017-08-16 11:28:38.000000000 +0200
@@ -21,3 +21,6 @@
 
 # https://sourceforge.net/p/gsoap2/patches/119/
 gsoap-doxygen-paths.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch

signature.asc
Description: This is a digitally signed message part

--- End Message ---

--- Begin Message ---

Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam

--- End Message ---