Your message dated Fri, 15 Feb 2019 10:33:12 +0000
with message-id <940b78f9e6f926880c3d3418eeebf...@mail.adam-barratt.org.uk>
and subject line Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
has caused the Debian Bug report #922384,
regarding jessie-pu: package gsoap/2.8.17-1+deb8u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
922384: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922384
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
This is a proposal to fix CVE-2019-7659 in jessie.
The update also addresses one additional advisory published by the
upstream developers.
debdiff is attached.
gsoap (2.8.17-1+deb8u2) jessie; urgency=medium
* Fix for CVE-2019-7659
Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
denial of service (application abort) or possibly have unspecified other
impact if a server application is built with the -DWITH_COOKIES flag. This
affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
libraries, as these are built with that flag.
* Fix issue with DIME protocol receiver and malformed DIME headers
This patch addresses a critical issue with the DIME protocol receiver that
may cause the receiver to become unresponsive when a malformed DIME
protocol message is received. -- https://www.genivia.com/advisory.html
Mattias Ellert
diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
--- gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.000000000 +0200
+++ gsoap-2.8.17/debian/changelog 2019-02-14 16:59:28.000000000 +0100
@@ -1,3 +1,18 @@
+gsoap (2.8.17-1+deb8u2) jessie; urgency=medium
+
+ * Fix for CVE-2019-7659
+ Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
+ denial of service (application abort) or possibly have unspecified other
+ impact if a server application is built with the -DWITH_COOKIES flag. This
+ affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
+ libraries, as these are built with that flag.
+ * Fix issue with DIME protocol receiver and malformed DIME headers
+ This patch addresses a critical issue with the DIME protocol receiver that
+ may cause the receiver to become unresponsive when a malformed DIME
+ protocol message is received. -- https://www.genivia.com/advisory.html
+
+ -- Mattias Ellert <mattias.ell...@physics.uu.se> Thu, 14 Feb 2019 16:59:28 +0100
+
gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
* Fix for CVE-2017-9765
diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch
--- gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 1970-01-01 01:00:00.000000000 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 2019-02-14 11:32:59.000000000 +0100
@@ -0,0 +1,50 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c 2019-01-18 15:22:36.285318129 +0100
++++ gsoap-2.8/gsoap/stdsoap2.c 2019-01-18 15:26:44.648630944 +0100
+@@ -6199,11 +6199,12 @@
+ /******************************************************************************/
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++int
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, int len)
+ { register int c;
+- register size_t n = len;
++ register int n = len;
++ if (n <= 0) return 0;
+ while ((c = *s++) && --n > 0)
+ { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+ *t++ = c;
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2019-01-18 15:22:36.353317393 +0100
++++ gsoap-2.8/gsoap/stdsoap2.cpp 2019-01-18 15:26:44.648630944 +0100
+@@ -6199,11 +6199,12 @@
+ /******************************************************************************/
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++int
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, int len)
+ { register int c;
+- register size_t n = len;
++ register int n = len;
++ if (n <= 0) return 0;
+ while ((c = *s++) && --n > 0)
+ { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+ *t++ = c;
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.h gsoap-2.8/gsoap/stdsoap2.h
+--- gsoap-2.8.orig/gsoap/stdsoap2.h 2019-01-18 15:22:36.256318443 +0100
++++ gsoap-2.8/gsoap/stdsoap2.h 2019-01-18 15:25:20.408542687 +0100
+@@ -2747,7 +2747,7 @@
+ SOAP_FMAC1 void SOAP_FMAC2 soap_clr_attr(struct soap *soap);
+
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_url(struct soap *soap, const char*, const char*);
+-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t);
++SOAP_FMAC1 int SOAP_FMAC2 soap_encode_url(const char*, char*, int);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*);
+ #ifdef WITH_COOKIES
+ SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val);
diff -Nru gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch
--- gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch 1970-01-01 01:00:00.000000000 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch 2019-02-14 11:33:00.000000000 +0100
@@ -0,0 +1,22 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c 2017-07-11 03:51:16.000000000 +0200
++++ gsoap-2.8/gsoap/stdsoap2.c 2018-04-18 16:09:06.340071192 +0200
+@@ -16965,7 +16965,6 @@
+ return soap->error = SOAP_CHK_EOF;
+ soap_unget(soap, soap_getchar(soap)); /* skip padding and get hdr */
+ DBGLOG(TEST, SOAP_MESSAGE(fdebug, "... From chunked\n"));
+- return SOAP_OK;
+ }
+ s = (char*)tmp;
+ for (i = 12; i > 0; i--)
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2017-07-11 03:51:16.000000000 +0200
++++ gsoap-2.8/gsoap/stdsoap2.cpp 2018-04-18 16:09:06.340071192 +0200
+@@ -16965,7 +16965,6 @@
+ return soap->error = SOAP_CHK_EOF;
+ soap_unget(soap, soap_getchar(soap)); /* skip padding and get hdr */
+ DBGLOG(TEST, SOAP_MESSAGE(fdebug, "... From chunked\n"));
+- return SOAP_OK;
+ }
+ s = (char*)tmp;
+ for (i = 12; i > 0; i--)
diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series
--- gsoap-2.8.17/debian/patches/series 2017-08-16 11:28:38.000000000 +0200
+++ gsoap-2.8.17/debian/patches/series 2019-02-14 16:59:13.000000000 +0100
@@ -24,3 +24,9 @@
# CVE-2017-9765
gsoap-CVE-2017-9765.patch
+
+# Fix issue with DIME protocol receiver and malformed DIME headers
+gsoap-malformed-DIME.patch
+
+# CVE-2019-7659
+gsoap-CVE-2019-7659.patch
signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
On 2019-02-15 10:12, Mattias Ellert wrote:
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
This is a proposal to fix CVE-2019-7659 in jessie.
The Release Team haven't handled jessie for nearly 9 months now. Please
liaise with the LTS Team - https://wiki.debian.org/LTS/
Regards,
Adam
--- End Message ---
