fre 2019-02-15 klockan 17:56 +0100 skrev Chris Lamb: > Ben Hutchings wrote: > > > > Given the reference to cookies in the upstream advisory, I think the > > actual bug is > > […] > > Thanks for looking into this. For the avoidance of doubt I will not > proceed with an upload. > > With my "front desk" hat on, I've also added a link in the data/ > CVE/list to this thread as it discusses the merits of the patch: > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/f9c0c26172f864a9fb70c332d61dabd72b47a56e > > > Regards, > Thank you for your comments. The patch was based on the suggested fix from upstream which uses int. But I agree ssize_t is a better choice. Updated debdiff attatched. Mattias
diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
--- gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.000000000 +0200
+++ gsoap-2.8.17/debian/changelog 2019-02-14 16:59:28.000000000 +0100
@@ -1,3 +1,18 @@
+gsoap (2.8.17-1+deb8u2) jessie; urgency=medium
+
+ * Fix for CVE-2019-7659
+ Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
+ denial of service (application abort) or possibly have unspecified other
+ impact if a server application is built with the -DWITH_COOKIES flag. This
+ affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
+ libraries, as these are built with that flag.
+ * Fix issue with DIME protocol receiver and malformed DIME headers
+ This patch addresses a critical issue with the DIME protocol receiver that
+ may cause the receiver to become unresponsive when a malformed DIME
+ protocol message is received. -- https://www.genivia.com/advisory.html
+
+ -- Mattias Ellert <mattias.ellert@physics.uu.se> Thu, 14 Feb 2019 16:59:28 +0100
+
gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
* Fix for CVE-2017-9765
diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch
--- gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 1970-01-01 01:00:00.000000000 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 2019-02-14 16:59:28.000000000 +0100
@@ -0,0 +1,50 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c 2019-01-18 15:22:36.285318129 +0100
++++ gsoap-2.8/gsoap/stdsoap2.c 2019-01-18 15:26:44.648630944 +0100
+@@ -6199,11 +6199,12 @@
+ /******************************************************************************/
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++ssize_t
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, ssize_t len)
+ { register int c;
+- register size_t n = len;
++ register ssize_t n = len;
++ if (n <= 0) return 0;
+ while ((c = *s++) && --n > 0)
+ { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+ *t++ = c;
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2019-01-18 15:22:36.353317393 +0100
++++ gsoap-2.8/gsoap/stdsoap2.cpp 2019-01-18 15:26:44.648630944 +0100
+@@ -6199,11 +6199,12 @@
+ /******************************************************************************/
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++ssize_t
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, ssize_t len)
+ { register int c;
+- register size_t n = len;
++ register ssize_t n = len;
++ if (n <= 0) return 0;
+ while ((c = *s++) && --n > 0)
+ { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+ *t++ = c;
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.h gsoap-2.8/gsoap/stdsoap2.h
+--- gsoap-2.8.orig/gsoap/stdsoap2.h 2019-01-18 15:22:36.256318443 +0100
++++ gsoap-2.8/gsoap/stdsoap2.h 2019-01-18 15:25:20.408542687 +0100
+@@ -2747,7 +2747,7 @@
+ SOAP_FMAC1 void SOAP_FMAC2 soap_clr_attr(struct soap *soap);
+
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_url(struct soap *soap, const char*, const char*);
+-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t);
++SOAP_FMAC1 ssize_t SOAP_FMAC2 soap_encode_url(const char*, char*, ssize_t);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*);
+ #ifdef WITH_COOKIES
+ SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val);
diff -Nru gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch
--- gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch 1970-01-01 01:00:00.000000000 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch 2019-02-14 11:33:00.000000000 +0100
@@ -0,0 +1,22 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c 2017-07-11 03:51:16.000000000 +0200
++++ gsoap-2.8/gsoap/stdsoap2.c 2018-04-18 16:09:06.340071192 +0200
+@@ -16965,7 +16965,6 @@
+ return soap->error = SOAP_CHK_EOF;
+ soap_unget(soap, soap_getchar(soap)); /* skip padding and get hdr */
+ DBGLOG(TEST, SOAP_MESSAGE(fdebug, "... From chunked\n"));
+- return SOAP_OK;
+ }
+ s = (char*)tmp;
+ for (i = 12; i > 0; i--)
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2017-07-11 03:51:16.000000000 +0200
++++ gsoap-2.8/gsoap/stdsoap2.cpp 2018-04-18 16:09:06.340071192 +0200
+@@ -16965,7 +16965,6 @@
+ return soap->error = SOAP_CHK_EOF;
+ soap_unget(soap, soap_getchar(soap)); /* skip padding and get hdr */
+ DBGLOG(TEST, SOAP_MESSAGE(fdebug, "... From chunked\n"));
+- return SOAP_OK;
+ }
+ s = (char*)tmp;
+ for (i = 12; i > 0; i--)
diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series
--- gsoap-2.8.17/debian/patches/series 2017-08-16 11:28:38.000000000 +0200
+++ gsoap-2.8.17/debian/patches/series 2019-02-14 16:59:13.000000000 +0100
@@ -24,3 +24,9 @@
# CVE-2017-9765
gsoap-CVE-2017-9765.patch
+
+# Fix issue with DIME protocol receiver and malformed DIME headers
+gsoap-malformed-DIME.patch
+
+# CVE-2019-7659
+gsoap-CVE-2019-7659.patch
Attachment:
smime.p7s
Description: S/MIME cryptographic signature