Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

[Mattias Ellert <mattias.ellert@physics.uu.se>]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2017-9765 in stretch.
debdiff is attached.

Mattias Ellert

diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
--- gsoap-2.8.35/debian/changelog	2016-12-06 09:32:36.000000000 +0100
+++ gsoap-2.8.35/debian/changelog	2017-08-16 11:58:11.000000000 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
+
+  * Fix for CVE-2017-9765 (Closes: xxxx)
+
+ -- Mattias Ellert <mattias.ellert@physics.uu.se>  Wed, 16 Aug 2017 11:58:11 +0200
+
 gsoap (2.8.35-4) unstable; urgency=medium
 
   * Rebuild for OpenSSL 1.1.0
diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.000000000 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 11:54:02.000000000 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c	2016-04-03 03:33:31.000000000 +0200
++++ gsoap-2.8/gsoap/stdsoap2.c	2017-08-01 14:51:44.141083499 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+     { if (soap_blank(c))
+         c = ' ';
+       *s++ = (char)c;
++      i--;
+     }
+-    c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI <?%s?>\n", buf));
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp	2016-04-03 03:33:31.000000000 +0200
++++ gsoap-2.8/gsoap/stdsoap2.cpp	2017-08-01 14:51:44.143083498 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+     { if (soap_blank(c))
+         c = ' ';
+       *s++ = (char)c;
++      i--;
+     }
+-    c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI <?%s?>\n", buf));
diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series
--- gsoap-2.8.35/debian/patches/series	2016-09-26 14:49:01.000000000 +0200
+++ gsoap-2.8.35/debian/patches/series	2017-08-16 11:57:36.000000000 +0200
@@ -10,3 +10,6 @@
 
 # Backport fix from upstream
 gsoap-backport.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch

Attachment: signature.asc
Description: This is a digitally signed message part