On Thu, 2017-08-17 at 20:21 +0200, Martin Zobel-Helas wrote:
> Hi,
>
> On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: jessie
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> >
> > This is a proposal to fix CVE-2017-9765 in jessie.
> > debdiff is attached.
> >
> > Mattias Ellert
> > diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
> > --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.000000000 +0200
> > +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.000000000 +0200
> > @@ -1,3 +1,9 @@
> > +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
> > +
> > + * Fix for CVE-2017-9765 (Closes: xxxx)
> > +
> > + -- Mattias Ellert <mattias.ellert@physics.uu.se> Wed, 16 Aug 2017 11:30:40 +0200
> > +
> > gsoap (2.8.17-1) unstable; urgency=medium
>
> once this changelog has a proper Closes line with bug-number this patch
> looks sane to me.
>
> Cheers,
> Martin
> (former stable release manager)
>

Closes statement removed as requested. See bug #872441 for the discussion.

Mattias

diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
--- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.000000000 +0200
+++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.000000000 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
+
+ * Fix for CVE-2017-9765
+
+ -- Mattias Ellert <mattias.ellert@physics.uu.se> Wed, 16 Aug 2017 11:30:40 +0200
+
gsoap (2.8.17-1) unstable; urgency=medium
* New upstream release
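Review bot: The only bullet in the new changelog entry, "* Fix for CVE-2017-9765", does not say what was changed or which file carries the change. Naming the added patch (debian/patches/gsoap-CVE-2017-9765.patch) and the function it touches (soap_get_pi in stdsoap2.c and stdsoap2.cpp) in that bullet would let a reader of the stable update see the scope without opening the debdiff.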
diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch 1970-01-01 01:00:00.000000000 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch 2017-08-16 09:29:32.000000000 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.c gsoap-2.7/gsoap/stdsoap2.c
+--- gsoap-2.7.orig/gsoap/stdsoap2.c 2010-04-06 18:23:14.000000000 +0200
++++ gsoap-2.7/gsoap/stdsoap2.c 2017-08-01 15:05:03.634309308 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+ register char *s = buf;
+- register int i = sizeof(buf);
+- register soap_wchar c = soap_getchar(soap);
+- /* This is a quick way to parse XML PI and we could use a callback instead to
+- * enable applications to intercept processing instructions */
+- while ((int)c != EOF && c != '?')
+- { if (--i > 0)
++ register size_t i = sizeof(buf);
++ register soap_wchar c;
++ /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */
++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++ { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+ *s++ = (char)c;
++ i--;
+ }
+- c = soap_getchar(soap);
+ }
+ *s = '\0';
+ DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI <?%s?>\n", buf));
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.cpp gsoap-2.7/gsoap/stdsoap2.cpp
+--- gsoap-2.7.orig/gsoap/stdsoap2.cpp 2010-04-06 18:23:14.000000000 +0200
++++ gsoap-2.7/gsoap/stdsoap2.cpp 2017-08-01 15:05:03.636309306 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+ register char *s = buf;
+- register int i = sizeof(buf);
+- register soap_wchar c = soap_getchar(soap);
+- /* This is a quick way to parse XML PI and we could use a callback instead to
+- * enable applications to intercept processing instructions */
+- while ((int)c != EOF && c != '?')
+- { if (--i > 0)
++ register size_t i = sizeof(buf);
++ register soap_wchar c;
++ /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */
++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++ { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+ *s++ = (char)c;
++ i--;
+ }
+- c = soap_getchar(soap);
+ }
+ *s = '\0';
+ DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI <?%s?>\n", buf));
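Review bot: The embedded patch was generated against a gsoap-2.7 tree (headers gsoap-2.7.orig/gsoap/stdsoap2.c and stdsoap2.cpp, 2010 timestamps, hunks at @@ -1509,17 +1509,16 @@) while this package is gsoap-2.8.17, so it may apply only with an offset or fuzz; refreshing it against the 2.8.17 source would make the recorded context match what is shipped. The file also begins directly at the "diff -ur" line with no description header, so a few lines stating the CVE, where the fix comes from and the tracking bug would document it for later maintainers. On the logic itself the bound reads correctly: i starts at sizeof(buf) and is decremented only when a byte is stored under "if (i > 1)", so at most 63 bytes are written before "*s = '\0'", and a longer processing instruction is silently truncated rather than rejected, which is worth stating in the patch description.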
diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series
--- gsoap-2.8.17/debian/patches/series 2014-07-11 20:36:40.000000000 +0200
+++ gsoap-2.8.17/debian/patches/series 2017-08-16 11:28:38.000000000 +0200
@@ -21,3 +21,6 @@
# https://sourceforge.net/p/gsoap2/patches/119/
gsoap-doxygen-paths.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch