fre 2017-08-18 klockan 08:46 +0100 skrev Adam D. Barratt: > On 2017-08-18 8:01, Mattias Ellert wrote: > > tor 2017-08-17 klockan 21:59 +0100 skrev Adam D. Barratt: > > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote: > > > > Hi, > > > > > > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote: > > > > > > [...] > > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > > > > > + > > > > > + * Fix for CVE-2017-9765 (Closes: xxxx) > > [...] > > > Is there actually a Debian bug for the issue? I couldn't find one. > > [...] > > I don't understand the last comment here. > > Apparently not. > > > Of course there is a bug - it is this one. > > > > The reason the debdiff in the request says "Closes: xxxx", is a > > chicken-and-egg problem. You are supposed to attach the debdiff to the > > request, but before you make the request its BTS number does not yet > > exists - so you can't include it in the attachment at creation time. > > After I got the confirmation back with the number I updated the > > changelog with the bug number. > > *NO*. There is no chicken and egg problem here at all. > > The bug number you would close in the changelog relates to a bug filed > _against gsoap_, the same as it would for any other upload. You should > never be closing bugs filed against release.debian.org in an upload of > your package. You're fixing a bug in your package, the release.d.o bug > is a means of tracking that, not a thing fixed in the upload. > > If there is no bug filed against gsoap that relates to the issue, then > there should be no bug closed in the changelog. > > Regards, > > Adam Closes statement removed as requested. I am sorry to have upset you, but to me it was obvious the bug should be closed by the update, and the instruction did not say it should not be. Maybe you could add a sentence stating this in the instructions. Mattias
diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
--- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.000000000 +0100
+++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.000000000 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
+
+ * Fix for CVE-2017-9765
+
+ -- Mattias Ellert <mattias.ellert@physics.uu.se> Wed, 16 Aug 2017 11:58:11 +0200
+
gsoap (2.8.35-4) unstable; urgency=medium
* Rebuild for OpenSSL 1.1.0
diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch 1970-01-01 01:00:00.000000000 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch 2017-08-16 11:54:02.000000000 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c 2016-04-03 03:33:31.000000000 +0200
++++ gsoap-2.8/gsoap/stdsoap2.c 2017-08-01 14:51:44.141083499 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+ char *s = buf;
+- int i = sizeof(buf);
+- soap_wchar c = soap_getchar(soap);
+- /* This is a quick way to parse XML PI and we could use a callback instead to
+- * enable applications to intercept processing instructions */
+- while ((int)c != EOF && c != '?')
+- { if (--i > 0)
++ size_t i = sizeof(buf);
++ soap_wchar c;
++ /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */
++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++ { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+ *s++ = (char)c;
++ i--;
+ }
+- c = soap_getchar(soap);
+ }
+ *s = '\0';
+ DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI <?%s?>\n", buf));
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2016-04-03 03:33:31.000000000 +0200
++++ gsoap-2.8/gsoap/stdsoap2.cpp 2017-08-01 14:51:44.143083498 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+ char *s = buf;
+- int i = sizeof(buf);
+- soap_wchar c = soap_getchar(soap);
+- /* This is a quick way to parse XML PI and we could use a callback instead to
+- * enable applications to intercept processing instructions */
+- while ((int)c != EOF && c != '?')
+- { if (--i > 0)
++ size_t i = sizeof(buf);
++ soap_wchar c;
++ /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */
++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++ { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+ *s++ = (char)c;
++ i--;
+ }
+- c = soap_getchar(soap);
+ }
+ *s = '\0';
+ DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI <?%s?>\n", buf));
diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series
--- gsoap-2.8.35/debian/patches/series 2016-09-26 14:49:01.000000000 +0200
+++ gsoap-2.8.35/debian/patches/series 2017-08-16 11:57:36.000000000 +0200
@@ -10,3 +10,6 @@
# Backport fix from upstream
gsoap-backport.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch
Attachment:
signature.asc
Description: This is a digitally signed message part