Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2

To: <submit@bugs.debian.org>
Subject: Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
From: Mattias Ellert <mattias.ellert@physics.uu.se>
Date: Fri, 15 Feb 2019 11:12:43 +0100
Message-id: <[🔎] 75ff4e5b2dd759f4d29af515a233d97d48c22776.camel@physics.uu.se>
Reply-to: Mattias Ellert <mattias.ellert@physics.uu.se>, 922385@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2019-7659 in stretch.

The update also addresses one additional advisory published by the
upstream developers.

debdiff is attached.

gsoap (2.8.35-4+deb9u2) stretch; urgency=medium

  * Fix for CVE-2019-7659
    Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
    denial of service (application abort) or possibly have unspecified other
    impact if a server application is built with the -DWITH_COOKIES flag. This
    affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
    libraries, as these are built with that flag.
  * Fix issue with DIME protocol receiver and malformed DIME headers
    This patch addresses a critical issue with the DIME protocol receiver that
    may cause the receiver to become unresponsive when a malformed DIME
    protocol message is received. -- https://www.genivia.com/advisory.html

	Mattias Ellert

diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
--- gsoap-2.8.35/debian/changelog	2017-08-16 11:58:11.000000000 +0200
+++ gsoap-2.8.35/debian/changelog	2019-02-14 17:12:12.000000000 +0100
@@ -1,3 +1,18 @@
+gsoap (2.8.35-4+deb9u2) stretch; urgency=medium
+
+  * Fix for CVE-2019-7659
+    Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
+    denial of service (application abort) or possibly have unspecified other
+    impact if a server application is built with the -DWITH_COOKIES flag. This
+    affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
+    libraries, as these are built with that flag.
+  * Fix issue with DIME protocol receiver and malformed DIME headers
+    This patch addresses a critical issue with the DIME protocol receiver that
+    may cause the receiver to become unresponsive when a malformed DIME
+    protocol message is received. -- https://www.genivia.com/advisory.html
+
+ -- Mattias Ellert <mattias.ellert@physics.uu.se>  Thu, 14 Feb 2019 17:12:12 +0100
+
 gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
 
   * Fix for CVE-2017-9765
diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch
--- gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch	1970-01-01 01:00:00.000000000 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch	2019-02-14 17:12:12.000000000 +0100
@@ -0,0 +1,50 @@
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.c gsoap-2.8.35/gsoap/stdsoap2.c
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.c	2016-09-18 10:56:10.000000000 +0200
++++ gsoap-2.8.35/gsoap/stdsoap2.c	2019-02-13 17:21:44.188000000 +0100
+@@ -7037,11 +7037,12 @@
+ 
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++int
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, int len)
+ { int c;
+-  size_t n = len;
++  int n = len;
++  if (n <= 0) return 0;
+   while ((c = *s++) && --n > 0)
+   { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+       *t++ = c;
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.cpp gsoap-2.8.35/gsoap/stdsoap2.cpp
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.cpp	2016-09-18 10:56:10.000000000 +0200
++++ gsoap-2.8.35/gsoap/stdsoap2.cpp	2019-02-13 17:21:44.188000000 +0100
+@@ -7037,11 +7037,12 @@
+ 
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++int
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, int len)
+ { int c;
+-  size_t n = len;
++  int n = len;
++  if (n <= 0) return 0;
+   while ((c = *s++) && --n > 0)
+   { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+       *t++ = c;
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.h gsoap-2.8.35/gsoap/stdsoap2.h
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.h	2016-09-18 10:56:10.000000000 +0200
++++ gsoap-2.8.35/gsoap/stdsoap2.h	2019-02-13 17:19:31.088000000 +0100
+@@ -3380,7 +3380,7 @@
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url(struct soap *soap, const char*, const char*);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url_query(struct soap *soap, const char*, const char*);
+ SOAP_FMAC1 void SOAP_FMAC2 soap_url_query(struct soap *soap, const char*, const char*);
+-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t);
++SOAP_FMAC1 int SOAP_FMAC2 soap_encode_url(const char*, char*, int);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*);
+ #ifdef WITH_COOKIES
+ SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val);
diff -Nru gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch
--- gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch	1970-01-01 01:00:00.000000000 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch	2019-02-13 17:12:41.000000000 +0100
@@ -0,0 +1,22 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c	2017-07-11 03:51:16.000000000 +0200
++++ gsoap-2.8/gsoap/stdsoap2.c	2018-04-18 16:09:06.340071192 +0200
+@@ -16965,7 +16965,6 @@
+       return soap->error = SOAP_CHK_EOF;
+     soap_unget(soap, soap_getchar(soap)); /* skip padding and get hdr */
+     DBGLOG(TEST, SOAP_MESSAGE(fdebug, "... From chunked\n"));
+-    return SOAP_OK;
+   }
+   s = (char*)tmp;
+   for (i = 12; i > 0; i--)
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp	2017-07-11 03:51:16.000000000 +0200
++++ gsoap-2.8/gsoap/stdsoap2.cpp	2018-04-18 16:09:06.340071192 +0200
+@@ -16965,7 +16965,6 @@
+       return soap->error = SOAP_CHK_EOF;
+     soap_unget(soap, soap_getchar(soap)); /* skip padding and get hdr */
+     DBGLOG(TEST, SOAP_MESSAGE(fdebug, "... From chunked\n"));
+-    return SOAP_OK;
+   }
+   s = (char*)tmp;
+   for (i = 12; i > 0; i--)
diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series
--- gsoap-2.8.35/debian/patches/series	2017-08-16 11:57:36.000000000 +0200
+++ gsoap-2.8.35/debian/patches/series	2019-02-14 17:12:12.000000000 +0100
@@ -13,3 +13,9 @@
 
 # CVE-2017-9765
 gsoap-CVE-2017-9765.patch
+
+# Fix issue with DIME protocol receiver and malformed DIME headers
+gsoap-malformed-DIME.patch
+
+# CVE-2019-7659
+gsoap-CVE-2019-7659.patch

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
Next by Date: Bug#922384: marked as done (jessie-pu: package gsoap/2.8.17-1+deb8u2)
Previous by thread: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
Next by thread: Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
Index(es):
- Date
- Thread