Your message dated Tue, 09 Mar 2021 10:43:24 +0000 with message-id <E1lJZpk-0005Pq-UD@respighi.debian.org> and subject line unblock gsoap has caused the Debian Bug report #984837, regarding unblock: gsoap/2.8.104-3 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
984837: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984837
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock: gsoap/2.8.104-3
- From: Mattias Ellert <mattias.ellert@physics.uu.se>
- Date: Mon, 08 Mar 2021 23:43:33 +0100
- Message-id: <0ac547f5a774a65958e2606c6bf69e60c0947e7c.camel@physics.uu.se>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

I have submitted an update for the gsoap package, back-porting several fixes for CVEs from upstream. It fixes the RC bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983596

Due to the current soft freeze, the migration delay is 10 days, which would mean 18 March. However the hard freeze starts March 12, after which migration requires an explicit unblock. Hence this unblock request.

Due to the RC bug, the package is marked for auto-removal, together with many packages that depend on it:

Marked for autoremoval on 11 April: #983596 high

Version 2.8.104-2 of gsoap is marked for autoremoval from testing on Sun 11 Apr 2021. It is affected by #983596. The removal of gsoap will also cause the removal of (transitive) reverse dependencies: arc-gui-clients, cgsi-gsoap, davix, gfal2, gridsite, lcas-lcmaps-gt4-interface, lcmaps, lcmaps-plugins-basic, lcmaps-plugins-jobrep, lcmaps-plugins-verify-proxy, lcmaps-plugins-voms, myproxy, nordugrid-arc, nordugrid-arc-nagios-plugins, openstack-cluster-installer, srm-ifce, voms, voms-mysql-plugin, xrootd. You should try to prevent the removal by fixing these RC bugs.

I hope you will consider unblocking the update. Debdiff attached.

Mattias

diff -Nru gsoap-2.8.104/debian/changelog gsoap-2.8.104/debian/changelog --- gsoap-2.8.104/debian/changelog 2020-07-25 08:30:12.000000000 +0200 +++ gsoap-2.8.104/debian/changelog 2021-03-08 14:06:23.000000000 +0100 
@@ -1,3 +1,12 @@ +gsoap (2.8.104-3) unstable; urgency=high + + * Backporting upstream fixes (Closes: #983596) + - Fixes CVE: CVE-2020-13574 CVE-2020-13575 CVE-2020-13577 CVE-2020-13578 + - Fixes CVE: CVE-2020-13576 + * Urgency high due to fixing RC bug + + -- Mattias Ellert <mattias.ellert@physics.uu.se> Mon, 08 Mar 2021 14:06:23 +0100 + gsoap (2.8.104-2) unstable; urgency=medium * Re-upload source only diff -Nru gsoap-2.8.104/debian/control gsoap-2.8.104/debian/control --- gsoap-2.8.104/debian/control 2020-07-22 15:23:55.000000000 +0200 +++ gsoap-2.8.104/debian/control 2021-03-08 14:06:23.000000000 +0100 @@ -13,7 +13,7 @@ Build-Depends-Indep: doxygen, graphviz -Standards-Version: 4.5.0 +Standards-Version: 4.5.1 Section: devel Vcs-Browser: https://salsa.debian.org/ellert/gsoap Vcs-Git: https://salsa.debian.org/ellert/gsoap.git diff -Nru gsoap-2.8.104/debian/copyright gsoap-2.8.104/debian/copyright --- gsoap-2.8.104/debian/copyright 2020-07-22 15:23:55.000000000 +0200 +++ gsoap-2.8.104/debian/copyright 2021-03-08 14:06:23.000000000 +0100 @@ -171,7 +171,7 @@ Files: debian/* Copyright: 2003-2007, Thomas Wana <greuff@debian.org> - 2011-2020, Mattias Ellert <mattias.ellert@physics.uu.se> + 2011-2021, Mattias Ellert <mattias.ellert@physics.uu.se> License: GPL-2+ On Debian systems, the complete text of the GPL version 2 license can be found in '/usr/share/common-licenses/GPL-2'. diff -Nru gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch --- gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch 1970-01-01 01:00:00.000000000 +0100 +++ gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch 2021-03-08 11:28:34.000000000 +0100 
@@ -0,0 +1,336 @@ +diff -ur gsoap2-code-r191/gsoap/plugin/httpda.c gsoap2-code-r192/gsoap/plugin/httpda.c +--- gsoap2-code-r191/gsoap/plugin/httpda.c 2020-06-30 21:06:47.000000000 +0200 ++++ gsoap2-code-r192/gsoap/plugin/httpda.c 2020-11-19 19:29:25.000000000 +0100 +@@ -1460,7 +1460,7 @@ + MUTEX_LOCK(http_da_session_lock); + + for (session = http_da_session; session; session = session->next) +- if (!strcmp(session->realm, realm) && !strcmp(session->nonce, nonce) && !strcmp(session->opaque, opaque)) ++ if (session->realm && session->nonce && session->opaque && !strcmp(session->realm, realm) && !strcmp(session->nonce, nonce) && !strcmp(session->opaque, opaque)) + break; + + if (session) +diff -ur gsoap2-code-r191/gsoap/plugin/wsaapi.c gsoap2-code-r192/gsoap/plugin/wsaapi.c +--- gsoap2-code-r191/gsoap/plugin/wsaapi.c 2020-06-30 21:06:47.000000000 +0200 ++++ gsoap2-code-r192/gsoap/plugin/wsaapi.c 2020-11-19 19:29:25.000000000 +0100 +@@ -1056,7 +1056,7 @@ + oldheader->SOAP_WSA(FaultTo)->Address = oldheader->SOAP_WSA(ReplyTo)->Address; + } + /* use FaultTo */ +- if (oldheader && oldheader->SOAP_WSA(FaultTo) && !strcmp(oldheader->SOAP_WSA(FaultTo)->Address, soap_wsa_noneURI)) ++ if (oldheader && oldheader->SOAP_WSA(FaultTo) && oldheader->SOAP_WSA(FaultTo)->Address && !strcmp(oldheader->SOAP_WSA(FaultTo)->Address, soap_wsa_noneURI)) + return soap_send_empty_response(soap, SOAP_OK); /* HTTP ACCEPTED */ + soap->header = NULL; + /* allocate a new header */ +diff -ur gsoap2-code-r191/gsoap/plugin/wsseapi.c gsoap2-code-r192/gsoap/plugin/wsseapi.c +--- gsoap2-code-r191/gsoap/plugin/wsseapi.c 2020-10-16 23:01:09.000000000 +0200 ++++ gsoap2-code-r192/gsoap/plugin/wsseapi.c 2020-11-19 19:29:25.000000000 +0100 +@@ -2957,7 +2957,7 @@ + else + { + /* check password text */ +- if (!strcmp(token->Password->__item, password)) ++ if (token->Password->__item && !strcmp(token->Password->__item, password)) + return SOAP_OK; + } + } +@@ -3119,6 +3119,7 @@ + { + _wsse__BinarySecurityToken 
*token = soap_wsse_BinarySecurityToken(soap, id); + DBGFUN1("soap_wsse_get_BinarySecurityToken", "id=%s", id?id:""); ++ *data = NULL; + if (token) + { + *valueType = token->ValueType; +@@ -3149,9 +3150,9 @@ + X509 *cert = NULL; + char *valueType = NULL; + #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) +- const unsigned char *data; ++ const unsigned char *data = NULL; + #else +- unsigned char *data; ++ unsigned char *data = NULL; + #endif + int size; + DBGFUN1("soap_wsse_get_BinarySecurityTokenX509", "id=%s", id?id:""); +@@ -3271,7 +3272,7 @@ + SOAP_FMAC2 + soap_wsse_add_SecurityContextToken(struct soap *soap, const char *id, const char *identifier) + { +- char *URI; ++ char *URI = NULL; + size_t l; + _wsse__Security *security = soap_wsse_add_Security(soap); + DBGFUN2("soap_wsse_add_SecurityContextToken", "id=%s", id, "identifier=%s", identifier?identifier:""); +@@ -3653,7 +3654,7 @@ + { + ds__SignatureType *signature = soap_wsse_add_Signature(soap); + const char *method = NULL; +- char *sig; ++ char *sig = NULL; + int siglen; + int err; + const char *c14ninclude = soap->c14ninclude; +@@ -3884,10 +3885,10 @@ + && signature->SignedInfo + && signature->SignatureValue) + { +- char *sig; +- const char *sigval; ++ char *sig = NULL; ++ const char *sigval = NULL; + int method, bits, siglen, sigvallen; +- struct soap_dom_element *elt; ++ struct soap_dom_element *elt = NULL; + /* check that we are using the intended signature algorithm */ + if (soap_wsse_get_SignedInfo_SignatureMethod(soap, &method, &bits)) + return soap->error; +@@ -3944,8 +3945,8 @@ + for (att = prt->atts; att; att = att->next) + { + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "DOM attribute = %s\n", att->name)); +- if (!strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) +- soap_attribute(soap, att->name, att->text); ++ if (att->name && att->text && !strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) ++ (void)soap_attribute(soap, 
att->name, att->text); + } + } + /* push xmlns="..." */ +@@ -3953,9 +3954,9 @@ + { + for (att = prt->atts; att; att = att->next) + { +- if (!strcmp(att->name, "xmlns")) ++ if (att->name && att->text && !strcmp(att->name, "xmlns")) + { +- soap_attribute(soap, att->name, att->text); ++ (void)soap_attribute(soap, att->name, att->text); + prt = NULL; + break; + } +@@ -4239,17 +4240,17 @@ + for (att = prt->atts; att; att = att->next) + { + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "DOM attribute = %s\n", att->name)); +- if (!strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) +- soap_attribute(soap, att->name, att->text); ++ if (att->name && att->text && !strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) ++ (void)soap_attribute(soap, att->name, att->text); + } + } + for (prt = dom->prnt; prt; prt = prt->prnt) + { + for (att = prt->atts; att; att = att->next) + { +- if (!strcmp(att->name, "xmlns")) ++ if (att->name && att->text && !strcmp(att->name, "xmlns")) + { +- soap_attribute(soap, att->name, att->text); ++ (void)soap_attribute(soap, att->name, att->text); + prt = NULL; + break; + } +@@ -5090,7 +5091,7 @@ + if (elt) + { + att = soap_att_get(elt, NULL, "EncodingType"); +- if (att) ++ if (att && soap_att_get_text(att)) + keybase = !strcmp(soap_att_get_text(att), wsse_Base64BinaryURI); + att = soap_att_get(elt, NULL, "ValueType"); + keytype = soap_att_get_text(att); +@@ -5140,7 +5141,7 @@ + { + int keylen; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "Verify EncryptedKey %s alg=%x\n", keyalgo, data->deco_alg)); +- if (keydata) ++ if (keytype && keydata) + { + if (!strcmp(keytype, wsse_X509v3URI)) + { +@@ -6111,9 +6112,8 @@ + */ + static int soap_p_hash(struct soap *soap, const char *hmac_key, size_t hmac_key_len, const char *secret, size_t secretlen, int alg, char HA[], size_t HA_len, char temp[], char *phash, size_t phashlen) + { +- char *buffer; + size_t i; +- buffer = (char*)SOAP_MALLOC(soap, 
HA_len + secretlen); ++ char *buffer = (char*)SOAP_MALLOC(soap, HA_len + secretlen); + if (!buffer) + return soap->error = SOAP_EOM; + i = 0; +@@ -7351,7 +7351,7 @@ + soap_strcpy(URI + 1, l + 1, Id); + } + #endif +- if (!strcmp(tag, "SOAP-ENV:Body")) ++ if (tag && !strcmp(tag, "SOAP-ENV:Body")) + { + if (soap_element(soap, tag, id, type) + || soap_element_start_end_out(soap, NULL)) +@@ -7401,7 +7401,7 @@ + } + if (data && (!data->encid || soap_tagsearch(data->encid, tag))) + { +- if (!strcmp(tag, "SOAP-ENV:Body")) ++ if (tag && !strcmp(tag, "SOAP-ENV:Body")) + { + if (soap_wsse_encrypt_end(soap)) + return soap->error; +diff -ur gsoap2-code-r191/gsoap/plugin/wsseapi.cpp gsoap2-code-r192/gsoap/plugin/wsseapi.cpp +--- gsoap2-code-r191/gsoap/plugin/wsseapi.cpp 2020-10-16 23:01:09.000000000 +0200 ++++ gsoap2-code-r192/gsoap/plugin/wsseapi.cpp 2020-11-19 19:29:25.000000000 +0100 +@@ -2957,7 +2957,7 @@ + else + { + /* check password text */ +- if (!strcmp(token->Password->__item, password)) ++ if (token->Password->__item && !strcmp(token->Password->__item, password)) + return SOAP_OK; + } + } +@@ -3119,6 +3119,7 @@ + { + _wsse__BinarySecurityToken *token = soap_wsse_BinarySecurityToken(soap, id); + DBGFUN1("soap_wsse_get_BinarySecurityToken", "id=%s", id?id:""); ++ *data = NULL; + if (token) + { + *valueType = token->ValueType; +@@ -3149,9 +3150,9 @@ + X509 *cert = NULL; + char *valueType = NULL; + #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) +- const unsigned char *data; ++ const unsigned char *data = NULL; + #else +- unsigned char *data; ++ unsigned char *data = NULL; + #endif + int size; + DBGFUN1("soap_wsse_get_BinarySecurityTokenX509", "id=%s", id?id:""); +@@ -3271,7 +3272,7 @@ + SOAP_FMAC2 + soap_wsse_add_SecurityContextToken(struct soap *soap, const char *id, const char *identifier) + { +- char *URI; ++ char *URI = NULL; + size_t l; + _wsse__Security *security = soap_wsse_add_Security(soap); + DBGFUN2("soap_wsse_add_SecurityContextToken", "id=%s", id, 
"identifier=%s", identifier?identifier:""); +@@ -3653,7 +3654,7 @@ + { + ds__SignatureType *signature = soap_wsse_add_Signature(soap); + const char *method = NULL; +- char *sig; ++ char *sig = NULL; + int siglen; + int err; + const char *c14ninclude = soap->c14ninclude; +@@ -3884,10 +3885,10 @@ + && signature->SignedInfo + && signature->SignatureValue) + { +- char *sig; +- const char *sigval; ++ char *sig = NULL; ++ const char *sigval = NULL; + int method, bits, siglen, sigvallen; +- struct soap_dom_element *elt; ++ struct soap_dom_element *elt = NULL; + /* check that we are using the intended signature algorithm */ + if (soap_wsse_get_SignedInfo_SignatureMethod(soap, &method, &bits)) + return soap->error; +@@ -3944,8 +3945,8 @@ + for (att = prt->atts; att; att = att->next) + { + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "DOM attribute = %s\n", att->name)); +- if (!strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) +- soap_attribute(soap, att->name, att->text); ++ if (att->name && att->text && !strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) ++ (void)soap_attribute(soap, att->name, att->text); + } + } + /* push xmlns="..." 
*/ +@@ -3953,9 +3954,9 @@ + { + for (att = prt->atts; att; att = att->next) + { +- if (!strcmp(att->name, "xmlns")) ++ if (att->name && att->text && !strcmp(att->name, "xmlns")) + { +- soap_attribute(soap, att->name, att->text); ++ (void)soap_attribute(soap, att->name, att->text); + prt = NULL; + break; + } +@@ -4239,17 +4240,17 @@ + for (att = prt->atts; att; att = att->next) + { + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "DOM attribute = %s\n", att->name)); +- if (!strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) +- soap_attribute(soap, att->name, att->text); ++ if (att->name && att->text && !strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) ++ (void)soap_attribute(soap, att->name, att->text); + } + } + for (prt = dom->prnt; prt; prt = prt->prnt) + { + for (att = prt->atts; att; att = att->next) + { +- if (!strcmp(att->name, "xmlns")) ++ if (att->name && att->text && !strcmp(att->name, "xmlns")) + { +- soap_attribute(soap, att->name, att->text); ++ (void)soap_attribute(soap, att->name, att->text); + prt = NULL; + break; + } +@@ -5090,7 +5091,7 @@ + if (elt) + { + att = soap_att_get(elt, NULL, "EncodingType"); +- if (att) ++ if (att && soap_att_get_text(att)) + keybase = !strcmp(soap_att_get_text(att), wsse_Base64BinaryURI); + att = soap_att_get(elt, NULL, "ValueType"); + keytype = soap_att_get_text(att); +@@ -5140,7 +5141,7 @@ + { + int keylen; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "Verify EncryptedKey %s alg=%x\n", keyalgo, data->deco_alg)); +- if (keydata) ++ if (keytype && keydata) + { + if (!strcmp(keytype, wsse_X509v3URI)) + { +@@ -6111,9 +6112,8 @@ + */ + static int soap_p_hash(struct soap *soap, const char *hmac_key, size_t hmac_key_len, const char *secret, size_t secretlen, int alg, char HA[], size_t HA_len, char temp[], char *phash, size_t phashlen) + { +- char *buffer; + size_t i; +- buffer = (char*)SOAP_MALLOC(soap, HA_len + secretlen); ++ char *buffer = 
(char*)SOAP_MALLOC(soap, HA_len + secretlen); + if (!buffer) + return soap->error = SOAP_EOM; + i = 0; +@@ -7351,7 +7351,7 @@ + soap_strcpy(URI + 1, l + 1, Id); + } + #endif +- if (!strcmp(tag, "SOAP-ENV:Body")) ++ if (tag && !strcmp(tag, "SOAP-ENV:Body")) + { + if (soap_element(soap, tag, id, type) + || soap_element_start_end_out(soap, NULL)) +@@ -7401,7 +7401,7 @@ + } + if (data && (!data->encid || soap_tagsearch(data->encid, tag))) + { +- if (!strcmp(tag, "SOAP-ENV:Body")) ++ if (tag && !strcmp(tag, "SOAP-ENV:Body")) + { + if (soap_wsse_encrypt_end(soap)) + return soap->error; diff -Nru gsoap-2.8.104/debian/patches/gsoap-url-parse-hardening.patch gsoap-2.8.104/debian/patches/gsoap-url-parse-hardening.patch --- gsoap-2.8.104/debian/patches/gsoap-url-parse-hardening.patch 1970-01-01 01:00:00.000000000 +0100 +++ gsoap-2.8.104/debian/patches/gsoap-url-parse-hardening.patch 2021-03-08 13:16:01.000000000 +0100 
@@ -0,0 +1,36 @@ +diffdiff -ur gsoap2-code-r193/gsoap/samples/calc_vs2005/calc_vs2005/stdsoap2.cpp gsoap2-code-r194/gsoap/samples/calc_vs2005/calc_vs2005/stdsoap2.cpp +--- gsoap2-code-r193/gsoap/samples/calc_vs2005/calc_vs2005/stdsoap2.cpp 2021-01-17 20:13:51.000000000 +0100 ++++ gsoap2-code-r194/gsoap/samples/calc_vs2005/calc_vs2005/stdsoap2.cpp 2021-01-22 23:49:26.000000000 +0100 +@@ -21246,7 +21243,7 @@ + if (*s == ':') + { + s++; +- if (*s != '@') ++ if (*s != '@' && s < t) + { + l = t - s + 1; + r = r + strlen(r) + 1; +diff -ur gsoap2-code-r193/gsoap/stdsoap2.c gsoap2-code-r194/gsoap/stdsoap2.c +--- gsoap2-code-r193/gsoap/stdsoap2.c 2021-01-17 20:13:51.000000000 +0100 ++++ gsoap2-code-r194/gsoap/stdsoap2.c 2021-01-22 23:49:26.000000000 +0100 +@@ -21246,7 +21243,7 @@ + if (*s == ':') + { + s++; +- if (*s != '@') ++ if (*s != '@' && s < t) + { + l = t - s + 1; + r = r + strlen(r) + 1; +diff -ur gsoap2-code-r193/gsoap/stdsoap2.cpp gsoap2-code-r194/gsoap/stdsoap2.cpp +--- gsoap2-code-r193/gsoap/stdsoap2.cpp 2021-01-17 20:13:51.000000000 +0100 ++++ gsoap2-code-r194/gsoap/stdsoap2.cpp 2021-01-22 23:49:26.000000000 +0100 +@@ -21246,7 +21243,7 @@ + if (*s == ':') + { + s++; +- if (*s != '@') ++ if (*s != '@' && s < t) + { + l = t - s + 1; + r = r + strlen(r) + 1; diff -Nru gsoap-2.8.104/debian/patches/gsoap-wsse.patch gsoap-2.8.104/debian/patches/gsoap-wsse.patch --- gsoap-2.8.104/debian/patches/gsoap-wsse.patch 1970-01-01 01:00:00.000000000 +0100 +++ gsoap-2.8.104/debian/patches/gsoap-wsse.patch 2021-03-08 13:43:18.000000000 +0100 
@@ -0,0 +1,94 @@ +diff -ur gsoap2-code-r187/gsoap/plugin/wsseapi.c gsoap2-code-r188/gsoap/plugin/wsseapi.c +--- gsoap2-code-r187/gsoap/plugin/wsseapi.c 2020-06-30 21:06:47.000000000 +0200 ++++ gsoap2-code-r188/gsoap/plugin/wsseapi.c 2020-07-22 22:20:04.000000000 +0200 +@@ -3956,9 +3956,12 @@ + if (!strcmp(att->name, "xmlns")) + { + soap_attribute(soap, att->name, att->text); ++ prt = NULL; + break; + } + } ++ if (!prt) ++ break; + } + } + else +@@ -4247,9 +4250,12 @@ + if (!strcmp(att->name, "xmlns")) + { + soap_attribute(soap, att->name, att->text); ++ prt = NULL; + break; + } + } ++ if (!prt) ++ break; + } + } + else +@@ -4984,7 +4990,7 @@ + if (soap_tagsearch(data->encid, "ds:Signature")) + { + /* support ds:Signature encryption only with HTTP chunking, otherwise content length is incorrect */ +- if ((soap->omode & SOAP_IO) == SOAP_IO_BUFFER) ++ if ((soap->omode & SOAP_IO) == SOAP_IO_BUFFER || (soap->omode & SOAP_IO) == SOAP_IO_FLUSH) + soap->omode = (soap->omode & ~SOAP_IO) | SOAP_IO_CHUNK; + } + } +@@ -7573,6 +7579,8 @@ + soap->c14ninclude = NULL; /* but do not render inclusive namespaces */ + if ((soap->mode & SOAP_XML_INDENT)) + soap->count += 5; /* correction for soap->ns = 0: add \n+indent */ ++ if ((soap->mode & SOAP_XML_DEFAULTNS)) ++ soap->count -= 2*(9 + strlen(ds_URI)); /* correct for xmlns="http://www.w3.org/2000/09/xmldsig#" added to SignedInfo and ds:SignatureValue */ + } + soap_out_ds__SignedInfoType(soap, "ds:SignedInfo", 0, signature->SignedInfo, NULL); + soap_out__ds__SignatureValue(soap, "ds:SignatureValue", 0, &signature->SignatureValue, NULL); +diff -ur gsoap2-code-r187/gsoap/plugin/wsseapi.cpp gsoap2-code-r188/gsoap/plugin/wsseapi.cpp +--- gsoap2-code-r187/gsoap/plugin/wsseapi.cpp 2020-06-30 21:06:47.000000000 +0200 ++++ gsoap2-code-r188/gsoap/plugin/wsseapi.cpp 2020-07-22 22:20:04.000000000 +0200 +@@ -3956,9 +3956,12 @@ + if (!strcmp(att->name, "xmlns")) + { + soap_attribute(soap, att->name, att->text); ++ prt = NULL; + break; + } + } ++ 
if (!prt) ++ break; + } + } + else +@@ -4247,9 +4250,12 @@ + if (!strcmp(att->name, "xmlns")) + { + soap_attribute(soap, att->name, att->text); ++ prt = NULL; + break; + } + } ++ if (!prt) ++ break; + } + } + else +@@ -4984,7 +4990,7 @@ + if (soap_tagsearch(data->encid, "ds:Signature")) + { + /* support ds:Signature encryption only with HTTP chunking, otherwise content length is incorrect */ +- if ((soap->omode & SOAP_IO) == SOAP_IO_BUFFER) ++ if ((soap->omode & SOAP_IO) == SOAP_IO_BUFFER || (soap->omode & SOAP_IO) == SOAP_IO_FLUSH) + soap->omode = (soap->omode & ~SOAP_IO) | SOAP_IO_CHUNK; + } + } +@@ -7573,6 +7579,8 @@ + soap->c14ninclude = NULL; /* but do not render inclusive namespaces */ + if ((soap->mode & SOAP_XML_INDENT)) + soap->count += 5; /* correction for soap->ns = 0: add \n+indent */ ++ if ((soap->mode & SOAP_XML_DEFAULTNS)) ++ soap->count -= 2*(9 + strlen(ds_URI)); /* correct for xmlns="http://www.w3.org/2000/09/xmldsig#" added to SignedInfo and ds:SignatureValue */ + } + soap_out_ds__SignedInfoType(soap, "ds:SignedInfo", 0, signature->SignedInfo, NULL); + soap_out__ds__SignatureValue(soap, "ds:SignatureValue", 0, &signature->SignatureValue, NULL); diff -Nru gsoap-2.8.104/debian/patches/series gsoap-2.8.104/debian/patches/series --- gsoap-2.8.104/debian/patches/series 2020-07-22 15:23:55.000000000 +0200 +++ gsoap-2.8.104/debian/patches/series 2021-03-08 14:06:23.000000000 +0100 @@ -10,3 +10,15 @@ # The custom tabs css does not work with newer doxygen - use default version gsoap-doxygen-tabs.patch + +# Backport from gsoap 2.8.105 +# Included so that the following security fix applies cleanly +gsoap-wsse.patch + +# Backport from gsoap 2.8.109 +# Fixes CVE: CVE-2020-13574 CVE-2020-13575 CVE-2020-13577 CVE-2020-13578 +gsoap-plugins-hardening.patch + +# Backport from gsoap 2.8.111 +# Fixes CVE: CVE-2020-13576 +gsoap-url-parse-hardening.patchAttachment: signature.asc
Description: This is a digitally signed message part
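Review bot: the 2.8.104-3 entry in debian/changelog lists only the upstream backports and the urgency, but the same upload also bumps Standards-Version from 4.5.0 to 4.5.1 in debian/control and extends the copyright years in debian/copyright. Either record both in the changelog entry or leave them out of this upload, so that what is reviewed for the unblock matches what the changelog says was changed.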
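Review bot: in gsoap/plugin/httpda.c (@@ -1460) the new guard covers only session->realm, session->nonce and session->opaque; the realm, nonce and opaque values on the other side of each strcmp are still passed in unchecked. If any of them can be NULL when this loop runs, add them to the condition or reject them before MUTEX_LOCK(http_da_session_lock) is taken; if they cannot, a short comment stating that precondition would make the asymmetry clear.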
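Review bot: in gsoap/plugin/wsseapi.c (@@ -2957, same hunk in wsseapi.cpp) the check adds token->Password->__item but the password argument it is compared against is still handed to strcmp unchecked. Consider extending the condition to "password && token->Password->__item && ...". Separately, the password text is compared with strcmp, which stops at the first differing byte; a constant-time comparison is the safer choice for a credential check.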
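Review bot: in gsoap/plugin/wsseapi.c (@@ -3149, same hunk in wsseapi.cpp) data is now initialised to NULL in both preprocessor branches, but "int size;" directly below it is still left uninitialised. If soap_wsse_get_BinarySecurityToken can return without writing the size when no token is found (the @@ -3119 hunk resets only *data), the caller would read an indeterminate value; "int size = 0;" would close that in the same way.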
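Review bot: in gsoap/plugin/wsseapi.c (@@ -3944, @@ -3953 and @@ -4239, same hunks in wsseapi.cpp) the call becomes "(void)soap_attribute(soap, att->name, att->text);", which silences an unused-result warning by discarding the return value. If soap_attribute can fail here, the namespace binding is dropped silently while the surrounding canonicalisation continues; either propagate the error or add a comment explaining why ignoring it is safe.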
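Review bot: in gsoap/plugin/wsseapi.c (@@ -5090, same hunk in wsseapi.cpp) soap_att_get_text(att) is now called twice for EncodingType, once for the NULL test and once inside strcmp; storing the result in a local would be clearer and avoids relying on both calls returning the same pointer. Two lines further down, "keytype = soap_att_get_text(att);" is still called with whatever soap_att_get returned for ValueType, so it relies on soap_att_get_text accepting a NULL att; the keytype check added in @@ -5140 only covers the result.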
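Review bot: in soap_p_hash in gsoap/plugin/wsseapi.c (@@ -6111, same hunk in wsseapi.cpp) the hunk only merges the declaration of buffer with its assignment; the allocation size HA_len + secretlen is still computed without an overflow check. Since both are size_t values supplied by the caller, a guard such as rejecting secretlen > SIZE_MAX - HA_len before SOAP_MALLOC would belong in a hardening patch. Note also that buffer is now declared after "size_t i;" but before any statement, so it stays valid C89.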
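Review bot: in gsoap/plugin/wsseapi.c (@@ -7401, same hunk in wsseapi.cpp) the new "tag &&" test comes after tag has already been used: the enclosing condition "if (data && (!data->encid || soap_tagsearch(data->encid, tag)))" passes tag to soap_tagsearch before the NULL check is reached. If tag can be NULL here, the check needs to move up into that outer condition, or soap_tagsearch needs to be confirmed to accept a NULL second argument.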
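Review bot: in gsoap/stdsoap2.c (@@ -21246, identical hunks in stdsoap2.cpp and samples/calc_vs2005/calc_vs2005/stdsoap2.cpp) the new condition is written "*s != '@' && s < t", so *s is read before the range check that is supposed to protect the block. Writing it as "s < t && *s != '@'" follows the usual bounds-then-dereference order and keeps "l = t - s + 1" from ever being evaluated with s at or past t regardless of what *s holds. Minor: the first header line of gsoap-url-parse-hardening.patch reads "diffdiff -ur", which looks like a paste error.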
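Review bot: in gsoap/plugin/wsseapi.c (@@ -7573 of gsoap-wsse.patch, same hunk in wsseapi.cpp) the correction "soap->count -= 2*(9 + strlen(ds_URI));" uses a bare 9 for the fixed part of the xmlns="..." attribute. The comment explains the intent, but a named constant or a sizeof on the literal prefix would make the arithmetic checkable. The subtraction is also unguarded: if soap->count is an unsigned type and smaller than the correction at this point, it wraps, so a comparison before subtracting would be worth adding.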
--- End Message ---
--- Begin Message ---
- To: 984837-done@bugs.debian.org
- Subject: unblock gsoap
- From: Sebastian Ramacher <sramacher@respighi.debian.org>
- Date: Tue, 09 Mar 2021 10:43:24 +0000
- Message-id: <E1lJZpk-0005Pq-UD@respighi.debian.org>
Unblocked.
--- End Message ---