Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

I have submitted an update for the gsoap package, back-porting several fixes for CVEs from upstream. It fixes the RC bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983596

Due to the current soft freeze, the migration delay is 10 days, which would mean 18 March. However the hard freeze starts March 12, after which migration requires an explicit unblock. Hence this unblock request.

Due to the RC bug, the package is marked for auto-removal, together with many packages that depend on it:

Marked for autoremoval on 11 April: #983596 high

Version 2.8.104-2 of gsoap is marked for autoremoval from testing on Sun 11 Apr 2021. It is affected by #983596. The removal of gsoap will also cause the removal of (transitive) reverse dependencies: arc-gui-clients, cgsi-gsoap, davix, gfal2, gridsite, lcas-lcmaps-gt4-interface, lcmaps, lcmaps-plugins-basic, lcmaps-plugins-jobrep, lcmaps-plugins-verify-proxy, lcmaps-plugins-voms, myproxy, nordugrid-arc, nordugrid-arc-nagios-plugins, openstack-cluster-installer, srm-ifce, voms, voms-mysql-plugin, xrootd. You should try to prevent the removal by fixing these RC bugs.

I hope you will consider unblocking the update.

Debdiff attached.

Mattias

diff -Nru gsoap-2.8.104/debian/changelog gsoap-2.8.104/debian/changelog --- gsoap-2.8.104/debian/changelog 2020-07-25 08:30:12.000000000 +0200 +++ gsoap-2.8.104/debian/changelog 2021-03-08 14:06:23.000000000 +0100 @@ -1,3 +1,12 @@ +gsoap (2.8.104-3) unstable; urgency=high + + * Backporting upstream fixes (Closes: #983596) + - Fixes CVE: CVE-2020-13574 CVE-2020-13575 CVE-2020-13577 CVE-2020-13578 + - Fixes CVE: CVE-2020-13576 + * Urgency high due to fixing RC bug + + -- Mattias Ellert <mattias.ellert@physics.uu.se> Mon, 08 Mar 2021 14:06:23 +0100 + gsoap (2.8.104-2) unstable; urgency=medium * Re-upload source only diff -Nru gsoap-2.8.104/debian/control gsoap-2.8.104/debian/control --- gsoap-2.8.104/debian/control 2020-07-22 15:23:55.000000000 +0200 +++ gsoap-2.8.104/debian/control 2021-03-08 14:06:23.000000000 +0100 @@ -13,7 +13,7 @@ Build-Depends-Indep: doxygen, graphviz -Standards-Version: 4.5.0 +Standards-Version: 4.5.1 Section: devel Vcs-Browser: https://salsa.debian.org/ellert/gsoap Vcs-Git: https://salsa.debian.org/ellert/gsoap.git diff -Nru gsoap-2.8.104/debian/copyright gsoap-2.8.104/debian/copyright --- gsoap-2.8.104/debian/copyright 2020-07-22 15:23:55.000000000 +0200 +++ gsoap-2.8.104/debian/copyright 2021-03-08 14:06:23.000000000 +0100 @@ -171,7 +171,7 @@ Files: debian/* Copyright: 2003-2007, Thomas Wana <greuff@debian.org> - 2011-2020, Mattias Ellert <mattias.ellert@physics.uu.se> + 2011-2021, Mattias Ellert <mattias.ellert@physics.uu.se> License: GPL-2+ On Debian systems, the complete text of the GPL version 2 license can be found in '/usr/share/common-licenses/GPL-2'. diff -Nru gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch --- gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch 1970-01-01 01:00:00.000000000 +0100 +++ gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch 2021-03-08 11:28:34.000000000 +0100 
@@ -0,0 +1,336 @@ +diff -ur gsoap2-code-r191/gsoap/plugin/httpda.c gsoap2-code-r192/gsoap/plugin/httpda.c +--- gsoap2-code-r191/gsoap/plugin/httpda.c 2020-06-30 21:06:47.000000000 +0200 ++++ gsoap2-code-r192/gsoap/plugin/httpda.c 2020-11-19 19:29:25.000000000 +0100 +@@ -1460,7 +1460,7 @@ + MUTEX_LOCK(http_da_session_lock); + + for (session = http_da_session; session; session = session->next) +- if (!strcmp(session->realm, realm) && !strcmp(session->nonce, nonce) && !strcmp(session->opaque, opaque)) ++ if (session->realm && session->nonce && session->opaque && !strcmp(session->realm, realm) && !strcmp(session->nonce, nonce) && !strcmp(session->opaque, opaque)) + break; + + if (session) +diff -ur gsoap2-code-r191/gsoap/plugin/wsaapi.c gsoap2-code-r192/gsoap/plugin/wsaapi.c +--- gsoap2-code-r191/gsoap/plugin/wsaapi.c 2020-06-30 21:06:47.000000000 +0200 ++++ gsoap2-code-r192/gsoap/plugin/wsaapi.c 2020-11-19 19:29:25.000000000 +0100 +@@ -1056,7 +1056,7 @@ + oldheader->SOAP_WSA(FaultTo)->Address = oldheader->SOAP_WSA(ReplyTo)->Address; + } + /* use FaultTo */ +- if (oldheader && oldheader->SOAP_WSA(FaultTo) && !strcmp(oldheader->SOAP_WSA(FaultTo)->Address, soap_wsa_noneURI)) ++ if (oldheader && oldheader->SOAP_WSA(FaultTo) && oldheader->SOAP_WSA(FaultTo)->Address && !strcmp(oldheader->SOAP_WSA(FaultTo)->Address, soap_wsa_noneURI)) + return soap_send_empty_response(soap, SOAP_OK); /* HTTP ACCEPTED */ + soap->header = NULL; + /* allocate a new header */ +diff -ur gsoap2-code-r191/gsoap/plugin/wsseapi.c gsoap2-code-r192/gsoap/plugin/wsseapi.c +--- gsoap2-code-r191/gsoap/plugin/wsseapi.c 2020-10-16 23:01:09.000000000 +0200 ++++ gsoap2-code-r192/gsoap/plugin/wsseapi.c 2020-11-19 19:29:25.000000000 +0100 +@@ -2957,7 +2957,7 @@ + else + { + /* check password text */ +- if (!strcmp(token->Password->__item, password)) ++ if (token->Password->__item && !strcmp(token->Password->__item, password)) + return SOAP_OK; + } + } +@@ -3119,6 +3119,7 @@ + { + _wsse__BinarySecurityToken 
*token = soap_wsse_BinarySecurityToken(soap, id); + DBGFUN1("soap_wsse_get_BinarySecurityToken", "id=%s", id?id:""); ++ *data = NULL; + if (token) + { + *valueType = token->ValueType; +@@ -3149,9 +3150,9 @@ + X509 *cert = NULL; + char *valueType = NULL; + #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) +- const unsigned char *data; ++ const unsigned char *data = NULL; + #else +- unsigned char *data; ++ unsigned char *data = NULL; + #endif + int size; + DBGFUN1("soap_wsse_get_BinarySecurityTokenX509", "id=%s", id?id:""); +@@ -3271,7 +3272,7 @@ + SOAP_FMAC2 + soap_wsse_add_SecurityContextToken(struct soap *soap, const char *id, const char *identifier) + { +- char *URI; ++ char *URI = NULL; + size_t l; + _wsse__Security *security = soap_wsse_add_Security(soap); + DBGFUN2("soap_wsse_add_SecurityContextToken", "id=%s", id, "identifier=%s", identifier?identifier:""); +@@ -3653,7 +3654,7 @@ + { + ds__SignatureType *signature = soap_wsse_add_Signature(soap); + const char *method = NULL; +- char *sig; ++ char *sig = NULL; + int siglen; + int err; + const char *c14ninclude = soap->c14ninclude; +@@ -3884,10 +3885,10 @@ + && signature->SignedInfo + && signature->SignatureValue) + { +- char *sig; +- const char *sigval; ++ char *sig = NULL; ++ const char *sigval = NULL; + int method, bits, siglen, sigvallen; +- struct soap_dom_element *elt; ++ struct soap_dom_element *elt = NULL; + /* check that we are using the intended signature algorithm */ + if (soap_wsse_get_SignedInfo_SignatureMethod(soap, &method, &bits)) + return soap->error; +@@ -3944,8 +3945,8 @@ + for (att = prt->atts; att; att = att->next) + { + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "DOM attribute = %s\n", att->name)); +- if (!strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) +- soap_attribute(soap, att->name, att->text); ++ if (att->name && att->text && !strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) ++ (void)soap_attribute(soap, 
att->name, att->text); + } + } + /* push xmlns="..." */ +@@ -3953,9 +3954,9 @@ + { + for (att = prt->atts; att; att = att->next) + { +- if (!strcmp(att->name, "xmlns")) ++ if (att->name && att->text && !strcmp(att->name, "xmlns")) + { +- soap_attribute(soap, att->name, att->text); ++ (void)soap_attribute(soap, att->name, att->text); + prt = NULL; + break; + } +@@ -4239,17 +4240,17 @@ + for (att = prt->atts; att; att = att->next) + { + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "DOM attribute = %s\n", att->name)); +- if (!strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) +- soap_attribute(soap, att->name, att->text); ++ if (att->name && att->text && !strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) ++ (void)soap_attribute(soap, att->name, att->text); + } + } + for (prt = dom->prnt; prt; prt = prt->prnt) + { + for (att = prt->atts; att; att = att->next) + { +- if (!strcmp(att->name, "xmlns")) ++ if (att->name && att->text && !strcmp(att->name, "xmlns")) + { +- soap_attribute(soap, att->name, att->text); ++ (void)soap_attribute(soap, att->name, att->text); + prt = NULL; + break; + } +@@ -5090,7 +5091,7 @@ + if (elt) + { + att = soap_att_get(elt, NULL, "EncodingType"); +- if (att) ++ if (att && soap_att_get_text(att)) + keybase = !strcmp(soap_att_get_text(att), wsse_Base64BinaryURI); + att = soap_att_get(elt, NULL, "ValueType"); + keytype = soap_att_get_text(att); +@@ -5140,7 +5141,7 @@ + { + int keylen; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "Verify EncryptedKey %s alg=%x\n", keyalgo, data->deco_alg)); +- if (keydata) ++ if (keytype && keydata) + { + if (!strcmp(keytype, wsse_X509v3URI)) + { +@@ -6111,9 +6112,8 @@ + */ + static int soap_p_hash(struct soap *soap, const char *hmac_key, size_t hmac_key_len, const char *secret, size_t secretlen, int alg, char HA[], size_t HA_len, char temp[], char *phash, size_t phashlen) + { +- char *buffer; + size_t i; +- buffer = (char*)SOAP_MALLOC(soap, 
HA_len + secretlen); ++ char *buffer = (char*)SOAP_MALLOC(soap, HA_len + secretlen); + if (!buffer) + return soap->error = SOAP_EOM; + i = 0; +@@ -7351,7 +7351,7 @@ + soap_strcpy(URI + 1, l + 1, Id); + } + #endif +- if (!strcmp(tag, "SOAP-ENV:Body")) ++ if (tag && !strcmp(tag, "SOAP-ENV:Body")) + { + if (soap_element(soap, tag, id, type) + || soap_element_start_end_out(soap, NULL)) +@@ -7401,7 +7401,7 @@ + } + if (data && (!data->encid || soap_tagsearch(data->encid, tag))) + { +- if (!strcmp(tag, "SOAP-ENV:Body")) ++ if (tag && !strcmp(tag, "SOAP-ENV:Body")) + { + if (soap_wsse_encrypt_end(soap)) + return soap->error; +diff -ur gsoap2-code-r191/gsoap/plugin/wsseapi.cpp gsoap2-code-r192/gsoap/plugin/wsseapi.cpp +--- gsoap2-code-r191/gsoap/plugin/wsseapi.cpp 2020-10-16 23:01:09.000000000 +0200 ++++ gsoap2-code-r192/gsoap/plugin/wsseapi.cpp 2020-11-19 19:29:25.000000000 +0100 +@@ -2957,7 +2957,7 @@ + else + { + /* check password text */ +- if (!strcmp(token->Password->__item, password)) ++ if (token->Password->__item && !strcmp(token->Password->__item, password)) + return SOAP_OK; + } + } +@@ -3119,6 +3119,7 @@ + { + _wsse__BinarySecurityToken *token = soap_wsse_BinarySecurityToken(soap, id); + DBGFUN1("soap_wsse_get_BinarySecurityToken", "id=%s", id?id:""); ++ *data = NULL; + if (token) + { + *valueType = token->ValueType; +@@ -3149,9 +3150,9 @@ + X509 *cert = NULL; + char *valueType = NULL; + #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) +- const unsigned char *data; ++ const unsigned char *data = NULL; + #else +- unsigned char *data; ++ unsigned char *data = NULL; + #endif + int size; + DBGFUN1("soap_wsse_get_BinarySecurityTokenX509", "id=%s", id?id:""); +@@ -3271,7 +3272,7 @@ + SOAP_FMAC2 + soap_wsse_add_SecurityContextToken(struct soap *soap, const char *id, const char *identifier) + { +- char *URI; ++ char *URI = NULL; + size_t l; + _wsse__Security *security = soap_wsse_add_Security(soap); + DBGFUN2("soap_wsse_add_SecurityContextToken", "id=%s", id, 
"identifier=%s", identifier?identifier:""); +@@ -3653,7 +3654,7 @@ + { + ds__SignatureType *signature = soap_wsse_add_Signature(soap); + const char *method = NULL; +- char *sig; ++ char *sig = NULL; + int siglen; + int err; + const char *c14ninclude = soap->c14ninclude; +@@ -3884,10 +3885,10 @@ + && signature->SignedInfo + && signature->SignatureValue) + { +- char *sig; +- const char *sigval; ++ char *sig = NULL; ++ const char *sigval = NULL; + int method, bits, siglen, sigvallen; +- struct soap_dom_element *elt; ++ struct soap_dom_element *elt = NULL; + /* check that we are using the intended signature algorithm */ + if (soap_wsse_get_SignedInfo_SignatureMethod(soap, &method, &bits)) + return soap->error; +@@ -3944,8 +3945,8 @@ + for (att = prt->atts; att; att = att->next) + { + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "DOM attribute = %s\n", att->name)); +- if (!strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) +- soap_attribute(soap, att->name, att->text); ++ if (att->name && att->text && !strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) ++ (void)soap_attribute(soap, att->name, att->text); + } + } + /* push xmlns="..." 
*/ +@@ -3953,9 +3954,9 @@ + { + for (att = prt->atts; att; att = att->next) + { +- if (!strcmp(att->name, "xmlns")) ++ if (att->name && att->text && !strcmp(att->name, "xmlns")) + { +- soap_attribute(soap, att->name, att->text); ++ (void)soap_attribute(soap, att->name, att->text); + prt = NULL; + break; + } +@@ -4239,17 +4240,17 @@ + for (att = prt->atts; att; att = att->next) + { + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "DOM attribute = %s\n", att->name)); +- if (!strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) +- soap_attribute(soap, att->name, att->text); ++ if (att->name && att->text && !strncmp(att->name, "xmlns:", 6) && !soap_lookup_ns(soap, att->name + 6, strlen(att->name + 6))) ++ (void)soap_attribute(soap, att->name, att->text); + } + } + for (prt = dom->prnt; prt; prt = prt->prnt) + { + for (att = prt->atts; att; att = att->next) + { +- if (!strcmp(att->name, "xmlns")) ++ if (att->name && att->text && !strcmp(att->name, "xmlns")) + { +- soap_attribute(soap, att->name, att->text); ++ (void)soap_attribute(soap, att->name, att->text); + prt = NULL; + break; + } +@@ -5090,7 +5091,7 @@ + if (elt) + { + att = soap_att_get(elt, NULL, "EncodingType"); +- if (att) ++ if (att && soap_att_get_text(att)) + keybase = !strcmp(soap_att_get_text(att), wsse_Base64BinaryURI); + att = soap_att_get(elt, NULL, "ValueType"); + keytype = soap_att_get_text(att); +@@ -5140,7 +5141,7 @@ + { + int keylen; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "Verify EncryptedKey %s alg=%x\n", keyalgo, data->deco_alg)); +- if (keydata) ++ if (keytype && keydata) + { + if (!strcmp(keytype, wsse_X509v3URI)) + { +@@ -6111,9 +6112,8 @@ + */ + static int soap_p_hash(struct soap *soap, const char *hmac_key, size_t hmac_key_len, const char *secret, size_t secretlen, int alg, char HA[], size_t HA_len, char temp[], char *phash, size_t phashlen) + { +- char *buffer; + size_t i; +- buffer = (char*)SOAP_MALLOC(soap, HA_len + secretlen); ++ char *buffer = 
(char*)SOAP_MALLOC(soap, HA_len + secretlen); + if (!buffer) + return soap->error = SOAP_EOM; + i = 0; +@@ -7351,7 +7351,7 @@ + soap_strcpy(URI + 1, l + 1, Id); + } + #endif +- if (!strcmp(tag, "SOAP-ENV:Body")) ++ if (tag && !strcmp(tag, "SOAP-ENV:Body")) + { + if (soap_element(soap, tag, id, type) + || soap_element_start_end_out(soap, NULL)) +@@ -7401,7 +7401,7 @@ + } + if (data && (!data->encid || soap_tagsearch(data->encid, tag))) + { +- if (!strcmp(tag, "SOAP-ENV:Body")) ++ if (tag && !strcmp(tag, "SOAP-ENV:Body")) + { + if (soap_wsse_encrypt_end(soap)) + return soap->error; diff -Nru gsoap-2.8.104/debian/patches/gsoap-url-parse-hardening.patch gsoap-2.8.104/debian/patches/gsoap-url-parse-hardening.patch --- gsoap-2.8.104/debian/patches/gsoap-url-parse-hardening.patch 1970-01-01 01:00:00.000000000 +0100 +++ gsoap-2.8.104/debian/patches/gsoap-url-parse-hardening.patch 2021-03-08 13:16:01.000000000 +0100 
@@ -0,0 +1,36 @@ +diffdiff -ur gsoap2-code-r193/gsoap/samples/calc_vs2005/calc_vs2005/stdsoap2.cpp gsoap2-code-r194/gsoap/samples/calc_vs2005/calc_vs2005/stdsoap2.cpp +--- gsoap2-code-r193/gsoap/samples/calc_vs2005/calc_vs2005/stdsoap2.cpp 2021-01-17 20:13:51.000000000 +0100 ++++ gsoap2-code-r194/gsoap/samples/calc_vs2005/calc_vs2005/stdsoap2.cpp 2021-01-22 23:49:26.000000000 +0100 +@@ -21246,7 +21243,7 @@ + if (*s == ':') + { + s++; +- if (*s != '@') ++ if (*s != '@' && s < t) + { + l = t - s + 1; + r = r + strlen(r) + 1; +diff -ur gsoap2-code-r193/gsoap/stdsoap2.c gsoap2-code-r194/gsoap/stdsoap2.c +--- gsoap2-code-r193/gsoap/stdsoap2.c 2021-01-17 20:13:51.000000000 +0100 ++++ gsoap2-code-r194/gsoap/stdsoap2.c 2021-01-22 23:49:26.000000000 +0100 +@@ -21246,7 +21243,7 @@ + if (*s == ':') + { + s++; +- if (*s != '@') ++ if (*s != '@' && s < t) + { + l = t - s + 1; + r = r + strlen(r) + 1; +diff -ur gsoap2-code-r193/gsoap/stdsoap2.cpp gsoap2-code-r194/gsoap/stdsoap2.cpp +--- gsoap2-code-r193/gsoap/stdsoap2.cpp 2021-01-17 20:13:51.000000000 +0100 ++++ gsoap2-code-r194/gsoap/stdsoap2.cpp 2021-01-22 23:49:26.000000000 +0100 +@@ -21246,7 +21243,7 @@ + if (*s == ':') + { + s++; +- if (*s != '@') ++ if (*s != '@' && s < t) + { + l = t - s + 1; + r = r + strlen(r) + 1; diff -Nru gsoap-2.8.104/debian/patches/gsoap-wsse.patch gsoap-2.8.104/debian/patches/gsoap-wsse.patch --- gsoap-2.8.104/debian/patches/gsoap-wsse.patch 1970-01-01 01:00:00.000000000 +0100 +++ gsoap-2.8.104/debian/patches/gsoap-wsse.patch 2021-03-08 13:43:18.000000000 +0100 
@@ -0,0 +1,94 @@ +diff -ur gsoap2-code-r187/gsoap/plugin/wsseapi.c gsoap2-code-r188/gsoap/plugin/wsseapi.c +--- gsoap2-code-r187/gsoap/plugin/wsseapi.c 2020-06-30 21:06:47.000000000 +0200 ++++ gsoap2-code-r188/gsoap/plugin/wsseapi.c 2020-07-22 22:20:04.000000000 +0200 +@@ -3956,9 +3956,12 @@ + if (!strcmp(att->name, "xmlns")) + { + soap_attribute(soap, att->name, att->text); ++ prt = NULL; + break; + } + } ++ if (!prt) ++ break; + } + } + else +@@ -4247,9 +4250,12 @@ + if (!strcmp(att->name, "xmlns")) + { + soap_attribute(soap, att->name, att->text); ++ prt = NULL; + break; + } + } ++ if (!prt) ++ break; + } + } + else +@@ -4984,7 +4990,7 @@ + if (soap_tagsearch(data->encid, "ds:Signature")) + { + /* support ds:Signature encryption only with HTTP chunking, otherwise content length is incorrect */ +- if ((soap->omode & SOAP_IO) == SOAP_IO_BUFFER) ++ if ((soap->omode & SOAP_IO) == SOAP_IO_BUFFER || (soap->omode & SOAP_IO) == SOAP_IO_FLUSH) + soap->omode = (soap->omode & ~SOAP_IO) | SOAP_IO_CHUNK; + } + } +@@ -7573,6 +7579,8 @@ + soap->c14ninclude = NULL; /* but do not render inclusive namespaces */ + if ((soap->mode & SOAP_XML_INDENT)) + soap->count += 5; /* correction for soap->ns = 0: add \n+indent */ ++ if ((soap->mode & SOAP_XML_DEFAULTNS)) ++ soap->count -= 2*(9 + strlen(ds_URI)); /* correct for xmlns="http://www.w3.org/2000/09/xmldsig#" added to SignedInfo and ds:SignatureValue */ + } + soap_out_ds__SignedInfoType(soap, "ds:SignedInfo", 0, signature->SignedInfo, NULL); + soap_out__ds__SignatureValue(soap, "ds:SignatureValue", 0, &signature->SignatureValue, NULL); +diff -ur gsoap2-code-r187/gsoap/plugin/wsseapi.cpp gsoap2-code-r188/gsoap/plugin/wsseapi.cpp +--- gsoap2-code-r187/gsoap/plugin/wsseapi.cpp 2020-06-30 21:06:47.000000000 +0200 ++++ gsoap2-code-r188/gsoap/plugin/wsseapi.cpp 2020-07-22 22:20:04.000000000 +0200 +@@ -3956,9 +3956,12 @@ + if (!strcmp(att->name, "xmlns")) + { + soap_attribute(soap, att->name, att->text); ++ prt = NULL; + break; + } + } ++ 
if (!prt) ++ break; + } + } + else +@@ -4247,9 +4250,12 @@ + if (!strcmp(att->name, "xmlns")) + { + soap_attribute(soap, att->name, att->text); ++ prt = NULL; + break; + } + } ++ if (!prt) ++ break; + } + } + else +@@ -4984,7 +4990,7 @@ + if (soap_tagsearch(data->encid, "ds:Signature")) + { + /* support ds:Signature encryption only with HTTP chunking, otherwise content length is incorrect */ +- if ((soap->omode & SOAP_IO) == SOAP_IO_BUFFER) ++ if ((soap->omode & SOAP_IO) == SOAP_IO_BUFFER || (soap->omode & SOAP_IO) == SOAP_IO_FLUSH) + soap->omode = (soap->omode & ~SOAP_IO) | SOAP_IO_CHUNK; + } + } +@@ -7573,6 +7579,8 @@ + soap->c14ninclude = NULL; /* but do not render inclusive namespaces */ + if ((soap->mode & SOAP_XML_INDENT)) + soap->count += 5; /* correction for soap->ns = 0: add \n+indent */ ++ if ((soap->mode & SOAP_XML_DEFAULTNS)) ++ soap->count -= 2*(9 + strlen(ds_URI)); /* correct for xmlns="http://www.w3.org/2000/09/xmldsig#" added to SignedInfo and ds:SignatureValue */ + } + soap_out_ds__SignedInfoType(soap, "ds:SignedInfo", 0, signature->SignedInfo, NULL); + soap_out__ds__SignatureValue(soap, "ds:SignatureValue", 0, &signature->SignatureValue, NULL); diff -Nru gsoap-2.8.104/debian/patches/series gsoap-2.8.104/debian/patches/series --- gsoap-2.8.104/debian/patches/series 2020-07-22 15:23:55.000000000 +0200 +++ gsoap-2.8.104/debian/patches/series 2021-03-08 14:06:23.000000000 +0100 @@ -10,3 +10,15 @@ # The custom tabs css does not work with newer doxygen - use default version gsoap-doxygen-tabs.patch + +# Backport from gsoap 2.8.105 +# Included so that the following security fix applies cleanly +gsoap-wsse.patch + +# Backport from gsoap 2.8.109 +# Fixes CVE: CVE-2020-13574 CVE-2020-13575 CVE-2020-13577 CVE-2020-13578 +gsoap-plugins-hardening.patch + +# Backport from gsoap 2.8.111 +# Fixes CVE: CVE-2020-13576 +gsoap-url-parse-hardening.patch
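
Review bot: the 2.8.104-3 entry in debian/changelog leaves out two things this debdiff changes: the Standards-Version bump from 4.5.0 to 4.5.1 in debian/control, and the gsoap-wsse.patch backport from 2.8.105 that debian/patches/series adds so that the security fix applies cleanly. Listing both in the changelog, or dropping the Standards-Version bump since it is unrelated to the CVE fixes, would make the entry match the diff under review for the unblock.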
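
Review bot: the httpda.c hunk at 1460 in gsoap-plugins-hardening.patch null-checks session->realm, session->nonce and session->opaque, but the right-hand arguments realm, nonce and opaque still go into strcmp() unchecked in the lines shown. The same pattern appears in the wsseapi hunk at 7401, where tag is passed to soap_tagsearch(data->encid, tag) one line before the new "tag &&" test. If the callers guarantee these are non-NULL, a comment saying so would help; otherwise the guards should cover them as well.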
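
Review bot: in the wsseapi.c and wsseapi.cpp hunks at 3149 and 3884 of gsoap-plugins-hardening.patch the pointers now start as NULL, but "int size;" and "int method, bits, siglen, sigvallen;" on the neighbouring lines are still declared without a value, and the getter hunk at 3119 resets only *data on entry. Initializing the length variables to 0 alongside the pointers, and resetting *valueType next to "*data = NULL;", would keep a NULL buffer from being paired with an indeterminate length on the no-token path.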
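
Review bot: in the wsseapi.c and wsseapi.cpp hunks at 3944 and 4239 of gsoap-plugins-hardening.patch, the DBGLOG line still formats att->name with %s before the new "att->name && att->text" test, so a debug build hands the formatter the same NULL pointer the test guards against. Moving the DBGLOG inside the guarded branch, or logging a fallback string when att->name is NULL, would close that gap. The added (void) cast on soap_attribute() also makes the discarded return value explicit; if that call can fail, the failure should be reported rather than dropped.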
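
Review bot: in all three copies of the stdsoap2 hunk in gsoap-url-parse-hardening.patch the new bound is tested after the dereference, (*s != '@' && s < t), so *s is read before s is known to be below t. Writing the condition as (s < t && *s != '@') puts the range check first at no cost. The first line of that patch file also reads "diffdiff -ur", which looks like a paste error; patch(1) skips it as leading text, but fixing it would make the header match the other two patches.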
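
Review bot: the count correction added at 7573 in gsoap-wsse.patch, soap->count -= 2*(9 + strlen(ds_URI)), carries a bare 9 and subtracts without any check in the lines shown that soap->count is at least that large. The trailing comment names the xmlns="..." attribute but not how the 9 is counted (presumably the leading space plus xmlns="" around the URI); a named constant or a fuller comment, plus a note on why the count cannot go below the subtracted amount when SOAP_XML_DEFAULTNS is set, would make the arithmetic reviewable.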