Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
Control: tags -1 + pending On Sat, 2017-09-23 at 18:24 +0100, Jonathan Wiltshire wrote: > Control: tag -1 confirmed > > On Fri, Aug 18, 2017 at 11:35:09AM +0200, Mattias Ellert wrote: [...] > > diff -Nru gsoap-2.8.35/debian/changelog gsoap- > > 2.8.35/debian/changelog > > --- gsoap-2.8.35/debian/changelog 2016-12-06 > > 09:32:36.0 +0100 > > +++ gsoap-2.8.35/debian/changelog 2017-08-16 > > 11:58:11.0 +0200 > > @@ -1,3 +1,9 @@ > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > > + > > + * Fix for CVE-2017-9765 > > + > > + -- Mattias EllertWed, 16 Aug > > 2017 11:58:11 +0200 > > Please go ahead, but a little more detail in your changelog (what is > CVE-2017-9765 and what changed to fix it?) is always appreciated. > Uploaded and flagged for acceptance. Regards, Adam
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
Hi Jonathan, On Sat, Sep 23, 2017 at 06:24:49PM +0100, Jonathan Wiltshire wrote: > Control: tag -1 confirmed > > On Fri, Aug 18, 2017 at 11:35:09AM +0200, Mattias Ellert wrote: > > fre 2017-08-18 klockan 08:46 +0100 skrev Adam D. Barratt: > > > On 2017-08-18 8:01, Mattias Ellert wrote: > > > > tor 2017-08-17 klockan 21:59 +0100 skrev Adam D. Barratt: > > > > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote: > > > > > > Hi, > > > > > > > > > > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote: > > > > > > > > > > [...] > > > > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > > > > > > > + > > > > > > > + * Fix for CVE-2017-9765 (Closes: ) > > > > > > [...] > > > > > Is there actually a Debian bug for the issue? I couldn't find one. > > I've been trying to unpick exactly whether this issue is fixed in unstable > or not. I can only assume so since the security tracker claims it so > (https://security-tracker.debian.org/tracker/CVE-2017-9765) but your > changelog for 2.8.49-1 doesn't mention the CVE. I presume the CVE wasn't > yet public before you fixed it? Yes, the issue was fixed upstream in 2.8.48, cf. https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017). The CVE is not mentioned in upstream changelog, and presumably was as well only assigned later. Regards, Salvatore
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
Control: tag -1 confirmed On Fri, Aug 18, 2017 at 11:35:09AM +0200, Mattias Ellert wrote: > fre 2017-08-18 klockan 08:46 +0100 skrev Adam D. Barratt: > > On 2017-08-18 8:01, Mattias Ellert wrote: > > > tor 2017-08-17 klockan 21:59 +0100 skrev Adam D. Barratt: > > > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote: > > > > > Hi, > > > > > > > > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote: > > > > > > > > [...] > > > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > > > > > > + > > > > > > + * Fix for CVE-2017-9765 (Closes: ) > > > > [...] > > > > Is there actually a Debian bug for the issue? I couldn't find one. I've been trying to unpick exactly whether this issue is fixed in unstable or not. I can only assume so since the security tracker claims it so (https://security-tracker.debian.org/tracker/CVE-2017-9765) but your changelog for 2.8.49-1 doesn't mention the CVE. I presume the CVE wasn't yet public before you fixed it? This is why a tracking bug against the package, even after the event, is helpful when someone who has no other connection with the package gets a request to look into it. (Incidentally the fixed versions on #859932 confused me until I realised that you're including previous uploads in your changes every time you upload. You really needn't do that, it just ends up generating lies in the version tracking.) > diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog > --- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.0 +0100 > +++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200 
> @@ -1,3 +1,9 @@ > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > + > + * Fix for CVE-2017-9765 > + > + -- Mattias EllertWed, 16 Aug 2017 11:58:11 > +0200 Please go ahead, but a little more detail in your changelog (what is CVE-2017-9765 and what changed to fix it?) is always appreciated. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
On 2017-08-18 10:35, Mattias Ellert wrote:
> I am sorry to have upset you,

I'm not upset, just confused. Mostly as to why one would default to assuming that an upload to stable is /technically/ a fundamentally different beast to an upload to unstable or experimental.

> but to me it was obvious the bug should be closed by the update,

The release.debian.org bug is tracking a process. That process is complete when your fixed package is in {,old}stable, not simply because you uploaded.

> and the instruction did not say it should not be. Maybe you could add a sentence stating this in the instructions.

Which instructions? https://lists.debian.org/debian-devel-announce/2016/11/msg9.html is the most recent and closest I can think of. While that doesn't explicitly say not to close the release.d.o bug in your upload, it also aims to give positive pointers so the fact that it doesn't say to do so implies that you should not.

(The Dev Ref section on stable doesn't specify anything at all in terms of how the package should be structured afaics, so again I'd have assumed that the default was to use the changelog as usual.)

Regards,

Adam
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
fre 2017-08-18 klockan 08:46 +0100 skrev Adam D. Barratt: > On 2017-08-18 8:01, Mattias Ellert wrote: > > tor 2017-08-17 klockan 21:59 +0100 skrev Adam D. Barratt: > > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote: > > > > Hi, > > > > > > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote: > > > > > > [...] > > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > > > > > + > > > > > + * Fix for CVE-2017-9765 (Closes: ) > > [...] > > > Is there actually a Debian bug for the issue? I couldn't find one. > > [...] > > I don't understand the last comment here. > > Apparently not. > > > Of course there is a bug - it is this one. > > > > The reason the debdiff in the request says "Closes: ", is a > > chicken-and-egg problem. You are supposed to attach the debdiff to the > > request, but before you make the request its BTS number does not yet > > exist - so you can't include it in the attachment at creation time. > > After I got the confirmation back with the number I updated the > > changelog with the bug number. > > *NO*. There is no chicken and egg problem here at all. > > The bug number you would close in the changelog relates to a bug filed > _against gsoap_, the same as it would for any other upload. You should > never be closing bugs filed against release.debian.org in an upload of > your package. You're fixing a bug in your package, the release.d.o bug > is a means of tracking that, not a thing fixed in the upload. > > If there is no bug filed against gsoap that relates to the issue, then > there should be no bug closed in the changelog. > > Regards, > > Adam Closes statement removed as requested. I am sorry to have upset you, but to me it was obvious the bug should be closed by the update, and the instruction did not say it should not be. Maybe you could add a sentence stating this in the instructions.
Mattias diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog --- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.0 +0100 +++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200 @@ -1,3 +1,9 @@ +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium + + * Fix for CVE-2017-9765 + + -- Mattias EllertWed, 16 Aug 2017 11:58:11 +0200 + gsoap (2.8.35-4) unstable; urgency=medium * Rebuild for OpenSSL 1.1.0 diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch --- gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch 2017-08-16 11:54:02.0 +0200 
@@ -0,0 +1,54 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +--- gsoap-2.8.orig/gsoap/stdsoap2.c 2016-04-03 03:33:31.0 +0200 gsoap-2.8/gsoap/stdsoap2.c 2017-08-01 14:51:44.141083499 +0200 +@@ -1711,17 +1711,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + char *s = buf; +- int i = sizeof(buf); +- soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ size_t i = sizeof(buf); ++ soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp +--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2016-04-03 03:33:31.0 +0200 gsoap-2.8/gsoap/stdsoap2.cpp 2017-08-01 14:51:44.143083498 +0200 +@@ -1711,17 +1711,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + char *s = buf; +- int i = sizeof(buf); +- soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ size_t i = sizeof(buf); ++ soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series --- gsoap-2.8.35/debian/patches/series 2016-09-26 14:49:01.0 +0200 +++ 
gsoap-2.8.35/debian/patches/series 2017-08-16 11:57:36.0 +0200 @@ -10,3 +10,6 @@ # Backport fix from upstream gsoap-backport.patch + +# CVE-2017-9765 +gsoap-CVE-2017-9765.patch signature.asc
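Review bot: the changelog entry in the debian/changelog hunk, `* Fix for CVE-2017-9765`, still says nothing about what the issue is or what changed, which is exactly what the release team asked for in this thread. The accompanying patch is in the same debdiff, so the entry can state it directly, e.g. `* Fix CVE-2017-9765: keep the byte counter in soap_get_pi() from wrapping so that an overlong XML processing instruction can no longer write past the 64-byte buffer (stdsoap2.c, stdsoap2.cpp)`. A stable-update changelog is what users read when deciding whether to install the update, so one line naming the CVE alone is not enough.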
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
On 2017-08-18 8:01, Mattias Ellert wrote: tor 2017-08-17 klockan 21:59 +0100 skrev Adam D. Barratt: On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote: > Hi, > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote: [...] > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > > + > > + * Fix for CVE-2017-9765 (Closes: ) [...] Is there actually a Debian bug for the issue? I couldn't find one. [...] I don't understand the last comment here. Apparently not. Of course there is a bug - it is this one. The reason the debdiff in the request says "Closes: ", is a chicken-and-egg problem. You are supposed to attach the debdiff to the request, but before you make the request its BTS number does not yet exist - so you can't include it in the attachment at creation time. After I got the confirmation back with the number I updated the changelog with the bug number. *NO*. There is no chicken and egg problem here at all. The bug number you would close in the changelog relates to a bug filed _against gsoap_, the same as it would for any other upload. You should never be closing bugs filed against release.debian.org in an upload of your package. You're fixing a bug in your package, the release.d.o bug is a means of tracking that, not a thing fixed in the upload. If there is no bug filed against gsoap that relates to the issue, then there should be no bug closed in the changelog. Regards, Adam
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
Hi, On Fri Aug 18, 2017 at 09:01:04 +0200, Mattias Ellert wrote: > tor 2017-08-17 klockan 21:59 +0100 skrev Adam D. Barratt: > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote: > > > Hi, > > > > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote: > > > > [...] > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > > > > + > > > > + * Fix for CVE-2017-9765 (Closes: ) > > > > + > > > > + -- Mattias EllertWed, 16 Aug 2017 > > > > 11:58:11 +0200 > > > > + > > > > gsoap (2.8.35-4) unstable; urgency=medium > > > > > > once this changelog has a proper Closes line with bug-number this patch > > > looks sane to me. > > > > Is there actually a Debian bug for the issue? I couldn't find one. > > > > Regards, > > > > Adam > > > > Hi! > > I don't understand the last comment here. > Of course there is a bug - it is this one. > > The reason the debdiff in the request says "Closes: ", is a > chicken-and-egg problem. You are supposed to attach the debdiff to the > request, but before you make the request its BTS number does not yet > exist - so you can't include it in the attachment at creation time. > After I got the confirmation back with the number I updated the > changelog with the bug number. No, this is the bug report for the p-u upload. What the release team is looking for is a (RC) bug assigned to the package, that describes the real issue, linking the CVEs, ... Cheers, Martin -- Martin Zobel-Helas Debian System Administrator Debian & GNU/Linux Developer Debian Listmaster http://about.me/zobel Debian Webmaster GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
tor 2017-08-17 klockan 21:59 +0100 skrev Adam D. Barratt: > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote: > > Hi, > > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote: > > [...] > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > > > + > > > + * Fix for CVE-2017-9765 (Closes: ) > > > + > > > + -- Mattias EllertWed, 16 Aug 2017 > > > 11:58:11 +0200 > > > + > > > gsoap (2.8.35-4) unstable; urgency=medium > > > > once this changelog has a proper Closes line with bug-number this patch > > looks sane to me. > > Is there actually a Debian bug for the issue? I couldn't find one. > > Regards, > > Adam > Hi! I don't understand the last comment here. Of course there is a bug - it is this one. The reason the debdiff in the request says "Closes: ", is a chicken-and-egg problem. You are supposed to attach the debdiff to the request, but before you make the request its BTS number does not yet exist - so you can't include it in the attachment at creation time. After I got the confirmation back with the number I updated the changelog with the bug number. Mattias
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote: > Hi, > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote: [...] > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > > + > > + * Fix for CVE-2017-9765 (Closes: ) > > + > > + -- Mattias EllertWed, 16 Aug 2017 > > 11:58:11 +0200 > > + > > gsoap (2.8.35-4) unstable; urgency=medium > > once this changelog has a proper Closes line with bug-number this patch > looks sane to me. Is there actually a Debian bug for the issue? I couldn't find one. Regards, Adam
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
Hi, On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote: > Package: release.debian.org > Severity: normal > Tags: stretch > User: release.debian@packages.debian.org > Usertags: pu > > This is a proposal to fix CVE-2017-9765 in stretch. > debdiff is attached. > > Mattias Ellert > diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog > --- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.0 +0100 > +++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200 > @@ -1,3 +1,9 @@ > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > + > + * Fix for CVE-2017-9765 (Closes: ) > + > + -- Mattias EllertWed, 16 Aug 2017 11:58:11 > +0200 > + > gsoap (2.8.35-4) unstable; urgency=medium once this changelog has a proper Closes line with bug-number this patch looks sane to me. Cheers, Martin (former stable release manager) -- Martin Zobel-Helas Debian System Administrator Debian & GNU/Linux Developer Debian Listmaster http://about.me/zobel Debian Webmaster GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu This is a proposal to fix CVE-2017-9765 in stretch. debdiff is attached. Mattias Ellert diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog --- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.0 +0100 +++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200 @@ -1,3 +1,9 @@ +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium + + * Fix for CVE-2017-9765 (Closes: ) + + -- Mattias EllertWed, 16 Aug 2017 11:58:11 +0200 + gsoap (2.8.35-4) unstable; urgency=medium * Rebuild for OpenSSL 1.1.0 diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch --- gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch 2017-08-16 11:54:02.0 +0200 
@@ -0,0 +1,54 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +--- gsoap-2.8.orig/gsoap/stdsoap2.c 2016-04-03 03:33:31.0 +0200 gsoap-2.8/gsoap/stdsoap2.c 2017-08-01 14:51:44.141083499 +0200 +@@ -1711,17 +1711,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + char *s = buf; +- int i = sizeof(buf); +- soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ size_t i = sizeof(buf); ++ soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp +--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2016-04-03 03:33:31.0 +0200 gsoap-2.8/gsoap/stdsoap2.cpp 2017-08-01 14:51:44.143083498 +0200 +@@ -1711,17 +1711,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + char *s = buf; +- int i = sizeof(buf); +- soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ size_t i = sizeof(buf); ++ soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series --- gsoap-2.8.35/debian/patches/series 2016-09-26 14:49:01.0 +0200 +++ 
gsoap-2.8.35/debian/patches/series 2017-08-16 11:57:36.0 +0200 @@ -10,3 +10,6 @@ # Backport fix from upstream gsoap-backport.patch + +# CVE-2017-9765 +gsoap-CVE-2017-9765.patch signature.asc Description: This is a digitally signed message part
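Review bot: `(Closes: )` in the debian/changelog hunk is empty, so it closes nothing; either reference a bug filed against gsoap itself or drop the clause, because the release.debian.org request this debdiff is attached to is a tracking bug for the stable-update process, not something the upload fixes. The entry should also say what CVE-2017-9765 is and how it is fixed rather than only naming it, since the changelog is what users of the stable update will read.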
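Review bot: the new debian/patches/gsoap-CVE-2017-9765.patch starts directly with `diff -ur` and carries no DEP-3 header, so the package records neither where the fix came from nor which CVE it addresses; add at least a `Description:` and an `Origin:` line referencing CVE-2017-9765 and the upstream fix above the first hunk. The code change itself looks right: in the old loop `int i` is decremented by `--i > 0` on every character regardless of whether anything was stored, so a processing instruction far longer than `buf[64]` keeps driving the signed counter below zero until it wraps, after which `*s++ = (char)c` resumes writing beyond `buf`; the replacement uses `size_t i`, tests `if (i > 1)` before storing, and decrements only inside that branch, so the counter stops at 1 and at most 63 bytes plus the terminating `'\0'` ever land in `buf`. Excess characters are silently discarded rather than rejected, which is acceptable here because `buf` is only used to inspect the encoding declaration (per the new comment) and for the `DBGLOG` line. Applying the identical change to both stdsoap2.c and stdsoap2.cpp is correct, since both files carry the same `soap_get_pi` function.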