Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2

2019-02-18 Thread Chris Lamb 
[Adding 922...@bugs.debian.org to CC for completeness / BTS archive]

Chris Lamb wrote:

> > So using the ssize_t version that preserves the sizes of the arguments
> > and return type of the function is the safer choice, regardless of
> > upstream's claim that the function is private.
> 
> Upstream have not replied so I will upload and release the ssize_t
> version shortly.

I've gone ahead and done this as DLA 1681-1, the only change being:

  - gsoap (2.8.17-1+deb8u2) jessie; urgency=medium
  + gsoap (2.8.17-1+deb8u2) jessie-security; urgency=high

Thanks for your help, Mattias.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-

Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2

2019-02-15 Thread Mattias Ellert 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2019-7659 in jessie.

The update also addresses one additional advisory published by the
upstream developers.

debdiff is attached.

gsoap (2.8.17-1+deb8u2) jessie; urgency=medium

  * Fix for CVE-2019-7659
Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
denial of service (application abort) or possibly have unspecified other
impact if a server application is built with the -DWITH_COOKIES flag. This
affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
libraries, as these are built with that flag.
  * Fix issue with DIME protocol receiver and malformed DIME headers
This patch addresses a critical issue with the DIME protocol receiver that
may cause the receiver to become unresponsive when a malformed DIME
protocol message is received. -- https://www.genivia.com/advisory.html

Mattias Ellert

diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
--- gsoap-2.8.17/debian/changelog	2017-08-16 11:30:40.0 +0200
+++ gsoap-2.8.17/debian/changelog	2019-02-14 16:59:28.0 +0100
@@ -1,3 +1,18 @@
+gsoap (2.8.17-1+deb8u2) jessie; urgency=medium
+
+  * Fix for CVE-2019-7659
+Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
+denial of service (application abort) or possibly have unspecified other
+impact if a server application is built with the -DWITH_COOKIES flag. This
+affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
+libraries, as these are built with that flag.
+  * Fix issue with DIME protocol receiver and malformed DIME headers
+This patch addresses a critical issue with the DIME protocol receiver that
+may cause the receiver to become unresponsive when a malformed DIME
+protocol message is received. -- https://www.genivia.com/advisory.html
+
+ -- Mattias Ellert   Thu, 14 Feb 2019 16:59:28 +0100
+
 gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
 
   * Fix for CVE-2017-9765
diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch
--- gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch	2019-02-14 11:32:59.0 +0100
@@ -0,0 +1,50 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c	2019-01-18 15:22:36.285318129 +0100
 gsoap-2.8/gsoap/stdsoap2.c	2019-01-18 15:26:44.648630944 +0100
+@@ -6199,11 +6199,12 @@
+ /**/
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++int
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, int len)
+ { register int c;
+-  register size_t n = len;
++  register int n = len;
++  if (n <= 0) return 0;
+   while ((c = *s++) && --n > 0)
+   { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+   *t++ = c;
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp	2019-01-18 15:22:36.353317393 +0100
 gsoap-2.8/gsoap/stdsoap2.cpp	2019-01-18 15:26:44.648630944 +0100
+@@ -6199,11 +6199,12 @@
+ /**/
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++int
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, int len)
+ { register int c;
+-  register size_t n = len;
++  register int n = len;
++  if (n <= 0) return 0;
+   while ((c = *s++) && --n > 0)
+   { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+   *t++ = c;
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.h gsoap-2.8/gsoap/stdsoap2.h
+--- gsoap-2.8.orig/gsoap/stdsoap2.h	2019-01-18 15:22:36.256318443 +0100
 gsoap-2.8/gsoap/stdsoap2.h	2019-01-18 15:25:20.408542687 +0100
+@@ -2747,7 +2747,7 @@
+ SOAP_FMAC1 void SOAP_FMAC2 soap_clr_attr(struct soap *soap);
+ 
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_url(struct soap *soap, const char*, const char*);
+-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t);
++SOAP_FMAC1 int SOAP_FMAC2 soap_encode_url(const char*, char*, int);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*);
+ #ifdef WITH_COOKIES
+ SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val);
diff -Nru gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch
--- gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch	2019-02-14 11:33:00.0 +0100
@@ -0,0 +1,22 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c