Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-10-08 Thread Adam D. Barratt
Control: tags -1 + pending

On Thu, 2017-08-17 at 16:38 +0200, Mattias Ellert wrote:
> This is a proposal to fix CVE-2017-9765 in jessie.
> 

Flagged for acceptance.

Regards,

Adam



Processed: Re: Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-10-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #872442 [release.debian.org] jessie-pu: package gsoap/2.8.17-1+deb8u1
Added tag(s) pending.

-- 
872442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-27 Thread Adam D. Barratt
On Thu, 2017-08-24 at 20:11 +0200, Martin Zobel-Helas wrote:
> Hi, 
> 
> On Thu Aug 24, 2017 at 15:51:30 +0200, Mattias Ellert wrote:
> > > Fri 2017-08-18 at 13:47 +0200, Mattias Ellert wrote:
> > > 
> > > > No. You want to open a bug report against your own package, saying that
> > > > there is a security bug, and you want to refer to that in the Closes
> > > > statement.
> > > > 
> > > 
> > > This contradicts what Adam said in bug #872441:
> > > 
> > > > If there is no bug filed against gsoap that relates to the issue, then 
> > > > there should be no bug closed in the changelog.
> > > 
> > > Can you resolve your differences?
> > > 
> > >   Mattias
> > 
> > Hi again.
> > 
> > Is there a resolution to this? Is a Closes statement mandatory or not?
> 
> Adam has the last word on this. If he says it is okay, that is fine with
> me.

In general, it's helpful for there to be an easily referenceable source
for details of any issues being resolved in an upload, and for bugs
being addressed in stable it is useful to be able to quickly verify
whether the issue has already been resolved in unstable.

In the case of an upload addressing one or more CVEs, the Debian
Security Tracker already contains the information required in order to
verify that unstable has already been fixed, so a new bug does not need
to be filed - in most cases, there will be a bug anyway, as the Security
Team will have filed one.

Regards,

Adam



Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-24 Thread Martin Zobel-Helas
Hi, 

On Thu Aug 24, 2017 at 15:51:30 +0200, Mattias Ellert wrote:
> Fri 2017-08-18 at 13:47 +0200, Mattias Ellert wrote:
> > 
> > > No. You want to open a bug report against your own package, saying that
> > > there is a security bug, and you want to refer to that in the Closes
> > > statement.
> > > 
> > 
> > This contradicts what Adam said in bug #872441:
> > 
> > > If there is no bug filed against gsoap that relates to the issue, then 
> > > there should be no bug closed in the changelog.
> > 
> > Can you resolve your differences?
> > 
> > Mattias
> 
> Hi again.
> 
> Is there a resolution to this? Is a Closes statement mandatory or not?

Adam has the last word on this. If he says it is okay, that is fine with
me.

Cheers,
Martin
-- 
 Martin Zobel-Helas Debian System Administrator
 Debian & GNU/Linux Developer   Debian Listmaster
 http://about.me/zobel   Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B 



Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-24 Thread Mattias Ellert
Fri 2017-08-18 at 13:47 +0200, Mattias Ellert wrote:
> 
> > No. You want to open a bug report against your own package, saying that
> > there is a security bug, and you want to refer to that in the Closes
> > statement.
> > 
> 
> This contradicts what Adam said in bug #872441:
> 
> > If there is no bug filed against gsoap that relates to the issue, then 
> > there should be no bug closed in the changelog.
> 
> Can you resolve your differences?
> 
>   Mattias

Hi again.

Is there a resolution to this? Is a Closes statement mandatory or not?

Mattias




Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-18 Thread Mattias Ellert
Fri 2017-08-18 at 13:08 +0200, Martin Zobel-Helas wrote:
> Hi, 
> 
> On Fri Aug 18, 2017 at 11:35:21 +0200, Mattias Ellert wrote:
> > Thu 2017-08-17 at 20:21 +0200, Martin Zobel-Helas wrote:
> > > Hi, 
> > > 
> > > On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote:
> > > > Package: release.debian.org
> > > > Severity: normal
> > > > Tags: jessie
> > > > User: release.debian@packages.debian.org
> > > > Usertags: pu
> > > > 
> > > > This is a proposal to fix CVE-2017-9765 in jessie.
> > > > debdiff is attached.
> > > > 
> > > > Mattias Ellert
> > > > diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
> > > > --- gsoap-2.8.17/debian/changelog   2014-07-11 13:45:59.0 
> > > > +0200
> > > > +++ gsoap-2.8.17/debian/changelog   2017-08-16 11:30:40.0 
> > > > +0200
> > > > @@ -1,3 +1,9 @@
> > > > +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
> > > > +
> > > > +  * Fix for CVE-2017-9765 (Closes: )
> > > > +
> > > > + -- Mattias Ellert   Wed, 16 Aug 2017 
> > > > 11:30:40 +0200
> > > > +
> > > >  gsoap (2.8.17-1) unstable; urgency=medium
> > > 
> > > Once this changelog has a proper Closes line with a bug number, this patch
> > > looks sane to me.
> > > 
> > > Cheers,
> > > Martin
> > > (former stable release manager)
> > > 
> > 
> > Closes statement removed as requested.
> > See bug #872441 for the discussion.
> 
> No. You want to open a bug report against your own package, saying that
> there is a security bug, and you want to refer to that in the Closes
> statement.
> 

This contradicts what Adam said in bug #872441:

> If there is no bug filed against gsoap that relates to the issue, then 
> there should be no bug closed in the changelog.

Can you resolve your differences?

Mattias




Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-18 Thread Martin Zobel-Helas
Hi, 

On Fri Aug 18, 2017 at 11:35:21 +0200, Mattias Ellert wrote:
> Thu 2017-08-17 at 20:21 +0200, Martin Zobel-Helas wrote:
> > Hi, 
> > 
> > On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: jessie
> > > User: release.debian@packages.debian.org
> > > Usertags: pu
> > > 
> > > This is a proposal to fix CVE-2017-9765 in jessie.
> > > debdiff is attached.
> > > 
> > > Mattias Ellert
> > > diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
> > > --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.0 +0200
> > > +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200
> > > @@ -1,3 +1,9 @@
> > > +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
> > > +
> > > +  * Fix for CVE-2017-9765 (Closes: )
> > > +
> > > + -- Mattias Ellert   Wed, 16 Aug 2017 
> > > 11:30:40 +0200
> > > +
> > >  gsoap (2.8.17-1) unstable; urgency=medium
> > 
> > Once this changelog has a proper Closes line with a bug number, this patch
> > looks sane to me.
> > 
> > Cheers,
> > Martin
> > (former stable release manager)
> > 
> 
> Closes statement removed as requested.
> See bug #872441 for the discussion.

No. You want to open a bug report against your own package, saying that
there is a security bug, and you want to refer to that in the Closes
statement.




Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-18 Thread Mattias Ellert
Thu 2017-08-17 at 20:21 +0200, Martin Zobel-Helas wrote:
> Hi, 
> 
> On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: jessie
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > This is a proposal to fix CVE-2017-9765 in jessie.
> > debdiff is attached.
> > 
> > Mattias Ellert
> > diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
> > --- gsoap-2.8.17/debian/changelog   2014-07-11 13:45:59.0 +0200
> > +++ gsoap-2.8.17/debian/changelog   2017-08-16 11:30:40.0 +0200
> > @@ -1,3 +1,9 @@
> > +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
> > +
> > +  * Fix for CVE-2017-9765 (Closes: )
> > +
> > + -- Mattias Ellert   Wed, 16 Aug 2017 
> > 11:30:40 +0200
> > +
> >  gsoap (2.8.17-1) unstable; urgency=medium
> 
> Once this changelog has a proper Closes line with a bug number, this patch
> looks sane to me.
> 
> Cheers,
> Martin
> (former stable release manager)
> 

Closes statement removed as requested.
See bug #872441 for the discussion.

Mattias
diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
--- gsoap-2.8.17/debian/changelog	2014-07-11 13:45:59.0 +0200
+++ gsoap-2.8.17/debian/changelog	2017-08-16 11:30:40.0 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
+
+  * Fix for CVE-2017-9765
+
+ -- Mattias Ellert   Wed, 16 Aug 2017 11:30:40 +0200
+
 gsoap (2.8.17-1) unstable; urgency=medium
 
   * New upstream release
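Review bot: the changelog entry only names the CVE; for a stable update it helps to say what was changed, e.g. "* Fix for CVE-2017-9765: bound the buffer write in soap_get_pi() when parsing XML processing instructions (new patch gsoap-CVE-2017-9765.patch)", so the entry is understandable without opening the patch. Leaving out the Closes reference is consistent with the guidance in this thread that no bug needs closing when none was filed against gsoap, since the Security Tracker already records the CVE.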
diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 09:29:32.0 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.c gsoap-2.7/gsoap/stdsoap2.c
+--- gsoap-2.7.orig/gsoap/stdsoap2.c	2010-04-06 18:23:14.0 +0200
 gsoap-2.7/gsoap/stdsoap2.c	2017-08-01 15:05:03.634309308 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.cpp gsoap-2.7/gsoap/stdsoap2.cpp
+--- gsoap-2.7.orig/gsoap/stdsoap2.cpp	2010-04-06 18:23:14.0 +0200
 gsoap-2.7/gsoap/stdsoap2.cpp	2017-08-01 15:05:03.636309306 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
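Review bot: the new patch file has no DEP-3 header; add at least Description, Origin (where this diff was taken from) and Bug lines naming CVE-2017-9765, so a later maintainer can tell whether it matches upstream's fix. The change itself is sound: the old loop decremented the signed `int i` on every iteration through `if (--i > 0)`, even once the 64-byte `buf` was full, so a long enough processing instruction could make the counter wrap and writes past `buf` resume; the new code keeps `i` as `size_t` and decrements it only inside `if (i > 1)` while a byte is actually stored, which guarantees at most 63 bytes are written before `*s = '\0'`. Two things to check in the copy that gets uploaded: the inner `+++ gsoap-2.7/gsoap/stdsoap2.c` and `.cpp` header lines appear here without their leading `+` (they read as context lines), and both the comment `/* Parse the XML PI encoding declaration and look for  */` and the `DBGLOG` format string `"XML PI \n"` look truncated, probably an angle-bracketed string lost in transit; run `quilt push -a` on the final tree before uploading. The diff is against gsoap-2.7 paths, which with `-p1` reduce to `gsoap/stdsoap2.c` and `gsoap/stdsoap2.cpp`, so it should apply to 2.8.17 as long as the hunk context matches.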
diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series
--- gsoap-2.8.17/debian/patches/series	2014-07-11 20:36:40.0 +0200
+++ gsoap-2.8.17/debian/patches/series	2017-08-16 11:28:38.0 +0200
@@ -21,3 +21,6 @@
 
 # https://sourceforge.net/p/gsoap2/patches/119/
 gsoap-doxygen-paths.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch
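Review bot: the series comment `# CVE-2017-9765` gives only the identifier; the entry just above it records a URL for its patch, so follow that convention and add the tracker link (https://security-tracker.debian.org/tracker/CVE-2017-9765) so the provenance of the patch can be checked in one hop.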




Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-17 Thread Martin Zobel-Helas
Hi, 

On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> This is a proposal to fix CVE-2017-9765 in jessie.
> debdiff is attached.
> 
> Mattias Ellert

> diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
> --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.0 +0200
> +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200
> @@ -1,3 +1,9 @@
> +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
> +
> +  * Fix for CVE-2017-9765 (Closes: )
> +
> + -- Mattias Ellert   Wed, 16 Aug 2017 11:30:40 
> +0200
> +
>  gsoap (2.8.17-1) unstable; urgency=medium

Once this changelog has a proper Closes line with a bug number, this patch
looks sane to me.

Cheers,
Martin
(former stable release manager)




Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-17 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2017-9765 in jessie.
debdiff is attached.

Mattias Ellert
diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
--- gsoap-2.8.17/debian/changelog	2014-07-11 13:45:59.0 +0200
+++ gsoap-2.8.17/debian/changelog	2017-08-16 11:30:40.0 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
+
+  * Fix for CVE-2017-9765 (Closes: )
+
+ -- Mattias Ellert   Wed, 16 Aug 2017 11:30:40 +0200
+
 gsoap (2.8.17-1) unstable; urgency=medium
 
   * New upstream release
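Review bot: `(Closes: )` with no bug number is an empty placeholder; the changelog parser only picks up a `Closes:` with an actual `#NNNNNN`, so as written nothing is closed and the text is just noise in the stable changelog. Either fill in the number of a bug filed against gsoap for this CVE or drop the parenthesis entirely, as the later revision in this thread does.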
diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 09:29:32.0 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.c gsoap-2.7/gsoap/stdsoap2.c
+--- gsoap-2.7.orig/gsoap/stdsoap2.c	2010-04-06 18:23:14.0 +0200
 gsoap-2.7/gsoap/stdsoap2.c	2017-08-01 15:05:03.634309308 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.cpp gsoap-2.7/gsoap/stdsoap2.cpp
+--- gsoap-2.7.orig/gsoap/stdsoap2.cpp	2010-04-06 18:23:14.0 +0200
 gsoap-2.7/gsoap/stdsoap2.cpp	2017-08-01 15:05:03.636309306 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
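Review bot: the `+++` lines of the embedded upstream diff for stdsoap2.c and stdsoap2.cpp show up here without their leading `+` (they read as context lines starting with a space), so either the archive mangled them or the patch file is malformed; confirm with `quilt push -a` that the patch applies cleanly to the 2.8.17 source before upload. The C and C++ hunks are identical, as the two files carry the same `soap_get_pi` function, so any follow-up to one must be mirrored in the other.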
diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series
--- gsoap-2.8.17/debian/patches/series	2014-07-11 20:36:40.0 +0200
+++ gsoap-2.8.17/debian/patches/series	2017-08-16 11:28:38.0 +0200
@@ -21,3 +21,6 @@
 
 # https://sourceforge.net/p/gsoap2/patches/119/
 gsoap-doxygen-paths.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch

