Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
Control: tags -1 + pending

On Thu, 2017-08-17 at 16:38 +0200, Mattias Ellert wrote:
> This is a proposal to fix CVE-2017-9765 in jessie.
> 

Flagged for acceptance.

Regards,

Adam
Processed: Re: Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
Processing control commands:

> tags -1 + pending
Bug #872442 [release.debian.org] jessie-pu: package gsoap/2.8.17-1+deb8u1
Added tag(s) pending.

-- 
872442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
On Thu, 2017-08-24 at 20:11 +0200, Martin Zobel-Helas wrote:
> Hi,
> 
> On Thu Aug 24, 2017 at 15:51:30 +0200, Mattias Ellert wrote:
> > On Fri, 2017-08-18 at 13:47 +0200, Mattias Ellert wrote:
> > > > No. You want to open a bug report against your own package, telling
> > > > there is a security bug. and you want to refer that on in the closes
> > > > statement.
> > > > 
> > > 
> > > This contradicts what Adam said in bug #872441:
> > > 
> > > > If there is no bug filed against gsoap that relates to the issue, then
> > > > there should be no bug closed in the changelog.
> > > 
> > > Can you resolve your differences?
> > > 
> > > Mattias
> > 
> > Hi again.
> > 
> > Is there a resolution to this? Is a Closes statement mandatory or not?
> 
> Adam has the last word on this. If he says it is okay, that is fine with
> me.

In general, it's helpful for there to be an easily referenceable source for details of any issues being resolved in an upload, and for bugs being addressed in stable it is useful to be able to quickly verify whether the issue has already been resolved in unstable.

In the case of an upload addressing one or more CVEs, the Debian Security Tracker already contains the information required in order to verify that unstable has already been fixed, so a new bug does not need to be filed - in most cases, there will be a bug anyway, as the Security Team will have filed one.

Regards,

Adam
Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
Hi,

On Thu Aug 24, 2017 at 15:51:30 +0200, Mattias Ellert wrote:
> On Fri, 2017-08-18 at 13:47 +0200, Mattias Ellert wrote:
> > > No. You want to open a bug report against your own package, telling
> > > there is a security bug. and you want to refer that on in the closes
> > > statement.
> > > 
> > 
> > This contradicts what Adam said in bug #872441:
> > 
> > > If there is no bug filed against gsoap that relates to the issue, then
> > > there should be no bug closed in the changelog.
> > 
> > Can you resolve your differences?
> > 
> > Mattias
> 
> Hi again.
> 
> Is there a resolution to this? Is a Closes statement mandatory or not?

Adam has the last word on this. If he says it is okay, that is fine with
me.

Cheers,
Martin
-- 
Martin Zobel-Helas              Debian System Administrator
Debian & GNU/Linux Developer              Debian Listmaster
http://about.me/zobel                      Debian Webmaster
GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
On Fri, 2017-08-18 at 13:47 +0200, Mattias Ellert wrote:
> 
> > No. You want to open a bug report against your own package, telling
> > there is a security bug. and you want to refer that on in the closes
> > statement.
> > 
> 
> This contradicts what Adam said in bug #872441:
> 
> > If there is no bug filed against gsoap that relates to the issue, then
> > there should be no bug closed in the changelog.
> 
> Can you resolve your differences?
> 
> Mattias

Hi again.

Is there a resolution to this? Is a Closes statement mandatory or not?

Mattias
Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
On Fri, 2017-08-18 at 13:08 +0200, Martin Zobel-Helas wrote:
> Hi,
> 
> On Fri Aug 18, 2017 at 11:35:21 +0200, Mattias Ellert wrote:
> > On Thu, 2017-08-17 at 20:21 +0200, Martin Zobel-Helas wrote:
> > > Hi,
> > > 
> > > On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote:
> > > > Package: release.debian.org
> > > > Severity: normal
> > > > Tags: jessie
> > > > User: release.debian@packages.debian.org
> > > > Usertags: pu
> > > > 
> > > > This is a proposal to fix CVE-2017-9765 in jessie.
> > > > debdiff is attached.
> > > > 
> > > > Mattias Ellert
> > > > diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
> > > > --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.0
> > > > +0200
> > > > +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0
> > > > +0200
> > > > @@ -1,3 +1,9 @@
> > > > +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
> > > > +
> > > > + * Fix for CVE-2017-9765 (Closes: )
> > > > +
> > > > -- Mattias EllertWed, 16 Aug 2017
> > > > 11:30:40 +0200
> > > > +
> > > > gsoap (2.8.17-1) unstable; urgency=medium
> > > once this changelog has a proper Closes line with bug-number this patch
> > > looks sane to me.
> > > 
> > > Cheers,
> > > Martin
> > > (former stable release manager)
> > > 
> > 
> > Closes statement removed as requested.
> > See bug #872441 for the discussion.
> 
> No. You want to open a bug report against your own package, telling
> there is a security bug. and you want to refer that on in the closes
> statement.
> 

This contradicts what Adam said in bug #872441:

> If there is no bug filed against gsoap that relates to the issue, then
> there should be no bug closed in the changelog.

Can you resolve your differences?

Mattias
Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
Hi,

On Fri Aug 18, 2017 at 11:35:21 +0200, Mattias Ellert wrote:
> On Thu, 2017-08-17 at 20:21 +0200, Martin Zobel-Helas wrote:
> > Hi,
> > 
> > On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: jessie
> > > User: release.debian@packages.debian.org
> > > Usertags: pu
> > > 
> > > This is a proposal to fix CVE-2017-9765 in jessie.
> > > debdiff is attached.
> > > 
> > > Mattias Ellert
> > > diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
> > > --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.0 +0200
> > > +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200
> > > @@ -1,3 +1,9 @@
> > > +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
> > > +
> > > + * Fix for CVE-2017-9765 (Closes: )
> > > +
> > > + -- Mattias EllertWed, 16 Aug 2017
> > > 11:30:40 +0200
> > > +
> > > gsoap (2.8.17-1) unstable; urgency=medium
> > 
> > once this changelog has a proper Closes line with bug-number this patch
> > looks sane to me.
> > 
> > Cheers,
> > Martin
> > (former stable release manager)
> > 
> 
> Closes statement removed as requested.
> See bug #872441 for the discussion.

No. You want to open a bug report against your own package, telling
there is a security bug. and you want to refer that on in the closes
statement.

-- 
Martin Zobel-Helas              Debian System Administrator
Debian & GNU/Linux Developer              Debian Listmaster
http://about.me/zobel                      Debian Webmaster
GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
tor 2017-08-17 klockan 20:21 +0200 skrev Martin Zobel-Helas: > Hi, > > On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote: > > Package: release.debian.org > > Severity: normal > > Tags: jessie > > User: release.debian@packages.debian.org > > Usertags: pu > > > > This is a proposal to fix CVE-2017-9765 in jessie. > > debdiff is attached. > > > > Mattias Ellert > > diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog > > --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.0 +0200 > > +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200 > > @@ -1,3 +1,9 @@ > > +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium > > + > > + * Fix for CVE-2017-9765 (Closes: ) > > + > > + -- Mattias EllertWed, 16 Aug 2017 > > 11:30:40 +0200 > > + > > gsoap (2.8.17-1) unstable; urgency=medium > > once this changelog has a proper Closes line with bug-number this patch > looks sane to me. > > Cheers, > Martin > (former stable release manager) > Closes statement removed as requested. See bug #872441 for the discussion. Mattias diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.0 +0200 +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200 @@ -1,3 +1,9 @@ +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium + + * Fix for CVE-2017-9765 + + -- Mattias Ellert Wed, 16 Aug 2017 11:30:40 +0200 + gsoap (2.8.17-1) unstable; urgency=medium * New upstream release diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch --- gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch 2017-08-16 09:29:32.0 +0200 
@@ -0,0 +1,54 @@ +diff -ur gsoap-2.7.orig/gsoap/stdsoap2.c gsoap-2.7/gsoap/stdsoap2.c +--- gsoap-2.7.orig/gsoap/stdsoap2.c 2010-04-06 18:23:14.0 +0200 gsoap-2.7/gsoap/stdsoap2.c 2017-08-01 15:05:03.634309308 +0200 +@@ -1509,17 +1509,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + register char *s = buf; +- register int i = sizeof(buf); +- register soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ register size_t i = sizeof(buf); ++ register soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); +diff -ur gsoap-2.7.orig/gsoap/stdsoap2.cpp gsoap-2.7/gsoap/stdsoap2.cpp +--- gsoap-2.7.orig/gsoap/stdsoap2.cpp 2010-04-06 18:23:14.0 +0200 gsoap-2.7/gsoap/stdsoap2.cpp 2017-08-01 15:05:03.636309306 +0200 +@@ -1509,17 +1509,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + register char *s = buf; +- register int i = sizeof(buf); +- register soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ register size_t i = sizeof(buf); ++ register soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series --- 
gsoap-2.8.17/debian/patches/series 2014-07-11 20:36:40.0 +0200 +++ gsoap-2.8.17/debian/patches/series 2017-08-16 11:28:38.0 +0200 @@ -21,3 +21,6 @@ # https://sourceforge.net/p/gsoap2/patches/119/ gsoap-doxygen-paths.patch + +# CVE-2017-9765 +gsoap-CVE-2017-9765.patch
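Review bot: the stdsoap2.c and stdsoap2.cpp hunks fix the bound correctly, but the patch file's provenance and text need checking before upload. The old loop decremented `register int i = sizeof(buf);` with `--i > 0` on every character of the processing instruction, stored or not, so a long enough PI drives the signed counter past INT_MIN, it wraps back to positive in practice, and `*s++ = (char)c;` resumes writing past the 64-byte stack buffer; the replacement makes `i` a `size_t`, tests `i > 1` and decrements only inside that branch, so `i` settles at 1, at most 63 bytes are stored and the closing `*s = '\0';` still lands inside `buf`. Three things to raise: (1) the file headers name `gsoap-2.7.orig/gsoap/stdsoap2.c` with 2010 timestamps while this package is 2.8.17, so run `quilt push -a` on the jessie source and confirm both hunks apply without offset or fuzz; (2) in this copy the new comment stops at `look for` and the `DBGLOG` format string `"XML PI \n"` has no `%s` conversion for the `buf` argument it is passed, which looks like angle-bracketed `<?...?>` text having been dropped in transit, so verify the patch file on disk is intact; (3) both `+++` file header lines have been run onto the end of the preceding `---` lines here, same check.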
Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
Hi,

On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> This is a proposal to fix CVE-2017-9765 in jessie.
> debdiff is attached.
> 
> Mattias Ellert
> diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
> --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.0 +0200
> +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200
> @@ -1,3 +1,9 @@
> +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
> +
> + * Fix for CVE-2017-9765 (Closes: )
> +
> + -- Mattias EllertWed, 16 Aug 2017 11:30:40
> +0200
> +
> gsoap (2.8.17-1) unstable; urgency=medium

once this changelog has a proper Closes line with bug-number this patch
looks sane to me.

Cheers,
Martin
(former stable release manager)

-- 
Martin Zobel-Helas              Debian System Administrator
Debian & GNU/Linux Developer              Debian Listmaster
http://about.me/zobel                      Debian Webmaster
GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu This is a proposal to fix CVE-2017-9765 in jessie. debdiff is attached. Mattias Ellert diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog --- gsoap-2.8.17/debian/changelog 2014-07-11 13:45:59.0 +0200 +++ gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200 @@ -1,3 +1,9 @@ +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium + + * Fix for CVE-2017-9765 (Closes: ) + + -- Mattias EllertWed, 16 Aug 2017 11:30:40 +0200 + gsoap (2.8.17-1) unstable; urgency=medium * New upstream release diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch --- gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch 2017-08-16 09:29:32.0 +0200 
@@ -0,0 +1,54 @@ +diff -ur gsoap-2.7.orig/gsoap/stdsoap2.c gsoap-2.7/gsoap/stdsoap2.c +--- gsoap-2.7.orig/gsoap/stdsoap2.c 2010-04-06 18:23:14.0 +0200 gsoap-2.7/gsoap/stdsoap2.c 2017-08-01 15:05:03.634309308 +0200 +@@ -1509,17 +1509,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + register char *s = buf; +- register int i = sizeof(buf); +- register soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ register size_t i = sizeof(buf); ++ register soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); +diff -ur gsoap-2.7.orig/gsoap/stdsoap2.cpp gsoap-2.7/gsoap/stdsoap2.cpp +--- gsoap-2.7.orig/gsoap/stdsoap2.cpp 2010-04-06 18:23:14.0 +0200 gsoap-2.7/gsoap/stdsoap2.cpp 2017-08-01 15:05:03.636309306 +0200 +@@ -1509,17 +1509,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + register char *s = buf; +- register int i = sizeof(buf); +- register soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ register size_t i = sizeof(buf); ++ register soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +-c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf)); diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series --- 
gsoap-2.8.17/debian/patches/series 2014-07-11 20:36:40.0 +0200 +++ gsoap-2.8.17/debian/patches/series 2017-08-16 11:28:38.0 +0200 @@ -21,3 +21,6 @@ # https://sourceforge.net/p/gsoap2/patches/119/ gsoap-doxygen-paths.patch + +# CVE-2017-9765 +gsoap-CVE-2017-9765.patch
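Review bot: the `(Closes: )` in the changelog hunk is empty, so it matches no bug number and closes nothing; either fill in the number of a bug filed against gsoap for this issue or drop the parenthetical and keep just `* Fix for CVE-2017-9765`. Separately, `debian/patches/gsoap-CVE-2017-9765.patch` starts straight at `diff -ur` with no DEP-3 header; add `Description:`, `Origin:` and a `Bug:`/CVE reference line above the diff so the source of the fix is recorded in the patch itself rather than only in the `# CVE-2017-9765` comment added to `debian/patches/series`.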