Processed: Re: Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
Processing control commands:

> tags -1 + confirmed
Bug #922385 [release.debian.org] stretch-pu: package gsoap/2.8.35-4+deb9u2
Added tag(s) confirmed.

--
922385: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922385
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
Control: tags -1 + confirmed

On Mon, 2019-02-18 at 18:12 +0100, Mattias Ellert wrote:
> Fri 2019-02-15 at 13:06 +, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On 2019-02-15 10:12, Mattias Ellert wrote:
> > > This is a proposal to fix CVE-2019-7659 in stretch.
> > >
> > > The update also addresses one additional advisory published by
> > > the upstream developers.
> >
> > +-soap_encode_url(const char *s, char *t, size_t len)
> > ++soap_encode_url(const char *s, char *t, int len)
> >
> > If soap_encode_url is a public symbol, that's an ABI break - int
> > and size_t may well not be the same size, but they're definitely
> > different signedness.
[...]
>
> The outcome of the discussion was that using ssize_t instead of int
> in the patch was a better idea, and that version was accepted.
>
> I propose the same change for stretch.

Please go ahead; sorry for the delay.

Regards,

Adam
Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
Fri 2019-02-15 at 13:06 +, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On 2019-02-15 10:12, Mattias Ellert wrote:
> > This is a proposal to fix CVE-2019-7659 in stretch.
> >
> > The update also addresses one additional advisory published by the
> > upstream developers.
>
> +-soap_encode_url(const char *s, char *t, size_t len)
> ++soap_encode_url(const char *s, char *t, int len)
>
> If soap_encode_url is a public symbol, that's an ABI break - int and
> size_t may well not be the same size, but they're definitely different
> signedness.
>
> Regards,
>
> Adam

Hi Adam.

After you closed the corresponding request for jessie I sent the jessie update to debian-lts as suggested. This triggered the same discussion regarding this function being public. This is a quite long discussion - see the archive for details:

https://lists.debian.org/debian-lts/2019/02/msg00131.html

The outcome of the discussion was that using ssize_t instead of int in the patch was a better idea, and that version was accepted.

I propose the same change for stretch. Updated debdiff attached.

Mattias

diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog --- gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200 +++ gsoap-2.8.35/debian/changelog 2019-02-14 17:12:12.0 +0100 
@@ -1,3 +1,18 @@ +gsoap (2.8.35-4+deb9u2) stretch; urgency=medium + + * Fix for CVE-2019-7659 +Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a +denial of service (application abort) or possibly have unspecified other +impact if a server application is built with the -DWITH_COOKIES flag. This +affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ +libraries, as these are built with that flag. + * Fix issue with DIME protocol receiver and malformed DIME headers +This patch addresses a critical issue with the DIME protocol receiver that +may cause the receiver to become unresponsive when a malformed DIME +protocol message is received. -- https://www.genivia.com/advisory.html + + -- Mattias Ellert Thu, 14 Feb 2019 17:12:12 +0100 + gsoap (2.8.35-4+deb9u1) stretch; urgency=medium * Fix for CVE-2017-9765 diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch --- gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch 2019-02-14 17:12:12.0 +0100 
@@ -0,0 +1,50 @@ +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.c gsoap-2.8.35/gsoap/stdsoap2.c +--- gsoap-2.8.35.orig/gsoap/stdsoap2.c 2016-09-18 10:56:10.0 +0200 gsoap-2.8.35/gsoap/stdsoap2.c 2019-02-13 17:21:44.18800 +0100 +@@ -7037,11 +7037,12 @@ + + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++ssize_t + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, ssize_t len) + { int c; +- size_t n = len; ++ ssize_t n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.cpp gsoap-2.8.35/gsoap/stdsoap2.cpp +--- gsoap-2.8.35.orig/gsoap/stdsoap2.cpp 2016-09-18 10:56:10.0 +0200 gsoap-2.8.35/gsoap/stdsoap2.cpp 2019-02-13 17:21:44.18800 +0100 +@@ -7037,11 +7037,12 @@ + + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++ssize_t + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, ssize_t len) + { int c; +- size_t n = len; ++ ssize_t n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.h gsoap-2.8.35/gsoap/stdsoap2.h +--- gsoap-2.8.35.orig/gsoap/stdsoap2.h 2016-09-18 10:56:10.0 +0200 gsoap-2.8.35/gsoap/stdsoap2.h 2019-02-13 17:19:31.08800 +0100 +@@ -3380,7 +3380,7 @@ + SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url(struct soap *soap, const char*, const char*); + SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url_query(struct soap *soap, const char*, const char*); + SOAP_FMAC1 void SOAP_FMAC2 soap_url_query(struct soap *soap, const char*, const char*); +-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t); ++SOAP_FMAC1 ssize_t SOAP_FMAC2 soap_encode_url(const char*, char*, ssize_t); + SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*); + #ifdef WITH_COOKIES + 
SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val); diff -Nru gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch --- gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch 2019-02-14 11:33:00.0 +0100
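Review bot: In the stdsoap2.c and stdsoap2.cpp hunks, the added "if (n <= 0) return 0;" returns before anything is stored through t, so for a zero or negative len the output buffer is left exactly as the caller passed it. The hunk does not show the callers, so it is worth confirming that each one treats a return value of 0 as "nothing was written" and does not go on to read t as a string. A one-line comment above the check stating that contract would help the next reader.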
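Review bot: The stdsoap2.h hunk changes the prototype of soap_encode_url, which is declared in the installed header, from size_t to ssize_t for both the return value and the length, but the new changelog entry in debian/changelog only describes the CVE and the DIME fix. Suggest adding a changelog line that records the signature change and why it was chosen, and checking that stdsoap2.h already pulls in a definition of ssize_t before this declaration. Code built against the old header that passes a length above the largest ssize_t value will now have it read as negative and hit the "n <= 0" early return.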
Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
Control: tags -1 + moreinfo

On 2019-02-15 10:12, Mattias Ellert wrote:
> This is a proposal to fix CVE-2019-7659 in stretch.
>
> The update also addresses one additional advisory published by the
> upstream developers.

+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, int len)

If soap_encode_url is a public symbol, that's an ABI break - int and size_t may well not be the same size, but they're definitely different signedness.

Regards,

Adam
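The width and signedness concern raised in this message, together with the loop guard visible in the quoted patch, modelled as an added example that is not part of the original mail and is not gSOAP code. All function names are hypothetical, src_len stands in for the length of the NUL-terminated source, and the casts assume a compiler that truncates out-of-range conversions the way GCC and Clang do.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>              /* ssize_t (POSIX) */

/* Model of a size_t counter behind the guard `--n > 0`.  src_len stands in
   for the NUL-terminated source; the return value is how many characters
   the guard lets through.  Nothing is written, so this is safe to run. */
size_t allowed_unsigned(size_t len, size_t src_len)
{
    size_t n = len, out = 0;
    while (out < src_len && --n > 0)   /* len == 0: --n wraps to SIZE_MAX */
        out++;
    return out;
}

/* Same loop with a signed counter and the early return from the patch. */
size_t allowed_signed(ssize_t len, size_t src_len)
{
    ssize_t n = len;
    size_t out = 0;
    if (n <= 0)
        return 0;
    while (out < src_len && --n > 0)
        out++;
    return out;
}

/* Model of a caller built against the old header (size_t len) calling a
   library rebuilt with a narrower or signed parameter type.  Assumption:
   out-of-range conversions truncate, as GCC and Clang define them. */
long long seen_as_int(size_t len)     { return (int)len; }
long long seen_as_ssize_t(size_t len) { return (ssize_t)len; }

int main(void)
{
    size_t big = (size_t)UINT_MAX + 5;   /* constructed; 0x100000004 on LP64 */
    printf("len=0, 100-char source: unsigned lets %zu through, signed %zu\n",
           allowed_unsigned(0, 100), allowed_signed(0, 100));
    printf("len=8: unsigned %zu, signed %zu\n",
           allowed_unsigned(8, 100), allowed_signed(8, 100));
    printf("caller passes %zu: int sees %lld, ssize_t sees %lld\n",
           big, seen_as_int(big), seen_as_ssize_t(big));
    printf("caller passes SIZE_MAX: ssize_t sees %lld\n",
           seen_as_ssize_t((size_t)-1));
    return 0;
}
```

For ordinary lengths both counters agree; they differ only at len == 0 and for values that do not fit the narrower or signed type.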
Processed: Re: Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
Processing control commands:

> tags -1 + moreinfo
Bug #922385 [release.debian.org] stretch-pu: package gsoap/2.8.35-4+deb9u2
Added tag(s) moreinfo.

--
922385: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922385
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2019-7659 in stretch.

The update also addresses one additional advisory published by the upstream developers.

debdiff is attached.

gsoap (2.8.35-4+deb9u2) stretch; urgency=medium

  * Fix for CVE-2019-7659
    Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a denial of service (application abort) or possibly have unspecified other impact if a server application is built with the -DWITH_COOKIES flag. This affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ libraries, as these are built with that flag.
  * Fix issue with DIME protocol receiver and malformed DIME headers
    This patch addresses a critical issue with the DIME protocol receiver that may cause the receiver to become unresponsive when a malformed DIME protocol message is received. -- https://www.genivia.com/advisory.html

Mattias Ellert

diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog --- gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200 +++ gsoap-2.8.35/debian/changelog 2019-02-14 17:12:12.0 +0100 
@@ -1,3 +1,18 @@ +gsoap (2.8.35-4+deb9u2) stretch; urgency=medium + + * Fix for CVE-2019-7659 +Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a +denial of service (application abort) or possibly have unspecified other +impact if a server application is built with the -DWITH_COOKIES flag. This +affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ +libraries, as these are built with that flag. + * Fix issue with DIME protocol receiver and malformed DIME headers +This patch addresses a critical issue with the DIME protocol receiver that +may cause the receiver to become unresponsive when a malformed DIME +protocol message is received. -- https://www.genivia.com/advisory.html + + -- Mattias Ellert Thu, 14 Feb 2019 17:12:12 +0100 + gsoap (2.8.35-4+deb9u1) stretch; urgency=medium * Fix for CVE-2017-9765 diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch --- gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch 2019-02-14 17:12:12.0 +0100 
@@ -0,0 +1,50 @@ +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.c gsoap-2.8.35/gsoap/stdsoap2.c +--- gsoap-2.8.35.orig/gsoap/stdsoap2.c 2016-09-18 10:56:10.0 +0200 gsoap-2.8.35/gsoap/stdsoap2.c 2019-02-13 17:21:44.18800 +0100 +@@ -7037,11 +7037,12 @@ + + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++int + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) + { int c; +- size_t n = len; ++ int n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.cpp gsoap-2.8.35/gsoap/stdsoap2.cpp +--- gsoap-2.8.35.orig/gsoap/stdsoap2.cpp 2016-09-18 10:56:10.0 +0200 gsoap-2.8.35/gsoap/stdsoap2.cpp 2019-02-13 17:21:44.18800 +0100 +@@ -7037,11 +7037,12 @@ + + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++int + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) + { int c; +- size_t n = len; ++ int n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.h gsoap-2.8.35/gsoap/stdsoap2.h +--- gsoap-2.8.35.orig/gsoap/stdsoap2.h 2016-09-18 10:56:10.0 +0200 gsoap-2.8.35/gsoap/stdsoap2.h 2019-02-13 17:19:31.08800 +0100 +@@ -3380,7 +3380,7 @@ + SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url(struct soap *soap, const char*, const char*); + SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url_query(struct soap *soap, const char*, const char*); + SOAP_FMAC1 void SOAP_FMAC2 soap_url_query(struct soap *soap, const char*, const char*); +-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t); ++SOAP_FMAC1 int SOAP_FMAC2 soap_encode_url(const char*, char*, int); + SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*); + #ifdef WITH_COOKIES + SOAP_FMAC1 void SOAP_FMAC2 
soap_getcookies(struct soap *soap, const char *val); diff -Nru gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch --- gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch 2019-02-13 17:12:41.0 +0100 @@ -0,0 +1,22 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +---
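Review bot: The int signature introduced in the stdsoap2.c, stdsoap2.cpp and stdsoap2.h hunks narrows both the len parameter and the return value of soap_encode_url on 64-bit ports, where size_t is 64 bits wide and int is 32, and the prototype being changed sits in the installed header stdsoap2.h. Programs built against the old declaration would pass and read a value of a different width than the rebuilt library expects. A signed type of the same width as size_t keeps the "if (n <= 0) return 0;" guard working without changing the width, and the changelog entry should mention the signature change either way.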