Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
[Adding 922...@bugs.debian.org to CC for completeness / BTS archive] Chris Lamb wrote: > > So using the ssize_t version that preserves the sizes of the arguments > > and return type of the function is the safer choice, regardless of > > upstream's claim that the function is private. > > Upstream have not replied so I will upload and release the ssize_t > version shortly. I've gone ahead and done this as DLA 1681-1, the only change being: - gsoap (2.8.17-1+deb8u2) jessie; urgency=medium + gsoap (2.8.17-1+deb8u2) jessie-security; urgency=high Thanks for your help, Mattias. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
Hi Mattias, > Is the aim of this discussion still to determine which version of the > proposed change to use? The original int version, or the updated > ssize_t version? I'm sorry to hear in your mail that you are feeling frustrated ("derail into a general complaint…" etc.) as our shared goal is surely to get a good patch out as quick as possible… and if upstream can "bless" such a change, all the better. > So using the ssize_t version that preserves the sizes of the arguments > and return type of the function is the safer choice, regardless of > upstream's claim that the function is private. Upstream have not replied so I will upload and release the ssize_t version shortly. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
lör 2019-02-16 klockan 22:05 + skrev Ben Hutchings: > On Sat, 2019-02-16 at 06:43 +0100, Mattias Ellert wrote: > > lör 2019-02-16 klockan 00:12 +0100 skrev Chris Lamb: > > > Hi Mattias, > > > > > > > What exactly do you want to run past upstream? It is not clear to me > > > > what you are requesting here. > > > > > > Your change to the patch, no? :) > > > > > > > > > Regards, > > > > > > > OK. > > > > https://sourceforge.net/p/gsoap2/bugs/1236/ > > ...which has now been closed because "[t]his is not a public API > function but an internal one." But the function is declared in a > public header, and is exported, so I don't know whether this > distinction exists other than in the mind of the upstream developer... > > Ben. > Is the aim of this discussion still to determine which version of the proposed change to use? The original int version, or the updated ssize_t version? Or has the discussion derail into a general complaint about how strange upstream is behaving that will go on forever and thereby block fixing the issue? When upstream says that the function soap_encode_url is "private", this is true in as much as it is not called by code generated by the stdsoap2 program. Such code calls soap_encode_url_string not soap_encode_url. However, since the function is declared in the public header file it is not really private, and in theory it is accessible to be called by any code using the library. So using the ssize_t version that preserves the sizes of the arguments and return type of the function is the safer choice, regardless of upstream's claim that the function is private. Mattias smime.p7s Description: S/MIME cryptographic signature
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
On Sat, 2019-02-16 at 06:43 +0100, Mattias Ellert wrote: > lör 2019-02-16 klockan 00:12 +0100 skrev Chris Lamb: > > Hi Mattias, > > > > > What exactly do you want to run past upstream? It is not clear to me > > > what you are requesting here. > > > > Your change to the patch, no? :) > > > > > > Regards, > > > > OK. > > https://sourceforge.net/p/gsoap2/bugs/1236/ ...which has now been closed because "[t]his is not a public API function but an internal one." But the function is declared in a public header, and is exported, so I don't know whether this distinction exists other than in the mind of the upstream developer... Ben. -- Ben Hutchings When in doubt, use brute force. - Ken Thompson signature.asc Description: This is a digitally signed message part
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
lör 2019-02-16 klockan 00:12 +0100 skrev Chris Lamb: > Hi Mattias, > > > What exactly do you want to run past upstream? It is not clear to me > > what you are requesting here. > > Your change to the patch, no? :) > > > Regards, > OK. https://sourceforge.net/p/gsoap2/bugs/1236/ Mattias smime.p7s Description: S/MIME cryptographic signature
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
Hi Mattias, > What exactly do you want to run past upstream? It is not clear to me > what you are requesting here. Your change to the patch, no? :) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
fre 2019-02-15 klockan 22:15 +0100 skrev Chris Lamb: > Hi Mattias, > > The patch was based on the suggested fix from upstream which uses int. > > But I agree ssize_t is a better choice. > > Thanks for attaching an updated debdiff. Can you run this past upstream? > > > Regards, What exactly do you want to run past upstream? It is not clear to me what you are requesting here. Mattias smime.p7s Description: S/MIME cryptographic signature
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
Hi Mattias, > The patch was based on the suggested fix from upstream which uses int. > But I agree ssize_t is a better choice. Thanks for attaching an updated debdiff. Can you run this past upstream? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
fre 2019-02-15 klockan 17:56 +0100 skrev Chris Lamb: > Ben Hutchings wrote: > > > > Given the reference to cookies in the upstream advisory, I think the > > actual bug is > > […] > > Thanks for looking into this. For the avoidance of doubt I will not > proceed with an upload. > > With my "front desk" hat on, I've also added a link in the data/ > CVE/list to this thread as it discusses the merits of the patch: > > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/f9c0c26172f864a9fb70c332d61dabd72b47a56e > > > Regards, > Thank you for your comments. The patch was based on the suggested fix from upstream which uses int. But I agree ssize_t is a better choice. Updated debdiff attatched. Mattias diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog --- gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200 +++ gsoap-2.8.17/debian/changelog 2019-02-14 16:59:28.0 +0100 @@ -1,3 +1,18 @@ +gsoap (2.8.17-1+deb8u2) jessie; urgency=medium + + * Fix for CVE-2019-7659 +Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a +denial of service (application abort) or possibly have unspecified other +impact if a server application is built with the -DWITH_COOKIES flag. This +affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ +libraries, as these are built with that flag. + * Fix issue with DIME protocol receiver and malformed DIME headers +This patch addresses a critical issue with the DIME protocol receiver that +may cause the receiver to become unresponsive when a malformed DIME +protocol message is received. -- https://www.genivia.com/advisory.html + + -- Mattias Ellert Thu, 14 Feb 2019 16:59:28 +0100 + gsoap (2.8.17-1+deb8u1) jessie; urgency=medium * Fix for CVE-2017-9765 diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch --- gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 2019-02-14 16:59:28.0 +0100 @@ -0,0 +1,50 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +--- gsoap-2.8.orig/gsoap/stdsoap2.c 2019-01-18 15:22:36.285318129 +0100 gsoap-2.8/gsoap/stdsoap2.c 2019-01-18 15:26:44.648630944 +0100 +@@ -6199,11 +6199,12 @@ + /**/ + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++ssize_t + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, ssize_t len) + { register int c; +- register size_t n = len; ++ register ssize_t n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp +--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2019-01-18 15:22:36.353317393 +0100 gsoap-2.8/gsoap/stdsoap2.cpp 2019-01-18 15:26:44.648630944 +0100 +@@ -6199,11 +6199,12 @@ + /**/ + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++ssize_t + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, ssize_t len) + { register int c; +- register size_t n = len; ++ register ssize_t n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.h gsoap-2.8/gsoap/stdsoap2.h +--- gsoap-2.8.orig/gsoap/stdsoap2.h 2019-01-18 15:22:36.256318443 +0100 gsoap-2.8/gsoap/stdsoap2.h 2019-01-18 15:25:20.408542687 +0100 +@@ -2747,7 +2747,7 @@ + SOAP_FMAC1 void SOAP_FMAC2 soap_clr_attr(struct soap *soap); + + SOAP_FMAC1 const char* SOAP_FMAC2 soap_url(struct soap *soap, const char*, const char*); +-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t); ++SOAP_FMAC1 ssize_t SOAP_FMAC2 soap_encode_url(const char*, char*, ssize_t); + SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*); + #ifdef WITH_COOKIES + SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val); diff -Nru gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch --- gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch 2019-02-14 11:33:00.0 +0100 @@ -0,0 +1,22 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +--- gsoap-2.8.orig/gsoap/stdsoap2.c 2017-07-11 03:51:16.0 +0200 gsoap-2.8/gsoap/stdsoap2.c 2018-04-18 16:09:06.340071192 +0200 +@@ -16965,7 +16965,6 @@ + return soap->error = SOAP_CHK_EOF; + soap_unget(soap,
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
Ben Hutchings wrote: > Given the reference to cookies in the upstream advisory, I think the > actual bug is […] Thanks for looking into this. For the avoidance of doubt I will not proceed with an upload. With my "front desk" hat on, I've also added a link in the data/ CVE/list to this thread as it discusses the merits of the patch: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f9c0c26172f864a9fb70c332d61dabd72b47a56e Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
On Fri, 2019-02-15 at 13:39 +0100, Emilio Pozuelo Monfort wrote: > On 15/02/2019 13:31, Chris Lamb wrote: > > Hi Mattias, > > > > > I submitted this jessie update to the release team, but was informed to > > > contact you about it instead. What do I do? > > > > Indeed, they have sent you to the right place. :) As-per: > > > > https://wiki.debian.org/LTS/Development > > > > … we would fix CVE-2019-7659 via a jessie "LTS" security upload. > > > > I assume you are not part of the LTS team so you cannot follow the > > procedure outlined above, but would you object if I took your patch > > and did the upload and announcement myself? > > Before pushing this, I was wondering if the change is safe. It is changing the > signature of a public symbol. I don't think size_t and int are guaranteed to > have the same size, Correct, int is 32-bit on all Debian architectures while size_t is a native word so 64-bit on 64-bit architectures. > thus it would be changing the ABI and rdeps would need to be > rebuilt (in those cases where size_t and int have different sizes). And if we > go > down that slope, then libgsoap needs to bump the SONAME... That sort of change is not suitable for a stable update. Given the reference to cookies in the upstream advisory, I think the actual bug is an integer underflow in soap_putcookies() which results in passing a very large buffer size to soap_encode_url(). The upstream patch attempts to fix this by removing the implicit conversion to an unsigned type and then checking for a negative value. I think that a portable and ABI-compatible fix would be to add this at the top of soap_encode_url() instead: if (len == 0 || len > PTRDIFF_MAX) return 0; > Is that right? If so, would it be possible to just change the type to a > ssize_t > instead? Either that or ptrdiff_t should work. Ben. -- Ben Hutchings When in doubt, use brute force. - Ken Thompson signature.asc Description: This is a digitally signed message part
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
On 15/02/2019 13:31, Chris Lamb wrote: > Hi Mattias, > >> I submitted this jessie update to the release team, but was informed to >> contact you about it instead. What do I do? > > Indeed, they have sent you to the right place. :) As-per: > > https://wiki.debian.org/LTS/Development > > … we would fix CVE-2019-7659 via a jessie "LTS" security upload. > > I assume you are not part of the LTS team so you cannot follow the > procedure outlined above, but would you object if I took your patch > and did the upload and announcement myself? Before pushing this, I was wondering if the change is safe. It is changing the signature of a public symbol. I don't think size_t and int are guaranteed to have the same size, thus it would be changing the ABI and rdeps would need to be rebuilt (in those cases where size_t and int have different sizes). And if we go down that slope, then libgsoap needs to bump the SONAME... Is that right? If so, would it be possible to just change the type to a ssize_t instead? Cheers, Emilio
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
Hi Mattias, > I submitted this jessie update to the release team, but was informed to > contact you about it instead. What do I do? Indeed, they have sent you to the right place. :) As-per: https://wiki.debian.org/LTS/Development … we would fix CVE-2019-7659 via a jessie "LTS" security upload. I assume you are not part of the LTS team so you cannot follow the procedure outlined above, but would you object if I took your patch and did the upload and announcement myself? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
Hi! I submitted this jessie update to the release team, but was informed to contact you about it instead. What do I do? Mattias Vidarebefordrat meddelande Från: Debian Bug Tracking System Svara till: 922...@bugs.debian.org Till: Mattias Ellert Ämne: Bug#922384 closed by "Adam D. Barratt" (Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2) Datum: Fri, 15 Feb 2019 10:36:08 + This is an automatic notification regarding your Bug report which was filed against the release.debian.org package: #922384: jessie-pu: package gsoap/2.8.17-1+deb8u2 It has been closed by "Adam D. Barratt" . Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact "Adam D. Barratt" by replying to this email. -- 922384: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922384 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- On 2019-02-15 10:12, Mattias Ellert wrote: Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu This is a proposal to fix CVE-2019-7659 in jessie. The Release Team haven't handled jessie for nearly 9 months now. Please liaise with the LTS Team - https://wiki.debian.org/LTS/ Regards, Adam --- End Message --- --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu This is a proposal to fix CVE-2019-7659 in jessie. The update also addresses one additional advisory published by the upstream developers. debdiff is attached. gsoap (2.8.17-1+deb8u2) jessie; urgency=medium * Fix for CVE-2019-7659 Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a denial of service (application abort) or possibly have unspecified other impact if a server application is built with the -DWITH_COOKIES flag. This affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ libraries, as these are built with that flag. * Fix issue with DIME protocol receiver and malformed DIME headers This patch addresses a critical issue with the DIME protocol receiver that may cause the receiver to become unresponsive when a malformed DIME protocol message is received. -- https://www.genivia.com/advisory.html Mattias Ellert diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog --- gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200 +++ gsoap-2.8.17/debian/changelog 2019-02-14 16:59:28.0 +0100 @@ -1,3 +1,18 @@ +gsoap (2.8.17-1+deb8u2) jessie; urgency=medium + + * Fix for CVE-2019-7659 +Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a +denial of service (application abort) or possibly have unspecified other +impact if a server application is built with the -DWITH_COOKIES flag. This +affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ +libraries, as these are built with that flag. + * Fix issue with DIME protocol receiver and malformed DIME headers +This patch addresses a critical issue with the DIME protocol receiver that +may cause the receiver to become unresponsive when a malformed DIME +protocol message is received. -- https://www.genivia.com/advisory.html + + -- Mattias Ellert Thu, 14 Feb 2019 16:59:28 +0100 + gsoap (2.8.17-1+deb8u1) jessie; urgency=medium * Fix for CVE-2017-9765 diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch --- gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 2019-02-14 11:32:59.0 +0100 @@ -0,0 +1,50 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +--- gsoap-2.8.orig/gsoap/stdsoap2.c 2019-01-18 15:22:36.285318129 +0100 gsoap-2.8/gsoap/stdsoap2.c 2019-01-18 15:26:44.648630944 +0100 +@@ -6199,11 +6199,12 @@ + /**/ + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++int + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) + { register int c; +- register size_t n = len; ++ register int n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp +--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2019-01-18 15:22:36.353317393 +0100 gsoap-2.8/gsoap/stdsoap2.cpp 2019-01-18 15:26:44.648630944 +0100 +@@ -6199,11 +6199,12 @@ + /**