Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2
On Wed, Feb 13, 2019 at 03:34:50PM +0100, Nicolas Braud-Santoni wrote: > I assume I can't just dput this, as it already exists in stable-new. > Could you reject the existing package first, and I will reupload? Uploaded a new revision at the request of jcristau. signature.asc Description: PGP signature
Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
Control: tags -1 + moreinfo On 2019-02-15 10:12, Mattias Ellert wrote: This is a proposal to fix CVE-2019-7659 in stretch. The update also addresses one additional advisory published by the upstream developers. +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) If soap_encode_url is a public symbol, that's an ABI break - int and size_t may well not be the same size, but they're definitely different signedness. Regards, Adam
Processed: Re: Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
Processing control commands: > tags -1 + moreinfo Bug #922385 [release.debian.org] stretch-pu: package gsoap/2.8.35-4+deb9u2 Added tag(s) moreinfo. -- 922385: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922385 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#922384: marked as done (jessie-pu: package gsoap/2.8.17-1+deb8u2)
Your message dated Fri, 15 Feb 2019 10:33:12 + with message-id <940b78f9e6f926880c3d3418eeebf...@mail.adam-barratt.org.uk> and subject line Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2 has caused the Debian Bug report #922384, regarding jessie-pu: package gsoap/2.8.17-1+deb8u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 922384: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922384 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu This is a proposal to fix CVE-2019-7659 in jessie. The update also addresses one additional advisory published by the upstream developers. debdiff is attached. gsoap (2.8.17-1+deb8u2) jessie; urgency=medium * Fix for CVE-2019-7659 Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a denial of service (application abort) or possibly have unspecified other impact if a server application is built with the -DWITH_COOKIES flag. This affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ libraries, as these are built with that flag. * Fix issue with DIME protocol receiver and malformed DIME headers This patch addresses a critical issue with the DIME protocol receiver that may cause the receiver to become unresponsive when a malformed DIME protocol message is received. -- https://www.genivia.com/advisory.html Mattias Ellert diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog --- gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200 +++ gsoap-2.8.17/debian/changelog 2019-02-14 16:59:28.0 +0100 @@ -1,3 +1,18 @@ +gsoap (2.8.17-1+deb8u2) jessie; urgency=medium + + * Fix for CVE-2019-7659 +Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a +denial of service (application abort) or possibly have unspecified other +impact if a server application is built with the -DWITH_COOKIES flag. This +affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ +libraries, as these are built with that flag. + * Fix issue with DIME protocol receiver and malformed DIME headers +This patch addresses a critical issue with the DIME protocol receiver that +may cause the receiver to become unresponsive when a malformed DIME +protocol message is received. -- https://www.genivia.com/advisory.html + + -- Mattias Ellert Thu, 14 Feb 2019 16:59:28 +0100 + gsoap (2.8.17-1+deb8u1) jessie; urgency=medium * Fix for CVE-2017-9765 diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch --- gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 2019-02-14 11:32:59.0 +0100 @@ -0,0 +1,50 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +--- gsoap-2.8.orig/gsoap/stdsoap2.c 2019-01-18 15:22:36.285318129 +0100 gsoap-2.8/gsoap/stdsoap2.c 2019-01-18 15:26:44.648630944 +0100 +@@ -6199,11 +6199,12 @@ + /**/ + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++int + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) + { register int c; +- register size_t n = len; ++ register int n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp +--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2019-01-18 15:22:36.353317393 +0100 gsoap-2.8/gsoap/stdsoap2.cpp 2019-01-18 15:26:44.648630944 +0100 +@@ -6199,11 +6199,12 @@ + /**/ + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++int + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) + { register int c; +- register size_t n = len; ++ register int n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.h gsoap-2.8/gsoap/stdsoap2.h +--- gsoap-2.8.orig/gsoap/stdsoap2.h 2019-01-18 15:22:36.256318443 +0100 gsoap-2.8/gsoap/stdsoap2.h 2019-01-18 15:25:20.408542687 +0100 +@@ -2747,7 +2747,7 @@ +
Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu This is a proposal to fix CVE-2019-7659 in stretch. The update also addresses one additional advisory published by the upstream developers. debdiff is attached. gsoap (2.8.35-4+deb9u2) stretch; urgency=medium * Fix for CVE-2019-7659 Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a denial of service (application abort) or possibly have unspecified other impact if a server application is built with the -DWITH_COOKIES flag. This affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ libraries, as these are built with that flag. * Fix issue with DIME protocol receiver and malformed DIME headers This patch addresses a critical issue with the DIME protocol receiver that may cause the receiver to become unresponsive when a malformed DIME protocol message is received. -- https://www.genivia.com/advisory.html Mattias Ellert diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog --- gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.0 +0200 +++ gsoap-2.8.35/debian/changelog 2019-02-14 17:12:12.0 +0100 @@ -1,3 +1,18 @@ +gsoap (2.8.35-4+deb9u2) stretch; urgency=medium + + * Fix for CVE-2019-7659 +Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a +denial of service (application abort) or possibly have unspecified other +impact if a server application is built with the -DWITH_COOKIES flag. This +affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ +libraries, as these are built with that flag. + * Fix issue with DIME protocol receiver and malformed DIME headers +This patch addresses a critical issue with the DIME protocol receiver that +may cause the receiver to become unresponsive when a malformed DIME +protocol message is received. -- https://www.genivia.com/advisory.html + + -- Mattias Ellert Thu, 14 Feb 2019 17:12:12 +0100 + gsoap (2.8.35-4+deb9u1) stretch; urgency=medium * Fix for CVE-2017-9765 diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch --- gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch 2019-02-14 17:12:12.0 +0100 @@ -0,0 +1,50 @@ +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.c gsoap-2.8.35/gsoap/stdsoap2.c +--- gsoap-2.8.35.orig/gsoap/stdsoap2.c 2016-09-18 10:56:10.0 +0200 gsoap-2.8.35/gsoap/stdsoap2.c 2019-02-13 17:21:44.18800 +0100 +@@ -7037,11 +7037,12 @@ + + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++int + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) + { int c; +- size_t n = len; ++ int n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.cpp gsoap-2.8.35/gsoap/stdsoap2.cpp +--- gsoap-2.8.35.orig/gsoap/stdsoap2.cpp 2016-09-18 10:56:10.0 +0200 gsoap-2.8.35/gsoap/stdsoap2.cpp 2019-02-13 17:21:44.18800 +0100 +@@ -7037,11 +7037,12 @@ + + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++int + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) + { int c; +- size_t n = len; ++ int n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.h gsoap-2.8.35/gsoap/stdsoap2.h +--- gsoap-2.8.35.orig/gsoap/stdsoap2.h 2016-09-18 10:56:10.0 +0200 gsoap-2.8.35/gsoap/stdsoap2.h 2019-02-13 17:19:31.08800 +0100 +@@ -3380,7 +3380,7 @@ + SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url(struct soap *soap, const char*, const char*); + SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url_query(struct soap *soap, const char*, const char*); + SOAP_FMAC1 void SOAP_FMAC2 soap_url_query(struct soap *soap, const char*, const char*); +-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t); ++SOAP_FMAC1 int SOAP_FMAC2 soap_encode_url(const char*, char*, int); + SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*); + #ifdef WITH_COOKIES + SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val); diff -Nru gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch --- gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch 2019-02-13 17:12:41.0 +0100 @@ -0,0 +1,22 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +---
Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu This is a proposal to fix CVE-2019-7659 in jessie. The update also addresses one additional advisory published by the upstream developers. debdiff is attached. gsoap (2.8.17-1+deb8u2) jessie; urgency=medium * Fix for CVE-2019-7659 Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a denial of service (application abort) or possibly have unspecified other impact if a server application is built with the -DWITH_COOKIES flag. This affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ libraries, as these are built with that flag. * Fix issue with DIME protocol receiver and malformed DIME headers This patch addresses a critical issue with the DIME protocol receiver that may cause the receiver to become unresponsive when a malformed DIME protocol message is received. -- https://www.genivia.com/advisory.html Mattias Ellert diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog --- gsoap-2.8.17/debian/changelog 2017-08-16 11:30:40.0 +0200 +++ gsoap-2.8.17/debian/changelog 2019-02-14 16:59:28.0 +0100 @@ -1,3 +1,18 @@ +gsoap (2.8.17-1+deb8u2) jessie; urgency=medium + + * Fix for CVE-2019-7659 +Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a +denial of service (application abort) or possibly have unspecified other +impact if a server application is built with the -DWITH_COOKIES flag. This +affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ +libraries, as these are built with that flag. + * Fix issue with DIME protocol receiver and malformed DIME headers +This patch addresses a critical issue with the DIME protocol receiver that +may cause the receiver to become unresponsive when a malformed DIME +protocol message is received. -- https://www.genivia.com/advisory.html + + -- Mattias Ellert Thu, 14 Feb 2019 16:59:28 +0100 + gsoap (2.8.17-1+deb8u1) jessie; urgency=medium * Fix for CVE-2017-9765 diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch --- gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch 2019-02-14 11:32:59.0 +0100 @@ -0,0 +1,50 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +--- gsoap-2.8.orig/gsoap/stdsoap2.c 2019-01-18 15:22:36.285318129 +0100 gsoap-2.8/gsoap/stdsoap2.c 2019-01-18 15:26:44.648630944 +0100 +@@ -6199,11 +6199,12 @@ + /**/ + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++int + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) + { register int c; +- register size_t n = len; ++ register int n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp +--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2019-01-18 15:22:36.353317393 +0100 gsoap-2.8/gsoap/stdsoap2.cpp 2019-01-18 15:26:44.648630944 +0100 +@@ -6199,11 +6199,12 @@ + /**/ + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++int + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) + { register int c; +- register size_t n = len; ++ register int n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.h gsoap-2.8/gsoap/stdsoap2.h +--- gsoap-2.8.orig/gsoap/stdsoap2.h 2019-01-18 15:22:36.256318443 +0100 gsoap-2.8/gsoap/stdsoap2.h 2019-01-18 15:25:20.408542687 +0100 +@@ -2747,7 +2747,7 @@ + SOAP_FMAC1 void SOAP_FMAC2 soap_clr_attr(struct soap *soap); + + SOAP_FMAC1 const char* SOAP_FMAC2 soap_url(struct soap *soap, const char*, const char*); +-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t); ++SOAP_FMAC1 int SOAP_FMAC2 soap_encode_url(const char*, char*, int); + SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*); + #ifdef WITH_COOKIES + SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val); diff -Nru gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch --- gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch 1970-01-01 01:00:00.0 +0100 +++ gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch 2019-02-14 11:33:00.0 +0100 @@ -0,0 +1,22 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c