Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
This is a proposal to fix CVE-2017-9765 in stretch. debdiff is attached. Mattias Ellert
diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog --- gsoap-2.8.35/debian/changelog 2016-12-06 09:32:36.000000000 +0100 +++ gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.000000000 +0200 @@ -1,3 +1,9 @@ +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium + + * Fix for CVE-2017-9765 (Closes: xxxx) + + -- Mattias Ellert <mattias.ell...@physics.uu.se> Wed, 16 Aug 2017 11:58:11 +0200 + gsoap (2.8.35-4) unstable; urgency=medium * Rebuild for OpenSSL 1.1.0 diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch --- gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch 1970-01-01 01:00:00.000000000 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch 2017-08-16 11:54:02.000000000 +0200 @@ -0,0 +1,54 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +--- gsoap-2.8.orig/gsoap/stdsoap2.c 2016-04-03 03:33:31.000000000 +0200 ++++ gsoap-2.8/gsoap/stdsoap2.c 2017-08-01 14:51:44.141083499 +0200 +@@ -1711,17 +1711,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + char *s = buf; +- int i = sizeof(buf); +- soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ size_t i = sizeof(buf); ++ soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +- c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI <?%s?>\n", buf)); +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp +--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2016-04-03 03:33:31.000000000 +0200 ++++ gsoap-2.8/gsoap/stdsoap2.cpp 2017-08-01 14:51:44.143083498 +0200 +@@ -1711,17 +1711,16 @@ + soap_get_pi(struct soap *soap) + { char buf[64]; + char *s = buf; +- int i = sizeof(buf); +- soap_wchar c = soap_getchar(soap); +- /* This is a quick way to parse XML PI and we could use a callback instead to +- * enable applications to intercept processing instructions */ +- while ((int)c != EOF && c != '?') +- { if (--i > 0) ++ size_t i = sizeof(buf); ++ soap_wchar c; ++ /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */ ++ while ((int)(c = soap_getchar(soap)) != EOF && c != '?') ++ { if (i > 1) + { if (soap_blank(c)) + c = ' '; + *s++ = (char)c; ++ i--; + } +- c = soap_getchar(soap); + } + *s = '\0'; + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI <?%s?>\n", buf)); diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series --- gsoap-2.8.35/debian/patches/series 2016-09-26 14:49:01.000000000 +0200 +++ gsoap-2.8.35/debian/patches/series 2017-08-16 11:57:36.000000000 +0200 @@ -10,3 +10,6 @@ # Backport fix from upstream gsoap-backport.patch + +# CVE-2017-9765 +gsoap-CVE-2017-9765.patch
signature.asc
Description: This is a digitally signed message part