| Summary: | gsoap new security issues CVE-2020-1357[4-8] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO MGA8-64-OK MGA7-64-OK | | |
| Source RPM: | gsoap-2.8.104-1.mga8.src.rpm | CVE: | CVE-2020-1357[4-8] |
| Status comment: | | | |
Description
David Walser
2021-05-29 18:42:28 CEST

David Walser
2021-05-29 18:42:41 CEST
Status comment: (none) => Patches available from Fedora

Uncertain maintainers, so assigning globally. CC'ing DavidG who has touched this SRPM relatively recently.
CC: (none) => geiger.david68210

Done for Cauldron, mga8 and mga7!

RPMS:
gsoap-2.8.67-2.1.mga7
gsoap-source-2.8.67-2.1.mga7
libgsoap-devel-2.8.104-1.1.mga8
libgsoap2.8.104-2.8.104-1.1.mga8
gsoap-doc-2.8.104-1.1.mga8
gsoap-source-2.8.104-1.1.mga8

from SRPMS:
gsoap-2.8.67-2.1.mga7.src.rpm
gsoap-2.8.104-1.1.mga8.src.rpm
Status comment: Patches available from Fedora => (none)

Tackled mga8 first.

Looked back for previous updates, and found just 3 bugs that referenced gsoap other than this one. I found Herman Viaene's test in Bug 21298 to be particularly compelling: "No installation issues. System didn't topple over after installation: OK." This update passed that test perfectly.

I found another test in Bug 22963 and tried that:

$ wsdl2h -s -o calc.h http://www.cs.fsu.edu/~engelen/calc.wsdl
Saving calc.h
** The gSOAP WSDL/WADL/XSD processor for C and C++, wsdl2h release 2.8.104
** Copyright (C) 2000-2020 Robert van Engelen, Genivia Inc.
** All Rights Reserved. This product is provided "as is", without any warranty.
** The wsdl2h tool and its generated software are released under the GPL.
** ----------------------------------------------------------------------------
** A commercial use license is available from Genivia Inc., contact@genivia.com
** ----------------------------------------------------------------------------

Reading type definitions from type map "/usr/share/gsoap/WS/typemap.dat"
Connecting to 'http://www.cs.fsu.edu/~engelen/calc.wsdl' to retrieve WSDL/WADL or XSD... connected, receiving...
Done reading 'http://www.cs.fsu.edu/~engelen/calc.wsdl'

To finalize code generation, execute:
> soapcpp2 calc.h
Or to generate C++ proxy and service classes:
> soapcpp2 -j calc.h

$ soapcpp2 -CL -I/path/to/gsoap/import calc.h
** The gSOAP code generator for C and C++, soapcpp2 release 2.8.104
** Copyright (C) 2000-2020, Robert van Engelen, Genivia Inc.
** All Rights Reserved. This product is provided "as is", without any warranty.
** The soapcpp2 tool and its generated software are released under the GPL.
** ----------------------------------------------------------------------------
** A commercial use license is available from Genivia Inc., contact@genivia.com
** ----------------------------------------------------------------------------

Saving soapStub.h annotated copy of the source interface header file
Saving soapH.h serialization functions to #include in projects
Using ns2 service name: calc
Using ns2 service style: document
Using ns2 service encoding: literal
Using ns2 service location: http://websrv.cs.fsu.edu/~engelen/calcserver.cgi
Using ns2 schema namespace: urn:calc
Saving calc.add.req.xml sample SOAP/XML request
Saving calc.add.res.xml sample SOAP/XML response
Saving calc.sub.req.xml sample SOAP/XML request
Saving calc.sub.res.xml sample SOAP/XML response
Saving calc.mul.req.xml sample SOAP/XML request
Saving calc.mul.res.xml sample SOAP/XML response
Saving calc.div.req.xml sample SOAP/XML request
Saving calc.div.res.xml sample SOAP/XML response
Saving calc.pow.req.xml sample SOAP/XML request
Saving calc.pow.res.xml sample SOAP/XML response
Saving calc.nsmap namespace mapping table
Saving soapClient.cpp client call stub functions
Saving soapC.cpp serialization functions

Compilation successful

Appears to be OK for mga8.
CC: (none) => andrewsfarm

Tackled mga7 next. Same 2 tests, same results. OK for mga7. Validating.
Keywords: (none) => validated_update

Advisory:
========================

Updated gsoap packages fix security vulnerabilities

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability (CVE-2020-13574).

A denial-of-service vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability (CVE-2020-13575).

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability (CVE-2020-13576).

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability (CVE-2020-13577).

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability (CVE-2020-13578).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29015
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13574
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13575
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13576
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13577
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13578
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SMTJ3SJJ22SFLBLPKFADV7NVBH7UFA23/
========================

Updated packages in 7/core/updates_testing:
========================
gsoap-2.8.67-2.1.mga7
gsoap-source-2.8.67-2.1.mga7

from SRPM:
gsoap-2.8.67-2.1.mga7.src.rpm

========================

Updated packages in 8/core/updates_testing:
========================
lib(64)gsoap-devel-2.8.104-1.1.mga8
lib(64)gsoap2.8.104-2.8.104-1.1.mga8
gsoap-doc-2.8.104-1.1.mga8
gsoap-source-2.8.104-1.1.mga8
gsoap-2.8.104-1.1.mga8.src.rpm

from SRPM:
gsoap-2.8.104-1.1.mga8.src.rpm
CVE: (none) => CVE-2020-1357[4-8]

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0263.html
Status: NEW => RESOLVED
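Note that the fix does not change the upstream gsoap version on either release (2.8.67 on mga7, 2.8.104 on mga8); only the RPM release field is bumped (2.mga7 to 2.1.mga7, 1.mga8 to 1.1.mga8). A check that looks at the version alone, or that compares strings lexically (where "1.1.mga8" sorts below "1.mga8" and "2.8.104" below "2.8.67"), will therefore misjudge whether a host is patched. The script below is an added example, not part of this bug report or of Mageia's tooling: it reimplements the segment rules of librpm's rpmvercmp() in Python and compares an installed epoch:version-release string, as printed by `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' gsoap`, against the fixed EVRs listed in the advisory. The fixed EVRs are taken from the advisory; the installed values in the sample run are constructed.

```python
"""Check whether an installed gsoap package carries the Mageia fix for
CVE-2020-13574 through CVE-2020-13578 (MGASA-2021-0263).

Added example, not part of the bug report or of Mageia's tooling.  Only the
fixed version-release strings come from the advisory; the installed values in
the sample run are constructed.  rpmvercmp() below mirrors librpm's rpmvercmp():
alphanumeric segments are compared one by one, separators are ignored, a
numeric segment beats an alphabetic one, '~' sorts before anything (pre-release)
and '^' sorts after the end of the string but before any further segment.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed EVRs from the advisory (epoch 0: the gsoap package carries no epoch).
FIXED_EVR: Dict[str, str] = {
    "mga7": "2.8.67-2.1.mga7",
    "mga8": "2.8.104-1.1.mga8",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = j = 0
    while True:
        ta: Optional[str] = sa[i] if i < len(sa) else None
        tb: Optional[str] = sb[j] if j < len(sb) else None
        # '~': the side carrying it is older, even against end of string.
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^': newer than end of string, older than any other segment.
        if ta == "^" or tb == "^":
            if ta is None:
                return -1
            if tb is None:
                return 1
            if ta != "^":
                return 1
            if tb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ta is None or tb is None:
            break
        if ta.isdigit():
            if not tb.isdigit():
                return 1  # numeric segment is newer than an alphabetic one
            if int(ta) != int(tb):  # leading zeros are insignificant
                return 1 if int(ta) > int(tb) else -1
        else:
            if tb.isdigit():
                return -1
            if ta != tb:
                return 1 if ta > tb else -1
        i, j = i + 1, j + 1
    if ta is None and tb is None:
        return 0
    return -1 if ta is None else 1  # whichever side has segments left wins


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'.  The epoch is optional; rpm prints
    '(none)' for an unset epoch when queried with --qf '%{EPOCH}'."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e not in ("", "(none)"):
            epoch = int(e)
    version, sep, release = evr.rpartition("-")
    if not sep:
        version, release = release, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr: str, mageia_release: str) -> bool:
    """True if the installed gsoap EVR is at or above the advisory's fixed EVR."""
    return evrcmp(installed_evr, FIXED_EVR[mageia_release]) >= 0


if __name__ == "__main__":
    # Constructed samples of what
    #   rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' gsoap
    # prints on an unpatched and on a patched host of each release.
    samples = [
        ("mga8", "(none):2.8.104-1.mga8"),
        ("mga8", "(none):2.8.104-1.1.mga8"),
        ("mga7", "(none):2.8.67-2.mga7"),
        ("mga7", "(none):2.8.67-2.1.mga7"),
    ]
    for rel, evr in samples:
        state = "fixed" if is_fixed(evr, rel) else "VULNERABLE, apply the update"
        print(f"{rel} gsoap {evr}: {state}")
```

The same comparison applies to the lib(64)gsoap2.8.104 runtime package, which is what a deployed SOAP service actually links against; query that package name rather than the gsoap tools package when auditing a server.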