Bug 21298 - gsoap new security issue CVE-2017-9765
Summary: gsoap new security issue CVE-2017-9765
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5TOO MGA5-32-OK MGA5-64-O...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-07-20 02:39 CEST by David Walser
Modified: 2017-07-26 00:08 CEST

See Also:
Source RPM: gsoap-2.8.33-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-07-20 02:39:09 CEST
A security issue in gsoap has been reported:
http://openwall.com/lists/oss-security/2017/07/19/7

There is apparently a fix upstream.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-07-20 02:39:23 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Angelo Naselli 2017-07-20 09:06:32 CEST

CC: (none) => anaselli

Comment 1 Angelo Naselli 2017-07-20 09:10:05 CEST
Can we update to the latest version eventually? I should find the time tonight... then I'm going on holiday...
Comment 2 David Walser 2017-07-20 12:07:38 CEST
To fix this I think we need to update to the latest version *and* pull patches from upstream SVN (as I think I read that they haven't yet made a release with the fixes).
Comment 3 Angelo Naselli 2017-07-20 17:06:39 CEST
gsoap_2.8.49.zip was released on the 11th of July, and seems to be after the r119 commit
Comment 4 Angelo Naselli 2017-07-20 19:19:59 CEST
Latest changelog says:
Version 2.8.49 (07/10/2017) {#latest}
---

- Improved JSON API to compile with XML data bindings, see updated JSON API documentation on "Compiling XML-RPC/JSON together with gSOAP XML data binding code"
- Improved white space handling of built-in XSD types that have "replace" and "collapse" white space properties. Further, types derived from these built-in XSD types will now inherit the white space "replace" or "collapse" property, meaning that white space of inbound strings are normalized (`xsd__anyURI`, `xsd__language` `xsd__ENTITY`, `xsd__ENTITIES`, `xsd__ID`, `xsd__IDREF`, `xsd__IDREFS`, `xsd__Name`, `xsd__NCName`, `xsd__NMTOKEN`, `xsd__NMTOKENS`, `xsd__normalizedString`, `xsd__token`, etc).
- Fixed a memory leak in the deserializer of `std::vector<xsd__anyType>` (and dynamic arrays of `xsd__anyType`) where `xsd__anyType` is a DOM node imported with `#import "dom.h"`.
- Fixed WSSE plugin recanonicalization of inclusive C14N SignedInfo.
- Fixes for minor issues, improvements.
Comment 5 David Walser 2017-07-21 04:29:33 CEST
Oh good, so hopefully we can just update it.
Comment 6 Angelo Naselli 2017-07-21 19:53:03 CEST
I committed it in Cauldron, but I cannot do anything else for now; I'm going on holiday, sorry.
Comment 7 Marja Van Waes 2017-07-21 20:50:27 CEST
(In reply to Angelo Naselli from comment #6)
> I committed it in Cauldron, but I cannot do anything else for now; I'm going
> on holiday, sorry.

No problem, assigning to all packagers collectively, then.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 8 David Walser 2017-07-22 00:27:11 CEST
gsoap-2.8.49-1.mga7 uploaded for Cauldron.

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Comment 9 David Walser 2017-07-22 23:36:30 CEST
Updated packages uploaded for Mageia 5 and Mageia 6.

Advisory:
========================

Updated gsoap packages fix security vulnerability:

A potential vulnerability to a large and specific XML message over 2GB in size
(greater than 2147483711 bytes to trigger the software bug). A buffer overflow
can cause an open unsecured server to crash or malfunction after 2GB is
received (CVE-2017-9765).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9765
http://openwall.com/lists/oss-security/2017/07/19/7
========================

Updated packages in core/updates_testing:
========================
gsoap-2.8.49-1.mga5
gsoap-source-2.8.49-1.mga5
gsoap-2.8.49-1.mga6
gsoap-source-2.8.49-1.mga6

from SRPMS:
gsoap-2.8.49-1.mga5.src.rpm
gsoap-2.8.49-1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 10 Len Lawrence 2017-07-24 01:22:53 CEST
Not on the mga6 mirrors yet?
mga5 has them.

CC: (none) => tarazed25

Comment 11 Len Lawrence 2017-07-24 01:33:30 CEST
gSOAP is a toolkit used in the development of SOAP web services and clients.  It provides a binding for C++ from SOAP applications.  I have not been able to find examples so we shall have to label this as too obscure to test and simply install it.  If anyone has any other ideas please speak up.

Claire's idea about differencing the sources to confirm that the patch(es) is/are in place might be considered.

For the time being just updating the two packages from 2.8.18-3 to 2.8.49-1.

mga5  
Clean install on x86_64 real hardware.
Rémi Verschelde 2017-07-24 14:51:10 CEST

Summary: gosap new security issue CVE-2017-9765 => gsoap new security issue CVE-2017-9765

Comment 12 Herman Viaene 2017-07-24 15:53:27 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
System didn't topple over after installation: OK.

There are examples of its use in the tutorial at https://www.genivia.com/examples/calc/index.html, but that's out of my league.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 13 Len Lawrence 2017-07-24 17:50:10 CEST
Re comment 12.
Quite right Herman; we are not in the business of building applications to test development libraries.  Code snippets we can cope with, if we know the language, but webkits and server applications are out of scope.
Comment 14 Lewis Smith 2017-07-25 10:01:24 CEST
Trying M5 x64

No previous updates for this. Installed from current repos:
 gsoap-2.8.18-3.mga5
 gsoap-source-2.8.18-3.mga5

Via MCC-Update system, from Updates Testing updated these to:
 gsoap-2.8.49-1.mga5
 gsoap-source-2.8.49-1.mga5
No problems en route. In the light of earlier comments, OKing this.

Need to do similarly for Mageia 6 x64.

CC: (none) => lewyssmith
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK advisory MGA5-64-OK
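
The before/after version check done by hand in comment 14 can be scripted. This is an added example, not part of the original bug thread or of Mageia's tooling: the 2.8.49 threshold is taken from the advisory in comment 9, while the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify gsoap builds against the fixed version named in
# the advisory on this page. Input lines use the name-version-release form
# printed by `rpm -q`. Function names are hypothetical.

FIXED_VERSION="2.8.49"   # fixed build per the advisory in comment 9

# Print the version field of a name-version-release string. The name may
# itself contain hyphens (gsoap-source), so fields are stripped from the right.
nvr_version() {
    nv=${1%-*}                  # drop "-release" (e.g. "-1.mga6")
    printf '%s\n' "${nv##*-}"   # keep what follows the last remaining hyphen
}

# Succeed when version $1 >= version $2, using GNU sort -V ordering
# so that 2.8.100 sorts after 2.8.49.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Read package lines on stdin; print "<line>: fixed|needs-update|skipped".
classify_gsoap() {
    while IFS= read -r line; do
        case $line in
            gsoap-[0-9]*|gsoap-source-[0-9]*)
                if version_ge "$(nvr_version "$line")" "$FIXED_VERSION"; then
                    printf '%s: fixed\n' "$line"
                else
                    printf '%s: needs-update\n' "$line"
                fi ;;
            *)  # anything else, e.g. rpm's "package ... is not installed"
                printf '%s: skipped\n' "$line" ;;
        esac
    done
}

# Constructed sample input built from the package names quoted in this thread.
sample_input() {
    cat <<'EOF'
gsoap-2.8.18-3.mga5
gsoap-source-2.8.18-3.mga5
gsoap-2.8.49-1.mga6
package gsoap-source is not installed
EOF
}

sample_input | classify_gsoap
```

On an installed system the same function can be fed from `rpm -q gsoap gsoap-source | classify_gsoap`, which records the before and after versions during update testing.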

Comment 15 Lewis Smith 2017-07-25 21:02:59 CEST
(In reply to Len Lawrence from comment #10)
> Not on the mga6 mirrors yet?
> mga5 has them.
I cannot find these pkgs for Mageia 6 either.
Comment 16 Rémi Verschelde 2017-07-25 21:37:10 CEST
(In reply to Lewis Smith from comment #15)
> (In reply to Len Lawrence from comment #10)
> > Not on the mga6 mirrors yet?
> > mga5 has them.
> I cannot find these pkgs for Mageia 6 either.

I see them on e.g. ftp.free.fr: http://ftp.free.fr/mirrors/mageia.org/distrib/6/x86_64/media/core/updates_testing/

It could be that you are both using mirrors which are slightly out of date (ftp.free.fr itself only got properly updated a few hours ago).

I do the same test as in comment 14 on Mageia 6 x86_64, works fine.

Whiteboard: MGA5TOO MGA5-32-OK advisory MGA5-64-OK => advisory MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK

Comment 17 Lewis Smith 2017-07-25 21:56:15 CEST
Many thanks Rémi. I take it you did a 'clean update'; before & after versions would have been nice (for the future, not here).

My normal mirror is 'coffee', well reputed. I wonder whether my problem is the following path:
 /etc/urpmi/mediacfg.d/Devel-6-x86_64/media.cfg
                      ~~~~~~~~~~~~~~~
/etc/urpmi/mediacfg.d/ has no other sub-directory. The file has, however:
 [media_info]
 version=6
 mediacfg_version=2
 branch=Official
 ...
 [core/release]
 hdlist=hdlist_core_release.cz
 media_type=official:free:release
 ...

and /etc/product.id
vendor=Mageia.Org,distribution=Mageia,type=Basic,version=6,branch=Official,release=6,arch=x86_64,product=Default

As we are heavily burdened, I am validating this. Advisory already done.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 18 Mageia Robot 2017-07-26 00:08:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0221.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

