[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Devil's Ivy (CVE-2017-9765) in gSOAP 2.7 up to 2.8.47
From: Andreas Stieger <astieger () suse ! com>
Date: 2017-07-19 21:43:59
Message-ID: 1c012c33-5b6e-0b1d-f12e-1efdeb2bab4a () suse ! com
[Download RAW message or body]
[Attachment #2 (multipart/mixed)]
Hello,
On 07/19/2017 10:44 PM, Alan Coopersmith wrote:
> I noticed some press coverage of this but haven't seen mail here yet:
>
> http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions
>
> https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_(June_21,_2017)
>
> https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017)
>
> "a potential vulnerability to a large and specific XML message over
> 2GB in size
> (greater than 2147483711 bytes to trigger the software bug). A buffer
> overflow
> can cause an open unsecured server to crash or malfunction after 2GB is
> received."
>
> Unfortunately, the subversion repo on sourceforge for gSOAP only has
> full releases, not individual changes, in each commit, so the fix
> appears to be somewhere mixed in [r119] on
> https://sourceforge.net/p/gsoap2/code/commit_browser
> making it a challenge for distros who want to patch instead of upgrade.
>
Or just ask them, see https://bugzilla.suse.com/show_bug.cgi?id=1049348
Andreas
--
Andreas Stieger <astieger@suse.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic