Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 625638 (CVE-2017-9765) - <net-libs/gsoap-2.8.50: Stack-based buffer overflow when receieving XML message with size larger than 2GB
Summary: <net-libs/gsoap-2.8.50: Stack-based buffer overflow when receieving XML messa...
Status: RESOLVED FIXED
Alias: CVE-2017-9765
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-19 13:26 UTC by Agostino Sarubbo
Modified: 2018-01-20 16:33 UTC (History)
2 users (show)

See Also:
Package list:
=net-libs/gsoap-2.8.51
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-07-19 13:26:00 UTC 
From ${URL} :

A buffer overflow can cause an open unsecured server to crash after 2GB (greater than 2147483711 bytes to trigger the software bug)) XML message is received. Fortunately, the overflowing data after 2GB 
is cleaned up in the buffer which means that the chances of exploiting this flaw (by injecting code) is significantly reduced in gSOAP versions affected.

References:

https://www.genivia.com/advisory.html


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-08-21 08:04:21 UTC 
Arches please test and mark stable =net-libs/gsoap-2.8.51 with target KEYWORDS:

amd64 x86
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-09-02 17:20:04 UTC 
amd64/x86 stable

@maintainer(s), please cleanup the vulnerable versions.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-09-24 21:08:48 UTC 
@maintainer, please clean.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-09-24 23:18:18 UTC 
GLSA Vote: No
Maintainer(s), please drop the vulnerable version(s).
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 16:33:12 UTC 
Tree is clean.