Bug 1049348 (CVE-2017-9765) - VUL-0: CVE-2017-9765: gsoap stack buffer overflow vulnerability could lead to remote execution
Status: RESOLVED FIXED
Alias: CVE-2017-9765
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/188725/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-19 09:17 UTC by Victor Pereira
Modified: 2018-02-08 10:40 UTC (History)
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2017-9765.patch (1.87 KB, patch)
2017-07-19 18:06 UTC, Andreas Stieger

Description Victor Pereira 2017-07-19 09:17:36 UTC
CVE-2017-9765

Download gSOAP 2.8.48 (released June 21), or greater, to fix a potential vulnerability to a large and specific XML message over 2GB in size (greater than 2147483711 bytes to trigger the software bug). A buffer overflow can cause an open unsecured server to crash after 2GB is received. Fortunately, the overflowing data after 2GB is cleaned up in the buffer which means that the chances of exploiting this flaw (by injecting code) are significantly reduced in gSOAP versions affected.
Update: services developed with our Apache module for gSOAP with the LimitRequestBody set in .htaccess or httpd.conf to any non-zero value (a common configuration that avoids DDoS attacks) by default, should prevent this vulnerability from occurring: the size of the HTTP message body uploaded is limited to 2GB max in Apache with gSOAP. The Apache or IIS deployment of gSOAP with our bundled Apache and ISAPI modules is preferred and recommended in the gSOAP documentation since 2002. Therefore, we expect that most gSOAP services run this Apache configuration or use IIS. If not, this is a strong reminder to do so and test the server configuration settings. Also, clients communicating with trusted and authenticated HTTPS servers are likely not affected, but updating is recommended.
If upgrading to the latest gSOAP versions is not possible and you have a technical support and maintenance contract then please check the list of updated releases or submit a ticket to receive a patch. The patch consists of two lines of source code to change and will not affect the functioning or performance of the gSOAP software.

References:
https://www.genivia.com/advisory.html
http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9765
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9765.html
Comment 1 Bernhard Wiedemann 2017-07-19 10:01:07 UTC
This is an autogenerated message for OBS integration:
This bug (1049348) was mentioned in
https://build.opensuse.org/request/show/511364 42.3 / gsoap
Comment 2 Bernhard Wiedemann 2017-07-19 12:01:38 UTC
This is an autogenerated message for OBS integration:
This bug (1049348) was mentioned in
https://build.opensuse.org/request/show/511384 42.2 / gsoap
Comment 3 Andreas Stieger 2017-07-19 12:34:57 UTC
To patch older gSOAP versions before 2.8.48, update function soap_get_pi() in stdsoap2.c and stdsoap2.cpp by replacing the lines up to the DBGLOG statement with the following:

soap_get_pi(struct soap *soap)
{ char buf[64];
  char *s = buf;
  size_t i = sizeof(buf);   /* bytes of room left in buf, counted down */
  soap_wchar c;
  /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */
  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
  { if (i > 1)              /* store only while room for the terminator remains */
    { if (soap_blank(c))
        c = ' ';
      *s++ = (char)c;
      i--;                  /* decremented only when a byte is actually stored */
    }
  }
  *s = '\0';
  /* ... the DBGLOG statement and the rest of the function follow unchanged */
Comment 4 Andreas Stieger 2017-07-19 14:51:18 UTC
Jan, we would prefer it if you would patch the function as per the code above. Would that be possible?
Comment 5 Jan Engelhardt 2017-07-19 15:27:56 UTC
Feel free.
Comment 6 Bernhard Wiedemann 2017-07-19 16:00:56 UTC
This is an autogenerated message for OBS integration:
This bug (1049348) was mentioned in
https://build.opensuse.org/request/show/511438 42.3 / gsoap
Comment 7 Andreas Stieger 2017-07-19 18:06:32 UTC
Created attachment 733005 [details]
CVE-2017-9765.patch

https://build.opensuse.org/request/show/511467
Comment 8 Andreas Stieger 2017-07-19 18:07:20 UTC
Submitted backport, Jan please review
Comment 9 Jan Engelhardt 2017-07-19 19:42:34 UTC
Seems ok. (Just the cause seems a bit underanalyzed, though that's not for openSUSE to worry: If I read the code right, undefined behavior can already be triggered with just ~64/65 bytes — rather than 2G — since 'i' starts out with value 64 and underflows after that many iterations, causing 's' to go past &buf[64].)
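Added example (not gSOAP code and not part of this bug report): a small C model of the bounded copy in comment 3 and of the counter underflow comment 9 describes. The names pi_stream, pi_getchar, pi_blank, read_pi_bounded, pi_guard_check and count_oob_stores_unconditional_decrement are hypothetical stand-ins, and the input is a constructed in-memory string rather than a soap stream. read_pi_bounded() keeps the fix's shape (decrement only when a byte is stored, stop storing when one byte of room remains, keep consuming input up to '?'); pi_guard_check() places guard bytes directly after the 64-byte buffer and reports whether an over-long PI touched them; count_oob_stores_unconditional_decrement() models the pattern comment 9 reads into the old code, where the remaining-space counter is decremented on every iteration and wraps, without performing any out-of-bounds write.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PI_BUF 64        /* same stack buffer size as the soap_get_pi() snippet */
#define PI_EOF (-1)

/* Hypothetical in-memory stand-in for the soap input stream (constructed
 * for this example; gSOAP reads through soap_getchar() instead). */
struct pi_stream {
    const char *data;
    size_t len;
    size_t pos;
};

static int pi_getchar(struct pi_stream *st)
{
    return st->pos < st->len ? (unsigned char)st->data[st->pos++] : PI_EOF;
}

/* Stand-in for soap_blank(): whitespace characters are folded to ' '. */
static int pi_blank(int c)
{
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

/* Bounded copy with the shape of the fixed soap_get_pi(): characters are
 * consumed up to '?' or EOF, but only stored while at least one byte of
 * room for the terminator remains.  The counter is decremented only when
 * a byte is stored, so it can never reach zero and wrap.  Returns the
 * number of characters stored (at most PI_BUF - 1). */
size_t read_pi_bounded(struct pi_stream *st, char buf[PI_BUF])
{
    char *s = buf;
    size_t i = PI_BUF;                 /* bytes of room left, counts down to 1 */
    int c;

    while ((c = pi_getchar(st)) != PI_EOF && c != '?') {
        if (i > 1) {                   /* otherwise consume and drop the byte */
            if (pi_blank(c))
                c = ' ';
            *s++ = (char)c;
            i--;
        }
    }
    *s = '\0';                         /* s is at most &buf[PI_BUF - 1] here */
    return (size_t)(s - buf);
}

/* Runs read_pi_bounded() on input with guard bytes placed directly after
 * the 64-byte buffer.  Returns 1 if every guard byte is untouched, else 0;
 * *stored and *consumed report what the reader did. */
int pi_guard_check(const char *input, size_t *stored, size_t *consumed)
{
    struct { char buf[PI_BUF]; unsigned char guard[16]; } box;
    struct pi_stream st = { input, strlen(input), 0 };

    memset(box.guard, 0xA5, sizeof box.guard);
    *stored = read_pi_bounded(&st, box.buf);
    *consumed = st.pos;
    for (size_t k = 0; k < sizeof box.guard; k++)
        if (box.guard[k] != 0xA5)
            return 0;
    return 1;
}

/* Model of the pattern comment 9 describes: the remaining-space counter is
 * decremented on every iteration, so once it is decremented past zero it
 * wraps to SIZE_MAX and the `i > 1` guard passes again.  Instead of writing
 * past a buffer, this model only counts the stores that would land outside. */
size_t count_oob_stores_unconditional_decrement(size_t input_len)
{
    size_t i = PI_BUF;
    size_t stored = 0, oob = 0;

    for (size_t n = 0; n < input_len; n++) {
        if (i > 1) {
            if (stored < PI_BUF - 1)
                stored++;           /* would land inside buf */
            else
                oob++;              /* would land past &buf[PI_BUF - 1] */
        }
        i--;                        /* unconditional: wraps after passing 0 */
    }
    return oob;
}

/* Constructed sample: an encoding declaration padded well past 64 bytes. */
const char SAMPLE_LONG_PI[] =
    "xml version=\"1.0\" encoding=\"UTF-8\" "
    "padding-padding-padding-padding-padding-padding-padding-padding-padding"
    "?>";

int main(void)
{
    size_t stored, consumed;
    int intact = pi_guard_check(SAMPLE_LONG_PI, &stored, &consumed);

    printf("bounded reader: stored=%zu consumed=%zu guard_intact=%d\n",
           stored, consumed, intact);
    printf("unconditional decrement, 200-byte PI: %zu stores past the buffer\n",
           count_oob_stores_unconditional_decrement(200));
    return intact ? 0 : 1;
}
```

The guard check is the property a reviewer wants from the backport: an arbitrarily long PI still gets fully consumed (the parser reaches the '?'), but at most 63 bytes plus the terminator ever land in the 64-byte buffer. The model function shows why the placement of the decrement matters: with an unconditional decrement the guard is defeated from the 66th input byte on, which is the "~64/65 bytes" figure in comment 9.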
Comment 10 Bernhard Wiedemann 2017-07-19 20:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (1049348) was mentioned in
https://build.opensuse.org/request/show/511468 Factory / gsoap
Comment 11 Andreas Stieger 2017-07-25 19:50:34 UTC
releasing, done
Comment 12 Swamp Workflow Management 2017-07-26 01:10:37 UTC
openSUSE-SU-2017:1957-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1049348
CVE References: CVE-2017-9765
Sources used:
openSUSE Leap 42.3 (src):    gsoap-2.8.46-3.1
openSUSE Leap 42.2 (src):    gsoap-2.8.33-2.3.1