Bugzilla – Bug 1049348
VUL-0: CVE-2017-9765: gsoap stack buffer overflow vulnerability could lead to remote execution
Last modified: 2018-02-08 10:40:42 UTC
CVE-2017-9765

Download gSOAP 2.8.48 (released June 21), or greater, to fix a potential vulnerability to a large and specific XML message over 2GB in size (greater than 2147483711 bytes to trigger the software bug). A buffer overflow can cause an open unsecured server to crash after 2GB is received. Fortunately, the overflowing data after 2GB is cleaned up in the buffer, which means that the chances of exploiting this flaw (by injecting code) are significantly reduced in the gSOAP versions affected.

Update: services developed with our Apache module for gSOAP with the LimitRequestBody set in .htaccess or httpd.conf to any non-zero value (a common configuration that avoids DDoS attacks) by default should prevent this vulnerability from occurring: the size of the HTTP message body uploaded is limited to 2GB max in Apache with gSOAP. The Apache or IIS deployment of gSOAP with our bundled Apache and ISAPI modules is preferred and recommended in the gSOAP documentation since 2002. Therefore, we expect that most gSOAP services run this Apache configuration or use IIS. If not, this is a strong reminder to do so and to test the server configuration settings. Also, clients communicating with trusted and authenticated HTTPS servers are likely not affected, but updating is recommended.

If upgrading to the latest gSOAP versions is not possible and you have a technical support and maintenance contract, then please check the list of updated releases or submit a ticket to receive a patch. The patch consists of two lines of source code to change and will not affect the functioning or performance of the gSOAP software.

References:
https://www.genivia.com/advisory.html
http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9765
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9765.html
This is an autogenerated message for OBS integration: This bug (1049348) was mentioned in https://build.opensuse.org/request/show/511364 42.3 / gsoap
This is an autogenerated message for OBS integration: This bug (1049348) was mentioned in https://build.opensuse.org/request/show/511384 42.2 / gsoap
To patch older gSOAP versions before 2.8.48, update function soap_get_pi() in stdsoap2.c and stdsoap2.cpp by replacing the lines up to the DBGLOG statement with the following:

  soap_get_pi(struct soap *soap)
  {
    char buf[64];
    char *s = buf;
    size_t i = sizeof(buf);
    soap_wchar c;
    /* Parse the XML PI encoding declaration and look for <?xml ... encoding=X ?> */
    while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
    {
      if (i > 1)
      {
        if (soap_blank(c))
          c = ' ';
        *s++ = (char)c;
        i--;
      }
    }
    *s = '\0';
Jan, we would prefer it if you would patch the function as per the code above. Would that be possible?
Feel free.
This is an autogenerated message for OBS integration: This bug (1049348) was mentioned in https://build.opensuse.org/request/show/511438 42.3 / gsoap
Created attachment 733005: CVE-2017-9765.patch
https://build.opensuse.org/request/show/511467
Submitted backport, Jan please review
Seems ok. (Just the cause seems a bit underanalyzed, though that's not for openSUSE to worry about: if I read the code right, undefined behavior can already be triggered with just ~64/65 bytes — rather than 2G — since 'i' starts out with value 64 and underflows after that many iterations, causing 's' to go past &buf[64].)
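To make the bound of the patched loop from the earlier comment checkable in isolation, here is a stand-alone model of it (an added example, not gSOAP's own code): soap_getchar() is replaced by an in-memory reader, soap_blank() by a simplified whitespace check, and a canary is placed directly behind the 64-byte buffer so a test can show that the loop never writes past buf[63], however long the PI is. The reader, the canary struct and run_with_length() are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* In-memory stand-in for the soap buffer read by soap_getchar(). */
struct reader { const char *data; size_t len; size_t pos; };

static int rd_getchar(struct reader *r)
{
    return r->pos < r->len ? (unsigned char)r->data[r->pos++] : EOF;
}

/* The 64-byte PI buffer with a canary right behind it, so a test can
 * prove the loop never writes past buf[63]. */
struct pi_result { char buf[64]; char canary[8]; };

/* Copies the PI body (bytes up to the first '?') into res->buf like the
 * patched loop: i is decremented only when a byte is stored, so it stops at
 * 1 instead of underflowing, and the NUL always lands inside buf. */
size_t get_pi(struct reader *r, struct pi_result *res)
{
    char *s = res->buf;
    size_t i = sizeof(res->buf);
    int c;
    memset(res->canary, 'C', sizeof(res->canary));
    while ((c = rd_getchar(r)) != EOF && c != '?') {
        if (i > 1) {                      /* room for one byte plus the NUL */
            if (c == '\t' || c == '\r' || c == '\n')
                c = ' ';                  /* simplified soap_blank(): -> ' ' */
            *s++ = (char)c;
            i--;
        }                                 /* excess bytes consumed, not stored */
    }
    *s = '\0';
    return (size_t)(s - res->buf);        /* bytes stored, excluding the NUL */
}

/* Feeds a constructed PI of n 'x' bytes followed by "?>" through get_pi;
 * returns bytes stored, or (size_t)-1 if the canary was clobbered. */
size_t run_with_length(size_t n)
{
    static char input[1 << 16];
    struct reader r = { input, n + 2, 0 };
    struct pi_result res;
    if (n + 2 > sizeof(input))
        return (size_t)-1;
    memset(input, 'x', n);
    input[n] = '?'; input[n + 1] = '>';
    size_t stored = get_pi(&r, &res);
    return memcmp(res.canary, "CCCCCCCC", 8) == 0 ? stored : (size_t)-1;
}
```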
This is an autogenerated message for OBS integration: This bug (1049348) was mentioned in https://build.opensuse.org/request/show/511468 Factory / gsoap
releasing, done
openSUSE-SU-2017:1957-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1049348
CVE References: CVE-2017-9765
Sources used:
openSUSE Leap 42.3 (src): gsoap-2.8.46-3.1
openSUSE Leap 42.2 (src): gsoap-2.8.33-2.3.1