Date: Wed, 19 Jul 2017 23:43:59 +0200
From: Andreas Stieger <>
Subject: Re: Devil's Ivy (CVE-2017-9765) in gSOAP 2.7 up to


On 07/19/2017 10:44 PM, Alan Coopersmith wrote:
> I noticed some press coverage of this but haven't seen mail here yet:
> "a potential vulnerability to a large and specific XML message over 2GB in size
>  (greater than 2147483711 bytes to trigger the software bug). A buffer overflow
>  can cause an open unsecured server to crash or malfunction after 2GB is
>  received."
> Unfortunately, the subversion repo on sourceforge for gSOAP only has
> full releases, not individual changes, in each commit, so the fix
> appears to be somewhere mixed in [r119] on
> making it a challenge for distros who want to patch instead of upgrade.

Or just ask them, see


Andreas Stieger <>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)
