Date: Wed, 19 Jul 2017 23:43:59 +0200
From: Andreas Stieger <astieger@...e.com>
To: oss-security@...ts.openwall.com
Subject: Re: Devil's Ivy (CVE-2017-9765) in gSOAP 2.7 up to 2.8.47

Hello,

On 07/19/2017 10:44 PM, Alan Coopersmith wrote:
> I noticed some press coverage of this but haven't seen mail here yet:
>
> http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions
>
> https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_(June_21,_2017)
>
> https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017)
>
> "a potential vulnerability to a large and specific XML message over
> 2GB in size (greater than 2147483711 bytes to trigger the software bug).
> A buffer overflow can cause an open unsecured server to crash or
> malfunction after 2GB is received."
>
> Unfortunately, the subversion repo on sourceforge for gSOAP only has
> full releases, not individual changes, in each commit, so the fix
> appears to be somewhere mixed in [r119] on
> https://sourceforge.net/p/gsoap2/code/commit_browser
> making it a challenge for distros who want to patch instead of upgrade.

Or just ask them, see https://bugzilla.suse.com/show_bug.cgi?id=1049348

Andreas

-- 
Andreas Stieger <astieger@...e.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
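The trigger size quoted from the Genivia advisory, 2147483711 bytes, sits just past 2^31 = 2147483648, the point at which a signed 32-bit byte counter wraps negative. The following is an added illustration of that bug class, written for this page; it is not gSOAP's code, not the fix in 2.8.48, and the thread does not confirm that this is the exact mechanism behind CVE-2017-9765. The 64-byte scratch buffer, the 16 MiB message cap, the function names and the probe values are all constructed for the example. It shows a reader that derives a write slot from a signed `int` counter, beside a hardened reader that keeps the counter unsigned and 64-bit and rejects oversized input before indexing anything. Rather than receiving 2 GB, it computes what the counter would hold after that many bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for this illustration (not gSOAP's): a 64-byte scratch
 * buffer that the reader cycles through, and a hard cap on message size. */
#define SCRATCH_SIZE 64
#define MAX_MESSAGE_BYTES ((uint64_t)16 * 1024 * 1024)

/* The value a signed 32-bit counter holds after being incremented once for
 * each of `total` received bytes. Going through uint32_t reproduces the
 * two's-complement wraparound real code exhibits, without the signed-overflow
 * undefined behaviour that a literal `n++` past INT32_MAX would have. */
static int32_t counter_after(uint64_t total)
{
    return (int32_t)(uint32_t)total;
}

/* Naive reader: picks the scratch slot for the next byte as n % SCRATCH_SIZE
 * with n a signed int. Returns the slot the write would use. For n >= 0 the
 * result is in [0, 63]; once the counter has wrapped negative, C's truncating
 * `%` yields a negative slot, i.e. a write in front of the buffer. */
static int64_t naive_slot(uint64_t total_received)
{
    int32_t n = counter_after(total_received);
    return (int64_t)(n % SCRATCH_SIZE);
}

/* Hardened reader: a 64-bit unsigned counter that cannot go negative, plus an
 * explicit upper bound on message size enforced before any indexing. Returns
 * false, and writes nothing through `slot`, when the message exceeds the cap. */
static bool safe_slot(uint64_t total_received, uint64_t *slot)
{
    if (total_received >= MAX_MESSAGE_BYTES)
        return false;
    *slot = total_received % SCRATCH_SIZE;
    return true;
}

int main(void)
{
    /* Constructed probe points: small inputs, the last value a signed 32-bit
     * counter can hold, and the first values after it has wrapped. */
    const uint64_t probes[] = { 10, 100, 2147483647ULL, 2147483648ULL, 2147483649ULL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint64_t s = 0;
        bool ok = safe_slot(probes[i], &s);
        printf("after %llu bytes: naive slot %lld, hardened %s\n",
               (unsigned long long)probes[i], (long long)naive_slot(probes[i]),
               ok ? "accepts" : "rejects (over message cap)");
    }
    return 0;
}
```

The point for a distro patching rather than upgrading: a fix for this class is a type change on the counter plus a size check at the receive boundary, so when diffing a bulk release commit, look for `int` counters that become `size_t` and for new length comparisons near the input reader.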