Date: Wed, 19 Jul 2017 23:43:59 +0200 From: Andreas Stieger <astieger@...e.com> To: oss-security@...ts.openwall.com Subject: Re: Devil's Ivy (CVE-2017-9765) in gSOAP 2.7 up to 2.8.47 Hello, On 07/19/2017 10:44 PM, Alan Coopersmith wrote: > I noticed some press coverage of this but haven't seen mail here yet: > > http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions > > https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_(June_21,_2017) > > https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017) > > "a potential vulnerability to a large and specific XML message over > 2GB in size > (greater than 2147483711 bytes to trigger the software bug). A buffer > overflow > can cause an open unsecured server to crash or malfunction after 2GB is > received." > > Unfortunately, the subversion repo on sourceforge for gSOAP only has > full releases, not individual changes, in each commit, so the fix > appears to be somewhere mixed in [r119] on > https://sourceforge.net/p/gsoap2/code/commit_browser > making it a challenge for distros who want to patch instead of upgrade. > Or just ask them, see https://bugzilla.suse.com/show_bug.cgi?id=1049348 Andreas -- Andreas Stieger <astieger@...e.com> Project Manager Security SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.