oss-sec mailing list archives
Devil's Ivy (CVE-2017-9765) in gSOAP 2.7 up to 2.8.47
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 19 Jul 2017 13:44:50 -0700
I noticed some press coverage of this but haven't seen mail here yet: http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_(June_21,_2017) https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017) "a potential vulnerability to a large and specific XML message over 2GB in size (greater than 2147483711 bytes to trigger the software bug). A buffer overflow can cause an open unsecured server to crash or malfunction after 2GB is received." Unfortunately, the subversion repo on sourceforge for gSOAP only has full releases, not individual changes, in each commit, so the fix appears to be somewhere mixed in [r119] on https://sourceforge.net/p/gsoap2/code/commit_browser making it a challenge for distros who want to patch instead of upgrade. -- -Alan Coopersmith- alan.coopersmith () oracle com Oracle Solaris Engineering - https://blogs.oracle.com/alanc
Current thread:
- Devil's Ivy (CVE-2017-9765) in gSOAP 2.7 up to 2.8.47 Alan Coopersmith (Jul 19)
- Re: Devil's Ivy (CVE-2017-9765) in gSOAP 2.7 up to 2.8.47 Andreas Stieger (Jul 19)