Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6dd6b52f-c4cb-4dcf-118e-f5f9510a2d84@oracle.com>
Date: Wed, 19 Jul 2017 13:44:50 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Devil's Ivy (CVE-2017-9765) in gSOAP 2.7 up to 2.8.47

I noticed some press coverage of this but haven't seen mail here yet:

http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions
https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_(June_21,_2017)
https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017)

"a potential vulnerability to a large and specific XML message over 2GB in size
  (greater than 2147483711 bytes to trigger the software bug). A buffer overflow
  can cause an open unsecured server to crash or malfunction after 2GB is
  received."

Unfortunately, the subversion repo on sourceforge for gSOAP only has
full releases, not individual changes, in each commit, so the fix
appears to be somewhere mixed in [r119] on
https://sourceforge.net/p/gsoap2/code/commit_browser
making it a challenge for distros who want to patch instead of upgrade.

-- 
	-Alan Coopersmith-               alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.