From owner-svn-ports-all@freebsd.org Tue Jul 25 12:27:59 2017 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8871EC7B0C0; Tue, 25 Jul 2017 12:27:59 +0000 (UTC) (envelope-from swills@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5747474D37; Tue, 25 Jul 2017 12:27:59 +0000 (UTC) (envelope-from swills@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v6PCRwB0071732; Tue, 25 Jul 2017 12:27:58 GMT (envelope-from swills@FreeBSD.org) Received: (from swills@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v6PCRwNd071730; Tue, 25 Jul 2017 12:27:58 GMT (envelope-from swills@FreeBSD.org) Message-Id: <201707251227.v6PCRwNd071730@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: swills set sender to swills@FreeBSD.org using -f From: Steve Wills Date: Tue, 25 Jul 2017 12:27:58 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r446577 - head/security/vuxml X-SVN-Group: ports-head X-SVN-Commit-Author: swills X-SVN-Commit-Paths: head/security/vuxml X-SVN-Commit-Revision: 446577 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Jul 2017 12:27:59 -0000 Author: swills Date: Tue Jul 25 12:27:58 2017 New Revision: 446577 URL: https://svnweb.freebsd.org/changeset/ports/446577 Log: Document gsoap vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Jul 25 12:22:54 2017 (r446576) +++ head/security/vuxml/vuln.xml Tue Jul 25 12:27:58 2017 (r446577) @@ -58,6 +58,41 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + gsoap -- remote code execution via via overflow + + + gsoap + 2.8.47 + + + + +

Senrio reports:

+
+

Genivia gSOAP is prone to a stack-based buffer-overflow + vulnerability because it fails to properly bounds check user-supplied + data before copying it into an insufficiently sized buffer.

+

A remote attacker may exploit this issue to execute arbitrary code + in the context of the affected device. Failed attempts will likely + cause a denial-of-service condition.

+
+ + + + http://www.securityfocus.com/bid/99868/discuss + http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions + http://blog.senr.io/devilsivy.html + https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_%28June_21,_2017%29 + https://www.genivia.com/changelog.html#Version_2.8.48_upd_%2806/21/2017%29 + CVE-2017-9765 + + + 2017-07-18 + 2017-07-25 + + + GitLab -- Various security issues