CVE-2017-9765

NameCVE-2017-9765
DescriptionInteger overflow in the soap_get function in Genivia gSOAP 2.7.x and 2.8.x before 2.8.48, as used on Axis cameras and other devices, allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow and application crash) via a large XML document, aka Devil's Ivy. NOTE: the large document would be blocked by many common web-server configurations on general-purpose computers.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1036-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gsoap (PTS)bullseye2.8.104-3fixed
bookworm2.8.124-2fixed
sid, trixie2.8.135-2fixed
r-other-x4r (PTS)bookworm, bullseye, sid, trixie1.0.1+git20150806.c6bd9bd-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gsoapsourcewheezy2.8.7-2+deb7u1DLA-1036-1
gsoapsourcejessie2.8.17-1+deb8u1
gsoapsourcestretch2.8.35-4+deb9u1
gsoapsource(unstable)2.8.48-1
r-other-x4rsource(unstable)1.0.1+git20150806.c6bd9bd-2

Notes

http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions
https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017)
SuSE patch: https://bugzilla.suse.com/attachment.cgi?id=733005
Search for package or bug name: Reporting problems