FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

gsoap -- remote code execution via stack-based buffer overflow

Affected packages
gsoap < 2.8.48

Details

VuXML ID 8745c67e-7dd1-4165-96e2-fcf9da2dc5b5
Discovery 2017-07-18
Entry 2017-07-25

Senrio reports:

Genivia gSOAP is prone to a stack-based buffer-overflow vulnerability because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized buffer.

A remote attacker may exploit this issue to execute arbitrary code in the context of the affected device. Failed attempts will likely cause a denial-of-service condition.
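The bug class the advisory describes, shown as an added example that is not gSOAP's source and not code from Senrio or Genivia: a fixed-size stack buffer filled from attacker-controlled input without consulting its size, beside the bounded version that rejects oversized input. The function names, the 64-byte buffer and the sample tags are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define TAG_MAX 64   /* assumed fixed-size stack buffer for an element name */

/* Vulnerable pattern: copies up to the closing '>' with no knowledge of how
 * large 'tag' is, so a name longer than TAG_MAX - 1 bytes overruns the
 * caller's stack buffer. Kept here only to show the bug shape; never feed
 * it untrusted input. */
size_t copy_tag_unchecked(char *tag, const char *src)
{
    size_t n = 0;

    while (src[n] != '\0' && src[n] != '>') {
        tag[n] = src[n];  /* no check against the destination size */
        n++;
    }
    tag[n] = '\0';
    return n;
}

/* Hardened form: the destination size is part of the contract and the copy
 * stops before the terminator slot. Oversized input is rejected (-1) rather
 * than silently truncated, since a truncated name could still match an
 * element the caller did not intend. */
int copy_tag_checked(char *tag, size_t tagsize, const char *src, size_t *outlen)
{
    size_t n = 0;

    if (tagsize == 0)
        return -1;
    while (src[n] != '\0' && src[n] != '>') {
        if (n + 1 >= tagsize) {   /* would leave no room for '\0' */
            tag[0] = '\0';        /* hand back an empty, terminated buffer */
            return -1;
        }
        tag[n] = src[n];
        n++;
    }
    tag[n] = '\0';
    if (outlen)
        *outlen = n;
    return 0;
}

/* Constructed sample: an ordinary SOAP 1.2 Envelope start tag is accepted. */
int demo_normal_tag(void)
{
    char tag[TAG_MAX];
    size_t n = 0;
    const char *msg = "Envelope xmlns=\"http://www.w3.org/2003/05/soap-envelope\">";

    if (copy_tag_checked(tag, sizeof tag, msg, &n) != 0)
        return 0;
    return n == strlen(tag) && strncmp(msg, tag, n) == 0 && msg[n] == '>';
}

/* Constructed sample: a 200-byte element name, the kind of oversized field a
 * remote peer can put in a request body, is refused before anything is
 * written past the buffer. */
int demo_oversized_tag(void)
{
    char tag[TAG_MAX];
    char msg[256];
    size_t n = 0;

    memset(msg, 'A', 200);
    msg[200] = '>';
    msg[201] = '\0';
    return copy_tag_checked(tag, sizeof tag, msg, &n) == -1 && tag[0] == '\0';
}
```

On FreeBSD, installed packages can be checked against this VuXML database with `pkg audit -F`; the remedy for this entry is to update to the gsoap 2.8.48 port or later, the release the Genivia changelog referenced below names as carrying the fix.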

References

CVE Name CVE-2017-9765
URL http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions
URL http://blog.senr.io/devilsivy.html
URL http://www.securityfocus.com/bid/99868/discuss
URL https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_%28June_21,_2017%29
URL https://www.genivia.com/changelog.html#Version_2.8.48_upd_%2806/21/2017%29