diffstat of debian/ for xmlrpc-c_1.16.33-3.1 xmlrpc-c_1.16.33-3.1ubuntu5.2 debian/libxmlrpc-core-c3-udeb.install | 5 debian/patches/CVE-2012-0876.patch | 541 +++++++++++++++++ debian/patches/CVE-2012-1148.patch | 134 ++++ debian/patches/CVE-2012-6702-1.patch | 38 + debian/patches/CVE-2012-6702-2.patch | 27 debian/patches/CVE-2015-1283.patch | 38 + debian/patches/CVE-2016-0718.patch | 732 ++++++++++++++++++++++++ debian/patches/CVE-2016-4472.patch | 28 debian/patches/CVE-2016-5300-1.patch | 36 + debian/patches/CVE-2016-5300-2.patch | 31 + debian/patches/FTBFS-tests.patch | 276 +++++++++ debian/patches/backport-gssapi-delegation.patch | 389 ++++++++++++ xmlrpc-c-1.16.33/debian/changelog | 182 +++++ xmlrpc-c-1.16.33/debian/control | 38 - xmlrpc-c-1.16.33/debian/patches/series | 11 xmlrpc-c-1.16.33/debian/rules | 4 16 files changed, 2497 insertions(+), 13 deletions(-) diff -u xmlrpc-c-1.16.33/debian/changelog xmlrpc-c-1.16.33/debian/changelog --- xmlrpc-c-1.16.33/debian/changelog +++ xmlrpc-c-1.16.33/debian/changelog @@ -1,3 +1,91 @@ +xmlrpc-c (1.16.33-3.1ubuntu5.2) precise-security; urgency=medium + + * SECURITY UPDATE: integer overflows in xmlrpc_XML_GetBuffer + - debian/patches/CVE-2015-1283.patch: add checks to + lib/expat/xmlparse/xmlparse.c. + - CVE-2015-1283 + * SECURITY UPDATE: integer overflows in xmlrpc_XML_GetBuffer + - debian/patches/CVE-2016-4472.patch: improved existing fix in + lib/expat/xmlparse/xmlparse.c. + - CVE-2016-4472 + * SECURITY UPDATE: unanticipated internal calls to srand + - debian/patches/CVE-2012-6702-1.patch: remove srand, use more entropy + in lib/expat/xmlparse/xmlparse.c. + - debian/patches/CVE-2012-6702-2.patch: use a prime that fits 32bits + on 32bit platforms in lib/expat/xmlparse/xmlparse.c. + - CVE-2012-6702 + * SECURITY UPDATE: use of too little entropy + - debian/patches/CVE-2016-5300-1.patch: extract method + gather_time_entropy in lib/expat/xmlparse/xmlparse.c. + - debian/patches/CVE-2016-5300-2.patch: extract entropy from + XML_Parser address in lib/expat/xmlparse/xmlparse.c. + - CVE-2016-5300 + * SECURITY UPDATE: denial of service and possible code execution via + malformed documents + - debian/patches/CVE-2016-0718.patch: fix out of bounds memory access + and integer overflow in lib/expat/xmlparse/xmlparse.c, + lib/expat/xmltok/xmltok.c, lib/expat/xmltok/xmltok.h, + lib/expat/xmltok/xmltok_impl.c. + - CVE-2016-0718 + + -- Marc Deslauriers Tue, 14 Jun 2016 16:23:39 +0300 + +xmlrpc-c (1.16.33-3.1ubuntu5.1) precise-security; urgency=low + + * Run the tests as part of the build process + - debian/patches/FTBFS-tests.patch: Fix issues when running make check. + Based on upstream patches. + - debian/rules: Run make check after building + * Fix dependencies of xmlrpc-api-utils + - debian/control: xml-rcp-api2cpp needs libxmlrpc_cpp.so.4, so depend on + libxmlrpc-c++4 + * SECURITY UPDATE: Denial of service via hash collisions + - debian/patches/CVE-2012-0876.patch: Add random salt value to + hash inputs. Based on upstream patch. + - CVE-2012-0876 + * SECURITY UPDATE: Denial of service via memory leak + - debian/patches/CVE-2012-1148.patch: Properly reallocate memory. + Based on upstream patch. + - CVE-2012-1148 + + -- Tyler Hicks Sun, 09 Sep 2012 22:57:33 -0700 + +xmlrpc-c (1.16.33-3.1ubuntu5) precise; urgency=low + + * Bump the build-dep on libcurl3-openssl-dev as well, otherwise the + old libcurl4-openssl-dev gets installed. + + -- Timo Aaltonen Fri, 25 Nov 2011 18:32:04 +0200 + +xmlrpc-c (1.16.33-3.1ubuntu4) precise; urgency=low + + * Add backport-gssapi-delegation.patch, and bump the build-depends on + libcurl4-openssl-dev to >= 7.22.0. + + -- Timo Aaltonen Fri, 25 Nov 2011 17:59:23 +0200 + +xmlrpc-c (1.16.33-3.1ubuntu3) precise; urgency=low + + * Fix dh_makeshlibs calls for libxmlrpc-core-c3-0 -> libxmlrpc-core-c3 + rename. + + -- Colin Watson Sat, 12 Nov 2011 00:51:00 +0000 + +xmlrpc-c (1.16.33-3.1ubuntu2) precise; urgency=low + + * Rename libxmlrpc-core-c3-0-udeb to libxmlrpc-core-c3-udeb to match the deb + variant from Debian (LP: #878716). + * Add Breaks/Replaces to cover binary package reorganisation (LP: #878180). + + -- Robie Basak Thu, 20 Oct 2011 15:46:59 +0100 + +xmlrpc-c (1.16.33-3.1ubuntu1) precise; urgency=low + + * Merge from Debian testing. Remaining changes: + - Add libxmlrpc-core-c3-0-udeb for use during installation (LP: #831496). + + -- Dave Walker (Daviey) Wed, 19 Oct 2011 10:55:41 +0100 + xmlrpc-c (1.16.33-3.1) unstable; urgency=low * Non-maintainer upload with OK from Maintainer. @@ -45,6 +133,34 @@ -- Sean Finney Sat, 19 Feb 2011 18:03:30 +0000 +xmlrpc-c (1.16.32-0ubuntu4) oneiric; urgency=low + + * Add libxmlrpc-core-c3-0-udeb for use during installation (LP: #831496). + + -- Colin Watson Thu, 15 Sep 2011 18:34:36 +0100 + +xmlrpc-c (1.16.32-0ubuntu3) natty; urgency=low + + * Move c_util.h to libxmlrpc-core-c3-dev + + -- Jonathan Riddell Tue, 11 Jan 2011 00:18:21 +0000 + +xmlrpc-c (1.16.32-0ubuntu2) natty; urgency=low + + * Don't use the symbols files, renamed the library packages anyway. + + -- Matthias Klose Thu, 06 Jan 2011 20:57:20 +0100 + +xmlrpc-c (1.16.32-0ubuntu1) natty; urgency=low + + * New upstream version (stable release). LP: #659591. + - No unresolved symbols in the shared libraries. LP: #690779. + - Builds with --no-add-needed and --as-needed. + * Rename shared library packages. + * Add symbols files. + + -- Matthias Klose Thu, 06 Jan 2011 18:56:02 +0100 + xmlrpc-c (1.16.07-1) unstable; urgency=low * New upstream release. @@ -67,6 +183,69 @@ -- Moritz Muehlenhoff Wed, 28 Jul 2010 22:18:54 -0400 +xmlrpc-c (1.06.27-1ubuntu7) lucid; urgency=low + + * SECURITY UPDATE: fix DoS via malformed XML + - debian/patches/CVE-2009-3720.patch: update expat/xmltok/xmltok_impl.c + to not access beyond end of input string + - CVE-2009-3720 + * SECURITY UPDATE: fix DoS via malformed UTF-8 sequences + - debian/patches/CVE-2009-3560.patch: update expat/xmlparse/xmlparse.c to + properly recognize the end of a token + - CVE-2009-3560 + + -- Jamie Strandboge Tue, 26 Jan 2010 13:14:57 -0600 + +xmlrpc-c (1.06.27-1ubuntu6) karmic; urgency=low + + * Move xmlrpc-c/server.h to libxmlrpc-core-c3-dev where it belongs, + without which xmlrpc.h doesn't compile. + + -- Steve Langasek Fri, 11 Sep 2009 21:43:09 +0000 + +xmlrpc-c (1.06.27-1ubuntu5) karmic; urgency=low + + * debian/libxmlrpc-core-c3-dev.install + debian/libxmlrpc-c3-dev.install : + Remove installation of /usr/bin/xmlrpc-c-config and /usr/include, + already in libxmlrpc-core-c3-dev.install (LP: #376133) + * debian/libxmlrpc-c3.install : + Don't install .a and .so files for libxmlrpc_client++ + + -- Julien Lavergne Thu, 14 May 2009 22:30:04 +0200 + +xmlrpc-c (1.06.27-1ubuntu4) karmic; urgency=low + + * Remove libxmlrpc-c3-dev Provides libxmlrpc-c-dev, it also conflicts with libxmlrpc-c-dev and + this confuses the install of libxmlrpc-core-c3-dev + + -- Jonathan Riddell Tue, 12 May 2009 14:26:29 +0000 + +xmlrpc-c (1.06.27-1ubuntu3) karmic; urgency=low + + * Rename patch lpia-gnulp to other-gnu-triplets and add support for + linux-gnueabi as well as it was also failing to build on armel. + + -- Loic Minier Mon, 11 May 2009 14:18:57 +0200 + +xmlrpc-c (1.06.27-1ubuntu2) karmic; urgency=low + + * Set CFLAGS_PERSONAL to CFLAGS and export this new var; also covers cpp + files; note that -O2 was ignored until now, and upstream sets -O3, but -O2 + is probably good enough for us. + * Pass $(addprefix -X,$(muckfiles)) to dh_clean -k calls; LP: #374813. + * New patch, lpia-gnulp, fixes FTBFS on lpia by supporting its + i686-linux-gnulp triplet identically to i686-linux-gnu. + + -- Loic Minier Mon, 11 May 2009 12:33:27 +0200 + +xmlrpc-c (1.06.27-1ubuntu1) karmic; urgency=low + + * Split out libraries used by cmake into libxmlrpc-core-c3-dev and + libxmlrpc-core-c3 to put only those parts into main, LP: #369918 + + -- Jonathan Riddell Fri, 01 May 2009 20:20:33 +0000 + xmlrpc-c (1.06.27-1) unstable; urgency=low * New upstream release @@ -239,3 +417,0 @@ -Local variables: -mode: debian-changelog -End: diff -u xmlrpc-c-1.16.33/debian/rules xmlrpc-c-1.16.33/debian/rules --- xmlrpc-c-1.16.33/debian/rules +++ xmlrpc-c-1.16.33/debian/rules @@ -53,6 +53,7 @@ dh_testdir $(MAKE) CADD=-fPIC ( cd tools && $(MAKE) CADD=-fPIC ) + $(MAKE) CADD=-fPIC check touch build-arch-stamp build-indep: build-indep-stamp @@ -122,7 +123,8 @@ dh_fixperms # dh_perl # dh_python - dh_makeshlibs + dh_makeshlibs -Nlibxmlrpc-core-c3 + dh_makeshlibs -plibxmlrpc-core-c3 --add-udeb=libxmlrpc-core-c3-udeb dh_shlibdeps dh_installdeb dh_gencontrol diff -u xmlrpc-c-1.16.33/debian/control xmlrpc-c-1.16.33/debian/control --- xmlrpc-c-1.16.33/debian/control +++ xmlrpc-c-1.16.33/debian/control @@ -1,8 +1,9 @@ Source: xmlrpc-c Priority: optional Section: libs -Maintainer: Sean Finney -Build-Depends: autotools-dev, debhelper (>= 5), libcurl4-openssl-dev | libcurl3-openssl-dev, quilt +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Sean Finney +Build-Depends: autotools-dev, debhelper (>= 5), libcurl4-openssl-dev (>= 7.22.0) | libcurl3-openssl-dev (>= 7.22.0), quilt Homepage: http://xmlrpc-c.sourceforge.net Standards-Version: 3.9.1 @@ -11,8 +12,8 @@ Architecture: any Depends: libxmlrpc-c++4 (= ${binary:Version}), libxmlrpc-core-c3-dev (= ${binary:Version}), libc6-dev, ${misc:Depends} Provides: libxmlrpc-c++-dev -Conflicts: libxmlrpc-c3-dev (<= 1.16.07-1) -Replaces: libxmlrpc-c3-dev +Breaks: libxmlrpc-c3-dev (<< 1.16.33-3.1ubuntu2), libxmlrpc-core-c3-dev (<< 1.16.33-3.1ubuntu2) +Replaces: libxmlrpc-c3-dev, libxmlrpc-core-c3-dev (<< 1.16.33-3.1ubuntu2) Suggests: xmlrpc-api-utils Description: lightweight RPC library based on XML and HTTP [C++ development libraries] XML-RPC is a quick-and-easy way to make procedure calls over the Internet. @@ -28,6 +29,8 @@ Section: libs Architecture: any Depends: libxmlrpc-core-c3 (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Breaks: libxmlrpc-c3-0 +Replaces: libxmlrpc-c3-0 Description: lightweight RPC library based on XML and HTTP [C++ runtime libraries] XML-RPC is a quick-and-easy way to make procedure calls over the Internet. It converts the procedure call into an XML document, sends it to a remote @@ -52,8 +55,8 @@ Architecture: any Depends: libxmlrpc-core-c3 (= ${binary:Version}), libc6-dev, ${misc:Depends} Provides: libxmlrpc-c-dev, libxmlrpc-c3-dev -Conflicts: libxmlrpc-c3-dev (<= 1.16.07-1) -Replaces: libxmlrpc-c3-dev +Breaks: libxmlrpc-c3-dev (<< 1.16.33-3.1ubuntu2) +Replaces: libxmlrpc-c3-dev (<< 1.16.33-3.1ubuntu2) Suggests: xmlrpc-api-utils Description: lightweight RPC library based on XML and HTTP [C development libraries] XML-RPC is a quick-and-easy way to make procedure calls over the Internet. @@ -69,8 +72,9 @@ Section: libs Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} +Breaks: libxmlrpc-core-c3-0, libxmlrpc-c3-0 Conflicts: libxmlrpc-c3 (<= 1.16.07-1) -Replaces: libxmlrpc-c3 +Replaces: libxmlrpc-c3, libxmlrpc-core-c3-0, libxmlrpc-c3-0 Description: lightweight RPC library based on XML and HTTP [C runtime libraries] XML-RPC is a quick-and-easy way to make procedure calls over the Internet. It converts the procedure call into an XML document, sends it to a remote @@ -78,14 +82,30 @@ . This library provides a modular implementation of XML-RPC for C. +Package: libxmlrpc-core-c3-udeb +Section: debian-installer +XC-Package-Type: udeb +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: A lightweight RPC library based on XML and HTTP (core libraries) + XML-RPC is a quick-and-easy way to make procedure calls over the Internet. + It converts the procedure call into an XML document, sends it to a remote + server using HTTP, and gets back the response as XML. + . + This library provides a modular implementation of XML-RPC for C and C++. + . + This package contains the minimal runtime libraries for the Debian Installer + (udeb). + Package: xmlrpc-api-utils Conflicts: xml-rpc-api2cpp, xml-rpc-api2txt Provides: xml-rpc-api2cpp, xml-rpc-api2txt Replaces: xml-rpc-api2cpp, xml-rpc-api2txt Architecture: any Section: devel -Depends: libxmlrpc-core-c3 (= ${binary:Version}), libc6-dev, - libfrontier-rpc-perl, ${misc:Depends} +Depends: libxmlrpc-core-c3 (= ${binary:Version}), + libxmlrpc-c++4 (= ${binary:Version}), libc6-dev, libfrontier-rpc-perl, + ${misc:Depends} Description: Generate C++ wrapper classes for XML-RPC servers XML-RPC is a quick-and-easy way to make procedure calls over the Internet. It converts the procedure call into an XML document, sends it to a remote diff -u xmlrpc-c-1.16.33/debian/patches/series xmlrpc-c-1.16.33/debian/patches/series --- xmlrpc-c-1.16.33/debian/patches/series +++ xmlrpc-c-1.16.33/debian/patches/series @@ -3,0 +4,11 @@ +backport-gssapi-delegation.patch +FTBFS-tests.patch +CVE-2012-0876.patch +CVE-2012-1148.patch +CVE-2015-1283.patch +CVE-2016-4472.patch +CVE-2012-6702-1.patch +CVE-2016-5300-1.patch +CVE-2016-5300-2.patch +CVE-2012-6702-2.patch +CVE-2016-0718.patch --- xmlrpc-c-1.16.33.orig/debian/libxmlrpc-core-c3-udeb.install +++ xmlrpc-c-1.16.33/debian/libxmlrpc-core-c3-udeb.install @@ -0,0 +1,5 @@ +debian/tmp/usr/lib/libxmlrpc.so.* +debian/tmp/usr/lib/libxmlrpc_client.so.* +debian/tmp/usr/lib/libxmlrpc_util.so.* +debian/tmp/usr/lib/libxmlrpc_xmlparse.so.* +debian/tmp/usr/lib/libxmlrpc_xmltok.so.* --- xmlrpc-c-1.16.33.orig/debian/patches/FTBFS-tests.patch +++ xmlrpc-c-1.16.33/debian/patches/FTBFS-tests.patch @@ -0,0 +1,276 @@ +Description: Fix issues when running make check + Fixes FTBFS issues from missing #include's and the placement of -l options + when linking. Also fixes many "inlining failed" compiler warnings by + uninlining functions in test.h. +Origin: backport, http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?revision=1630&view=revision +Origin: backport, http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?revision=1631&view=revision +Origin: backport, http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?revision=1943&view=revision +Origin: backport, http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?revision=1945&view=revision +Index: xmlrpc-c-1.16.32/src/cpp/test/test.cpp +=================================================================== +--- xmlrpc-c-1.16.32.orig/src/cpp/test/test.cpp 2012-09-07 11:54:45.209317841 -0700 ++++ xmlrpc-c-1.16.32/src/cpp/test/test.cpp 2012-09-07 12:01:12.453309894 -0700 +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + #include + + #include "xmlrpc-c/girerr.hpp" +Index: xmlrpc-c-1.16.32/src/cpp/test/server_abyss.cpp +=================================================================== +--- xmlrpc-c-1.16.32.orig/src/cpp/test/server_abyss.cpp 2012-09-07 11:54:45.209317841 -0700 ++++ xmlrpc-c-1.16.32/src/cpp/test/server_abyss.cpp 2012-09-07 12:01:12.453309894 -0700 +@@ -10,6 +10,8 @@ + #include + #include + #include ++#include ++#include + #include + #ifdef WIN32 + #include +Index: xmlrpc-c-1.16.32/src/cpp/test/server_pstream.cpp +=================================================================== +--- xmlrpc-c-1.16.32.orig/src/cpp/test/server_pstream.cpp 2012-09-07 11:54:45.209317841 -0700 ++++ xmlrpc-c-1.16.32/src/cpp/test/server_pstream.cpp 2012-09-07 12:01:12.453309894 -0700 +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + + #include "xmlrpc-c/girerr.hpp" +Index: xmlrpc-c-1.16.32/src/test/Makefile +=================================================================== +--- xmlrpc-c-1.16.32.orig/src/test/Makefile 2012-09-07 11:54:45.209317841 -0700 ++++ xmlrpc-c-1.16.32/src/test/Makefile 2012-09-07 12:07:30.261302141 -0700 +@@ -28,6 +28,7 @@ + LDFLAGS = $(LADD) + + TEST_OBJS = \ ++ testtool.o \ + test.o \ + abyss.o \ + cgi.o \ +@@ -60,9 +61,11 @@ + $(CCLD) -o $@ $(LDFLAGS) \ + $(TEST_OBJS) $(LDADD_CLIENT) $(LDADD_ABYSS_SERVER) $(CASPRINTF) + +-cgitest1:%:%.o $(LIBXMLRPC_SERVER_A) $(LIBXMLRPC_SERVER_CGI_A) \ ++CGITEST1_OBJS = cgitest1.o testtool.o ++ ++cgitest1: $(CGITEST1_OBJS) $(LIBXMLRPC_SERVER_A) $(LIBXMLRPC_SERVER_CGI_A) \ + $(LIBXMLRPC_A) $(LIBXMLRPC_UTIL_A) $(LIBXMLRPC_XML) +- $(CCLD) -o $@ $< $(LDFLAGS) $(LDADD_CGI_SERVER) ++ $(CCLD) -o $@ $(CGITEST1_OBJS) $(LDFLAGS) $(LDADD_CGI_SERVER) + + CFLAGS = $(CFLAGS_COMMON) $(CFLAGS_PERSONAL) $(CADD) + +Index: xmlrpc-c-1.16.32/src/test/test.h +=================================================================== +--- xmlrpc-c-1.16.32.orig/src/test/test.h 2012-09-07 11:54:45.209317841 -0700 ++++ xmlrpc-c-1.16.32/src/test/test.h 2012-09-07 12:07:30.261302141 -0700 +@@ -2,7 +2,6 @@ + #include + #include + +-#include "xmlrpc_config.h" + #include "xmlrpc-c/util.h" + #include "xmlrpc-c/util_int.h" + +@@ -10,19 +9,22 @@ + extern int total_failures; + + +-/* This is a good place to set a breakpoint. */ +-static __inline__ void ++void + test_failure(const char * const file, + unsigned int const line, + const char * const label, +- const char * const statement) { +- +- ++total_failures; +- printf("\n%s:%u: test failure: %s (%s)\n", file, line, label, statement); +- abort(); +-} ++ const char * const statement); + ++void ++test_fault(xmlrpc_env * const envP, ++ int const expectedCode, ++ const char * const fileName, ++ unsigned int const lineNumber); + ++void ++test_null_string(const char * const string, ++ const char * const fileName, ++ unsigned int const lineNumber); + + #define TEST(statement) \ + do { \ +@@ -54,47 +56,11 @@ + #define TESTFLOATEQUAL(comparand, comparator) \ + TEST(FLOATEQUAL(comparand, comparator)) + +-static __inline__ void +-test_fault(xmlrpc_env * const envP, +- int const expectedCode, +- const char * const fileName, +- unsigned int const lineNumber) { +- +- ++total_tests; +- +- if (!envP->fault_occurred) +- test_failure(fileName, lineNumber, "no fault occurred", ""); +- else if (envP->fault_code != expectedCode) +- test_failure(fileName, lineNumber, "wrong fault occurred", +- envP->fault_string); +- else +- printf("."); +- +- xmlrpc_env_clean(envP); +- xmlrpc_env_init(envP); +-} +- +- + #define TEST_FAULT(envP, code) \ + do { test_fault(envP, code, __FILE__, __LINE__); } while(0) + + ; + +- +-static __inline__ void +-test_null_string(const char * const string, +- const char * const fileName, +- unsigned int const lineNumber) { +- +- ++total_tests; +- +- if (string != NULL) +- test_failure(fileName, lineNumber, "string not null", string); +- else +- printf("."); +-} +- +- + #define TEST_NULL_STRING(string) \ + do { test_null_string(string, __FILE__, __LINE__); } while(0) + +Index: xmlrpc-c-1.16.32/src/test/testtool.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ xmlrpc-c-1.16.32/src/test/testtool.c 2012-09-07 12:06:54.261302880 -0700 +@@ -0,0 +1,65 @@ ++#include ++#include ++ ++#include "xmlrpc_config.h" ++#include "xmlrpc-c/util.h" ++#include "xmlrpc-c/util_int.h" ++ ++#include "test.h" ++ /* Defines global variable, 'total_tests', 'total_failures' */ ++ ++ ++/* This is a good place to set a breakpoint. */ ++void ++test_failure(const char * const file, ++ unsigned int const line, ++ const char * const label, ++ const char * const statement) { ++ ++ ++total_failures; ++ printf("\n%s:%u: test failure: %s (%s)\n", file, line, label, statement); ++ ++ /* We abort rather than exit so one can tell from a dump or debug session ++ who called us. ++ */ ++ abort(); ++} ++ ++ ++ ++void ++test_fault(xmlrpc_env * const envP, ++ int const expectedCode, ++ const char * const fileName, ++ unsigned int const lineNumber) { ++ ++ ++total_tests; ++ ++ if (!envP->fault_occurred) ++ test_failure(fileName, lineNumber, "no fault occurred", ""); ++ else if (envP->fault_code != expectedCode) ++ test_failure(fileName, lineNumber, "wrong fault occurred", ++ envP->fault_string); ++ else ++ printf("."); ++ ++ xmlrpc_env_clean(envP); ++ xmlrpc_env_init(envP); ++} ++ ++ ++ ++void ++test_null_string(const char * const string, ++ const char * const fileName, ++ unsigned int const lineNumber) { ++ ++ ++total_tests; ++ ++ if (string != NULL) ++ test_failure(fileName, lineNumber, "string not null", string); ++ else ++ printf("."); ++} ++ ++ +Index: xmlrpc-c-1.16.32/src/cpp/test/Makefile +=================================================================== +--- xmlrpc-c-1.16.32.orig/src/cpp/test/Makefile 2012-09-07 11:54:45.209317841 -0700 ++++ xmlrpc-c-1.16.32/src/cpp/test/Makefile 2012-09-07 12:01:12.457309894 -0700 +@@ -19,18 +19,16 @@ + + CXXFLAGS = $(CXXFLAGS_COMMON) $(CFLAGS_PERSONAL) $(CADD) + +-LDFLAGS += $(shell $(XMLRPC_C_CONFIG) client --ldadd) ++LIBS := $(shell $(XMLRPC_C_CONFIG) client --ldadd) + + ifeq ($(MUST_BUILD_CURL_CLIENT),yes) +- LDFLAGS += $(shell curl-config --libs) ++ LIBS += $(shell curl-config --libs) + endif + ifeq ($(MUST_BUILD_LIBWWW_CLIENT),yes) +- LDFLAGS += $(shell libwww-config --libs) ++ LIBS += $(shell libwww-config --libs) + endif + +-LDFLAGS += "-lpthread" +- +-LDFLAGS += $(LADD) ++LIBS += -lpthread + + INCLUDES = -Isrcdir/include -I$(BLDDIR) -Isrcdir -Isrcdir/lib/util/include + +@@ -69,13 +67,13 @@ + ifneq ($(ENABLE_LIBXML2_BACKEND),yes) + # We're using the internal Expat XML parser + TEST_LIBS += $(LIBXMLRPC_XMLPARSE_A) $(LIBXMLRPC_XMLTOK_A) +- LDADD_XML = ++ LIB_XML = + else +- LDADD_XML = $(shell xml2-config --libs) ++ LIB_XML = $(shell xml2-config --libs) + endif + + test: $(TEST_OBJS) $(TEST_LIBS) +- $(CXXLD) -o $@ $(LDFLAGS) $(LDADD_XML) $^ ++ $(CXXLD) -o $@ $(LDFLAGS) $(LADD) $^ $(LIB_XML) $(LIBS) + + %.o:%.cpp + $(CXX) -c $(INCLUDES) $(CXXFLAGS) $< --- xmlrpc-c-1.16.33.orig/debian/patches/CVE-2016-5300-2.patch +++ xmlrpc-c-1.16.33/debian/patches/CVE-2016-5300-2.patch @@ -0,0 +1,31 @@ +Description: fix use of too little entropy +Origin: upstream, https://sourceforge.net/p/expat/code_git/ci/ca523deca47303436fe522d030dbd9af3635be60/ + +Index: xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:21:22.082656056 +0300 ++++ xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:22:36.231584620 +0300 +@@ -587,11 +587,12 @@ + } + + static unsigned long +-generate_hash_secret_salt(void) ++generate_hash_secret_salt(XML_Parser parser) + { + /* Process ID is 0 bits entropy if attacker has local access ++ * XML_Parser address is few bits of entropy if attacker has local access + * Factor is 2^61-1 (Mersenne prime M61) */ +- return (gather_time_entropy() ^ getpid()) * 2305843009213693951; ++ return (gather_time_entropy() ^ getpid() ^ (unsigned long)parser) * 2305843009213693951; + } + + static int /* only valid for root parser */ +@@ -613,7 +614,7 @@ + + /* hash functions must be initialized before setContext() is called */ + if (hash_secret_salt == 0) +- hash_secret_salt = generate_hash_secret_salt(); ++ hash_secret_salt = generate_hash_secret_salt(parser); + if (parser) + return setContext(parser, implicitContext); + return 0; --- xmlrpc-c-1.16.33.orig/debian/patches/CVE-2015-1283.patch +++ xmlrpc-c-1.16.33/debian/patches/CVE-2015-1283.patch @@ -0,0 +1,38 @@ +Description: fix multiple integer overflows in the XML_GetBuffer function +Origin: Mozilla, https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c + +Index: xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:04:17.341673937 +0300 ++++ xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:09:20.009541259 +0300 +@@ -4553,9 +4553,17 @@ + void * + xmlrpc_XML_GetBuffer(XML_Parser parser, int len) + { ++ if (len < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return 0; ++ } + if (len > bufferLim - bufferEnd) { + /* FIXME avoid integer overflow */ + int neededSize = len + (bufferEnd - bufferPtr); ++ if (neededSize < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return 0; ++ } + if (neededSize <= bufferLim - buffer) { + memmove(buffer, bufferPtr, bufferEnd - bufferPtr); + bufferEnd = buffer + (bufferEnd - bufferPtr); +@@ -4568,7 +4576,11 @@ + bufferSize = INIT_BUFFER_SIZE; + do { + bufferSize *= 2; +- } while (bufferSize < neededSize); ++ } while (bufferSize < neededSize && bufferSize > 0); ++ if (bufferSize <= 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return 0; ++ } + newBuf = malloc(bufferSize); + if (newBuf == 0) { + errorCode = XML_ERROR_NO_MEMORY; --- xmlrpc-c-1.16.33.orig/debian/patches/CVE-2016-0718.patch +++ xmlrpc-c-1.16.33/debian/patches/CVE-2016-0718.patch @@ -0,0 +1,732 @@ +Description: fix denial of service and possible code execution via + malformed documents +Origin: backported from original patch by Sebastian Pipping + +Index: xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:52:57.387157051 +0300 ++++ xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c 2016-06-14 17:04:17.176151856 +0300 +@@ -481,9 +481,14 @@ + } + } + if (pool->blocks && pool->start == pool->blocks->s) { +- int blockSize = (pool->end - pool->start)*2; +- BLOCK *temp = realloc(pool->blocks, offsetof(BLOCK, s) + +- blockSize * sizeof(XML_Char)); ++ BLOCK *temp; ++ int blockSize = (int)((unsigned)(pool->end - pool->start)*2U); ++ ++ if (blockSize < 0) ++ return 0; ++ ++ temp = realloc(pool->blocks, offsetof(BLOCK, s) + ++ blockSize * sizeof(XML_Char)); + if (!temp) + return 0; + pool->blocks = temp; +@@ -495,6 +500,10 @@ + else { + BLOCK *tem; + int blockSize = pool->end - pool->start; ++ ++ if (blockSize < 0) ++ return 0; ++ + if (blockSize < INIT_BLOCK_SIZE) + blockSize = INIT_BLOCK_SIZE; + else +@@ -524,8 +533,8 @@ + if (!pool->ptr && !poolGrow(pool)) + return 0; + for (;;) { +- XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end); +- if (ptr == end) ++ const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end); ++ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) + break; + if (!poolGrow(pool)) + return 0; +@@ -1200,6 +1209,7 @@ + s = startArg; + + if (MUST_CONVERT(enc, s)) { ++ enum XML_Convert_Result convert_res; + const char **eventPP; + const char **eventEndPP; + +@@ -1213,11 +1223,11 @@ + } + do { + ICHAR *dataPtr = (ICHAR *)dataBuf; +- XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd); ++ convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd); + *eventEndPP = s; + defaultHandler(handlerArg, dataBuf, dataPtr - (ICHAR *)dataBuf); + *eventPP = s; +- } while (s != end); ++ } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE)); + } else + defaultHandler(handlerArg, (XML_Char *)s, + (XML_Char *)end - (XML_Char *)s); +@@ -2225,10 +2235,10 @@ + if (MUST_CONVERT(enc, s)) { + for (;;) { + ICHAR *dataPtr = (ICHAR *)dataBuf; +- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); ++ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); + *eventEndPP = next; + characterDataHandler(handlerArg, dataBuf, dataPtr - (ICHAR *)dataBuf); +- if (s == next) ++ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) + break; + *eventPP = s; + } +@@ -2531,10 +2541,10 @@ + else + toPtr = (XML_Char *)tag->buf; + tag->name.str = toPtr; +- XmlConvert(enc, ++ const enum XML_Convert_Result convert_res = XmlConvert(enc, + &fromPtr, rawNameEnd, + (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1); +- if (fromPtr == rawNameEnd) ++ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) + break; + else { + int const bufSize = (tag->bufEnd - tag->buf) << 1; +Index: xmlrpc-c-1.16.33/lib/expat/xmltok/xmltok.c +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmltok/xmltok.c 2011-02-18 20:24:00.000000000 +0200 ++++ xmlrpc-c-1.16.33/lib/expat/xmltok/xmltok.c 2016-06-14 17:19:47.445223466 +0300 +@@ -259,47 +259,69 @@ + UTF8_cval4 = 0xf0 + }; + +-static +-void utf8_toUtf8(const ENCODING * enc ATTR_UNUSED, ++static enum XML_Convert_Result ++utf8_toUtf8(const ENCODING * enc ATTR_UNUSED, + const char **fromP, const char *fromLim, + char **toP, const char *toLim) + { ++ enum XML_Convert_Result res = XML_CONVERT_COMPLETED; + char *to; + const char *from; + if (fromLim - *fromP > toLim - *toP) { + /* Avoid copying partial characters. */ ++ res = XML_CONVERT_OUTPUT_EXHAUSTED; + for (fromLim = *fromP + (toLim - *toP); fromLim > *fromP; fromLim--) + if (((unsigned char)fromLim[-1] & 0xc0) != 0x80) + break; + } +- for (to = *toP, from = *fromP; from != fromLim; from++, to++) ++ for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++) + *to = *from; + *fromP = from; + *toP = to; ++ ++ if ((to == toLim) && (from < fromLim)) ++ return XML_CONVERT_OUTPUT_EXHAUSTED; ++ else ++ return res; + } + +-static +-void utf8_toUtf16(const ENCODING *enc, ++static enum XML_Convert_Result ++utf8_toUtf16(const ENCODING *enc, + const char **fromP, const char *fromLim, + unsigned short **toP, const unsigned short *toLim) + { ++ enum XML_Convert_Result res = XML_CONVERT_COMPLETED; + unsigned short *to = *toP; + const char *from = *fromP; +- while (from != fromLim && to != toLim) { ++ while (from < fromLim && to < toLim) { + switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) { + case BT_LEAD2: ++ if (fromLim - from < 2) { ++ res = XML_CONVERT_INPUT_INCOMPLETE; ++ break; ++ } + *to++ = ((from[0] & 0x1f) << 6) | (from[1] & 0x3f); + from += 2; + break; + case BT_LEAD3: ++ if (fromLim - from < 3) { ++ res = XML_CONVERT_INPUT_INCOMPLETE; ++ break; ++ } + *to++ = ((from[0] & 0xf) << 12) | ((from[1] & 0x3f) << 6) | (from[2] & 0x3f); + from += 3; + break; + case BT_LEAD4: + { + unsigned long n; +- if (to + 1 == toLim) +- break; ++ if (toLim - to < 2) { ++ res = XML_CONVERT_OUTPUT_EXHAUSTED; ++ goto after; ++ } ++ if (fromLim - from < 4) { ++ res = XML_CONVERT_INPUT_INCOMPLETE; ++ goto after; ++ } + n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12) | ((from[2] & 0x3f) << 6) | (from[3] & 0x3f); + n -= 0x10000; + to[0] = (unsigned short)((n >> 10) | 0xD800); +@@ -313,8 +335,10 @@ + break; + } + } ++after: + *fromP = from; + *toP = to; ++ return res; + } + + static const struct normal_encoding utf8_encoding_ns = { +@@ -357,38 +381,43 @@ + STANDARD_VTABLE(sb_) NORMAL_VTABLE(utf8_) + }; + +-static +-void latin1_toUtf8(const ENCODING *enc ATTR_UNUSED, ++static enum XML_Convert_Result ++latin1_toUtf8(const ENCODING *enc ATTR_UNUSED, + const char **fromP, const char *fromLim, + char **toP, const char *toLim) + { + for (;;) { + unsigned char c; + if (*fromP == fromLim) +- break; ++ return XML_CONVERT_COMPLETED; + c = (unsigned char)**fromP; + if (c & 0x80) { + if (toLim - *toP < 2) +- break; ++ return XML_CONVERT_OUTPUT_EXHAUSTED; + *(*toP)++ = ((c >> 6) | UTF8_cval2); + *(*toP)++ = ((c & 0x3f) | 0x80); + (*fromP)++; + } + else { + if (*toP == toLim) +- break; ++ return XML_CONVERT_OUTPUT_EXHAUSTED; + *(*toP)++ = *(*fromP)++; + } + } + } + +-static +-void latin1_toUtf16(const ENCODING *enc ATTR_UNUSED, ++static enum XML_Convert_Result ++latin1_toUtf16(const ENCODING *enc ATTR_UNUSED, + const char **fromP, const char *fromLim, + unsigned short **toP, const unsigned short *toLim) + { +- while (*fromP != fromLim && *toP != toLim) ++ while (*fromP < fromLim && *toP < toLim) + *(*toP)++ = (unsigned char)*(*fromP)++; ++ ++ if ((*toP == toLim) && (*fromP < fromLim)) ++ return XML_CONVERT_OUTPUT_EXHAUSTED; ++ else ++ return XML_CONVERT_COMPLETED; + } + + static const struct normal_encoding latin1_encoding_ns = { +@@ -411,13 +440,18 @@ + STANDARD_VTABLE(sb_) NULL_NORMAL_VTABLE + }; + +-static +-void ascii_toUtf8(const ENCODING *enc ATTR_UNUSED, ++static enum XML_Convert_Result ++ascii_toUtf8(const ENCODING *enc ATTR_UNUSED, + const char **fromP, const char *fromLim, + char **toP, const char *toLim) + { +- while (*fromP != fromLim && *toP != toLim) ++ while (*fromP < fromLim && *toP < toLim) + *(*toP)++ = *(*fromP)++; ++ ++ if ((*toP == toLim) && (*fromP < fromLim)) ++ return XML_CONVERT_OUTPUT_EXHAUSTED; ++ else ++ return XML_CONVERT_COMPLETED; + } + + static const struct normal_encoding ascii_encoding_ns = { +@@ -459,13 +493,14 @@ + } + + #define DEFINE_UTF16_TO_UTF8(E) \ +-static \ +-void E ## toUtf8(const ENCODING *enc ATTR_UNUSED, \ ++static enum XML_Convert_Result \ ++E ## toUtf8(const ENCODING *enc ATTR_UNUSED, \ + const char **fromP, const char *fromLim, \ + char **toP, const char *toLim) \ + { \ +- const char *from; \ +- for (from = *fromP; from != fromLim; from += 2) { \ ++ const char *from = *fromP; \ ++ fromLim = from + (((fromLim - from) >> 1) << 1); /* shrink to even */ \ ++ for (; from < fromLim; from += 2) { \ + int plane; \ + unsigned char lo2; \ + unsigned char lo = GET_LO(from); \ +@@ -475,7 +510,7 @@ + if (lo < 0x80) { \ + if (*toP == toLim) { \ + *fromP = from; \ +- return; \ ++ return XML_CONVERT_OUTPUT_EXHAUSTED; \ + } \ + *(*toP)++ = lo; \ + break; \ +@@ -485,7 +520,7 @@ + case 0x4: case 0x5: case 0x6: case 0x7: \ + if (toLim - *toP < 2) { \ + *fromP = from; \ +- return; \ ++ return XML_CONVERT_OUTPUT_EXHAUSTED; \ + } \ + *(*toP)++ = ((lo >> 6) | (hi << 2) | UTF8_cval2); \ + *(*toP)++ = ((lo & 0x3f) | 0x80); \ +@@ -493,7 +528,7 @@ + default: \ + if (toLim - *toP < 3) { \ + *fromP = from; \ +- return; \ ++ return XML_CONVERT_OUTPUT_EXHAUSTED; \ + } \ + /* 16 bits divided 4, 6, 6 amongst 3 bytes */ \ + *(*toP)++ = ((hi >> 4) | UTF8_cval3); \ +@@ -503,7 +538,11 @@ + case 0xD8: case 0xD9: case 0xDA: case 0xDB: \ + if (toLim - *toP < 4) { \ + *fromP = from; \ +- return; \ ++ return XML_CONVERT_OUTPUT_EXHAUSTED; \ ++ } \ ++ if (fromLim - from < 4) { \ ++ *fromP = from; \ ++ return XML_CONVERT_INPUT_INCOMPLETE; \ + } \ + plane = (((hi & 0x3) << 2) | ((lo >> 6) & 0x3)) + 1; \ + *(*toP)++ = ((plane >> 2) | UTF8_cval4); \ +@@ -519,20 +558,32 @@ + } \ + } \ + *fromP = from; \ ++ if (from < fromLim) \ ++ return XML_CONVERT_INPUT_INCOMPLETE; \ ++ else \ ++ return XML_CONVERT_COMPLETED; \ + } + + #define DEFINE_UTF16_TO_UTF16(E) \ +-static \ +-void E ## toUtf16(const ENCODING *enc ATTR_UNUSED, \ ++static enum XML_Convert_Result \ ++E ## toUtf16(const ENCODING *enc ATTR_UNUSED, \ + const char **fromP, const char *fromLim, \ + unsigned short **toP, const unsigned short *toLim) \ + { \ ++ enum XML_Convert_Result res = XML_CONVERT_COMPLETED; \ ++ fromLim = *fromP + (((fromLim - *fromP) >> 1) << 1); /* shrink to even */ \ + /* Avoid copying first half only of surrogate */ \ + if (fromLim - *fromP > ((toLim - *toP) << 1) \ +- && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) \ ++ && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) { \ + fromLim -= 2; \ +- for (; *fromP != fromLim && *toP != toLim; *fromP += 2) \ ++ res = XML_CONVERT_INPUT_INCOMPLETE; \ ++ } \ ++ for (; *fromP < fromLim && *toP < toLim; *fromP += 2) \ + *(*toP)++ = (GET_HI(*fromP) << 8) | GET_LO(*fromP); \ ++ if ((*toP == toLim) && (*fromP < fromLim)) \ ++ return XML_CONVERT_OUTPUT_EXHAUSTED; \ ++ else \ ++ return res; \ + } + + #define SET2(ptr, ch) \ +@@ -1198,8 +1249,8 @@ + return (c & ~0xFFFF) || checkCharRefNumber(c) < 0; + } + +-static +-void unknown_toUtf8(const ENCODING *enc, ++static enum XML_Convert_Result ++unknown_toUtf8(const ENCODING *enc, + const char **fromP, const char *fromLim, + char **toP, const char *toLim) + { +@@ -1208,7 +1259,7 @@ + const char *utf8; + int n; + if (*fromP == fromLim) +- break; ++ return XML_CONVERT_COMPLETED; + utf8 = ((const struct unknown_encoding *)enc)->utf8[(unsigned char)**fromP]; + n = *utf8++; + if (n == 0) { +@@ -1216,14 +1267,14 @@ + ->convert(((const struct unknown_encoding *)enc)->userData, *fromP); + n = xmlrpc_XmlUtf8Encode(c, buf); + if (n > toLim - *toP) +- break; ++ return XML_CONVERT_OUTPUT_EXHAUSTED; + utf8 = buf; + *fromP += ((const struct normal_encoding *)enc)->type[(unsigned char)**fromP] + - (BT_LEAD2 - 2); + } + else { + if (n > toLim - *toP) +- break; ++ return XML_CONVERT_OUTPUT_EXHAUSTED; + (*fromP)++; + } + do { +@@ -1232,12 +1283,12 @@ + } + } + +-static +-void unknown_toUtf16(const ENCODING *enc, ++static enum XML_Convert_Result ++unknown_toUtf16(const ENCODING *enc, + const char **fromP, const char *fromLim, + unsigned short **toP, const unsigned short *toLim) + { +- while (*fromP != fromLim && *toP != toLim) { ++ while (*fromP < fromLim && *toP < toLim) { + unsigned short c + = ((const struct unknown_encoding *)enc)->utf16[(unsigned char)**fromP]; + if (c == 0) { +@@ -1250,6 +1301,11 @@ + (*fromP)++; + *(*toP)++ = c; + } ++ ++ if ((*toP == toLim) && (*fromP < fromLim)) ++ return XML_CONVERT_OUTPUT_EXHAUSTED; ++ else ++ return XML_CONVERT_COMPLETED; + } + + ENCODING * +@@ -1408,7 +1464,7 @@ + { + const ENCODING **encPtr; + +- if (ptr == end) ++ if (ptr >= end) + return XML_TOK_NONE; + encPtr = enc->encPtr; + if (ptr + 1 == end) { +Index: xmlrpc-c-1.16.33/lib/expat/xmltok/xmltok.h +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmltok/xmltok.h 2011-02-18 20:24:00.000000000 +0200 ++++ xmlrpc-c-1.16.33/lib/expat/xmltok/xmltok.h 2016-06-14 17:21:13.618392286 +0300 +@@ -114,6 +114,12 @@ + char normalized; + } ATTRIBUTE; + ++enum XML_Convert_Result { ++ XML_CONVERT_COMPLETED = 0, ++ XML_CONVERT_INPUT_INCOMPLETE = 1, ++ XML_CONVERT_OUTPUT_EXHAUSTED = 2 /* and therefore potentially input remaining as well */ ++}; ++ + struct encoding; + typedef struct encoding ENCODING; + +@@ -142,12 +148,12 @@ + POSITION *); + int (*isPublicId)(const ENCODING *enc, const char *ptr, const char *end, + const char **badPtr); +- void (*utf8Convert)(const ENCODING *enc, ++ enum XML_Convert_Result (*utf8Convert)(const ENCODING *enc, + const char **fromP, + const char *fromLim, + char **toP, + const char *toLim); +- void (*utf16Convert)(const ENCODING *enc, ++ enum XML_Convert_Result (*utf16Convert)(const ENCODING *enc, + const char **fromP, + const char *fromLim, + unsigned short **toP, +Index: xmlrpc-c-1.16.33/lib/expat/xmltok/xmltok_impl.c +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmltok/xmltok_impl.c 2011-02-18 20:24:00.000000000 +0200 ++++ xmlrpc-c-1.16.33/lib/expat/xmltok/xmltok_impl.c 2016-06-14 17:27:55.179951282 +0300 +@@ -91,13 +91,13 @@ + int PREFIX(scanComment)(const ENCODING *enc, const char *ptr, const char *end, + const char **nextTokPtr) + { +- if (ptr != end) { ++ if (ptr < end) { + if (!CHAR_MATCHES(enc, ptr, ASCII_MINUS)) { + *nextTokPtr = ptr; + return XML_TOK_INVALID; + } + ptr += MINBPC(enc); +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + INVALID_CASES(ptr, nextTokPtr) + case BT_MINUS: +@@ -145,7 +145,7 @@ + *nextTokPtr = ptr; + return XML_TOK_INVALID; + } +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + case BT_PERCNT: + if (ptr + MINBPC(enc) == end) +@@ -233,7 +233,7 @@ + *nextTokPtr = ptr; + return XML_TOK_INVALID; + } +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) + case BT_S: case BT_CR: case BT_LF: +@@ -242,7 +242,7 @@ + return XML_TOK_INVALID; + } + ptr += MINBPC(enc); +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + INVALID_CASES(ptr, nextTokPtr) + case BT_QUEST: +@@ -307,7 +307,7 @@ + int PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr, const char *end, + const char **nextTokPtr) + { +- if (ptr == end) ++ if (ptr >= end) + return XML_TOK_NONE; + if (MINBPC(enc) > 1) { + size_t n = end - ptr; +@@ -350,7 +350,7 @@ + ptr += MINBPC(enc); + break; + } +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + #define LEAD_CASE(n) \ + case BT_LEAD ## n: \ +@@ -393,11 +393,11 @@ + *nextTokPtr = ptr; + return XML_TOK_INVALID; + } +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) + case BT_S: case BT_CR: case BT_LF: +- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) { ++ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) { + switch (BYTE_TYPE(enc, ptr)) { + case BT_S: case BT_CR: case BT_LF: + break; +@@ -431,7 +431,7 @@ + int PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr, const char *end, + const char **nextTokPtr) + { +- if (ptr != end) { ++ if (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + case BT_DIGIT: + case BT_HEX: +@@ -440,7 +440,7 @@ + *nextTokPtr = ptr; + return XML_TOK_INVALID; + } +- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) { ++ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) { + switch (BYTE_TYPE(enc, ptr)) { + case BT_DIGIT: + case BT_HEX: +@@ -463,7 +463,7 @@ + int PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr, const char *end, + const char **nextTokPtr) + { +- if (ptr != end) { ++ if (ptr < end) { + if (CHAR_MATCHES(enc, ptr, ASCII_x)) + return PREFIX(scanHexCharRef)(enc, ptr + MINBPC(enc), end, nextTokPtr); + switch (BYTE_TYPE(enc, ptr)) { +@@ -473,7 +473,7 @@ + *nextTokPtr = ptr; + return XML_TOK_INVALID; + } +- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) { ++ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) { + switch (BYTE_TYPE(enc, ptr)) { + case BT_DIGIT: + break; +@@ -505,7 +505,7 @@ + *nextTokPtr = ptr; + return XML_TOK_INVALID; + } +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) + case BT_SEMI: +@@ -526,7 +526,7 @@ + const char **nextTokPtr) + { + int hadColon = 0; +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) + case BT_COLON: +@@ -705,7 +705,7 @@ + } + hadColon = 0; + /* we have a start-tag */ +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) + case BT_COLON: +@@ -727,7 +727,7 @@ + case BT_S: case BT_CR: case BT_LF: + { + ptr += MINBPC(enc); +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + CHECK_NMSTRT_CASES(enc, ptr, end, nextTokPtr) + case BT_GT: +@@ -772,7 +772,7 @@ + int PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end, + const char **nextTokPtr) + { +- if (ptr == end) ++ if (ptr >= end) + return XML_TOK_NONE; + if (MINBPC(enc) > 1) { + size_t n = end - ptr; +@@ -819,7 +819,7 @@ + ptr += MINBPC(enc); + break; + } +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + #define LEAD_CASE(n) \ + case BT_LEAD ## n: \ +@@ -882,7 +882,7 @@ + *nextTokPtr = ptr; + return XML_TOK_INVALID; + } +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) + case BT_SEMI: +@@ -908,7 +908,7 @@ + *nextTokPtr = ptr; + return XML_TOK_INVALID; + } +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) + case BT_CR: case BT_LF: case BT_S: +@@ -928,7 +928,7 @@ + const char *ptr, const char *end, + const char **nextTokPtr) + { +- while (ptr != end) { ++ while (ptr < end) { + int t = BYTE_TYPE(enc, ptr); + switch (t) { + INVALID_CASES(ptr, nextTokPtr) +@@ -960,7 +960,7 @@ + const char **nextTokPtr) + { + int tok; +- if (ptr == end) ++ if (ptr >= end) + return XML_TOK_NONE; + if (MINBPC(enc) > 1) { + size_t n = end - ptr; +@@ -1123,7 +1123,7 @@ + *nextTokPtr = ptr; + return XML_TOK_INVALID; + } +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) + case BT_GT: case BT_RPAR: case BT_COMMA: +@@ -1184,10 +1184,10 @@ + const char **nextTokPtr) + { + const char *start; +- if (ptr == end) ++ if (ptr >= end) + return XML_TOK_NONE; + start = ptr; +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + #define LEAD_CASE(n) \ + case BT_LEAD ## n: ptr += n; break; +@@ -1242,10 +1242,10 @@ + const char **nextTokPtr) + { + const char *start; +- if (ptr == end) ++ if (ptr >= end) + return XML_TOK_NONE; + start = ptr; +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + #define LEAD_CASE(n) \ + case BT_LEAD ## n: ptr += n; break; +@@ -1303,7 +1303,7 @@ + end = ptr + n; + } + } +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + INVALID_CASES(ptr, nextTokPtr) + case BT_LT: +@@ -1350,7 +1350,7 @@ + { + ptr += MINBPC(enc); + end -= MINBPC(enc); +- for (; ptr != end; ptr += MINBPC(enc)) { ++ for (; ptr < end; ptr += MINBPC(enc)) { + switch (BYTE_TYPE(enc, ptr)) { + case BT_DIGIT: + case BT_HEX: +@@ -1727,7 +1727,7 @@ + case BT_CR: + pos->lineNumber++; + ptr += MINBPC(enc); +- if (ptr != end && BYTE_TYPE(enc, ptr) == BT_LF) ++ if (ptr < end && BYTE_TYPE(enc, ptr) == BT_LF) + ptr += MINBPC(enc); + pos->columnNumber = (unsigned)-1; + break; --- xmlrpc-c-1.16.33.orig/debian/patches/CVE-2012-6702-1.patch +++ xmlrpc-c-1.16.33/debian/patches/CVE-2012-6702-1.patch @@ -0,0 +1,38 @@ +Description: fix unanticipated internal calls to srand +Origin: upstream, https://sourceforge.net/p/expat/code_git/ci/6acb0a47372a9079cc6ff70c384f015a47f2c34a/ + +Index: xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:19:00.592880706 +0300 ++++ xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:20:17.181842289 +0300 +@@ -18,7 +18,9 @@ + #include + #include + #include /* UINT_MAX */ +-#include /* time() */ ++#include /* gettimeofday() */ ++#include /* getpid() */ ++#include /* getpid() */ + + #include "xmlrpc_config.h" + #include "c_util.h" +@@ -574,9 +576,16 @@ + static unsigned long + generate_hash_secret_salt(void) + { +- unsigned int seed = time(NULL) % UINT_MAX; +- srand(seed); +- return rand(); ++ struct timeval tv; ++ int gettimeofday_res; ++ ++ gettimeofday_res = gettimeofday(&tv, NULL); ++ assert (gettimeofday_res == 0); ++ ++ /* Microseconds time is <20 bits entropy ++ * Process ID is 0 bits entropy if attacker has local access ++ * Factor is 2^61-1 (Mersenne prime M61) */ ++ return (tv.tv_usec ^ getpid()) * 2305843009213693951; + } + + static int /* only valid for root parser */ --- xmlrpc-c-1.16.33.orig/debian/patches/CVE-2012-0876.patch +++ xmlrpc-c-1.16.33/debian/patches/CVE-2012-0876.patch @@ -0,0 +1,541 @@ +Description: Prevent predictable hash collisions by using a random salt value + Backported from the upstream Expat sources to the embedded copy of Expat in + xmlrpc-c. +Origin: backport, http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?view=revision&revision=2391 +Index: xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmlparse/xmlparse.c 2012-09-06 09:54:29.920445233 -0700 ++++ xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c 2012-09-06 11:42:34.792312153 -0700 +@@ -17,6 +17,8 @@ + + #include + #include ++#include /* UINT_MAX */ ++#include /* time() */ + + #include "xmlrpc_config.h" + #include "c_util.h" +@@ -211,6 +213,8 @@ + enum XML_Error * const errorCodeP, + const char ** const errorP); + ++static ++int setContext(XML_Parser parser, const XML_Char *context); + + #define poolStart(pool) ((pool)->start) + #define poolEnd(pool) ((pool)->ptr) +@@ -314,6 +318,7 @@ + XML_Char m_namespaceSeparator; + enum XML_ParamEntityParsing m_paramEntityParsing; + XML_Parser m_parentParser; ++ unsigned long m_hash_secret_salt; + } Parser; + + #define userData (((Parser *)parser)->m_userData) +@@ -391,6 +396,7 @@ + #define namespaceSeparator (((Parser *)parser)->m_namespaceSeparator) + #define parentParser (((Parser *)parser)->m_parentParser) + #define paramEntityParsing (((Parser *)parser)->m_paramEntityParsing) ++#define hash_secret_salt (((Parser *)parser)->m_hash_secret_salt) + + + +@@ -564,6 +570,39 @@ + return pool->start; + } + ++static unsigned long ++generate_hash_secret_salt(void) ++{ ++ unsigned int seed = time(NULL) % UINT_MAX; ++ srand(seed); ++ return rand(); ++} ++ ++static int /* only valid for root parser */ ++startParsing(XML_Parser parser) ++{ ++ static ++ const XML_Char implicitContext[] = { ++ XML_T('x'), XML_T('m'), XML_T('l'), XML_T('='), ++ XML_T('h'), XML_T('t'), XML_T('t'), XML_T('p'), XML_T(':'), ++ XML_T('/'), XML_T('/'), XML_T('w'), XML_T('w'), XML_T('w'), ++ XML_T('.'), XML_T('w'), XML_T('3'), ++ XML_T('.'), XML_T('o'), XML_T('r'), XML_T('g'), ++ XML_T('/'), XML_T('X'), XML_T('M'), XML_T('L'), ++ XML_T('/'), XML_T('1'), XML_T('9'), XML_T('9'), XML_T('8'), ++ XML_T('/'), XML_T('n'), XML_T('a'), XML_T('m'), XML_T('e'), ++ XML_T('s'), XML_T('p'), XML_T('a'), XML_T('c'), XML_T('e'), ++ XML_T('\0') ++ }; ++ ++ /* hash functions must be initialized before setContext() is called */ ++ if (hash_secret_salt == 0) ++ hash_secret_salt = generate_hash_secret_salt(); ++ if (parser) ++ return setContext(parser, implicitContext); ++ return 0; ++} ++ + #define INIT_SIZE 64 + + static +@@ -576,16 +615,16 @@ + } + + static +-unsigned long hash(KEY s) ++unsigned long hash(XML_Parser parser, KEY s) + { +- unsigned long h = 0; ++ unsigned long h = hash_secret_salt; + while (*s) + h = (h << 5) + h + (unsigned char)*s++; + return h; + } + + static +-NAMED *lookup(HASH_TABLE *table, KEY name, size_t createSize) ++NAMED *lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) + { + size_t i; + if (table->size == 0) { +@@ -596,10 +635,10 @@ + return 0; + table->size = INIT_SIZE; + table->usedLim = INIT_SIZE / 2; +- i = hash(name) & (table->size - 1); ++ i = hash(parser, name) & (table->size - 1); + } + else { +- unsigned long h = hash(name); ++ unsigned long h = hash(parser, name); + for (i = h & (table->size - 1); + table->v[i]; + i == 0 ? i = table->size - 1 : --i) { +@@ -617,7 +656,7 @@ + for (i = 0; i < table->size; i++) + if (table->v[i]) { + size_t j; +- for (j = hash(table->v[i]->name) & (newSize - 1); ++ for (j = hash(parser, table->v[i]->name) & (newSize - 1); + newV[j]; + j == 0 ? j = newSize - 1 : --j) + ; +@@ -730,7 +769,8 @@ + poolDestroy(&(p->pool)); + } + +-static int copyEntityTable(HASH_TABLE *newTable, ++static int copyEntityTable(XML_Parser oldParser, ++ HASH_TABLE *newTable, + STRING_POOL *newPool, + const HASH_TABLE *oldTable) + { +@@ -749,7 +789,7 @@ + name = poolCopyString(newPool, oldE->name); + if (!name) + return 0; +- newE = (ENTITY *)lookup(newTable, name, sizeof(ENTITY)); ++ newE = (ENTITY *)lookup(oldParser, newTable, name, sizeof(ENTITY)); + if (!newE) + return 0; + if (oldE->systemId) { +@@ -792,7 +832,7 @@ + /* Do a deep copy of the DTD. Return 0 for out of memory; non-zero otherwise. + The new DTD has already been initialized. */ + +-static int dtdCopy(DTD *newDtd, const DTD *oldDtd) ++static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd) + { + HASH_TABLE_ITER iter; + +@@ -807,7 +847,7 @@ + name = poolCopyString(&(newDtd->pool), oldP->name); + if (!name) + return 0; +- if (!lookup(&(newDtd->prefixes), name, sizeof(PREFIX))) ++ if (!lookup(oldParser, &(newDtd->prefixes), name, sizeof(PREFIX))) + return 0; + } + +@@ -830,7 +870,7 @@ + return 0; + ++name; + newA = (ATTRIBUTE_ID *) +- lookup(&(newDtd->attributeIds), name, sizeof(ATTRIBUTE_ID)); ++ lookup(oldParser, &(newDtd->attributeIds), name, sizeof(ATTRIBUTE_ID)); + if (!newA) + return 0; + newA->maybeTokenized = oldA->maybeTokenized; +@@ -840,7 +880,7 @@ + newA->prefix = &newDtd->defaultPrefix; + else + newA->prefix = (PREFIX *) +- lookup(&(newDtd->prefixes), oldA->prefix->name, 0); ++ lookup(oldParser, &(newDtd->prefixes), oldA->prefix->name, 0); + } + } + +@@ -859,7 +899,7 @@ + if (!name) + return 0; + newE = (ELEMENT_TYPE *) +- lookup(&(newDtd->elementTypes), name, sizeof(ELEMENT_TYPE)); ++ lookup(oldParser, &(newDtd->elementTypes), name, sizeof(ELEMENT_TYPE)); + if (!newE) + return 0; + if (oldE->nDefaultAtts) { +@@ -870,14 +910,15 @@ + } + if (oldE->idAtt) + newE->idAtt = (ATTRIBUTE_ID *) +- lookup(&(newDtd->attributeIds), oldE->idAtt->name, 0); ++ lookup(oldParser, &(newDtd->attributeIds), oldE->idAtt->name, 0); + newE->allocDefaultAtts = newE->nDefaultAtts = oldE->nDefaultAtts; + if (oldE->prefix) + newE->prefix = (PREFIX *) +- lookup(&(newDtd->prefixes), oldE->prefix->name, 0); ++ lookup(oldParser, &(newDtd->prefixes), oldE->prefix->name, 0); + for (i = 0; i < newE->nDefaultAtts; i++) { + newE->defaultAtts[i].id = (ATTRIBUTE_ID *) +- lookup(&(newDtd->attributeIds), oldE->defaultAtts[i].id->name, 0); ++ lookup(oldParser, &(newDtd->attributeIds), ++ oldE->defaultAtts[i].id->name, 0); + newE->defaultAtts[i].isCdata = oldE->defaultAtts[i].isCdata; + if (oldE->defaultAtts[i].value) { + newE->defaultAtts[i].value = +@@ -891,12 +932,12 @@ + } + + /* Copy the entity tables. */ +- if (!copyEntityTable(&(newDtd->generalEntities), ++ if (!copyEntityTable(oldParser, &(newDtd->generalEntities), + &(newDtd->pool), + &(oldDtd->generalEntities))) + return 0; + +- if (!copyEntityTable(&(newDtd->paramEntities), ++ if (!copyEntityTable(oldParser, &(newDtd->paramEntities), + &(newDtd->pool), + &(oldDtd->paramEntities))) + return 0; +@@ -1043,7 +1084,8 @@ + ENTITY *e; + if (!poolAppendChar(&tempPool, XML_T('\0'))) + return 0; +- e = (ENTITY *)lookup(&dtd.generalEntities, poolStart(&tempPool), 0); ++ e = (ENTITY *)lookup(parser, &dtd.generalEntities, poolStart(&tempPool), ++ 0); + if (e) + e->open = 1; + if (*s != XML_T('\0')) +@@ -1059,7 +1101,7 @@ + if (!poolAppendChar(&tempPool, XML_T('\0'))) + return 0; + prefix = (PREFIX *) +- lookup(&dtd.prefixes, poolStart(&tempPool), sizeof(PREFIX)); ++ lookup(parser, &dtd.prefixes, poolStart(&tempPool), sizeof(PREFIX)); + if (!prefix) + return 0; + if (prefix->name == poolStart(&tempPool)) { +@@ -1370,7 +1412,8 @@ + if (!name) + return 0; + ++name; +- id = (ATTRIBUTE_ID *)lookup(&dtd.attributeIds, name, sizeof(ATTRIBUTE_ID)); ++ id = (ATTRIBUTE_ID *)lookup(parser, &dtd.attributeIds, name, ++ sizeof(ATTRIBUTE_ID)); + if (!id) + return 0; + if (id->name != name) +@@ -1388,7 +1431,8 @@ + if (name[5] == '\0') + id->prefix = &dtd.defaultPrefix; + else +- id->prefix = (PREFIX *)lookup(&dtd.prefixes, name + 6, sizeof(PREFIX)); ++ id->prefix = (PREFIX *)lookup(parser, &dtd.prefixes, name + 6, ++ sizeof(PREFIX)); + id->xmlns = 1; + } + else { +@@ -1403,7 +1447,8 @@ + if (!poolAppendChar(&dtd.pool, XML_T('\0'))) + return 0; + id->prefix = (PREFIX *) +- lookup(&dtd.prefixes, poolStart(&dtd.pool), sizeof(PREFIX)); ++ lookup(parser, &dtd.prefixes, poolStart(&dtd.pool), ++ sizeof(PREFIX)); + if (id->prefix->name == poolStart(&dtd.pool)) + poolFinish(&dtd.pool); + else +@@ -1454,7 +1499,7 @@ + if (!poolAppendChar(&dtd.pool, XML_T('\0'))) + return 0; + prefix = (PREFIX *) +- lookup(&dtd.prefixes, poolStart(&dtd.pool), sizeof(PREFIX)); ++ lookup(parser, &dtd.prefixes, poolStart(&dtd.pool), sizeof(PREFIX)); + if (!prefix) + return 0; + if (prefix->name == poolStart(&dtd.pool)) +@@ -1556,7 +1601,7 @@ + next - enc->minBytesPerChar); + if (!name) + return XML_ERROR_NO_MEMORY; +- entity = (ENTITY *)lookup(&dtd.generalEntities, name, 0); ++ entity = (ENTITY *)lookup(parser, &dtd.generalEntities, name, 0); + poolDiscard(&temp2Pool); + if (!entity) { + if (dtd.complete) { +@@ -1651,7 +1696,7 @@ + next - enc->minBytesPerChar); + if (!name) + return XML_ERROR_NO_MEMORY; +- entity = (ENTITY *)lookup(&dtd.paramEntities, name, 0); ++ entity = (ENTITY *)lookup(parser, &dtd.paramEntities, name, 0); + poolDiscard(&tempPool); + if (!entity) { + if (enc == parser->m_encoding) +@@ -1807,13 +1852,14 @@ + /* lookup the element type name */ + if (tagNamePtr) { + elementType = (ELEMENT_TYPE *) +- lookup(&dtd.elementTypes, tagNamePtr->str, 0); ++ lookup(parser, &dtd.elementTypes, tagNamePtr->str, 0); + if (!elementType) { + tagNamePtr->str = poolCopyString(&dtd.pool, tagNamePtr->str); + if (!tagNamePtr->str) + return XML_ERROR_NO_MEMORY; + elementType = (ELEMENT_TYPE *) +- lookup(&dtd.elementTypes, tagNamePtr->str, sizeof(ELEMENT_TYPE)); ++ lookup(parser, &dtd.elementTypes, tagNamePtr->str, ++ sizeof(ELEMENT_TYPE)); + if (!elementType) + return XML_ERROR_NO_MEMORY; + if (ns && !setElementTypePrefix(xmlParserP, elementType)) +@@ -1948,7 +1994,7 @@ + if (appAtts[i][-1] == 2) { + ATTRIBUTE_ID *id; + ((XML_Char *)(appAtts[i]))[-1] = 0; +- id = (ATTRIBUTE_ID *)lookup(&dtd.attributeIds, appAtts[i], 0); ++ id = (ATTRIBUTE_ID *)lookup(parser, &dtd.attributeIds, appAtts[i], 0); + if (id->prefix->binding) { + int j; + const BINDING *b = id->prefix->binding; +@@ -2311,7 +2357,7 @@ + *errorCodeP = XML_ERROR_NO_MEMORY; + return; + } +- entity = (ENTITY *)lookup(&dtd.generalEntities, name, 0); ++ entity = (ENTITY *)lookup(parser, &dtd.generalEntities, name, 0); + poolDiscard(&dtd.pool); + if (!entity) { + if (dtd.complete || dtd.standalone) +@@ -3289,7 +3335,7 @@ + } + break; + case XML_ROLE_DOCTYPE_PUBLIC_ID: +- declEntity = (ENTITY *)lookup(&dtd.paramEntities, ++ declEntity = (ENTITY *)lookup(parser, &dtd.paramEntities, + externalSubsetName, + sizeof(ENTITY)); + if (!declEntity) { +@@ -3320,7 +3366,7 @@ + if (dtd.complete && hadExternalDoctype) { + dtd.complete = 0; + if (paramEntityParsing && externalEntityRefHandler) { +- ENTITY *entity = (ENTITY *)lookup(&dtd.paramEntities, ++ ENTITY *entity = (ENTITY *)lookup(parser, &dtd.paramEntities, + externalSubsetName, + 0); + if (!externalEntityRefHandler(externalEntityRefHandlerArg, +@@ -3356,7 +3402,7 @@ + return; + } + declElementType = (ELEMENT_TYPE *) +- lookup(&dtd.elementTypes, name, sizeof(ELEMENT_TYPE)); ++ lookup(parser, &dtd.elementTypes, name, sizeof(ELEMENT_TYPE)); + if (!declElementType) { + *errorCodeP = XML_ERROR_NO_MEMORY; + return; +@@ -3432,7 +3478,8 @@ + poolFinish(&dtd.pool); + if (internalParsedEntityDeclHandler + /* Check it's not a parameter entity */ +- && ((ENTITY *)lookup(&dtd.generalEntities, declEntity->name, 0) ++ && ((ENTITY *)lookup(parser, &dtd.generalEntities, ++ declEntity->name, 0) + == declEntity)) { + *eventEndPP = s; + internalParsedEntityDeclHandler(handlerArg, +@@ -3459,7 +3506,7 @@ + } + hadExternalDoctype = 1; + if (!declEntity) { +- declEntity = (ENTITY *)lookup(&dtd.paramEntities, ++ declEntity = (ENTITY *)lookup(parser, &dtd.paramEntities, + externalSubsetName, + sizeof(ENTITY)); + if (!declEntity) { +@@ -3525,7 +3572,7 @@ + } + if (dtd.complete) { + declEntity = (ENTITY *) +- lookup(&dtd.generalEntities, name, sizeof(ENTITY)); ++ lookup(parser, &dtd.generalEntities, name, sizeof(ENTITY)); + if (!declEntity) { + *errorCodeP = XML_ERROR_NO_MEMORY; + return; +@@ -3551,7 +3598,7 @@ + return; + } + declEntity = (ENTITY *) +- lookup(&dtd.paramEntities, name, sizeof(ENTITY)); ++ lookup(parser, &dtd.paramEntities, name, sizeof(ENTITY)); + if (!declEntity) { + *errorCodeP = XML_ERROR_NO_MEMORY; + return; +@@ -3688,7 +3735,7 @@ + *errorCodeP = XML_ERROR_NO_MEMORY; + return; + } +- entity = (ENTITY *)lookup(&dtd.paramEntities, name, 0); ++ entity = (ENTITY *)lookup(parser, &dtd.paramEntities, name, 0); + poolDiscard(&dtd.pool); + if (!entity) { + /* FIXME what to do if !dtd.complete? */ +@@ -3922,6 +3969,7 @@ + namespaceSeparator = '!'; + parentParser = 0; + paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER; ++ hash_secret_salt = 0; + ns = 0; + poolInit(&tempPool); + poolInit(&temp2Pool); +@@ -3946,42 +3994,17 @@ + xmlrpc_XML_ParserCreateNS(const XML_Char * const encodingName, + XML_Char const nsSep) { + +- static +- const XML_Char implicitContext[] = { +- XML_T('x'), XML_T('m'), XML_T('l'), XML_T('='), +- XML_T('h'), XML_T('t'), XML_T('t'), XML_T('p'), XML_T(':'), +- XML_T('/'), XML_T('/'), XML_T('w'), XML_T('w'), XML_T('w'), +- XML_T('.'), XML_T('w'), XML_T('3'), +- XML_T('.'), XML_T('o'), XML_T('r'), XML_T('g'), +- XML_T('/'), XML_T('X'), XML_T('M'), XML_T('L'), +- XML_T('/'), XML_T('1'), XML_T('9'), XML_T('9'), XML_T('8'), +- XML_T('/'), XML_T('n'), XML_T('a'), XML_T('m'), XML_T('e'), +- XML_T('s'), XML_T('p'), XML_T('a'), XML_T('c'), XML_T('e'), +- XML_T('\0') +- }; +- + XML_Parser const xmlParserP = xmlrpc_XML_ParserCreate(encodingName); + Parser * const parser = (Parser *)xmlParserP; +- XML_Parser retval; + + if (xmlParserP) { +- int succeeded; + xmlrpc_XmlInitEncodingNS(&initEncoding, &parser->m_encoding, 0); + ns = 1; + internalEncoding = XmlGetInternalEncodingNS(); + namespaceSeparator = nsSep; ++ } + +- succeeded = setContext(xmlParserP, implicitContext); +- if (succeeded) +- retval = xmlParserP; +- else { +- xmlrpc_XML_ParserFree(xmlParserP); +- retval = NULL; +- } +- } else +- retval = NULL; +- +- return retval; ++ return xmlParserP; + } + + +@@ -4030,6 +4053,12 @@ + int oldDefaultExpandInternalEntities = defaultExpandInternalEntities; + void *oldExternalEntityRefHandlerArg = externalEntityRefHandlerArg; + int oldParamEntityParsing = paramEntityParsing; ++ /* Note that the new parser shares the same hash secret as the old ++ parser, so that dtdCopy and copyEntityTable can lookup values ++ from hash tables associated with either parser without us having ++ to worry which hash secrets each table has. ++ */ ++ unsigned long oldhash_secret_salt = hash_secret_salt; + parser = (ns + ? xmlrpc_XML_ParserCreateNS(encodingName, namespaceSeparator) + : xmlrpc_XML_ParserCreate(encodingName)); +@@ -4060,9 +4089,10 @@ + if (oldExternalEntityRefHandlerArg != oldParser) + externalEntityRefHandlerArg = oldExternalEntityRefHandlerArg; + defaultExpandInternalEntities = oldDefaultExpandInternalEntities; ++ hash_secret_salt = oldhash_secret_salt; + paramEntityParsing = oldParamEntityParsing; + if (context) { +- if (!dtdCopy(&dtd, oldDtd) || !setContext(parser, context)) { ++ if (!dtdCopy(oldParser, &dtd, oldDtd) || !setContext(parser, context)) { + xmlrpc_XML_ParserFree(parser); + return 0; + } +@@ -4423,6 +4453,13 @@ + } + + ++int ++XML_SetHashSalt(XML_Parser parser, ++ unsigned long hash_salt) ++{ ++ hash_secret_salt = hash_salt; ++ return 1; ++} + + int + xmlrpc_XML_Parse(XML_Parser const xmlParserP, +@@ -4439,6 +4476,11 @@ + errorString = NULL; + } + ++ if (parentParser == NULL && !startParsing(parser)) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return 0; ++ } ++ + if (len == 0) { + if (!isFinal) + retval = 1; +@@ -4469,6 +4511,11 @@ + errorString = NULL; + } + ++ if (parentParser == NULL && !startParsing(parser)) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return 0; ++ } ++ + positionPtr = start; + bufferEnd += len; + parseEndByteIndex += len; +Index: xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.h +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmlparse/xmlparse.h 2012-09-06 09:54:29.920445233 -0700 ++++ xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.h 2012-09-06 11:43:02.888311576 -0700 +@@ -477,6 +477,14 @@ + xmlrpc_XML_SetParamEntityParsing(XML_Parser parser, + enum XML_ParamEntityParsing parsing); + ++/* Sets the hash salt to use for internal hash calculations. ++ Helps in preventing DoS attacks based on predicting hash ++ function behavior. This must be called before parsing is started. ++ Returns 1 if successful, 0 when called after parsing has started. ++*/ ++int ++XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt); ++ + enum XML_Error { + XML_ERROR_NONE, + XML_ERROR_NO_MEMORY, --- xmlrpc-c-1.16.33.orig/debian/patches/CVE-2016-4472.patch +++ xmlrpc-c-1.16.33/debian/patches/CVE-2016-4472.patch @@ -0,0 +1,28 @@ +Description: fix integer overflows in XML_GetBuffer +Author: Pascal Cuoq + +Index: xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:09:56.190001498 +0300 ++++ xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:11:18.511047150 +0300 +@@ -4558,8 +4558,8 @@ + return 0; + } + if (len > bufferLim - bufferEnd) { +- /* FIXME avoid integer overflow */ +- int neededSize = len + (bufferEnd - bufferPtr); ++ /* Do not invoke signed arithmetic overflow: */ ++ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr)); + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return 0; +@@ -4575,7 +4575,8 @@ + if (bufferSize == 0) + bufferSize = INIT_BUFFER_SIZE; + do { +- bufferSize *= 2; ++ /* Do not invoke signed arithmetic overflow: */ ++ bufferSize = (int) (2U * (unsigned) bufferSize); + } while (bufferSize < neededSize && bufferSize > 0); + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; --- xmlrpc-c-1.16.33.orig/debian/patches/CVE-2016-5300-1.patch +++ xmlrpc-c-1.16.33/debian/patches/CVE-2016-5300-1.patch @@ -0,0 +1,36 @@ +Description: fix use of too little entropy +Origin: upstream, https://sourceforge.net/p/expat/code_git/ci/a5f2d0406056d384cdd4b9955384703137a4d19a/ + +Index: xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:20:17.181842289 +0300 ++++ xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:21:22.082656056 +0300 +@@ -574,7 +574,7 @@ + } + + static unsigned long +-generate_hash_secret_salt(void) ++gather_time_entropy(void) + { + struct timeval tv; + int gettimeofday_res; +@@ -582,10 +582,16 @@ + gettimeofday_res = gettimeofday(&tv, NULL); + assert (gettimeofday_res == 0); + +- /* Microseconds time is <20 bits entropy +- * Process ID is 0 bits entropy if attacker has local access ++ /* Microseconds time is <20 bits entropy */ ++ return tv.tv_usec; ++} ++ ++static unsigned long ++generate_hash_secret_salt(void) ++{ ++ /* Process ID is 0 bits entropy if attacker has local access + * Factor is 2^61-1 (Mersenne prime M61) */ +- return (tv.tv_usec ^ getpid()) * 2305843009213693951; ++ return (gather_time_entropy() ^ getpid()) * 2305843009213693951; + } + + static int /* only valid for root parser */ --- xmlrpc-c-1.16.33.orig/debian/patches/backport-gssapi-delegation.patch +++ xmlrpc-c-1.16.33/debian/patches/backport-gssapi-delegation.patch @@ -0,0 +1,389 @@ +From d0d5d27d65315e8b6bc4e18a4d36b1ff92875bae Mon Sep 17 00:00:00 2001 +From: "Vojtech Vitek (V-Teq)" +Date: Wed, 10 Aug 2011 17:51:01 +0200 +Subject: [PATCH] Backport: Add gssapi_delegation Curl transport option + +--- + include/xmlrpc-c/client.h | 65 +++++++++++++++++ + include/xmlrpc-c/client_transport.hpp | 7 ++ + lib/curl_transport/curltransaction.c | 109 +++++++++++++++++++++++++++- + lib/curl_transport/curltransaction.h | 12 +++ + lib/curl_transport/curlversion.h | 6 ++ + lib/curl_transport/xmlrpc_curl_transport.c | 14 ++++ + src/cpp/curl.cpp | 30 ++++++++- + 7 files changed, 241 insertions(+), 2 deletions(-) + +diff --git a/include/xmlrpc-c/client.h b/include/xmlrpc-c/client.h +index c2e2e61..d157682 100644 +--- a/include/xmlrpc-c/client.h ++++ b/include/xmlrpc-c/client.h +@@ -50,6 +50,11 @@ enum xmlrpc_sslversion { + XMLRPC_SSLVERSION_SSLv3 + }; + ++enum xmlrpc_httpproxytype { ++ XMLRPC_HTTPPROXY_HTTP = 0, ++ XMLRPC_HTTPPROXY_SOCKS5 = 5 ++}; ++ + struct xmlrpc_curl_xportparms { + /* This is designed so that zero values are always the defaults. */ + const char * network_interface; +@@ -71,6 +76,66 @@ struct xmlrpc_curl_xportparms { + const char * egdsocket; + const char * ssl_cipher_list; + unsigned int timeout; ++ ++ /*! ++ * Not backported. ++ * ++ * DON'T ADVERTISE option is available from Xmlrpc-c 1.21.00 and thus ++ * *IS NOT AVAILABLE* in the current version of the library. ++ * The parameter below is listed because of forward compatibility ++ * with future libxmlrpc_client versions and thus must be set to ++ * FALSE/zero value, or an error will occur. ++ */ ++ xmlrpc_bool dont_advertise; ++ ++ /*! ++ * Not backported. ++ * ++ * HTTP PROXY Control is available from Xmlrpc-c 1.23.00 and thus ++ * *IS NOT AVAILABLE* in the current version of the library. ++ * The parameters below are listed because of forward compatibility ++ * with future libxmlrpc_client versions and thus must be all set ++ * to zero values, or an error will occur. ++ */ ++ const char * proxy; ++ unsigned int proxy_port; ++ enum xmlrpc_httpproxytype proxy_type; ++ unsigned int proxy_auth; ++ const char * proxy_userpwd; ++ ++ /*! ++ * Backported. ++ * ++ * GSSAPI DELEGATION is available from Xmlrpc-c 1.27.04 (August 2011) ++ * and the functionality is backported to the current version of the library. ++ * ++ * About Curl and GSSAPI credential delegation: ++ * ++ * Up through Curl 7.21.6, libcurl always delegates GSSAPI credentials, which ++ * means it gives the client's secrets to the server so the server can operate ++ * on the client's behalf. In mid-2011, this was noticed to be a major ++ * security exposure, because the server is not necessarily trustworthy. ++ * One is supposed to delegate one's credentials only to a server one trusts. ++ * So in 7.21.7, Curl never delegates GSSAPI credentials. ++ * ++ * But that causes problems for clients that _do_ trust their server, which ++ * had always relied upon Curl's delegation. ++ * ++ * So starting in 7.21.8, Curl gives the user the choice. The default is no ++ * delegation, but the Curl user can set the CURLOPT_GSSAPI_DELEGATION flag to ++ * order delegation. ++ * ++ * Complicating matters is that some people made local variations of Curl ++ * during the transition phase, so the version number alone isn't ++ * determinative, so we rely on it only where we have to. ++ * ++ * So Xmlrpc-c gives the same choice to its own user, via its ++ * 'gssapi_delegation' Curl transport option. ++ * ++ * Current Xmlrpc-c can be linked with, and compiled with, any version of ++ * Curl, so it has to carefully consider all the possibilities. ++ */ ++ xmlrpc_bool gssapi_delegation; + }; + + +diff --git a/include/xmlrpc-c/client_transport.hpp b/include/xmlrpc-c/client_transport.hpp +index 8d6053d..2b06c21 100644 +--- a/include/xmlrpc-c/client_transport.hpp ++++ b/include/xmlrpc-c/client_transport.hpp +@@ -318,6 +318,11 @@ public: + }; + + clientXmlTransport_curl(constrOpt const& opt); ++ ++ /* GSSAPI delegation option is not member of constrOpt ++ * because of ABI backward compatibility. */ ++ clientXmlTransport_curl(constrOpt const& opt, ++ bool const gssapiDelegation); + + clientXmlTransport_curl(std::string const networkInterface = "", + bool const noSslVerifyPeer = false, +@@ -329,6 +334,8 @@ public: + private: + void + initialize(constrOpt const& opt); ++ void ++ initialize(constrOpt const& opt, bool const gssapiDelegation); + }; + + /*=========================================================================== +diff --git a/lib/curl_transport/curltransaction.c b/lib/curl_transport/curltransaction.c +index abf243f..a74eb43 100644 +--- a/lib/curl_transport/curltransaction.c ++++ b/lib/curl_transport/curltransaction.c +@@ -351,6 +351,99 @@ assertConstantsMatch(void) { + + + ++/* About Curl and GSSAPI credential delegation: ++ ++ Up through Curl 7.21.6, libcurl always delegates GSSAPI credentials, which ++ means it gives the client's secrets to the server so the server can operate ++ on the client's behalf. In mid-2011, this was noticed to be a major ++ security exposure, because the server is not necessarily trustworthy. ++ One is supposed to delegate one's credentials only to a server one trusts. ++ So in 7.21.7, Curl never delegates GSSAPI credentials. ++ ++ But that causes problems for clients that _do_ trust their server, which ++ had always relied upon Curl's delegation. ++ ++ So starting in 7.21.8, Curl gives the user the choice. The default is no ++ delegation, but the Curl user can set the CURLOPT_GSSAPI_DELEGATION flag to ++ order delegation. ++ ++ Complicating matters is that some people made local variations of Curl ++ during the transition phase, so the version number alone isn't ++ determinative, so we rely on it only where we have to. ++ ++ So Xmlrpc-c gives the same choice to its own user, via its ++ 'gssapi_delegation' Curl transport option. ++ ++ Current Xmlrpc-c can be linked with, and compiled with, any version of ++ Curl, so it has to carefully consider all the possibilities. ++*/ ++ ++ ++ ++static bool ++curlAlwaysDelegatesGssapi(void) { ++/*---------------------------------------------------------------------------- ++ The Curl library we're using always delegates GSSAPI credentials ++ (we don't have a choice). ++ ++ This works with Curl as distributed by the Curl project, but there are ++ other versions of Curl for which it doesn't -- those versions report ++ older version numbers but in fact don't always delegate. Some never ++ delegate, and some give the user the option. ++-----------------------------------------------------------------------------*/ ++ curl_version_info_data * const curlInfoP = ++ curl_version_info(CURLVERSION_NOW); ++ ++ return (curlInfoP->version_num <= 0x071506); /* 7.21.6 */ ++} ++ ++ ++ ++static void ++requestGssapiDelegation(CURL * const curlSessionP ATTR_UNUSED, ++ bool * const gotItP) { ++/*---------------------------------------------------------------------------- ++ Set up the Curl session *curlSessionP to delegate its GSSAPI credentials to ++ the server. ++ ++ Return *gotitP is true iff we succeed. We fail when the version of libcurl ++ for which we are compiled or to which we are linked is not capable of such ++ delegation. ++-----------------------------------------------------------------------------*/ ++#if HAVE_CURL_GSSAPI_DELEGATION ++ int rc; ++ ++ rc = curl_easy_setopt(curlSessionP, CURLOPT_GSSAPI_DELEGATION, ++ CURLGSSAPI_DELEGATION_FLAG); ++ ++ if (rc == CURLE_OK) ++ *gotItP = true; ++ else { ++ /* The only way curl_easy_setopt() could have failed is that we ++ are running with an old libcurl from before ++ CURLOPT_GSSAPI_DELEGATION was invented. ++ */ ++ if (curlAlwaysDelegatesGssapi()) { ++ /* No need to request delegation; we got it anyway */ ++ *gotItP = true; ++ } else ++ *gotItP = false; ++ } ++#else ++ if (curlAlwaysDelegatesGssapi()) ++ *gotItP = true; ++ else { ++ /* The library may be able to do credential delegation on request, but ++ we have no way to request it; the Curl for which we are compiled is ++ too old. ++ */ ++ *gotItP = false; ++ } ++#endif ++} ++ ++ ++ + static void + setupCurlSession(xmlrpc_env * const envP, + curlTransaction * const curlTransactionP, +@@ -457,10 +550,24 @@ setupCurlSession(xmlrpc_env * const envP, + curl_easy_setopt(curlSessionP, CURLOPT_SSL_CIPHER_LIST, + curlSetupP->sslCipherList); + ++ /* Not backported */ ++ assert(curlSetupP->proxy == NULL); ++ + if (curlSetupP->timeout) + setCurlTimeout(curlSessionP, curlSetupP->timeout); + +- { ++ if (curlSetupP->gssapiDelegation) { ++ bool gotIt; ++ requestGssapiDelegation(curlSessionP, &gotIt); ++ ++ if (!gotIt) ++ xmlrpc_faultf(envP, "Cannot honor 'gssapi_delegation' " ++ "Curl transport option. " ++ "This version of libcurl is not " ++ "capable of delegating GSSAPI credentials"); ++ } ++ ++ if (!envP->fault_occurred) { + const char * authHdrValue; + /* NULL means we don't have to construct an explicit + Authorization: header. non-null means we have to +diff --git a/lib/curl_transport/curltransaction.h b/lib/curl_transport/curltransaction.h +index c1ab5ce..c41d4e9 100644 +--- a/lib/curl_transport/curltransaction.h ++++ b/lib/curl_transport/curltransaction.h +@@ -70,6 +70,18 @@ struct curlSetup { + const char * randomFile; + const char * egdSocket; + const char * sslCipherList; ++ ++ const char * proxy; ++ unsigned int proxyPort; ++ unsigned int proxyAuth; ++ /* e.g. CURLAUTH_BASIC, CURLAUTH_NTLM, ... */ ++ const char * proxyUserPwd; ++ unsigned int proxyType; ++ /* see enum curl_proxytype: CURLPROXY_HTTP, CURLPROXY_SOCKS4, ... */ ++ ++ bool gssapiDelegation; ++ /* allow GSSAPI credential delegation */ ++ + unsigned int timeout; + /* 0 = no Curl timeout. This is in milliseconds. */ + }; +diff --git a/lib/curl_transport/curlversion.h b/lib/curl_transport/curlversion.h +index 71c5a68..4ad445a 100644 +--- a/lib/curl_transport/curlversion.h ++++ b/lib/curl_transport/curlversion.h +@@ -14,6 +14,12 @@ + #define HAVE_CURL_STRERROR 0 + #endif + ++#ifdef CURLGSSAPI_DELEGATION_FLAG ++#define HAVE_CURL_GSSAPI_DELEGATION 1 ++#else ++#define HAVE_CURL_GSSAPI_DELEGATION 0 ++#endif ++ + #undef CMAJOR + #undef CMINOR + +diff --git a/lib/curl_transport/xmlrpc_curl_transport.c b/lib/curl_transport/xmlrpc_curl_transport.c +index 526381d..85e105b 100644 +--- a/lib/curl_transport/xmlrpc_curl_transport.c ++++ b/lib/curl_transport/xmlrpc_curl_transport.c +@@ -765,6 +765,20 @@ getXportParms(xmlrpc_env * const envP, + else + curlSetupP->sslCipherList = strdup(curlXportParmsP->ssl_cipher_list); + ++ /* Not backported */ ++ curlSetupP->proxy = NULL; ++ curlSetupP->proxyPort = 0; ++ curlSetupP->proxyAuth = 0; ++ curlSetupP->proxyUserPwd = NULL; ++ curlSetupP->proxyType = 0; ++ ++ /* Backported */ ++ if (!curlXportParmsP || parmSize < XMLRPC_CXPSIZE(gssapi_delegation)) ++ curlSetupP->gssapiDelegation = false; ++ else ++ curlSetupP->gssapiDelegation = !!curlXportParmsP->gssapi_delegation; ++ ++ + getTimeoutParm(envP, curlXportParmsP, parmSize, &curlSetupP->timeout); + } + +diff --git a/src/cpp/curl.cpp b/src/cpp/curl.cpp +index 6181929..8e105f2 100644 +--- a/src/cpp/curl.cpp ++++ b/src/cpp/curl.cpp +@@ -186,6 +186,11 @@ DEFINE_OPTION_SETTER(timeout, unsigned int); + + void + clientXmlTransport_curl::initialize(constrOpt const& opt) { ++ clientXmlTransport_curl::initialize(opt, false); ++} ++ ++void ++clientXmlTransport_curl::initialize(constrOpt const& opt, bool const gssapiDelegation) { + struct xmlrpc_curl_xportparms transportParms; + + transportParms.network_interface = opt.present.network_interface ? +@@ -227,13 +232,24 @@ clientXmlTransport_curl::initialize(constrOpt const& opt) { + transportParms.timeout = opt.present.timeout ? + opt.value.timeout : 0; + ++ /* Not backported */ ++ transportParms.dont_advertise = false; ++ transportParms.proxy = NULL; ++ transportParms.proxy_port = 0; ++ transportParms.proxy_auth = 0; ++ transportParms.proxy_userpwd = NULL; ++ transportParms.proxy_type = XMLRPC_HTTPPROXY_HTTP; ++ ++ /* Backported */ ++ transportParms.gssapi_delegation = gssapiDelegation; ++ + this->c_transportOpsP = &xmlrpc_curl_transport_ops; + + env_wrap env; + + xmlrpc_curl_transport_ops.create( + &env.env_c, 0, "", "", +- &transportParms, XMLRPC_CXPSIZE(timeout), ++ &transportParms, XMLRPC_CXPSIZE(gssapi_delegation), + &this->c_transportP); + + if (env.env_c.fault_occurred) +@@ -249,6 +265,14 @@ clientXmlTransport_curl::initialize(constrOpt const& opt) { + "library")); + } + ++void ++clientXmlTransport_curl::initialize(constrOpt const& opt, bool const gssapiDelegation) { ++ ++ throw(error("There is no Curl client XML transport in this XML-RPC client " ++ "library")); ++} ++ ++ + #endif + + clientXmlTransport_curl::clientXmlTransport_curl(constrOpt const& opt) { +@@ -256,6 +280,10 @@ clientXmlTransport_curl::clientXmlTransport_curl(constrOpt const& opt) { + this->initialize(opt); + } + ++clientXmlTransport_curl::clientXmlTransport_curl(constrOpt const& opt, bool const gssapiDelegation) { ++ ++ this->initialize(opt, gssapiDelegation); ++} + + + clientXmlTransport_curl::clientXmlTransport_curl( +-- +1.7.6 + --- xmlrpc-c-1.16.33.orig/debian/patches/CVE-2012-1148.patch +++ xmlrpc-c-1.16.33/debian/patches/CVE-2012-1148.patch @@ -0,0 +1,134 @@ +Description: Don't leak memory when realloc() returns NULL + Backported from the upstream Expat sources to the embedded copy of Expat in + xmlrpc-c. +Origin: backport, http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?view=revision&revision=2393 +Index: xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmlparse/xmlparse.c 2012-08-28 17:15:21.103200078 -0700 ++++ xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c 2012-08-28 17:15:21.135200079 -0700 +@@ -480,10 +480,11 @@ + } + if (pool->blocks && pool->start == pool->blocks->s) { + int blockSize = (pool->end - pool->start)*2; +- pool->blocks = realloc(pool->blocks, offsetof(BLOCK, s) + +- blockSize * sizeof(XML_Char)); +- if (!pool->blocks) ++ BLOCK *temp = realloc(pool->blocks, offsetof(BLOCK, s) + ++ blockSize * sizeof(XML_Char)); ++ if (!temp) + return 0; ++ pool->blocks = temp; + pool->blocks->size = blockSize; + pool->ptr = pool->blocks->s + (pool->ptr - pool->start); + pool->start = pool->blocks->s; +@@ -965,9 +966,10 @@ + if (freeBindingList) { + b = freeBindingList; + if (len > b->uriAlloc) { +- b->uri = realloc(b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE)); +- if (!b->uri) ++ XML_Char *temp = realloc(b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE)); ++ if (!temp) + return 0; ++ b->uri = temp; + b->uriAlloc = len + EXPAND_SPARE; + } + freeBindingList = b->nextTagBinding; +@@ -1804,15 +1806,18 @@ + type->allocDefaultAtts = 8; + type->defaultAtts = + malloc(type->allocDefaultAtts*sizeof(DEFAULT_ATTRIBUTE)); ++ if (!type->defaultAtts) ++ return 0; + } + else { ++ DEFAULT_ATTRIBUTE *temp; + type->allocDefaultAtts *= 2; +- type->defaultAtts = +- realloc(type->defaultAtts, +- type->allocDefaultAtts*sizeof(DEFAULT_ATTRIBUTE)); ++ temp = realloc(type->defaultAtts, ++ type->allocDefaultAtts*sizeof(DEFAULT_ATTRIBUTE)); ++ if (!temp) ++ return 0; ++ type->defaultAtts = temp; + } +- if (!type->defaultAtts) +- return 0; + } + att = type->defaultAtts + type->nDefaultAtts; + att->id = attId; +@@ -1871,10 +1876,12 @@ + n = XmlGetAttributes(enc, attStr, attsSize, atts); + if (n + nDefaultAtts > attsSize) { + int oldAttsSize = attsSize; ++ ATTRIBUTE *temp; + attsSize = n + nDefaultAtts + INIT_ATTS_SIZE; +- atts = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE)); +- if (!atts) ++ temp = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE)); ++ if (!temp) + return XML_ERROR_NO_MEMORY; ++ atts = temp; + if (n > oldAttsSize) + XmlGetAttributes(enc, attStr, n, atts); + } +@@ -2473,13 +2480,15 @@ + if (tag->rawNameLength + + (int)(sizeof(XML_Char) - 1) + + (int)sizeof(XML_Char) > tag->bufEnd - tag->buf) { ++ char *temp; + int bufSize = tag->rawNameLength * 4; + bufSize = ROUND_UP(bufSize, sizeof(XML_Char)); +- tag->buf = realloc(tag->buf, bufSize); +- if (!tag->buf) { ++ temp = realloc(tag->buf, bufSize); ++ if (!temp) { + *errorCodeP = XML_ERROR_NO_MEMORY; + return; + } ++ tag->buf = temp; + tag->bufEnd = tag->buf + bufSize; + } + memcpy(tag->buf, tag->rawName, tag->rawNameLength); +@@ -2506,11 +2515,12 @@ + break; + else { + int const bufSize = (tag->bufEnd - tag->buf) << 1; +- tag->buf = realloc(tag->buf, bufSize); +- if (!tag->buf) { ++ char *temp = realloc(tag->buf, bufSize); ++ if (!temp) { + *errorCodeP = XML_ERROR_NO_MEMORY; + return; + } ++ tag->buf = temp; + tag->bufEnd = tag->buf + bufSize; + if (nextPtr) + tag->rawName = tag->buf; +@@ -3697,13 +3707,19 @@ + break; + case XML_ROLE_GROUP_OPEN: + if (prologState.level >= groupSize) { +- if (groupSize) +- groupConnector = realloc(groupConnector, groupSize *= 2); +- else ++ if (groupSize) { ++ char *temp = realloc(groupConnector, groupSize *= 2); ++ if (!temp) { ++ *errorCodeP = XML_ERROR_NO_MEMORY; ++ return; ++ } ++ groupConnector = temp; ++ } else { + groupConnector = malloc(groupSize = 32); +- if (!groupConnector) { +- *errorCodeP = XML_ERROR_NO_MEMORY; +- return; ++ if (!groupConnector) { ++ *errorCodeP = XML_ERROR_NO_MEMORY; ++ return; ++ } + } + } + groupConnector[prologState.level] = 0; --- xmlrpc-c-1.16.33.orig/debian/patches/CVE-2012-6702-2.patch +++ xmlrpc-c-1.16.33/debian/patches/CVE-2012-6702-2.patch @@ -0,0 +1,27 @@ +Description: fix unanticipated internal calls to srand +Origin: upstream, https://sourceforge.net/p/expat/code_git/ci/f627ff74d631f4548f924ca5bd27ddad6cae07ab/ + +Index: xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c +=================================================================== +--- xmlrpc-c-1.16.33.orig/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:22:36.231584620 +0300 ++++ xmlrpc-c-1.16.33/lib/expat/xmlparse/xmlparse.c 2016-06-14 16:23:18.272110558 +0300 +@@ -590,9 +590,16 @@ + generate_hash_secret_salt(XML_Parser parser) + { + /* Process ID is 0 bits entropy if attacker has local access +- * XML_Parser address is few bits of entropy if attacker has local access +- * Factor is 2^61-1 (Mersenne prime M61) */ +- return (gather_time_entropy() ^ getpid() ^ (unsigned long)parser) * 2305843009213693951; ++ * XML_Parser address is few bits of entropy if attacker has local access */ ++ const unsigned long entropy = ++ gather_time_entropy() ^ getpid() ^ (unsigned long)parser; ++ ++ /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */ ++ if (sizeof(unsigned long) == 4) { ++ return entropy * 2147483647; ++ } else { ++ return entropy * 2305843009213693951; ++ } + } + + static int /* only valid for root parser */