Debian Bug report logs - #560942
CVE-2009-3560 and CVE-2009-3720 denial-of-services


Package: xmlrpc-c; Maintainer for xmlrpc-c is Sean Finney <seanius@debian.org>;

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sun, 13 Dec 2009 04:10:02 UTC

Severity: serious

Tags: security

Found in version 1.06.27-1

Fixed in versions xmlrpc-c/1.06.27-1.1, 1.16.33-1

Done: Sean Finney <seanius@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#560942; Package xmlrpc-c. (Sun, 13 Dec 2009 04:10:05 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Sean Finney <seanius@debian.org>. (Sun, 13 Dec 2009 04:10:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Date: Sat, 12 Dec 2009 22:55:54 -0500
package: xmlrpc-c
severity: serious
tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published for expat.  I have determined that this package embeds a
vulnerable copy of xmlparse.c and xmltok_impl.c.  However, since this is
a mass bug filing (due to so many packages embedding expat), I have
not had time to determine whether the vulnerable code is actually
present in any of the binary packages derived from this source package.
Please determine whether this is the case. If the binary packages are
not affected, please feel free to close the bug with a message
containing the details of what you did to check.

CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.

CVE-2009-3720[1]:
| The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
| 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
| allows context-dependent attackers to cause a denial of service
| (application crash) via an XML document with crafted UTF-8 sequences
| that trigger a buffer over-read, a different vulnerability than
| CVE-2009-2625.

These issues also affect old versions of expat, so this package in etch
and lenny is very likely affected.  This is a low-severity security
issue, so DSAs will not be issued to correct these problems.  However,
you can optionally submit a proposed-update to the release team for
inclusion in the next stable point releases.  If you plan to do this, 
please open new bugs and include the security tag so we are aware that
you are working on that.

For further information see [0],[1],[2],[3].  In particular, [2] and [3]
are links to the patches for CVE-2009-3560 and CVE-2009-3720
respectively. Note that the ideal solution would be to make use of the
system expat so only one package will need to be updated for future
security issues. Preferably in your update to unstable, alter your
package to make use of the system expat.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
    http://security-tracker.debian.org/tracker/CVE-2009-3560
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
    http://security-tracker.debian.org/tracker/CVE-2009-3720
[2]
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3]
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch




Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#560942; Package xmlrpc-c. (Sun, 13 Dec 2009 15:33:57 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Sun, 13 Dec 2009 15:33:57 GMT)

Message #10 received at 560942@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 560912@bugs.debian.org, 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560932@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: Expat issues update
Date: Sun, 13 Dec 2009 10:29:27 -0500
Hi all,

In order to guarantee that the system expat is used, the
'--with-expat=sys' configure argument must be used.  If you think
your package is already using the system expat, or if you are updating
your package to use the system expat, please check to make sure that
this option is being used. Thanks.

Mike
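The two checks this log asks maintainers to make, locating an embedded expat (and its version) in a source tree and confirming that the build passes '--with-expat=sys', as an added Python example that is not part of the bug log or of xmlrpc-c; the sample tree, its expat.h contents and its debian/rules line are constructed stand-ins, and expat.h is only assumed to sit near the embedded sources.

```python
"""Find embedded copies of expat in a source tree and check whether the build
forces the system library: the two checks this bug log asks maintainers to do.
Added example for this log, not xmlrpc-c code; the sample tree is constructed."""
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
# Files that identify an embedded expat. The report names the first two as
# carrying CVE-2009-3560 (xmlparse.c) and CVE-2009-3720 (xmltok_impl.c).
EXPAT_MARKERS = ("xmlparse.c", "xmltok_impl.c", "xmltok.c")
# Newest expat release the report names as affected; older ones are affected too.
LAST_AFFECTED: Version = (2, 0, 1)
# Configure argument that message #10 says forces use of the system expat.
SYSTEM_EXPAT_FLAG = "--with-expat=sys"
VERSION_RE = re.compile(r"#\s*define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)")


@dataclass
class EmbeddedExpat:
    directory: str
    files: List[str]
    version: Optional[Version]

    @property
    def possibly_affected(self) -> bool:
        # An unknown version counts as affected: only a release newer than
        # 2.0.1 clears an embedded copy.
        return self.version is None or self.version <= LAST_AFFECTED


def parse_expat_version(header_text: str) -> Optional[Version]:
    """Read (major, minor, micro) from expat.h's XML_*_VERSION defines."""
    parts = {m.group(1): int(m.group(2)) for m in VERSION_RE.finditer(header_text)}
    if all(k in parts for k in ("MAJOR", "MINOR", "MICRO")):
        return (parts["MAJOR"], parts["MINOR"], parts["MICRO"])
    return None


def _nearest_version(dirpath: str, headers: Dict[str, Optional[Version]]) -> Optional[Version]:
    """Pick the expat.h closest to dirpath; xmlrpc-c keeps xmlparse.c and
    xmltok_impl.c in sibling directories, so the header need not sit beside them."""
    best, best_len = None, -1
    for hdir, ver in headers.items():
        common = len(os.path.commonpath([dirpath, hdir]))
        if ver is not None and common > best_len:
            best, best_len = ver, common
    return best


def find_embedded_expat(root: str) -> List[EmbeddedExpat]:
    """Return every directory under root that carries expat source files."""
    headers: Dict[str, Optional[Version]] = {}
    hits: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        if "expat.h" in filenames:
            text = Path(dirpath, "expat.h").read_text(encoding="utf-8", errors="replace")
            headers[dirpath] = parse_expat_version(text)
        marked = sorted(f for f in filenames if f in EXPAT_MARKERS)
        if marked:
            hits[dirpath] = marked
    return [EmbeddedExpat(d, files, _nearest_version(d, headers))
            for d, files in sorted(hits.items())]


def configured_for_system_expat(root: str) -> bool:
    """True if debian/rules passes --with-expat=sys, as message #10 requires."""
    rules = Path(root, "debian", "rules")
    return rules.is_file() and SYSTEM_EXPAT_FLAG in rules.read_text(encoding="utf-8", errors="replace")


def build_sample_tree() -> str:
    """Constructed tree mirroring the paths quoted in the patch output
    (lib/expat/xmlparse/xmlparse.c, lib/expat/xmltok/xmltok_impl.c)."""
    root = tempfile.mkdtemp(prefix="embedded-expat-")
    files = {
        "lib/expat/xmlparse/xmlparse.c": "/* constructed stand-in */\n",
        "lib/expat/xmltok/xmltok_impl.c": "/* constructed stand-in */\n",
        "lib/expat/xmlparse/expat.h": ("#define XML_MAJOR_VERSION 2\n"
                                       "#define XML_MINOR_VERSION 0\n"
                                       "#define XML_MICRO_VERSION 1\n"),
        "debian/rules": "./configure --prefix=/usr\n",  # no --with-expat=sys
    }
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for copy in find_embedded_expat(tree):
        state = "possibly affected" if copy.possibly_affected else "newer than 2.0.1"
        print(f"{copy.directory}: {', '.join(copy.files)} expat={copy.version} ({state})")
    print("system expat forced via --with-expat=sys:", configured_for_system_expat(tree))
```

Run against a real unpacked source package instead of the sample tree by passing its directory to find_embedded_expat and configured_for_system_expat; a copy with no readable expat.h is reported as possibly affected rather than silently cleared.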




Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#560942; Package xmlrpc-c. (Sun, 13 Dec 2009 16:28:09 GMT)

Acknowledgement sent to Matthias Klose <doko@debian.org>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Sun, 13 Dec 2009 16:28:09 GMT)

Message #15 received at 560942@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 560912@bugs.debian.org
Cc: 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560932@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: Re: Bug#560912: Expat issues update
Date: Sun, 13 Dec 2009 17:21:26 +0100
On 13.12.2009 16:29, Michael Gilbert wrote:
> Hi all,
>
> In order to guarantee that the system expat is used, the
> '--with-expat=sys' configure argument must be used.  If you think
> your package is already using the system expat, or if you are updating
> your package to use the system expat, please check to make sure that
> this option is being used. Thanks.

there's no such option for python, which uses a modified copy of expat.





Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#560942; Package xmlrpc-c. (Mon, 14 Dec 2009 07:58:00 GMT)

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Mon, 14 Dec 2009 07:58:00 GMT)

Message #20 received at 560942@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: 560932@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, 560912@bugs.debian.org, 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: Re: Bug#560932: Bug#560912: Expat issues update
Date: Mon, 14 Dec 2009 08:55:03 +0100
On Sun, Dec 13, 2009 at 05:21:26PM +0100, Matthias Klose wrote:
> On 13.12.2009 16:29, Michael Gilbert wrote:
> >Hi all,
> >
> >In order to guarantee that the system expat is used, the
> >'--with-expat=sys' configure argument must be used.  If you think
> >your package is already using the system expat, or if you are updating
> >your package to use the system expat, please check to make sure that
> >this option is being used. Thanks.
> 
> there's no such option for python, which uses a modified copy of expat.

Likewise with mozilla, which uses a heavily modified copy of expat.




Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#560942; Package xmlrpc-c. (Mon, 14 Dec 2009 12:15:57 GMT)

Acknowledgement sent to Ove Kaaven <ovek@arcticnet.no>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Mon, 14 Dec 2009 12:15:57 GMT)

Message #25 received at 560942@bugs.debian.org:

From: Ove Kaaven <ovek@arcticnet.no>
To: Mike Hommey <mh@glandium.org>, 560937@bugs.debian.org
Cc: 560932@bugs.debian.org, 560948@bugs.debian.org, 560945@bugs.debian.org, 560935@bugs.debian.org, 560946@bugs.debian.org, 560921@bugs.debian.org, 560939@bugs.debian.org, 560949@bugs.debian.org, 560917@bugs.debian.org, 560924@bugs.debian.org, 560938@bugs.debian.org, 560919@bugs.debian.org, 560913@bugs.debian.org, 560916@bugs.debian.org, 560943@bugs.debian.org, 560920@bugs.debian.org, 560912@bugs.debian.org, 560931@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>, 560918@bugs.debian.org, 560930@bugs.debian.org, 560940@bugs.debian.org, 560951@bugs.debian.org, 560933@bugs.debian.org, 560914@bugs.debian.org, 560922@bugs.debian.org, 560941@bugs.debian.org, 560926@bugs.debian.org, 560923@bugs.debian.org, 560942@bugs.debian.org, 560936@bugs.debian.org, 560915@bugs.debian.org, 560950@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560947@bugs.debian.org, 560929@bugs.debian.org, 560944@bugs.debian.org, 560934@bugs.debian.org, 560925@bugs.debian.org
Subject: Re: [pkg-fgfs-crew] Bug#560937: Bug#560932: Bug#560912: Expat issues update
Date: Mon, 14 Dec 2009 12:17:17 +0100
Mike Hommey skrev:
> On Sun, Dec 13, 2009 at 05:21:26PM +0100, Matthias Klose wrote:
>> On 13.12.2009 16:29, Michael Gilbert wrote:
>>> Hi all,
>>>
>>> In order to guarantee that the system expat is used, the
>>> '--with-expat=sys' configure argument must be used.  If you think
>>> your package is already using the system expat, or if you are updating
>>> your package to use the system expat, please check to make sure that
>>> this option is being used. Thanks.
>> there's no such option for python, which uses a modified copy of expat.
> 
> Likewise with mozilla, which uses a heavily modified copy of expat.

And I think the xml parser in simgear was ripped from some version of
mozilla. (Of course, I wouldn't consider a security flaw in a flight
simulator library as critical as one in an actual web browser or
anything, so I'm not sure how much I need to worry...)




Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#560942; Package xmlrpc-c. (Mon, 04 Jan 2010 12:03:08 GMT)

Acknowledgement sent to Daniel Leidert <daniel.leidert@wgdd.de>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Mon, 04 Jan 2010 12:03:08 GMT)

Message #30 received at 560942@bugs.debian.org:

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: 560912@bugs.debian.org, 560913@bugs.debian.org, 560914@bugs.debian.org, 560915@bugs.debian.org, 560916@bugs.debian.org, 560917@bugs.debian.org, 560918@bugs.debian.org, 560919@bugs.debian.org, 560920@bugs.debian.org, 560921@bugs.debian.org, 560922@bugs.debian.org, 560923@bugs.debian.org, 560924@bugs.debian.org, 560925@bugs.debian.org, 560926@bugs.debian.org, 560927@bugs.debian.org, 560928@bugs.debian.org, 560929@bugs.debian.org, 560930@bugs.debian.org, 560931@bugs.debian.org, 560932@bugs.debian.org, 560933@bugs.debian.org, 560934@bugs.debian.org, 560935@bugs.debian.org, 560936@bugs.debian.org, 560937@bugs.debian.org, 560938@bugs.debian.org, 560939@bugs.debian.org, 560940@bugs.debian.org, 560941@bugs.debian.org, 560942@bugs.debian.org, 560943@bugs.debian.org, 560944@bugs.debian.org, 560945@bugs.debian.org, 560946@bugs.debian.org, 560947@bugs.debian.org, 560948@bugs.debian.org, 560949@bugs.debian.org, 560950@bugs.debian.org, 560951@bugs.debian.org
Subject: CVE-2009-3560: Revised patch
Date: Mon, 04 Jan 2010 08:40:26 +0100
Hi,

After fixing CVE-2009-3560 in the expat package [1] I was informed that
it broke parsing [2] in some documents. After talking to upstream [3],
the fix for CVE-2009-3560 has been adjusted [4][5].

[1] http://bugs.debian.org/560901
[2] http://bugs.debian.org/561658
[3] http://mail.libexpat.org/pipermail/expat-discuss/2009-December/002644.html
[4] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166
[5] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.166

Please note that I just copied the bug addresses from the mass bug
filing. I did not check if you already fixed the issue or if this
information applies to you.

Regards, Daniel

Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#560942; Package xmlrpc-c. (Tue, 26 Jan 2010 19:45:07 GMT)

Acknowledgement sent to Jamie Strandboge <jamie@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Tue, 26 Jan 2010 19:45:07 GMT)

Message #35 received at 560942@bugs.debian.org:

From: Jamie Strandboge <jamie@ubuntu.com>
To: Debian Bug Tracking System <560942@bugs.debian.org>
Subject: Re: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Date: Tue, 26 Jan 2010 13:38:59 -0600
Package: xmlrpc-c
Version: 1.06.27-1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu karmic ubuntu-patch

In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: fix DoS via malformed XML
    - debian/patches/CVE-2009-3720.patch: update expat/xmltok/xmltok_impl.c
      to not access beyond end of input string
    - CVE-2009-3720
  * SECURITY UPDATE: fix DoS via malformed UTF-8 sequences
    - debian/patches/CVE-2009-3560.patch: update expat/xmlparse/xmlparse.c to
      properly recognize the end of a token
    - CVE-2009-3560

We thought you might be interested in doing the same. Please note that the
patches do include the regressions fixes.

Jamie


-- System Information:
Debian Release: squeeze/sid
  APT prefers karmic-updates
  APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-17-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmp5CrU9D (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#560942; Package xmlrpc-c. (Thu, 28 Jan 2010 09:03:08 GMT)

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Thu, 28 Jan 2010 09:03:09 GMT)

Message #40 received at 560942@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Jamie Strandboge <jamie@ubuntu.com>, 560942@bugs.debian.org
Subject: Re: Bug#560942: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Date: Thu, 28 Jan 2010 10:00:24 +0100
hi,

just a quick ack:

i've imported the patches into git but one of them does not apply:

Applying patch CVE-2009-3560.patch
patching file lib/expat/xmlparse/xmlparse.c
Hunk #1 FAILED at 2330.
1 out of 1 hunk FAILED -- rejects in file lib/expat/xmlparse/xmlparse.c
Patch CVE-2009-3560.patch does not apply (enforce with -f)

i've taken a very cursory look but can't tell if this has already been
addressed for the unstable version; there are a number of switch statements
in this file and i'm not sure which one is supposed to be patched ("-p" output
from diff might help there).  in one of the switch statements at least there's
a default case that seems to do the same error handling, though i'm not
sure if it's sufficient to address the issue.  is there some test case
i can use to verify the error?

i'll look closer when i have a chance but if you have any further info that
could help it would be appreciated.

thanks,
	sean

Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#560942; Package xmlrpc-c. (Thu, 28 Jan 2010 13:03:08 GMT)

Acknowledgement sent to Jamie Strandboge <jamie@canonical.com>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Thu, 28 Jan 2010 13:03:08 GMT)

Message #45 received at 560942@bugs.debian.org:

From: Jamie Strandboge <jamie@canonical.com>
To: sean finney <seanius@debian.org>
Cc: 560942@bugs.debian.org
Subject: Re: Bug#560942: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Date: Thu, 28 Jan 2010 06:58:51 -0600
On Thu, 2010-01-28 at 10:00 +0100, sean finney wrote:
> 560942

> i've imported the patches into git but one of them does not apply:
> 
> Applying patch CVE-2009-3560.patch
> patching file lib/expat/xmlparse/xmlparse.c
> Hunk #1 FAILED at 2330.
> 1 out of 1 hunk FAILED -- rejects in file lib/expat/xmlparse/xmlparse.c
> Patch CVE-2009-3560.patch does not apply (enforce with -f)

That's weird cause it works fine here:
$ md5sum /tmp/xmlrpc-c.diff
11b2a93bf29420838e7e560304aba980  /tmp/xmlrpc-c.diff

$ apt-get source xmlrpc-c=1.06.27-1
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Need to get 707kB of source archives.
Get:1 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (dsc)
[1,070B]
Get:2 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (tar)
[700kB]
Get:3 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (diff)
[6,767B]
Fetched 707kB in 1s (458kB/s)   
dpkg-source: info: extracting xmlrpc-c in xmlrpc-c-1.06.27
dpkg-source: info: unpacking xmlrpc-c_1.06.27.orig.tar.gz
dpkg-source: info: applying xmlrpc-c_1.06.27-1.diff.gz

$ cd ./xmlrpc-c-1.06.27/

$ cat /tmp/xmlrpc-c.diff | patch -p1
patching file debian/patches/series
patching file debian/patches/CVE-2009-3560.patch
patching file debian/patches/CVE-2009-3720.patch

$ fakeroot debian/rules patch
QUILT_PATCHES=debian/patches quilt --quiltrc /dev/null push -a || test
$? = 2
Applying patch old-libtool.patch
patching file ltconfig

Applying patch curl_easy_setopt.patch
patching file lib/curl_transport/xmlrpc_curl_transport.c

Applying patch CVE-2009-3720.patch
patching file lib/expat/xmltok/xmltok_impl.c

Applying patch CVE-2009-3560.patch
patching file lib/expat/xmlparse/xmlparse.c

Now at patch CVE-2009-3560.patch
touch debian/stamp-patched


Are you looking at 1.16.07-1 from experimental and not 1.06.27-1 from
unstable?

Jamie

-- 
Jamie Strandboge             | http://www.canonical.com

Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#560942; Package xmlrpc-c. (Thu, 28 Jan 2010 13:30:07 GMT)

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Thu, 28 Jan 2010 13:30:07 GMT)

Message #50 received at 560942@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Jamie Strandboge <jamie@canonical.com>, 560942@bugs.debian.org
Subject: Re: Bug#560942: CVE-2009-3560 and CVE-2009-3720 denial-of-services
Date: Thu, 28 Jan 2010 14:24:25 +0100
hi jamie,

it looks like the version in git[1,2] is based on 1.16.07, which probably
explains the discrepancy.  i'm pretty sure this version predates the CVE
by large enough of a margin that it's likely to be vulnerable unless it's
been hacked enough to have lost the vulnerable code paths.

thanks,
	sean

[1] ssh://git.debian.org/git/users/seanius/xmlrpc-c.git
[2] this hasn't yet been uploaded to unstable, though it can be
    fetched from experimental as well as git.

On Thu, Jan 28, 2010 at 06:58:51AM -0600, Jamie Strandboge wrote:
> On Thu, 2010-01-28 at 10:00 +0100, sean finney wrote:
> > 560942
> 
> > i've imported the patches into git but one of them does not apply:
> > 
> > Applying patch CVE-2009-3560.patch
> > patching file lib/expat/xmlparse/xmlparse.c
> > Hunk #1 FAILED at 2330.
> > 1 out of 1 hunk FAILED -- rejects in file lib/expat/xmlparse/xmlparse.c
> > Patch CVE-2009-3560.patch does not apply (enforce with -f)
> 
> That's weird cause it works fine here:
> $ md5sum /tmp/xmlrpc-c.diff
> 11b2a93bf29420838e7e560304aba980  /tmp/xmlrpc-c.diff
> 
> $ apt-get source xmlrpc-c=1.06.27-1
> Reading package lists... Done
> Building dependency tree       
> Reading state information... Done
> Need to get 707kB of source archives.
> Get:1 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (dsc)
> [1,070B]
> Get:2 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (tar)
> [700kB]
> Get:3 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (diff)
> [6,767B]
> Fetched 707kB in 1s (458kB/s)   
> dpkg-source: info: extracting xmlrpc-c in xmlrpc-c-1.06.27
> dpkg-source: info: unpacking xmlrpc-c_1.06.27.orig.tar.gz
> dpkg-source: info: applying xmlrpc-c_1.06.27-1.diff.gz
> 
> $ cd ./xmlrpc-c-1.06.27/
> 
> $ cat /tmp/xmlrpc-c.diff | patch -p1
> patching file debian/patches/series
> patching file debian/patches/CVE-2009-3560.patch
> patching file debian/patches/CVE-2009-3720.patch
> 
> $ fakeroot debian/rules patch
> QUILT_PATCHES=debian/patches quilt --quiltrc /dev/null push -a || test
> $? = 2
> Applying patch old-libtool.patch
> patching file ltconfig
> 
> Applying patch curl_easy_setopt.patch
> patching file lib/curl_transport/xmlrpc_curl_transport.c
> 
> Applying patch CVE-2009-3720.patch
> patching file lib/expat/xmltok/xmltok_impl.c
> 
> Applying patch CVE-2009-3560.patch
> patching file lib/expat/xmlparse/xmlparse.c
> 
> Now at patch CVE-2009-3560.patch
> touch debian/stamp-patched
> 
> 
> Are you looking at 1.16.07-1 from experimental and not 1.06.27-1 from
> unstable?
> 
> Jamie
> 
> -- 
> Jamie Strandboge             | http://www.canonical.com




Reply sent to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility. (Thu, 29 Jul 2010 04:51:11 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Thu, 29 Jul 2010 04:51:11 GMT)

Message #55 received at 560942-close@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 560942-close@bugs.debian.org
Subject: Bug#560942: fixed in xmlrpc-c 1.06.27-1.1
Date: Thu, 29 Jul 2010 04:47:21 +0000
Source: xmlrpc-c
Source-Version: 1.06.27-1.1

We believe that the bug you reported is fixed in the latest version of
xmlrpc-c, which is due to be installed in the Debian FTP archive:

libxmlrpc-c3-dev_1.06.27-1.1_i386.deb
  to main/x/xmlrpc-c/libxmlrpc-c3-dev_1.06.27-1.1_i386.deb
libxmlrpc-c3_1.06.27-1.1_i386.deb
  to main/x/xmlrpc-c/libxmlrpc-c3_1.06.27-1.1_i386.deb
xml-rpc-api2cpp_1.06.27-1.1_i386.deb
  to main/x/xmlrpc-c/xml-rpc-api2cpp_1.06.27-1.1_i386.deb
xml-rpc-api2txt_1.06.27-1.1_i386.deb
  to main/x/xmlrpc-c/xml-rpc-api2txt_1.06.27-1.1_i386.deb
xmlrpc-c_1.06.27-1.1.diff.gz
  to main/x/xmlrpc-c/xmlrpc-c_1.06.27-1.1.diff.gz
xmlrpc-c_1.06.27-1.1.dsc
  to main/x/xmlrpc-c/xmlrpc-c_1.06.27-1.1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560942@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated xmlrpc-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 28 Jul 2010 22:18:54 -0400
Source: xmlrpc-c
Binary: libxmlrpc-c3-dev libxmlrpc-c3 xml-rpc-api2cpp xml-rpc-api2txt
Architecture: source i386
Version: 1.06.27-1.1
Distribution: unstable
Urgency: medium
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description: 
 libxmlrpc-c3 - A lightweight RPC library based on XML and HTTP for C and C++
 libxmlrpc-c3-dev - A lightweight RPC library based on XML and HTTP for C and C++
 xml-rpc-api2cpp - Generate C++ wrapper classes for XML-RPC servers
 xml-rpc-api2txt - Dump an XML-RPC API as a text file
Closes: 560942
Changes: 
 xmlrpc-c (1.06.27-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2009-3560 and CVE-2009-3720 (Closes: #560942)






Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#560942; Package xmlrpc-c. (Fri, 30 Jul 2010 02:00:05 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Fri, 30 Jul 2010 02:00:05 GMT)

Message #60 received at 560942@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 560942@bugs.debian.org
Subject: xmlrpc-c: diff for NMU version 1.06.27-1.1
Date: Thu, 29 Jul 2010 21:57:34 -0400
Hi,
here's the diff for my NMU.

Cheers,
        Moritz
[xmlrpc-c-1.06.27-1.1-nmu.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#560942; Package xmlrpc-c. (Wed, 09 Mar 2011 19:57:08 GMT)

Acknowledgement sent to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list. (Wed, 09 Mar 2011 19:57:08 GMT)

Message #65 received at 560942@bugs.debian.org:

From: Sean Finney <seanius@debian.org>
To: 560942@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [/debian-sid] ACK NMU for #560942. Thanks, Moritz.
Date: Wed, 09 Mar 2011 19:55:03 +0000
tag 560942 pending
thanks

Date: Wed Mar 9 20:53:16 2011 +0100
Author: Sean Finney <seanius@debian.org>
Commit ID: 8de494e3ad6639809ac22664b03d1b1ee92947f1
Commit URL: http://git.debian.org/?p=users/seanius/xmlrpc-c.git;a=commitdiff;h=8de494e3ad6639809ac22664b03d1b1ee92947f1
Patch URL: http://git.debian.org/?p=users/seanius/xmlrpc-c.git;a=commitdiff_plain;h=8de494e3ad6639809ac22664b03d1b1ee92947f1

    ACK NMU for #560942.  Thanks, Moritz.

      




Added tag(s) pending. Request was from Sean Finney <seanius@debian.org> to control@bugs.debian.org. (Wed, 09 Mar 2011 19:57:13 GMT)

Bug marked as fixed in version 1.16.33-1, send any further explanations to Michael Gilbert <michael.s.gilbert@gmail.com>. Request was from Sean Finney <seanius@debian.org> to control@bugs.debian.org. (Wed, 09 Mar 2011 19:57:16 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Apr 2011 07:53:30 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:33:24 2014; Machine Name: beach.debian.org
