Bug#1105769: unblock: xmlrpc-c/1.59.03-10
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: xmlrpc-c@packages.debian.org, Guillem Jover <gjover@sipwise.com>
Control: affects -1 + src:xmlrpc-c
User: release.debian.org@packages.debian.org
Usertags: unblock
This is a pre-approval request.
----
Please unblock package xmlrpc-c
The Security Team discovered a latent vulnerability:
"xmlrpc-c: bundles a (very old and) vulnerable copy of libexpat"
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102554
This needed extensive patching to get this right.
[ Reason ]
xmlrpc-c/1.59.03-10 fixes the FTBFS of the reverse dependencies,
which for some other reasons end up depending on 'pkgconf'.
[ Impact ]
That is not exactly clear to me, but I'm the one _learning_
from all my previous & current interactions with Guillem;
so I trust his judgement.
[ Tests ]
I rebuilt the reverse dependencies again just fine.
Reverse-Build-Depends
=====================
* flowgrind (for libxmlrpc-core-c3-dev)
* rtorrent (for libxmlrpc-core-c3-dev)
* rtpengine (for libxmlrpc-core-c3-dev)
* tlf (for libxmlrpc-core-c3-dev)
[ Risks ]
xmlrpc-c/1.59.03-9 fixes most of this mess already;
the remaining debdiff is small.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
unblock xmlrpc-c/1.59.03-10
-----
$ git diff HEAD~3..HEAD | cat
diff --git a/debian/changelog b/debian/changelog
index 59b0dcf..b382579 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xmlrpc-c (1.59.03-10) unstable; urgency=medium
+
+ * Depends on external libexpat1-dev (Closes: #1104753)
+ * Reinstate hardening patch, fix blhc job on Salsa
+
+ -- Alexandre Detiste <tchet@debian.org> Wed, 14 May 2025 16:42:44 +0200
+
xmlrpc-c (1.59.03-9) unstable; urgency=high
* Expand libexpat1 patch to also update xmlrpc-c-config &
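Review bot: the entry "* Depends on external libexpat1-dev (Closes: #1104753)" does not say which binary package gains the dependency; the control hunk adds it to the -dev stanza (the one depending on libxmlrpc-util-dev and libxmlrpc-core-c3t64), so naming that package and the reason (the .pc file now lists the XML library under Requires.private) would let maintainers of the reverse dependencies see why pkgconf stopped resolving it on its own. Splitting "Reinstate hardening patch, fix blhc job on Salsa" into two bullets would also keep the user-visible hardening-flag change separate from the CI fix.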
diff --git a/debian/control b/debian/control
index c7d9041..ef000c7 100644
--- a/debian/control
+++ b/debian/control
@@ -60,6 +60,7 @@ Architecture: any
Depends:
libc6-dev,
libcurl4-openssl-dev | libcurl4-gnutls-dev,
+ libexpat1-dev,
libxmlrpc-core-c3t64 (= ${binary:Version}),
libxmlrpc-util-dev,
${misc:Depends},
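Review bot: the new "libexpat1-dev," line is required rather than optional once the .pc file carries expat under Requires.private: pkgconf still resolves Requires.private entries to compute --cflags and for --static links, so a consumer building against this -dev package without expat.pc installed fails with a "Package 'expat', required by ..., not found" error instead of silently succeeding. The two must stay in sync if XML_PKGCONFIG_REQ ever changes; a short comment in d/control or the changelog stating that this Depends exists because of Requires.private would make the coupling explicit.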
diff --git a/debian/patches/XXXFLAGS.patch b/debian/patches/XXXFLAGS.patch
index e84ff57..ae1778d 100644
--- a/debian/patches/XXXFLAGS.patch
+++ b/debian/patches/XXXFLAGS.patch
@@ -1,33 +1,21 @@
Description: hardening stuff
Author: Herbert Parentes Fortes Neto <hpfn@debian.org>
Last-Update: 2016-07-22
-Index: xmlrpc-c-1.33.14/common.mk
-===================================================================
---- xmlrpc-c-1.33.14.orig/common.mk
-+++ xmlrpc-c-1.33.14/common.mk
-@@ -45,8 +45,10 @@ GCC_CXX_WARNINGS = $(GCC_WARNINGS) -Wsy
+--- a/common.mk
++++ b/common.mk
+@@ -48,8 +48,9 @@
# assertion and crash the program if it isn't really true. You can add
# -UNDEBUG (in any of various ways) to override this.
#
--CFLAGS_COMMON = -DNDEBUG
--CXXFLAGS_COMMON = -DNDEBUG
+-CFLAGS_COMMON = -DNDEBUG $(CFLAGS_PTHREAD)
+-CXXFLAGS_COMMON = -DNDEBUG $(CFLAGS_PTHREAD)
+CPPFLAGS_COMMON = -D_FORTIFY_SOURCE=2
-+CFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG -fPIE
-+CXXFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG -fPIE
-+
++CFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG $(CFLAGS_PTHREAD)
++CXXFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG $(CFLAGS_PTHREAD)
ifeq ($(C_COMPILER_GNU),yes)
CFLAGS_COMMON += $(GCC_C_WARNINGS) -fno-common -g -O3
-@@ -84,7 +86,7 @@ ifneq ($(LADD),)
- LDFLAGS := $(LADD)
- endif
-
--LDFLAGS_ALL = $(LDFLAGS_PERSONAL) $(LDFLAGS)
-+LDFLAGS_ALL = $(LDFLAGS_PERSONAL) $(LDFLAGS) -fPIE -pie -Wl,-z,now
-
- ##############################################################################
- # STATIC LINK LIBRARY RULES #
-@@ -160,10 +162,10 @@ LDFLAGS_SHLIB_ALL=$(LDFLAGS_ALL) $(LDFLA
+@@ -173,10 +174,10 @@
#------ the actual rules ----------------------------------------------------
$(TARGET_SHARED_LIBRARIES) dummyshlib:
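Review bot: the refreshed patch silently drops the PIE and bindnow parts of the old one: "-fPIE" no longer appears in CFLAGS_COMMON/CXXFLAGS_COMMON, and the whole LDFLAGS_ALL hunk that added "-fPIE -pie -Wl,-z,now" is removed, so all that survives is "CPPFLAGS_COMMON = -D_FORTIFY_SOURCE=2". If PIE is now expected from the toolchain default and bindnow from the LDFLAGS that dpkg-buildflags exports, state that in the patch header so the change is deliberate rather than a lost hunk. Hard-coding -D_FORTIFY_SOURCE=2 is also fragile: when the CPPFLAGS from dpkg-buildflags define _FORTIFY_SOURCE at a different level, the two definitions give a macro redefinition warning and the patch's value wins or loses depending on flag order; letting the build flags supply the level is safer. Finally, the "Index: xmlrpc-c-1.33.14/common.mk" references are gone but "Last-Update: 2016-07-22" is unchanged; bump it to match this refresh.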
@@ -40,7 +28,7 @@ Index: xmlrpc-c-1.33.14/common.mk
#----------------------------------------------------------------------------
LIBXMLRPC_UTIL_DIR = $(BLDDIR)/lib/libutil
-@@ -315,7 +316,7 @@ $(TARGET_MODS:%=%.osh):%.osh:%.c
+@@ -347,7 +348,7 @@
$(CC) -c -o $@ $(INCLUDES) $(CFLAGS_ALL) $(CFLAGS_SHLIB) $<
$(TARGET_MODS_PP:%=%.o):%.o:%.cpp
diff --git a/debian/patches/series b/debian/patches/series
index 619d27b..2d90dcc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,5 @@
typo.patch
-#XXXFLAGS.patch
+XXXFLAGS.patch
#no_curl_test.patch
614937_FTBFS_hurd-i386.patch
reproducible_build.patch
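Review bot: uncommenting "XXXFLAGS.patch" re-enables it ahead of 614937_FTBFS_hurd-i386.patch and reproducible_build.patch, so a "quilt push -a" from a clean tree belongs in the tests section to confirm the refreshed common.mk hunks and the later patches still apply together. The neighbouring "#no_curl_test.patch" stays disabled with no explanation; either drop it from series or add a comment saying why it is kept.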
diff --git a/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch b/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch
index dca1bd1..d7d5372 100644
--- a/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch
+++ b/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch
@@ -120,6 +120,16 @@ Subject: [PATCH] Use system libexpat rather than bundled lib/expat/ for
endif
$(LIBXMLRPC_MODS:%=%.o) \
+@@ -339,7 +337,8 @@
+ @echo 'Description: Xmlrpc-c basic XML-RPC library' >>$@
+ @echo 'Version: $(XMLRPC_VERSION_STRING)' >>$@
+ @echo >>$@
+- @echo 'Requires: xmlrpc_util $(XML_PKGCONFIG_REQ)' >>$@
++ @echo 'Requires: xmlrpc_util' >>$@
++ @echo 'Requires.private: $(XML_PKGCONFIG_REQ)' >>$@
+ @echo 'Libs: -L$${libdir} -lxmlrpc' >>$@
+ @echo 'Cflags: -I$${includedir}' >>$@
+
--- a/src/cpp/Makefile
+++ b/src/cpp/Makefile
@@ -42,15 +42,13 @@
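Review bot: moving "$(XML_PKGCONFIG_REQ)" from "Requires:" to a new "Requires.private:" line is the right way to stop every consumer from linking the XML library directly: pkgconf only emits Requires.private libraries for "--libs --static", while their Cflags are still merged into "--cflags". A quick check worth adding to the tests section, assuming this generates xmlrpc.pc: after installing the rebuilt -dev package, "pkgconf --libs xmlrpc" should no longer print the expat library, and "pkgconf --cflags xmlrpc" should still succeed, which is also why the new libexpat1-dev Depends cannot be dropped. The inner hunk header "@@ -339,7 +337,8 @@" accounts for the extra line (one removed, two added), so the counts are consistent.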