• Bug#1102554: xmlrpc-c: bundles a (very old and) vulnerable copy of libe

    From Salvatore Bonaccorso@21:1/5 to All on Thu Apr 10 13:10:02 2025
    Source: xmlrpc-c
    Version: 1.59.03-7
    Severity: important
    Tags: upstream security
    X-Debbugs-Cc: carnil@debian.org,team@security.debian.org

    Hi

    Triggered by the oss-security post from the expat upstream maintainer: https://www.openwall.com/lists/oss-security/2025/04/09/4

It might be worth using a similar patch to make xmlrpc-c switch to
the system expat instead of the internal copy.

Ideally upstream would even just remove the upstream embedded source,
but from what I read in the above there is no interest in that for
now.

    https://raw.githubusercontent.com/gentoo/gentoo/61b6130343a41b49da1ffe7376ab5d2077a37411/dev-libs/xmlrpc-c/files/xmlrpc-c-1.59.03-use-system-expat.patch
    is the patch by Sebastian Pipping to use the system libexpat.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adrian Bunk@21:1/5 to Salvatore Bonaccorso on Sat Apr 12 11:40:01 2025
    On Thu, Apr 10, 2025 at 12:57:14PM +0200, Salvatore Bonaccorso wrote:
    ...
    Triggered by the oss-security post from the expat upstream maintainer: https://www.openwall.com/lists/oss-security/2025/04/09/4

It might be worth using a similar patch to make xmlrpc-c switch to
the system expat instead of the internal copy.

Ideally upstream would even just remove the upstream embedded source,
but from what I read in the above there is no interest in that for
now.

    https://raw.githubusercontent.com/gentoo/gentoo/61b6130343a41b49da1ffe7376ab5d2077a37411/dev-libs/xmlrpc-c/files/xmlrpc-c-1.59.03-use-system-expat.patch
    is the patch by Sebastian Pipping to use the system libexpat.
    ...

    The options offered by upstream are internal expat or external libxml2,
    and external libxml2 is the new upstream default.

    Building the package with external libxml2 worked for me.

No matter whether we use the supported external libxml2 or patch in
support for external expat, this means xmlrpc-c will drop the two
libraries containing the vendored expat from libxmlrpc-core-c3t64 (libxmlrpc_xmlparse.so and libxmlrpc_xmltok.so).

    For trixie an option might be:
    - switch to external libxml2
    - for a new library name compared to bookworm,
    dropping the ${t64:Provides} would be an option

    There does not seem to be any other package actually linking to any of
    the two libraries containing the vendored expat, but 3rd party software
    might do so in *stable.
    In bookworm:
    $ xmlrpc-c-config --libs
    -L/usr/lib/x86_64-linux-gnu -lxmlrpc -lxmlrpc_xmlparse -lxmlrpc_xmltok -lxmlrpc_util
    $
    as-needed obviously helps and headers don't seem to be installed, but
    these libraries should perhaps be provided as stubs if they disappear
    in *stable.

    Another issue for *stable is that changing the XML parser might result
    in behaviour changes.

    Relevant for *stable would also be whether that would actually reduce
    the number of expat1 copies that need fixing to zero.

    src:libxmltok is expat1 with a different name.
    CVE-2021-46143 was fixed in trixie, other expat CVEs need triaging.
    php8.4 has a (stale?) build dependency on libxmltok1-dev.

    cu
    Adrian

  • From Richard Fuchs@21:1/5 to All on Wed Apr 23 18:30:02 2025
    Hi,

The package's pkgconfig/xmlrpc.pc file still refers to xmlrpc_expat, which
now doesn't exist any more, so building anything against xmlrpc-c fails.

    $ pkg-config xmlrpc --libs
    Package xmlrpc_expat was not found in the pkg-config search path.
    Perhaps you should add the directory containing `xmlrpc_expat.pc'
    to the PKG_CONFIG_PATH environment variable
    Package 'xmlrpc_expat', required by 'xmlrpc', not found

    Thanks

  • From Florian Ernst@21:1/5 to Richard Fuchs on Fri May 2 16:30:01 2025
    On Wed, Apr 23, 2025 at 12:24:40PM -0400, Richard Fuchs wrote:
The package's pkgconfig/xmlrpc.pc file still refers to xmlrpc_expat, which now doesn't exist any more, so building anything against xmlrpc-c fails.

    Furthermore xmlrpc-c-config still references the dropped libraries (libxmlrpc_xmlparse.so and libxmlrpc_xmltok.so), so rtorrent FTBFS now,
    cf. <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104366>.

    | $ xmlrpc-c-config server-util --libs
    | -L/usr/lib/x86_64-linux-gnu -lxmlrpc_server -lxmlrpc -lxmlrpc_xmlparse -lxmlrpc_xmltok -lxmlrpc_util -lpthread

    HTH,
    Flo

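Added example, not code from the bug thread or from the xmlrpc-c project: a pre-upload check a packager could run to catch exactly the breakage Richard and Florian report above, i.e. -l flags in the config script output and "Requires:" entries in a .pc file that name libraries or packages no longer shipped. The fixture directory, its library list and the xmlrpc.pc contents are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread): report linker flags and pkg-config
# Requires entries that point at libraries no longer present on disk.
# All fixture paths and file contents below are constructed.

# Print each -lNAME in $1 that has no libNAME.so* in directory $2.
# Returns 1 if anything is dangling, 0 otherwise.
check_dangling_libs() {
    libs="$1"; libdir="$2"; rc=0
    for flag in $libs; do
        case "$flag" in -l*) name="${flag#-l}" ;; *) continue ;; esac
        if [ -e "$libdir/lib$name.so" ] || [ -n "$(ls "$libdir"/lib"$name".so.* 2>/dev/null)" ]; then
            continue
        fi
        echo "$name"; rc=1
    done
    return "$rc"
}

# Print each package on the "Requires:" line of .pc file $1 that has no
# matching NAME.pc in directory $2. Returns 1 if anything is missing.
check_pc_requires() {
    pcfile="$1"; pcdir="$2"; rc=0
    reqs=$(sed -n 's/^Requires:[[:space:]]*//p' "$pcfile" | tr ',' ' ')
    for pkg in $reqs; do
        [ -e "$pcdir/$pkg.pc" ] || { echo "$pkg"; rc=1; }
    done
    return "$rc"
}

# Constructed fixture mirroring the thread: the xmlparse/xmltok libraries
# are gone but the config output and xmlrpc.pc still name them.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib" "$dir/pkgconfig"
    for l in xmlrpc_server xmlrpc xmlrpc_util pthread; do : > "$dir/lib/lib$l.so"; done
    : > "$dir/pkgconfig/xmlrpc_util.pc"
    printf 'Name: xmlrpc\nRequires: xmlrpc_expat xmlrpc_util\nLibs: -lxmlrpc\n' \
        > "$dir/pkgconfig/xmlrpc.pc"
    echo "$dir"
}

# Constructed copy of the xmlrpc-c-config output quoted in the thread.
CONFIG_LIBS="-L/usr/lib/x86_64-linux-gnu -lxmlrpc_server -lxmlrpc -lxmlrpc_xmlparse -lxmlrpc_xmltok -lxmlrpc_util -lpthread"

fix=$(make_fixture)
echo "dangling -l flags:"; check_dangling_libs "$CONFIG_LIBS" "$fix/lib" || true
echo "missing pkg-config Requires:"; check_pc_requires "$fix/pkgconfig/xmlrpc.pc" "$fix/pkgconfig" || true
rm -rf "$fix"
```

On a real system, point the second argument at the multiarch lib directory and the pkgconfig directory the package installs into instead of the fixture.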