--- xmlrpc-c-1.06.27.orig/GNUmakefile +++ xmlrpc-c-1.06.27/GNUmakefile @@ -100,13 +100,13 @@ # Install old names of header files for backward compatibility cd $(DESTDIR)$(HEADERINST_DIR); \ rm -f xmlrpc.h xmlrpc_client.h xmlrpc_server.h xmlrpc_cgi.h \ - xmlrpc_server_abyss.h xmlrpc_server_w32httpsys.h \ + xmlrpc_abyss.h xmlrpc_server_w32httpsys.h \ XmlRpcCpp.h; \ $(LN_S) xmlrpc-c/oldxmlrpc.h xmlrpc.h; \ $(LN_S) xmlrpc-c/client.h xmlrpc_client.h; \ $(LN_S) xmlrpc-c/server.h xmlrpc_server.h; \ $(LN_S) xmlrpc-c/server_cgi.h xmlrpc_cgi.h; \ - $(LN_S) xmlrpc-c/server_abyss.h xmlrpc_server_abyss.h; \ + $(LN_S) xmlrpc-c/server_abyss.h xmlrpc_abyss.h; \ $(LN_S) xmlrpc-c/server_w32httpsys.h xmlrpc_server_w32httpsys.h; \ $(LN_S) xmlrpc-c/oldcppwrapper.hpp XmlRpcCpp.h ;\ --- xmlrpc-c-1.06.27.orig/version.h +++ xmlrpc-c-1.06.27/version.h @@ -0,0 +1,2 @@ +/* This file was generated by a make rule */ +#define XMLRPC_C_VERSION "1.06.27" --- xmlrpc-c-1.06.27.orig/debian/changelog +++ xmlrpc-c-1.06.27/debian/changelog 
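Review bot: The `rm -f` list in the GNUmakefile hunk now names only `xmlrpc_abyss.h`, so an `xmlrpc_server_abyss.h` link left in `$(DESTDIR)$(HEADERINST_DIR)` by an earlier install is no longer removed and keeps resolving to `xmlrpc-c/server_abyss.h`. Keeping the old name in the removal list (`xmlrpc_abyss.h xmlrpc_server_abyss.h xmlrpc_server_w32httpsys.h \`) would clean it up. The same recipe joins `cd $(DESTDIR)$(HEADERINST_DIR)` to the following commands with `;`, so if the `cd` fails, the `rm -f` and `$(LN_S)` calls run in whatever directory the recipe started in; `cd $(DESTDIR)$(HEADERINST_DIR) && \` would stop there instead. The recipe begins before this hunk and continues past it.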
@@ -0,0 +1,225 @@ +xmlrpc-c (1.06.27-1ubuntu7.1) lucid-security; urgency=low + + * Run the tests as part of the build process + - debian/patches/FTBFS-tests.patch: Fix issues when running make check. + Based on upstream patches. + - debian/rules: Run make check after building + * SECURITY UPDATE: Denial of service via hash collisions + - debian/patches/CVE-2012-0876.patch: Add random salt value to + hash inputs. Based on upstream patch. + - CVE-2012-0876 + * SECURITY UPDATE: Denial of service via memory leak + - debian/patches/CVE-2012-1148.patch: Properly reallocate memory. + Based on upstream patch. + - CVE-2012-1148 + + -- Tyler Hicks Sun, 09 Sep 2012 22:57:33 -0700 + +xmlrpc-c (1.06.27-1ubuntu7) lucid; urgency=low + + * SECURITY UPDATE: fix DoS via malformed XML + - debian/patches/CVE-2009-3720.patch: update expat/xmltok/xmltok_impl.c + to not access beyond end of input string + - CVE-2009-3720 + * SECURITY UPDATE: fix DoS via malformed UTF-8 sequences + - debian/patches/CVE-2009-3560.patch: update expat/xmlparse/xmlparse.c to + properly recognize the end of a token + - CVE-2009-3560 + + -- Jamie Strandboge Tue, 26 Jan 2010 13:14:57 -0600 + +xmlrpc-c (1.06.27-1ubuntu6) karmic; urgency=low + + * Move xmlrpc-c/server.h to libxmlrpc-core-c3-dev where it belongs, + without which xmlrpc.h doesn't compile. 
+ + -- Steve Langasek Fri, 11 Sep 2009 21:43:09 +0000 + +xmlrpc-c (1.06.27-1ubuntu5) karmic; urgency=low + + * debian/libxmlrpc-core-c3-dev.install + debian/libxmlrpc-c3-dev.install : + Remove installation of /usr/bin/xmlrpc-c-config and /usr/include, + already in libxmlrpc-core-c3-dev.install (LP: #376133) + * debian/libxmlrpc-c3.install : + Don't install .a and .so files for libxmlrpc_client++ + + -- Julien Lavergne Thu, 14 May 2009 22:30:04 +0200 + +xmlrpc-c (1.06.27-1ubuntu4) karmic; urgency=low + + * Remove libxmlrpc-c3-dev Provides libxmlrpc-c-dev, it also conflicts with libxmlrpc-c-dev and + this confuses the install of libxmlrpc-core-c3-dev + + -- Jonathan Riddell Tue, 12 May 2009 14:26:29 +0000 + +xmlrpc-c (1.06.27-1ubuntu3) karmic; urgency=low + + * Rename patch lpia-gnulp to other-gnu-triplets and add support for + linux-gnueabi as well as it was also failing to build on armel. + + -- Loic Minier Mon, 11 May 2009 14:18:57 +0200 + +xmlrpc-c (1.06.27-1ubuntu2) karmic; urgency=low + + * Set CFLAGS_PERSONAL to CFLAGS and export this new var; also covers cpp + files; note that -O2 was ignored until now, and upstream sets -O3, but -O2 + is probably good enough for us. + * Pass $(addprefix -X,$(muckfiles)) to dh_clean -k calls; LP: #374813. + * New patch, lpia-gnulp, fixes FTBFS on lpia by supporting its + i686-linux-gnulp triplet identically to i686-linux-gnu. + + -- Loic Minier Mon, 11 May 2009 12:33:27 +0200 + +xmlrpc-c (1.06.27-1ubuntu1) karmic; urgency=low + + * Split out libraries used by cmake into libxmlrpc-core-c3-dev and + libxmlrpc-core-c3 to put only those parts into main, LP: #369918 + + -- Jonathan Riddell Fri, 01 May 2009 20:20:33 +0000 + +xmlrpc-c (1.06.27-1) unstable; urgency=low + + * New upstream release + * FTBFS fix for macro "curl_easy_setopt", thanks to Adam Sloboda and Peter + Green for the suggestions of the easy fix (closes: #477016). 
+ + -- Sean Finney Thu, 15 May 2008 22:27:17 +0200 + +xmlrpc-c (1.06.25-2) unstable; urgency=low + + * disable building of libwww client, removing all dependencies on the + libwww packages, as they are buggy and will be removed from debian. + thanks to Regis Boudin for the patch (closes: #458775). + * start build-depending on (and using) quilt for add-on patch management. + * new patch: old-libtool, fixing FTBFS on kfreebsd-gnu. thanks to + Petr Salinger (closes: #466054). + + -- Sean Finney Thu, 20 Mar 2008 08:35:02 +0100 + +xmlrpc-c (1.06.25-1) unstable; urgency=low + + * New Upstream Version + * Bump Standards-Version to 3.7.3 + * debian/rules cleanup, add autotools-dev to build-deps. + + -- Sean Finney Thu, 13 Mar 2008 23:56:29 +0100 + +xmlrpc-c (1.06.21-3) unstable; urgency=low + + * re-upload due to ftp-master outage. + * change build-deps for curl to libcurl4-openssl-dev | libcurl3-openssl-dev, + to facilitate easier backporting to etch. + + -- Sean Finney Mon, 28 Jan 2008 21:57:45 +0100 + +xmlrpc-c (1.06.21-1) unstable; urgency=low + + * new upstream release + * Wasn't building with curl support, needed to add libcurl4-openssl-dev + to the list of build-dependencies. Thanks to Bas van Sisseren for + catching this (closes: #309954). + + -- Sean Finney Sat, 03 Nov 2007 18:46:58 +0100 + +xmlrpc-c (1.06.17-0ubuntu4) gutsy; urgency=low + + * libxmlrpc-c3-dev: + -> Fix header file transition link: the legacy name for + /usr/include/xmlrpc-c/server_abyss.h is xmlrpc_abyss.h, not + xmlrpc_server_abyss.h (LP: #134529). + -> Ship xmlrpc and its documentation (LP: #134985). + + -- Jeremie Corbier Mon, 27 Aug 2007 15:44:57 -0700 + +xmlrpc-c (1.06.17-0ubuntu3) gutsy; urgency=low + + * The WTF release. + * Properly install files, including manpages (LP: #133766). 
+ + -- Jeremie Corbier Tue, 21 Aug 2007 13:51:25 -0700 + +xmlrpc-c (1.06.17-0ubuntu2) gutsy; urgency=low + + * debian/rules: Add $(MAKE) CADD=-fPIC for AMD64 FTBFS + + -- Barry deFreese Mon, 13 Aug 2007 10:49:33 -0400 + +xmlrpc-c (1.06.17-0ubuntu1) gutsy; urgency=low + + * New upstream version. (LP: #61682) + * debian/control + - Updated Maintainer value to match Debian-Maintainer-Field Spec. + - Changed ${Source-Version} to ${binary:Version} (safely binNMUable). + - Fixed typo (description-synopsis-might-not-be-phrased-properly). + * Use of debian/compat instead of DH_COMPAT. + - debian/compat: Updated. + - debian/rules: Removed 'export DH_COMPAT=3' + * debian/rules + - Updated to work with new upstream version. + * debian/libxmlrpc-c3-dev.docs + - Updated documentation available. + + -- Miguel Ruiz Sun, 12 Aug 2007 19:17:06 -0400 + +xmlrpc-c (0.9.10-4) unstable; urgency=low + + * Fixed timestamps on build files (closes: Bug#229456) + + -- Chris Leishman Wed, 17 Mar 2004 21:50:18 +1100 + +xmlrpc-c (0.9.10-3) unstable; urgency=low + + * Updated libtool (closes: Bug#201940) + + -- Chris Leishman Mon, 8 Dec 2003 16:47:30 +1100 + +xmlrpc-c (0.9.10-2) unstable; urgency=low + + * g++ 3.2 compatability fixes (closes: Bug#177741) + + -- Chris Leishman Fri, 4 Mar 2003 11:37:12 +0300 + +xmlrpc-c (0.9.10-1) unstable; urgency=low + + * Upstream version 0.9.10 + * Updated config.sub and config.guess (closes: Bug#166820) + + -- Chris Leishman Fri, 17 Jan 2003 01:01:22 +0300 + +xmlrpc-c (0.9.9-5) unstable; urgency=low + + * Added conflict against libxmlrpc-c0 (closes: Bug#155050) + * Installed overview.txt into /usr/share/doc (closes: Bug#153223) + + -- Chris Leishman Mon, 5 Aug 2002 14:51:22 +0300 + +xmlrpc-c (0.9.9-4) unstable; urgency=low + + * Changed package names to libxmlrpc-c3(-dev) (closes: Bug#147739) + * Added depend on libwww-dev to libxmlrpc-c0-dev (closes: Bug#147353) + + -- Chris Leishman Thu, 30 May 2002 10:24:31 +1000 + +xmlrpc-c (0.9.9-3) unstable; urgency=low 
+ + * Updates for gcc-3.0 compatability (closes: Bug#111392) + * Updated config.guess & friends. + + -- Chris Leishman Tue, 25 Sep 2001 02:01:31 -0700 + +xmlrpc-c (0.9.9-2) unstable; urgency=low + + * Fixed some issues in xmlrpc.h + + -- Chris Leishman Wed, 29 Aug 2001 09:57:52 -0700 + +xmlrpc-c (0.9.9-1) unstable; urgency=low + + * Initial release. + + -- Chris Leishman Thu, 16 Aug 2001 13:50:52 +1000 + +Local variables: +mode: debian-changelog +End: --- xmlrpc-c-1.06.27.orig/debian/libxmlrpc-c3-dev.docs +++ xmlrpc-c-1.06.27/debian/libxmlrpc-c3-dev.docs @@ -0,0 +1,5 @@ +README +doc/CREDITS +doc/DEVELOPING +doc/SECURITY +doc/TESTING --- xmlrpc-c-1.06.27.orig/debian/control +++ xmlrpc-c-1.06.27/debian/control 
@@ -0,0 +1,93 @@
+Source: xmlrpc-c
+Priority: optional
+Section: libs
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Sean Finney
+Build-Depends: autotools-dev, debhelper, libcurl4-openssl-dev | libcurl3-openssl-dev, quilt
+Standards-Version: 3.7.3
+
+Package: libxmlrpc-c3-dev
+Section: libdevel
+Architecture: any
+Depends: libxmlrpc-c3 (= ${binary:Version}), libc6-dev, libxmlrpc-core-c3-dev
+Conflicts: libxmlrpc-c-dev, libxmlrpc-c0-dev, xmlrpc-c-dev, libxmlrpc++-dev
+Replaces: libxmlrpc-c-dev
+Suggests: xml-rpc-api2cpp, xml-rpc-api2txt
+Description: A lightweight RPC library based on XML and HTTP for C and C++
+ XML-RPC is a quick-and-easy way to make procedure calls over the Internet.
+ It converts the procedure call into an XML document, sends it to a remote
+ server using HTTP, and gets back the response as XML.
+ .
+ This library provides a modular implementation of XML-RPC for C and C++.
+ .
+ Install this package if you wish to develop your own programs using this
+ library.
+ .
+ xmlrpc-c homepage: http://xmlrpc-c.sourceforge.net/
+
+Package: libxmlrpc-c3
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Conflicts: libxmlrpc-c0, xmlrpc-c0
+Description: A lightweight RPC library based on XML and HTTP for C and C++
+ XML-RPC is a quick-and-easy way to make procedure calls over the Internet.
+ It converts the procedure call into an XML document, sends it to a remote
+ server using HTTP, and gets back the response as XML.
+ .
+ This library provides a modular implementation of XML-RPC for C and C++.
+ .
+ xmlrpc-c homepage: http://xmlrpc-c.sourceforge.net/
+
+Package: libxmlrpc-core-c3-dev
+Section: libdevel
+Architecture: any
+Depends: libxmlrpc-core-c3 (= ${binary:Version}), libc6-dev
+Conflicts: libxmlrpc-c-dev, libxmlrpc-c0-dev, xmlrpc-c-dev, libxmlrpc++-dev
+Replaces: libxmlrpc-c-dev, libxmlrpc-c3-dev (<= 1.06.27-1ubuntu5)
+Description: A lightweight RPC library based on XML and HTTP (core libraries)
+ XML-RPC is a quick-and-easy way to make procedure calls over the Internet.
+ It converts the procedure call into an XML document, sends it to a remote
+ server using HTTP, and gets back the response as XML.
+ .
+ This library provides a modular implementation of XML-RPC for C and C++.
+ .
+ Install this package if you wish to develop your own programs using this
+ library.
+ .
+ xmlrpc-c homepage: http://xmlrpc-c.sourceforge.net/
+
+Package: libxmlrpc-core-c3
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Conflicts: libxmlrpc-c0, xmlrpc-c0
+Replaces: libxmlrpc-c3 (<= 1.06.27-1ubuntu1)
+Description: A lightweight RPC library based on XML and HTTP (core libraries)
+ XML-RPC is a quick-and-easy way to make procedure calls over the Internet.
+ It converts the procedure call into an XML document, sends it to a remote
+ server using HTTP, and gets back the response as XML.
+ .
+ This library provides a modular implementation of XML-RPC for C and C++.
+ .
+ xmlrpc-c homepage: http://xmlrpc-c.sourceforge.net/
+
+Package: xml-rpc-api2cpp
+Architecture: any
+Section: devel
+Depends: libxmlrpc-c3 (= ${binary:Version}), libc6-dev
+Description: Generate C++ wrapper classes for XML-RPC servers
+ A utility for generating C++ wrapper classes based on an XML-RPC API,
+ obtained by interrogating an XML-RPC server.
+ .
+ xmlrpc-c homepage: http://xmlrpc-c.sourceforge.net/
+
+Package: xml-rpc-api2txt
+Architecture: any
+Section: devel
+Depends: libxmlrpc-c3 (= ${binary:Version}), libc6-dev, libfrontier-rpc-perl
+Description: Dump an XML-RPC API as a text file
+ A utility for printing out an XML-RPC API as a text file. The API is
+ obtained by interrogating an XML-RPC server.
+ .
+ xmlrpc-c homepage: http://xmlrpc-c.sourceforge.net/
--- xmlrpc-c-1.06.27.orig/debian/xmlrpc-c.lintian-overrides
+++ xmlrpc-c-1.06.27/debian/xmlrpc-c.lintian-overrides
@@ -0,0 +1,2 @@
+# the soname is close enough...
+libxmlrpc-c3 binary: package-name-doesnt-match-sonames
--- xmlrpc-c-1.06.27.orig/debian/compat
+++ xmlrpc-c-1.06.27/debian/compat
@@ -0,0 +1 @@
+5
--- xmlrpc-c-1.06.27.orig/debian/copyright
+++ xmlrpc-c-1.06.27/debian/copyright
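Review bot: `Build-Depends` in debian/control lists `debhelper` with no version, although debian/compat in this same diff declares level 5 and debian/rules calls `dh_install --list-missing`. A build against an older debhelper would fail or behave differently without the dependency resolver noticing; `debhelper (>= 5)` states the requirement. Everything else on the line can stay as written.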
@@ -0,0 +1,135 @@ +This package was debianized by Chris Leishman on +Thu, 16 Aug 2001 13:50:52 +1000. + +It was downloaded from http://xmlrpc-c.sourceforge.net/ + +Copyright: + +This software package is covered by the XML-RPC C Library License. +Additionally, certain parts of this library are derived from pre-existing +code, which may carry its own license. + +In particular, the Expat Licence applies to the contents of the directory +lib/expat, the ABYSS Web Server License applies to the contents of the +directory lib/abyss and parts of the file src/xmlrpc_abyss.c, and the +Python 1.5.2 license applies to parts of the file src/xmlrpc_base64.c. + +And as for the tools/ directory, you'll have to examine the licenses on +your own. + + + XML-RPC C Library License + ------------------------- + +Copyright (C) 2001 by First Peer, Inc. All rights reserved. +Copyright (C) 2001 by Eric Kidd. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + + + Expat License + ------------- + +Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be included +in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + + ABYSS Web Server License + ------------------------ + +Copyright (C) 2000 by Moez Mahfoudh . All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. 
Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + + + + Python 1.5.2 License + -------------------- + +Copyright 1991, 1992, 1993, 1994 by Stichting Mathematisch Centrum, +Amsterdam, The Netherlands. + + All Rights Reserved + +Permission to use, copy, modify, and distribute this software and its +documentation for any purpose and without fee is hereby granted, +provided that the above copyright notice appear in all copies and that +both that copyright notice and this permission notice appear in +supporting documentation, and that the names of Stichting Mathematisch +Centrum or CWI or Corporation for National Research Initiatives or +CNRI not be used in advertising or publicity pertaining to +distribution of the software without specific, written prior +permission. 
+ +While CWI is the initial source for this software, a modified version +is made available by the Corporation for National Research Initiatives +(CNRI) at the Internet address ftp://ftp.python.org. + +STICHTING MATHEMATISCH CENTRUM AND CNRI DISCLAIM ALL WARRANTIES WITH +REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH +CENTRUM OR CNRI BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL +DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR +PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER +TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +PERFORMANCE OF THIS SOFTWARE. --- xmlrpc-c-1.06.27.orig/debian/libxmlrpc-core-c3-dev.install +++ xmlrpc-c-1.06.27/debian/libxmlrpc-core-c3-dev.install 
@@ -0,0 +1,41 @@
+debian/tmp/usr/bin/xmlrpc-c-config
+debian/tmp/usr/include/xmlrpc.h
+debian/tmp/usr/include/xmlrpc_client.h
+debian/tmp/usr/include/xmlrpc_server.h
+debian/tmp/usr/include/xmlrpc_cgi.h
+debian/tmp/usr/include/xmlrpc_abyss.h
+debian/tmp/usr/include/XmlRpcCpp.h
+debian/tmp/usr/include/xmlrpc-c/config.h
+debian/tmp/usr/include/xmlrpc-c/util.h
+debian/tmp/usr/include/xmlrpc-c/base.h
+debian/tmp/usr/include/xmlrpc-c/abyss.h
+debian/tmp/usr/include/xmlrpc-c/oldxmlrpc.h
+debian/tmp/usr/include/xmlrpc-c/oldcppwrapper.hpp
+debian/tmp/usr/include/xmlrpc-c/girerr.hpp
+debian/tmp/usr/include/xmlrpc-c/girmem.hpp
+debian/tmp/usr/include/xmlrpc-c/base.hpp
+debian/tmp/usr/include/xmlrpc-c/timeout.hpp
+debian/tmp/usr/include/xmlrpc-c/xml.hpp
+debian/tmp/usr/include/xmlrpc-c/registry.hpp
+debian/tmp/usr/include/xmlrpc-c/server.h
+debian/tmp/usr/include/xmlrpc-c/client.h
+debian/tmp/usr/include/xmlrpc-c/transport.h
+debian/tmp/usr/include/xmlrpc-c/client_global.h
+debian/tmp/usr/include/xmlrpc-c/client.hpp
+debian/tmp/usr/include/xmlrpc-c/client_transport.hpp
+debian/tmp/usr/include/xmlrpc-c/client_simple.hpp
+debian/tmp/usr/lib/libxmlrpc.so
+debian/tmp/usr/lib/libxmlrpc_client.so
+debian/tmp/usr/lib/libxmlrpc_util.so
+debian/tmp/usr/lib/libxmlrpc_xmlparse.so
+debian/tmp/usr/lib/libxmlrpc_xmltok.so
+debian/tmp/usr/lib/libxmlrpc.a
+debian/tmp/usr/lib/libxmlrpc_client.a
+debian/tmp/usr/lib/libxmlrpc_util.a
+debian/tmp/usr/lib/libxmlrpc_xmlparse.a
+debian/tmp/usr/lib/libxmlrpc_xmltok.a
+debian/tmp/usr/lib/libxmlrpc.la
+debian/tmp/usr/lib/libxmlrpc_client.la
+debian/tmp/usr/lib/libxmlrpc_util.la
+debian/tmp/usr/lib/libxmlrpc_xmlparse.la
+debian/tmp/usr/lib/libxmlrpc_xmltok.la
--- xmlrpc-c-1.06.27.orig/debian/xml-rpc-api2cpp.install
+++ xmlrpc-c-1.06.27/debian/xml-rpc-api2cpp.install
@@ -0,0 +1,2 @@
+tools/xml-rpc-api2cpp/xml-rpc-api2cpp usr/bin
+
--- xmlrpc-c-1.06.27.orig/debian/libxmlrpc-c3-dev.examples
+++ xmlrpc-c-1.06.27/debian/libxmlrpc-c3-dev.examples
@@ -0,0 +1,4 @@
+examples/*.c
+examples/*.cc
+examples/Win32*
+conf
--- xmlrpc-c-1.06.27.orig/debian/libxmlrpc-c3.install
+++ xmlrpc-c-1.06.27/debian/libxmlrpc-c3.install
@@ -0,0 +1,9 @@
+debian/tmp/usr/lib/libxmlrpc++.so.*
+debian/tmp/usr/lib/libxmlrpc_abyss.so.*
+debian/tmp/usr/lib/libxmlrpc_client++.so.*
+debian/tmp/usr/lib/libxmlrpc_cpp.so.*
+debian/tmp/usr/lib/libxmlrpc_server++.so.*
+debian/tmp/usr/lib/libxmlrpc_server.so.*
+debian/tmp/usr/lib/libxmlrpc_server_abyss++.so.*
+debian/tmp/usr/lib/libxmlrpc_server_abyss.so.*
+debian/tmp/usr/lib/libxmlrpc_server_cgi.so.*
--- xmlrpc-c-1.06.27.orig/debian/libxmlrpc-core-c3.install
+++ xmlrpc-c-1.06.27/debian/libxmlrpc-core-c3.install
@@ -0,0 +1,5 @@
+debian/tmp/usr/lib/libxmlrpc.so.*
+debian/tmp/usr/lib/libxmlrpc_client.so.*
+debian/tmp/usr/lib/libxmlrpc_util.so.*
+debian/tmp/usr/lib/libxmlrpc_xmlparse.so.*
+debian/tmp/usr/lib/libxmlrpc_xmltok.so.*
--- xmlrpc-c-1.06.27.orig/debian/libxmlrpc-c3-dev.install
+++ xmlrpc-c-1.06.27/debian/libxmlrpc-c3-dev.install
@@ -0,0 +1,29 @@
+tools/xmlrpc/xmlrpc usr/bin
+tools/xmlrpc/xmlrpc.html usr/share/doc/libxmlrpc-c3-dev
+debian/tmp/usr/include/xmlrpc-c/server_cgi.h
+debian/tmp/usr/include/xmlrpc-c/server_abyss.hpp
+debian/tmp/usr/include/xmlrpc-c/server_abyss.h
+debian/tmp/usr/include/xmlrpc-c/server_w32httpsys.h
+debian/tmp/usr/include/xmlrpc_server_w32httpsys.h
+debian/tmp/usr/lib/libxmlrpc++.so
+debian/tmp/usr/lib/libxmlrpc_abyss.so
+debian/tmp/usr/lib/libxmlrpc_client++.so
+debian/tmp/usr/lib/libxmlrpc_cpp.so
+debian/tmp/usr/lib/libxmlrpc_server++.so
+debian/tmp/usr/lib/libxmlrpc_server.so
+debian/tmp/usr/lib/libxmlrpc_server_abyss++.so
+debian/tmp/usr/lib/libxmlrpc_server_abyss.so
+debian/tmp/usr/lib/libxmlrpc_server_cgi.so
+debian/tmp/usr/lib/libxmlrpc_abyss.la
+debian/tmp/usr/lib/libxmlrpc_server.la
+debian/tmp/usr/lib/libxmlrpc_server_abyss.la
+debian/tmp/usr/lib/libxmlrpc_server_cgi.la
+debian/tmp/usr/lib/libxmlrpc++.a
+debian/tmp/usr/lib/libxmlrpc_abyss.a
+debian/tmp/usr/lib/libxmlrpc_client++.a
+debian/tmp/usr/lib/libxmlrpc_cpp.a
+debian/tmp/usr/lib/libxmlrpc_server++.a
+debian/tmp/usr/lib/libxmlrpc_server.a
+debian/tmp/usr/lib/libxmlrpc_server_abyss++.a
+debian/tmp/usr/lib/libxmlrpc_server_abyss.a
+debian/tmp/usr/lib/libxmlrpc_server_cgi.a
--- xmlrpc-c-1.06.27.orig/debian/xml-rpc-api2cpp.manpages
+++ xmlrpc-c-1.06.27/debian/xml-rpc-api2cpp.manpages
@@ -0,0 +1 @@
+tools/xml-rpc-api2cpp/xml-rpc-api2cpp.1
--- xmlrpc-c-1.06.27.orig/debian/xml-rpc-api2txt.install
+++ xmlrpc-c-1.06.27/debian/xml-rpc-api2txt.install
@@ -0,0 +1,2 @@
+tools/xml-rpc-api2txt usr/bin/
+
--- xmlrpc-c-1.06.27.orig/debian/xml-rpc-api2txt.manpages
+++ xmlrpc-c-1.06.27/debian/xml-rpc-api2txt.manpages
@@ -0,0 +1 @@
+tools/xml-rpc-api2txt.1
--- xmlrpc-c-1.06.27.orig/debian/rules
+++ xmlrpc-c-1.06.27/debian/rules
@@ -0,0 +1,146 @@
+#!/usr/bin/make -f
+# Sample debian/rules that uses debhelper.
+# GNU copyright 1997 to 1999 by Joey Hess.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+
+
+# These are used for cross-compiling and for saving the configure script
+# from having to guess our platform (since we know it already)
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+
+ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+ confflags += --build $(DEB_BUILD_GNU_TYPE)
+else
+ confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+endif
+
+
+CFLAGS = -Wall -g
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+
+# upstream build doesn't honor CFLAGS but CFLAGS_PERSONAL
+CFLAGS_PERSONAL = $(CFLAGS)
+export CFLAGS_PERSONAL
+
+# include the patch/unpatch rules from quilt
+include /usr/share/quilt/quilt.make
+
+muckfiles:=config.sub config.guess
+
+config.status: configure $(QUILT_STAMPFN)
+ dh_testdir
+ # backup files that either we or upstream muck with
+ for f in $(muckfiles); do cp -a $$f $$f.orig; done
+ ln -sf /usr/share/misc/config.sub config.sub
+ ln -sf /usr/share/misc/config.guess config.guess
+ ./configure $(confflags) \
+ --prefix=/usr \
+ --disable-libwww-client \
+ --mandir=\$${prefix}/share/man \
+ --infodir=\$${prefix}/share/info
+
+
+build: build-arch-stamp build-indep-stamp
+
+build-arch: build-arch-stamp
+build-arch-stamp: config.status
+ dh_testdir
+ $(MAKE) CADD=-fPIC
+ $(MAKE) CADD=-fPIC check
+ touch build-arch-stamp
+
+build-indep: build-indep-stamp
+build-indep-stamp: config.status
+ dh_testdir
+ # nothing to build
+ touch build-indep-stamp
+
+clean: unpatch
+ dh_testdir
+ dh_testroot
+ rm -f build-arch-stamp build-indep-stamp
+ # Add here commands to clean up after the build process.
+ # xxx upstream build process still breaks on distclean...
+ [ ! -f Makefile ] || [ ! -f config.status ] || $(MAKE) distclean || true
+ # restore files mucked by us or upstream during build/clean
+ for f in $(muckfiles); do \
+ [ ! -e $$f.orig ] || ( rm -rf $$f; mv $$f.orig $$f ) ; \
+ done
+ dh_clean -X autom4te.cache
+
+#install: install-indep install-arch
+install: install-arch
+
+install-arch: build-arch
+ dh_testdir
+ dh_testroot
+ dh_clean -k -a $(addprefix -X,$(muckfiles))
+ dh_installdirs -a
+
+ $(MAKE) install DESTDIR=$(CURDIR)/debian/tmp
+
+ dh_install -a --list-missing
+ # plop in our lintian override file
+ mkdir -p debian/libxmlrpc-c3/usr/share/lintian/overrides/
+ cp debian/xmlrpc-c.lintian-overrides debian/libxmlrpc-c3/usr/share/lintian/overrides/libxmlrpc-c3
+
+install-indep: build-indep
+ dh_testdir
+ dh_testroot
+ dh_clean -k -i $(addprefix -X,$(muckfiles))
+ dh_installdirs -i
+ dh_install -i --list-missing
+
+
+# Common target for binary-indep/binary-arch. Must not depend on anything and
+# will get called by another 'make' thread.
+binary-common:
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+ dh_installman
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+ dh_makeshlibs
+ dh_shlibdeps
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+#binary: binary-indep binary-arch
+binary: binary-arch
+
+# Build architecture-independent files using the common target.
+binary-indep: install-indep
+ $(MAKE) -f debian/rules DH_OPTIONS=-i binary-common
+
+# Build architecture-dependent files using the common target.
+binary-arch: install-arch
+ $(MAKE) -f debian/rules DH_OPTIONS=-a binary-common
+
+.PHONY: build clean install install-indep install-arch install binary binary-common binary-indep binary-arch
--- xmlrpc-c-1.06.27.orig/debian/patches/CVE-2012-0876.patch
+++ xmlrpc-c-1.06.27/debian/patches/CVE-2012-0876.patch
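Review bot: In debian/rules, the `$(MAKE) CADD=-fPIC check` line of `build-arch-stamp` runs the test suite unconditionally, so `DEB_BUILD_OPTIONS=nocheck` is ignored. A cross build (the file passes `--host` when the build and host triplets differ) would also try to execute host binaries. Wrapping that one line in `ifeq (,$(findstring nocheck,$(DEB_BUILD_OPTIONS)))` and `endif`, mirroring the `noopt` test above it, keeps the tests on by default. In `config.status`, the loop `for f in $(muckfiles); do cp -a $$f $$f.orig; done` returns only the last iteration's status, so a failed backup of `config.sub` goes unnoticed before the `ln -sf` replaces it; `cp -a $$f $$f.orig || exit 1` would stop the build. `.PHONY` also names `install` twice and omits `build-arch` and `build-indep`.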
@@ -0,0 +1,556 @@ +Description: Prevent predictable hash collisions by using a random salt value + Backported from the upstream Expat sources to the embedded copy of Expat in + xmlrpc-c. +Origin: backport, http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?view=revision&revision=2391 +Index: xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.c +=================================================================== +--- xmlrpc-c-1.06.27.orig/lib/expat/xmlparse/xmlparse.c 2012-09-06 14:54:24.144075962 -0700 ++++ xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.c 2012-09-06 14:54:26.416075915 -0700 +@@ -16,6 +16,8 @@ + */ + + #include ++#include /* UINT_MAX */ ++#include /* time() */ + + #include "xmlrpc_config.h" + #include "c_util.h" +@@ -40,6 +42,8 @@ + typedef char ICHAR; + #endif + ++static ++int setContext(XML_Parser parser, const XML_Char *context); + + #ifndef XML_NS + +@@ -256,12 +260,15 @@ + static void normalizePublicId(XML_Char *s); + static int dtdInit(DTD *); + static void dtdDestroy(DTD *); +-static int dtdCopy(DTD *newDtd, const DTD *oldDtd); +-static int copyEntityTable(HASH_TABLE *, STRING_POOL *, const HASH_TABLE *); ++static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd); ++static int copyEntityTable(XML_Parser, HASH_TABLE *, STRING_POOL *, ++ const HASH_TABLE *); + #ifdef XML_DTD + static void dtdSwap(DTD *, DTD *); + #endif /* XML_DTD */ +-static NAMED *lookup(HASH_TABLE *table, KEY name, size_t createSize); ++static NAMED *lookup(XML_Parser parser, HASH_TABLE *table, KEY name, ++ size_t createSize); ++static int startParsing(XML_Parser parser); + static void hashTableInit(HASH_TABLE *); + static void hashTableDestroy(HASH_TABLE *); + static void hashTableIterInit(HASH_TABLE_ITER *, const HASH_TABLE *); +@@ -370,6 +377,7 @@ + enum XML_ParamEntityParsing m_paramEntityParsing; + XML_Parser m_parentParser; + #endif ++ unsigned long m_hash_secret_salt; + } Parser; + + #define userData (((Parser *)parser)->m_userData) +@@ -449,6 +457,7 @@ + 
#define parentParser (((Parser *)parser)->m_parentParser) + #define paramEntityParsing (((Parser *)parser)->m_paramEntityParsing) + #endif /* XML_DTD */ ++#define hash_secret_salt (((Parser *)parser)->m_hash_secret_salt) + + #ifdef _MSC_VER + #ifdef _DEBUG +@@ -527,6 +536,7 @@ + parentParser = 0; + paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER; + #endif ++ hash_secret_salt = 0; + ns = 0; + poolInit(&tempPool); + poolInit(&temp2Pool); +@@ -546,20 +556,6 @@ + XML_Parser + xmlrpc_XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) + { +- static +- const XML_Char implicitContext[] = { +- XML_T('x'), XML_T('m'), XML_T('l'), XML_T('='), +- XML_T('h'), XML_T('t'), XML_T('t'), XML_T('p'), XML_T(':'), +- XML_T('/'), XML_T('/'), XML_T('w'), XML_T('w'), XML_T('w'), +- XML_T('.'), XML_T('w'), XML_T('3'), +- XML_T('.'), XML_T('o'), XML_T('r'), XML_T('g'), +- XML_T('/'), XML_T('X'), XML_T('M'), XML_T('L'), +- XML_T('/'), XML_T('1'), XML_T('9'), XML_T('9'), XML_T('8'), +- XML_T('/'), XML_T('n'), XML_T('a'), XML_T('m'), XML_T('e'), +- XML_T('s'), XML_T('p'), XML_T('a'), XML_T('c'), XML_T('e'), +- XML_T('\0') +- }; +- + XML_Parser parser = xmlrpc_XML_ParserCreate(encodingName); + if (parser) { + XmlInitEncodingNS(&initEncoding, &encoding, 0); +@@ -567,10 +563,6 @@ + internalEncoding = XmlGetInternalEncodingNS(); + namespaceSeparator = nsSep; + } +- if (!setContext(parser, implicitContext)) { +- xmlrpc_XML_ParserFree(parser); +- return 0; +- } + return parser; + } + +@@ -618,6 +610,12 @@ + #ifdef XML_DTD + int oldParamEntityParsing = paramEntityParsing; + #endif ++ /* Note that the new parser shares the same hash secret as the old ++ parser, so that dtdCopy and copyEntityTable can lookup values ++ from hash tables associated with either parser without us having ++ to worry which hash secrets each table has. ++ */ ++ unsigned long oldhash_secret_salt = hash_secret_salt; + parser = (ns + ? 
xmlrpc_XML_ParserCreateNS(encodingName, namespaceSeparator) + : xmlrpc_XML_ParserCreate(encodingName)); +@@ -648,11 +646,12 @@ + if (oldExternalEntityRefHandlerArg != oldParser) + externalEntityRefHandlerArg = oldExternalEntityRefHandlerArg; + defaultExpandInternalEntities = oldDefaultExpandInternalEntities; ++ hash_secret_salt = oldhash_secret_salt; + #ifdef XML_DTD + paramEntityParsing = oldParamEntityParsing; + if (context) { + #endif /* XML_DTD */ +- if (!dtdCopy(&dtd, oldDtd) || !setContext(parser, context)) { ++ if (!dtdCopy(parser, &dtd, oldDtd) || !setContext(parser, context)) { + xmlrpc_XML_ParserFree(parser); + return 0; + } +@@ -929,6 +928,11 @@ + int + xmlrpc_XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) + { ++ if (!startParsing(parser)) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return 0; ++ } ++ + if (len == 0) { + if (!isFinal) + return 1; +@@ -990,6 +994,12 @@ + xmlrpc_XML_ParseBuffer(XML_Parser parser, int len, int isFinal) + { + const char *start = bufferPtr; ++ ++ if (!startParsing(parser)) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return 0; ++ } ++ + positionPtr = start; + bufferEnd += len; + parseEndByteIndex += len; +@@ -1323,7 +1333,7 @@ + next - enc->minBytesPerChar); + if (!name) + return XML_ERROR_NO_MEMORY; +- entity = (ENTITY *)lookup(&dtd.generalEntities, name, 0); ++ entity = (ENTITY *)lookup(parser, &dtd.generalEntities, name, 0); + poolDiscard(&dtd.pool); + if (!entity) { + if (dtd.complete || dtd.standalone) +@@ -1692,13 +1702,14 @@ + /* lookup the element type name */ + if (tagNamePtr) { + elementType = (ELEMENT_TYPE *) +- lookup(&dtd.elementTypes, tagNamePtr->str, 0); ++ lookup(parser, &dtd.elementTypes, tagNamePtr->str, 0); + if (!elementType) { + tagNamePtr->str = poolCopyString(&dtd.pool, tagNamePtr->str); + if (!tagNamePtr->str) + return XML_ERROR_NO_MEMORY; + elementType = (ELEMENT_TYPE *) +- lookup(&dtd.elementTypes, tagNamePtr->str, sizeof(ELEMENT_TYPE)); ++ lookup(parser, &dtd.elementTypes, 
tagNamePtr->str, ++ sizeof(ELEMENT_TYPE)); + if (!elementType) + return XML_ERROR_NO_MEMORY; + if (ns && !setElementTypePrefix(parser, elementType)) +@@ -1833,7 +1844,7 @@ + if (appAtts[i][-1] == 2) { + ATTRIBUTE_ID *id; + ((XML_Char *)(appAtts[i]))[-1] = 0; +- id = (ATTRIBUTE_ID *)lookup(&dtd.attributeIds, appAtts[i], 0); ++ id = (ATTRIBUTE_ID *)lookup(parser, &dtd.attributeIds, appAtts[i], 0); + if (id->prefix->binding) { + int j; + const BINDING *b = id->prefix->binding; +@@ -2383,7 +2394,7 @@ + #endif /* XML_DTD */ + case XML_ROLE_DOCTYPE_PUBLIC_ID: + #ifdef XML_DTD +- declEntity = (ENTITY *)lookup(&dtd.paramEntities, ++ declEntity = (ENTITY *)lookup(parser, &dtd.paramEntities, + externalSubsetName, + sizeof(ENTITY)); + if (!declEntity) +@@ -2410,7 +2421,7 @@ + dtd.complete = 0; + #ifdef XML_DTD + if (paramEntityParsing && externalEntityRefHandler) { +- ENTITY *entity = (ENTITY *)lookup(&dtd.paramEntities, ++ ENTITY *entity = (ENTITY *)lookup(parser, &dtd.paramEntities, + externalSubsetName, + 0); + if (!externalEntityRefHandler(externalEntityRefHandlerArg, +@@ -2439,7 +2450,7 @@ + if (!name) + return XML_ERROR_NO_MEMORY; + declElementType = (ELEMENT_TYPE *) +- lookup(&dtd.elementTypes, name, sizeof(ELEMENT_TYPE)); ++ lookup(parser, &dtd.elementTypes, name, sizeof(ELEMENT_TYPE)); + if (!declElementType) + return XML_ERROR_NO_MEMORY; + if (declElementType->name != name) +@@ -2503,7 +2514,8 @@ + poolFinish(&dtd.pool); + if (internalParsedEntityDeclHandler + /* Check it's not a parameter entity */ +- && ((ENTITY *)lookup(&dtd.generalEntities, declEntity->name, 0) ++ && ((ENTITY *)lookup(parser, &dtd.generalEntities, ++ declEntity->name, 0) + == declEntity)) { + *eventEndPP = s; + internalParsedEntityDeclHandler(handlerArg, +@@ -2531,7 +2543,7 @@ + break; + #else /* XML_DTD */ + if (!declEntity) { +- declEntity = (ENTITY *)lookup(&dtd.paramEntities, ++ declEntity = (ENTITY *)lookup(parser, &dtd.paramEntities, + externalSubsetName, + sizeof(ENTITY)); + if 
(!declEntity) +@@ -2590,7 +2602,7 @@ + return XML_ERROR_NO_MEMORY; + if (dtd.complete) { + declEntity = (ENTITY *) +- lookup(&dtd.generalEntities, name, sizeof(ENTITY)); ++ lookup(parser, &dtd.generalEntities, name, sizeof(ENTITY)); + if (!declEntity) + return XML_ERROR_NO_MEMORY; + if (declEntity->name != name) { +@@ -2613,7 +2625,7 @@ + if (!name) + return XML_ERROR_NO_MEMORY; + declEntity = (ENTITY *) +- lookup(&dtd.paramEntities, name, sizeof(ENTITY)); ++ lookup(parser, &dtd.paramEntities, name, sizeof(ENTITY)); + if (!declEntity) + return XML_ERROR_NO_MEMORY; + if (declEntity->name != name) { +@@ -2736,7 +2748,7 @@ + next - enc->minBytesPerChar); + if (!name) + return XML_ERROR_NO_MEMORY; +- entity = (ENTITY *)lookup(&dtd.paramEntities, name, 0); ++ entity = (ENTITY *)lookup(parser, &dtd.paramEntities, name, 0); + poolDiscard(&dtd.pool); + if (!entity) { + /* FIXME what to do if !dtd.complete? */ +@@ -3004,7 +3016,7 @@ + next - enc->minBytesPerChar); + if (!name) + return XML_ERROR_NO_MEMORY; +- entity = (ENTITY *)lookup(&dtd.generalEntities, name, 0); ++ entity = (ENTITY *)lookup(parser, &dtd.generalEntities, name, 0); + poolDiscard(&temp2Pool); + if (!entity) { + if (dtd.complete) { +@@ -3071,7 +3083,7 @@ + next - enc->minBytesPerChar); + if (!name) + return XML_ERROR_NO_MEMORY; +- entity = (ENTITY *)lookup(&dtd.paramEntities, name, 0); ++ entity = (ENTITY *)lookup(parser, &dtd.paramEntities, name, 0); + poolDiscard(&tempPool); + if (!entity) { + if (enc == encoding) +@@ -3320,7 +3332,7 @@ + if (!poolAppendChar(&dtd.pool, XML_T('\0'))) + return 0; + prefix = (PREFIX *) +- lookup(&dtd.prefixes, poolStart(&dtd.pool), sizeof(PREFIX)); ++ lookup(parser, &dtd.prefixes, poolStart(&dtd.pool), sizeof(PREFIX)); + if (!prefix) + return 0; + if (prefix->name == poolStart(&dtd.pool)) +@@ -3348,7 +3360,8 @@ + if (!name) + return 0; + ++name; +- id = (ATTRIBUTE_ID *)lookup(&dtd.attributeIds, name, sizeof(ATTRIBUTE_ID)); ++ id = (ATTRIBUTE_ID *)lookup(parser, 
&dtd.attributeIds, name, ++ sizeof(ATTRIBUTE_ID)); + if (!id) + return 0; + if (id->name != name) +@@ -3366,7 +3379,8 @@ + if (name[5] == '\0') + id->prefix = &dtd.defaultPrefix; + else +- id->prefix = (PREFIX *)lookup(&dtd.prefixes, name + 6, sizeof(PREFIX)); ++ id->prefix = (PREFIX *)lookup(parser, &dtd.prefixes, name + 6, ++ sizeof(PREFIX)); + id->xmlns = 1; + } + else { +@@ -3381,7 +3395,8 @@ + if (!poolAppendChar(&dtd.pool, XML_T('\0'))) + return 0; + id->prefix = (PREFIX *) +- lookup(&dtd.prefixes, poolStart(&dtd.pool), sizeof(PREFIX)); ++ lookup(parser, &dtd.prefixes, poolStart(&dtd.pool), ++ sizeof(PREFIX)); + if (id->prefix->name == poolStart(&dtd.pool)) + poolFinish(&dtd.pool); + else +@@ -3474,7 +3489,8 @@ + ENTITY *e; + if (!poolAppendChar(&tempPool, XML_T('\0'))) + return 0; +- e = (ENTITY *)lookup(&dtd.generalEntities, poolStart(&tempPool), 0); ++ e = (ENTITY *)lookup(parser, &dtd.generalEntities, poolStart(&tempPool), ++ 0); + if (e) + e->open = 1; + if (*s != XML_T('\0')) +@@ -3490,7 +3506,7 @@ + if (!poolAppendChar(&tempPool, XML_T('\0'))) + return 0; + prefix = (PREFIX *) +- lookup(&dtd.prefixes, poolStart(&tempPool), sizeof(PREFIX)); ++ lookup(parser, &dtd.prefixes, poolStart(&tempPool), sizeof(PREFIX)); + if (!prefix) + return 0; + if (prefix->name == poolStart(&tempPool)) { +@@ -3600,7 +3616,7 @@ + /* Do a deep copy of the DTD. Return 0 for out of memory; non-zero otherwise. + The new DTD has already been initialized. 
*/ + +-static int dtdCopy(DTD *newDtd, const DTD *oldDtd) ++static int dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd) + { + HASH_TABLE_ITER iter; + +@@ -3615,7 +3631,7 @@ + name = poolCopyString(&(newDtd->pool), oldP->name); + if (!name) + return 0; +- if (!lookup(&(newDtd->prefixes), name, sizeof(PREFIX))) ++ if (!lookup(oldParser, &(newDtd->prefixes), name, sizeof(PREFIX))) + return 0; + } + +@@ -3638,7 +3654,7 @@ + return 0; + ++name; + newA = (ATTRIBUTE_ID *) +- lookup(&(newDtd->attributeIds), name, sizeof(ATTRIBUTE_ID)); ++ lookup(oldParser, &(newDtd->attributeIds), name, sizeof(ATTRIBUTE_ID)); + if (!newA) + return 0; + newA->maybeTokenized = oldA->maybeTokenized; +@@ -3648,7 +3664,7 @@ + newA->prefix = &newDtd->defaultPrefix; + else + newA->prefix = (PREFIX *) +- lookup(&(newDtd->prefixes), oldA->prefix->name, 0); ++ lookup(oldParser, &(newDtd->prefixes), oldA->prefix->name, 0); + } + } + +@@ -3667,7 +3683,7 @@ + if (!name) + return 0; + newE = (ELEMENT_TYPE *) +- lookup(&(newDtd->elementTypes), name, sizeof(ELEMENT_TYPE)); ++ lookup(oldParser, &(newDtd->elementTypes), name, sizeof(ELEMENT_TYPE)); + if (!newE) + return 0; + if (oldE->nDefaultAtts) { +@@ -3678,14 +3694,15 @@ + } + if (oldE->idAtt) + newE->idAtt = (ATTRIBUTE_ID *) +- lookup(&(newDtd->attributeIds), oldE->idAtt->name, 0); ++ lookup(oldParser, &(newDtd->attributeIds), oldE->idAtt->name, 0); + newE->allocDefaultAtts = newE->nDefaultAtts = oldE->nDefaultAtts; + if (oldE->prefix) + newE->prefix = (PREFIX *) +- lookup(&(newDtd->prefixes), oldE->prefix->name, 0); ++ lookup(oldParser, &(newDtd->prefixes), oldE->prefix->name, 0); + for (i = 0; i < newE->nDefaultAtts; i++) { + newE->defaultAtts[i].id = (ATTRIBUTE_ID *) +- lookup(&(newDtd->attributeIds), oldE->defaultAtts[i].id->name, 0); ++ lookup(oldParser, &(newDtd->attributeIds), ++ oldE->defaultAtts[i].id->name, 0); + newE->defaultAtts[i].isCdata = oldE->defaultAtts[i].isCdata; + if (oldE->defaultAtts[i].value) { + 
newE->defaultAtts[i].value = +@@ -3699,13 +3716,13 @@ + } + + /* Copy the entity tables. */ +- if (!copyEntityTable(&(newDtd->generalEntities), ++ if (!copyEntityTable(oldParser, &(newDtd->generalEntities), + &(newDtd->pool), + &(oldDtd->generalEntities))) + return 0; + + #ifdef XML_DTD +- if (!copyEntityTable(&(newDtd->paramEntities), ++ if (!copyEntityTable(oldParser, &(newDtd->paramEntities), + &(newDtd->pool), + &(oldDtd->paramEntities))) + return 0; +@@ -3716,7 +3733,8 @@ + return 1; + } + +-static int copyEntityTable(HASH_TABLE *newTable, ++static int copyEntityTable(XML_Parser oldParser, ++ HASH_TABLE *newTable, + STRING_POOL *newPool, + const HASH_TABLE *oldTable) + { +@@ -3735,7 +3753,7 @@ + name = poolCopyString(newPool, oldE->name); + if (!name) + return 0; +- newE = (ENTITY *)lookup(newTable, name, sizeof(ENTITY)); ++ newE = (ENTITY *)lookup(oldParser, newTable, name, sizeof(ENTITY)); + if (!newE) + return 0; + if (oldE->systemId) { +@@ -3773,6 +3791,44 @@ + return 1; + } + ++static unsigned long ++generate_hash_secret_salt(void) ++{ ++ unsigned int seed = time(NULL) % UINT_MAX; ++ srand(seed); ++ return rand(); ++} ++ ++static int ++startParsing(XML_Parser parser) ++{ ++ static ++ const XML_Char implicitContext[] = { ++ XML_T('x'), XML_T('m'), XML_T('l'), XML_T('='), ++ XML_T('h'), XML_T('t'), XML_T('t'), XML_T('p'), XML_T(':'), ++ XML_T('/'), XML_T('/'), XML_T('w'), XML_T('w'), XML_T('w'), ++ XML_T('.'), XML_T('w'), XML_T('3'), ++ XML_T('.'), XML_T('o'), XML_T('r'), XML_T('g'), ++ XML_T('/'), XML_T('X'), XML_T('M'), XML_T('L'), ++ XML_T('/'), XML_T('1'), XML_T('9'), XML_T('9'), XML_T('8'), ++ XML_T('/'), XML_T('n'), XML_T('a'), XML_T('m'), XML_T('e'), ++ XML_T('s'), XML_T('p'), XML_T('a'), XML_T('c'), XML_T('e'), ++ XML_T('\0') ++ }; ++ ++#ifdef XML_DTD ++ if (parentParser != NULL) ++ return 1; ++#endif ++ ++ /* hash functions must be initialized before setContext() is called */ ++ if (hash_secret_salt == 0) ++ hash_secret_salt = 
generate_hash_secret_salt(); ++ if (parser) ++ return setContext(parser, implicitContext); ++ return 0; ++} ++ + #define INIT_SIZE 64 + + static +@@ -3785,16 +3841,16 @@ + } + + static +-unsigned long hash(KEY s) ++unsigned long hash(XML_Parser parser, KEY s) + { +- unsigned long h = 0; ++ unsigned long h = hash_secret_salt; + while (*s) + h = (h << 5) + h + (unsigned char)*s++; + return h; + } + + static +-NAMED *lookup(HASH_TABLE *table, KEY name, size_t createSize) ++NAMED *lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) + { + size_t i; + if (table->size == 0) { +@@ -3805,10 +3861,10 @@ + return 0; + table->size = INIT_SIZE; + table->usedLim = INIT_SIZE / 2; +- i = hash(name) & (table->size - 1); ++ i = hash(parser, name) & (table->size - 1); + } + else { +- unsigned long h = hash(name); ++ unsigned long h = hash(parser, name); + for (i = h & (table->size - 1); + table->v[i]; + i == 0 ? i = table->size - 1 : --i) { +@@ -3826,7 +3882,7 @@ + for (i = 0; i < table->size; i++) + if (table->v[i]) { + size_t j; +- for (j = hash(table->v[i]->name) & (newSize - 1); ++ for (j = hash(parser, table->v[i]->name) & (newSize - 1); + newV[j]; + j == 0 ? j = newSize - 1 : --j) + ; +@@ -3890,6 +3946,13 @@ + return 0; + } + ++int ++XML_SetHashSalt(XML_Parser parser, ++ unsigned long hash_salt) ++{ ++ hash_secret_salt = hash_salt; ++ return 1; ++} + + static + void poolInit(STRING_POOL *pool) +Index: xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.h +=================================================================== +--- xmlrpc-c-1.06.27.orig/lib/expat/xmlparse/xmlparse.h 2012-08-29 11:55:00.777227617 -0700 ++++ xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.h 2012-09-06 14:54:35.064075737 -0700 +@@ -477,6 +477,14 @@ + xmlrpc_XML_SetParamEntityParsing(XML_Parser parser, + enum XML_ParamEntityParsing parsing); + ++/* Sets the hash salt to use for internal hash calculations. ++ Helps in preventing DoS attacks based on predicting hash ++ function behavior. 
This must be called before parsing is started. ++ Returns 1 if successful, 0 when called after parsing has started. ++*/ ++int ++XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt); ++ + enum XML_Error { + XML_ERROR_NONE, + XML_ERROR_NO_MEMORY, --- xmlrpc-c-1.06.27.orig/debian/patches/FTBFS-tests.patch +++ xmlrpc-c-1.06.27/debian/patches/FTBFS-tests.patch 
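Review bot: The salt that `generate_hash_secret_salt()` produces is `rand()` seeded from `time(NULL)`, so anyone who can estimate when the parser started can enumerate the candidate salts, and the `srand()` call also resets the process-wide PRNG state of the host application. The salt should come from an OS entropy source, with the clock only as a last resort and without touching `srand()`, as sketched below (it needs `<stdio.h>`, and a non-POSIX build would need its own source). Separately, `startParsing()` runs on every `xmlrpc_XML_Parse()`/`xmlrpc_XML_ParseBuffer()` call and re-runs `setContext()` with the implicit context each time, for non-namespace parsers as well, where the removed code did it once in `xmlrpc_XML_ParserCreateNS()`; `setContext()` is not shown here, so whether bindings accumulate on chunked input should be checked. `XML_SetHashSalt()` always returns 1, although the header comment promises 0 once parsing has started.

```c
static unsigned long
generate_hash_secret_salt(void)
{
  unsigned long salt = 0;
  FILE *f = fopen("/dev/urandom", "rb");

  if (f) {
    if (fread(&salt, sizeof(salt), 1, f) != 1)
      salt = 0;
    fclose(f);
  }
  /* 0 means "not yet chosen" in startParsing(), so never return it;
     the clock is only a fallback and the global rand() state is left alone */
  if (salt == 0)
    salt = (unsigned long)time(NULL) | 1UL;
  return salt;
}
```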
@@ -0,0 +1,76 @@ +Description: Fix issues when running make check + Fixes FTBFS issues from missing #include's. Also fixes bad test cases so that + make check can be used successfully. +Origin: backport, http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?revision=1630&view=revision +Origin: upstream, http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?revision=1564&view=revision +Origin: upstream, http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?revision=784&view=revision +Index: xmlrpc-c-1.06.27/src/cpp/test/test.cpp +=================================================================== +--- xmlrpc-c-1.06.27.orig/src/cpp/test/test.cpp 2012-09-06 16:12:40.139979593 -0700 ++++ xmlrpc-c-1.06.27/src/cpp/test/test.cpp 2012-09-07 10:28:25.593424135 -0700 +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + #include + + #include "xmlrpc-c/girerr.hpp" +Index: xmlrpc-c-1.06.27/src/cpp/test/server_abyss.cpp +=================================================================== +--- xmlrpc-c-1.06.27.orig/src/cpp/test/server_abyss.cpp 2012-09-06 16:12:40.139979593 -0700 ++++ xmlrpc-c-1.06.27/src/cpp/test/server_abyss.cpp 2012-09-07 10:26:12.241426871 -0700 +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + + #include "xmlrpc-c/girerr.hpp" +Index: xmlrpc-c-1.06.27/src/cpp/test/testclient.cpp +=================================================================== +--- xmlrpc-c-1.06.27.orig/src/cpp/test/testclient.cpp 2012-09-06 16:12:40.139979593 -0700 ++++ xmlrpc-c-1.06.27/src/cpp/test/testclient.cpp 2012-09-07 10:25:22.425427893 -0700 +@@ -33,7 +33,7 @@ + class sampleAddMethod : public method { + public: + sampleAddMethod() { +- this->_signature = "ii"; ++ this->_signature = "i:ii"; + this->_help = "This method adds two integers together"; + } + void +@@ -438,12 +438,28 @@ + + rpcPtr rpc2P("blowme", paramList0); + +- // This fails because the server doesn't exist +- EXPECT_ERROR(rpc2P->start(&client0, &carriageParmCurl);); ++ // This RPC fails 
to execute because the server doesn't exist, ++ // But libcurl "starts" it just fine. ++ rpc2P->start(&client0, &carriageParmCurl); ++ ++ transportc0.finishAsync(5000); ++ ++ TEST(rpc2P->isFinished()); ++ ++ TEST(!rpc2P->isSuccessful()); ++ ++ // Because the RPC did not return an XML-RPC failure (because the ++ // server doesn't exist), this throws: ++ EXPECT_ERROR(rpc2P->getFault();); + + rpcPtr rpc3P("blowme", paramList0); +- // This fails because the server doesn't exist +- EXPECT_ERROR(rpc3P->start(connection0);); ++ // This RPC fails to execute because the server doesn't exist ++ rpc3P->start(connection0); ++ ++ transportc0.finishAsync(5000); ++ TEST(rpc2P->isFinished()); ++ TEST(!rpc2P->isSuccessful()); ++ + #else + // This fails because there is no Curl transport in the library. + EXPECT_ERROR(clientXmlTransport_curl transportc0;); --- xmlrpc-c-1.06.27.orig/debian/patches/other-gnu-triplets.patch +++ xmlrpc-c-1.06.27/debian/patches/other-gnu-triplets.patch @@ -0,0 +1,14 @@ +Fixed FTBFS on lpia by supporting its i686-linux-gnulp triplet + +--- a/Makefile.config.in ++++ b/Makefile.config.in +@@ -136,7 +136,8 @@ + # out how. For the rest, we have this default: + SHARED_LIB_TYPE = NONE + +-ifeq ($(HOST_OS),linux-gnu) ++# linux-gnu, linux-gnueabi and linux-gnulp ++ifneq ($(filter linux-gnu linux-gnueabi linux-gnulp, $(HOST_OS)),) + # Assume linker is GNU Compiler (gcc) + SHARED_LIB_TYPE = unix + SHLIB_SUFFIX = so --- xmlrpc-c-1.06.27.orig/debian/patches/series +++ xmlrpc-c-1.06.27/debian/patches/series @@ -0,0 +1,8 @@ +old-libtool.patch +curl_easy_setopt.patch +other-gnu-triplets.patch +CVE-2009-3720.patch +CVE-2009-3560.patch +FTBFS-tests.patch +CVE-2012-0876.patch +CVE-2012-1148.patch --- xmlrpc-c-1.06.27.orig/debian/patches/CVE-2012-1148.patch +++ xmlrpc-c-1.06.27/debian/patches/CVE-2012-1148.patch 
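Review bot: The assertions added after `rpc3P->start(connection0);` test `rpc2P` again, so the outcome of `rpc3P` is never checked and this part of the test passes whatever that RPC does. They should read `TEST(rpc3P->isFinished());` and `TEST(!rpc3P->isSuccessful());`. Whether `transportc0` is the transport behind `connection0` cannot be seen in this hunk; if it is not, the `transportc0.finishAsync(5000)` wait does not cover `rpc3P` either.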
@@ -0,0 +1,147 @@ +Description: Don't leak memory when realloc() returns NULL + Backported from the upstream Expat sources to the embedded copy of Expat in + xmlrpc-c. +Origin: backport, http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?view=revision&revision=2393 +Index: xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.c +=================================================================== +--- xmlrpc-c-1.06.27.orig/lib/expat/xmlparse/xmlparse.c 2012-08-29 01:07:09.907092848 -0700 ++++ xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.c 2012-08-29 01:07:14.851092966 -0700 +@@ -967,15 +967,16 @@ + nLeftOver = s + len - end; + if (nLeftOver) { + if (buffer == 0 || nLeftOver > bufferLim - buffer) { ++ char *temp; + /* FIXME avoid integer overflow */ +- buffer = buffer == 0 ? malloc(len * 2) : realloc(buffer, len * 2); +- /* FIXME storage leak if realloc fails */ +- if (!buffer) { ++ temp = buffer == 0 ? malloc(len * 2) : realloc(buffer, len * 2); ++ if (!temp) { + errorCode = XML_ERROR_NO_MEMORY; + eventPtr = eventEndPtr = 0; + processor = errorProcessor; + return 0; + } ++ buffer = temp; + bufferLim = buffer + len * 2; + } + memcpy(buffer, end, nLeftOver); +@@ -1424,11 +1425,13 @@ + /* Need to guarantee that: + tag->buf + ROUND_UP(tag->rawNameLength, sizeof(XML_Char)) <= tag->bufEnd - sizeof(XML_Char) */ + if (tag->rawNameLength + (int)(sizeof(XML_Char) - 1) + (int)sizeof(XML_Char) > tag->bufEnd - tag->buf) { ++ char *temp; + int bufSize = tag->rawNameLength * 4; + bufSize = ROUND_UP(bufSize, sizeof(XML_Char)); +- tag->buf = realloc(tag->buf, bufSize); +- if (!tag->buf) ++ temp = realloc(tag->buf, bufSize); ++ if (!temp) + return XML_ERROR_NO_MEMORY; ++ tag->buf = temp; + tag->bufEnd = tag->buf + bufSize; + } + memcpy(tag->buf, tag->rawName, tag->rawNameLength); +@@ -1441,6 +1444,7 @@ + for (;;) { + const char *rawNameEnd = tag->rawName + tag->rawNameLength; + const char *fromPtr = tag->rawName; ++ char *temp; + int bufSize; + if (nextPtr) + toPtr = (XML_Char *)(tag->buf + 
ROUND_UP(tag->rawNameLength, sizeof(XML_Char))); +@@ -1453,9 +1457,10 @@ + if (fromPtr == rawNameEnd) + break; + bufSize = (tag->bufEnd - tag->buf) << 1; +- tag->buf = realloc(tag->buf, bufSize); +- if (!tag->buf) ++ temp = realloc(tag->buf, bufSize); ++ if (!temp) + return XML_ERROR_NO_MEMORY; ++ tag->buf = temp; + tag->bufEnd = tag->buf + bufSize; + if (nextPtr) + tag->rawName = tag->buf; +@@ -1721,10 +1726,12 @@ + n = XmlGetAttributes(enc, attStr, attsSize, atts); + if (n + nDefaultAtts > attsSize) { + int oldAttsSize = attsSize; ++ ATTRIBUTE *temp; + attsSize = n + nDefaultAtts + INIT_ATTS_SIZE; +- atts = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE)); +- if (!atts) ++ temp = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE)); ++ if (!temp) + return XML_ERROR_NO_MEMORY; ++ atts = temp; + if (n > oldAttsSize) + XmlGetAttributes(enc, attStr, n, atts); + } +@@ -1930,9 +1937,10 @@ + if (freeBindingList) { + b = freeBindingList; + if (len > b->uriAlloc) { +- b->uri = realloc(b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE)); +- if (!b->uri) ++ XML_Char *temp = realloc(b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE)); ++ if (!temp) + return 0; ++ b->uri = temp; + b->uriAlloc = len + EXPAND_SPARE; + } + freeBindingList = b->nextTagBinding; +@@ -2717,12 +2725,16 @@ + #endif /* XML_DTD */ + case XML_ROLE_GROUP_OPEN: + if (prologState.level >= groupSize) { +- if (groupSize) +- groupConnector = realloc(groupConnector, groupSize *= 2); +- else ++ if (groupSize) { ++ char *temp = realloc(groupConnector, groupSize *= 2); ++ if (!temp) ++ return XML_ERROR_NO_MEMORY; ++ groupConnector = temp; ++ } else { + groupConnector = malloc(groupSize = 32); +- if (!groupConnector) +- return XML_ERROR_NO_MEMORY; ++ if (!groupConnector) ++ return XML_ERROR_NO_MEMORY; ++ } + } + groupConnector[prologState.level] = 0; + break; +@@ -3300,10 +3312,13 @@ + malloc(type->allocDefaultAtts*sizeof(DEFAULT_ATTRIBUTE)); + } + else { ++ DEFAULT_ATTRIBUTE *temp; + type->allocDefaultAtts *= 2; +- 
type->defaultAtts = +- realloc(type->defaultAtts, +- type->allocDefaultAtts*sizeof(DEFAULT_ATTRIBUTE)); ++ temp = realloc(type->defaultAtts, ++ type->allocDefaultAtts*sizeof(DEFAULT_ATTRIBUTE)); ++ if (!temp) ++ return 0; ++ type->defaultAtts = temp; + } + if (!type->defaultAtts) + return 0; +@@ -4090,10 +4105,11 @@ + } + if (pool->blocks && pool->start == pool->blocks->s) { + int blockSize = (pool->end - pool->start)*2; +- pool->blocks = realloc(pool->blocks, offsetof(BLOCK, s) + +- blockSize * sizeof(XML_Char)); +- if (!pool->blocks) ++ BLOCK *temp = realloc(pool->blocks, offsetof(BLOCK, s) + ++ blockSize * sizeof(XML_Char)); ++ if (!temp) + return 0; ++ pool->blocks = temp; + pool->blocks->size = blockSize; + pool->ptr = pool->blocks->s + (pool->ptr - pool->start); + pool->start = pool->blocks->s; --- xmlrpc-c-1.06.27.orig/debian/patches/CVE-2009-3560.patch +++ xmlrpc-c-1.06.27/debian/patches/CVE-2009-3560.patch @@ -0,0 +1,19 @@ +Description: DoS via XML document with malformed UTF-8 sequences + (CVE_2009_3560) +Origin: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166 + http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.166 + http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.165 + +diff -Nur xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.c xmlrpc-c-1.06.27.new/lib/expat/xmlparse/xmlparse.c +--- xmlrpc-c-1.06.27/lib/expat/xmlparse/xmlparse.c 2007-01-10 19:08:53.000000000 -0600 ++++ xmlrpc-c-1.06.27.new/lib/expat/xmlparse/xmlparse.c 2010-01-26 12:56:33.885170530 -0600 +@@ -2330,6 +2330,9 @@ + return XML_ERROR_UNCLOSED_TOKEN; + case XML_TOK_PARTIAL_CHAR: + return XML_ERROR_PARTIAL_CHAR; ++ case -XML_TOK_PROLOG_S: ++ tok = -tok; ++ break; + case XML_TOK_NONE: + #ifdef XML_DTD + if (enc != encoding) --- xmlrpc-c-1.06.27.orig/debian/patches/curl_easy_setopt.patch +++ xmlrpc-c-1.06.27/debian/patches/curl_easy_setopt.patch 
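Review bot: Three of the rewritten reallocation sites update the size counter before the allocation is known to have succeeded: `groupSize *= 2` inside the `realloc()` argument in the `XML_ROLE_GROUP_OPEN` case, `type->allocDefaultAtts *= 2` in the default-attribute hunk, and `attsSize = n + nDefaultAtts + INIT_ATTS_SIZE` in the hunk at -1721. On the new failure path the old buffer is kept, as intended, but the counter then describes a buffer larger than the one that exists, so any later use of the same parser or element type could index past the allocation. Restore or defer the counter on failure, for example `if (!temp) { groupSize /= 2; return XML_ERROR_NO_MEMORY; }` and `if (!temp) { attsSize = oldAttsSize; return XML_ERROR_NO_MEMORY; }`, and double `allocDefaultAtts` only after `temp` has been checked. The `/* FIXME avoid integer overflow */` on `len * 2` is left unresolved, and the enclosing functions start and end outside these hunks.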
@@ -0,0 +1,13 @@
+Index: xmlrpc-c/lib/curl_transport/xmlrpc_curl_transport.c
+===================================================================
+--- xmlrpc-c.orig/lib/curl_transport/xmlrpc_curl_transport.c
++++ xmlrpc-c/lib/curl_transport/xmlrpc_curl_transport.c
+@@ -1214,7 +1214,7 @@ setupCurlSession(xmlrpc_env *
+ curl_easy_setopt(curlSessionP, CURLOPT_SSLENGINE,
+ curlSetupP->sslEngine);
+ if (curlSetupP->sslEngineDefault)
+- curl_easy_setopt(curlSessionP, CURLOPT_SSLENGINE_DEFAULT);
++ curl_easy_setopt(curlSessionP, CURLOPT_SSLENGINE_DEFAULT, 1);
+ if (curlSetupP->sslVersion != XMLRPC_SSLVERSION_DEFAULT)
+ curl_easy_setopt(curlSessionP, CURLOPT_SSLVERSION,
+ curlSetupP->sslVersion);
--- xmlrpc-c-1.06.27.orig/debian/patches/old-libtool.patch
+++ xmlrpc-c-1.06.27/debian/patches/old-libtool.patch
@@ -0,0 +1,13 @@
+Index: xmlrpc-c/ltconfig
+===================================================================
+--- xmlrpc-c.orig/ltconfig
++++ xmlrpc-c/ltconfig
+@@ -1957,7 +1957,7 @@
+ ;;
+
+ # This must be Linux ELF.
+-linux-gnu*)
++linux-gnu*|k*bsd*-gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
--- xmlrpc-c-1.06.27.orig/debian/patches/CVE-2009-3720.patch
+++ xmlrpc-c-1.06.27/debian/patches/CVE-2009-3720.patch
@@ -0,0 +1,15 @@
+Description: DoS via malformed XML (CVE-2009-3720)
+Origin: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13
+
+diff -Nur xmlrpc-c-1.06.27/lib/expat/xmltok/xmltok_impl.c xmlrpc-c-1.06.27.new/lib/expat/xmltok/xmltok_impl.c
+--- xmlrpc-c-1.06.27/lib/expat/xmltok/xmltok_impl.c 2006-07-11 21:00:38.000000000 -0500
++++ xmlrpc-c-1.06.27.new/lib/expat/xmltok/xmltok_impl.c 2010-01-26 12:55:26.395172892 -0600
+@@ -1737,7 +1737,7 @@
+ const char *end,
+ POSITION *pos)
+ {
+- while (ptr != end) {
++ while (ptr < end) {
+ switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+ case BT_LEAD ## n: \
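Review bot: `CURLOPT_SSLENGINE_DEFAULT` is a long-valued option and `curl_easy_setopt()` is variadic, so the added argument should be `1L` rather than the int `1`: `curl_easy_setopt(curlSessionP, CURLOPT_SSLENGINE_DEFAULT, 1L);`. The return values of this call and of the `CURLOPT_SSLENGINE` call above it are ignored, so a session whose requested engine could not be selected appears to carry on with whatever libcurl uses by default; checking for `CURLE_OK` and failing the setup would make that visible. `setupCurlSession()` begins and ends outside the hunk.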