Your message dated Mon, 19 May 2025 14:52:10 +0000
with message-id <e1uh1qc-002isv...@respighi.debian.org>
and subject line unblock xmlrpc-c
has caused the Debian Bug report #1105769,
regarding unblock: xmlrpc-c/1.59.03-10
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1105769: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: xmlrp...@packages.debian.org, Guillem Jover <gjo...@sipwise.com>
Control: affects -1 + src:xmlrpc-c
User: release.debian....@packages.debian.org
Usertags: unblock
This is a pre-approval request.
----
Please unblock package xmlrpc-c
The Security Team discovered a latent vulnerability:
"xmlrpc-c: bundles a (very old and) vulnerable copy of libexpat"
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102554
This needed extensive patching to get this right.
[ Reason ]
xmlrpc-c/1.59.03-10 fixes the FTBFS of the reverse dependencies
which for some other reasons end up depending on 'pkgconf'
[ Impact ]
That is not exactly clear to me, but I'm the one _learning_
from all my previous & current interactions with Guillem;
so I trust his judgement.
[ Tests ]
I rebuilt the reverse dependencies again just fine.
Reverse-Build-Depends
=====================
* flowgrind (for libxmlrpc-core-c3-dev)
* rtorrent (for libxmlrpc-core-c3-dev)
* rtpengine (for libxmlrpc-core-c3-dev)
* tlf (for libxmlrpc-core-c3-dev)
[ Risks ]
xmlrpc-c/1.59.03-9 fixes most of this mess already;
the remaining debdiff is small
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
unblock xmlrpc-c/1.59.03-10
-----
$ git diff HEAD~3..HEAD | cat
diff --git a/debian/changelog b/debian/changelog
index 59b0dcf..b382579 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xmlrpc-c (1.59.03-10) unstable; urgency=medium
+
+ * Depends on external libexpat1-dev (Closes: #1104753)
+ * Reinstate hardening patch, fix blhc job on Salsa
+
+ -- Alexandre Detiste <tc...@debian.org> Wed, 14 May 2025 16:42:44 +0200
+
xmlrpc-c (1.59.03-9) unstable; urgency=high
* Expand libexpat1 patch to also update xmlrpc-c-config &
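Review bot: The 1.59.03-10 entry does not mention the change to debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch that is part of this same diff, where `$(XML_PKGCONFIG_REQ)` moves from `Requires:` to `Requires.private:` in the generated pkg-config file. That changes what consumers of the .pc file get, so it should have its own bullet. "Reinstate hardening patch" would also be more accurate if it said that the refreshed XXXFLAGS.patch now adds only `-D_FORTIFY_SOURCE=2` and no longer the `-fPIE`, `-pie` and `-Wl,-z,now` flags it carried before.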
diff --git a/debian/control b/debian/control
index c7d9041..ef000c7 100644
--- a/debian/control
+++ b/debian/control
@@ -60,6 +60,7 @@ Architecture: any
Depends:
libc6-dev,
libcurl4-openssl-dev | libcurl4-gnutls-dev,
+ libexpat1-dev,
libxmlrpc-core-c3t64 (= ${binary:Version}),
libxmlrpc-util-dev,
${misc:Depends},
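Review bot: The added `libexpat1-dev` line carries no hint of why a -dev package needs it, and the hunk context (`Architecture: any`) does not show which binary stanza is being changed. Since the same upload moves `$(XML_PKGCONFIG_REQ)` into `Requires.private:`, the dependency looks like what keeps pkg-config lookups resolvable for reverse build-dependencies. Please say so in the changelog bullet so a later dependency cleanup does not drop it, and check that every -dev package shipping a .pc file with that `Requires.private:` line gets the same Depends.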
diff --git a/debian/patches/XXXFLAGS.patch b/debian/patches/XXXFLAGS.patch
index e84ff57..ae1778d 100644
--- a/debian/patches/XXXFLAGS.patch
+++ b/debian/patches/XXXFLAGS.patch
@@ -1,33 +1,21 @@
Description: hardening stuff
Author: Herbert Parentes Fortes Neto <h...@debian.org>
Last-Update: 2016-07-22
-Index: xmlrpc-c-1.33.14/common.mk
-===================================================================
---- xmlrpc-c-1.33.14.orig/common.mk
-+++ xmlrpc-c-1.33.14/common.mk
-@@ -45,8 +45,10 @@ GCC_CXX_WARNINGS = $(GCC_WARNINGS) -Wsy
+--- a/common.mk
++++ b/common.mk
+@@ -48,8 +48,9 @@
# assertion and crash the program if it isn't really true. You can add
# -UNDEBUG (in any of various ways) to override this.
#
--CFLAGS_COMMON = -DNDEBUG
--CXXFLAGS_COMMON = -DNDEBUG
+-CFLAGS_COMMON = -DNDEBUG $(CFLAGS_PTHREAD)
+-CXXFLAGS_COMMON = -DNDEBUG $(CFLAGS_PTHREAD)
+CPPFLAGS_COMMON = -D_FORTIFY_SOURCE=2
-+CFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG -fPIE
-+CXXFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG -fPIE
-+
++CFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG $(CFLAGS_PTHREAD)
++CXXFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG $(CFLAGS_PTHREAD)
ifeq ($(C_COMPILER_GNU),yes)
CFLAGS_COMMON += $(GCC_C_WARNINGS) -fno-common -g -O3
-@@ -84,7 +86,7 @@ ifneq ($(LADD),)
- LDFLAGS := $(LADD)
- endif
-
--LDFLAGS_ALL = $(LDFLAGS_PERSONAL) $(LDFLAGS)
-+LDFLAGS_ALL = $(LDFLAGS_PERSONAL) $(LDFLAGS) -fPIE -pie -Wl,-z,now
-
- ##############################################################################
- # STATIC LINK LIBRARY RULES #
-@@ -160,10 +162,10 @@ LDFLAGS_SHLIB_ALL=$(LDFLAGS_ALL) $(LDFLA
+@@ -173,10 +174,10 @@
#------ the actual rules ----------------------------------------------------
$(TARGET_SHARED_LIBRARIES) dummyshlib:
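Review bot: The refreshed common.mk hunk drops `-fPIE` from CFLAGS_COMMON and CXXFLAGS_COMMON, and the whole LDFLAGS_ALL hunk that added `-fPIE -pie -Wl,-z,now` is removed, so the only hardening this patch still injects is `CPPFLAGS_COMMON = -D_FORTIFY_SOURCE=2`. If PIE and bindnow are now expected to arrive through the flags the package build passes in, state that in the Description and confirm it against the blhc output. Otherwise the reinstated patch is weaker than the one that was disabled. The header still reads `Last-Update: 2016-07-22` and should be bumped along with the refresh. Also check that hard-coding `-D_FORTIFY_SOURCE=2` here does not clash with a `_FORTIFY_SOURCE` definition already present in the build's CPPFLAGS, which would produce redefinition warnings.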
@@ -40,7 +28,7 @@ Index: xmlrpc-c-1.33.14/common.mk
#----------------------------------------------------------------------------
LIBXMLRPC_UTIL_DIR = $(BLDDIR)/lib/libutil
-@@ -315,7 +316,7 @@ $(TARGET_MODS:%=%.osh):%.osh:%.c
+@@ -347,7 +348,7 @@
$(CC) -c -o $@ $(INCLUDES) $(CFLAGS_ALL) $(CFLAGS_SHLIB) $<
$(TARGET_MODS_PP:%=%.o):%.o:%.cpp
diff --git a/debian/patches/series b/debian/patches/series
index 619d27b..2d90dcc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,5 @@
typo.patch
-#XXXFLAGS.patch
+XXXFLAGS.patch
#no_curl_test.patch
614937_FTBFS_hurd-i386.patch
reproducible_build.patch
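Review bot: Re-enabling `XXXFLAGS.patch` leaves `#no_curl_test.patch` as a commented-out entry right below it. A disabled line in series is easy to mistake for an applied patch during review, so either remove the entry (and the patch file, if it is no longer wanted) or add a short comment saying why it stays disabled.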
diff --git a/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch
b/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch
index dca1bd1..d7d5372 100644
--- a/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch
+++ b/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch
@@ -120,6 +120,16 @@ Subject: [PATCH] Use system libexpat rather than bundled
lib/expat/ for
endif
$(LIBXMLRPC_MODS:%=%.o) \
+@@ -339,7 +337,8 @@
+ @echo 'Description: Xmlrpc-c basic XML-RPC library' >>$@
+ @echo 'Version: $(XMLRPC_VERSION_STRING)' >>$@
+ @echo >>$@
+- @echo 'Requires: xmlrpc_util $(XML_PKGCONFIG_REQ)' >>$@
++ @echo 'Requires: xmlrpc_util' >>$@
++ @echo 'Requires.private: $(XML_PKGCONFIG_REQ)' >>$@
+ @echo 'Libs: -L$${libdir} -lxmlrpc' >>$@
+ @echo 'Cflags: -I$${includedir}' >>$@
+
--- a/src/cpp/Makefile
+++ b/src/cpp/Makefile
@@ -42,15 +42,13 @@
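Review bot: In the new `@@ -339,7 +337,8 @@` hunk the `Requires.private: $(XML_PKGCONFIG_REQ)` line is echoed unconditionally, so a build where `XML_PKGCONFIG_REQ` is empty produces a .pc file with an empty `Requires.private:` field. Guarding the echo on a non-empty value would keep the generated file clean. Only this one .pc rule is visible here, and the -9 changelog line mentions that the patch also updates xmlrpc-c-config, so please confirm that the other generated .pc files and xmlrpc-c-config treat the expat requirement the same way (private for shared linking, still emitted for static linking). Otherwise consumers get different link lines depending on which interface they query.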
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---