Package: release.debian.org
Severity: normal
X-Debbugs-Cc: xmlrp...@packages.debian.org, Guillem Jover <gjo...@sipwise.com>
Control: affects -1 + src:xmlrpc-c
User: release.debian....@packages.debian.org
Usertags: unblock

This is a pre-approval request.

----

Please unblock package xmlrpc-c

The Security Team discovered a latent vulnerability:

  "xmlrpc-c: bundles a (very old and) vulnerable copy of libexpat"
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102554

This needed extensive patching to get this right.

[ Reason ]
xmlrpc-c/1.59.03-10 fixes the FTBFS of the reverse dependencies
which for some other reasons end up depending on 'pkgconf'

[ Impact ]
That is not exactly clear to me, but I'm the one _learning_
from all my previous & current interactions with Guillem;
so I trust his judgement.

[ Tests ]
I rebuilt the reverse dependencies again just fine.

  Reverse-Build-Depends
  =====================
  * flowgrind                     (for libxmlrpc-core-c3-dev)
  * rtorrent                      (for libxmlrpc-core-c3-dev)
  * rtpengine                     (for libxmlrpc-core-c3-dev)
  * tlf                           (for libxmlrpc-core-c3-dev)

[ Risks ]
xmlrpc-c/1.59.03-9 fixes most of this mess already;
the remaining debdiff is small

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock xmlrpc-c/1.59.03-10

-----

$ git diff HEAD~3..HEAD | cat
diff --git a/debian/changelog b/debian/changelog
index 59b0dcf..b382579 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xmlrpc-c (1.59.03-10) unstable; urgency=medium
+
+  * Depends on external libexpat1-dev (Closes: #1104753)
+  * Reinstate hardening patch, fix blhc job on Salsa
+
+ -- Alexandre Detiste <tc...@debian.org>  Wed, 14 May 2025 16:42:44 +0200
+
 xmlrpc-c (1.59.03-9) unstable; urgency=high
 
   * Expand libexpat1 patch to also update xmlrpc-c-config &
diff --git a/debian/control b/debian/control
index c7d9041..ef000c7 100644
--- a/debian/control
+++ b/debian/control
@@ -60,6 +60,7 @@ Architecture: any
 Depends:
  libc6-dev,
  libcurl4-openssl-dev | libcurl4-gnutls-dev,
+ libexpat1-dev,
  libxmlrpc-core-c3t64 (= ${binary:Version}),
  libxmlrpc-util-dev,
  ${misc:Depends},
diff --git a/debian/patches/XXXFLAGS.patch b/debian/patches/XXXFLAGS.patch
index e84ff57..ae1778d 100644
--- a/debian/patches/XXXFLAGS.patch
+++ b/debian/patches/XXXFLAGS.patch
@@ -1,33 +1,21 @@
 Description: hardening stuff
 Author: Herbert Parentes Fortes Neto <h...@debian.org>
 Last-Update: 2016-07-22
-Index: xmlrpc-c-1.33.14/common.mk
-===================================================================
---- xmlrpc-c-1.33.14.orig/common.mk
-+++ xmlrpc-c-1.33.14/common.mk
-@@ -45,8 +45,10 @@ GCC_CXX_WARNINGS = $(GCC_WARNINGS)  -Wsy
+--- a/common.mk
++++ b/common.mk
+@@ -48,8 +48,9 @@
  # assertion and crash the program if it isn't really true.  You can add
  # -UNDEBUG (in any of various ways) to override this.
  #
--CFLAGS_COMMON = -DNDEBUG
--CXXFLAGS_COMMON = -DNDEBUG
+-CFLAGS_COMMON = -DNDEBUG $(CFLAGS_PTHREAD)
+-CXXFLAGS_COMMON = -DNDEBUG $(CFLAGS_PTHREAD)
 +CPPFLAGS_COMMON = -D_FORTIFY_SOURCE=2
-+CFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG -fPIE
-+CXXFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG -fPIE
-+
++CFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG $(CFLAGS_PTHREAD)
++CXXFLAGS_COMMON = $(CPPFLAGS_COMMON) -DNDEBUG $(CFLAGS_PTHREAD)
  
  ifeq ($(C_COMPILER_GNU),yes)
    CFLAGS_COMMON += $(GCC_C_WARNINGS) -fno-common -g -O3
-@@ -84,7 +86,7 @@ ifneq ($(LADD),)
-   LDFLAGS := $(LADD)
- endif
- 
--LDFLAGS_ALL = $(LDFLAGS_PERSONAL) $(LDFLAGS)
-+LDFLAGS_ALL = $(LDFLAGS_PERSONAL) $(LDFLAGS) -fPIE -pie -Wl,-z,now
- 
- ##############################################################################
- #                        STATIC LINK LIBRARY RULES                           #
-@@ -160,10 +162,10 @@ LDFLAGS_SHLIB_ALL=$(LDFLAGS_ALL) $(LDFLA
+@@ -173,10 +174,10 @@
  
  #------ the actual rules ----------------------------------------------------
  $(TARGET_SHARED_LIBRARIES) dummyshlib:
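Review bot: The patch header still says `Last-Update: 2016-07-22` although this commit rewrites the patch body (the `-fPIE`/`-pie -Wl,-z,now` additions are dropped and `$(CFLAGS_PTHREAD)` is now kept on both flag lines), so the DEP-3 metadata no longer describes the patch; bump the date and replace the one-word description, e.g. `Description: hardening: prepend -D_FORTIFY_SOURCE=2 via CPPFLAGS_COMMON (PIE/bindnow are expected from the toolchain and dpkg-buildflags)`. Separately, `CPPFLAGS_COMMON = -D_FORTIFY_SOURCE=2` is hard-coded; if debian/rules (not in this diff) also injects dpkg-buildflags' CPPFLAGS, the macro appears twice on the command line, which compilers typically report as a redefinition warning with the later value winning, so it is worth confirming the hard-coded level does not fight the one dpkg-buildflags supplies. Dropping `-Wl,-z,now` also removes bindnow unless it is re-supplied elsewhere, which is not visible here. The second hunk of this patch file is a pure hunk-header renumbering and needs no change.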
@@ -40,7 +28,7 @@ Index: xmlrpc-c-1.33.14/common.mk
  #----------------------------------------------------------------------------
  
  LIBXMLRPC_UTIL_DIR = $(BLDDIR)/lib/libutil
-@@ -315,7 +316,7 @@ $(TARGET_MODS:%=%.osh):%.osh:%.c
+@@ -347,7 +348,7 @@
        $(CC) -c -o $@ $(INCLUDES) $(CFLAGS_ALL) $(CFLAGS_SHLIB) $<
  
  $(TARGET_MODS_PP:%=%.o):%.o:%.cpp
diff --git a/debian/patches/series b/debian/patches/series
index 619d27b..2d90dcc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,5 @@
 typo.patch
-#XXXFLAGS.patch
+XXXFLAGS.patch
 #no_curl_test.patch
 614937_FTBFS_hurd-i386.patch
 reproducible_build.patch
diff --git a/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch 
b/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch
index dca1bd1..d7d5372 100644
--- a/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch
+++ b/debian/patches/xmlrpc-c-1.59.03-use-system-expat.patch
@@ -120,6 +120,16 @@ Subject: [PATCH] Use system libexpat rather than bundled 
lib/expat/ for
  endif
  
  $(LIBXMLRPC_MODS:%=%.o) \
+@@ -339,7 +337,8 @@
+       @echo 'Description: Xmlrpc-c basic XML-RPC library'                >>$@
+       @echo 'Version:     $(XMLRPC_VERSION_STRING)'                      >>$@
+       @echo                                                              >>$@
+-      @echo 'Requires: xmlrpc_util $(XML_PKGCONFIG_REQ)'                 >>$@
++      @echo 'Requires: xmlrpc_util'                                      >>$@
++      @echo 'Requires.private: $(XML_PKGCONFIG_REQ)'                     >>$@
+       @echo 'Libs:     -L$${libdir} -lxmlrpc'                            >>$@
+       @echo 'Cflags:   -I$${includedir}'                                 >>$@
+ 
 --- a/src/cpp/Makefile
 +++ b/src/cpp/Makefile
 @@ -42,15 +42,13 @@
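Review bot: Moving `$(XML_PKGCONFIG_REQ)` to `Requires.private:` means pkg-config has to resolve that .pc file for every query against xmlrpc.pc, not only `--static`, so the new `libexpat1-dev` Depends in debian/control is load-bearing and the link between the two changes deserves a sentence in the patch header, e.g. `Requires.private needs the expat .pc at consumer build time; the -dev package therefore Depends on libexpat1-dev`. If `XML_PKGCONFIG_REQ` can expand to something other than expat under a different configure option, that Depends would not cover it; an empty expansion yields an empty `Requires.private:` line, which pkg-config tolerates. The enclosing `>>$@` recipe starts and ends outside this hunk.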
