hi jamie,

it looks like the version in git[1,2] is based on 1.16.07, which probably explains the discrepancy. i'm pretty sure this version predates the CVE by large enough of a margin that it's likely to be vulnerable unless it's been hacked enough to have lost the vulnerable code paths.

thanks,
sean

[1] ssh://git.debian.org/git/users/seanius/xmlrpc-c.git
[2] this hasn't yet been uploaded to unstable, though it can be fetched from experimental as well as git.

On Thu, Jan 28, 2010 at 06:58:51AM -0600, Jamie Strandboge wrote:
> On Thu, 2010-01-28 at 10:00 +0100, sean finney wrote:
> > 560942
>
> > i've imported the patches into git but one of them does not apply:
> >
> > Applying patch CVE-2009-3560.patch
> > patching file lib/expat/xmlparse/xmlparse.c
> > Hunk #1 FAILED at 2330.
> > 1 out of 1 hunk FAILED -- rejects in file ib/expat/xmlparse/xmlparse.c
> > Patch CVE-2009-3560.patch does not apply (enforce with -f)
>
> That's weird cause it works fine here:
> $ md5sum /tmp/xmlrpc-c.diff
> 11b2a93bf29420838e7e560304aba980 /tmp/xmlrpc-c.diff
>
> $ apt-get source xmlrpc-c=1.06.27-1
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Need to get 707kB of source archives.
> Get:1 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (dsc)
> [1,070B]
> Get:2 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (tar)
> [700kB]
> Get:3 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (diff)
> [6,767B]
> Fetched 707kB in 1s (458kB/s)
> dpkg-source: info: extracting xmlrpc-c in xmlrpc-c-1.06.27
> dpkg-source: info: unpacking xmlrpc-c_1.06.27.orig.tar.gz
> dpkg-source: info: applying xmlrpc-c_1.06.27-1.diff.gz
>
> $ cd ./xmlrpc-c-1.06.27/
>
> $ cat /tmp/xmlrpc-c.diff | patch -p1
> patching file debian/patches/series
> patching file debian/patches/CVE-2009-3560.patch
> patching file debian/patches/CVE-2009-3720.patch
>
> $ fakeroot debian/rules patch
> QUILT_PATCHES=debian/patches quilt --quiltrc /dev/null push -a || test
> $? = 2
> Applying patch old-libtool.patch
> patching file ltconfig
>
> Applying patch curl_easy_setopt.patch
> patching file lib/curl_transport/xmlrpc_curl_transport.c
>
> Applying patch CVE-2009-3720.patch
> patching file lib/expat/xmltok/xmltok_impl.c
>
> Applying patch CVE-2009-3560.patch
> patching file lib/expat/xmlparse/xmlparse.c
>
> Now at patch CVE-2009-3560.patch
> touch debian/stamp-patched
>
>
> Are you looking at 1.16.07-1 from experimental and not 1.06.27-1 from
> unstable?
>
> Jamie
>
> --
> Jamie Strandboge | http://www.canonical.com