hi jamie,

it looks like the version in git[1,2] is based on 1.16.07, which probably
explains the discrepancy.  i'm pretty sure this version predates the CVE
by a large enough margin that it's likely to be vulnerable unless it's
been hacked enough to have lost the vulnerable code paths.

thanks,
        sean

[1] ssh://git.debian.org/git/users/seanius/xmlrpc-c.git
[2] this hasn't yet been uploaded to unstable, though it can be
    fetched from experimental as well as git.

On Thu, Jan 28, 2010 at 06:58:51AM -0600, Jamie Strandboge wrote:
> On Thu, 2010-01-28 at 10:00 +0100, sean finney wrote:
> > 560942
> 
> > i've imported the patches into git but one of them does not apply:
> > 
> > Applying patch CVE-2009-3560.patch
> > patching file lib/expat/xmlparse/xmlparse.c
> > Hunk #1 FAILED at 2330.
> > 1 out of 1 hunk FAILED -- rejects in file ib/expat/xmlparse/xmlparse.c
> > Patch CVE-2009-3560.patch does not apply (enforce with -f)
> 
> That's weird cause it works fine here:
> $ md5sum /tmp/xmlrpc-c.diff
> 11b2a93bf29420838e7e560304aba980  /tmp/xmlrpc-c.diff
> 
> $ apt-get source xmlrpc-c=1.06.27-1
> Reading package lists... Done
> Building dependency tree       
> Reading state information... Done
> Need to get 707kB of source archives.
> Get:1 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (dsc)
> [1,070B]
> Get:2 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (tar)
> [700kB]
> Get:3 http://ftp.debian.org unstable/main xmlrpc-c 1.06.27-1 (diff)
> [6,767B]
> Fetched 707kB in 1s (458kB/s)   
> dpkg-source: info: extracting xmlrpc-c in xmlrpc-c-1.06.27
> dpkg-source: info: unpacking xmlrpc-c_1.06.27.orig.tar.gz
> dpkg-source: info: applying xmlrpc-c_1.06.27-1.diff.gz
> 
> $ cd ./xmlrpc-c-1.06.27/
> 
> $ cat /tmp/xmlrpc-c.diff | patch -p1
> patching file debian/patches/series
> patching file debian/patches/CVE-2009-3560.patch
> patching file debian/patches/CVE-2009-3720.patch
> 
> $ fakeroot debian/rules patch
> QUILT_PATCHES=debian/patches quilt --quiltrc /dev/null push -a || test
> $? = 2
> Applying patch old-libtool.patch
> patching file ltconfig
> 
> Applying patch curl_easy_setopt.patch
> patching file lib/curl_transport/xmlrpc_curl_transport.c
> 
> Applying patch CVE-2009-3720.patch
> patching file lib/expat/xmltok/xmltok_impl.c
> 
> Applying patch CVE-2009-3560.patch
> patching file lib/expat/xmlparse/xmlparse.c
> 
> Now at patch CVE-2009-3560.patch
> touch debian/stamp-patched
> 
> 
> Are you looking at 1.16.07-1 from experimental and not 1.06.27-1 from
> unstable?
> 
> Jamie
> 
> -- 
> Jamie Strandboge             | http://www.canonical.com
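The thread turns on a patch written against the 1.06.27 expat copy that no longer finds its context in the 1.16.07 tree. As an added illustration (not code from the thread, from Debian's tooling or from patch(1) itself), the following Python models what `patch --dry-run` does: it parses unified-diff hunks, looks for each hunk's expected lines at the stated position and at nearby offsets, and reports `Hunk #1 FAILED at N.` when the surrounding source has changed. The C fragments, the hunk and the file name `parser.c` are constructed samples, not the real xmlparse.c or the real CVE-2009-3560 fix; the model uses exact context matching only and leaves out patch's fuzz factor.

```python
"""Dry-run check of whether a unified-diff hunk still applies to a file.

Added illustration, not code from the thread: mimics what patch(1) reports
("Hunk #1 FAILED at N") when a hunk's context is no longer present, as happens
when a patch made against one upstream version is applied to a different one.
Files and hunk below are constructed samples; exact-match only, no fuzz.
"""
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_hunks(diff_text):
    """Hunks as {'old_start', 'expect': context+removed, 'replace': context+added}."""
    hunks, cur, old_left, new_left = [], None, 0, 0
    for line in diff_text.splitlines():
        m = HUNK_RE.match(line)
        if m:  # @@ -old_start,old_len +new_start,new_len @@  (len defaults to 1)
            old_left, new_left = int(m.group(2) or 1), int(m.group(4) or 1)
            cur = {"old_start": int(m.group(1)), "expect": [], "replace": []}
            hunks.append(cur)
            continue
        if cur is None or (old_left == 0 and new_left == 0):
            continue  # ---/+++ file headers, or text between hunks
        tag, body = line[:1], line[1:]
        if tag == " ":  # context: must exist in the file and is kept
            cur["expect"].append(body)
            cur["replace"].append(body)
            old_left, new_left = old_left - 1, new_left - 1
        elif tag == "-":  # removed: must exist in the file
            cur["expect"].append(body)
            old_left -= 1
        elif tag == "+":  # added: written out only
            cur["replace"].append(body)
            new_left -= 1
    return hunks


def find_hunk(file_lines, hunk):
    """Try the stated position first, then growing offsets in both directions
    (as patch(1) does); return the 0-based index of the match or None."""
    expect, n = hunk["expect"], len(file_lines)
    start = hunk["old_start"] - 1
    for off in [0] + [d for k in range(1, n + 1) for d in (-k, k)]:
        pos = start + off
        if 0 <= pos <= n - len(expect) and file_lines[pos:pos + len(expect)] == expect:
            return pos
    return None


def dry_run(file_text, diff_text):
    """Return (all_ok, messages) modelled on `patch --dry-run` output."""
    lines, messages, ok = file_text.splitlines(), [], True
    for i, hunk in enumerate(parse_hunks(diff_text), 1):
        pos = find_hunk(lines, hunk)
        if pos is None:
            ok = False
            messages.append(f"Hunk #{i} FAILED at {hunk['old_start']}.")
            continue
        offset = pos - (hunk["old_start"] - 1)
        note = f" (offset {offset} line{'s' if abs(offset) != 1 else ''})" if offset else ""
        messages.append(f"Hunk #{i} succeeded at {pos + 1}{note}.")
    return ok, messages


# Constructed samples: the version the patch was written against ...
FILE_V1 = """\
int
processInput(Parser *p, const char *buf, int len)
{
    int i;
    for (i = 0; i < len; i++)
        handle(p, buf[i]);
    return 0;
}
"""
# ... the same code with one line added above it (found at an offset) ...
FILE_V1_SHIFTED = '#include "parser.h"\n' + FILE_V1
# ... and a later rewrite in which the hunk's context no longer exists.
FILE_V2 = """\
int processInput(Parser *p, const char *buf, size_t len)
{
    for (size_t i = 0; i < len; ++i) handle(p, buf[i]);
    return 0;
}
"""
# Constructed fix: a bounds check inserted before the loop.
PATCH = """\
--- a/parser.c
+++ b/parser.c
@@ -2,5 +2,7 @@
 processInput(Parser *p, const char *buf, int len)
 {
     int i;
+    if (len < 0)
+        return -1;
     for (i = 0; i < len; i++)
         handle(p, buf[i]);
"""

if __name__ == "__main__":
    for name, text in (("v1", FILE_V1), ("v1+include", FILE_V1_SHIFTED), ("v2", FILE_V2)):
        ok, msgs = dry_run(text, PATCH)
        print(f"{name}: {'applies' if ok else 'does NOT apply'}; {'; '.join(msgs)}")
```

Running it shows the three outcomes a maintainer meets in practice: a clean apply, an apply at an offset (the file gained lines above the hunk but the context is intact), and the outright FAILED seen in the thread, where the function was rewritten between releases and nothing in the file matches the hunk's context any more. The fix in that last case is not to force the patch but to check which upstream version the tree actually is, as Jamie asks at the end of the quoted mail.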
