.gitignore

@@ -1,2 +1 @@
-/xmlrpc-c-1.51.0.tar.xz
+SOURCES/xmlrpc-c-1.51.0.tar.xz
-/benchmark-tests.tar.xz

.xmlrpc-c.metadata

@@ -0,0 +1 @@
+784a3e74971f3b7d992d768c732daa891ffd2412 SOURCES/xmlrpc-c-1.51.0.tar.xz

0007-Address-segfault-found-in-CVE-2023-52425.patch

@@ -1,106 +0,0 @@
-From 66e6f8700959f7a54056ed7946c179d808e838e8 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 25 Apr 2024 09:26:04 -0400
-Subject: [PATCH] Address segfault found in CVE-2023-52425
-
-The CVE addresses a possible DoS when unreasonably large tokens
-are passed into the XML parser for processing. These were taking
-upwards of 8 seconds per file processed with the exception of
-aaaaaa_cdata.xml which caused a segmentation fault. The XML
-processor was effectively losing the start of the string, setting
-it to NULL. This caused a cascade of errors trying to parse both
-the next token and in handling errors if a new token was not found.
-
-This handles both those cases but not the underlying reason why
-the pointer to inputStart is lost.
-
-Trying to backport the libexpat changes to address the performance
-issue would be enormous since the xmlrpc-c custom version of libexpat
-is extremely old. Since xmlrpc-c is mostly used as a client passing
-in random values is less of an issue.
-
-Include the libexpat upstream benchmark test to validate that the
-tests pass, albeit slowly.
-
-To run the benchmarks:
- extract the sources
- cd xmlrpc-c-1.51.0
- make
- cd test
- make
- cd benchmark
- for file in *.xml; do ./benchmark $file 4096 1; done
-
-One test will error out but this is expected as part of the fix.
-
-The tests will be extracted as a Source because of their
-uncompressed size (~48M)
-
-Fixes: RHEL-24226
----
- lib/expat/xmlparse/xmlparse.c  | 3 +++
- lib/expat/xmltok/xmltok_impl.c | 4 ++++
- test/Makefile                  | 7 +++++--
- 3 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
-index 16ab82a..6621d18 100644
---- a/lib/expat/xmlparse/xmlparse.c
-+++ b/lib/expat/xmlparse/xmlparse.c
-@@ -35,6 +35,9 @@ extractXmlSample(const char * const start,
-                  size_t       const maximumLen) {
- 
-     size_t const len = MIN(maximumLen, (size_t)(end - start));
-+    if (start == NULL) {
-+        return strdup("");
-+    }
-     
-     return xmlrpc_makePrintable_lp(start, len);
- }
-diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c
-index bae79b9..80da94f 100644
---- a/lib/expat/xmltok/xmltok_impl.c
-+++ b/lib/expat/xmltok/xmltok_impl.c
-@@ -871,6 +871,10 @@ PREFIX(contentTok)(const ENCODING * const enc,
-             */
-         PREFIX(chopToWholeCharacters)(inputStart, inputEnd, &end);
- 
-+        if (inputStart == NULL) {
-+            *nextTokPtr = NULL;
-+            return XML_TOK_INVALID;
-+        }
-         if (end == inputStart) {
-             *nextTokPtr = inputStart;
-             return XML_TOK_PARTIAL;
-diff --git a/test/Makefile b/test/Makefile
-index 4fce824..1242910 100644
---- a/test/Makefile
-+++ b/test/Makefile
-@@ -7,7 +7,7 @@ SUBDIR := test
- 
- include $(BLDDIR)/config.mk
- 
--SUBDIRS = cpp
-+SUBDIRS = cpp benchmark
- 
- XMLRPC_C_CONFIG = $(BLDDIR)/xmlrpc-c-config.test
- 
-@@ -98,11 +98,14 @@ runtests_local: test cgitest1
- 	./test
- 
- .PHONY: runtests
--runtests: runtests_local cpp/runtests
-+runtests: runtests_local cpp/runtests benchmark/runtests
- 
- cpp/runtests: FORCE
- 	$(MAKE) -C $(dir $@) $(notdir $@)
- 
-+benchmark/runtests:
-+	$(MAKE) -C $(dir $@) $(notdir $@)
-+
- .PHONY: install
- install:
- 
--- 
-2.42.0
-

SPECS/xmlrpc-c.spec

@@ -6,7 +6,7 @@
 
 Name:           xmlrpc-c
 Version:        1.51.0
-Release:        9%{?dist}
+Release:        8%{?dist}
 Summary:        Lightweight RPC library based on XML and HTTP
 # See doc/COPYING for details.
 # The Python 1.5.2 license used by a few files is just BSD.
@@ -17,7 +17,6 @@ URL:            http://xmlrpc-c.sourceforge.net/
 # upstream does not tag versions so we must fetch from the branch and
 # check which version was used for it
 %{?advanced_branch:Source0: xmlrpc-c-%version.tar.xz}
-%{?advanced_branch:Source1: benchmark-tests.tar.xz}
 
 # Upstreamable patches
 Patch101:       0001-xmlrpc_server_abyss-use-va_args-properly.patch
@@ -28,7 +27,6 @@ Patch103:       0003-allow-30x-redirections.patch
 Patch104:       0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
 Patch105:       0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
 Patch106:       0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
-Patch107:       0007-Address-segfault-found-in-CVE-2023-52425.patch
 
 # Backported patches
 # https://sourceforge.net/p/xmlrpc-c/code/2981/
@@ -131,7 +129,6 @@ This package contains some handy XML-RPC demo applications.
 
 %prep
 %autosetup -Sgit
-tar xf %{SOURCE1}
 
 %build
 %meson %{?with_libxml2:-Dlibxml2-backend=true}
@@ -197,9 +194,6 @@ tar xf %{SOURCE1}
 %{_bindir}/xmlrpc_dumpserver
 
 %changelog
-* Thu Apr 25 2024 Rob Crittenden <rcritten@redhat.com> - 1.51.0-9
-- Address segfault found in CVE-2023-52425 (RHEL-24226)
-
 * Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8
 - Address some Coverity issues in the patch set
 

sources

@@ -1,2 +0,0 @@
-SHA512 (benchmark-tests.tar.xz) = 1c15947e0b9ab8d8698ae1ca716b6a87506bf4ca468d863e50d0d96d8a4127055acf1ef6f64d9a91d037bd07640827bdab31c93e567d9e65fad526f5a56e8c15
-SHA512 (xmlrpc-c-1.51.0.tar.xz) = 23b0a2fd15ee8ee48d19ed2e329d1a81d3f5ed9b9c0948da736202dddcada1c0fdd378013392ef8e1a2380a2e83ea779d4d3f4f925ca7aab82d335f5c74c211e