A lightweight RPC library based on XML and HTTP
a8bddf83d5
The embedded libexpat library is vulnerable to a stack overflow due to uncontrolled recursion when processing deeply nested XML entities. This can cause the application to crash, resulting in a denial of service (DoS) or potentially leading to memory corruption, depending on the user's environment and how the library is used. The issue is triggered by supplying a specially crafted XML document designed to create a long chain of recursive entities. libexpat addressed this upstream in https://github.com/libexpat/libexpat/pull/973 but the embedded copy within xmlrpc-c is so old there is no chance of applying this without rebasing it. Instead a recursion counter is added to the parser to limit the depth. Resolves: RHEL-57536 |
||
|---|---|---|
| .gitignore | ||
| 0001-add-meson-buildsystem-definitions.patch | ||
| 0001-Remove-trace-statements-accidentally-committed-with-.patch | ||
| 0001-xmlrpc_server_abyss-use-va_args-properly.patch | ||
| 0002-chmod-x-xml-rpc-api2txt.patch | ||
| 0002-Use-proper-datatypes-for-long-long.patch | ||
| 0003-allow-30x-redirections.patch | ||
| 0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch | ||
| 0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch | ||
| 0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch | ||
| 0007-Address-segfault-found-in-CVE-2023-52425.patch | ||
| 0008-Prevent-integer-overflow-or-wraparound-CVE-2024-4549.patch | ||
| 0009-Restrict-XML-Entity-Expansion-Depth-in-libexpat-CVE-.patch | ||
| 0010-Add-missing-files-for-the-benchmark-tests.patch | ||
| sources | ||
| xmlrpc-c.spec | ||