Hi,
I have been looking at the CVEs that have been found since xmlrpc-c 1.25.30 and one that looks important is CVE-2016-0718.
I have found that Ubuntu have created a patch for this:
https://usn.ubuntu.com/usn/USN-3013-1/
https://launchpadlibrarian.net/265742082/xmlrpc-c_1.16.33-3.1ubuntu5_1.16.33-3.1ubuntu5.2.diff.gz
However it does not look like this has been applied to "advanced", "Stable" or "Super Stable". Instead it looks like the xml parser has been re-written but still based on Expat. Is this correct?
I have compiled the head of stable (1.43.6) and run the test app:
./xmlrpc_sample_add_server 8080
I have used the overflow.xml file available from http://seclists.org/fulldisclosure/2017/Feb/68 and the following command:
curl -v -X POST -H 'Content-type: application/xml' --data-binary "@overflow.xml" http://172.16.30.98:8080/RPC2
And it causes the XMLRPC server to segfault. This means that the stable branch still has the same CVE.
I have also checked out TRUNK (1.49.0) and run the same command and it also causes a segfault:
Running XML-RPC server...
Segmentation fault
Mark.
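The manual check Mark describes (start the sample server, POST one request file, see whether the process dies) can be turned into a repeatable regression test. The script below is an added example written for this thread; it is not part of Mark's post or of the xmlrpc-c project. It assumes the server binary takes the listening port as its first argument (as ./xmlrpc_sample_add_server 8080 does above) and that curl is installed; the request file is passed in by the caller and nothing is embedded here. The function names classify_status and run_crash_check are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread or from xmlrpc-c.
# Usage: ./crash_check.sh ./xmlrpc_sample_add_server 8080 overflow.xml
# Prints "ok" when the server survives the request, otherwise how it died.

# Map a shell wait status to a verdict. Death by signal is reported as
# 128+N, so SIGSEGV (11) shows up as 139 and SIGABRT (6) as 134.
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        139) echo "crash:SIGSEGV" ;;
        134) echo "crash:SIGABRT" ;;
        143) echo "terminated" ;;      # SIGTERM, e.g. from our own cleanup
        *)   echo "exit:$1" ;;
    esac
}

# run_crash_check SERVER_BIN PORT XMLFILE
# Starts the server, waits for it to accept connections, posts XMLFILE to
# /RPC2 and then checks whether the server process is still alive.
run_crash_check() {
    server="$1"; port="$2"; xmlfile="$3"
    url="http://127.0.0.1:$port/RPC2"

    "$server" "$port" >/dev/null 2>&1 &
    pid=$!

    # Poll the listener instead of sleeping blindly (any HTTP reply counts).
    i=0
    while [ "$i" -lt 50 ]; do
        if curl -s -o /dev/null "$url" 2>/dev/null; then
            break
        fi
        if ! kill -0 "$pid" 2>/dev/null; then
            break                      # died before it ever listened
        fi
        i=$((i + 1))
        sleep 0.2
    done

    # The request itself; curl failing (connection reset) is expected on crash.
    curl -s -o /dev/null -X POST -H 'Content-type: application/xml' \
        --data-binary "@$xmlfile" "$url" 2>/dev/null || true
    sleep 1

    if kill -0 "$pid" 2>/dev/null; then
        # Still running: request handled without crashing. Clean up.
        kill "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
        echo "ok"
    else
        # Process gone: collect its exit status and classify it.
        wait "$pid" 2>/dev/null && status=0 || status=$?
        classify_status "$status"
    fi
}

# Only run the live check when invoked with all three arguments, so the
# file can also be sourced for its functions.
if [ "$#" -eq 3 ]; then
    run_crash_check "$@"
fi
```

A result of crash:SIGSEGV is the scripted equivalent of the "Segmentation fault" seen in the thread; once a build with the Expat fix is in place the same invocation should print ok, which makes the script usable as a check in CI for every branch (stable, advanced, trunk) rather than relying on a one-off manual run.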