[Quantal] xmlrpc-c is vulnerable to CVE-2012-0876 and CVE-2012-1148

Bug #1048835 reported by Tyler Hicks
Affects                    Status        Importance  Assigned to     Milestone
xmlrpc-c (Ubuntu)          Fix Released  Medium      Micah Gersten
Quantal                    Fix Released  Medium      Micah Gersten

Bug Description

XML-RPC for C and C++ could be made to cause a denial of service by consuming excessive CPU and memory resources.

Here is the USN for the stable releases:

http://www.ubuntu.com/usn/usn-1527-2/

and the security team CVE tracker links:

http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-0876
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1148

Tyler Hicks (tyhicks) wrote:
Changed in xmlrpc-c (Ubuntu):
assignee: Tyler Hicks (tyhicks) → nobody
status: Triaged → Confirmed
Micah Gersten (micahg) wrote:

Taking a look

Changed in xmlrpc-c (Ubuntu Quantal):
assignee: nobody → Micah Gersten (micahg)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package xmlrpc-c - 1.16.33-3.1ubuntu6

---------------
xmlrpc-c (1.16.33-3.1ubuntu6) quantal; urgency=low

  * Run the tests as part of the build process
    - debian/patches/FTBFS-tests.patch: Fix issues when running make check.
      Based on upstream patches.
    - debian/rules: Run make check after building
  * Fix dependencies of xmlrpc-api-utils
    - debian/control: xmlrpc-api2cpp needs libxmlrpc_cpp.so.4, so depend on
      libxmlrpc-c++4
  * SECURITY UPDATE: Denial of service via hash collisions (LP: #1048835)
    - debian/patches/CVE-2012-0876.patch: Add random salt value to
      hash inputs. Based on upstream patch.
    - CVE-2012-0876
  * SECURITY UPDATE: Denial of service via memory leak (LP: #1048835)
    - debian/patches/CVE-2012-1148.patch: Properly reallocate memory.
      Based on upstream patch.
    - CVE-2012-1148
 -- Tyler Hicks <email address hidden> Mon, 10 Sep 2012 14:57:29 -0700

Changed in xmlrpc-c (Ubuntu Quantal):
status: In Progress → Fix Released