oss-sec mailing list archives
xmlrpc-c bundles a (very old and) vulnerable copy of libexpat
From: Sebastian Pipping <sebastian () pipping org>
Date: Wed, 9 Apr 2025 23:03:54 +0200
Hello oss-security!
Red Hat and OpenWrt [1] and Gentoo [2] are already aware, but maybe this
matter is of interest to more of you:
It has come to my attention through [0] that xmlrpc-c bundles a (very
old and) vulnerable copy of libexpat. I reached out to upstream and
they made a few minor related changes:
- The configure script started to default to libxml2 rather than
libexpat at [3].
- Also there is a new readme now [4] that warns that the bundled Expat
is "unfit for use in a setting where the communication partner is not
friendly" and a similar new note [5] in the main readme saying…
"When the Expat developer pointed out in 2025 the likelihood that
the Xmlrpc-c fork of Expat contained dozens of security exposure
bugs, the Xmlrpc-c maintainer decided to make external Libxml2 the
default."
So upstream has no plans of deleting that super vulnerable bundle in
favor of using system libexpat.
I did offer a patch to use system libexpat [6] to the point where folder
lib/expat/ could be fully deleted in packaging (to be accident proof),
but there was no interest from upstream. That patch hence went into
Gentoo packaging downstream [6] instead.

If you need help with porting that patch to different versions of
xmlrpc-c, I may be able to help.

Best

Sebastian

[0] https://github.com/signalwire/freeswitch/pull/2768
[1] https://github.com/openwrt/packages/issues/26263
[2] https://bugs.gentoo.org/952113
[3] https://sourceforge.net/p/xmlrpc-c/code/3290/tree//trunk/configure.ac?diff=50c5155b5fcbc9098bb77a4a:3289
[4] https://sourceforge.net/p/xmlrpc-c/code/3307/tree//trunk/lib/expat/README
[5] https://sourceforge.net/p/xmlrpc-c/code/3290/tree//trunk/README?diff=50c5155b5fcbc9098bb77a4a:3289
[6] https://raw.githubusercontent.com/gentoo/gentoo/61b6130343a41b49da1ffe7376ab5d2077a37411/dev-libs/xmlrpc-c/files/xmlrpc-c-1.59.03-use-system-expat.patch