1. Ubuntu Security Notices
  2. USN-1527-2

USN-1527-2: XML-RPC for C and C++ vulnerabilities

Publication date

10 September 2012

Overview

XML-RPC for C and C++ could be made to cause a denial of service by consuming excessive CPU and memory resources.

Releases

Packages

  • xmlrpc-c - Lightweight RPC library based on XML and HTTP

Details

USN-1527-1 fixed vulnerabilities in Expat. This update provides the
corresponding updates for XML-RPC for C and C++. Both issues described in the
original advisory affected XML-RPC for C and C++ in Ubuntu 10.04 LTS, 11.04,
11.10 and 12.04 LTS.

Original advisory details:

It was discovered that Expat computed hash values without restricting the
ability to trigger hash collisions predictably. If a user or application
linked against Expat were tricked into opening a crafted XML file, an attacker
could cause a denial of service by consuming excessive CPU resources.
(CVE-2012-0876)

Tim Boddy discovered that Expat did not properly handle memory reallocation
when processing XML files. If a user or application linked against Expat were
tricked into opening a crafted XML file, an attacker could cause a denial of
service by consuming excessive memory resources. This issue only...

USN-1527-1 fixed vulnerabilities in Expat. This update provides the
corresponding updates for XML-RPC for C and C++. Both issues described in the
original advisory affected XML-RPC for C and C++ in Ubuntu 10.04 LTS, 11.04,
11.10 and 12.04 LTS.

Original advisory details:

It was discovered that Expat computed hash values without restricting the
ability to trigger hash collisions predictably. If a user or application
linked against Expat were tricked into opening a crafted XML file, an attacker
could cause a denial of service by consuming excessive CPU resources.
(CVE-2012-0876)

Tim Boddy discovered that Expat did not properly handle memory reallocation
when processing XML files. If a user or application linked against Expat were
tricked into opening a crafted XML file, an attacker could cause a denial of
service by consuming excessive memory resources. This issue only affected
Ubuntu 8.04 LTS, 10.04 LTS, 11.04 and 11.10. (CVE-2012-1148)

Update instructions

After a standard system upgrade you need to restart any applications linked against XML-RPC for C and C++ to effect the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
12.04 precise libxmlrpc-core-c3 –  1.16.33-3.1ubuntu5.1
11.10 oneiric libxmlrpc-core-c3-0 –  1.16.32-0ubuntu4.1
11.04 natty libxmlrpc-core-c3-0 –  1.16.32-0ubuntu3.1
10.04 lucid libxmlrpc-core-c3 –  1.06.27-1ubuntu7.1

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›