Don't know if it is realy relevant, but: xmlrpc_datetime.c:164:17: warning: the value of the size argument in 'strncat' is too large, might lead to a buffer overflow [-Wstrncat-size] STRSCAT(dtString, usecString); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ blddir/include/xmlrpc-c/string_int.h:125:24: note: expanded from macro 'STRSCAT' and xmlrpc_serialize.c:308:13: warning: the value of the size argument in 'strncat' is too large, might lead to a buffer overflow [-Wstrncat-size] STRSCAT(dtString, usecString); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ blddir/include/xmlrpc-c/string_int.h:125:24: note: expanded from macro 'STRSCAT' -- macro is defined in net/xmlrpc-c/work/xmlrpc-c-1.39.08/src/blddir/include/xmlrpc-c/string_int.h 124 #define STRSCAT(A,B) \ 125 (strncat((A), (B), sizeof(A)-strlen(A)), *((A)+sizeof(A)-1) = '\0')
I think this is the cause: -#define STRSCAT(A,B) \ - (strncat((A), (B), sizeof(A)-strlen(A)), *((A)+sizeof(A)-1) = '\0') +#define STRNSCAT(A,B) \ (strncat((A), (B), sizeof(A)-strlen(A)-1), *((A)+sizeof(A)-1) = '\0') I renamed the STRSCAT macro to STRNSCAT, cause of an "redefined" error message. It had to changed in include/xmlrpc-c/string_int.h and src/xmlrpc_serialize.c also. I attached a svn-diff.
Created attachment 173178 [details] svn-diff_net_xmlrpc-c
I mailed it Bryan Henderson from xmlrpc-c. He confirmed it is a wrong or bad code, and said he will change it, with next stable version in "a few" weeks. Tell me, if I should this PR keep open, or close it.
Created attachment 174313 [details] svn-diff_xmlrpc-c-1.39.10
Fixed upstream with update to 1.39.10.
ChangeLog: Fix possible buffer overrun. Introduced in Xmlrpc-c 1.15 (June 2008). Build: fix missing thread libraries in libutil++ link. Install: fix bug: xmlrpc_expat.pc not installed. portlint ok.
Created attachment 174314 [details] svn-diff_xmlrpc-c-1.39.10
Overlooked distinfo.
Testbuild with poudriere on 103amd64/i386 and 93amd64/i386 ok.
Additional to the ChangeLog; 1.39.09 A release by this name was never properly released, but a copy of Release 1.39.08 was accidentally distributed with a filename indicating it was 1.39.09 between mid-July and August 23, 2016.
A commit references this bug: Author: garga Date: Mon Sep 5 17:23:11 UTC 2016 New revision: 421381 URL: https://svnweb.freebsd.org/changeset/ports/421381 Log: Update net/xmlrpc to 1.39.10 This version if a buffer overflow in STRSCAT PR: 211257 Submitted by: w.schwarzenfeld@utanet.at MFH: 2016Q3 Changes: head/net/xmlrpc-c/Makefile head/net/xmlrpc-c/distinfo
A commit references this bug: Author: garga Date: Tue Sep 6 16:51:49 UTC 2016 New revision: 421442 URL: https://svnweb.freebsd.org/changeset/ports/421442 Log: MFH: r421381 Update net/xmlrpc to 1.39.10 This version if a buffer overflow in STRSCAT PR: 211257 Submitted by: w.schwarzenfeld@utanet.at Approved by: ports-secteam (feld) Changes: _U branches/2016Q3/ branches/2016Q3/net/xmlrpc-c/Makefile branches/2016Q3/net/xmlrpc-c/distinfo