mirror of
https://git.FreeBSD.org/ports.git
synced 2024-12-29 05:38:00 +00:00
Security fix libxslt heap overflow, bump the PORTREVISION.
PR: ports/126869 Submitted by: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp> Obtained from: http://www.ocert.org/advisories/ocert-2008-009.html Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935
This commit is contained in:
parent
874ad54ef4
commit
74c487cc60
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=219863
@ -7,7 +7,7 @@
|
||||
|
||||
PORTNAME= libxslt
|
||||
PORTVERSION= 1.1.24
|
||||
PORTREVISION?= 0
|
||||
PORTREVISION?= 1
|
||||
CATEGORIES?= textproc gnome
|
||||
MASTER_SITES= ftp://fr.rpmfind.net/pub/libxml/ \
|
||||
ftp://gd.tuwien.ac.at/pub/libxml/ \
|
||||
|
152
textproc/libxslt/files/patch-exslt_crypt
Normal file
152
textproc/libxslt/files/patch-exslt_crypt
Normal file
@ -0,0 +1,152 @@
|
||||
Index: libexslt/crypto.c
|
||||
===================================================================
|
||||
--- libexslt/crypto.c (revision 1479)
|
||||
+++ libexslt/crypto.c (working copy)
|
||||
@@ -595,11 +595,13 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
|
||||
int str_len = 0, bin_len = 0, hex_len = 0;
|
||||
xmlChar *key = NULL, *str = NULL, *padkey = NULL;
|
||||
xmlChar *bin = NULL, *hex = NULL;
|
||||
+ xsltTransformContextPtr tctxt = NULL;
|
||||
|
||||
- if ((nargs < 1) || (nargs > 3)) {
|
||||
+ if (nargs != 2) {
|
||||
xmlXPathSetArityError (ctxt);
|
||||
return;
|
||||
}
|
||||
+ tctxt = xsltXPathGetTransformContext(ctxt);
|
||||
|
||||
str = xmlXPathPopString (ctxt);
|
||||
str_len = xmlUTF8Strlen (str);
|
||||
@@ -611,7 +613,7 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
|
||||
}
|
||||
|
||||
key = xmlXPathPopString (ctxt);
|
||||
- key_len = xmlUTF8Strlen (str);
|
||||
+ key_len = xmlUTF8Strlen (key);
|
||||
|
||||
if (key_len == 0) {
|
||||
xmlXPathReturnEmptyString (ctxt);
|
||||
@@ -620,15 +622,33 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
|
||||
return;
|
||||
}
|
||||
|
||||
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
|
||||
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
|
||||
+ if (padkey == NULL) {
|
||||
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
|
||||
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||
+ xmlXPathReturnEmptyString (ctxt);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
|
||||
+
|
||||
key_size = xmlUTF8Strsize (key, key_len);
|
||||
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
|
||||
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
|
||||
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||
+ xmlXPathReturnEmptyString (ctxt);
|
||||
+ goto done;
|
||||
+ }
|
||||
memcpy (padkey, key, key_size);
|
||||
- memset (padkey + key_size, '\0', sizeof (padkey));
|
||||
|
||||
/* encrypt it */
|
||||
bin_len = str_len;
|
||||
bin = xmlStrdup (str);
|
||||
if (bin == NULL) {
|
||||
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
|
||||
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||
xmlXPathReturnEmptyString (ctxt);
|
||||
goto done;
|
||||
}
|
||||
@@ -638,6 +658,9 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
|
||||
hex_len = str_len * 2 + 1;
|
||||
hex = xmlMallocAtomic (hex_len);
|
||||
if (hex == NULL) {
|
||||
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
|
||||
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||
xmlXPathReturnEmptyString (ctxt);
|
||||
goto done;
|
||||
}
|
||||
@@ -670,11 +693,13 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
|
||||
int str_len = 0, bin_len = 0, ret_len = 0;
|
||||
xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin =
|
||||
NULL, *ret = NULL;
|
||||
+ xsltTransformContextPtr tctxt = NULL;
|
||||
|
||||
- if ((nargs < 1) || (nargs > 3)) {
|
||||
+ if (nargs != 2) {
|
||||
xmlXPathSetArityError (ctxt);
|
||||
return;
|
||||
}
|
||||
+ tctxt = xsltXPathGetTransformContext(ctxt);
|
||||
|
||||
str = xmlXPathPopString (ctxt);
|
||||
str_len = xmlUTF8Strlen (str);
|
||||
@@ -686,7 +711,7 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
|
||||
}
|
||||
|
||||
key = xmlXPathPopString (ctxt);
|
||||
- key_len = xmlUTF8Strlen (str);
|
||||
+ key_len = xmlUTF8Strlen (key);
|
||||
|
||||
if (key_len == 0) {
|
||||
xmlXPathReturnEmptyString (ctxt);
|
||||
@@ -695,22 +720,51 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
|
||||
return;
|
||||
}
|
||||
|
||||
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
|
||||
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
|
||||
+ if (padkey == NULL) {
|
||||
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
|
||||
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||
+ xmlXPathReturnEmptyString (ctxt);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
|
||||
key_size = xmlUTF8Strsize (key, key_len);
|
||||
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
|
||||
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
|
||||
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||
+ xmlXPathReturnEmptyString (ctxt);
|
||||
+ goto done;
|
||||
+ }
|
||||
memcpy (padkey, key, key_size);
|
||||
- memset (padkey + key_size, '\0', sizeof (padkey));
|
||||
|
||||
/* decode hex to binary */
|
||||
bin_len = str_len;
|
||||
bin = xmlMallocAtomic (bin_len);
|
||||
+ if (bin == NULL) {
|
||||
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
|
||||
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||
+ xmlXPathReturnEmptyString (ctxt);
|
||||
+ goto done;
|
||||
+ }
|
||||
ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len);
|
||||
|
||||
/* decrypt the binary blob */
|
||||
ret = xmlMallocAtomic (ret_len);
|
||||
+ if (ret == NULL) {
|
||||
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
|
||||
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||
+ xmlXPathReturnEmptyString (ctxt);
|
||||
+ goto done;
|
||||
+ }
|
||||
PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len);
|
||||
|
||||
xmlXPathReturnString (ctxt, ret);
|
||||
|
||||
+done:
|
||||
if (key != NULL)
|
||||
xmlFree (key);
|
||||
if (str != NULL)
|
Loading…
Reference in New Issue
Block a user