1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-29 05:38:00 +00:00

Security fix libxslt heap overflow, bump the PORTREVISION.

PR:		ports/126869
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Obtained from:	http://www.ocert.org/advisories/ocert-2008-009.html
Security:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935
This commit is contained in:
Jeremy Messenger 2008-09-04 20:51:09 +00:00
parent 874ad54ef4
commit 74c487cc60
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=219863
2 changed files with 153 additions and 1 deletions

View File

@ -7,7 +7,7 @@
PORTNAME= libxslt
PORTVERSION= 1.1.24
PORTREVISION?= 0
PORTREVISION?= 1
CATEGORIES?= textproc gnome
MASTER_SITES= ftp://fr.rpmfind.net/pub/libxml/ \
ftp://gd.tuwien.ac.at/pub/libxml/ \

View File

@ -0,0 +1,152 @@
Index: libexslt/crypto.c
===================================================================
--- libexslt/crypto.c (revision 1479)
+++ libexslt/crypto.c (working copy)
@@ -595,11 +595,13 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
int str_len = 0, bin_len = 0, hex_len = 0;
xmlChar *key = NULL, *str = NULL, *padkey = NULL;
xmlChar *bin = NULL, *hex = NULL;
+ xsltTransformContextPtr tctxt = NULL;
- if ((nargs < 1) || (nargs > 3)) {
+ if (nargs != 2) {
xmlXPathSetArityError (ctxt);
return;
}
+ tctxt = xsltXPathGetTransformContext(ctxt);
str = xmlXPathPopString (ctxt);
str_len = xmlUTF8Strlen (str);
@@ -611,7 +613,7 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
}
key = xmlXPathPopString (ctxt);
- key_len = xmlUTF8Strlen (str);
+ key_len = xmlUTF8Strlen (key);
if (key_len == 0) {
xmlXPathReturnEmptyString (ctxt);
@@ -620,15 +622,33 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
return;
}
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
+ if (padkey == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
+
key_size = xmlUTF8Strsize (key, key_len);
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
memcpy (padkey, key, key_size);
- memset (padkey + key_size, '\0', sizeof (padkey));
/* encrypt it */
bin_len = str_len;
bin = xmlStrdup (str);
if (bin == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
+ tctxt->state = XSLT_STATE_STOPPED;
xmlXPathReturnEmptyString (ctxt);
goto done;
}
@@ -638,6 +658,9 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
hex_len = str_len * 2 + 1;
hex = xmlMallocAtomic (hex_len);
if (hex == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
+ tctxt->state = XSLT_STATE_STOPPED;
xmlXPathReturnEmptyString (ctxt);
goto done;
}
@@ -670,11 +693,13 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
int str_len = 0, bin_len = 0, ret_len = 0;
xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin =
NULL, *ret = NULL;
+ xsltTransformContextPtr tctxt = NULL;
- if ((nargs < 1) || (nargs > 3)) {
+ if (nargs != 2) {
xmlXPathSetArityError (ctxt);
return;
}
+ tctxt = xsltXPathGetTransformContext(ctxt);
str = xmlXPathPopString (ctxt);
str_len = xmlUTF8Strlen (str);
@@ -686,7 +711,7 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
}
key = xmlXPathPopString (ctxt);
- key_len = xmlUTF8Strlen (str);
+ key_len = xmlUTF8Strlen (key);
if (key_len == 0) {
xmlXPathReturnEmptyString (ctxt);
@@ -695,22 +720,51 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
return;
}
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
+ if (padkey == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
key_size = xmlUTF8Strsize (key, key_len);
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
memcpy (padkey, key, key_size);
- memset (padkey + key_size, '\0', sizeof (padkey));
/* decode hex to binary */
bin_len = str_len;
bin = xmlMallocAtomic (bin_len);
+ if (bin == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len);
/* decrypt the binary blob */
ret = xmlMallocAtomic (ret_len);
+ if (ret == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len);
xmlXPathReturnString (ctxt, ret);
+done:
if (key != NULL)
xmlFree (key);
if (str != NULL)