- CVE-2008-2935 fix daniel
This commit is contained in:
parent
e511c9a641
commit
13ab25d3a5
173
libexslt-rc4.patch
Normal file
173
libexslt-rc4.patch
Normal file
@ -0,0 +1,173 @@
|
|||||||
|
Index: libexslt/crypto.c
|
||||||
|
===================================================================
|
||||||
|
--- libexslt/crypto.c (revision 1485)
|
||||||
|
+++ libexslt/crypto.c (working copy)
|
||||||
|
@@ -317,13 +317,13 @@ exsltCryptoCryptoApiRc4Decrypt (xmlXPath
|
||||||
|
#define PLATFORM_MD5 GCRY_MD_MD5
|
||||||
|
#define PLATFORM_SHA1 GCRY_MD_SHA1
|
||||||
|
|
||||||
|
-#ifdef HAVE_SYS_TYPES_H
|
||||||
|
-# include <sys/types.h>
|
||||||
|
-#endif
|
||||||
|
-#ifdef HAVE_STDINT_H
|
||||||
|
-# include <stdint.h>
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
+#ifdef HAVE_SYS_TYPES_H
|
||||||
|
+# include <sys/types.h>
|
||||||
|
+#endif
|
||||||
|
+#ifdef HAVE_STDINT_H
|
||||||
|
+# include <stdint.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#ifdef HAVE_SYS_SELECT_H
|
||||||
|
#include <sys/select.h> /* needed by gcrypt.h 4 Jul 04 */
|
||||||
|
#endif
|
||||||
|
@@ -595,11 +595,13 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
|
||||||
|
int str_len = 0, bin_len = 0, hex_len = 0;
|
||||||
|
xmlChar *key = NULL, *str = NULL, *padkey = NULL;
|
||||||
|
xmlChar *bin = NULL, *hex = NULL;
|
||||||
|
+ xsltTransformContextPtr tctxt = NULL;
|
||||||
|
|
||||||
|
- if ((nargs < 1) || (nargs > 3)) {
|
||||||
|
+ if (nargs != 2) {
|
||||||
|
xmlXPathSetArityError (ctxt);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
+ tctxt = xsltXPathGetTransformContext(ctxt);
|
||||||
|
|
||||||
|
str = xmlXPathPopString (ctxt);
|
||||||
|
str_len = xmlUTF8Strlen (str);
|
||||||
|
@@ -611,7 +613,7 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
|
||||||
|
}
|
||||||
|
|
||||||
|
key = xmlXPathPopString (ctxt);
|
||||||
|
- key_len = xmlUTF8Strlen (str);
|
||||||
|
+ key_len = xmlUTF8Strlen (key);
|
||||||
|
|
||||||
|
if (key_len == 0) {
|
||||||
|
xmlXPathReturnEmptyString (ctxt);
|
||||||
|
@@ -620,15 +622,33 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
|
||||||
|
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
|
||||||
|
+ if (padkey == NULL) {
|
||||||
|
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||||
|
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
|
||||||
|
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||||
|
+ xmlXPathReturnEmptyString (ctxt);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
|
||||||
|
+
|
||||||
|
key_size = xmlUTF8Strsize (key, key_len);
|
||||||
|
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
|
||||||
|
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||||
|
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
|
||||||
|
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||||
|
+ xmlXPathReturnEmptyString (ctxt);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
memcpy (padkey, key, key_size);
|
||||||
|
- memset (padkey + key_size, '\0', sizeof (padkey));
|
||||||
|
|
||||||
|
/* encrypt it */
|
||||||
|
bin_len = str_len;
|
||||||
|
bin = xmlStrdup (str);
|
||||||
|
if (bin == NULL) {
|
||||||
|
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||||
|
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
|
||||||
|
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||||
|
xmlXPathReturnEmptyString (ctxt);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
@@ -638,6 +658,9 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
|
||||||
|
hex_len = str_len * 2 + 1;
|
||||||
|
hex = xmlMallocAtomic (hex_len);
|
||||||
|
if (hex == NULL) {
|
||||||
|
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||||
|
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
|
||||||
|
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||||
|
xmlXPathReturnEmptyString (ctxt);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
@@ -670,11 +693,13 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
|
||||||
|
int str_len = 0, bin_len = 0, ret_len = 0;
|
||||||
|
xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin =
|
||||||
|
NULL, *ret = NULL;
|
||||||
|
+ xsltTransformContextPtr tctxt = NULL;
|
||||||
|
|
||||||
|
- if ((nargs < 1) || (nargs > 3)) {
|
||||||
|
+ if (nargs != 2) {
|
||||||
|
xmlXPathSetArityError (ctxt);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
+ tctxt = xsltXPathGetTransformContext(ctxt);
|
||||||
|
|
||||||
|
str = xmlXPathPopString (ctxt);
|
||||||
|
str_len = xmlUTF8Strlen (str);
|
||||||
|
@@ -686,7 +711,7 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
|
||||||
|
}
|
||||||
|
|
||||||
|
key = xmlXPathPopString (ctxt);
|
||||||
|
- key_len = xmlUTF8Strlen (str);
|
||||||
|
+ key_len = xmlUTF8Strlen (key);
|
||||||
|
|
||||||
|
if (key_len == 0) {
|
||||||
|
xmlXPathReturnEmptyString (ctxt);
|
||||||
|
@@ -695,22 +720,51 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
|
||||||
|
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
|
||||||
|
+ if (padkey == NULL) {
|
||||||
|
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||||
|
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
|
||||||
|
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||||
|
+ xmlXPathReturnEmptyString (ctxt);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
|
||||||
|
key_size = xmlUTF8Strsize (key, key_len);
|
||||||
|
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
|
||||||
|
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||||
|
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
|
||||||
|
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||||
|
+ xmlXPathReturnEmptyString (ctxt);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
memcpy (padkey, key, key_size);
|
||||||
|
- memset (padkey + key_size, '\0', sizeof (padkey));
|
||||||
|
|
||||||
|
/* decode hex to binary */
|
||||||
|
bin_len = str_len;
|
||||||
|
bin = xmlMallocAtomic (bin_len);
|
||||||
|
+ if (bin == NULL) {
|
||||||
|
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||||
|
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
|
||||||
|
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||||
|
+ xmlXPathReturnEmptyString (ctxt);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len);
|
||||||
|
|
||||||
|
/* decrypt the binary blob */
|
||||||
|
ret = xmlMallocAtomic (ret_len);
|
||||||
|
+ if (ret == NULL) {
|
||||||
|
+ xsltTransformError(tctxt, NULL, tctxt->inst,
|
||||||
|
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
|
||||||
|
+ tctxt->state = XSLT_STATE_STOPPED;
|
||||||
|
+ xmlXPathReturnEmptyString (ctxt);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len);
|
||||||
|
|
||||||
|
xmlXPathReturnString (ctxt, ret);
|
||||||
|
|
||||||
|
+done:
|
||||||
|
if (key != NULL)
|
||||||
|
xmlFree (key);
|
||||||
|
if (str != NULL)
|
@ -1,7 +1,7 @@
|
|||||||
Summary: Library providing the Gnome XSLT engine
|
Summary: Library providing the Gnome XSLT engine
|
||||||
Name: libxslt
|
Name: libxslt
|
||||||
Version: 1.1.24
|
Version: 1.1.24
|
||||||
Release: 1%{?dist}%{?extra_release}
|
Release: 2%{?dist}%{?extra_release}
|
||||||
License: MIT
|
License: MIT
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
Source: ftp://xmlsoft.org/XSLT/libxslt-%{version}.tar.gz
|
Source: ftp://xmlsoft.org/XSLT/libxslt-%{version}.tar.gz
|
||||||
@ -15,6 +15,7 @@ BuildRequires: libgcrypt-devel
|
|||||||
Prefix: %{_prefix}
|
Prefix: %{_prefix}
|
||||||
Docdir: %{_docdir}
|
Docdir: %{_docdir}
|
||||||
Patch0: multilib.patch
|
Patch0: multilib.patch
|
||||||
|
Patch1: libexslt-rc4.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This C library allows to transform XML files into other XML files
|
This C library allows to transform XML files into other XML files
|
||||||
@ -56,6 +57,7 @@ with XPath functions written in Python.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
|
%patch1 -p0
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure
|
%configure
|
||||||
@ -125,6 +127,9 @@ rm -fr %{buildroot}
|
|||||||
%doc python/tests/*.xsl
|
%doc python/tests/*.xsl
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Oct 8 2008 Daniel Veillard <veillard@redhat.com> 1.1.24-2.fc10
|
||||||
|
- CVE-2008-2935 fix
|
||||||
|
|
||||||
* Tue May 13 2008 Daniel Veillard <veillard@redhat.com> 1.1.24-1.fc10
|
* Tue May 13 2008 Daniel Veillard <veillard@redhat.com> 1.1.24-1.fc10
|
||||||
- release of 1.1.24
|
- release of 1.1.24
|
||||||
- fixes a few bugs including the key initialization problem
|
- fixes a few bugs including the key initialization problem
|
||||||
|
Loading…
Reference in New Issue
Block a user