Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 160702 Details for
Bug 232172
dev-libs/libxslt >= 1.1.8 <= 1.1.24 heap overflow (CVE-2008-2935)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for CVE-2008-2935
exslt_crypt.patch (text/plain), 4.79 KB, created by
Matthias Geerdsen (RETIRED)
on 2008-07-18 09:38:23 UTC
(
hide
)
Description:
patch for CVE-2008-2935
Filename:
MIME Type:
Creator:
Matthias Geerdsen (RETIRED)
Created:
2008-07-18 09:38:23 UTC
Size:
4.79 KB
patch
obsolete
>Index: libexslt/crypto.c >=================================================================== >--- libexslt/crypto.c (revision 1479) >+++ libexslt/crypto.c (working copy) >@@ -595,11 +595,13 @@ exsltCryptoRc4EncryptFunction (xmlXPathP > int str_len = 0, bin_len = 0, hex_len = 0; > xmlChar *key = NULL, *str = NULL, *padkey = NULL; > xmlChar *bin = NULL, *hex = NULL; >+ xsltTransformContextPtr tctxt = NULL; > >- if ((nargs < 1) || (nargs > 3)) { >+ if (nargs != 2) { > xmlXPathSetArityError (ctxt); > return; > } >+ tctxt = xsltXPathGetTransformContext(ctxt); > > str = xmlXPathPopString (ctxt); > str_len = xmlUTF8Strlen (str); >@@ -611,7 +613,7 @@ exsltCryptoRc4EncryptFunction (xmlXPathP > } > > key = xmlXPathPopString (ctxt); >- key_len = xmlUTF8Strlen (str); >+ key_len = xmlUTF8Strlen (key); > > if (key_len == 0) { > xmlXPathReturnEmptyString (ctxt); >@@ -620,15 +622,33 @@ exsltCryptoRc4EncryptFunction (xmlXPathP > return; > } > >- padkey = xmlMallocAtomic (RC4_KEY_LENGTH); >+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1); >+ if (padkey == NULL) { >+ xsltTransformError(tctxt, NULL, tctxt->inst, >+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n"); >+ tctxt->state = XSLT_STATE_STOPPED; >+ xmlXPathReturnEmptyString (ctxt); >+ goto done; >+ } >+ memset(padkey, 0, RC4_KEY_LENGTH + 1); >+ > key_size = xmlUTF8Strsize (key, key_len); >+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) { >+ xsltTransformError(tctxt, NULL, tctxt->inst, >+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n"); >+ tctxt->state = XSLT_STATE_STOPPED; >+ xmlXPathReturnEmptyString (ctxt); >+ goto done; >+ } > memcpy (padkey, key, key_size); >- memset (padkey + key_size, '\0', sizeof (padkey)); > > /* encrypt it */ > bin_len = str_len; > bin = xmlStrdup (str); > if (bin == NULL) { >+ xsltTransformError(tctxt, NULL, tctxt->inst, >+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n"); >+ tctxt->state = XSLT_STATE_STOPPED; > xmlXPathReturnEmptyString (ctxt); > goto done; > } >@@ -638,6 +658,9 @@ exsltCryptoRc4EncryptFunction (xmlXPathP > hex_len = str_len * 2 + 1; > hex = xmlMallocAtomic (hex_len); > if (hex == NULL) { >+ xsltTransformError(tctxt, NULL, tctxt->inst, >+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n"); >+ tctxt->state = XSLT_STATE_STOPPED; > xmlXPathReturnEmptyString (ctxt); > goto done; > } >@@ -670,11 +693,13 @@ exsltCryptoRc4DecryptFunction (xmlXPathP > int str_len = 0, bin_len = 0, ret_len = 0; > xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin = > NULL, *ret = NULL; >+ xsltTransformContextPtr tctxt = NULL; > >- if ((nargs < 1) || (nargs > 3)) { >+ if (nargs != 2) { > xmlXPathSetArityError (ctxt); > return; > } >+ tctxt = xsltXPathGetTransformContext(ctxt); > > str = xmlXPathPopString (ctxt); > str_len = xmlUTF8Strlen (str); >@@ -686,7 +711,7 @@ exsltCryptoRc4DecryptFunction (xmlXPathP > } > > key = xmlXPathPopString (ctxt); >- key_len = xmlUTF8Strlen (str); >+ key_len = xmlUTF8Strlen (key); > > if (key_len == 0) { > xmlXPathReturnEmptyString (ctxt); >@@ -695,22 +720,51 @@ exsltCryptoRc4DecryptFunction (xmlXPathP > return; > } > >- padkey = xmlMallocAtomic (RC4_KEY_LENGTH); >+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1); >+ if (padkey == NULL) { >+ xsltTransformError(tctxt, NULL, tctxt->inst, >+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n"); >+ tctxt->state = XSLT_STATE_STOPPED; >+ xmlXPathReturnEmptyString (ctxt); >+ goto done; >+ } >+ memset(padkey, 0, RC4_KEY_LENGTH + 1); > key_size = xmlUTF8Strsize (key, key_len); >+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) { >+ xsltTransformError(tctxt, NULL, tctxt->inst, >+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n"); >+ tctxt->state = XSLT_STATE_STOPPED; >+ xmlXPathReturnEmptyString (ctxt); >+ goto done; >+ } > memcpy (padkey, key, key_size); >- memset (padkey + key_size, '\0', sizeof (padkey)); > > /* decode hex to binary */ > bin_len = str_len; > bin = xmlMallocAtomic (bin_len); >+ if (bin == NULL) { >+ xsltTransformError(tctxt, NULL, tctxt->inst, >+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n"); >+ tctxt->state = XSLT_STATE_STOPPED; >+ xmlXPathReturnEmptyString (ctxt); >+ goto done; >+ } > ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len); > > /* decrypt the binary blob */ > ret = xmlMallocAtomic (ret_len); >+ if (ret == NULL) { >+ xsltTransformError(tctxt, NULL, tctxt->inst, >+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n"); >+ tctxt->state = XSLT_STATE_STOPPED; >+ xmlXPathReturnEmptyString (ctxt); >+ goto done; >+ } > PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len); > > xmlXPathReturnString (ctxt, ret); > >+done: > if (key != NULL) > xmlFree (key); > if (str != NULL)
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=160702">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 232172
: 160702 |
160719
|
160731
