Bug 126869 - security fix for textproc/libxslt
Summary: security fix for textproc/libxslt
Status: Closed FIXED
Reported: 2008-08-27 03:50 UTC by TsurutaniNaoki
Modified: 2008-09-04 22:00 UTC (History)
Description TsurutaniNaoki 2008-08-27 03:50:01 UTC
	textproc/libxslt is vulnerable.
	see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935 etc.

Fix: 

here is a patch, taken from debian.

--- libxslt-1.1.19.orig/libexslt/crypto.c
+++ libxslt-1.1.19/libexslt/crypto.c
@@ -588,11 +588,13 @@
     int str_len = 0, bin_len = 0, hex_len = 0;
     xmlChar *key = NULL, *str = NULL, *padkey = NULL;
     xmlChar *bin = NULL, *hex = NULL;
+    xsltTransformContextPtr tctxt = NULL;
 
-    if ((nargs < 1) || (nargs > 3)) {
+    if (nargs != 2) {
 	xmlXPathSetArityError (ctxt);
 	return;
     }
+    tctxt = xsltXPathGetTransformContext(ctxt);
 
     str = xmlXPathPopString (ctxt);
     str_len = xmlUTF8Strlen (str);
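Review bot: The transform context fetched on the new line `tctxt = xsltXPathGetTransformContext(ctxt);` is never checked for NULL, yet every error path added in the later hunks (-613, -631 and -688) dereferences it through `tctxt->inst` and `tctxt->state`. If this extension function is evaluated from an XPath context that is not backed by a transform, an allocation failure or an over-long key would become a NULL dereference instead of the clean stop the patch intends. Guard it the same way the arity error is handled just above: `if (tctxt == NULL) { xmlXPathReturnEmptyString (ctxt); return; }`. The same unchecked fetch is added to the decrypt function in the hunk at -663. exsltCryptoRc4EncryptFunction begins before this hunk and continues past it.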
@@ -604,7 +606,7 @@
     }
 
     key = xmlXPathPopString (ctxt);
-    key_len = xmlUTF8Strlen (str);
+    key_len = xmlUTF8Strlen (key);
 
     if (key_len == 0) {
 	xmlXPathReturnEmptyString (ctxt);
@@ -613,15 +615,33 @@
 	return;
     }
 
-    padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
+    padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
+    if (padkey == NULL) {
+	xsltTransformError(tctxt, NULL, tctxt->inst,
+	    "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
+	tctxt->state = XSLT_STATE_STOPPED;
+	xmlXPathReturnEmptyString (ctxt);
+	goto done;
+    }
+    memset(padkey, 0, RC4_KEY_LENGTH + 1);
+
     key_size = xmlUTF8Strsize (key, key_len);
+    if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
+	xsltTransformError(tctxt, NULL, tctxt->inst,
+	    "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
+	tctxt->state = XSLT_STATE_STOPPED;
+	xmlXPathReturnEmptyString (ctxt);
+	goto done;
+    }
     memcpy (padkey, key, key_size);
-    memset (padkey + key_size, '\0', sizeof (padkey));
 
 /* encrypt it */
     bin_len = str_len;
     bin = xmlStrdup (str);
     if (bin == NULL) {
+	xsltTransformError(tctxt, NULL, tctxt->inst,
+	    "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
+	tctxt->state = XSLT_STATE_STOPPED;
 	xmlXPathReturnEmptyString (ctxt);
 	goto done;
     }
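Review bot: The failure handling added at the padkey allocation, the key-size check and the bin allocation repeats the same four statements (xsltTransformError, state assignment, empty-string return, goto done), and the pattern recurs in the hunks at -631 and -688, so eight copies of one sequence end up in two functions. A small static helper that reports, stops the transform and pushes the empty string keeps each call site to two lines and gives a single place to cope with a NULL tctxt, which the current copies dereference unconditionally. The key-size check itself is the right shape: `xmlUTF8Strsize` returns an int, so the `< 0` branch matters, and the bound is now checked before `memcpy` rather than after as the old `memset (padkey + key_size, ...)` line was. exsltCryptoRc4EncryptFunction begins before this hunk and ends after it.
```c
/* Shared failure path for the RC4 functions: report the error, stop the
 * transform and leave an empty string as the XPath result. tctxt may be
 * NULL when the function is evaluated outside a transform. */
static void
exsltCryptoRc4Fail (xsltTransformContextPtr tctxt,
		    xmlXPathParserContextPtr ctxt, const char *msg)
{
    xsltTransformError (tctxt, NULL,
			(tctxt != NULL) ? tctxt->inst : NULL, "%s", msg);
    if (tctxt != NULL)
	tctxt->state = XSLT_STATE_STOPPED;
    xmlXPathReturnEmptyString (ctxt);
}

/* … unchanged: argument popping and key length checks … */
    padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
    if (padkey == NULL) {
	exsltCryptoRc4Fail (tctxt, ctxt,
	    "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
	goto done;
    }
/* … unchanged: key_size check, memcpy, bin/hex allocation use the same two-line form … */
```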
@@ -631,6 +651,9 @@
     hex_len = str_len * 2 + 1;
     hex = xmlMallocAtomic (hex_len);
     if (hex == NULL) {
+	xsltTransformError(tctxt, NULL, tctxt->inst,
+	    "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
+	tctxt->state = XSLT_STATE_STOPPED;
 	xmlXPathReturnEmptyString (ctxt);
 	goto done;
     }
@@ -663,11 +686,13 @@
     int str_len = 0, bin_len = 0, ret_len = 0;
     xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin =
 	NULL, *ret = NULL;
+    xsltTransformContextPtr tctxt = NULL;
 
-    if ((nargs < 1) || (nargs > 3)) {
+    if (nargs != 2) {
 	xmlXPathSetArityError (ctxt);
 	return;
     }
+    tctxt = xsltXPathGetTransformContext(ctxt);
 
     str = xmlXPathPopString (ctxt);
     str_len = xmlUTF8Strlen (str);
@@ -679,7 +704,7 @@
     }
 
     key = xmlXPathPopString (ctxt);
-    key_len = xmlUTF8Strlen (str);
+    key_len = xmlUTF8Strlen (key);
 
     if (key_len == 0) {
 	xmlXPathReturnEmptyString (ctxt);
@@ -688,22 +713,51 @@
 	return;
     }
 
-    padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
+    padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
+    if (padkey == NULL) {
+	xsltTransformError(tctxt, NULL, tctxt->inst,
+	    "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
+	tctxt->state = XSLT_STATE_STOPPED;
+	xmlXPathReturnEmptyString (ctxt);
+	goto done;
+    }
+    memset(padkey, 0, RC4_KEY_LENGTH + 1);
     key_size = xmlUTF8Strsize (key, key_len);
+    if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
+	xsltTransformError(tctxt, NULL, tctxt->inst,
+	    "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
+	tctxt->state = XSLT_STATE_STOPPED;
+	xmlXPathReturnEmptyString (ctxt);
+	goto done;
+    }
     memcpy (padkey, key, key_size);
-    memset (padkey + key_size, '\0', sizeof (padkey));
 
 /* decode hex to binary */
     bin_len = str_len;
     bin = xmlMallocAtomic (bin_len);
+    if (bin == NULL) {
+	xsltTransformError(tctxt, NULL, tctxt->inst,
+	    "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
+	tctxt->state = XSLT_STATE_STOPPED;
+	xmlXPathReturnEmptyString (ctxt);
+	goto done;
+    }
     ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len);
 
 /* decrypt the binary blob */
     ret = xmlMallocAtomic (ret_len);
+    if (ret == NULL) {
+	xsltTransformError(tctxt, NULL, tctxt->inst,
+	    "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
+	tctxt->state = XSLT_STATE_STOPPED;
+	xmlXPathReturnEmptyString (ctxt);
+	goto done;
+    }
     PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len);
 
     xmlXPathReturnString (ctxt, ret);
 
+done:
     if (key != NULL)
 	xmlFree (key);
     if (str != NULL)
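Review bot: All four error messages added to the decrypt function name the wrong function, `exsltCryptoRc4EncryptFunction`, at the padkey, key-size, bin and ret failures, so a stopped transform would be logged against the encrypt function and send whoever reads the log to the wrong code. The function is presumably exsltCryptoRc4DecryptFunction, judging by the PLATFORM_RC4_DECRYPT call and libexslt naming; replace the prefix in each message accordingly, e.g. `"exsltCryptoRc4DecryptFunction: Failed to allocate padkey\n"`. These paths also dereference `tctxt` without a NULL check, as the encrypt counterpart does. The function begins before this hunk and its cleanup after the new `done:` label continues past it.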
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-08-27 05:26:57 UTC
Responsible Changed
From-To: freebsd-ports-bugs->gnome

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer freebsd_triage 2008-09-04 21:51:23 UTC
mezz        2008-09-04 20:51:09 UTC

  FreeBSD ports repository

  Modified files:
    textproc/libxslt     Makefile 
  Added files:
    textproc/libxslt/files patch-exslt_crypt 
  Log:
  Security fix libxslt heap overflow, bump the PORTREVISION.
  
  PR:             ports/126869
  Submitted by:   Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
  Obtained from:  http://www.ocert.org/advisories/ocert-2008-009.html
  Security:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935
  
  Revision  Changes    Path
  1.89      +1 -1      ports/textproc/libxslt/Makefile
  1.1       +152 -0    ports/textproc/libxslt/files/patch-exslt_crypt (new)
Comment 3 Jeremy Messenger freebsd_committer freebsd_triage 2008-09-04 21:51:37 UTC
State Changed
From-To: open->closed

Committed, thanks!