textprox/libxslt is vulnerable. see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935 etc. Fix: here is a patch, taken from debian. --- libxslt-1.1.19.orig/libexslt/crypto.c +++ libxslt-1.1.19/libexslt/crypto.c @@ -588,11 +588,13 @@ int str_len = 0, bin_len = 0, hex_len = 0; xmlChar *key = NULL, *str = NULL, *padkey = NULL; xmlChar *bin = NULL, *hex = NULL; + xsltTransformContextPtr tctxt = NULL; - if ((nargs < 1) || (nargs > 3)) { + if (nargs != 2) { xmlXPathSetArityError (ctxt); return; } + tctxt = xsltXPathGetTransformContext(ctxt); str = xmlXPathPopString (ctxt); str_len = xmlUTF8Strlen (str); @@ -604,7 +606,7 @@ } key = xmlXPathPopString (ctxt); - key_len = xmlUTF8Strlen (str); + key_len = xmlUTF8Strlen (key); if (key_len == 0) { xmlXPathReturnEmptyString (ctxt); @@ -613,15 +615,33 @@ return; } - padkey = xmlMallocAtomic (RC4_KEY_LENGTH); + padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1); + if (padkey == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } + memset(padkey, 0, RC4_KEY_LENGTH + 1); + key_size = xmlUTF8Strsize (key, key_len); + if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: key size too long or key broken\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } memcpy (padkey, key, key_size); - memset (padkey + key_size, '\0', sizeof (padkey)); /* encrypt it */ bin_len = str_len; bin = xmlStrdup (str); if (bin == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate string\n"); + tctxt->state = XSLT_STATE_STOPPED; xmlXPathReturnEmptyString (ctxt); goto done; } @@ -631,6 +651,9 @@ hex_len = str_len * 2 + 1; hex = xmlMallocAtomic (hex_len); if (hex == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate result\n"); + tctxt->state = XSLT_STATE_STOPPED; xmlXPathReturnEmptyString (ctxt); goto done; } @@ -663,11 +686,13 @@ int str_len = 0, bin_len = 0, ret_len = 0; xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin = NULL, *ret = NULL; + xsltTransformContextPtr tctxt = NULL; - if ((nargs < 1) || (nargs > 3)) { + if (nargs != 2) { xmlXPathSetArityError (ctxt); return; } + tctxt = xsltXPathGetTransformContext(ctxt); str = xmlXPathPopString (ctxt); str_len = xmlUTF8Strlen (str); @@ -679,7 +704,7 @@ } key = xmlXPathPopString (ctxt); - key_len = xmlUTF8Strlen (str); + key_len = xmlUTF8Strlen (key); if (key_len == 0) { xmlXPathReturnEmptyString (ctxt); @@ -688,22 +713,51 @@ return; } - padkey = xmlMallocAtomic (RC4_KEY_LENGTH); + padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1); + if (padkey == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } + memset(padkey, 0, RC4_KEY_LENGTH + 1); key_size = xmlUTF8Strsize (key, key_len); + if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: key size too long or key broken\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } memcpy (padkey, key, key_size); - memset (padkey + key_size, '\0', sizeof (padkey)); /* decode hex to binary */ bin_len = str_len; bin = xmlMallocAtomic (bin_len); + if (bin == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate string\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len); /* decrypt the binary blob */ ret = xmlMallocAtomic (ret_len); + if (ret == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate result\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len); xmlXPathReturnString (ctxt, ret); +done: if (key != NULL) xmlFree (key); if (str != NULL)
Responsible Changed From-To: freebsd-ports-bugs->gnome Over to maintainer (via the GNATS Auto Assign Tool)
mezz 2008-09-04 20:51:09 UTC FreeBSD ports repository Modified files: textproc/libxslt Makefile Added files: textproc/libxslt/files patch-exslt_crypt Log: Security fix libxslt heap overflow, bump the PORTREVISION. PR: ports/126869 Submitted by: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp> Obtained from: http://www.ocert.org/advisories/ocert-2008-009.html Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935 Revision Changes Path 1.89 +1 -1 ports/textproc/libxslt/Makefile 1.1 +152 -0 ports/textproc/libxslt/files/patch-exslt_crypt (new) _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed Committed, thanks!