ports/126869: security fix for textprox/libxslt
Tsurutani Naoki
turutani at scphys.kyoto-u.ac.jp
Wed Aug 27 02:50:02 UTC 2008
>Number: 126869
>Category: ports
>Synopsis: security fix for textprox/libxslt
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 27 02:50:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Tsurutani Naoki
>Release: FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 7.0-STABLE FreeBSD 7.0-STABLE #15: Sun Jul 20 21:06:33 JST 2008 turutani at h120.65.226.10.32118.vlan.kuins.net:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386
>Description:
textproc/libxslt is vulnerable.
See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935 etc.
>How-To-Repeat:
>Fix:
here is a patch, taken from debian.
--- libxslt-1.1.19.orig/libexslt/crypto.c
+++ libxslt-1.1.19/libexslt/crypto.c
@@ -588,11 +588,13 @@
int str_len = 0, bin_len = 0, hex_len = 0;
xmlChar *key = NULL, *str = NULL, *padkey = NULL;
xmlChar *bin = NULL, *hex = NULL;
+ xsltTransformContextPtr tctxt = NULL;
- if ((nargs < 1) || (nargs > 3)) {
+ if (nargs != 2) {
xmlXPathSetArityError (ctxt);
return;
}
+ tctxt = xsltXPathGetTransformContext(ctxt);
str = xmlXPathPopString (ctxt);
str_len = xmlUTF8Strlen (str);
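Review bot: `tctxt` is assigned from `xsltXPathGetTransformContext(ctxt)` here and never tested, yet every error path added further down in this function dereferences it (`tctxt->inst`, `tctxt->state = XSLT_STATE_STOPPED`). If the function can be reached from an XPath context that has no transform context attached, which the visible lines do not rule out, an allocation failure or an oversized key becomes a NULL dereference instead of a clean error. Guarding the uses, e.g. `if (tctxt != NULL) tctxt->state = XSLT_STATE_STOPPED;` and passing `tctxt ? tctxt->inst : NULL` to `xsltTransformError`, would keep those paths safe. The same applies to the second function, patched at `@@ -663,11 +686,13 @@`. The function body starts and ends outside this hunk.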
@@ -604,7 +606,7 @@
}
key = xmlXPathPopString (ctxt);
- key_len = xmlUTF8Strlen (str);
+ key_len = xmlUTF8Strlen (key);
if (key_len == 0) {
xmlXPathReturnEmptyString (ctxt);
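Review bot: `xmlUTF8Strlen` reports malformed UTF-8 by returning -1, and the test that follows, `if (key_len == 0)`, lets that value through to `xmlUTF8Strsize (key, key_len)`. As far as I can tell from libxml2, a non-positive length makes `xmlUTF8Strsize` return 0, so a malformed key would be silently replaced by the all-zero pad rather than rejected; that is worth confirming against the libxml2 version in use. Changing the test to `if (key_len <= 0)` closes the gap, and the identical hunk at `@@ -679,7 +704,7 @@` needs the same change. The function body continues outside the hunk.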
@@ -613,15 +615,33 @@
return;
}
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
+ if (padkey == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
+
key_size = xmlUTF8Strsize (key, key_len);
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
memcpy (padkey, key, key_size);
- memset (padkey + key_size, '\0', sizeof (padkey));
/* encrypt it */
bin_len = str_len;
bin = xmlStrdup (str);
if (bin == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
+ tctxt->state = XSLT_STATE_STOPPED;
xmlXPathReturnEmptyString (ctxt);
goto done;
}
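Review bot: The bound on `key_size` is what actually stops the `memcpy` from overrunning `padkey`, and nothing in the code says so or explains the `+ 1` on the allocation. A short comment above the allocation, such as `/* zero-filled key buffer: key_size is checked against RC4_KEY_LENGTH before the copy; the extra byte keeps a trailing NUL */`, would keep a later edit from dropping either one. The same four-line failure sequence also appears three times in this hunk and again further down; a small static helper that takes the message would reduce the chance of the copies drifting apart.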
@@ -631,6 +651,9 @@
hex_len = str_len * 2 + 1;
hex = xmlMallocAtomic (hex_len);
if (hex == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
+ tctxt->state = XSLT_STATE_STOPPED;
xmlXPathReturnEmptyString (ctxt);
goto done;
}
@@ -663,11 +686,13 @@
int str_len = 0, bin_len = 0, ret_len = 0;
xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin =
NULL, *ret = NULL;
+ xsltTransformContextPtr tctxt = NULL;
- if ((nargs < 1) || (nargs > 3)) {
+ if (nargs != 2) {
xmlXPathSetArityError (ctxt);
return;
}
+ tctxt = xsltXPathGetTransformContext(ctxt);
str = xmlXPathPopString (ctxt);
str_len = xmlUTF8Strlen (str);
@@ -679,7 +704,7 @@
}
key = xmlXPathPopString (ctxt);
- key_len = xmlUTF8Strlen (str);
+ key_len = xmlUTF8Strlen (key);
if (key_len == 0) {
xmlXPathReturnEmptyString (ctxt);
@@ -688,22 +713,51 @@
return;
}
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
+ if (padkey == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
key_size = xmlUTF8Strsize (key, key_len);
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
memcpy (padkey, key, key_size);
- memset (padkey + key_size, '\0', sizeof (padkey));
/* decode hex to binary */
bin_len = str_len;
bin = xmlMallocAtomic (bin_len);
+ if (bin == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len);
/* decrypt the binary blob */
ret = xmlMallocAtomic (ret_len);
+ if (ret == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len);
xmlXPathReturnString (ctxt, ret);
+done:
if (key != NULL)
xmlFree (key);
if (str != NULL)
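Review bot: `ret` is allocated with exactly `ret_len` bytes and handed to `xmlXPathReturnString` straight after `PLATFORM_RC4_DECRYPT`, so the decrypted buffer has no terminating NUL and whatever consumes the returned string can read past the allocation. Allocating `xmlMallocAtomic (ret_len + 1)` and setting `ret[ret_len] = 0;` after the decrypt call would bound it. Separately, the messages added in this function still say `exsltCryptoRc4EncryptFunction` although this is the decrypt path (it calls `PLATFORM_RC4_DECRYPT`), which will mislead anyone reading the error output. The function starts before and ends after this hunk.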
>Release-Note:
>Audit-Trail:
>Unformatted: