From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Aug 27 02:50:02 2008 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 46C491065678 for ; Wed, 27 Aug 2008 02:50:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 008E68FC1D for ; Wed, 27 Aug 2008 02:50:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m7R2o1qA040249 for ; Wed, 27 Aug 2008 02:50:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m7R2o1YC040248; Wed, 27 Aug 2008 02:50:01 GMT (envelope-from gnats) Resent-Date: Wed, 27 Aug 2008 02:50:01 GMT Resent-Message-Id: <200808270250.m7R2o1YC040248@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Tsurutani Naoki Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 66B28106564A for ; Wed, 27 Aug 2008 02:49:16 +0000 (UTC) (envelope-from turutani@scphys.kyoto-u.ac.jp) Received: from proxy2.aams.jp (proxy2.aams.jp [202.189.147.98]) by mx1.freebsd.org (Postfix) with ESMTP id F1AB18FC17 for ; Wed, 27 Aug 2008 02:49:15 +0000 (UTC) (envelope-from turutani@scphys.kyoto-u.ac.jp) Received: from h120.65.226.10.32118.vlan.kuins.net (softbank218183189199.bbtec.net [218.183.189.199]) (authenticated bits=0) by proxy2.aams.jp (Switch-3.2.7/Switch-3.1.7) with ESMTP id m7R2nCEQ001762 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 27 Aug 2008 11:49:13 +0900 Received: from h120.65.226.10.32118.vlan.kuins.net (localhost [127.0.0.1]) by h120.65.226.10.32118.vlan.kuins.net (8.14.2/8.14.2/20071004-1) with ESMTP id m7R2mwqa001272; Wed, 27 Aug 2008 11:48:59 +0900 (JST) (envelope-from turutani@h120.65.226.10.32118.vlan.kuins.net) Received: (from turutani@localhost) by h120.65.226.10.32118.vlan.kuins.net (8.14.2/8.14.2/Submit) id m7R2mwcg001271; Wed, 27 Aug 2008 11:48:58 +0900 (JST) (envelope-from turutani) Message-Id: <200808270248.m7R2mwcg001271@h120.65.226.10.32118.vlan.kuins.net> Date: Wed, 27 Aug 2008 11:48:58 +0900 (JST) From: Tsurutani Naoki To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: turutani@scphys.kyoto-u.ac.jp Subject: ports/126869: security fix for textprox/libxslt X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Tsurutani Naoki List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Aug 2008 02:50:02 -0000 >Number: 126869 >Category: ports >Synopsis: security fix for textprox/libxslt >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Aug 27 02:50:01 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Tsurutani Naoki >Release: FreeBSD 7.0-STABLE i386 >Organization: >Environment: System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 7.0-STABLE FreeBSD 7.0-STABLE #15: Sun Jul 20 21:06:33 JST 2008 turutani@h120.65.226.10.32118.vlan.kuins.net:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386 >Description: textprox/libxslt is vulnerable. see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935 etc. >How-To-Repeat: >Fix: here is a patch, taken from debian. --- libxslt-1.1.19.orig/libexslt/crypto.c +++ libxslt-1.1.19/libexslt/crypto.c @@ -588,11 +588,13 @@ int str_len = 0, bin_len = 0, hex_len = 0; xmlChar *key = NULL, *str = NULL, *padkey = NULL; xmlChar *bin = NULL, *hex = NULL; + xsltTransformContextPtr tctxt = NULL; - if ((nargs < 1) || (nargs > 3)) { + if (nargs != 2) { xmlXPathSetArityError (ctxt); return; } + tctxt = xsltXPathGetTransformContext(ctxt); str = xmlXPathPopString (ctxt); str_len = xmlUTF8Strlen (str); @@ -604,7 +606,7 @@ } key = xmlXPathPopString (ctxt); - key_len = xmlUTF8Strlen (str); + key_len = xmlUTF8Strlen (key); if (key_len == 0) { xmlXPathReturnEmptyString (ctxt); @@ -613,15 +615,33 @@ return; } - padkey = xmlMallocAtomic (RC4_KEY_LENGTH); + padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1); + if (padkey == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } + memset(padkey, 0, RC4_KEY_LENGTH + 1); + key_size = xmlUTF8Strsize (key, key_len); + if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: key size too long or key broken\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } memcpy (padkey, key, key_size); - memset (padkey + key_size, '\0', sizeof (padkey)); /* encrypt it */ bin_len = str_len; bin = xmlStrdup (str); if (bin == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate string\n"); + tctxt->state = XSLT_STATE_STOPPED; xmlXPathReturnEmptyString (ctxt); goto done; } @@ -631,6 +651,9 @@ hex_len = str_len * 2 + 1; hex = xmlMallocAtomic (hex_len); if (hex == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate result\n"); + tctxt->state = XSLT_STATE_STOPPED; xmlXPathReturnEmptyString (ctxt); goto done; } @@ -663,11 +686,13 @@ int str_len = 0, bin_len = 0, ret_len = 0; xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin = NULL, *ret = NULL; + xsltTransformContextPtr tctxt = NULL; - if ((nargs < 1) || (nargs > 3)) { + if (nargs != 2) { xmlXPathSetArityError (ctxt); return; } + tctxt = xsltXPathGetTransformContext(ctxt); str = xmlXPathPopString (ctxt); str_len = xmlUTF8Strlen (str); @@ -679,7 +704,7 @@ } key = xmlXPathPopString (ctxt); - key_len = xmlUTF8Strlen (str); + key_len = xmlUTF8Strlen (key); if (key_len == 0) { xmlXPathReturnEmptyString (ctxt); @@ -688,22 +713,51 @@ return; } - padkey = xmlMallocAtomic (RC4_KEY_LENGTH); + padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1); + if (padkey == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } + memset(padkey, 0, RC4_KEY_LENGTH + 1); key_size = xmlUTF8Strsize (key, key_len); + if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: key size too long or key broken\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } memcpy (padkey, key, key_size); - memset (padkey + key_size, '\0', sizeof (padkey)); /* decode hex to binary */ bin_len = str_len; bin = xmlMallocAtomic (bin_len); + if (bin == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate string\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len); /* decrypt the binary blob */ ret = xmlMallocAtomic (ret_len); + if (ret == NULL) { + xsltTransformError(tctxt, NULL, tctxt->inst, + "exsltCryptoRc4EncryptFunction: Failed to allocate result\n"); + tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len); xmlXPathReturnString (ctxt, ret); +done: if (key != NULL) xmlFree (key); if (str != NULL) >Release-Note: >Audit-Trail: >Unformatted: