From 56837821136410eeb111aeaaf2c6707477b83a5d Mon Sep 17 00:00:00 2001 From: drochner Date: Thu, 7 Aug 2008 10:47:43 +0000 Subject: add patch from upstream CVS to fix buffer overflow in RC4 crypto code (CVE-2008-2935), bump PKGREVISION --- textproc/libxslt/Makefile | 3 +- textproc/libxslt/distinfo | 3 +- textproc/libxslt/patches/patch-af | 173 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 177 insertions(+), 2 deletions(-) create mode 100644 textproc/libxslt/patches/patch-af (limited to 'textproc') diff --git a/textproc/libxslt/Makefile b/textproc/libxslt/Makefile index e8d7890faa1..14cbbd84715 100644 --- a/textproc/libxslt/Makefile +++ b/textproc/libxslt/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.81 2008/05/22 16:03:10 recht Exp $ +# $NetBSD: Makefile,v 1.82 2008/08/07 10:47:43 drochner Exp $ DISTNAME= libxslt-1.1.24 +PKGREVISION= 1 CATEGORIES= textproc MASTER_SITES+= ftp://xmlsoft.org/libxslt/ #MASTER_SITES= ${MASTER_SITE_GNOME:=sources/libxslt/1.1/} diff --git a/textproc/libxslt/distinfo b/textproc/libxslt/distinfo index 20f858bf63a..ba5fe028b19 100644 --- a/textproc/libxslt/distinfo +++ b/textproc/libxslt/distinfo @@ -1,7 +1,8 @@ -$NetBSD: distinfo,v 1.49 2008/05/22 16:03:10 recht Exp $ +$NetBSD: distinfo,v 1.50 2008/08/07 10:47:43 drochner Exp $ SHA1 (libxslt-1.1.24.tar.gz) = b5402e24abff5545ed76f6a55049cbebc664bd58 RMD160 (libxslt-1.1.24.tar.gz) = 41e7721eeed722c45310877d045422b47ab32973 Size (libxslt-1.1.24.tar.gz) = 3363961 bytes SHA1 (patch-aa) = 7351945ab86addef9b5a69be887252fc0b3c1aa5 SHA1 (patch-ae) = ea154e23704cbd73e3199271e2d0d4a80b2832e8 +SHA1 (patch-af) = 9d4ac9266323a0127bc466d4c3e5e1d814142f96 diff --git a/textproc/libxslt/patches/patch-af b/textproc/libxslt/patches/patch-af new file mode 100644 index 00000000000..4efca0f43a7 --- /dev/null +++ b/textproc/libxslt/patches/patch-af @@ -0,0 +1,173 @@ +$NetBSD: patch-af,v 1.3 2008/08/07 10:47:43 drochner Exp $ + +--- libexslt/crypto.c.orig 2007-01-17 14:17:25.000000000 +0100 ++++ libexslt/crypto.c +@@ -317,13 +317,13 @@ exsltCryptoCryptoApiRc4Decrypt (xmlXPath + #define PLATFORM_MD5 GCRY_MD_MD5 + #define PLATFORM_SHA1 GCRY_MD_SHA1 + +-#ifdef HAVE_SYS_TYPES_H +-# include +-#endif +-#ifdef HAVE_STDINT_H +-# include +-#endif +- ++#ifdef HAVE_SYS_TYPES_H ++# include ++#endif ++#ifdef HAVE_STDINT_H ++# include ++#endif ++ + #ifdef HAVE_SYS_SELECT_H + #include /* needed by gcrypt.h 4 Jul 04 */ + #endif +@@ -595,11 +595,13 @@ exsltCryptoRc4EncryptFunction (xmlXPathP + int str_len = 0, bin_len = 0, hex_len = 0; + xmlChar *key = NULL, *str = NULL, *padkey = NULL; + xmlChar *bin = NULL, *hex = NULL; ++ xsltTransformContextPtr tctxt = NULL; + +- if ((nargs < 1) || (nargs > 3)) { ++ if (nargs != 2) { + xmlXPathSetArityError (ctxt); + return; + } ++ tctxt = xsltXPathGetTransformContext(ctxt); + + str = xmlXPathPopString (ctxt); + str_len = xmlUTF8Strlen (str); +@@ -611,7 +613,7 @@ exsltCryptoRc4EncryptFunction (xmlXPathP + } + + key = xmlXPathPopString (ctxt); +- key_len = xmlUTF8Strlen (str); ++ key_len = xmlUTF8Strlen (key); + + if (key_len == 0) { + xmlXPathReturnEmptyString (ctxt); +@@ -620,15 +622,33 @@ exsltCryptoRc4EncryptFunction (xmlXPathP + return; + } + +- padkey = xmlMallocAtomic (RC4_KEY_LENGTH); ++ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1); ++ if (padkey == NULL) { ++ xsltTransformError(tctxt, NULL, tctxt->inst, ++ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n"); ++ tctxt->state = XSLT_STATE_STOPPED; ++ xmlXPathReturnEmptyString (ctxt); ++ goto done; ++ } ++ memset(padkey, 0, RC4_KEY_LENGTH + 1); ++ + key_size = xmlUTF8Strsize (key, key_len); ++ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) { ++ xsltTransformError(tctxt, NULL, tctxt->inst, ++ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n"); ++ tctxt->state = XSLT_STATE_STOPPED; ++ xmlXPathReturnEmptyString (ctxt); ++ goto done; ++ } + memcpy (padkey, key, key_size); +- memset (padkey + key_size, '\0', sizeof (padkey)); + + /* encrypt it */ + bin_len = str_len; + bin = xmlStrdup (str); + if (bin == NULL) { ++ xsltTransformError(tctxt, NULL, tctxt->inst, ++ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n"); ++ tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } +@@ -638,6 +658,9 @@ exsltCryptoRc4EncryptFunction (xmlXPathP + hex_len = str_len * 2 + 1; + hex = xmlMallocAtomic (hex_len); + if (hex == NULL) { ++ xsltTransformError(tctxt, NULL, tctxt->inst, ++ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n"); ++ tctxt->state = XSLT_STATE_STOPPED; + xmlXPathReturnEmptyString (ctxt); + goto done; + } +@@ -670,11 +693,13 @@ exsltCryptoRc4DecryptFunction (xmlXPathP + int str_len = 0, bin_len = 0, ret_len = 0; + xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin = + NULL, *ret = NULL; ++ xsltTransformContextPtr tctxt = NULL; + +- if ((nargs < 1) || (nargs > 3)) { ++ if (nargs != 2) { + xmlXPathSetArityError (ctxt); + return; + } ++ tctxt = xsltXPathGetTransformContext(ctxt); + + str = xmlXPathPopString (ctxt); + str_len = xmlUTF8Strlen (str); +@@ -686,7 +711,7 @@ exsltCryptoRc4DecryptFunction (xmlXPathP + } + + key = xmlXPathPopString (ctxt); +- key_len = xmlUTF8Strlen (str); ++ key_len = xmlUTF8Strlen (key); + + if (key_len == 0) { + xmlXPathReturnEmptyString (ctxt); +@@ -695,22 +720,51 @@ exsltCryptoRc4DecryptFunction (xmlXPathP + return; + } + +- padkey = xmlMallocAtomic (RC4_KEY_LENGTH); ++ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1); ++ if (padkey == NULL) { ++ xsltTransformError(tctxt, NULL, tctxt->inst, ++ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n"); ++ tctxt->state = XSLT_STATE_STOPPED; ++ xmlXPathReturnEmptyString (ctxt); ++ goto done; ++ } ++ memset(padkey, 0, RC4_KEY_LENGTH + 1); + key_size = xmlUTF8Strsize (key, key_len); ++ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) { ++ xsltTransformError(tctxt, NULL, tctxt->inst, ++ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n"); ++ tctxt->state = XSLT_STATE_STOPPED; ++ xmlXPathReturnEmptyString (ctxt); ++ goto done; ++ } + memcpy (padkey, key, key_size); +- memset (padkey + key_size, '\0', sizeof (padkey)); + + /* decode hex to binary */ + bin_len = str_len; + bin = xmlMallocAtomic (bin_len); ++ if (bin == NULL) { ++ xsltTransformError(tctxt, NULL, tctxt->inst, ++ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n"); ++ tctxt->state = XSLT_STATE_STOPPED; ++ xmlXPathReturnEmptyString (ctxt); ++ goto done; ++ } + ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len); + + /* decrypt the binary blob */ + ret = xmlMallocAtomic (ret_len); ++ if (ret == NULL) { ++ xsltTransformError(tctxt, NULL, tctxt->inst, ++ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n"); ++ tctxt->state = XSLT_STATE_STOPPED; ++ xmlXPathReturnEmptyString (ctxt); ++ goto done; ++ } + PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len); + + xmlXPathReturnString (ctxt, ret); + ++done: + if (key != NULL) + xmlFree (key); + if (str != NULL) -- cgit v1.2.3