diff --git a/libexslt-rc4.patch b/libexslt-rc4.patch
new file mode 100644
index 0000000..0fbf8f6
--- /dev/null
+++ b/libexslt-rc4.patch
@@ -0,0 +1,173 @@
+Index: libexslt/crypto.c
+===================================================================
+--- libexslt/crypto.c (revision 1485)
++++ libexslt/crypto.c (working copy)
+@@ -317,13 +317,13 @@ exsltCryptoCryptoApiRc4Decrypt (xmlXPath
+ #define PLATFORM_MD5 GCRY_MD_MD5
+ #define PLATFORM_SHA1 GCRY_MD_SHA1
+ 
+-#ifdef HAVE_SYS_TYPES_H
+-# include
+-#endif
+-#ifdef HAVE_STDINT_H
+-# include
+-#endif
+-
++#ifdef HAVE_SYS_TYPES_H
++# include
++#endif
++#ifdef HAVE_STDINT_H
++# include
++#endif
++
+ #ifdef HAVE_SYS_SELECT_H
+ #include /* needed by gcrypt.h 4 Jul 04 */
+ #endif
+@@ -595,11 +595,13 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
+ int str_len = 0, bin_len = 0, hex_len = 0;
+ xmlChar *key = NULL, *str = NULL, *padkey = NULL;
+ xmlChar *bin = NULL, *hex = NULL;
++ xsltTransformContextPtr tctxt = NULL;
+ 
+- if ((nargs < 1) || (nargs > 3)) {
++ if (nargs != 2) {
+ xmlXPathSetArityError (ctxt);
+ return;
+ }
++ tctxt = xsltXPathGetTransformContext(ctxt);
+ 
+ str = xmlXPathPopString (ctxt);
+ str_len = xmlUTF8Strlen (str);
+@@ -611,7 +613,7 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
+ }
+ 
+ key = xmlXPathPopString (ctxt);
+- key_len = xmlUTF8Strlen (str);
++ key_len = xmlUTF8Strlen (key);
+ 
+ if (key_len == 0) {
+ xmlXPathReturnEmptyString (ctxt);
+@@ -620,15 +622,33 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
+ return;
+ }
+ 
+- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
++ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
++ if (padkey == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
++ memset(padkey, 0, RC4_KEY_LENGTH + 1);
++
+ key_size = xmlUTF8Strsize (key, key_len);
++ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
+ memcpy (padkey, key, key_size);
+- memset (padkey + key_size, '\0', sizeof (padkey));
+ 
+ /* encrypt it */
+ bin_len = str_len;
+ bin = xmlStrdup (str);
+ if (bin == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
++ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+@@ -638,6 +658,9 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
+ hex_len = str_len * 2 + 1;
+ hex = xmlMallocAtomic (hex_len);
+ if (hex == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
++ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+@@ -670,11 +693,13 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
+ int str_len = 0, bin_len = 0, ret_len = 0;
+ xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin =
+ NULL, *ret = NULL;
++ xsltTransformContextPtr tctxt = NULL;
+ 
+- if ((nargs < 1) || (nargs > 3)) {
++ if (nargs != 2) {
+ xmlXPathSetArityError (ctxt);
+ return;
+ }
++ tctxt = xsltXPathGetTransformContext(ctxt);
+ 
+ str = xmlXPathPopString (ctxt);
+ str_len = xmlUTF8Strlen (str);
+@@ -686,7 +711,7 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
+ }
+ 
+ key = xmlXPathPopString (ctxt);
+- key_len = xmlUTF8Strlen (str);
++ key_len = xmlUTF8Strlen (key);
+ 
+ if (key_len == 0) {
+ xmlXPathReturnEmptyString (ctxt);
+@@ -695,22 +720,51 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
+ return;
+ }
+ 
+- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
++ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
++ if (padkey == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
++ memset(padkey, 0, RC4_KEY_LENGTH + 1);
+ key_size = xmlUTF8Strsize (key, key_len);
++ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
+ memcpy (padkey, key, key_size);
+- memset (padkey + key_size, '\0', sizeof (padkey));
+ 
+ /* decode hex to binary */
+ bin_len = str_len;
+ bin = xmlMallocAtomic (bin_len);
++ if (bin == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
+ ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len);
+ 
+ /* decrypt the binary blob */
+ ret = xmlMallocAtomic (ret_len);
++ if (ret == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
+ PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len);
+ 
+ xmlXPathReturnString (ctxt, ret);
+ 
++done:
+ if (key != NULL)
+ xmlFree (key);
+ if (str != NULL)
diff --git a/libxslt.spec b/libxslt.spec
index d273f3e..4414413 100644
--- a/libxslt.spec
+++ b/libxslt.spec
@@ -1,7 +1,7 @@
 Summary: Library providing the Gnome XSLT engine
 Name: libxslt
 Version: 1.1.24
-Release: 1%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/XSLT/libxslt-%{version}.tar.gz
@@ -15,6 +15,7 @@ BuildRequires: libgcrypt-devel
 Prefix: %{_prefix}
 Docdir: %{_docdir}
 Patch0: multilib.patch
+Patch1: libexslt-rc4.patch
 %description
 This C library allows to transform XML files into other XML files
@@ -56,6 +57,7 @@ with XPath functions written in Python.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p0
 %build
 %configure
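Review bot: Every new diagnostic added to exsltCryptoRc4DecryptFunction (the padkey, key-size, bin and ret error paths in the inner `@@ -695,22 +720,51 @@` hunk) is prefixed `exsltCryptoRc4EncryptFunction:`, so an allocation or key-size failure during decryption is reported against the wrong function; those four strings should read `exsltCryptoRc4DecryptFunction: ...`. The same error paths in both functions dereference `tctxt->inst` and `tctxt->state` without checking `tctxt`, which is simply whatever `xsltXPathGetTransformContext(ctxt)` returned; if that call can yield NULL for an XPath context that is not an XSLT transform, a guard such as `if (tctxt == NULL) { xmlXPathReturnEmptyString (ctxt); goto done; }` directly after the assignment would keep the failure path itself from crashing — I cannot confirm from the hunk whether it can. The `key_size` range check together with the `key_len = xmlUTF8Strlen (key)` correction is what bounds the following `memcpy` into the fixed `RC4_KEY_LENGTH + 1` buffer, so a short comment above it, e.g. `/* key_size is the UTF-8 byte length; padkey is fixed-size, so refuse oversize or malformed keys */`, would tell the next reader why the check must stay. Both functions continue past the hunk into the `done:` cleanup; if `padkey` is freed there, clearing it before `xmlFree` would avoid leaving the padded key material behind in freed heap memory.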
@@ -125,6 +127,9 @@ rm -fr %{buildroot}
 %doc python/tests/*.xsl
 %changelog
+* Wed Oct 8 2008 Daniel Veillard 1.1.24-2.fc10
+- CVE-2008-2935 fix
+
 * Tue May 13 2008 Daniel Veillard 1.1.24-1.fc10
 - release of 1.1.24
 - fixes a few bugs including the key initialization problem