[xml-security-c/el6] Backported a patch to fix CVE-2011-2516 (#719698)
Antti Andreimann
anttix at fedoraproject.org
Fri Jul 8 08:53:06 UTC 2011
commit 0593ae468b585cc6f43a105abf39440aec604a4c
Author: Antti Andreimann <Antti.Andreimann at mail.ee>
Date: Fri Jul 8 10:18:40 2011 +0300
Backported a patch to fix CVE-2011-2516 (#719698)
xml-security-c-CVE-2011-2516.patch | 261 ++++++++++++++++++++++++++++++++++++
xml-security-c.spec | 7 +-
2 files changed, 267 insertions(+), 1 deletions(-)
---
diff --git a/xml-security-c-CVE-2011-2516.patch b/xml-security-c-CVE-2011-2516.patch
new file mode 100644
index 0000000..ac4bd69
--- /dev/null
+++ b/xml-security-c-CVE-2011-2516.patch
@@ -0,0 +1,261 @@
+Index: xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp
+===================================================================
+--- xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp (revision 1125751)
++++ xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp (revision 1125752)
+@@ -189,21 +189,20 @@
+ "OpenSSL:RSA - Attempt to validate signature with empty key");
+ }
+
+- unsigned char sigVal[1024];
+- int sigValLen;
+-
+- EVP_ENCODE_CTX m_dctx;
+- int rc;
+-
+- char * cleanedBase64Signature;
++ char* cleanedBase64Signature;
+ unsigned int cleanedBase64SignatureLen = 0;
+
+ cleanedBase64Signature =
+ XSECCryptoBase64::cleanBuffer(base64Signature, sigLen, cleanedBase64SignatureLen);
+ ArrayJanitor<char> j_cleanedBase64Signature(cleanedBase64Signature);
+
++ int sigValLen;
++ unsigned char* sigVal = new unsigned char[sigLen + 1];
++ ArrayJanitor<unsigned char> j_sigVal(sigVal);
++
++ EVP_ENCODE_CTX m_dctx;
+ EVP_DecodeInit(&m_dctx);
+- rc = EVP_DecodeUpdate(&m_dctx,
++ int rc = EVP_DecodeUpdate(&m_dctx,
+ sigVal,
+ &sigValLen,
+ (unsigned char *) cleanedBase64Signature,
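Review bot: The allocation `unsigned char* sigVal = new unsigned char[sigLen + 1];` is sized from the uncleaned input length, with no comment saying why that bound is sufficient. The same line appears in the EC and DSA verify hunks. Base64 decoding yields about three bytes per four input characters, so the bound looks safe, but anyone auditing this fix has to rederive that. I would add `// decoded output is at most 3/4 of the base64 input, so sigLen + 1 bytes cannot be overrun by the decode calls` above the allocation. The rest of the verify function lies outside the hunk, so how sigValLen is used afterwards could not be checked here.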
+Index: xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.cpp
+===================================================================
+--- xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.cpp (revision 1125751)
++++ xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.cpp (revision 1125752)
+@@ -158,8 +158,9 @@
+ XSECCryptoBase64::cleanBuffer(base64Signature, sigLen, cleanedBase64SignatureLen);
+ ArrayJanitor<char> j_cleanedBase64Signature(cleanedBase64Signature);
+
+- unsigned char sigVal[512];
+ int sigValLen;
++ unsigned char* sigVal = new unsigned char[sigLen + 1];
++ ArrayJanitor<unsigned char> j_sigVal(sigVal);
+
+ EVP_ENCODE_CTX m_dctx;
+ EVP_DecodeInit(&m_dctx);
+@@ -237,14 +238,13 @@
+ }
+
+ // Now turn the signature into a base64 string
++ unsigned char* rawSigBuf = new unsigned char[(BN_num_bits(dsa_sig->r) + BN_num_bits(dsa_sig->s)) / 8];
++ ArrayJanitor<unsigned char> j_sigbuf(rawSigBuf);
+
+- unsigned char rawSigBuf[256];
+- unsigned int rawLen;
++ unsigned int rawLen = BN_bn2bin(dsa_sig->r, rawSigBuf);
+
+- rawLen = BN_bn2bin(dsa_sig->r, rawSigBuf);
++ if (rawLen <= 0) {
+
+- if (rawLen <= 0) {
+-
+ throw XSECCryptoException(XSECCryptoException::ECError,
+ "OpenSSL:EC - Error converting signature to raw buffer");
+
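Review bot: The allocation `new unsigned char[(BN_num_bits(dsa_sig->r) + BN_num_bits(dsa_sig->s)) / 8]` rounds the combined bit count down, while each BN_bn2bin call writes a whole number of bytes for its own value. The buffer therefore comes up short whenever the two bit lengths do not sum to what their separate byte counts require: two 255-bit values need 64 bytes but get 63. That replaces the old fixed-size stack buffer with a possible heap overrun at the second BN_bn2bin call in the following hunk. Sizing per component avoids it, `new unsigned char[BN_num_bytes(dsa_sig->r) + BN_num_bytes(dsa_sig->s)]`, and the DSA signing hunk in OpenSSLCryptoKeyDSA.cpp needs the same change. Separately, `rawLen <= 0` on an unsigned value only ever tests for zero.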
+@@ -252,7 +252,7 @@
+
+ unsigned int rawLenS = BN_bn2bin(dsa_sig->s, (unsigned char *) &rawSigBuf[rawLen]);
+
+- if (rawLenS <= 0) {
++ if (rawLenS <= 0) {
+
+ throw XSECCryptoException(XSECCryptoException::ECError,
+ "OpenSSL:EC - Error converting signature to raw buffer");
+Index: xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp
+===================================================================
+--- xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp (revision 1125751)
++++ xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp (revision 1125752)
+@@ -164,15 +164,16 @@
+ "OpenSSL:DSA - Attempt to validate signature with empty key");
+ }
+
+- char * cleanedBase64Signature;
++ char* cleanedBase64Signature;
+ unsigned int cleanedBase64SignatureLen = 0;
+
+ cleanedBase64Signature =
+ XSECCryptoBase64::cleanBuffer(base64Signature, sigLen, cleanedBase64SignatureLen);
+ ArrayJanitor<char> j_cleanedBase64Signature(cleanedBase64Signature);
+
+- unsigned char sigVal[512];
+ int sigValLen;
++ unsigned char* sigVal = new unsigned char[sigLen + 1];
++ ArrayJanitor<unsigned char> j_sigVal(sigVal);
+
+ EVP_ENCODE_CTX m_dctx;
+ EVP_DecodeInit(&m_dctx);
+@@ -276,11 +277,11 @@
+
+ // Now turn the signature into a base64 string
+
+- unsigned char rawSigBuf[256];
+- unsigned int rawLen;
++ unsigned char* rawSigBuf = new unsigned char[(BN_num_bits(dsa_sig->r) + BN_num_bits(dsa_sig->s)) / 8];
++ ArrayJanitor<unsigned char> j_sigbuf(rawSigBuf);
++
++ unsigned int rawLen = BN_bn2bin(dsa_sig->r, rawSigBuf);
+
+- rawLen = BN_bn2bin(dsa_sig->r, rawSigBuf);
+-
+ if (rawLen <= 0) {
+
+ throw XSECCryptoException(XSECCryptoException::DSAError,
+Index: xsec/dsig/DSIGAlgorithmHandlerDefault.cpp
+===================================================================
+--- xsec/dsig/DSIGAlgorithmHandlerDefault.cpp (revision 1125751)
++++ xsec/dsig/DSIGAlgorithmHandlerDefault.cpp (revision 1125752)
+@@ -45,6 +45,7 @@
+
+ XERCES_CPP_NAMESPACE_USE
+
++#define MAXB64BUFSIZE 2048
+
+ // --------------------------------------------------------------------------------
+ // Some useful utility functions
+@@ -56,10 +57,10 @@
+ unsigned int rawLen,
+ unsigned int maxCompare = 0) {
+ // Decode a base64 buffer and then compare the result to a raw buffer
+- // Compare at most maxCompare bits (if maxComare > 0)
++ // Compare at most maxCompare bits (if maxCompare > 0)
+ // Note - whilst the other parameters are bytes, maxCompare is bits
+
+- unsigned char outputStr[1024];
++ unsigned char outputStr[MAXB64BUFSIZE];
+ unsigned int outputLen = 0;
+
+ XSECCryptoBase64 * b64 = XSECPlatformUtils::g_cryptoProvider->base64();
+@@ -74,8 +75,8 @@
+ Janitor<XSECCryptoBase64> j_b64(b64);
+
+ b64->decodeInit();
+- outputLen = b64->decode((unsigned char *) b64Str, (unsigned int) strlen((char *) b64Str), outputStr, 1024);
+- outputLen += b64->decodeFinish(&outputStr[outputLen], 1024 - outputLen);
++ outputLen = b64->decode((unsigned char *) b64Str, (unsigned int) strlen((char *) b64Str), outputStr, MAXB64BUFSIZE);
++ outputLen += b64->decodeFinish(&outputStr[outputLen], MAXB64BUFSIZE - outputLen);
+
+ // Compare
+
+@@ -147,7 +148,7 @@
+ // Translate the rawbuffer (at most maxBits or rawLen - whichever is smaller)
+ // to a base64 string
+
+- unsigned char b64Str[1024];
++ unsigned char b64Str[MAXB64BUFSIZE];
+ unsigned int outputLen = 0;
+
+ XSECCryptoBase64 * b64 = XSECPlatformUtils::g_cryptoProvider->base64();
+@@ -178,8 +179,8 @@
+ size = rawLen;
+
+ b64->encodeInit();
+- outputLen = b64->encode((unsigned char *) raw, rawLen, b64Str, 1024);
+- outputLen += b64->encodeFinish(&b64Str[outputLen], 1024 - outputLen);
++ outputLen = b64->encode((unsigned char *) raw, rawLen, b64Str, MAXB64BUFSIZE - 1);
++ outputLen += b64->encodeFinish(&b64Str[outputLen], MAXB64BUFSIZE - outputLen - 1);
+ b64Str[outputLen] = '\0';
+
+ // Copy out
+@@ -383,7 +384,10 @@
+
+ // Now check the calculated hash
+
+- char b64Buf[1024];
++ // For now, use a fixed length buffer, but expand it,
++ // and detect if the signature size exceeds what we can
++ // handle.
++ char b64Buf[MAXB64BUFSIZE];
+ unsigned int b64Len;
+ safeBuffer b64SB;
+
+@@ -403,7 +407,7 @@
+ hash,
+ hashLen,
+ (char *) b64Buf,
+- 1024);
++ MAXB64BUFSIZE);
+
+ if (b64Len <= 0) {
+
+@@ -411,7 +415,13 @@
+ "Unknown error occured during a DSA Signing operation");
+
+ }
++ else if (b64Len >= MAXB64BUFSIZE) {
+
++ throw XSECException(XSECException::AlgorithmMapperError,
++ "DSA Signing operation exceeded size of buffer");
++
++ }
++
+ if (b64Buf[b64Len-1] == '\n')
+ b64Buf[b64Len-1] = '\0';
+ else
+@@ -433,7 +443,7 @@
+ hash,
+ hashLen,
+ (char *) b64Buf,
+- 1024,
++ MAXB64BUFSIZE,
+ hm);
+
+ if (b64Len <= 0) {
+@@ -442,7 +452,13 @@
+ "Unknown error occured during a RSA Signing operation");
+
+ }
++ else if (b64Len >= MAXB64BUFSIZE) {
+
++ throw XSECException(XSECException::AlgorithmMapperError,
++ "RSA Signing operation exceeded size of buffer");
++
++ }
++
+ // Clean up some "funnies" and make sure the string is NULL terminated
+
+ if (b64Buf[b64Len-1] == '\n')
+@@ -466,7 +482,7 @@
+ hash,
+ hashLen,
+ (char *) b64Buf,
+- 1024);
++ MAXB64BUFSIZE);
+
+ if (b64Len <= 0) {
+
+@@ -474,7 +490,13 @@
+ "Unknown error occured during an ECDSA Signing operation");
+
+ }
++ else if (b64Len >= MAXB64BUFSIZE) {
+
++ throw XSECException(XSECException::AlgorithmMapperError,
++ "ECDSA Signing operation exceeded size of buffer");
++
++ }
++
+ if (b64Buf[b64Len-1] == '\n')
+ b64Buf[b64Len-1] = '\0';
+ else
+@@ -504,7 +526,7 @@
+ hashLen,
+ outputLength);
+
+- strncpy(b64Buf, (char *) b64SB.rawBuffer(), 1024);
++ strncpy(b64Buf, (char *) b64SB.rawBuffer(), MAXB64BUFSIZE);
+ break;
+
+ default :
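Review bot: `strncpy(b64Buf, (char *) b64SB.rawBuffer(), MAXB64BUFSIZE);` leaves b64Buf without a terminating NUL when the source string is MAXB64BUFSIZE bytes or longer. Unlike the DSA, RSA and ECDSA branches, this branch gets no length check in the patch. The code that consumes b64Buf after the switch is outside the hunk, so whether it relies on termination is inferred, but the earlier branches all terminate the buffer explicitly. I would copy at most `MAXB64BUFSIZE - 1` bytes and add `b64Buf[MAXB64BUFSIZE - 1] = '\0';` before the `break`, or throw as the other branches do when the value does not fit.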
diff --git a/xml-security-c.spec b/xml-security-c.spec
index a60ab57..4c9d636 100644
--- a/xml-security-c.spec
+++ b/xml-security-c.spec
@@ -1,12 +1,13 @@
Name: xml-security-c
Version: 1.6.0
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: C++ Implementation of W3C security standards for XML
Group: System Environment/Libraries
License: ASL 2.0
URL: http://santuario.apache.org/c/
Source: http://santuario.apache.org/dist/c-library/%{name}-%{version}.tar.gz
+Patch0: xml-security-c-CVE-2011-2516.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: xerces-c-devel xalan-c-devel openssl-devel
@@ -39,6 +40,7 @@ XML Digital Signatures.
%prep
%setup -q
+%patch0 -p0
# Remove bogus "-O2" from CXXFLAGS to avoid overriding RPM_OPT_FLAGS.
sed -i -e 's/-O2 -DNDEBUG/-DNDEBUG/g' configure
@@ -83,6 +85,9 @@ rm -rf $RPM_BUILD_ROOT
%doc CHANGELOG.txt LICENSE.txt NOTICE.txt INSTALL
%changelog
+* Fri Jul 08 2011 Antti Andreimann <Antti.Andreimann at mail.ee> - 1.6.0-2
+- Backported a patch to fix CVE-2011-2516 (#719698)
+
* Tue Apr 26 2011 Antti Andreimann <Antti.Andreimann at mail.ee> - 1.6.0-1
- Do not build on PPC64 due to missing dependencies (#699707)
- New upstream release