Security update for xml-security-c

Russ Allbery rra at debian.org
Sat Jul 25 17:41:49 UTC 2009


I typoed the team mailing list in my mail to security, so fixing that so
that it makes it to the mailing list.

Florian Weimer <fw at deneb.enyo.de> writes:
> * Russ Allbery:
>
>> I've prepared a security update for xml-security-c and am looking for
>> permission to upload to stable-security.  Attached below is the diff.  I'm
>> working on a patch for oldstable now.
>
>> +	// FIX: CVE-2009-0217
>> +
>> +	if (mp_signedInfo->getHMACOutputLength() > 0 && mp_signedInfo->getHMACOutputLength() < 80) {
>> +	    throw XSECException(XSECException::SigVfyError,
>> +            "DSIGSignature::verify() - HMACOutputLength is unsafe");
>> +	}
>> +
>
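Review bot: The lower bound in `getHMACOutputLength() > 0 && ... < 80` lets every value at or below zero skip the throw, so if the getter returns a signed type, a negative length passes this check instead of being rejected. If zero is the only value meant to stand for "no truncation requested", test for that explicitly and throw for anything else below 80, negative values included. Reading the getter once into a local would also make the condition easier to follow, and a short comment stating the unit of the 80 threshold and what zero means would document why those two bounds were chosen.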
> I'm not sure if this is entirely correct.  Can't
> mp_signedInfo->getHMACOutputLength() return a negative value?

Hm, that's a good question.  I can trace the value down to atoi run on the
result of an XML parse, but at that point I get lost in the code and can't
figure out if negative numbers would have been rejected somewhere else.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>


