Security update for xml-security-c

Scott Cantor cantor.2 at osu.edu
Sat Jul 25 22:20:20 UTC 2009


Russ Allbery wrote:
>> I'm not sure if this is entirely correct.  Can't
>> mp_signedInfo->getHMACOutputLength() return a negative value?
> 
> Hm, that's a good question.  I can trace the value down to atoi run on the
> result of an XML parse, but at that point I get lost in the code and can't
> figure out if negative numbers would have been rejected somewhere else.

The data type is broken in the surrounding code, which I couldn't fix in 
this patch, but the parameter signature in the functions that actually use 
it is an unsigned int.

-- Scott
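
An added illustration of the signedness question in this exchange (not code from xml-security-c or from the patch): what a negative atoi() result becomes once it reaches an unsigned int parameter, next to a strict parse that rejects signs and trailing text. All function names and sample inputs are hypothetical.

```cpp
#include <cctype>
#include <cerrno>
#include <climits>
#include <cstdio>
#include <cstdlib>

// Hypothetical consumer: like the functions described in the reply, its
// parameter is unsigned int. It reports the length it actually receives.
static unsigned int length_seen_by_consumer(unsigned int outputLength) {
    return outputLength;
}

// Pattern from the thread: atoi() on parsed XML text, held in a signed int,
// then handed to an unsigned parameter.
static unsigned int atoi_then_consume(const char *text) {
    int parsed = std::atoi(text);            // "-8" yields -8, no error signalled
    return length_seen_by_consumer(parsed);  // implicit int -> unsigned int
}

// Strict parse: decimal digits only, whole string consumed, fits unsigned int.
static bool parse_length_strict(const char *text, unsigned int *out) {
    if (text == nullptr || !std::isdigit(static_cast<unsigned char>(text[0])))
        return false;                        // rejects "", "-8", "+8", " 8"
    errno = 0;
    char *end = nullptr;
    unsigned long v = std::strtoul(text, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT_MAX)
        return false;                        // overflow or trailing junk
    *out = static_cast<unsigned int>(v);
    return true;
}

int main() {
    const char *samples[] = {"160", "-8", "80abc"};  // constructed inputs
    for (const char *s : samples) {
        unsigned int strict = 0;
        bool ok = parse_length_strict(s, &strict);
        std::printf("%-6s atoi path -> %u, strict -> %s\n", s,
                    atoi_then_consume(s), ok ? "accepted" : "rejected");
    }
    return 0;
}
```

With the atoi path a negative input does not stay negative at the unsigned parameter; it arrives as a very large length, so any range check has to happen before the conversion or on the unsigned value.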




More information about the Pkg-shibboleth-devel mailing list