Security update for xml-security-c

Russ Allbery rra at debian.org
Sat Jul 25 22:54:22 UTC 2009


Scott Cantor <cantor.2 at osu.edu> writes:
> Russ Allbery wrote:

>> Hm, that's a good question.  I can trace the value down to atoi run on the
>> result of an XML parse, but at that point I get lost in the code and
>> can't figure out if negative numbers would have been rejected somewhere
>> else.

> The data type is broken in the surrounding code, which I couldn't fix in
> this patch, but the parameter signature in the functions that actually
> use it is an unsigned int.

Ah, yes, that should make it fine.  Any negative values will turn into
very large positive values, which avoids the problem range.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
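
The conversion discussed in this thread, as an added C example that is not part of the original messages or of xml-security-c: `consume_length` and both helper names are hypothetical, and the sample strings are constructed. It shows what an `unsigned int` parameter receives after `atoi`, next to a stricter parse that rejects negative input outright.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a function whose parameter is unsigned int. */
static unsigned int consume_length(unsigned int len) { return len; }

/* The pattern from the thread: atoi() on parsed text, then an implicit
 * int -> unsigned int conversion at the call. */
unsigned int length_as_seen(const char *text)
{
    int parsed = atoi(text);          /* no error reporting; "-8" gives -8 */
    return consume_length(parsed);    /* -8 becomes UINT_MAX - 7 */
}

/* Stricter alternative: reject signs, empty input, trailing junk, overflow.
 * Returns 0 and stores the value on success, -1 on any rejected input. */
int parse_length_strict(const char *text, unsigned int *out)
{
    char *end = NULL;
    unsigned long v;

    if (text == NULL || *text < '0' || *text > '9')
        return -1;                    /* also rejects "-8", "+8", " 8", "" */
    errno = 0;
    v = strtoul(text, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT_MAX)
        return -1;
    *out = (unsigned int)v;
    return 0;
}

int main(void)
{
    const char *samples[] = { "80", "-8", "-1", "80abc", "" };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned int v = 0;
        int rc = parse_length_strict(samples[i], &v);
        printf("%-7s atoi path sees %u, strict parser: %s\n", samples[i],
               length_as_seen(samples[i]), rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```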


