Security update for xml-security-c

Florian Weimer fw at deneb.enyo.de
Sun Jul 26 08:05:42 UTC 2009


* Russ Allbery:

> Scott Cantor <cantor.2 at osu.edu> writes:
>> Russ Allbery wrote:
>
>>> Hm, that's a good question.  I can trace the value down to atoi run on the
>>> result of an XML parse, but at that point I get lost in the code and
>>> can't figure out if negative numbers would have been rejected somewhere
>>> else.
>
>> The data type is broken in the surrounding code, which I couldn't fix in
>> this patch, but the parameter signature in the functions that actually
>> use it is an unsigned int.
>
> Ah, yes, that should make it fine.  Any negative values will turn into
> very large positive values, which avoids the problem range.

Good, thanks for the clarification.

Russ, could you upload this, please?  (Don't forget to build with
-sa. 8-)


