[SCM] Debian packaging for XML-Security-C branch, lenny, updated. debian/1.4.0-3-5-gf28d3f5
Russ Allbery
rra at debian.org
Thu Jul 7 20:30:50 UTC 2011
The following commit has been merged in the lenny branch:
commit f28d3f5af1bb825589621cdfe3c2d3615fab3b46
Author: Russ Allbery <rra at debian.org>
Date: Thu Jul 7 10:55:02 2011 -0700
Apply upstream patch to close buffer overflow vulnerability
* Apply upstream patch to fix buffer overflow when signing or verifying
files with big asymmetric keys. (Closes: #632973, CVE-2011-2516)
diff --git a/debian/changelog b/debian/changelog
index 4cedcfa..6fd01fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xml-security-c (1.4.0-3+lenny3) oldstable-security; urgency=high
+
+ * Apply upstream patch to fix buffer overflow when signing or verifying
+ files with big asymmetric keys. (Closes: #632973, CVE-2011-2516)
+
+ -- Russ Allbery <rra at debian.org> Thu, 07 Jul 2011 11:43:25 -0700
+
xml-security-c (1.4.0-3+lenny2) stable-security; urgency=high
* Bump version number to correct the upload queue. No source changes.
diff --git a/src/dsig/DSIGAlgorithmHandlerDefault.cpp b/src/dsig/DSIGAlgorithmHandlerDefault.cpp
index f4fcb70..3c633f4 100644
--- a/src/dsig/DSIGAlgorithmHandlerDefault.cpp
+++ b/src/dsig/DSIGAlgorithmHandlerDefault.cpp
@@ -42,6 +42,7 @@
XERCES_CPP_NAMESPACE_USE
+#define MAXB64BUFSIZE 2048
// --------------------------------------------------------------------------------
// Some useful utility functions
@@ -53,10 +54,10 @@ bool compareBase64StringToRaw(const char * b64Str,
unsigned int rawLen,
unsigned int maxCompare = 0) {
// Decode a base64 buffer and then compare the result to a raw buffer
- // Compare at most maxCompare bits (if maxComare > 0)
+ // Compare at most maxCompare bits (if maxCompare > 0)
// Note - whilst the other parameters are bytes, maxCompare is bits
- unsigned char outputStr[1024];
+ unsigned char outputStr[MAXB64BUFSIZE];
unsigned int outputLen = 0;
XSECCryptoBase64 * b64 = XSECPlatformUtils::g_cryptoProvider->base64();
@@ -71,8 +72,8 @@ bool compareBase64StringToRaw(const char * b64Str,
Janitor<XSECCryptoBase64> j_b64(b64);
b64->decodeInit();
- outputLen = b64->decode((unsigned char *) b64Str, (unsigned int) strlen((char *) b64Str), outputStr, 1024);
- outputLen += b64->decodeFinish(&outputStr[outputLen], 1024 - outputLen);
+ outputLen = b64->decode((unsigned char *) b64Str, (unsigned int) strlen((char *) b64Str), outputStr, MAXB64BUFSIZE);
+ outputLen += b64->decodeFinish(&outputStr[outputLen], MAXB64BUFSIZE - outputLen);
// Compare
@@ -144,7 +145,7 @@ void convertRawToBase64String(safeBuffer &b64SB,
// Translate the rawbuffer (at most maxBits or rawLen - whichever is smaller)
// to a base64 string
- unsigned char b64Str[1024];
+ unsigned char b64Str[MAXB64BUFSIZE];
unsigned int outputLen = 0;
XSECCryptoBase64 * b64 = XSECPlatformUtils::g_cryptoProvider->base64();
@@ -175,8 +176,8 @@ void convertRawToBase64String(safeBuffer &b64SB,
size = rawLen;
b64->encodeInit();
- outputLen = b64->encode((unsigned char *) raw, rawLen, b64Str, 1024);
- outputLen += b64->encodeFinish(&b64Str[outputLen], 1024 - outputLen);
+ outputLen = b64->encode((unsigned char *) raw, rawLen, b64Str, MAXB64BUFSIZE - 1);
+ outputLen += b64->encodeFinish(&b64Str[outputLen], MAXB64BUFSIZE - outputLen - 1);
b64Str[outputLen] = '\0';
// Copy out
@@ -380,7 +381,10 @@ unsigned int DSIGAlgorithmHandlerDefault::signToSafeBuffer(
// Now check the calculated hash
- char b64Buf[1024];
+ // For now, use a fixed length buffer, but expand it,
+ // and detect if the signature size exceeds what we can
+ // handle.
+ char b64Buf[MAXB64BUFSIZE];
unsigned int b64Len;
safeBuffer b64SB;
@@ -400,7 +404,7 @@ unsigned int DSIGAlgorithmHandlerDefault::signToSafeBuffer(
hash,
hashLen,
(char *) b64Buf,
- 1024);
+ MAXB64BUFSIZE);
if (b64Len <= 0) {
@@ -408,6 +412,12 @@ unsigned int DSIGAlgorithmHandlerDefault::signToSafeBuffer(
"Unknown error occured during a DSA Signing operation");
}
+ else if (b64Len >= MAXB64BUFSIZE) {
+
+ throw XSECException(XSECException::AlgorithmMapperError,
+ "DSA Signing operation exceeded size of buffer");
+
+ }
if (b64Buf[b64Len-1] == '\n')
b64Buf[b64Len-1] = '\0';
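Review bot: The new `b64Len >= MAXB64BUFSIZE` test runs after `b64Buf` has already been written, so it detects an oversized result rather than preventing one. The bound itself rests on the signing call honouring the `MAXB64BUFSIZE` argument passed in the previous hunk, and that callee is not visible here. A comment above the check would make the contract explicit, e.g. `// Callee must never write more than MAXB64BUFSIZE bytes; this only catches a result that leaves no room for the terminator`. Because `b64Len` is declared `unsigned int`, the preceding `b64Len <= 0` can only match zero, so a callee that signals failure with a negative value would presumably land in this branch and be reported as a buffer-size error. The same applies to the RSA branch added at `@@ -439,6 +449,12 @@`; the body of signToSafeBuffer continues outside both hunks.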
@@ -430,7 +440,7 @@ unsigned int DSIGAlgorithmHandlerDefault::signToSafeBuffer(
hash,
hashLen,
(char *) b64Buf,
- 1024,
+ MAXB64BUFSIZE,
hm);
if (b64Len <= 0) {
@@ -439,6 +449,12 @@ unsigned int DSIGAlgorithmHandlerDefault::signToSafeBuffer(
"Unknown error occured during a RSA Signing operation");
}
+ else if (b64Len >= MAXB64BUFSIZE) {
+
+ throw XSECException(XSECException::AlgorithmMapperError,
+ "RSA Signing operation exceeded size of buffer");
+
+ }
// Clean up some "funnies" and make sure the string is NULL terminated
@@ -471,7 +487,7 @@ unsigned int DSIGAlgorithmHandlerDefault::signToSafeBuffer(
hashLen,
outputLength);
- strncpy(b64Buf, (char *) b64SB.rawBuffer(), 1024);
+ strncpy(b64Buf, (char *) b64SB.rawBuffer(), MAXB64BUFSIZE);
break;
default :
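Review bot: `strncpy(b64Buf, (char *) b64SB.rawBuffer(), MAXB64BUFSIZE)` leaves `b64Buf` without a terminating NUL when the source string is MAXB64BUFSIZE characters or longer, because strncpy stops at the count without appending one. Whether this case can produce a string that long depends on code outside the hunk, so terminate explicitly instead of relying on it: `strncpy(b64Buf, (char *) b64SB.rawBuffer(), MAXB64BUFSIZE - 1);` followed by `b64Buf[MAXB64BUFSIZE - 1] = '\0';`. Note also that this branch would silently truncate, whereas the DSA and RSA branches now throw on an oversized result; a matching length check would keep the three paths consistent.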
diff --git a/src/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp b/src/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp
index 04206f4..d1b9efb 100644
--- a/src/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp
+++ b/src/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp
@@ -33,6 +33,10 @@
#include <xsec/enc/XSECCryptoUtils.hpp>
#include <xsec/framework/XSECError.hpp>
+#include <xercesc/util/Janitor.hpp>
+
+XERCES_CPP_NAMESPACE_USE
+
#include <openssl/dsa.h>
OpenSSLCryptoKeyDSA::OpenSSLCryptoKeyDSA() {
@@ -161,12 +165,13 @@ bool OpenSSLCryptoKeyDSA::verifyBase64Signature(unsigned char * hashBuf,
"OpenSSL:DSA - Attempt to validate signature with empty key");
}
- unsigned char sigVal[512];
int sigValLen;
int err;
EVP_ENCODE_CTX m_dctx;
int rc;
+ unsigned char* sigVal = new unsigned char[sigLen + 1];
+ ArrayJanitor<unsigned char> j_sigVal(sigVal);
EVP_DecodeInit(&m_dctx);
rc = EVP_DecodeUpdate(&m_dctx,
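Review bot: The allocation `new unsigned char[sigLen + 1]` carries no explanation of why that size is enough, and that invariant is what replaces the old fixed 512-byte buffer. A one-line comment such as `// Decoded base64 is never longer than its input, so sigLen + 1 bytes always suffice` would record it for the next maintainer. The invariant holds only if `sigLen` is the input length actually handed to `EVP_DecodeUpdate`; that call's argument list runs past the end of this hunk, so it should be confirmed there.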
@@ -275,11 +280,11 @@ unsigned int OpenSSLCryptoKeyDSA::signBase64Signature(unsigned char * hashBuf,
// Now turn the signature into a base64 string
- unsigned char rawSigBuf[256];
- unsigned int rawLen;
-
- rawLen = BN_bn2bin(dsa_sig->r, rawSigBuf);
+ unsigned char* rawSigBuf = new unsigned char[(BN_num_bits(dsa_sig->r) + BN_num_bits(dsa_sig->s)) / 8];
+ ArrayJanitor<unsigned char> j_sigbuf(rawSigBuf);
+ unsigned int rawLen = BN_bn2bin(dsa_sig->r, rawSigBuf);
+
if (rawLen <= 0) {
throw XSECCryptoException(XSECCryptoException::DSAError,
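Review bot: The size expression `(BN_num_bits(dsa_sig->r) + BN_num_bits(dsa_sig->s)) / 8` rounds down, while `BN_bn2bin` writes `BN_num_bytes()` bytes for each value, i.e. each bit count rounded up to a whole byte. The heap buffer can therefore be one or two bytes too small whenever either bit length is not a multiple of 8. Size it from the byte counts instead: `unsigned char* rawSigBuf = new unsigned char[BN_num_bytes(dsa_sig->r) + BN_num_bytes(dsa_sig->s)];`. The write of `s` presumably follows below the hunk; if that code pads `r` or `s` to a fixed width, the allocation has to cover the padded width as well. Separately, `rawLen` is `unsigned int`, so `rawLen <= 0` only ever tests for zero.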
diff --git a/src/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp b/src/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp
index ddaeaac..6dfa008 100644
--- a/src/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp
+++ b/src/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp
@@ -189,24 +189,23 @@ bool OpenSSLCryptoKeyRSA::verifySHA1PKCS1Base64Signature(const unsigned char * h
"OpenSSL:RSA - Attempt to validate signature with empty key");
}
- unsigned char sigVal[1024];
- int sigValLen;
-
- EVP_ENCODE_CTX m_dctx;
- int rc;
-
- char * cleanedBase64Signature;
+ char* cleanedBase64Signature;
unsigned int cleanedBase64SignatureLen = 0;
cleanedBase64Signature =
XSECCryptoBase64::cleanBuffer(base64Signature, sigLen, cleanedBase64SignatureLen);
ArrayJanitor<char> j_cleanedBase64Signature(cleanedBase64Signature);
+ int sigValLen;
+ unsigned char* sigVal = new unsigned char[sigLen + 1];
+ ArrayJanitor<unsigned char> j_sigVal(sigVal);
+
+ EVP_ENCODE_CTX m_dctx;
EVP_DecodeInit(&m_dctx);
- rc = EVP_DecodeUpdate(&m_dctx,
- sigVal,
- &sigValLen,
- (unsigned char *) cleanedBase64Signature,
+ int rc = EVP_DecodeUpdate(&m_dctx,
+ sigVal,
+ &sigValLen,
+ (unsigned char *) cleanedBase64Signature,
cleanedBase64SignatureLen);
if (rc < 0) {
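Review bot: `sigVal` is sized from `sigLen`, but the `EVP_DecodeUpdate` call that fills it consumes `cleanedBase64SignatureLen` bytes of `cleanedBase64Signature`. The allocation is therefore only safe as long as `cleanBuffer` never yields more base64 data than `sigLen` accounts for, and its behaviour is not shown on this page. Deriving the size from the value that is actually decoded removes that dependency: `unsigned char* sigVal = new unsigned char[cleanedBase64SignatureLen + 1];`. The function body continues past the hunk, so how `sigValLen` is used afterwards cannot be checked from here.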
--
Debian packaging for XML-Security-C