Merge lp:~choffee/ubuntu/lucid/xml-security-c/xml-security-c-fix-807414 into lp:ubuntu/lucid/xml-security-c

Proposed by John Cooper
Status: Needs review
Proposed branch: lp:~choffee/ubuntu/lucid/xml-security-c/xml-security-c-fix-807414
Merge into: lp:ubuntu/lucid/xml-security-c
Diff against target: 300 lines (+73/-41)
8 files modified
debian/changelog (+16/-5)
debian/compat (+1/-1)
debian/control (+10/-10)
debian/rules (+1/-1)
debian/source/format (+1/-0)
src/dsig/DSIGAlgorithmHandlerDefault.cpp (+27/-11)
src/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp (+10/-5)
src/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp (+7/-8)
To merge this branch: bzr merge lp:~choffee/ubuntu/lucid/xml-security-c/xml-security-c-fix-807414
Reviewer: Marc Deslauriers
Review status: Needs Fixing
Review via email: mp+69071@code.launchpad.net

Description of the change

Fixes Buffer overflow bugs CVE-2011-2516 as detailed in LP: #807414

This is just a pull across of the Debian fix.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the merge request.

Please just include the security fix, and none of the other packaging changes and changelogs.
See the following wiki page for the process on submitting changes appropriate for Ubuntu security fixes:

https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation

Thanks!

review: Needs Fixing

Unmerged revisions

9. By John Cooper <email address hidden>

Apply upstream patch to fix buffer overflow when signing or verifying
files with big asymmetric keys. (Closes: #632973, CVE-2011-2516)

8. By John Cooper <email address hidden>

* Force source format 1.0 for now since it makes backporting easier.
* Add ${misc:Depends} to all package dependencies.
* Update debhelper compatibility level to V7.
  - Use dh_prep instead of dh_clean -k.
* Update standards version to 3.8.4 (no changes required).

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2010-03-22 21:58:17 +0000
3+++ debian/changelog 2011-07-25 11:10:26 +0000
4@@ -1,8 +1,19 @@
5-xml-security-c (1.5.1-2build1) lucid; urgency=low
6-
7- * No-change rebuild for libxerces-c3.0 -> libxerces-c3.1 transition.
8-
9- -- Ilya Barygin <barygin@gmail.com> Mon, 22 Mar 2010 21:58:17 +0300
10+xml-security-c (1.5.1-3+squeeze1) stable-security; urgency=high
11+
12+ * Apply upstream patch to fix buffer overflow when signing or verifying
13+ files with big asymmetric keys. (Closes: #632973, CVE-2011-2516)
14+
15+ -- Russ Allbery <rra@debian.org> Thu, 07 Jul 2011 10:45:08 -0700
16+
17+xml-security-c (1.5.1-3) unstable; urgency=low
18+
19+ * Force source format 1.0 for now since it makes backporting easier.
20+ * Add ${misc:Depends} to all package dependencies.
21+ * Update debhelper compatibility level to V7.
22+ - Use dh_prep instead of dh_clean -k.
23+ * Update standards version to 3.8.4 (no changes required).
24+
25+ -- Russ Allbery <rra@debian.org> Wed, 12 May 2010 20:59:25 -0700
26
27 xml-security-c (1.5.1-2) unstable; urgency=low
28
29
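Review bot: The top changelog entry (1.5.1-3+squeeze1, distribution stable-security) is Debian's own, and the hunk deletes the existing lucid entry 1.5.1-2build1 instead of adding to it. For an upload to lucid, keep the 1.5.1-2build1 entry in place and add a new Ubuntu entry above it that targets lucid and cites CVE-2011-2516 and LP: #807414.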
30=== modified file 'debian/compat'
31--- debian/compat 2007-04-12 21:37:45 +0000
32+++ debian/compat 2011-07-25 11:10:26 +0000
33@@ -1,1 +1,1 @@
34-5
35+7
36
37=== modified file 'debian/control'
38--- debian/control 2009-08-06 08:32:16 +0000
39+++ debian/control 2011-07-25 11:10:26 +0000
40@@ -3,9 +3,9 @@
41 Priority: extra
42 Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
43 Uploaders: Russ Allbery <rra@debian.org>
44-Build-Depends: debhelper (>= 5), autoconf, automake, libtool, libssl-dev,
45+Build-Depends: debhelper (>= 7), autoconf, automake, libtool, libssl-dev,
46 libxerces-c-dev
47-Standards-Version: 3.8.2
48+Standards-Version: 3.8.4
49 Homepage: http://xml.apache.org/security/
50 Vcs-Git: git://git.debian.org/git/pkg-shibboleth/xml-security-c.git
51 Vcs-Browser: http://git.debian.org/?p=pkg-shibboleth/xml-security-c.git
52@@ -14,9 +14,9 @@
53 Architecture: any
54 Depends: ${shlibs:Depends}, ${misc:Depends}
55 Description: C++ library for XML Digital Signatures (runtime)
56- XML-Security-C is a library for the XML Digital Security specification. It
57- provides processing and handling of XML Key Management Specifications (XKMS)
58- messages.
59+ XML-Security-C is a library for the XML Digital Security specification.
60+ It provides processing and handling of XML Key Management Specifications
61+ (XKMS) messages.
62 .
63 This package contains the files necessary for running applications that
64 use the XML-Security-C library.
65@@ -24,11 +24,11 @@
66 Package: libxml-security-c-dev
67 Section: libdevel
68 Architecture: any
69-Depends: libxml-security-c15 (= ${binary:Version}), libxerces-c-dev,
70- libssl-dev
71+Depends: ${misc:Depends}, libxml-security-c15 (= ${binary:Version}),
72+ libxerces-c-dev, libssl-dev
73 Description: C++ library for XML Digital Signatures (development)
74- XML-Security-C is a library for the XML Digital Security specification. It
75- provides processing and handling of XML Key Management Specifications (XKMS)
76- messages.
77+ XML-Security-C is a library for the XML Digital Security specification.
78+ It provides processing and handling of XML Key Management Specifications
79+ (XKMS) messages.
80 .
81 This package contains the XML-Security-C development files.
82
83=== modified file 'debian/rules'
84--- debian/rules 2009-08-05 14:11:52 +0000
85+++ debian/rules 2011-07-25 11:10:26 +0000
86@@ -62,7 +62,7 @@
87 install: build-stamp
88 dh_testdir
89 dh_testroot
90- dh_clean -k
91+ dh_prep
92 $(MAKE) install DESTDIR=$(CURDIR)/debian/tmp
93 dh_install --sourcedir=debian/tmp
94
95
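Review bot: Replacing `dh_clean -k` with `dh_prep` is a packaging cleanup that depends on the debhelper 7 bump in debian/compat and debian/control and has no bearing on the buffer overflow. Leave it, together with the compat, control and source/format changes, out of the security update so the diff against lucid contains only the src/ fixes and a changelog entry.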
96=== added directory 'debian/source'
97=== added file 'debian/source/format'
98--- debian/source/format 1970-01-01 00:00:00 +0000
99+++ debian/source/format 2011-07-25 11:10:26 +0000
100@@ -0,0 +1,1 @@
101+1.0
102
103=== modified file 'src/dsig/DSIGAlgorithmHandlerDefault.cpp'
104--- src/dsig/DSIGAlgorithmHandlerDefault.cpp 2009-08-05 14:11:52 +0000
105+++ src/dsig/DSIGAlgorithmHandlerDefault.cpp 2011-07-25 11:10:26 +0000
106@@ -42,6 +42,7 @@
107
108 XERCES_CPP_NAMESPACE_USE
109
110+#define MAXB64BUFSIZE 2048
111
112 // --------------------------------------------------------------------------------
113 // Some useful utility functions
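Review bot: `MAXB64BUFSIZE` is introduced without a comment saying what it bounds or why 2048 was chosen, and as an untyped macro it is later compared against `unsigned int` lengths. Add a one-line comment giving the largest signature it is meant to hold, and consider a typed unsigned constant instead of the macro.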
114@@ -53,10 +54,10 @@
115 unsigned int rawLen,
116 unsigned int maxCompare = 0) {
117 // Decode a base64 buffer and then compare the result to a raw buffer
118- // Compare at most maxCompare bits (if maxComare > 0)
119+ // Compare at most maxCompare bits (if maxCompare > 0)
120 // Note - whilst the other parameters are bytes, maxCompare is bits
121
122- unsigned char outputStr[1024];
123+ unsigned char outputStr[MAXB64BUFSIZE];
124 unsigned int outputLen = 0;
125
126 XSECCryptoBase64 * b64 = XSECPlatformUtils::g_cryptoProvider->base64();
127@@ -71,8 +72,8 @@
128 Janitor<XSECCryptoBase64> j_b64(b64);
129
130 b64->decodeInit();
131- outputLen = b64->decode((unsigned char *) b64Str, (unsigned int) strlen((char *) b64Str), outputStr, 1024);
132- outputLen += b64->decodeFinish(&outputStr[outputLen], 1024 - outputLen);
133+ outputLen = b64->decode((unsigned char *) b64Str, (unsigned int) strlen((char *) b64Str), outputStr, MAXB64BUFSIZE);
134+ outputLen += b64->decodeFinish(&outputStr[outputLen], MAXB64BUFSIZE - outputLen);
135
136 // Compare
137
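Review bot: The decode call still sizes its input with `strlen((char *) b64Str)` and nothing compares that length to `MAXB64BUFSIZE`, so safety rests entirely on `decode()` honouring the output limit passed as its last argument. Check `outputLen` after `decode()` and fail the comparison outright when the buffer was filled, rather than going on to compare a possibly truncated value.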
138@@ -144,7 +145,7 @@
139 // Translate the rawbuffer (at most maxBits or rawLen - whichever is smaller)
140 // to a base64 string
141
142- unsigned char b64Str[1024];
143+ unsigned char b64Str[MAXB64BUFSIZE];
144 unsigned int outputLen = 0;
145
146 XSECCryptoBase64 * b64 = XSECPlatformUtils::g_cryptoProvider->base64();
147@@ -175,8 +176,8 @@
148 size = rawLen;
149
150 b64->encodeInit();
151- outputLen = b64->encode((unsigned char *) raw, rawLen, b64Str, 1024);
152- outputLen += b64->encodeFinish(&b64Str[outputLen], 1024 - outputLen);
153+ outputLen = b64->encode((unsigned char *) raw, rawLen, b64Str, MAXB64BUFSIZE - 1);
154+ outputLen += b64->encodeFinish(&b64Str[outputLen], MAXB64BUFSIZE - outputLen - 1);
155 b64Str[outputLen] = '\0';
156
157 // Copy out
158@@ -380,7 +381,10 @@
159
160 // Now check the calculated hash
161
162- char b64Buf[1024];
163+ // For now, use a fixed length buffer, but expand it,
164+ // and detect if the signature size exceeds what we can
165+ // handle.
166+ char b64Buf[MAXB64BUFSIZE];
167 unsigned int b64Len;
168 safeBuffer b64SB;
169
170@@ -400,7 +404,7 @@
171 hash,
172 hashLen,
173 (char *) b64Buf,
174- 1024);
175+ MAXB64BUFSIZE);
176
177 if (b64Len <= 0) {
178
179@@ -408,6 +412,12 @@
180 "Unknown error occured during a DSA Signing operation");
181
182 }
183+ else if (b64Len >= MAXB64BUFSIZE) {
184+
185+ throw XSECException(XSECException::AlgorithmMapperError,
186+ "DSA Signing operation exceeded size of buffer");
187+
188+ }
189
190 if (b64Buf[b64Len-1] == '\n')
191 b64Buf[b64Len-1] = '\0';
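Review bot: The new `b64Len >= MAXB64BUFSIZE` test runs only after the signing call has already written into `b64Buf`, so it reports a result that filled the buffer but cannot itself prevent an overrun; the bound has to be enforced by the callee that receives `MAXB64BUFSIZE` as its length argument. Say that in the comment above `b64Buf`, and note that `b64Len` is unsigned, so the preceding `b64Len <= 0` branch only ever matches zero. The same applies to the RSA branch below.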
192@@ -430,7 +440,7 @@
193 hash,
194 hashLen,
195 (char *) b64Buf,
196- 1024,
197+ MAXB64BUFSIZE,
198 hm);
199
200 if (b64Len <= 0) {
201@@ -439,6 +449,12 @@
202 "Unknown error occured during a RSA Signing operation");
203
204 }
205+ else if (b64Len >= MAXB64BUFSIZE) {
206+
207+ throw XSECException(XSECException::AlgorithmMapperError,
208+ "RSA Signing operation exceeded size of buffer");
209+
210+ }
211
212 // Clean up some "funnies" and make sure the string is NULL terminated
213
214@@ -471,7 +487,7 @@
215 hashLen,
216 outputLength);
217
218- strncpy(b64Buf, (char *) b64SB.rawBuffer(), 1024);
219+ strncpy(b64Buf, (char *) b64SB.rawBuffer(), MAXB64BUFSIZE);
220 break;
221
222 default :
223
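Review bot: `strncpy(b64Buf, (char *) b64SB.rawBuffer(), MAXB64BUFSIZE)` leaves `b64Buf` without a terminating NUL when the source is MAXB64BUFSIZE characters or longer, and unlike the DSA and RSA branches this one has no size check. Copy at most `MAXB64BUFSIZE - 1` bytes and set the final byte to '\0', or throw the same "exceeded size of buffer" exception when the safeBuffer contents do not fit.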
224=== modified file 'src/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp'
225--- src/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp 2009-08-05 14:11:52 +0000
226+++ src/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp 2011-07-25 11:10:26 +0000
227@@ -33,6 +33,10 @@
228 #include <xsec/enc/XSECCryptoUtils.hpp>
229 #include <xsec/framework/XSECError.hpp>
230
231+#include <xercesc/util/Janitor.hpp>
232+
233+XERCES_CPP_NAMESPACE_USE
234+
235 #include <openssl/dsa.h>
236
237 OpenSSLCryptoKeyDSA::OpenSSLCryptoKeyDSA() : mp_dsaKey(NULL) {
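Review bot: `XERCES_CPP_NAMESPACE_USE` is placed ahead of `#include <openssl/dsa.h>`, so the Xerces namespace is opened before a later header is parsed. Move the `Janitor.hpp` include up with the other includes and put the macro after the last `#include`.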
238@@ -157,12 +161,13 @@
239 "OpenSSL:DSA - Attempt to validate signature with empty key");
240 }
241
242- unsigned char sigVal[512];
243 int sigValLen;
244 int err;
245
246 EVP_ENCODE_CTX m_dctx;
247 int rc;
248+ unsigned char* sigVal = new unsigned char[sigLen + 1];
249+ ArrayJanitor<unsigned char> j_sigVal(sigVal);
250
251 EVP_DecodeInit(&m_dctx);
252 rc = EVP_DecodeUpdate(&m_dctx,
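Review bot: `new unsigned char[sigLen + 1]` carries no comment explaining why that size is sufficient. Base64 decoding never produces more bytes than the characters it consumes, so the allocation is safe as long as no more than `sigLen` characters are fed to `EVP_DecodeUpdate`; state that next to the allocation so a later change to the input length does not silently break the bound.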
253@@ -271,10 +276,10 @@
254
255 // Now turn the signature into a base64 string
256
257- unsigned char rawSigBuf[256];
258- unsigned int rawLen;
259-
260- rawLen = BN_bn2bin(dsa_sig->r, rawSigBuf);
261+ unsigned char* rawSigBuf = new unsigned char[(BN_num_bits(dsa_sig->r) + BN_num_bits(dsa_sig->s)) / 8];
262+ ArrayJanitor<unsigned char> j_sigbuf(rawSigBuf);
263+
264+ unsigned int rawLen = BN_bn2bin(dsa_sig->r, rawSigBuf);
265
266 if (rawLen <= 0) {
267
268
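Review bot: The allocation `(BN_num_bits(dsa_sig->r) + BN_num_bits(dsa_sig->s)) / 8` rounds down, while `BN_bn2bin` writes the byte length of each number rounded up, so the buffer is too small whenever the bit lengths of r and s are not multiples of 8. Size it with `BN_num_bytes(dsa_sig->r) + BN_num_bytes(dsa_sig->s)` instead. Separately, `rawLen` is unsigned, so the `rawLen <= 0` test that follows can only catch zero.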
269=== modified file 'src/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp'
270--- src/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp 2009-08-05 14:11:52 +0000
271+++ src/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp 2011-07-25 11:10:26 +0000
272@@ -186,21 +186,20 @@
273 "OpenSSL:RSA - Attempt to validate signature with empty key");
274 }
275
276- unsigned char sigVal[1024];
277- int sigValLen;
278-
279- EVP_ENCODE_CTX m_dctx;
280- int rc;
281-
282- char * cleanedBase64Signature;
283+ char* cleanedBase64Signature;
284 unsigned int cleanedBase64SignatureLen = 0;
285
286 cleanedBase64Signature =
287 XSECCryptoBase64::cleanBuffer(base64Signature, sigLen, cleanedBase64SignatureLen);
288 ArrayJanitor<char> j_cleanedBase64Signature(cleanedBase64Signature);
289
290+ int sigValLen;
291+ unsigned char* sigVal = new unsigned char[sigLen + 1];
292+ ArrayJanitor<unsigned char> j_sigVal(sigVal);
293+
294+ EVP_ENCODE_CTX m_dctx;
295 EVP_DecodeInit(&m_dctx);
296- rc = EVP_DecodeUpdate(&m_dctx,
297+ int rc = EVP_DecodeUpdate(&m_dctx,
298 sigVal,
299 &sigValLen,
300 (unsigned char *) cleanedBase64Signature,
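Review bot: `sigVal` is sized from `sigLen`, but the data passed to `EVP_DecodeUpdate` is `cleanedBase64Signature`, whose length is `cleanedBase64SignatureLen`. Allocate from `cleanedBase64SignatureLen + 1` so the buffer is tied to the input actually decoded and does not depend on `cleanBuffer()` never returning more than `sigLen` characters. The diff is cut off at this point, so the remainder of the call could not be reviewed.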
