Bug 654485 (CVE-2010-3798)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2010-3798 xar: arbitrary code execution via crafted xar archive | | |
| Product | [Other] Security Response | Reporter | Vincent Danen <vdanen> |
| Component | vulnerability | Assignee | Mosaab Alzoubi <moceap> |
| Status | CLOSED RAWHIDE | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | matthias, moceap |
| Target Milestone | --- | Keywords | Reopened, Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | xar-1.8.0.417.1-1 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2020-01-25 02:09:34 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 654486 | | |
| Bug Blocks | | | |
Description
Vincent Danen
2010-11-17 23:44:57 UTC
Created xar tracking bugs for this issue Affects: fedora-all [bug 654486] Apple provided the following patch (sorry, it's inline; that's how it was provided to us and I suspect their client munged it somewhat): Index: xar/lib/signature.c =================================================================== --- xar/lib/signature.c (revision 115) +++ xar/lib/signature.c (working copy) @@ -279,7 +279,7 @@ const xmlChar *value = NULL; const xmlChar *name = NULL; int type; - unsigned int outputLength; + size_t outputLength = 0; ret = malloc(sizeof(struct __xar_signature_t)); Index: xar/lib/b64.c =================================================================== --- xar/lib/b64.c (revision 114) +++ xar/lib/b64.c (working copy) @@ -42,7 +42,7 @@ 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/' }; -unsigned char* xar_to_base64(const unsigned char* input, int len) +unsigned char* xar_to_base64(const unsigned char* input, size_t len) { unsigned char b6; /*UNUSED unsigned char tmp; */ @@ -50,6 +50,7 @@ int i=0; unsigned char* output; int outsize = (((float)len)*4/3)+5; + output = malloc(outsize); if( !output ) @@ -149,17 +150,17 @@ #define B64_INPUT_BLOCK_OFFSET ((inputIndex - 1 - ignorableCharacterCount) % 4) static unsigned int raw_base64_decode( - const unsigned char *input, unsigned char *output, int inLengthToDecode, - unsigned int *outputDecodedLength) + const unsigned char *input, unsigned char *output, size_t inLengthToDecode, + size_t *outputDecodedLength) { int currentBase64Value; unsigned int inputIndex = 0; - unsigned int *decodedCharacterCount; - unsigned int dummyValue; unsigned int ignorableCharacterCount = 0; unsigned int i; unsigned char decodedBuffer[3]; unsigned char currentInputBlockPaddingCharacterCount = 0; + size_t *decodedCharacterCount; + size_t dummyValue; if (outputDecodedLength == NULL) { // do this so that if caller passes in NULL for outputDecodedLength 
@@ -246,7 +247,7 @@ return B64_noError; } -unsigned char* xar_from_base64(const unsigned char* input, int inputLength, unsigned int *outputLength) +unsigned char* xar_from_base64(const unsigned char* input, size_t inputLength, size_t *outputLength) { int err; unsigned char *output; Index: xar/lib/b64.h =================================================================== --- xar/lib/b64.h (revision 114) +++ xar/lib/b64.h (working copy) @@ -7,7 +7,7 @@ #ifndef _XAR_BASE64_H_ #define _XAR_BASE64_H_ -unsigned char* xar_to_base64(const unsigned char* input, int len); -unsigned char* xar_from_base64(const unsigned char* input, int inputLength, unsigned int *outputLength); +unsigned char* xar_to_base64(const unsigned char* input, size_t len); +unsigned char* xar_from_base64(const unsigned char* input, size_t inputLength, size_t *outputLength); #endif /* _XAR_BASE64_H_ */ This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. Fixed in xar-1.8.0.417.1-1 |
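Review bot: in the signature.c hunk (`@@ -279,7 +279,7 @@`), widening `outputLength` to `size_t` only matches the new `xar_from_base64` prototype if every other caller in the tree is updated in the same patch; a caller still passing an `unsigned int *` compiles with only an incompatible-pointer-type warning in C, and on LP64 targets `xar_from_base64` would then store 8 bytes through a 4-byte object. Please grep for `xar_from_base64(` and `xar_to_base64(` outside signature.c and b64.c and widen those variables too. Initialising the variable to 0 is a sensible hardening since the old declaration left it indeterminate.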
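Review bot: in the `xar_to_base64` hunk (`@@ -42,7 +42,7 @@` / `@@ -50,6 +50,7 @@`), `len` becomes `size_t` but the unchanged context line `int outsize = (((float)len)*4/3)+5;` still routes the length through `float` (24-bit mantissa, so large values are rounded) and into an `int` (large values truncate or go negative) before `malloc(outsize)`, so the allocation-size problem is moved rather than removed. Compute the size in `size_t` integer arithmetic, for example `size_t outsize = (len / 3 + 1) * 4 + 1;`, reject `len` values for which that multiplication would overflow, and keep whatever slack the encoder loop below needs. The blank line added before `output = malloc(outsize);` is whitespace only and can be dropped.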
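Review bot: in the `raw_base64_decode` hunk (`@@ -149,17 +150,17 @@`), `inLengthToDecode` becomes `size_t` but `unsigned int inputIndex = 0;` in the unchanged context still indexes the input, so the index is now narrower than the bound it is compared against and `B64_INPUT_BLOCK_OFFSET`, which is derived from `inputIndex` and `ignorableCharacterCount`, stays 32-bit; widen `inputIndex`, `ignorableCharacterCount` and `i` to `size_t` as well so no comparison mixes widths or wraps on inputs over 4 GiB. Deleting `decodedCharacterCount` and `dummyValue` and re-adding them at the end of the declaration block is a pure reordering; changing the two types in place would give a smaller, easier-to-audit diff.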
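Review bot: the `xar_from_base64` hunk (`@@ -246,7 +247,7 @@`) changes only the prototype, and the context stops at `int err; unsigned char *output;`, so the allocation of `output` and the call into `raw_base64_decode` are not visible here. Please confirm that the decode buffer size is derived from the `size_t` `inputLength` without passing through an `int` (the pattern the encoder still uses); otherwise the widened parameter never reaches `malloc` and the original overflow stays reachable. While touching the function, `err` could be `unsigned int` to match the return type of `raw_base64_decode`.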
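Review bot: in the b64.h hunk (`@@ -7,7 +7,7 @@`) the prototypes now use `size_t`, but no `#include <stddef.h>` (or `<stdlib.h>`) is added; the visible context shows the include guard followed directly by the prototypes, so any translation unit that includes b64.h before a header defining `size_t` will fail to compile. Add `#include <stddef.h>` under the guard. These are also non-static, exported symbols whose signatures change, which is an ABI break for existing callers on LP64 platforms (the `outputLength` pointer now targets an 8-byte object); bump the library version or at least call it out in the changelog.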