Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3798 to the following vulnerability:

Name: CVE-2010-3798
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3798
Assigned: 20101007
Reference: CONFIRM: http://support.apple.com/kb/HT4435
Reference: APPLE:APPLE-SA-2010-11-10-1
Reference: URL: http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html

Heap-based buffer overflow in xar in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted xar archive.

This also affects xar on Fedora. Information from Apple indicates that this is not exploitable on 32-bit architectures, but it is potentially exploitable on 64-bit architectures.
Created xar tracking bugs for this issue

Affects: fedora-all [bug 654486]
Apple provided the following patch (sorry, it's inline; that's how it was provided to us and I suspect their client munged it somewhat): Index: xar/lib/signature.c =================================================================== --- xar/lib/signature.c (revision 115) +++ xar/lib/signature.c (working copy) @@ -279,7 +279,7 @@ const xmlChar *value = NULL; const xmlChar *name = NULL; int type; - unsigned int outputLength; + size_t outputLength = 0; ret = malloc(sizeof(struct __xar_signature_t)); Index: xar/lib/b64.c =================================================================== --- xar/lib/b64.c (revision 114) +++ xar/lib/b64.c (working copy) @@ -42,7 +42,7 @@ 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/' }; -unsigned char* xar_to_base64(const unsigned char* input, int len) +unsigned char* xar_to_base64(const unsigned char* input, size_t len) { unsigned char b6; /*UNUSED unsigned char tmp; */ @@ -50,6 +50,7 @@ int i=0; unsigned char* output; int outsize = (((float)len)*4/3)+5; + output = malloc(outsize); if( !output ) @@ -149,17 +150,17 @@ #define B64_INPUT_BLOCK_OFFSET ((inputIndex - 1 - ignorableCharacterCount) % 4) static unsigned int raw_base64_decode( - const unsigned char *input, unsigned char *output, int inLengthToDecode, - unsigned int *outputDecodedLength) + const unsigned char *input, unsigned char *output, size_t inLengthToDecode, + size_t *outputDecodedLength) { int currentBase64Value; unsigned int inputIndex = 0; - unsigned int *decodedCharacterCount; - unsigned int dummyValue; unsigned int ignorableCharacterCount = 0; unsigned int i; unsigned char decodedBuffer[3]; unsigned char currentInputBlockPaddingCharacterCount = 0; + size_t *decodedCharacterCount; + size_t dummyValue; if (outputDecodedLength == NULL) { // do this so that if caller passes in NULL for outputDecodedLength 
@@ -246,7 +247,7 @@ return B64_noError; } -unsigned char* xar_from_base64(const unsigned char* input, int inputLength, unsigned int *outputLength) +unsigned char* xar_from_base64(const unsigned char* input, size_t inputLength, size_t *outputLength) { int err; unsigned char *output; Index: xar/lib/b64.h =================================================================== --- xar/lib/b64.h (revision 114) +++ xar/lib/b64.h (working copy) @@ -7,7 +7,7 @@ #ifndef _XAR_BASE64_H_ #define _XAR_BASE64_H_ -unsigned char* xar_to_base64(const unsigned char* input, int len); -unsigned char* xar_from_base64(const unsigned char* input, int inputLength, unsigned int *outputLength); +unsigned char* xar_to_base64(const unsigned char* input, size_t len); +unsigned char* xar_from_base64(const unsigned char* input, size_t inputLength, size_t *outputLength); #endif /* _XAR_BASE64_H_ */
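Review bot: in the signature.c hunk, `size_t outputLength = 0;` matches the widened `size_t *outputLength` parameter of `xar_from_base64` from the b64.h hunk, and the explicit zero initialisation is an improvement over the previously uninitialised `unsigned int outputLength;`. It is worth confirming that this is the only place that passes a pointer to such a variable: any remaining `unsigned int *` argument to `xar_from_base64` elsewhere in xar is now an incompatible-pointer-type mismatch that a C compiler typically reports only as a warning, so the build log should be checked for it rather than relying on the build failing.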
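Review bot: the `@@ -50,6 +50,7 @@` hunk in b64.c only adds a blank line, but the context it shows is where the remaining risk sits: `int outsize = (((float)len)*4/3)+5;` routes the now `size_t` length through a `float` (24-bit mantissa, so lengths above 2^24 are rounded) and truncates the result back into an `int`, and `int i=0;` is a 32-bit counter that will be compared against the `size_t` bound. Suggest computing the size in integer `size_t` arithmetic with an explicit overflow check before `malloc`, for example rejecting `len / 3 > (SIZE_MAX - 5) / 4` and then using `size_t outsize = len / 3 * 4 + 5;`, and widening `i` to `size_t` in the same change.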
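Review bot: in the `raw_base64_decode` hunk, `inLengthToDecode` and `outputDecodedLength` become `size_t`, but `unsigned int inputIndex = 0;`, `unsigned int ignorableCharacterCount = 0;` and `unsigned int i;` are left as 32-bit counters, so on LP64 targets (the 64-bit builds the report flags as potentially exploitable) an input of 4 GiB or more wraps `inputIndex` while it is still compared against a 64-bit bound; `B64_INPUT_BLOCK_OFFSET` is derived from `inputIndex` and inherits the same issue. Suggest widening those three counters to `size_t` so every index computation in the function is one width. Moving `decodedCharacterCount` and `dummyValue` to `size_t` is the right call, since `dummyValue` is the stand-in for `outputDecodedLength` when the caller passes NULL.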
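Review bot: the `xar_from_base64` hunk in b64.c changes the signature of a header-exported function, so this is an ABI break and not just a recompile: any code that was not rebuilt against the new b64.h and still passes `unsigned int *outputLength` now has 8 bytes written through a 4-byte object on 64-bit targets, which is itself a memory-safety bug. The signature.c hunk updates the one in-tree caller visible here; the rest of the tree should be grepped for calls to `xar_from_base64` and `xar_to_base64` before this is accepted. Minor: `int err;` in the context receives the `static unsigned int` return of `raw_base64_decode` from the previous hunk, which will draw a signed/unsigned warning.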
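Review bot: the b64.h hunk introduces `size_t` into the prototypes without adding `#include <stddef.h>` (or `<sys/types.h>`), so the header now compiles only when the including file happens to have defined `size_t` first. Suggest adding `#include <stddef.h>` directly under the `_XAR_BASE64_H_` include guard so the header is self-contained.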
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Fixed in xar-1.8.0.417.1-1