
Contents of /updates/3/libdigidoc/current/SOURCES/libdigidoc-3.6.0.0-security-fix-DataFile-name-tag.patch



Revision 472660 - (show annotations) (download)
Wed Aug 28 17:29:43 2013 UTC (11 months ago) by sander85
File size: 2210 byte(s)
Fix security vulnerability (mga#11100)
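--- a/libdigidoc/DigiDocError.c
+++ b/libdigidoc/DigiDocError.c
@@ -182,6 +182,7 @@
 /* ERR_DATAFILE_NOT_MANIFEST */ { "Datafile is not described in manifest.xml!", USER },
 /* ERR_SIG_INVALID_PROFILE */ { "Signature does not correspond to profile in manifest.xml!", USER },
 /* ERR_SIGNERS_CERT_NON_REPU */ { "Signers cert does not have non-repudiation bit set!", USER },
+/* ERR_DF_NAME */ { "Failed to parse DataFile name. Invalid file name!", USER },
 
 /* */ {"", NO_ERRORS}
 };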
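--- a/libdigidoc/DigiDocError.h
+++ b/libdigidoc/DigiDocError.h
@@ -200,8 +200,9 @@
 #define ERR_DATAFILE_NOT_MANIFEST 160
 #define ERR_SIG_INVALID_PROFILE 161
 #define ERR_SIGNERS_CERT_NON_REPU 162
+#define ERR_DF_NAME 163
 
-#define ERR_MAX 164 //number of error codes. Increment, if you add a new error code
+#define ERR_MAX 165 //number of error codes. Increment, if you add a new error code
 
 #define ERROR_BUF_LENGTH 20
 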
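Review bot: The comment on `ERR_MAX` says it is the number of error codes, yet the highest code is now 163 and `ERR_MAX` becomes 165, so the constant appears to count the empty terminator row of the message table in DigiDocError.c as well. That table is positional, so a row added in the wrong place or a missed `ERR_MAX` bump would silently shift every later message. I would reword the comment to `//number of rows in the error table (codes + terminator). Increment, if you add a new error code` and, if the table's declaration (not visible in this patch) allows it, add a compile-time check that the table has exactly `ERR_MAX` rows.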
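--- a/libdigidoc/DigiDocSAXParser.c
+++ b/libdigidoc/DigiDocSAXParser.c
@@ -327,6 +327,11 @@
 free(p); p = 0;
 ddocDebug(4, "handleStartDataFile", "Filename in: \'%s\' out: \'%s\'",
 atts[i+1], (char*)mbuf1.pMem);
+ if(strchr((char*)mbuf1.pMem, '/') || strchr((char*)mbuf1.pMem, '\\')) {
+ ddocDebug(1, "handleStartDataFile", "Invalid filename: \'%s\'", (char*)mbuf1.pMem);
+ SET_LAST_ERROR(ERR_DF_NAME);
+ return;
+ }
 }
 if(!strcmp((const char*)atts[i], "MimeType"))
 mime = (const char*)atts[i+1];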
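Review bot: The new `return;` leaves the handler from inside the attribute loop while `mbuf1` still owns the converted file name, so unless the buffer is released elsewhere the rejected-name path leaks it; release it before returning, e.g. `ddocMemBuf_free(&mbuf1);` if that is the helper the rest of the function uses. Returning from a SAX start-element callback also does not stop the parse, so it is worth confirming that the later character-data and end-element handlers cope with a DataFile that was never created and that the caller checks the `ERR_DF_NAME` error. The test itself only rejects `/` and `\`; an empty name, `.` or `..`, and on Windows a name containing `:` still pass, so a stricter rule (or reducing the value to its base name at the point where a path is built) would be more robust. The failing name is also written to the log verbatim at debug level 1, so control characters in it reach the log unescaped. `handleStartDataFile` begins and ends outside this hunk.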
