rpms/glib2/devel glib2-CVE-2008-4316.patch, NONE, 1.1 glib2.spec, 1.200, 1.201

Matthias Clasen mclasen at fedoraproject.org
Thu Mar 12 13:42:08 UTC 2009


Author: mclasen

Update of /cvs/pkgs/rpms/glib2/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21376

Modified Files:
	glib2.spec 
Added Files:
	glib2-CVE-2008-4316.patch 
Log Message:
Avoid integer overflows in the base64 handling functions


glib2-CVE-2008-4316.patch:

--- NEW FILE glib2-CVE-2008-4316.patch ---
--- glib/gbase64.c.orig	2008-12-04 12:07:21.000000000 +0100
+++ glib/gbase64.c	2009-01-12 14:08:31.000000000 +0100
@@ -54,8 +54,9 @@ static const char base64_alphabet[] =
  *
  * The output buffer must be large enough to fit all the data that will
  * be written to it. Due to the way base64 encodes you will need
- * at least: @len * 4 / 3 + 6 bytes. If you enable line-breaking you will
- * need at least: @len * 4 / 3 + @len * 4 / (3 * 72) + 7 bytes.
+ * at least: (@len / 3 + 1) * 4 + 4 bytes (+ 4 may be needed in case of
+ * non-zero state). If you enable line-breaking you will need at least:
+ * ((@len / 3 + 1) * 4 + 4) / 72 + 1 bytes of extra space.
  *
  * @break_lines is typically used when putting base64-encoded data in emails.
  * It breaks the lines at 72 columns instead of putting all of the text on 
@@ -233,8 +234,14 @@ g_base64_encode (const guchar *data, 
   g_return_val_if_fail (data != NULL, NULL);
   g_return_val_if_fail (len > 0, NULL);
 
-  /* We can use a smaller limit here, since we know the saved state is 0 */
-  out = g_malloc (len * 4 / 3 + 4);
+  /* We can use a smaller limit here, since we know the saved state is 0,
+     +1 is needed for trailing \0, also check for unlikely integer overflow */
+  if (len >= ((G_MAXSIZE - 1) / 4 - 1) * 3)
+    g_error("%s: input too large for Base64 encoding (%"G_GSIZE_FORMAT" chars)",
+        G_STRLOC, len);
+
+  out = g_malloc ((len / 3 + 1) * 4 + 1);
+
   outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
   outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
   out[outlen] = '\0';
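Review bot: The overflow guard on line 45 is correct but slightly conservative, and its constant `((G_MAXSIZE - 1) / 4 - 1) * 3` is derived from the allocation size on line 49 without saying so, which makes the two easy to desynchronise if the sizing formula changes again. A comment tying them together would help, e.g. `/* (len / 3 + 1) * 4 + 1 must not exceed G_MAXSIZE; reject a few bytes early rather than risk wrapping */`. Note also that g_error() aborts the process rather than returning NULL the way the g_return_val_if_fail checks above it do; that is consistent with g_malloc's own abort-on-failure policy, but it means an oversized untrusted input reaches a fatal path rather than an error return, which callers should be aware of. The body of g_base64_encode continues outside the hunk.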
@@ -275,7 +282,8 @@ static const unsigned char mime_base64_r
  *
  * The output buffer must be large enough to fit all the data that will
  * be written to it. Since base64 encodes 3 bytes in 4 chars you need
- * at least: @len * 3 / 4 bytes.
+ * at least: (@len / 4) * 3 + 3 bytes (+ 3 may be needed in case of non-zero
+ * state).
  * 
  * Return value: The number of bytes of output that was written
  *
@@ -358,7 +366,8 @@ g_base64_decode (const gchar *text,
 		 gsize       *out_len)
 {
   guchar *ret;
-  gint input_length, state = 0;
+  gsize input_length;
+  gint state = 0;
   guint save = 0;
   
   g_return_val_if_fail (text != NULL, NULL);
@@ -368,7 +377,9 @@ g_base64_decode (const gchar *text,
 
   g_return_val_if_fail (input_length > 1, NULL);
 
-  ret = g_malloc0 (input_length * 3 / 4);
+  /* We can use a smaller limit here, since we know the saved state is 0,
+     +1 used to avoid calling g_malloc0(0), and hence retruning NULL */
+  ret = g_malloc0 ((input_length / 4) * 3 + 1);
   
   *out_len = g_base64_decode_step (text, input_length, ret, &state, &save);
   
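Review bot: The comment added on line 80 misspells `returning` as `retruning`; since it is the only explanation of why the `+ 1` on line 81 exists, it should read `+1 used to avoid calling g_malloc0(0), and hence returning NULL */`. It would also help to say why `(input_length / 4) * 3` is sufficient when state is 0 — presumably g_base64_decode_step only emits output for complete four-character groups, but that function is outside the hunk and the bound should be confirmed against its loop. The enclosing g_base64_decode continues past the end of the hunk.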


Index: glib2.spec
===================================================================
RCS file: /cvs/pkgs/rpms/glib2/devel/glib2.spec,v
retrieving revision 1.200
retrieving revision 1.201
diff -u -r1.200 -r1.201
--- glib2.spec	2 Mar 2009 07:02:04 -0000	1.200
+++ glib2.spec	12 Mar 2009 13:41:37 -0000	1.201
@@ -3,7 +3,7 @@
 Summary: A library of handy utility functions
 Name: glib2
 Version: 2.19.10
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 URL: http://www.gtk.org
@@ -22,11 +22,13 @@
 # this patch requires autoreconf
 BuildRequires: autoconf automake libtool gettext-devel gtk-doc
 
-%description 
+Patch0: glib2-CVE-2008-4316.patch
+
+%description
 GLib is the low-level core library that forms the basis
 for projects such as GTK+ and GNOME. It provides data structure
 handling for C, portability wrappers, and interfaces for such runtime
-functionality as an event loop, threads, dynamic loading, and an 
+functionality as an event loop, threads, dynamic loading, and an
 object system.
 
 This package provides version 2 of GLib.
@@ -38,8 +40,8 @@
 Requires: %{name} = %{version}-%{release}
 
 %description devel
-The glib2-devel package includes the header files for 
-version 2 of the GLib library. 
+The glib2-devel package includes the header files for
+version 2 of the GLib library.
 
 # anaconda needs static libs, see RH bug #193143
 %package static
@@ -49,16 +51,17 @@
 
 %description static
 The glib2-static package includes static libraries
-of version 2 of the GLib library. 
+of version 2 of the GLib library.
 
 %prep
 %setup -q -n glib-%{version}
+%patch0 -p1 -b .CVE-2008-4316
 
 libtoolize --force --copy
 autoreconf
 
 %build
-%configure --disable-gtk-doc --enable-static 
+%configure --disable-gtk-doc --enable-static
 make %{?_smp_mflags}
 
 %install
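Review bot: `%patch0 -p1` on line 140 may not match the path headers of the patch it applies: the embedded patch names its files `glib/gbase64.c.orig` and `glib/gbase64.c`, a single directory component, so stripping one component leaves `gbase64.c`, which is not where the file lives under the `%setup -n glib-%{version}` tree. Unless the patch file is regenerated with `a/` and `b/` prefixes, this should probably be `%patch0 -p0 -b .CVE-2008-4316`; verify by running the %prep stage before the package is built.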
@@ -66,7 +69,7 @@
 
 make install DESTDIR=$RPM_BUILD_ROOT
 
-# we build into /usr/lib, but we want the libraries (but not 
+# we build into /usr/lib, but we want the libraries (but not
 # the devel stuff) in /lib
 ./mkinstalldirs $RPM_BUILD_ROOT/%{_lib}
 pushd $RPM_BUILD_ROOT%{_libdir}
@@ -123,6 +126,9 @@
 %{_libdir}/lib*.a
 
 %changelog
+* Thu Mar 12 2009 Matthias Clasen <mclasen at redhat.com> - 2.19.10-2
+- Fix integer overflows in the base64 handling functions. CVE-2008-4316
+
 * Mon Mar  2 2009 Matthias Clasen <mclasen at redhat.com> - 2.19.10-1
 - Update to 2.19.10
 



