dev-libs/xml-security-c: Security fix for CVE-2009-0217
authorThomas Beierlein <tomjbe@gentoo.org>
Thu, 16 Jul 2009 06:05:10 +0000 (06:05 +0000)
committerThomas Beierlein <tomjbe@gentoo.org>
Thu, 16 Jul 2009 06:05:10 +0000 (06:05 +0000)
svn path=/sunrise/; revision=8832

dev-libs/xml-security-c/ChangeLog
dev-libs/xml-security-c/Manifest
dev-libs/xml-security-c/files/CVE-2009-0217-fix.patch [new file with mode: 0644]
dev-libs/xml-security-c/xml-security-c-1.5.0.ebuild

index fc9e58a5507648056fc417101a8e5edf9deb3ccb..1272ec4f24c2b29cd508387b7794ed85d6437516 100644 (file)
@@ -2,6 +2,10 @@
 # Copyright 2000-2009 Gentoo Foundation; Distributed under the GPL v2
 # $Header: $
 
+  16 Jul 2009; Thomas Beierlein (TomJBE) <tb@forth-ev.de>
+  xml-security-c-1.5.0.ebuild, +files/CVE-2009-0217-fix.patch:
+  Security fix for CVE-2009-0217
+
   16 Jul 2009; Thomas Beierlein (TomJBE) <tb@forth-ev.de>
   -xml-security-c-1.4.0.ebuild, +xml-security-c-1.5.0.ebuild:
   Version bump
index 3c14a8a5569254b388f6395215291128e7fd0fef..613652139f1201e451912967d26f5bb353966413 100644 (file)
@@ -1,4 +1,5 @@
+AUX CVE-2009-0217-fix.patch 3674 RMD160 8d21c8e111dc28b28c668d9c1ceef4df11eecc35 SHA1 7856a29cfd5af2b9dc56420c1bbb3339fb1f65f0 SHA256 bbaee8b06cacb71df1ac4c4bae8b133acb1c9ea61b3522909fa8069655820403
 DIST xml-security-c-1.5.0.tar.gz 957148 RMD160 d40be42ee7f12f48509b2fa31d5029475be398de SHA1 f4c3fe56deac2461bd97ebda1b0b39f70fb20a04 SHA256 a790b6a2e4d5e204184aecc76fb2f0b40bedfd2a643532a7cadec7151dd78475
-EBUILD xml-security-c-1.5.0.ebuild 616 RMD160 1413f166be55b1e4dc05c47b3cf1cf7bbdad0de5 SHA1 3f0f6fcc8fcaf33010c6a9a5f698d1c08382e1bf SHA256 2b5fcca69dfbb3de86f7c8f5d53c900269c43adf6db316597884cf6b40282801
-MISC ChangeLog 644 RMD160 b08242fdff1b82ae353185116d4157d043a4a8d1 SHA1 dea21e549f9e5ffff75136a5035f5ce21e843150 SHA256 8af3fc75188209a3283a59bb6e10b7bff3e8cfdcb21c85805909df0b662b79f3
+EBUILD xml-security-c-1.5.0.ebuild 743 RMD160 1784e3564d6cbb923eb069f31d4b74c0c6750ffe SHA1 833496eef5484861d758003ea156a23dc44b9159 SHA256 4c1daf0b3bb3808ceef716ec6f5294116e2ab2f2ccb14e909491cf9e23047e69
+MISC ChangeLog 799 RMD160 bbde71eaef243080233e75270587c69a3d1c28e5 SHA1 25fdf1ad5543def5cb5cc1a79f7ee51285f5ad99 SHA256 e241eab79831c95650bda8e7163d04913ea9b490c7c56f37cac8337cbb8b8614
 MISC metadata.xml 290 RMD160 a31bb9468300ba7321320de317d3130291b7b156 SHA1 69a4c0e652258ebc2bc5da5df525bad3923ebc7f SHA256 69e4f84c4ff607b175fad5627e93fbcd02c729b7df2b5f759b256bbc07092527
diff --git a/dev-libs/xml-security-c/files/CVE-2009-0217-fix.patch b/dev-libs/xml-security-c/files/CVE-2009-0217-fix.patch
new file mode 100644 (file)
index 0000000..fd20760
--- /dev/null
@@ -0,0 +1,115 @@
+--- src/dsig/DSIGAlgorithmHandlerDefault.cpp   2009/07/14 18:55:07     794016
++++ src/dsig/DSIGAlgorithmHandlerDefault.cpp   2009/07/14 19:03:52     794017
+@@ -459,6 +459,12 @@
+               }
+               // Signature already created, so just translate to base 64 and enter string
++
++        // FIX: CVE-2009-0217
++        if (outputLength > 0 && (outputLength < 80 || outputLength < hashLen / 2)) {
++            throw XSECException(XSECException::AlgorithmMapperError,
++                "HMACOutputLength set to unsafe value.");
++        }
+               
+               convertRawToBase64String(b64SB, 
+                                                               hash, 
+@@ -560,7 +566,14 @@
+       case (XSECCryptoKey::KEY_HMAC) :
+               // Already done - just compare calculated value with read value
+-              sigVfyRet = compareBase64StringToRaw(sig, 
++
++        // FIX: CVE-2009-0217
++        if (outputLength > 0 && (outputLength < 80 || outputLength < hashLen / 2)) {
++            throw XSECException(XSECException::AlgorithmMapperError,
++                "HMACOutputLength set to unsafe value.");
++        }
++
++          sigVfyRet = compareBase64StringToRaw(sig,
+                       hash, 
+                       hashLen,
+                       outputLength);
+--- src/dsig/DSIGSignature.cpp 2009/07/14 18:55:07     794016
++++ src/dsig/DSIGSignature.cpp 2009/07/14 19:03:52     794017
+@@ -1042,6 +1042,13 @@
+       }
++      // FIX: CVE-2009-0217
++
++      if (mp_signedInfo->getHMACOutputLength() > 0 && mp_signedInfo->getHMACOutputLength() < 80) {
++          throw XSECException(XSECException::SigVfyError,
++            "DSIGSignature::verify() - HMACOutputLength is unsafe");
++      }
++
+       // Try to find a key
+       if (mp_signingKey == NULL) {
+--- src/framework/XSECW32Config.hpp    2009/07/14 18:55:07     794016
++++ src/framework/XSECW32Config.hpp    2009/07/14 19:03:52     794017
+@@ -38,7 +38,7 @@
+ #define XSEC_VERSION_MAJOR   1
+ #define XSEC_VERSION_MEDIUM  5
+-#define XSEC_VERSION_MINOR   0
++#define XSEC_VERSION_MINOR   1
+ /*
+  * Because we don't have a configure script, we need to rely on version
+--- configure.ac       2009/07/14 18:55:07     794016
++++ configure.ac       2009/07/14 19:03:52     794017
+@@ -19,12 +19,12 @@
+ # Process this file with autoconf to produce a configure script
+-AC_INIT([[XML-Security-C]], [1.5.0], [security-dev@xml.apache.org], [xml-security-c])
++AC_INIT([[XML-Security-C]], [1.5.1], [security-dev@xml.apache.org], [xml-security-c])
+ AC_CONFIG_AUX_DIR([config])
+ # kick off automake
+-AM_INIT_AUTOMAKE(xml-security-c, 1.5.0)
++AM_INIT_AUTOMAKE(xml-security-c, 1.5.1)
+ sinclude(m4/acx_pthread.m4)
+ AM_PROG_LIBTOOL
+--- src/framework/version.rc   2009/07/14 18:55:07     794016
++++ src/framework/version.rc   2009/07/14 19:03:52     794017
+@@ -54,8 +54,8 @@
+ //
+ VS_VERSION_INFO VERSIONINFO
+- FILEVERSION 1,5,0,0
+- PRODUCTVERSION 1,5,0,0
++ FILEVERSION 1,5,1,0
++ PRODUCTVERSION 1,5,1,0
+  FILEFLAGSMASK 0x3fL
+ #ifdef _DEBUG
+  FILEFLAGS 0x1L
+@@ -73,7 +73,7 @@
+             VALUE "Comments", "\0"
+             VALUE "CompanyName", "The Apache Software Foundation\0"
+             VALUE "FileDescription", "XML Security C++ Library\0"
+-            VALUE "FileVersion", "1, 5, 0, 0\0"
++            VALUE "FileVersion", "1, 5, 1, 0\0"
+ #ifdef _DEBUG
+             VALUE "InternalName", "xsec_1_5D\0"
+ #else
+@@ -88,7 +88,7 @@
+ #endif
+             VALUE "PrivateBuild", "\0"
+             VALUE "ProductName", "XML-Security-C - C++ XML Security Library\0"
+-            VALUE "ProductVersion", "1, 5, 0, 0\0"
++            VALUE "ProductVersion", "1, 5, 1, 0\0"
+             VALUE "SpecialBuild", "\0"
+         END
+     END
+--- xml-security-c.spec        2009/07/14 18:55:07     794016
++++ xml-security-c.spec        2009/07/14 19:03:52     794017
+@@ -1,5 +1,5 @@
+ Name:           xml-security-c
+-Version:        1.5.0
++Version:        1.5.1
+ Release:        1
+ Summary:        C++ XML security library
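Review bot: The bundled patch carries upstream's 1.5.0→1.5.1 version bump (the configure.ac, XSECW32Config.hpp, version.rc and xml-security-c.spec hunks) next to the two src/dsig hunks that are the actual CVE-2009-0217 fix, so the package installed by the 1.5.0 ebuild will identify itself as 1.5.1 (AC_INIT/AM_INIT_AUTOMAKE, and therefore whatever the regenerated configure emits) while the tree still calls it 1.5.0. Trimming the local patch to the DSIGAlgorithmHandlerDefault.cpp and DSIGSignature.cpp hunks keeps the installed version truthful and, since configure.ac would then be untouched, removes the reason for running eautoreconf in the ebuild. Separately, the new guard compares `outputLength` with `hashLen / 2`: HMACOutputLength is defined in bits by the XML Signature spec, and if `hashLen` here is the raw digest length in bytes the two sides of that comparison are in different units — worth confirming against the callers, since the intent is "not less than half the digest length in bits"; a comment such as `// outputLength is in bits; hashLen is in <bytes|bits> — TODO confirm` at the first guard would make the assumption explicit.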
index 8dc89d7d9c60aa7de55821a7c6961eff95b4936c..9bd9cb4a27c7f6e28a651c2adabe18f55feccebd 100644 (file)
@@ -2,6 +2,8 @@
 # Distributed under the terms of the GNU General Public License v2
 # $Header: $
 
+inherit autotools eutils
+
 DESCRIPTION="Apache C++ XML security libraries."
 HOMEPAGE="http://santuario.apache.org/"
 SRC_URI="http://xml.apache.org/security/dist/c-library/${P}.tar.gz"
@@ -17,6 +19,13 @@ RDEPEND="=dev-libs/xerces-c-2*
 DEPEND="${RDEPEND}
        dev-util/pkgconfig"
 
+src_unpack() {
+       unpack ${A}
+       cd "${S}"
+       epatch "${FILESDIR}"/CVE-2009-0217-fix.patch
+       eautoreconf
+}
+
 src_compile () {
        econf $(use_with xalan)
        emake || die "emake failed"
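Review bot: In the new src_unpack the `cd "${S}"` line has no failure check, so if the unpacked directory is not where ${S} points, epatch runs in the wrong directory and the build fails later with a less useful error; the conventional form is `cd "${S}" || die`. The eautoreconf call is only needed because the bundled patch rewrites configure.ac with an upstream version bump; if the patch is reduced to the two src/dsig hunks that constitute the security fix, that line and the autotools eclass can go. The src_compile definition that starts on the last lines of the hunk continues outside it.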