| Summary: | xml-security-c new security issues CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156, CVE-2013-2210 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Oden Eriksson <oe> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | luigiwalser, mageia, martynvidler, sysadmin-bugs |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/555448/ | ||
| Whiteboard: | MGA2TOO mga3-64-ok mga3-32-ok mga2-64-ok mga2-32-ok | ||
| Source RPM: | xml-security-c | CVE: | |
| Status comment: | |||
Description
Oden Eriksson
2013-06-19 07:08:49 CEST
http://santuario.apache.org/secadv.html

CVE-2013-2153: Apache Santuario XML Security for C++ contains an XML Signature Bypass issue
CVE-2013-2154: Apache Santuario XML Security for C++ contains a stack overflow during XPointer evaluation
CVE-2013-2155: Apache Santuario XML Security for C++ contains denial of service and hash length bypass issues while processing HMAC signatures
CVE-2013-2156: Apache Santuario XML Security for C++ contains heap overflow while processing InclusiveNamespace PrefixList

Patched packages have been submitted.

Cauldron was silently fixed here:
http://svnweb.mageia.org/packages?view=revision&revision=444705

Debian has issued an advisory for this on June 18:
http://www.debian.org/security/2013/dsa-2710

Thanks Oden! Assigning to QA.

Advisory:
========================

Updated xml-security-c packages fix security vulnerabilities:

The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content (CVE-2013-2153).

A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code (CVE-2013-2154).

A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input (CVE-2013-2155).

A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution (CVE-2013-2156).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156
http://santuario.apache.org/secadv.html
http://www.debian.org/security/2013/dsa-2710
========================

Updated packages in core/updates_testing:
========================
xml-security-c-1.6.1-1.1.mga2
xml-security-c-devel-1.6.1-1.1.mga2
xml-security-c-1.7.0-2.1.mga3
xml-security-c-devel-1.7.0-2.1.mga3

from SRPMS:
xml-security-c-1.6.1-1.1.mga2.src.rpm
xml-security-c-1.7.0-2.1.mga3.src.rpm

URL:
http://www.debian.org/security/2013/dsa-2710.en.html =>
http://lwn.net/Vulnerabilities/555448/
David Walser
2013-06-19 20:36:34 CEST
Summary:
Multiple vulnerabilities in xml-security-c (CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156) =>
xml-security-c new security issues CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156

MGA3 32 Tested

Opened digidoc (qdigidoc) with xml-security-c-1.7.0-2 mga3
Uninstalled digidoc (qdigidoc)
upgraded to xml-security-c-1.7.0-2.1.mga3
installed xml-security-c-devel-1.7.0-2.1.mga3
reinstalled digidoc (qdigidoc)
Digidoc opened ok, no errors reported.

CC:
(none) =>
martynvidler
martyn vidler
2013-06-22 22:05:12 CEST
Whiteboard:
MGA2TOO =>
MGA2TOO MGA3 -32-ok

Did you test any functionality of digidoc? Not sure how easy it is to test.

Whiteboard:
MGA2TOO MGA3 -32-ok =>
MGA2TOO MGA3-32-ok

Digidoc requires the use of an id card (security keys) which I don't have, so no; if someone knows of using it without an id...

Thanks, this should be sufficient then. qdigidoc actually doesn't use xml-security-c 'til you configure it to use bdoc format, which is currently not suggested.

CC:
(none) =>
mageia

If there is a better option to test this with, I'll wait before testing other archs.

Nothing else uses it. As long as it's dynamically linked to the library and is actually loading it, unless there's an easy way to test functionality using it, there's nothing else that can be done. You can make sure it's loading the library, similar to the libxml2 test procedure (see strace example at the bottom):
https://wiki.mageia.org/en/QA_procedure:Libxml2

It should be loading:
/usr/lib/libxml-security-c.so.16 (mageia 2)
/usr/lib/libxml-security-c.so.17 (mageia 3)

If I run the strace command as in the example https://wiki.mageia.org/en/QA_procedure:Libxml2 it doesn't show anything to do with "libxml-security-c". Google not helping either.

Please show the exact commands you ran in cases like this. It should be something like this:
strace -o strace.out qdigidoc
grep xml strace.out

OK got it now.

MGA3 32
strace -o strace.out qdigidocclient
output
open("/lib/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
So now we can see it loading

Tested on MGA3 64
Carried out same test as comment 14, same results
output
open("/lib/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
martyn vidler
2013-06-23 21:57:56 CEST
Whiteboard:
MGA2TOO MGA3-32-ok =>
MGA2TOO MGA3-32-ok MGA3-64-ok

Tested MGA2 64
Test ran as expected, as comment 14

Whiteboard:
MGA2TOO MGA3-32-ok MGA3-64-ok =>
MGA2TOO MGA3-32-ok MGA3-64-ok MGA2-64-ok

Testing complete on MGA2 32

Validating. Can sysadmin push from core/updates_testing to core/updates. Advisory and srpms in comment 4.

Keywords:
(none) =>
validated_update
Oden Eriksson
2013-06-27 13:08:24 CEST
Summary:
xml-security-c new security issues CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156 =>
xml-security-c new security issues CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156, CVE-2013-2210

Another one:
http://santuario.apache.org/secadv.data/CVE-2013-2210.txt

CVE-2013-2210: Apache Santuario XML Security for C++ contains a heap overflow during XPointer evaluation

Description:
The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code. An attacker could use this to exploit an application performing signature verification if the application does not block the evaluation of such references prior to performing the verification step. The exploit would occur prior to the actual verification of the signature, so does not require authenticated content.

Mitigation:
Applications that do not otherwise prevent the evaluation of XPointer expressions during signature verification and are using library versions older than V1.7.2 should upgrade as soon as possible. Distributors of older versions should apply the patches from this subversion revision:
http://svn.apache.org/viewvc?view=revision&revision=r1496703

Credit:
This issue was reported by Jon Erickson of iSIGHT Partners Labs

xml-security-c-1.6.1-1.2.mga2 + xml-security-c-1.7.0-2.2.mga3 have been submitted; they fix CVE-2013-2210.

Oh, forgot to mention xml-security-c-1.7.2-1.mga4 was submitted as well, which also fixes all the above.

Unvalidating and updating the advisory. This will need re-tested.

Advisory:
========================

Updated xml-security-c packages fix security vulnerabilities:

The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content (CVE-2013-2153).

A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code (CVE-2013-2154).

A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input (CVE-2013-2155).

A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution (CVE-2013-2156).

The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code (CVE-2013-2210).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210
http://santuario.apache.org/secadv.html
http://www.debian.org/security/2013/dsa-2710
========================

Updated packages in core/updates_testing:
========================
xml-security-c-1.6.1-1.2.mga2
xml-security-c-devel-1.6.1-1.2.mga2
xml-security-c-1.7.0-2.2.mga3
xml-security-c-devel-1.7.0-2.2.mga3

from SRPMS:
xml-security-c-1.6.1-1.2.mga2.src.rpm
xml-security-c-1.7.0-2.2.mga3.src.rpm

Keywords:
validated_update =>
(none)

Testing complete mga3 64
Just testing the library is loaded OK with qdigidocclient from qdigidoc package.
$ rpm -q xml-security-c
xml-security-c-1.7.0-2.2.mga3
$ strace -o strace.out qdigidocclient
$ grep xml-security strace.out | grep -v ENOENT
open("/lib64/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
Testing mga3 32 shortly

Whiteboard:
MGA2TOO =>
MGA2TOO mga3-64-ok

Testing complete mga3 32

Whiteboard:
MGA2TOO mga3-64-ok =>
MGA2TOO mga3-64-ok mga3-32-ok

Testing complete mga2 64

Whiteboard:
MGA2TOO mga3-64-ok mga3-32-ok =>
MGA2TOO mga3-64-ok mga3-32-ok mga2-64-ok

Testing complete mga2 32

Validating, advisory & srpms in comment 21 will be uploaded. Could sysadmin please push from 2 & 3 core/updates_testing to core/updates. Thanks

Keywords:
(none) =>
validated_update

advisory uploaded

Debian has issued an advisory for the new issue today (June 28):
http://www.debian.org/security/2013/dsa-2717
from http://lwn.net/Vulnerabilities/556775/

http://advisories.mageia.org/MGASA-2013-0193.html

Status:
NEW =>
RESOLVED
Nicolas Vigier
2014-05-08 18:06:21 CEST
CC:
boklm =>
(none)
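The acceptance test used throughout this thread is whether the program under test actually maps the updated libxml-security-c shared object, checked by grepping strace output while ignoring the ENOENT misses the dynamic loader produces as it searches its path (the `grep -v ENOENT` step in the mga3 64 test above). The following POSIX shell script is an added example and is not part of the Mageia bug, the QA wiki procedure or the xml-security-c project: it parses strace output for the first successful open()/openat() of the library, compares the soname against the mageia 2 (.so.16) / mageia 3 (.so.17) expectations stated in the thread, and can drive a live strace run when strace is installed. The function names and the sample trace text are my own constructions, not captured output.

```shell
#!/bin/sh
# Added example: confirm a program really loads libxml-security-c from strace
# output, automating the manual QA check in the thread. Not from the Mageia
# bug, the wiki procedure or the xml-security-c project.

# Constructed sample of strace output (not captured from a real run). The first
# line is a typical loader miss in a directory searched earlier on the path;
# the second is the successful open that the QA check is looking for.
SAMPLE_TRACE='open("/usr/lib64/tls/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 4'

# loaded_lib_path TRACE_TEXT LIBNAME
# Prints the path of the first open()/openat() of LIBNAME that returned a file
# descriptor, skipping ENOENT misses; exit status 1 if the library never
# loaded. Accepts the "PID " prefix that strace -f adds to every line.
loaded_lib_path() {
    printf '%s\n' "$1" \
      | grep -E "^([0-9]+ +)?open(at)?\(.*$2" \
      | grep -v ENOENT \
      | sed -E 's/^([0-9]+ +)?open(at)?\([^"]*"([^"]*)".*/\3/' \
      | head -n 1 \
      | grep .
}

# expected_soname MAGEIA_RELEASE
# Soname the thread says each release should load (mageia 2 -> .so.16,
# mageia 3 -> .so.17); any other release is an error here.
expected_soname() {
    case "$1" in
        2) echo libxml-security-c.so.16 ;;
        3) echo libxml-security-c.so.17 ;;
        *) return 1 ;;
    esac
}

# verify_loaded TRACE_TEXT MAGEIA_RELEASE
# Exit 0 only if the trace shows a successful open of the soname expected for
# that release; a miss-only trace or a different soname both fail.
verify_loaded() {
    path=$(loaded_lib_path "$1" libxml-security-c) || return 1
    soname=$(expected_soname "$2") || return 1
    [ "$(basename "$path")" = "$soname" ]
}

# run_live_check PROGRAM MAGEIA_RELEASE
# The manual procedure from the thread, automated: trace PROGRAM (and its
# children, since a GUI client may fork) and verify the expected library was
# opened. Requires strace; the caller closes the program as usual.
run_live_check() {
    out=$(mktemp) || return 1
    strace -f -o "$out" "$1" >/dev/null 2>&1
    trace=$(cat "$out"); rm -f "$out"
    if verify_loaded "$trace" "$2"; then
        echo "OK: $1 loaded $(loaded_lib_path "$trace" libxml-security-c)"
    else
        echo "FAIL: $1 did not open $(expected_soname "$2")" >&2
        return 1
    fi
}

# Stand-alone use, e.g.: sh check_xmlsec.sh qdigidocclient 3
if [ $# -eq 2 ] && command -v strace >/dev/null 2>&1; then
    run_live_check "$1" "$2"
fi
```

The ENOENT filter matters because the loader probes several directories (tls/, hwcap subdirectories, each entry of the library path) before it finds the file, so a plain `grep xml strace.out` shows misses as well as the real open; only the line that returned a descriptor proves the patched library is what the process is running.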