Bug 11045

Summary: multiple vulnerabilities in xml-security-c (CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156, CVE-2013-2210)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: 2   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: xml-security-c CVE:
Status comment:

Description Oden Eriksson 2013-08-21 09:25:07 CEST 
======================================================
Name: CVE-2013-2153
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: FULLDISC:20130617 CVE-2013-2153: Apache Santuario C++ signature bypass vulnerability
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0140.html
Reference: MISC:http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/dsig/DSIGReference.cpp?r1=1125514&r2=1493959&pathrev=1493959&diff_format=h
Reference: CONFIRM:http://santuario.apache.org/secadv.data/CVE-2013-2153.txt
Reference: DEBIAN:DSA-2710
Reference: URL:http://www.debian.org/security/2013/dsa-2710

The XML digital signature functionality (xsec/dsig/DSIGReference.cpp)
in Apache Santuario XML Security for C++ (aka xml-security-c) before
1.7.1 allows context-dependent attackers to reuse signatures and spoof
arbitrary content via crafted Reference elements in the Signature, aka
"XML Signature Bypass issue."



======================================================
Name: CVE-2013-2154
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: FULLDISC:20130617 CVE-2013-2154: Apache Santuario C++ stack overflow vulnerability
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0141.html
Reference: MISC:http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/dsig/DSIGReference.cpp?r1=1125514&r2=1493959&pathrev=1493959&diff_format=h
Reference: CONFIRM:http://santuario.apache.org/secadv.data/CVE-2013-2154.txt
Reference: DEBIAN:DSA-2710
Reference: URL:http://www.debian.org/security/2013/dsa-2710

Stack-based buffer overflow in the XML Signature Reference
functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML
Security for C++ (aka xml-security-c) before 1.7.1 allows
context-dependent attackers to cause a denial of service (crash) and
possibly execute arbitrary code via malformed XPointer expressions,
probably related to the DSIGReference::getURIBaseTXFM function.



======================================================
Name: CVE-2013-2155
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: FULLDISC:20130617 CVE-2013-2155: Apache Santuario C++ denial of service vulnerability
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0142.html
Reference: MISC:http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/dsig/DSIGAlgorithmHandlerDefault.cpp?r1=1125752&r2=1493960&pathrev=1493960&diff_format=h
Reference: CONFIRM:http://santuario.apache.org/secadv.data/CVE-2013-2155.txt
Reference: DEBIAN:DSA-2710
Reference: URL:http://www.debian.org/security/2013/dsa-2710

Apache Santuario XML Security for C++ (aka xml-security-c) before
1.7.1 does not properly validate length values, which allows remote
attackers to cause a denial of service or bypass the CVE-2009-0217
protection mechanism and spoof a signature via crafted length values
to the (1) compareBase64StringToRaw, (2) DSIGAlgorithmHandlerDefault,
or (3) DSIGAlgorithmHandlerDefault::verify functions.



======================================================
Name: CVE-2013-2156
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: FULLDISC:20130617 Re: CVE-2013-2156: Apache Santuario C++ heap overflow vulnerability
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0143.html
Reference: MISC:http://svn.apache.org/viewvc?view=revision&revision=1493961
Reference: CONFIRM:http://santuario.apache.org/secadv.data/CVE-2013-2156.txt
Reference: DEBIAN:DSA-2710
Reference: URL:http://www.debian.org/security/2013/dsa-2710

Heap-based buffer overflow in the Exclusive Canonicalization
functionality (xsec/canon/XSECC14n20010315.cpp) in Apache Santuario
XML Security for C++ (aka xml-security-c) before 1.7.1 allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a crafted PrefixList attribute.



======================================================
Name: CVE-2013-2210
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: FULLDISC:20130626 CVE-2013-2210
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0216.html
Reference: CONFIRM:http://santuario.apache.org/secadv.data/CVE-2013-2210.txt
Reference: DEBIAN:DSA-2717
Reference: URL:http://www.debian.org/security/2013/dsa-2717

Heap-based buffer overflow in the XML Signature Reference
functionality in Apache Santuario XML Security for C++ (aka
xml-security-c) before 1.7.2 allows context-dependent attackers to
cause a denial of service (crash) and possibly execute arbitrary code
via malformed XPointer expressions.  NOTE: this is due to an incorrect
fix for CVE-2013-2154.


Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-08-21 15:23:23 CEST 
Eh, he he he. Fixed by me Thu 27 Jun 2013. Memory like a gold fish.

http://advisories.mageia.org/MGASA-2013-0193.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED