Bug 10563 - xml-security-c new security issues CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156, CVE-2013-2210
: xml-security-c new security issues CVE-2013-2153, CVE-2013-2154, CVE-2013-215...
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/555448/
: MGA2TOO mga3-64-ok mga3-32-ok mga2-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-06-19 07:08 CEST by Oden Eriksson
Modified: 2014-05-08 18:06 CEST (History)
4 users (show)

See Also:
Source RPM: xml-security-c
CVE:


Attachments

Description Oden Eriksson 2013-06-19 07:08:49 CEST
CVE-2013-2153
The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content.

CVE-2013-2154
A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code.

CVE-2013-2155
A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input.

CVE-2013-2156
A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution.


Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-06-19 07:11:35 CEST
http://santuario.apache.org/secadv.html

CVE-2013-2153: Apache Santuario XML Security for C++ contains an XML Signature Bypass issue

CVE-2013-2154: Apache Santuario XML Security for C++ contains a stack overflow during XPointer evaluation

CVE-2013-2155: Apache Santuario XML Security for C++ contains denial of service and hash length bypass issues while processing HMAC signatures

CVE-2013-2156: Apache Santuario XML Security for C++ contains heap overflow while processing InclusiveNamespace PrefixList
Comment 3 Oden Eriksson 2013-06-19 07:50:57 CEST
Patched packages has been submitted. Cauldron was silently fixed here: 
http://svnweb.mageia.org/packages?view=revision&revision=444705
Comment 4 David Walser 2013-06-19 20:36:14 CEST
Debian has issued an advisory for this on June 18:
http://www.debian.org/security/2013/dsa-2710

Thanks Oden!  Assigning to QA.

Advisory:
========================

Updated xml-security-c packages fix security vulnerabilities:

The implementation of XML digital signatures in the Santuario-C++ library is
vulnerable to a spoofing issue allowing an attacker to reuse existing
signatures with arbitrary content (CVE-2013-2153).

A stack overflow, possibly leading to arbitrary code execution, exists in the
processing of malformed XPointer expressions in the XML Signature Reference
processing code (CVE-2013-2154).

A bug in the processing of the output length of an HMAC-based XML Signature
would cause a denial of service when processing specially chosen input
(CVE-2013-2155).

A heap overflow exists in the processing of the PrefixList attribute
optionally used in conjunction with Exclusive Canonicalization, potentially
allowing arbitrary code execution (CVE-2013-2156).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156
http://santuario.apache.org/secadv.html
http://www.debian.org/security/2013/dsa-2710
========================

Updated packages in core/updates_testing:
========================
xml-security-c-1.6.1-1.1.mga2
xml-security-c-devel-1.6.1-1.1.mga2
xml-security-c-1.7.0-2.1.mga3
xml-security-c-devel-1.7.0-2.1.mga3

from SRPMS:
xml-security-c-1.6.1-1.1.mga2.src.rpm
xml-security-c-1.7.0-2.1.mga3.src.rpm
Comment 5 martyn vidler 2013-06-22 22:04:37 CEST
MGA3 32

Tested 
Opened digidoc (qdigidoc) with xml-sercurity-c-1.7.0-2 mga3

Uninstalled digidoc (qdigidoc) upgraded to xml-security-c-1.7.0-2.1.mga3
installed xml-security-c-devel-1.7.0-2.1.mga3
reinstalled digidoc (qdigidoc)

Digidoc opened ok no errors reported.
Comment 6 David Walser 2013-06-22 22:09:17 CEST
Did you test any functionality of digidoc?  Not sure how easy it is to test.
Comment 7 martyn vidler 2013-06-22 22:23:39 CEST
Digidoc requires the use of a id card (security keys) which I dont have so no, if some knows of using without id
Comment 8 David Walser 2013-06-22 22:28:13 CEST
Thanks, this should be sufficient then.
Comment 9 Sander Lepik 2013-06-22 22:31:49 CEST
qdigidoc actually doesn't use xml-security-c 'til you configure it to use bdoc format which is currently not suggested.
Comment 10 martyn vidler 2013-06-22 22:52:48 CEST
If there is a better option to test this with, I,ll wait before testing other arch's.
Comment 11 David Walser 2013-06-22 22:58:18 CEST
Nothing else uses it.  As long as it's dynamically linked to the library and is actually loading it, unless there's an easy way to test functionality using it, there's nothing else that can be done.

You can make sure it's loading the library, similar to the libxml2 test procedure (see strace example at the bottom):
https://wiki.mageia.org/en/QA_procedure:Libxml2

It should be loading:
/usr/lib/libxml-security-c.so.16 (mageia 2)
/usr/lib/libxml-security-c.so.17 (mageia 3)
Comment 12 martyn vidler 2013-06-23 20:37:06 CEST
If I run the command strace as in example
https://wiki.mageia.org/en/QA_procedure:Libxml2

It dosn't show anything to do with "libxml-security-c"
Google not helping either.
Comment 13 David Walser 2013-06-23 21:12:09 CEST
Please show the exact commands you ran in cases like this.

It should be something like this:
strace -o strace.out qdigidoc
grep xml strace.out
Comment 14 martyn vidler 2013-06-23 21:34:47 CEST
OK got it now. MGA3 32

strace -o strace.out qdigidocclient

output
open("/lib/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3

So now we can see it loading
Comment 15 martyn vidler 2013-06-23 21:57:14 CEST
Tested on MGA3 64

Carried out same test as comment 14

same results

output
open("/lib/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
Comment 16 martyn vidler 2013-06-26 22:12:20 CEST
Tested MGA2 64

Test run as expected as comment 14
Comment 17 martyn vidler 2013-06-26 22:39:11 CEST
Testing complete on MGA2 32

Validating

Can sysadmin push from core/updates_testing to core/updates

Advisory and sprms comment 4
Comment 18 Oden Eriksson 2013-06-27 13:10:08 CEST
Another one:

http://santuario.apache.org/secadv.data/CVE-2013-2210.txt

CVE-2013-2210: Apache Santuario XML Security for C++ contains a heap
overflow during XPointer evaluation


Description: The attempted fix to address CVE-2013-2154 introduced the
possibility of a heap overflow, possibly leading to arbitrary code
execution, in the processing of malformed XPointer expressions in the
XML Signature Reference processing code.

An attacker could use this to exploit an application performing
signature verification if the application does not block the
evaluation of such references prior to performing the verification
step. The exploit would occur prior to the actual verification of
the signature, so does not require authenticated content.

Mitigation: Applications that do not otherwise prevent the evaluation of
XPointer expressions during signature verification and are using library
versions older than V1.7.2 should upgrade as soon as possible. Distributors
of older versions should apply the patches from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=r1496703

Credit: This issue was reported by Jon Erickson of iSIGHT Partners Labs
Comment 19 Oden Eriksson 2013-06-27 13:11:06 CEST
xml-security-c-1.6.1-1.2.mga2 + xml-security-c-1.7.0-2.2.mga3 has been submitted that fixes CVE-2013-2210.
Comment 20 Oden Eriksson 2013-06-27 13:15:24 CEST
Oh, forgot to mention xml-security-c-1.7.2-1.mga4 was submitted as well that also fixes all the above.
Comment 21 David Walser 2013-06-27 14:28:39 CEST
Unvalidating and updating the advisory.  This will need re-tested.

Advisory:
========================

Updated xml-security-c packages fix security vulnerabilities:

The implementation of XML digital signatures in the Santuario-C++ library is
vulnerable to a spoofing issue allowing an attacker to reuse existing
signatures with arbitrary content (CVE-2013-2153).

A stack overflow, possibly leading to arbitrary code execution, exists in the
processing of malformed XPointer expressions in the XML Signature Reference
processing code (CVE-2013-2154).

A bug in the processing of the output length of an HMAC-based XML Signature
would cause a denial of service when processing specially chosen input
(CVE-2013-2155).

A heap overflow exists in the processing of the PrefixList attribute
optionally used in conjunction with Exclusive Canonicalization, potentially
allowing arbitrary code execution (CVE-2013-2156).

The attempted fix to address CVE-2013-2154 introduced the possibility of a
heap overflow, possibly leading to arbitrary code execution, in the
processing of malformed XPointer expressions in the XML Signature Reference
processing code (CVE-2013-2210).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210
http://santuario.apache.org/secadv.html
http://www.debian.org/security/2013/dsa-2710
========================

Updated packages in core/updates_testing:
========================
xml-security-c-1.6.1-1.2.mga2
xml-security-c-devel-1.6.1-1.2.mga2
xml-security-c-1.7.0-2.2.mga3
xml-security-c-devel-1.7.0-2.2.mga3

from SRPMS:
xml-security-c-1.6.1-1.2.mga2.src.rpm
xml-security-c-1.7.0-2.2.mga3.src.rpm
Comment 22 claire robinson 2013-06-27 16:54:11 CEST
Testing complete mga3 64

Just testing the library is loaded OK with qdigidocclient from qdigidoc package.

$ rpm -q xml-security-c
xml-security-c-1.7.0-2.2.mga3

$ strace -o strace.out qdigidocclient

$ grep xml-security strace.out | grep -v ENOENT
open("/lib64/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3

Testing mga3 32 shortly
Comment 23 claire robinson 2013-06-27 16:58:49 CEST
Testing complete mga3 32
Comment 24 claire robinson 2013-06-27 17:25:38 CEST
Testing complete mga2 64
Comment 25 claire robinson 2013-06-27 17:37:54 CEST
Testing complete mga2 32

Validating, advisory & srpms in comment 21 will be uploaded

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks
Comment 26 claire robinson 2013-06-27 18:00:04 CEST
advisory uploaded
Comment 27 David Walser 2013-06-28 18:44:43 CEST
Debian has issued an advisory for the new issue today (June 28):
http://www.debian.org/security/2013/dsa-2717

from http://lwn.net/Vulnerabilities/556775/
Comment 28 Nicolas Vigier 2013-07-01 21:21:43 CEST
http://advisories.mageia.org/MGASA-2013-0193.html

Note You need to log in before you can comment on or make changes to this bug.