CVE-2013-2153
The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content.

CVE-2013-2154
A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code.

CVE-2013-2155
A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input.

CVE-2013-2156
A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution.

http://santuario.apache.org/secadv.html

CVE-2013-2153: Apache Santuario XML Security for C++ contains an XML Signature Bypass issue
CVE-2013-2154: Apache Santuario XML Security for C++ contains a stack overflow during XPointer evaluation
CVE-2013-2155: Apache Santuario XML Security for C++ contains denial of service and hash length bypass issues while processing HMAC signatures
CVE-2013-2156: Apache Santuario XML Security for C++ contains heap overflow while processing InclusiveNamespace PrefixList
http://patch-tracker.debian.org/patch/series/dl/xml-security-c/1.6.1-6/debian-changes
Patched packages have been submitted. Cauldron was silently fixed here: http://svnweb.mageia.org/packages?view=revision&revision=444705

Debian has issued an advisory for this on June 18:
http://www.debian.org/security/2013/dsa-2710

Thanks Oden!

Assigning to QA.

Advisory:
========================

Updated xml-security-c packages fix security vulnerabilities:

The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content (CVE-2013-2153).

A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code (CVE-2013-2154).

A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input (CVE-2013-2155).

A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution (CVE-2013-2156).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156
http://santuario.apache.org/secadv.html
http://www.debian.org/security/2013/dsa-2710
========================

Updated packages in core/updates_testing:
========================
xml-security-c-1.6.1-1.1.mga2
xml-security-c-devel-1.6.1-1.1.mga2
xml-security-c-1.7.0-2.1.mga3
xml-security-c-devel-1.7.0-2.1.mga3

from SRPMS:
xml-security-c-1.6.1-1.1.mga2.src.rpm
xml-security-c-1.7.0-2.1.mga3.src.rpm

URL: http://www.debian.org/security/2013/dsa-2710.en.html => http://lwn.net/Vulnerabilities/555448/
CC: (none) => luigiwalser
Version: 2 => 3
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA2TOO
Summary: Multiple vulnerabilities in xml-security-c (CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156) => xml-security-c new security issues CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156
MGA3 32 Tested
Opened digidoc (qdigidoc) with xml-security-c-1.7.0-2 mga3
Uninstalled digidoc (qdigidoc)
upgraded to xml-security-c-1.7.0-2.1.mga3
installed xml-security-c-devel-1.7.0-2.1.mga3
reinstalled digidoc (qdigidoc)
Digidoc opened ok, no errors reported.
CC: (none) => martynvidler
Whiteboard: MGA2TOO => MGA2TOO MGA3 -32-ok
Did you test any functionality of digidoc? Not sure how easy it is to test.
Whiteboard: MGA2TOO MGA3 -32-ok => MGA2TOO MGA3-32-ok
Digidoc requires the use of an id card (security keys) which I don't have so no, if someone knows of using without id
Thanks, this should be sufficient then.
qdigidoc actually doesn't use xml-security-c 'til you configure it to use bdoc format which is currently not suggested.
CC: (none) => mageia
If there is a better option to test this with, I'll wait before testing other arch's.

Nothing else uses it. As long as it's dynamically linked to the library and is actually loading it, unless there's an easy way to test functionality using it, there's nothing else that can be done.

You can make sure it's loading the library, similar to the libxml2 test procedure (see strace example at the bottom):
https://wiki.mageia.org/en/QA_procedure:Libxml2

It should be loading:
/usr/lib/libxml-security-c.so.16 (mageia 2)
/usr/lib/libxml-security-c.so.17 (mageia 3)

If I run the command strace as in example https://wiki.mageia.org/en/QA_procedure:Libxml2
it doesn't show anything to do with "libxml-security-c". Google not helping either.

Please show the exact commands you ran in cases like this. It should be something like this:
strace -o strace.out qdigidoc
grep xml strace.out

OK got it now.
MGA3 32
strace -o strace.out qdigidocclient
output
open("/lib/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
So now we can see it loading

Tested on MGA3 64
Carried out same test as comment 14, same results
output
open("/lib/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
Whiteboard: MGA2TOO MGA3-32-ok => MGA2TOO MGA3-32-ok MGA3-64-ok
Tested MGA2 64 Test run as expected as comment 14
Whiteboard: MGA2TOO MGA3-32-ok MGA3-64-ok => MGA2TOO MGA3-32-ok MGA3-64-ok MGA2-64-ok
Testing complete on MGA2 32
Validating
Can sysadmin push from core/updates_testing to core/updates
Advisory and srpms comment 4

Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA3-32-ok MGA3-64-ok MGA2-64-ok => MGA2TOO MGA3-32-ok MGA3-64-ok MGA2-64-ok MGA2-32-ok
CC: (none) => sysadmin-bugs
Summary: xml-security-c new security issues CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156 => xml-security-c new security issues CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156, CVE-2013-2210
Another one:
http://santuario.apache.org/secadv.data/CVE-2013-2210.txt

CVE-2013-2210: Apache Santuario XML Security for C++ contains a heap overflow during XPointer evaluation

Description:
The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code.

An attacker could use this to exploit an application performing signature verification if the application does not block the evaluation of such references prior to performing the verification step. The exploit would occur prior to the actual verification of the signature, so does not require authenticated content.

Mitigation:
Applications that do not otherwise prevent the evaluation of XPointer expressions during signature verification and are using library versions older than V1.7.2 should upgrade as soon as possible. Distributors of older versions should apply the patches from this subversion revision:
http://svn.apache.org/viewvc?view=revision&revision=r1496703

Credit:
This issue was reported by Jon Erickson of iSIGHT Partners Labs

xml-security-c-1.6.1-1.2.mga2 + xml-security-c-1.7.0-2.2.mga3 have been submitted that fix CVE-2013-2210.
Oh, forgot to mention xml-security-c-1.7.2-1.mga4 was submitted as well that also fixes all the above.
Unvalidating and updating the advisory. This will need re-tested.

Advisory:
========================

Updated xml-security-c packages fix security vulnerabilities:

The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content (CVE-2013-2153).

A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code (CVE-2013-2154).

A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input (CVE-2013-2155).

A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution (CVE-2013-2156).

The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code (CVE-2013-2210).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2210
http://santuario.apache.org/secadv.html
http://www.debian.org/security/2013/dsa-2710
========================

Updated packages in core/updates_testing:
========================
xml-security-c-1.6.1-1.2.mga2
xml-security-c-devel-1.6.1-1.2.mga2
xml-security-c-1.7.0-2.2.mga3
xml-security-c-devel-1.7.0-2.2.mga3

from SRPMS:
xml-security-c-1.6.1-1.2.mga2.src.rpm
xml-security-c-1.7.0-2.2.mga3.src.rpm

Keywords: validated_update => (none)
Whiteboard: MGA2TOO MGA3-32-ok MGA3-64-ok MGA2-64-ok MGA2-32-ok => MGA2TOO

Testing complete mga3 64

Just testing the library is loaded OK with qdigidocclient from qdigidoc package.

$ rpm -q xml-security-c
xml-security-c-1.7.0-2.2.mga3

$ strace -o strace.out qdigidocclient
$ grep xml-security strace.out | grep -v ENOENT
open("/lib64/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3

Testing mga3 32 shortly
Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok
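The strace check used in the comments above, written as a reusable script (an added example, not part of the original thread). The function names loaded_xmlsec_lib and expect_soname are hypothetical and the sample strace lines are constructed. It only confirms which library file the process loaded; the installed package version still has to be checked with rpm -q.

```shell
#!/bin/sh
# Added example: confirm from strace output that a program really loaded
# libxml-security-c, and that it loaded the expected soname major version
# (.so.16 on Mageia 2, .so.17 on Mageia 3, as stated in the thread).

# loaded_xmlsec_lib FILE
# Print each libxml-security-c.so.N path that was opened successfully
# (return value is a file descriptor). Failed library-path probes
# ("= -1 ENOENT ...") are skipped. Handles open() and openat(), with or
# without the PID prefix that "strace -f" adds.
loaded_xmlsec_lib() {
    sed -n -E \
      's#^.*open(at)?\((AT_FDCWD, )?"([^"]*/libxml-security-c\.so\.[0-9]+)".*\) = [0-9]+$#\3#p' \
      "$1" | sort -u
}

# expect_soname FILE MAJOR
# Succeed only if the library was loaded and every loaded copy has the
# expected major version; print the loaded path(s) on success.
expect_soname() {
    libs=$(loaded_xmlsec_lib "$1")
    if [ -z "$libs" ]; then
        echo "libxml-security-c was not loaded" >&2
        return 1
    fi
    for lib in $libs; do
        case "$lib" in
            *.so."$2") ;;
            *) echo "unexpected library: $lib" >&2; return 1 ;;
        esac
    done
    echo "$libs"
}

# Constructed sample of "strace -o strace.out qdigidocclient" output.
sample=$(mktemp)
cat > "$sample" <<'EOF'
open("/usr/lib/tls/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
open("/lib/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
EOF

expect_soname "$sample" 17
```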
Testing complete mga3 32
Whiteboard: MGA2TOO mga3-64-ok => MGA2TOO mga3-64-ok mga3-32-ok
Testing complete mga2 64
Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-64-ok
Testing complete mga2 32

Validating, advisory & srpms in comment 21 will be uploaded

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok mga2-64-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-64-ok mga2-32-ok
advisory uploaded
Debian has issued an advisory for the new issue today (June 28): http://www.debian.org/security/2013/dsa-2717 from http://lwn.net/Vulnerabilities/556775/
http://advisories.mageia.org/MGASA-2013-0193.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)