Debian has issued an advisory on August 5:
Mageia 5 and Mageia 6 are also affected.
Assigning to the registered maintainer.
I have uploaded a patched package for Mageia 6 (Cauldron was fixed by a new version from guillomovitch).
I have no idea how to test the patch...
Updated xml-security-c packages fix security vulnerability:
It was discovered that the Apache XML Security for C++ library performed insufficient validation of KeyInfo hints, which could result in denial of service via NULL pointer dereferences when processing malformed XML data.
Updated packages in core/updates_testing:
Mageia 6, x86_64
No idea about testing the patch either. Nothing upstream.
Installed qdigidoc and ran strace on the gui via qdigidocclient.
$ strace -o trace.qdig qdigidocclient
This presented the DigiDoc3 interface where documents can be signed or opened. There is a third option which looks like an opportunity to encrypt the signage:
"Open DigiDoc3 Crypto"
Pressed "Open signed document" which led to a file manager.
Retreated - just giving the application something to do.
The language options work.
Closed down and checked the trace file.
$ grep xml-security trace.qdig
open("/lib64/libxml-security-c.so.17", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libxml-security-c.so.17.0.3", O_RDONLY) = 3
open("/usr/lib64/libxml-security-c.so.17.0.3", O_RDONLY) = 24
Updated xml-security-c and tinkered with qdigidocclient.
Picked a PDF document rather than XML and the DigiDoc stated that PDF signing would be forwarded to the Estonian authority and a form was presented for the user to enter details. Backed out at that point.
Just have to assume that it is all working. No crashes or errors reported.
Sounds like the best we can do. Validating...
An update for this issue has been pushed to the Mageia Updates repository.