Fix for CVE-2013-2154 introduced another possible heap overflow

Bug #1199969 reported by Luke Faraone
This bug affects 2 people
Affects                  Status        Importance  Assigned to  Milestone
xml-security-c (Ubuntu)  Fix Released  High        Unassigned
Precise                  Fix Released  Undecided   Unassigned
Quantal                  Fix Released  Undecided   Unassigned
Raring                   Fix Released  Undecided   Unassigned
Saucy                    Fix Released  High        Unassigned

Bug Description

From the new CVE:

The attempted fix to address CVE-2013-2154 introduced the
possibility of a heap overflow, possibly leading to arbitrary code
execution, in the processing of malformed XPointer expressions in the
XML Signature Reference processing code.

Luke Faraone (lfaraone) wrote :

This was fixed in 1.6.1-7.

Changed in xml-security-c (Ubuntu):
status: Triaged → Fix Released
no longer affects: xml-security-c (Ubuntu Lucid)
Luke Faraone (lfaraone) wrote :

See also bug 1192874.

Luke Faraone (lfaraone) wrote :

In addition to fakesyncing for raring/quantal, can we also do the same for precise?

Looking at the changelog: http://ftp-master.metadata.debian.org/changelogs//main/x/xml-security-c/xml-security-c_1.6.1-7_changelog

-2 and -3 enable hardening and multiarch (the former is useful for security; the latter is unlikely to cause problems, as it would just be adding a new, essentially leaf, package).

The changes in -4 are reverted in -5, which besides that only contains a copyright fix.

-6 and -7 contain the security fixes we are concerned with.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xml-security-c (Ubuntu Precise):
status: New → Confirmed
Changed in xml-security-c (Ubuntu Quantal):
status: New → Confirmed
Changed in xml-security-c (Ubuntu Raring):
status: New → Confirmed
Changed in xml-security-c (Ubuntu Raring):
status: Confirmed → Fix Committed
Changed in xml-security-c (Ubuntu Quantal):
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Marking the precise task as Invalid since it doesn't have the fix for CVE-2013-2154 yet. See bug #1192874 for details.

Changed in xml-security-c (Ubuntu Precise):
status: Confirmed → Invalid
Changed in xml-security-c (Ubuntu Quantal):
status: Fix Committed → Fix Released
Changed in xml-security-c (Ubuntu Raring):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Quantal now has 1.6.1-7~build0.12.10.1 and Raring has 1.6.1-7~build0.13.04.1.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xml-security-c - 1.6.1-1ubuntu0.1

---------------
xml-security-c (1.6.1-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: (LP: #1192874).
    - Apply upstream patch to fix a spoofing vulnerability that allows an
      attacker to reuse existing signatures with arbitrary content.
      (CVE-2013-2153)
    - Apply upstream patch to fix a stack overflow in the processing of
      malformed XPointer expressions in the XML Signature Reference
      processing code. (CVE-2013-2154)
    - Apply upstream patch to fix processing of the output length of an
      HMAC-based XML Signature that could cause a denial of service when
      processing specially chosen input. (CVE-2013-2155)
    - Apply upstream patch to fix a heap overflow in the processing of the
      PrefixList attribute optionally used in conjunction with Exclusive
      Canonicalization, potentially allowing arbitrary code execution.
      (CVE-2013-2156)
  * SECURITY UPDATE: The attempted fix to address CVE-2013-2154 introduced
    the possibility of a heap overflow, possibly leading to arbitrary code
    execution, in the processing of malformed XPointer expressions in the
    XML Signature Reference processing code (LP: #1199969).
    - Apply upstream patch to fix that heap overflow. (CVE-2013-2210)
 -- Christian Biamont <email address hidden> Wed, 25 Sep 2013 10:27:27 +0200

Changed in xml-security-c (Ubuntu Precise):
status: Invalid → Fix Released
This report contains Public Security information  
Everyone can see this security related information.