ECDSA XML signature generation segmentation fault

Bug #1816040 reported by Alejandro Claro
This bug affects 1 person
Affects: xml-security-c (Ubuntu) / Status: Fix Released / Importance: Medium / Assigned to: Eduardo Barretto
Affects: xml-security-c (Ubuntu Bionic) / Status: New / Importance: Medium / Assigned to: Unassigned

Bug Description

We found a bug in Apache Santuario C, related to ECDSA signature generation, a few years ago. We provided the fix to the Apache team, and Scott Cantor kindly accepted the fix in the project. However, the fix was introduced in series 2.x of the library.

The fix we provided was for version 1.7.x (xml-security-c17) found in Ubuntu 14.04, and it looks like Ubuntu 18.04 is still including a version from series 1.7.x. Our products go through certification processes where using source code without patches is something very well seen.

We are interested in exploring the possibility of starting a communication with the Ubuntu maintainers team, in order to request including some patches or version upgrades in libraries we are contributing to and using in products based on Ubuntu minimal 14.04 and 18.04.

The commit with the fix for the bug can be found here:

http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/utils/XSECSafeBuffer.cpp?r1=1806212&r2=1807280&diff_format=h

Alejandro Claro (aclaro)
summary: - ECDSA signature generation segmentation fault
+ ECDSA XML signature generation segmentation fault
Matthias Klose (doko)
information type: Public → Public Security
Revision history for this message
Alejandro Claro (aclaro) wrote :

Here is the debdiff in case it could help the maintainers to solve the bug.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "1.7.2-2ubuntu1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Changed in xml-security-c (Ubuntu):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
Mathew Hodson (mhodson)
tags: added: bionic trusty xenial
Changed in xml-security-c (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
Changed in xml-security-c (Ubuntu Bionic):
importance: Undecided → Medium
Changed in xml-security-c (Ubuntu):
assignee: Eduardo dos Santos Barretto (ebarretto) → nobody
Changed in xml-security-c (Ubuntu):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
status: Fix Released → New
Changed in xml-security-c (Ubuntu):
status: New → In Progress
Eduardo Barretto (ebarretto) wrote :
Changed in xml-security-c (Ubuntu):
status: In Progress → Fix Released
Alejandro Claro (aclaro) wrote :

Hi Eduardo,

We have tested and it seems to be working correctly.

Thanks

Simon Quigley (tsimonq2) wrote :

Unsubscribing the Ubuntu Security Sponsors Team as there is nothing left to sponsor.
