Bug 361397 (CVE-2011-1425) - <dev-libs/xmlsec-1.2.17: Arbitrary file creation or overwrite vulnerability (CVE-2011-1425)
Status: RESOLVED FIXED
Alias: CVE-2011-1425
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://git.gnome.org/browse/xmlsec/co...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-30 22:21 UTC by Tim Sammut (RETIRED)
Modified: 2014-12-12 00:37 UTC

See Also:
Package list:
Runtime testing required: ---
Description Tim Sammut (RETIRED) gentoo-dev 2011-03-30 22:21:15 UTC
*
* We have been asked to treat this as a CONFIDENTIAL issue until 
* upstream releases a fix package. Please do not share any information
* from within this bug, until the Security team makes this bug public.
*
* Thank you.
*

From the inbound email:

We've been notified by xmlsec upstream about the issue in xmlsec
reported by Nicolas Grégoire that causes xmlsec to create or overwrite
an arbitrary file when trying to verify the signature of an XML file.  This
happens when the XML includes an XSLT transform using the output extension
(xmlsec must have XSLT support enabled, which is the default); the file name
and content are chosen by the XML file author.

Upstream git has the fix already:
http://git.gnome.org/browse/xmlsec/commit/?id=35eaacde6093d6711339754fc2146341b8b9f5fa

The issue should be considered public only once the new upstream xmlsec
version is released later this week.

Aleksey and Nicolas pointed out a few possible mitigations that programs
using the xmlsec library can use:
- disable the XSLT transform if it is not used, in struct xmlSecTransformCtx
- explicitly call xsltNewSecurityPrefs() and forbid any access
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-30 22:31:41 UTC
Hi, Daniel and Dane.

Given the short time line before this is planned to go public, it would be fantastic if we could either:
 - Create an ebuild for 1.2.16-r1 including a patch based on the commit at $URL, or
 - Create an ebuild for 1.2.17, that we can test after it is released.

If you are able to do this before this issue is made public, please attach the ebuild to this bug *without* committing to CVS. Thank you.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-04-01 00:15:54 UTC
This is now public.

http://www.aleksey.com/xmlsec/download.html
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-04-03 22:32:03 UTC
Stabilize dev-libs/xmlsec-1.2.17.
Comment 4 Andreas Schürch gentoo-dev 2011-04-04 06:47:54 UTC
Tested on x86, looks good over here.
Comment 5 Thomas Kahle (RETIRED) gentoo-dev 2011-04-04 12:41:25 UTC
x86 stable. Thanks Andreas.
Comment 6 Agostino Sarubbo gentoo-dev 2011-04-04 18:55:42 UTC
amd64 ok
Comment 7 Christoph Mende (RETIRED) gentoo-dev 2011-04-05 07:39:42 UTC
amd64 done, thanks Agostino
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-04-05 15:15:07 UTC
Thanks, folks. GLSA request filed.
Comment 9 Alon Bar-Lev (RETIRED) gentoo-dev 2012-12-15 19:25:56 UTC
security: Any reason to keep this open?
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-12-16 16:16:42 UTC
CVE-2011-1425 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425):
  xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit
  and other products, when XSLT is enabled, allows remote attackers to create
  or overwrite arbitrary files via vectors involving the libxslt output
  extension and a ds:Transform element during signature verification.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:37:33 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).