From ${URL} : A heap-based buffer overflow flaw was found in the way xml-security-c, a C++ implementation of the XML Digital Signature specification, used to evaluate certain XPointer expressions. The fix to address CVE-2013-2154 flaw introduced a possibility of a heap-based buffer overflow, in the processing of malformed XPointer expression in the XML Signature References processing code. A remote attacker could provide a specially-crafted XML file to an application linked against xml-security-c that, when processed would lead to that application crash or, potentially, arbitrary code execution with the privileges of the user running the application. References: [1] http://santuario.apache.org/secadv.data/CVE-2013-2210.txt Relevant upstream patch: @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
CVE-2013-2210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2210): Heap-based buffer overflow in the XML Signature Reference functionality in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed XPointer expressions. NOTE: this is due to an incorrect fix for CVE-2013-2154.
@maintainers: version 1.7.2 is released upstream fixing multiple security vulnerabilities. Please bump http://santuario.apache.org/download.html
Here are the versions that the CVE's Address. CVE-2013-2153 - 1.7.1 CVE-2013-2154 - 1.7.1 CVE-2013-2155 - 1.7.1 CVE-2013-2156 - 1.7.1 CVE-2013-2210 - 1.7.2 Recommendation to bump to 1.7.2 the current stable version. Stable since June 2013. Please advise when the bump is done.
Ping on the ebuild for the package?
Ebuild for 1.7.3 available at my overlay at https://github.com/barzog/barzog-gentoo-overlay/blob/master/dev-libs/xml-security-c/xml-security-c-1.7.3.ebuild
+*xml-security-c-1.7.3 (02 Apr 2015) + + 02 Apr 2015; Sergey Popov <pinkbyte@gentoo.org> -xml-security-c-1.6.1.ebuild, + +xml-security-c-1.7.3.ebuild: + Version bump, drop old, wrt bugs #454706 and #474992