Bug 474992 (CVE-2013-2210) - <dev-libs/xml-security-c-1.7.3: Multiple vulnerabilities (CVE-2013-{2153,2154,2155,2156,2210})
Summary: <dev-libs/xml-security-c-1.7.3: Multiple vulnerabilities (CVE-2013-{2153,2154...
Status: RESOLVED FIXED
Alias: CVE-2013-2210
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-27 15:53 UTC by Agostino Sarubbo
Modified: 2015-04-02 19:31 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-06-27 15:53:56 UTC
From ${URL} :

A heap-based buffer overflow flaw was found in the way xml-security-c, a C++ implementation of the XML Digital Signature specification, evaluated certain XPointer expressions. The fix to address the CVE-2013-2154 flaw introduced the possibility of a heap-based buffer overflow in the processing of malformed XPointer expressions in the XML Signature References processing code. A remote attacker could provide a specially crafted XML file to an application linked against xml-security-c that, when processed, would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running the application.

References:
[1] http://santuario.apache.org/secadv.data/CVE-2013-2210.txt

Relevant upstream patch:


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 03:36:29 UTC
CVE-2013-2210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2210):
  Heap-based buffer overflow in the XML Signature Reference functionality in
  Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.2
  allows context-dependent attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via malformed XPointer expressions.  NOTE:
  this is due to an incorrect fix for CVE-2013-2154.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-27 17:10:01 UTC
@maintainers: version 1.7.2 is released upstream fixing multiple security vulnerabilities. Please bump.

http://santuario.apache.org/download.html
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-09-10 01:29:50 UTC
Here are the versions that address the CVEs.

CVE-2013-2153 - 1.7.1
CVE-2013-2154 - 1.7.1
CVE-2013-2155 - 1.7.1
CVE-2013-2156 - 1.7.1
CVE-2013-2210 - 1.7.2

Recommendation: bump to 1.7.2, the current stable version, stable since June 2013.

Please advise when the bump is done.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 18:40:02 UTC
Ping on the ebuild for the package?
Comment 5 Oleg Gawriloff 2015-03-24 16:37:26 UTC
Ebuild for 1.7.3 available at my overlay at 
https://github.com/barzog/barzog-gentoo-overlay/blob/master/dev-libs/xml-security-c/xml-security-c-1.7.3.ebuild
Comment 6 Sergey Popov gentoo-dev 2015-04-02 19:31:11 UTC
+*xml-security-c-1.7.3 (02 Apr 2015)
+
+  02 Apr 2015; Sergey Popov <pinkbyte@gentoo.org> -xml-security-c-1.6.1.ebuild,
+  +xml-security-c-1.7.3.ebuild:
+  Version bump, drop old, wrt bugs #454706 and #474992