Summary: <dev-libs/xmlsec-1.2.17: Arbitrary file creation or overwrite vulnerability (CVE-2011-1425)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: alexanderyt, c1pher, dragonheart
Package list:
Runtime testing required: ---
Description Tim Sammut (RETIRED) 2011-03-30 22:21:15 UTC
We have been asked to treat this as a CONFIDENTIAL issue until upstream releases a fix package. Please do not share any information from within this bug until the Security team makes this bug public. Thank you.

From the inbound email:

We've been notified by xmlsec upstream about the issue in xmlsec reported by Nicolas Grégoire that causes xmlsec to create or overwrite arbitrary files when trying to verify the signature of an XML file. This happens when the XML includes an XSLT transform using the output extension (xmlsec must have XSLT support enabled, which is the default); the file name and content are chosen by the XML file author.

Upstream git has the fix already: http://git.gnome.org/browse/xmlsec/commit/?id=35eaacde6093d6711339754fc2146341b8b9f5fa

The issue should be considered public only once the new upstream xmlsec version is released later this week.

Aleksey and Nicolas pointed out a few possible mitigations that programs using the xmlsec library can use:
- disable the XSLT transform if not used in struct xmlSecTransformCtx
- explicitly call xsltNewSecurityPrefs() and forbid any access
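The mitigations above live inside the xmlsec/libxslt API. A complementary control for deployments that never legitimately need XSLT transforms is to screen a signed document's ds:Transform chain before handing it to xmlsec at all. The following is an added example (not code from this bug, from xmlsec or from Gentoo) using only the Python standard library; the set of file-writing output extension elements it looks for is an assumption about which elements libxslt implements as document output, and the sample document and its href value are constructed placeholders.

```python
"""Pre-verification screen for XML Signature transform chains (added example)."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_ALG = "http://www.w3.org/TR/1999/REC-xslt-19991116"
# Extension elements that libxslt implements as "write the result to a file".
# Assumption: this list mirrors libxslt's document-output instructions.
OUTPUT_ELEMS = {
    "{http://exslt.org/common}document",
    "{http://www.w3.org/1999/XSL/Transform}document",
    "{http://icl.com/saxon}output",
}

def audit_transforms(signed_xml):
    """Return one finding per XSLT ds:Transform: its position in document
    order and any file targets (href attributes) named by output elements."""
    root = ET.fromstring(signed_xml)
    findings = []
    for pos, tr in enumerate(root.iter(f"{{{DS}}}Transform")):
        if tr.get("Algorithm") != XSLT_ALG:
            continue
        targets = [el.get("href", "") for el in tr.iter() if el.tag in OUTPUT_ELEMS]
        findings.append({"position": pos, "output_targets": targets})
    return findings

def safe_to_verify(signed_xml, allow_xslt=False):
    """Policy gate: True only when the transform chain passes policy.
    Default policy rejects any XSLT transform; the relaxed policy still
    rejects stylesheets that name a file output target."""
    findings = audit_transforms(signed_xml)
    if not allow_xslt:
        return not findings
    return all(not f["output_targets"] for f in findings)

# Constructed sample: an enveloped-signature transform followed by an XSLT
# transform whose stylesheet names a file target via exsl:document.
SAMPLE = """<root xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature><ds:SignedInfo><ds:Reference URI="">
  <ds:Transforms>
   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
   <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
    <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                    xmlns:exsl="http://exslt.org/common">
     <xsl:template match="/"><exsl:document href="PLACEHOLDER_PATH"/></xsl:template>
    </xsl:stylesheet>
   </ds:Transform>
  </ds:Transforms>
 </ds:Reference></ds:SignedInfo></ds:Signature>
</root>"""

if __name__ == "__main__":
    print(audit_transforms(SAMPLE), safe_to_verify(SAMPLE))
```

A document rejected by this gate never reaches xmlsec, so the libxslt code path in question is never entered; for deployments that do need XSLT, pair the relaxed policy with the xsltNewSecurityPrefs() mitigation listed above.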
Comment 1 Tim Sammut (RETIRED) 2011-03-30 22:31:41 UTC
Hi, Daniel and Dane. Given the short timeline before this is planned to go public, it would be fantastic if we could either:
- Create an ebuild for 1.2.16-r1 including a patch based on the commit at $URL, or
- Create an ebuild for 1.2.17, that we can test after it is released.

If you are able to do this before this issue is made public, please attach the ebuild to this bug *without* committing to CVS. Thank you.
Comment 2 Tim Sammut (RETIRED) 2011-04-01 00:15:54 UTC
This is now public. http://www.aleksey.com/xmlsec/download.html
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) 2011-04-03 22:32:03 UTC
Comment 4 Andreas Schürch 2011-04-04 06:47:54 UTC
Tested on x86, looks good over here.
Comment 5 Thomas Kahle (RETIRED) 2011-04-04 12:41:25 UTC
x86 stable. Thanks Andreas.
Comment 6 Agostino Sarubbo 2011-04-04 18:55:42 UTC
Comment 7 Christoph Mende (RETIRED) 2011-04-05 07:39:42 UTC
amd64 done, thanks Agostino
Comment 8 Tim Sammut (RETIRED) 2011-04-05 15:15:07 UTC
Thanks, folks. GLSA request filed.
Comment 9 Alon Bar-Lev (RETIRED) 2012-12-15 19:25:56 UTC
security: Any reason to keep this open?
Comment 10 GLSAMaker/CVETool Bot 2012-12-16 16:16:42 UTC
CVE-2011-1425 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425): xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification.
Comment 11 GLSAMaker/CVETool Bot 2014-12-12 00:37:33 UTC
This issue was resolved and addressed in GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml by GLSA coordinator Sean Amoss (ackle).