type: security
subject: Updated xml-security-c package fixes multiple security vulnerabilities
CVE:
 - CVE-2013-2153
 - CVE-2013-2154
 - CVE-2013-2155
 - CVE-2013-2156
 - CVE-2013-2210
src:
  2:
   core:
     - xml-security-c-1.6.1-1.2.mga2
  3:
   core:
     - xml-security-c-1.7.0-2.2.mga3
description: |
  The implementation of XML digital signatures in the Santuario-C++ library
  is vulnerable to a spoofing issue allowing an attacker to reuse existing
  signatures with arbitrary content (CVE-2013-2153).

  A stack overflow, possibly leading to arbitrary code execution, exists in
  the processing of malformed XPointer expressions in the XML Signature
  Reference processing code (CVE-2013-2154).

  A bug in the processing of the output length of an HMAC-based XML
  Signature would cause a denial of service when processing specially chosen
  input (CVE-2013-2155).

  A heap overflow exists in the processing of the PrefixList attribute
  optionally used in conjunction with Exclusive Canonicalization, potentially
  allowing arbitrary code execution (CVE-2013-2156).

  The attempted fix to address CVE-2013-2154 introduced the possibility of a
  heap overflow, possibly leading to arbitrary code execution, in the
  processing of malformed XPointer expressions in the XML Signature Reference
  processing code (CVE-2013-2210).
references:
 - http://santuario.apache.org/secadv.html
 - http://www.debian.org/security/2013/dsa-2710
 - https://bugs.mageia.org/show_bug.cgi?id=10563
ID: MGASA-2013-0193