MGASA-2013-0193

Source
https://advisories.mageia.org/MGASA-2013-0193.html
Import Source
https://advisories.mageia.org/MGASA-2013-0193.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2013-0193
Published
2013-07-01T19:12:07Z
Modified
2013-07-01T19:11:43Z
Summary
Updated xml-security-c package fixes multiple security vulnerabilities
Details

The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content (CVE-2013-2153).

A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code (CVE-2013-2154).

A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input (CVE-2013-2155).

A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution (CVE-2013-2156).

The attempted fix to address CVE-2013-2154 introduced the possibility of a heap overflow, possibly leading to arbitrary code execution, in the processing of malformed XPointer expressions in the XML Signature Reference processing code (CVE-2013-2210).

Affected packages

Mageia:3 / xml-security-c

Package

Name
xml-security-c
Purl
pkg:rpm/mageia/xml-security-c?distro=mageia-3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.7.0-2.2.mga3

Ecosystem specific

{
    "section": "core"
}

Mageia:2 / xml-security-c

Package

Name
xml-security-c
Purl
pkg:rpm/mageia/xml-security-c?distro=mageia-2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.1-1.2.mga2

Ecosystem specific

{
    "section": "core"
}