DSA-2710-1 xml-security-c -- several
ID: oval:org.secpod.oval:def:601057 | Date: (C)2013-06-19 (M)2022-10-10 |
Class: PATCH | Family: unix |
James Forshaw from Context Information Security discovered several vulnerabilities in xml-security-c, an implementation of the XML Digital Security specification. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2013-2153: The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content.

CVE-2013-2154: A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code.

CVE-2013-2155: A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input.

CVE-2013-2156: A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitrary code execution.
Platform: |
Debian 7.0 |
Debian 6.0 |
Product: |
libxml-security-c15 |