Debian Bug report logs -
#632973
xml-security-c: CVE-2011-2516: buffer overflows signing or verifying with large keys
Reported by: Dominic Hargreaves <dom@earth.li>
Date: Thu, 7 Jul 2011 14:15:01 UTC
Severity: grave
Tags: security
Found in versions 1.6.0-2, 1.5.1-3, 1.4.0-3
Fixed in versions xml-security-c/1.6.1-1, xml-security-c/1.5.1-3+squeeze1, xml-security-c/1.4.0-3+lenny3
Done: Russ Allbery <rra@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>:
Bug#632973; Package xml-security-c.
(Thu, 07 Jul 2011 14:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>.
(Thu, 07 Jul 2011 14:15:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: xml-security-c
Version: 1.6.0-2
Severity: grave
Tags: security
Justification: user security hole
Full advisory at
<http://santuario.apache.org/secadv/CVE-2011-2516.txt>
including links to patches in upstream SVN.
Also assumed to affect stable and oldstable.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>:
Bug#632973; Package xml-security-c.
(Thu, 07 Jul 2011 15:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>.
(Thu, 07 Jul 2011 15:42:03 GMT) (full text, mbox, link).
Message #10 received at 632973@bugs.debian.org (full text, mbox, reply):
Dominic Hargreaves <dom@earth.li> writes:
> Package: xml-security-c
> Version: 1.6.0-2
> Severity: grave
> Tags: security
> Justification: user security hole
> Full advisory at
> <http://santuario.apache.org/secadv/CVE-2011-2516.txt>
> including links to patches in upstream SVN.
> Also assumed to affect stable and oldstable.
Yup, thanks. Working on it now. Testing is going to be a bit of an issue
since migration to testing is still blocked by a g++ bug; I'll see if I
can work around that by disabling optimization on arm.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply sent
to Russ Allbery <rra@debian.org>:
You have taken responsibility.
(Thu, 07 Jul 2011 16:33:06 GMT) (full text, mbox, link).
Notification sent
to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer.
(Thu, 07 Jul 2011 16:33:06 GMT) (full text, mbox, link).
Message #15 received at 632973-close@bugs.debian.org (full text, mbox, reply):
Source: xml-security-c
Source-Version: 1.6.1-1
We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive:
libxml-security-c-dev_1.6.1-1_i386.deb
to main/x/xml-security-c/libxml-security-c-dev_1.6.1-1_i386.deb
libxml-security-c16_1.6.1-1_i386.deb
to main/x/xml-security-c/libxml-security-c16_1.6.1-1_i386.deb
xml-security-c_1.6.1-1.debian.tar.gz
to main/x/xml-security-c/xml-security-c_1.6.1-1.debian.tar.gz
xml-security-c_1.6.1-1.dsc
to main/x/xml-security-c/xml-security-c_1.6.1-1.dsc
xml-security-c_1.6.1.orig.tar.gz
to main/x/xml-security-c/xml-security-c_1.6.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 632973@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated xml-security-c package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 07 Jul 2011 09:10:33 -0700
Source: xml-security-c
Binary: libxml-security-c16 libxml-security-c-dev
Architecture: source i386
Version: 1.6.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c16 - C++ library for XML Digital Signatures (runtime)
Closes: 632973
Changes:
xml-security-c (1.6.1-1) unstable; urgency=high
.
* Urgency high for security fix.
* New upstream release.
- DSIGObject::load method crashes for ds:Object without Id attribute
- Buffer overflow when signing or verifying files with big asymmetric
keys (Closes: #632973, CVE-2011-2516)
- Memory bug inside XENCCipherImpl::deSerialise
- Function cleanURIEscapes always throws XSECException, when any
escape sequence occurs
- Function isHexDigit doesn't recognize invalid escape sequences
- Percent-encoded multibyte (UTF-8) sequences unrecognized
- RSA-OAEP handler only allows SHA-1 digests
* Update debian/watch for the new organization of Apache downloads.
Checksums-Sha1:
fd7a3f73e53120fab3d7c99e43097d63db6103d3 1689 xml-security-c_1.6.1-1.dsc
239304659752eb214f3516b6c457c99f0e6467c7 864366 xml-security-c_1.6.1.orig.tar.gz
6874daf4e6ad0421ce34ee1f3e833923d79ca547 7285 xml-security-c_1.6.1-1.debian.tar.gz
2dd5e68cdee7b76567cf0a6fd912d0d9adaea8e9 372064 libxml-security-c16_1.6.1-1_i386.deb
5dbe7bede14e1cb0fc01a050c7a7425cab5f61b5 150394 libxml-security-c-dev_1.6.1-1_i386.deb
Checksums-Sha256:
74c60ca69966f246e40f3a10b1f61f1b84fdd0a58f3cda0b29eb2b0e1d484575 1689 xml-security-c_1.6.1-1.dsc
73931a55d6925a82416ea48f8d6f1b8ed591368e1dfc30574fe43904b7c62fcd 864366 xml-security-c_1.6.1.orig.tar.gz
ae82090ad6f81811de165fb795e8b5b84285e3f4f42cc19320eb73452a47297a 7285 xml-security-c_1.6.1-1.debian.tar.gz
140594585d9912644494c4d3a6d12fc31ae8972df3ae8b9b64905909d5b2623d 372064 libxml-security-c16_1.6.1-1_i386.deb
c202edb2f3e5b9ae7f8790bc7d0a8fcc86e8f2e5bd877764c42f03de41f6ae99 150394 libxml-security-c-dev_1.6.1-1_i386.deb
Files:
239ad9504d7326e84e8c49bb48f5c764 1689 libs extra xml-security-c_1.6.1-1.dsc
808316c80a7453b6d50a0bceb7ebe9bc 864366 libs extra xml-security-c_1.6.1.orig.tar.gz
7dbad386fb00cdb401ffc1210592148a 7285 libs extra xml-security-c_1.6.1-1.debian.tar.gz
2b7e014d7727c17fd301fa209b374d80 372064 libs extra libxml-security-c16_1.6.1-1_i386.deb
382d66533e1bc31680a2762c8f3786f4 150394 libdevel extra libxml-security-c-dev_1.6.1-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBCAAGBQJOFdxjAAoJEH2AMVxXNt513h4IAMABgV5q0rNDu/xQ5eGUU0D4
W/zHxiY57/k5mNqLkyE1fFWP86S3adv/0vrAW9yk/8LorMXE7zxvvC+yFe/49BDV
ESVvfd0wVP25a+rjUyq5/LWZb+IvT99uhRAiBpVvhNFY85VZ3aKIViNuHJJgBibs
2/J33BqpH5PwvMhL2iL+UeHniNR0EOjLOvIB2uuFR7zP77HcuiGx1Mqpzw4cvspf
BJQBp4gIJX2CEHVBEpB+/+dYCy+AerCYe8lwCIE4hMhzl/33sG6mYCls5MioWec8
cLh0FO4ZfuudifkYemzynkwjC5RbGoaNEnzLpok0ZG2AQg+gUgzex4FzsVE/ijg=
=+cse
-----END PGP SIGNATURE-----
Bug Marked as found in versions 1.5.1-3.
Request was from Russ Allbery <rra@debian.org>
to control@bugs.debian.org.
(Thu, 07 Jul 2011 18:45:03 GMT) (full text, mbox, link).
Bug Marked as found in versions 1.4.0-3.
Request was from Russ Allbery <rra@debian.org>
to control@bugs.debian.org.
(Thu, 07 Jul 2011 18:51:04 GMT) (full text, mbox, link).
Reply sent
to Russ Allbery <rra@debian.org>:
You have taken responsibility.
(Sun, 17 Jul 2011 01:57:07 GMT) (full text, mbox, link).
Notification sent
to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer.
(Sun, 17 Jul 2011 01:57:07 GMT) (full text, mbox, link).
Message #24 received at 632973-close@bugs.debian.org (full text, mbox, reply):
Source: xml-security-c
Source-Version: 1.5.1-3+squeeze1
We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive:
libxml-security-c-dev_1.5.1-3+squeeze1_i386.deb
to main/x/xml-security-c/libxml-security-c-dev_1.5.1-3+squeeze1_i386.deb
libxml-security-c15_1.5.1-3+squeeze1_i386.deb
to main/x/xml-security-c/libxml-security-c15_1.5.1-3+squeeze1_i386.deb
xml-security-c_1.5.1-3+squeeze1.diff.gz
to main/x/xml-security-c/xml-security-c_1.5.1-3+squeeze1.diff.gz
xml-security-c_1.5.1-3+squeeze1.dsc
to main/x/xml-security-c/xml-security-c_1.5.1-3+squeeze1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 632973@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated xml-security-c package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 07 Jul 2011 10:45:08 -0700
Source: xml-security-c
Binary: libxml-security-c15 libxml-security-c-dev
Architecture: source i386
Version: 1.5.1-3+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c15 - C++ library for XML Digital Signatures (runtime)
Closes: 632973
Changes:
xml-security-c (1.5.1-3+squeeze1) stable-security; urgency=high
.
* Apply upstream patch to fix buffer overflow when signing or verifying
files with big asymmetric keys. (Closes: #632973, CVE-2011-2516)
Checksums-Sha1:
d501669c624b384bc2947f2ec3dc7b88e132d361 1667 xml-security-c_1.5.1-3+squeeze1.dsc
e51d3dca7f32cfcc2090d4d20cf8a1d032d95d79 957928 xml-security-c_1.5.1.orig.tar.gz
67b726b85c1c13495c88d9d64041c7b932147fc7 8057 xml-security-c_1.5.1-3+squeeze1.diff.gz
1e2e95254b5b6226ce05d98b412d6e47808284eb 352216 libxml-security-c15_1.5.1-3+squeeze1_i386.deb
183f2fa2a072a2d95aebf8a79dfc88d3ec775ae6 141456 libxml-security-c-dev_1.5.1-3+squeeze1_i386.deb
Checksums-Sha256:
d4978a2d32c3411717d3108f1df91e760896f2f4849a96a9ad666ce582f66f07 1667 xml-security-c_1.5.1-3+squeeze1.dsc
f31d7efbc1a2d708e82fb7237dca29e4e5552d8a4ca510cfe94c9998055b801f 957928 xml-security-c_1.5.1.orig.tar.gz
0108726f6aed3b964918d0599e8ab5d395a03689d64a88500a816335f386f32b 8057 xml-security-c_1.5.1-3+squeeze1.diff.gz
5caedbcfc4855072c4caab6753a68b5423233ab68c23777f82f4615ecd580f2e 352216 libxml-security-c15_1.5.1-3+squeeze1_i386.deb
ce33a0f0223392b6a0ab3eb55d2fdc7d95237c965eaf8982daf9bcae03f96744 141456 libxml-security-c-dev_1.5.1-3+squeeze1_i386.deb
Files:
699dc0c2220df307c0d4d5feba97c5d3 1667 libs extra xml-security-c_1.5.1-3+squeeze1.dsc
2c47c4ec12e8d6abe967aa5e5e99000c 957928 libs extra xml-security-c_1.5.1.orig.tar.gz
abea41b8d230574fecb7639ddf81a26a 8057 libs extra xml-security-c_1.5.1-3+squeeze1.diff.gz
67f53d15c4c582949934e6b7f279feed 352216 libs extra libxml-security-c15_1.5.1-3+squeeze1_i386.deb
4dd1aadabac65f5409869b84f3cd63a9 141456 libdevel extra libxml-security-c-dev_1.5.1-3+squeeze1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBCAAGBQJOFhb5AAoJEH2AMVxXNt51wisIAIpkkugaQJvhvE+X9FXuLgvO
GY6jaJQYYhxPUsRJ8ZHghGH8mOaYtykj2yHKXN6OL8qzeiwPOCKHJ6cTIC5VourR
TzHam/BuqCiDbg3jtSM/d0VT5VDpmWFzrcuekT+BNvf4Cx7DcCZO9tUDrn+nSSUB
mVYNpAD8Aziht8SgLiF+Ifrj3gBFwG+HYlxXBxwU4ZQREkbUx4Thd8LEM6uvPE0Z
k7rPZp6T2aEYIplCq5xAEifs6pu4YAYtJQeWWv5DMyGnd33zlg6A0LjEgmg/gWQN
UMCHfe4i3xJV464J0gwXqDAqWsUTEqRR2LqP0iFbZVaSWHkpTyr9uQ7L0CZYHY4=
=FQYP
-----END PGP SIGNATURE-----
Reply sent
to Russ Allbery <rra@debian.org>:
You have taken responsibility.
(Fri, 22 Jul 2011 01:57:03 GMT) (full text, mbox, link).
Notification sent
to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer.
(Fri, 22 Jul 2011 01:57:03 GMT) (full text, mbox, link).
Message #29 received at 632973-close@bugs.debian.org (full text, mbox, reply):
Source: xml-security-c
Source-Version: 1.4.0-3+lenny3
We believe that the bug you reported is fixed in the latest version of
xml-security-c, which is due to be installed in the Debian FTP archive:
libxml-security-c-dev_1.4.0-3+lenny3_i386.deb
to main/x/xml-security-c/libxml-security-c-dev_1.4.0-3+lenny3_i386.deb
libxml-security-c14_1.4.0-3+lenny3_i386.deb
to main/x/xml-security-c/libxml-security-c14_1.4.0-3+lenny3_i386.deb
xml-security-c_1.4.0-3+lenny3.diff.gz
to main/x/xml-security-c/xml-security-c_1.4.0-3+lenny3.diff.gz
xml-security-c_1.4.0-3+lenny3.dsc
to main/x/xml-security-c/xml-security-c_1.4.0-3+lenny3.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 632973@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated xml-security-c package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 07 Jul 2011 11:43:25 -0700
Source: xml-security-c
Binary: libxml-security-c14 libxml-security-c-dev
Architecture: source i386
Version: 1.4.0-3+lenny3
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c14 - C++ library for XML Digital Signatures (runtime)
Closes: 632973
Changes:
xml-security-c (1.4.0-3+lenny3) oldstable-security; urgency=high
.
* Apply upstream patch to fix buffer overflow when signing or verifying
files with big asymmetric keys. (Closes: #632973, CVE-2011-2516)
Checksums-Sha1:
e31239a9fddc7849b9e9ee23b8cfd4e5eef1607d 1673 xml-security-c_1.4.0-3+lenny3.dsc
e8e87afbca57492e033da33ffb6410038d44fa44 7886 xml-security-c_1.4.0-3+lenny3.diff.gz
b4c31c6aa8f4cca612bdb0c6ecef2af645625425 370058 libxml-security-c14_1.4.0-3+lenny3_i386.deb
3f031126fcd92eaeb5f65a68ee483eb4c4413d3e 139866 libxml-security-c-dev_1.4.0-3+lenny3_i386.deb
Checksums-Sha256:
ff74e64ef726b51aff113802d05b4196e8a02fb2c7f8621ce708f4f8a7bc9294 1673 xml-security-c_1.4.0-3+lenny3.dsc
3089f0abb69fa7f480805271d9b0dfb54f67f1c5523b88c2d03da85b9a3c6bff 7886 xml-security-c_1.4.0-3+lenny3.diff.gz
5d807b67849dbcccc6423bf95189516d3981742a24f689746ff0464b020e183b 370058 libxml-security-c14_1.4.0-3+lenny3_i386.deb
a7782f3881ec3b6f011796f404974670e2672d874e6b656bac0d43a84642330f 139866 libxml-security-c-dev_1.4.0-3+lenny3_i386.deb
Files:
cc88a76161f90ec729acbcbcf769d83b 1673 libs extra xml-security-c_1.4.0-3+lenny3.dsc
c41f4046c8907d4fae630cf73db5b618 7886 libs extra xml-security-c_1.4.0-3+lenny3.diff.gz
2a374cef29a0c3fa80beb2ee01982e9a 370058 libs extra libxml-security-c14_1.4.0-3+lenny3_i386.deb
65641174cc5cca4b0370e7a50bb7203d 139866 libdevel extra libxml-security-c-dev_1.4.0-3+lenny3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBCAAGBQJOFhcCAAoJEH2AMVxXNt51EYwH/0O0OueL+0W4QZF0vIZ37GIu
BSALQ8wzJL7KjwRZN4VoF9Kpg1Hxz0wxFmnctvcO8tZrK+zyIJKI9mvnrvMU2wIb
rwZ2PNn879NR3m0uE/lr2Fnh7g7yo5zqpsD1FAzgfm5pFUc3LjMqZQ8eHML223Dx
o1/3sp3tzQ/mQen2m/Qzf09UfNTZmov3meaCR0273HrdJ910KsC/n1t1+GfYciLZ
Hok0OoMwjyFuVFoGnHlr6WeCbtW6R21wCK1yQWavy3e3fMR1zNaKrSywZkGFd/2a
5EK3s721+G5Uq1ObGQT88+GkPri2YpvDTYQW/b1iHxp5Q61DF3Aj4+ruOyKQvRw=
=buIu
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 09 Oct 2011 07:36:42 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:07:28 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon