Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29494
HistoryJul 01, 2013 - 12:00 a.m.

CVE-2013-2154: Apache Santuario C++ stack overflow vulnerability

2013-07-0100:00:00
vulners.com
9
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2013-2154: Apache Santuario XML Security for C++ contains a stack
overflow during XPointer evaluation

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Santuario XML Security for C++ library versions
prior to V1.7.1

Description: A stack overflow, possibly leading to arbitrary code
execution, exists in the processing of malformed XPointer expressions
in the XML Signature Reference processing code.

An attacker could use this to exploit an application performing
signature verification if the application does not block the
evaluation of such references prior to performing the verification
step. The exploit would occur prior to the actual verification of
the signature, so does not require authenticated content.

Mitigation: Applications that do not otherwise prevent the evaluation of
XPointer expressions during signature verification and are using library
versions older than V1.7.1 should upgrade as soon as possible. Distributors
of older versions should apply the patches from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=r1493959

The first chunk of the patch to DSIGReference.cpp is the relevant portion.

Credit: This issue was reported by James Forshaw, Context Information
Security

References: http://santuario.apache.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)

iQIcBAEBCgAGBQJRv9OYAAoJEDeLhFQCJ3li8IgP/1kbxVPOdSXDqx4ER9oBU877
7Z8XwGw3vL1CUoyt1AWlElqJpgrUMP723fcLWJa3sfXiY6Pnp/+dxfiaoUCAa+OJ
qJS2/TUmc/1EwGc+hawvCJlItuKb7aOHhdPlOX3KuriTHnqnigTXkpF0n5oUd7Md
e0+XOIFcTpoudUUEfdiigBtJHBxv8Jfq3dvjCOD2aOpRCreEBEinykdxdXWX2onw
Ugj7b+FxH/d4eVSYS1vuIxLAVqJpgN4AlVV7kNzyp0ivPE3NgKYb946Kq5YNkYN3
Xj3uq+VW7NxWMzWn/Gl5GEgPGNdzTPVZ80dy/bOIw4dDUtA362axfO24I+Lmrobx
2/JhgeovwCbIrbeMVZOtWeSYoRFSFtf9WxKDVi+9a+53UtZOWCNhky48D9iU2OuA
fxEAeTmDH+Dx23w/bXezwI0X4l2hItBHd4+V59BP7p/90Vu3iBw9jez8lzQXWJ8G
hzUyxCdGN0hB3K+1pOesKTmD1zdy8u3L/FUz91gbB7ciivmvzsx5a5zB3BLzWSJF
3jgAwWaay4DZdL4YmCW3khr5xa05nR0LUqlS3xpTukrWfPqLdjJzBfeeDWWxMGib
N5dPaf+DMB9Q5TmLXb6j3tsEfCS+xqky+ryqsS8rGrrIcL1zW9HAlG+QELAC/t6q
bVctGmNMu7i+o9xXqUJ0
=7xZa
-----END PGP SIGNATURE-----

Related

prion 2
osv 2
cve 2
debiancve 2
securityvulns 4
debian 4
freebsd 1
openvas 5
nessus 4
ubuntucve 2
seebug 1
mageia 1
prion
prion
Stack overflow
2013-08-20 22:55:00
Heap overflow
2013-08-20 22:55:00
osv
osv
xml-security-c - heap overflow
2013-06-28 00:00:00
xml-security-c - several
2013-06-18 00:00:00
cve
cve
CVE-2013-2154
2013-08-20 22:55:00
CVE-2013-2210
2013-08-20 22:55:00
debiancve
debiancve
CVE-2013-2154
2013-08-20 22:55:00
CVE-2013-2210
2013-08-20 22:55:00
securityvulns
securityvulns
CVE-2013-2210
2013-07-01 00:00:00
[SECURITY] [DSA 2717-1] xml-security-c security update
2013-07-01 00:00:00
[SECURITY] [DSA 2710-1] xml-security-c security update
2013-07-01 00:00:00
debian
debian
[SECURITY] [DSA 2717-1] xml-security-c security update
2013-06-28 15:17:18
[SECURITY] [DSA 2717-1] xml-security-c security update
2013-06-28 15:17:18
[SECURITY] [DSA 2710-1] xml-security-c security update
2013-06-18 15:44:22
freebsd
freebsd
apache-xml-security-c -- heap overflow during XPointer evaluation
2013-06-27 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-2717-1)
2013-06-27 00:00:00
Debian Security Advisory DSA 2717-1 (xml-security-c - heap overflow)
2013-06-28 00:00:00
Debian Security Advisory DSA 2710-1 (xml-security-c - several vulnerabilities)
2013-06-18 00:00:00
nessus
nessus
FreeBSD : apache-xml-security-c -- heap overflow during XPointer evaluation (81da673e-dfe1-11e2-9389-08002798f6ff)
2013-06-29 00:00:00
Debian DSA-2717-1 : xml-security-c - heap overflow
2013-06-29 00:00:00
Debian DSA-2710-1 : xml-security-c - several vulnerabilities
2013-06-19 00:00:00
ubuntucve
ubuntucve
CVE-2013-2210
2013-08-20 00:00:00
CVE-2013-2154
2013-08-20 00:00:00
seebug
seebug
Apache Santuario XML Security for C++ 堆缓冲区溢出漏洞
2013-06-28 00:00:00
mageia
mageia
Updated xml-security-c package fixes multiple security vulnerabilities
2013-07-01 23:12:07
JSON
Related for SECURITYVULNS:DOC:29494
prion2osv2cve2debiancve2securityvulns4debian4freebsd1openvas5nessus4ubuntucve2seebug1mageia1