Bug#922984: xml-security-c: ECDSA XML signature generation segmentation fault
Alejandro Claro
alejandro.claro at smartmatic.com
Fri Feb 22 15:44:51 GMT 2019
Package: xml-security-c
Version: 1.7.2-2
Severity: important
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu disco ubuntu-patch
Dear Maintainer,

We found a bug in Apache Santuario C, related to ECDSA signature
generation, a few years ago. We provided the fix to the Apache team, and
Scott Cantor kindly accepted the fix in the project. However, the fix
was introduced in series 2.x of the library.

The fix we provided was for the version 1.7.x (xml-security-c17) found in
Ubuntu 14.04, and it looks like Ubuntu 18.04 is still including a version
from series 1.7.x. The commit with the fix for the bug can be found here:
http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/utils/XSECSafeBuffer.cpp?r1=1806212&r2=1807280&diff_format=h

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/patches/99-xsecsafebuffer.patch: Fix undefined behavior in
    XSECSafeBuffer that affects ECDSA signature generation. This fix was
    introduced in series 2.x, but it was not backported to series 1.7.x.

Thanks for considering the patch.

-- System Information:
Debian Release: jessie/sid
APT prefers trusty-updates
APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.0-130-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xml-security-c_1.7.2-2ubuntu3.debdiff
Type: text/x-diff
Size: 2018 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-shibboleth-devel/attachments/20190222/53813542/attachment.diff>