Bug#922984: xml-security-c: ECDSA XML signature generation segmentation fault

Alejandro Claro alejandro.claro at smartmatic.com
Fri Feb 22 15:44:51 GMT 2019

Package: xml-security-c
Version: 1.7.2-2
Severity: important
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu disco ubuntu-patch

Dear Maintainer,

We found a bug in Apache Santuario C, related to ECDSA signature
generation, few years ego. We provide the fix to the Apache team, and
Scott Cantor kindly accepted the fix in the project. How ever the fix
was introduced in series 2.x of the the library.

The fix we provide was for the version 1.7.x (xml-security-c17) found in
Ubuntu 14.04 and looks like Ubuntu 18.04 is still including a version
from series 1.7.x. The commit with the fix for the bug can be found here:


In Ubuntu, the attached patch was applied to achieve the following:

  * debian/patches/99-xsecsafebuffer.patch: Fix undefined behavior in
    XSECSafeBuffer that affect ECDSA signature generation. This fix was
    introduced in serie 2.x, but it was not backported to serie 1.7.x.

Thanks for considering the patch.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-130-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xml-security-c_1.7.2-2ubuntu3.debdiff
Type: text/x-diff
Size: 2018 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-shibboleth-devel/attachments/20190222/53813542/attachment.diff>

More information about the Pkg-shibboleth-devel mailing list