Bug#922984: xml-security-c: ECDSA XML signature generation segmentation fault

Alejandro Claro Mosqueda alejandro.claro at smartmatic.com
Sun Feb 24 13:56:42 GMT 2019


Good evening Mr. Wagner,

Thank you very much.

We have not validated a scenario like you mention. Our use cases, related to this XML signature generation, are not susceptible to exploiting such a vulnerability; but I think it could be possible in other use cases. In our use case, we experience instability of the system due to an unpredictable segmentation fault in the library.

Thanks,
Alejandro.


________________________________
From: Ferenc Wagner,,, <wferi at niif.hu> on behalf of wferi at niif.hu <wferi at niif.hu>
Sent: Sunday, February 24, 2019 2:17:03 PM
To: Alejandro Claro Mosqueda
Cc: 922984 at bugs.debian.org
Subject: Re: Bug#922984: xml-security-c: ECDSA XML signature generation segmentation fault

Alejandro Claro <alejandro.claro at smartmatic.com> writes:

> We found a bug in Apache Santuario C, related to ECDSA signature
> generation, a few years ago. We provided the fix to the Apache team, and
> Scott Cantor kindly accepted the fix in the project. However, the fix
> was introduced in series 2.x of the library.

Dear Alejandro,

I can propose your fix for the next stable update, but I don't know when
that will be released.  On the other hand, if this buffer overflow leads
to an exploitable vulnerability, the Security Team could fast-track the
fix.  Have you got such a scenario?
--
Thanks,
Feri