Information Security


Security vulnerabilities in xml-security-c
Published: July 1, 2013
Source:
SecurityVulns ID: 13142
Type: library
Severity level: 6/10
Description: Stack overflow, heap buffer overflow.
Affected products: APACHE : xml-security-c 1.7
CVE: CVE-2013-2210 (Heap-based buffer overflow in the XML Signature Reference functionality in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed XPointer expressions. NOTE: this is due to an incorrect fix for CVE-2013-2154.)
 CVE-2013-2156 (Heap-based buffer overflow in the Exclusive Canonicalization functionality (xsec/canon/XSECC14n20010315.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PrefixList attribute.)
 CVE-2013-2155 (Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 does not properly validate length values, which allows remote attackers to cause a denial of service or bypass the CVE-2009-0217 protection mechanism and spoof a signature via crafted length values to the (1) compareBase64StringToRaw, (2) DSIGAlgorithmHandlerDefault, or (3) DSIGAlgorithmHandlerDefault::verify functions.)
 CVE-2013-2154 (Stack-based buffer overflow in the XML Signature Reference functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed XPointer expressions, probably related to the DSIGReference::getURIBaseTXFM function.)
 CVE-2013-2153 (The XML digital signature functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to reuse signatures and spoof arbitrary content via crafted Reference elements in the Signature, aka "XML Signature Bypass issue.")
Original text: Cantor, Scott E., Re: CVE-2013-2156: Apache Santuario C++ heap overflow vulnerability (01.07.2013)
 Cantor, Scott E., CVE-2013-2155: Apache Santuario C++ denial of service vulnerability (01.07.2013)
 Cantor, Scott E., CVE-2013-2154: Apache Santuario C++ stack overflow vulnerability (01.07.2013)
 Cantor, Scott E., CVE-2013-2153: Apache Santuario C++ signature bypass vulnerability (01.07.2013)
 Cantor, Scott E., CVE-2013-2210 (01.07.2013)
 DEBIANAN, [SECURITY] [DSA 2710-1] xml-security-c security update (01.07.2013)
 DEBIANAN, [SECURITY] [DSA 2717-1] xml-security-c security update (01.07.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod