Debian Bug report logs - #572556
CVE-2010-0055: Signature verification bypass

Package: xar; Maintainer for xar is (unknown);

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 4 Mar 2010 21:03:01 UTC

Severity: grave

Tags: lenny, patch, security

Fixed in version 1.5.2-2+rm

Done: Sandro Tosi <morph@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#572556; Package xar. (Thu, 04 Mar 2010 21:03:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>. (Thu, 04 Mar 2010 21:03:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-0055: Signature verification bypass
Date: Thu, 04 Mar 2010 22:00:19 +0100
Package: xar
Severity: grave
Tags: security

The following was reported to us by Braden Thomas of the Apple Security Team:

>> Description:
>> We've discovered a signature verification bypass issue in xar.  The
>> issue is that xar_open assumes that the checksum is stored at offset
>> 0, but xar_signature_copy_signed_data uses xar property
>> "checksum/offset" to find the offset to the checksum when validating
>> the signature.  As a result, a modified xar archive can pass signature
>> validation by putting the checksum for the modified TOC at offset 0,
>> pointing "checksum/offset" at the non-modified checksum at a higher
>> offset, and using the original non-modified signature.
>>
>> CVE-ID:  CVE-2010-0055
>>
>> Timing:
>> Proposed embargo date is March 3rd
>>
>> Fix:
>> This issue was fixed in xar r225 - patch available from:
>> http://code.google.com/p/xar/source/detail?r=225

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages xar depends on:
ii  libc6                   2.10.2-5         Embedded GNU C Library: Shared lib
ii  libssl0.9.8             0.9.8k-8         SSL shared libraries
pn  libxar1                 <none>           (no description available)
ii  libxml2                 2.7.6.dfsg-2+b1  GNOME XML library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

xar recommends no packages.

xar suggests no packages.
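The report above describes a mismatch between two code paths that are supposed to look at the same checksum: the integrity check reads it at a fixed offset, while the signature check reads it at whatever "checksum/offset" says. The following is an added example, not xar's code and not the r225 patch; it models the archive as a flat TOC string, a heap holding checksums, and an HMAC in place of xar's X.509 signature (all constructed assumptions), and shows why a verifier that checks one copy of the checksum and signs another can be fooled, next to a verifier that uses a single location for both steps.

```python
"""Toy model of the CVE-2010-0055 verification mismatch (constructed example)."""
import hashlib
import hmac
import re

DIGEST_LEN = 32
# Stand-in for the signer's private key (assumption; real xar uses an X.509 signature).
SIGNING_KEY = b"constructed-demo-signing-key"


def toc_checksum(toc: bytes) -> bytes:
    """Checksum of the table of contents (SHA-256 in this model)."""
    return hashlib.sha256(toc).digest()


def build_toc(files: str, checksum_offset: int) -> bytes:
    """A real TOC is XML; this flat form keeps the relevant property visible."""
    return f"files={files};checksum/offset={checksum_offset}".encode()


def checksum_offset(toc: bytes) -> int:
    """Read the checksum/offset property out of the TOC."""
    m = re.search(rb"checksum/offset=(\d+)", toc)
    if m is None:
        raise ValueError("TOC has no checksum/offset property")
    return int(m.group(1))


def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def signature_ok(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def read_checksum(heap: bytes, off: int) -> bytes:
    """Bounds-checked read of one checksum from the heap."""
    if off < 0 or off + DIGEST_LEN > len(heap):
        raise ValueError("checksum/offset outside heap")
    return heap[off:off + DIGEST_LEN]


def verify_vulnerable(toc: bytes, heap: bytes, sig: bytes) -> bool:
    # xar_open-style integrity check: assumes the checksum lives at heap offset 0 ...
    if read_checksum(heap, 0) != toc_checksum(toc):
        return False
    # ... but the signature step copies the bytes found at checksum/offset instead.
    return signature_ok(read_checksum(heap, checksum_offset(toc)), sig)


def verify_hardened(toc: bytes, heap: bytes, sig: bytes) -> bool:
    # One location for both checks: the bytes handed to the signature check are
    # exactly the bytes that were compared against the freshly computed checksum.
    stored = read_checksum(heap, checksum_offset(toc))
    if stored != toc_checksum(toc):
        return False
    return signature_ok(stored, sig)


def make_signed_archive(files: str):
    """A legitimately signed archive: checksum at offset 0, signature over it."""
    toc = build_toc(files, 0)
    c = toc_checksum(toc)
    return toc, c, sign(c)


def tampered_archive(orig_toc: bytes, orig_heap: bytes, orig_sig: bytes, new_files: str):
    """The layout the report describes: new TOC, its checksum at offset 0, the
    original checksum appended after it, checksum/offset pointing at the original,
    and the original signature reused unchanged."""
    new_toc = build_toc(new_files, DIGEST_LEN)
    return new_toc, toc_checksum(new_toc) + orig_heap[:DIGEST_LEN], orig_sig


def demo() -> dict:
    good = make_signed_archive("readme.txt")
    bad = tampered_archive(*good, "replaced.txt")
    return {
        "good_vulnerable": verify_vulnerable(*good),
        "good_hardened": verify_hardened(*good),
        "tampered_vulnerable": verify_vulnerable(*bad),
        "tampered_hardened": verify_hardened(*bad),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the hardened version makes is the general one: whatever bytes the signature is verified against must be the same bytes that were bound to the content by the integrity check, read once from one place. A verifier that trusts an attacker-controlled offset for one step and a hard-coded offset for the other gives the archive two checksums to satisfy two different checks.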

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#572556; Package xar. (Tue, 16 Mar 2010 07:09:19 GMT)

Acknowledgement sent to chatchai jantaraprim <chatchai.j@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 16 Mar 2010 07:09:19 GMT)

Message #10 received at 572556@bugs.debian.org:

From: chatchai jantaraprim <chatchai.j@gmail.com>
To: 572556@bugs.debian.org, control@bugs.debian.org
Cc: cj@coe.psu.ac.th
Subject: Re: CVE-2010-0055: Signature verification bypass
Date: Tue, 16 Mar 2010 13:56:50 +0700
tags 572556 + patch
thanks

Hello,

      I backported the patch in the attached file from xar svn revision 225 to
the 1.5.2 branch.

Thank you
Chatchai Jantaraprim
[CVE-2010-0055.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from chatchai jantaraprim <chatchai.j@gmail.com> to control@bugs.debian.org. (Tue, 16 Mar 2010 07:09:36 GMT)

Reply sent to Sandro Tosi <morph@debian.org>:
You have taken responsibility. (Wed, 17 Mar 2010 16:48:10 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 17 Mar 2010 16:48:10 GMT)

Message #17 received at 572556-done@bugs.debian.org:

From: Sandro Tosi <morph@debian.org>
To: 446003-done@bugs.debian.org, 572556-done@bugs.debian.org
Subject: Package removed from Debian unstable
Date: Wed, 17 Mar 2010 17:45:04 +0100
Version: 1.5.2-2+rm

Package removed from Debian unstable: http://bugs.debian.org/574023

-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi

Added tag(s) lenny. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Thu, 18 Mar 2010 00:12:11 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 Apr 2010 07:39:58 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:07:03 2014; Machine Name: buxtehude.debian.org