
Bug#572556: CVE-2010-0055: Signature verification bypass

Package: xar
Severity: grave
Tags: security

The following was reported to us by Braden Thomas of the Apple Security Team:

>> Description:
>> We've discovered a signature verification bypass issue in xar.  The
>> issue is that xar_open assumes that the checksum is stored at offset
>> 0, but xar_signature_copy_signed_data uses xar property
>> "checksum/offset" to find the offset to the checksum when validating
>> the signature.  As a result, a modified xar archive can pass signature
>> validation by putting the checksum for the modified TOC at offset 0,
>> pointing "checksum/offset" at the non-modified checksum at a higher
>> offset, and using the original non-modified signature.
>> CVE-ID:  CVE-2010-0055
>> Timing:
>> Proposed embargo date is March 3rd
>> Fix:
>> This issue was fixed in xar r225; patch available from:
>> http://code.google.com/p/xar/source/detail?r=225


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages xar depends on:
ii  libc6                   2.10.2-5         Embedded GNU C Library: Shared lib
ii  libssl0.9.8             0.9.8k-8         SSL shared libraries
pn  libxar1                 <none>           (no description available)
ii  libxml2                 2.7.6.dfsg-2+b1  GNOME XML library
ii  zlib1g                  1: compression library - runtime

xar recommends no packages.

xar suggests no packages.
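To make the reported mismatch concrete, below is an added illustration written for this page; it is not xar's code and not the r225 patch. It models a xar-like archive as a TOC plus a heap, where the TOC's "checksum/offset" names where in the heap the TOC checksum lives and the signature covers the checksum bytes found there. SHA-256 stands in for xar's TOC digest and an HMAC under a constructed key stands in for the RSA signature, so the example runs without OpenSSL. `verify_vulnerable` reproduces the two inconsistent views from the advisory (checksum compared at offset 0, signed data taken from "checksum/offset"); `forge` carries out the described tampering; `verify_fixed` is this example's own hardening (refuse a relocated checksum and use one location for both checks), not a claim about how r225 fixed it.

```python
"""Constructed model of the CVE-2010-0055 TOC checksum / signature mismatch.

Not xar's code. A "xar-like" archive is TOC bytes plus a heap; the TOC's
"checksum/offset" says where in the heap the TOC checksum is stored, and the
signature covers the checksum bytes read from that location.
"""
from __future__ import annotations

import hashlib
import hmac
import json

CKSUM_LEN = 32  # SHA-256 digest size; stand-in for xar's TOC checksum length

# Constructed stand-in for the signer's private key. Real xar signatures are
# RSA over the TOC checksum; HMAC is used here only to keep the example offline.
SIGNING_KEY = b"constructed-example-signing-key"


def toc_bytes(toc: dict) -> bytes:
    """Canonical TOC serialisation (xar uses XML; JSON is a stand-in)."""
    return json.dumps(toc, sort_keys=True, separators=(",", ":")).encode()


def sign(checksum: bytes) -> bytes:
    """Stand-in signature over the TOC checksum bytes."""
    return hmac.new(SIGNING_KEY, checksum, hashlib.sha256).digest()


def build_archive(files: dict[str, bytes]) -> tuple[dict, bytes, bytes]:
    """Produce (toc, heap, signature) as a legitimate signer would:
    the TOC checksum at heap offset 0, file data after it."""
    heap = bytearray(CKSUM_LEN)  # reserve slot 0 for the checksum
    entries = {}
    for name, data in files.items():
        entries[name] = {"offset": len(heap), "length": len(data)}
        heap += data
    toc = {"checksum/offset": 0, "files": entries}
    checksum = hashlib.sha256(toc_bytes(toc)).digest()
    heap[0:CKSUM_LEN] = checksum
    return toc, bytes(heap), sign(checksum)


def verify_vulnerable(toc: dict, heap: bytes, signature: bytes) -> bool:
    """The two inconsistent views described in the advisory."""
    # xar_open's assumption: the TOC checksum is at heap offset 0.
    if hashlib.sha256(toc_bytes(toc)).digest() != heap[0:CKSUM_LEN]:
        return False
    # xar_signature_copy_signed_data's view: the signed data is whatever sits
    # at the attacker-controlled TOC property "checksum/offset".
    off = toc["checksum/offset"]
    signed = heap[off:off + CKSUM_LEN]
    return hmac.compare_digest(sign(signed), signature)


def verify_fixed(toc: dict, heap: bytes, signature: bytes) -> bool:
    """This example's own hardening, not the r225 patch: reject a relocated
    checksum and derive the signed bytes from the same slice that is compared
    against the TOC digest, so both checks see the same data."""
    off = toc["checksum/offset"]
    if off != 0 or len(heap) < CKSUM_LEN:
        return False
    stored = heap[off:off + CKSUM_LEN]
    if hashlib.sha256(toc_bytes(toc)).digest() != stored:
        return False
    return hmac.compare_digest(sign(stored), signature)


def forge(toc: dict, heap: bytes, overrides: dict[str, bytes]) -> tuple[dict, bytes]:
    """Tamper as the advisory describes: checksum of the modified TOC at
    offset 0, the untouched original checksum moved to a higher offset, and
    "checksum/offset" pointed at it. The original signature is reused."""
    original_checksum = heap[0:CKSUM_LEN]
    new_heap = bytearray(CKSUM_LEN)  # slot for the forged TOC's checksum
    entries = {}
    for name, meta in toc["files"].items():
        start, end = meta["offset"], meta["offset"] + meta["length"]
        data = overrides.get(name, heap[start:end])
        entries[name] = {"offset": len(new_heap), "length": len(data)}
        new_heap += data
    relocated = len(new_heap)
    new_heap += original_checksum
    new_toc = {"checksum/offset": relocated, "files": entries}
    new_heap[0:CKSUM_LEN] = hashlib.sha256(toc_bytes(new_toc)).digest()
    return new_toc, bytes(new_heap)


def demo() -> dict[str, bool]:
    """Constructed sample: a signed archive carrying a post-install script,
    then the same archive with the script replaced via the bypass."""
    toc, heap, sig = build_archive({"postinstall.sh": b"#!/bin/sh\necho legit\n"})
    evil_toc, evil_heap = forge(toc, heap, {"postinstall.sh": b"#!/bin/sh\necho tampered\n"})
    return {
        "legit_vulnerable": verify_vulnerable(toc, heap, sig),
        "legit_fixed": verify_fixed(toc, heap, sig),
        "forged_vulnerable": verify_vulnerable(evil_toc, evil_heap, sig),
        "forged_fixed": verify_fixed(evil_toc, evil_heap, sig),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accepted' if ok else 'rejected'}")
```

The forged archive is accepted by `verify_vulnerable` because each check is individually satisfied by a different slice of the heap; it is rejected by `verify_fixed` because a single location feeds both the digest comparison and the signature. The general lesson applies beyond xar: when a container format lets the signed object locate its own integrity data, every consumer of that data must agree on how the location is chosen, or a signature over one copy can vouch for another.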
