Issue 73 in xar: SECURITY: please release 1.5.3 (CVE-2010-0055: Signature verification bypass)

codesite...@google.com

Mar 16, 2010, 1:41:19 PM
to xar-...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 73 by jari.aalto.fi: SECURITY: please release 1.5.3
(CVE-2010-0055: Signature verification bypass)
http://code.google.com/p/xar/issues/detail?id=73

There is a serious security bug in xar, which seems to be fixed in the
repository. Please release an official 1.5.3 so that the new xar can be
packaged for Linux distributions.

CVE: http://security-tracker.debian.org/tracker/CVE-2010-0055
Cf. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572556

The following was reported to us by Braden Thomas of the Apple Security
Team:

>> Description:
>> We've discovered a signature verification bypass issue in xar. The
>> issue is that xar_open assumes that the checksum is stored at offset
>> 0, but xar_signature_copy_signed_data uses xar property
>> "checksum/offset" to find the offset to the checksum when validating
>> the signature. As a result, a modified xar archive can pass signature
>> validation by putting the checksum for the modified TOC at offset 0,
>> pointing "checksum/offset" at the non-modified checksum at a higher
>> offset, and using the original non-modified signature.

>> CVE-ID: CVE-2010-0055

>> Timing:
>> Proposed embargo date is March 3rd

>> Fix:
>> This issue was fixed in xar r225 - patch available from:
>> http://code.google.com/p/xar/source/detail?r=225

--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
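
The mismatch described in the report can be checked for on an archive before any signature result is trusted. The following is an added example, not part of the original message and not code from the xar project: it parses the xar header and TOC and reports when "checksum/offset" is not 0 or when the bytes at either location do not match the digest of the compressed TOC. The function names, the `MAX_TOC` cap and the sample archive are assumptions made for illustration.

```python
import hashlib
import struct
import zlib
import xml.etree.ElementTree as ET

# xar header, big-endian: magic, header size, version,
# compressed TOC length, uncompressed TOC length, checksum algorithm.
HEADER = struct.Struct(">IHHQQI")
MAGIC = 0x78617221          # "xar!"
ALGS = {1: "sha1", 2: "md5"}
MAX_TOC = 16 * 1024 * 1024  # assumed cap on the inflated TOC size

def check_toc_checksum(archive):
    """Return findings about where the TOC checksum lives; [] means consistent."""
    magic, hsize, _ver, clen, _ulen, alg = HEADER.unpack_from(archive)
    if magic != MAGIC:
        raise ValueError("not a xar archive")
    if alg not in ALGS:
        return ["no supported TOC checksum algorithm in header"]
    ctoc = archive[hsize:hsize + clen]   # compressed TOC
    heap = archive[hsize + clen:]        # heap starts right after the TOC
    # For untrusted archives, swap in a hardened XML parser.
    root = ET.fromstring(zlib.decompressobj().decompress(ctoc, MAX_TOC))
    node = root.find("toc/checksum")
    if node is None:
        return ["TOC has no checksum element"]
    offset = int(node.findtext("offset"))
    size = int(node.findtext("size"))
    digest = hashlib.new(ALGS[alg], ctoc).digest()
    findings = []
    if offset != 0:
        findings.append("checksum/offset is %d, expected 0" % offset)
    if heap[offset:offset + size] != digest:
        findings.append("bytes at checksum/offset do not match the TOC digest")
    if heap[:len(digest)] != digest:
        findings.append("bytes at heap offset 0 do not match the TOC digest")
    return findings

def build_sample(declared_offset):
    """Constructed test archive: TOC digest at heap offset 0, filler after it."""
    toc = ("<xar><toc><checksum style='sha1'><offset>%d</offset>"
           "<size>20</size></checksum></toc></xar>" % declared_offset).encode()
    ctoc = zlib.compress(toc)
    heap = hashlib.sha1(ctoc).digest() + b"\x00" * 20
    return HEADER.pack(MAGIC, HEADER.size, 1, len(ctoc), len(toc), 1) + ctoc + heap
```

An empty result only means that both code paths described in the report would read the same checksum bytes; it says nothing about whether the signature itself is valid.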