[Secure-testing-team] Bug#572556: CVE-2010-0055: Signature verification bypass
Moritz Muehlenhoff
jmm at debian.org
Thu Mar 4 21:00:19 UTC 2010
Package: xar
Severity: grave
Tags: security
The following was reported to us by Braden Thomas of the Apple Security Team:
>> Description:
>> We've discovered a signature verification bypass issue in xar. The
>> issue is that xar_open assumes that the checksum is stored at offset
>> 0, but xar_signature_copy_signed_data uses xar property
>> "checksum/offset" to find the offset to the checksum when validating
>> the signature. As a result, a modified xar archive can pass signature
>> validation by putting the checksum for the modified TOC at offset 0,
>> pointing "checksum/offset" at the non-modified checksum at a higher
>> offset, and using the original non-modified signature.
>>
>> CVE-ID: CVE-2010-0055
>>
>> Timing:
>> Proposed embargo date is March 3rd
>>
>> Fix:
>> This issue was fixed in xar r225; patch available from:
>> http://code.google.com/p/xar/source/detail?r=225
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages xar depends on:
ii libc6 2.10.2-5 Embedded GNU C Library: Shared lib
ii libssl0.9.8 0.9.8k-8 SSL shared libraries
pn libxar1 <none> (no description available)
ii libxml2 2.7.6.dfsg-2+b1 GNOME XML library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
xar recommends no packages.
xar suggests no packages.
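An added illustration of the class of check that closes the gap described above; it is not code from the report, the xar project or the r225 patch. The hardened routine forces the location the TOC checksum was verified at (heap offset 0, the one xar_open assumes) and the location the signature is computed over ("checksum/offset") to be the same one. The archive layout is a simplified model and the FNV-1a digest is a stand-in for xar's SHA-1; both are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of the pieces that matter here: the TOC bytes and the
 * heap that follows the TOC.  The TOC checksum lives in the heap; xar_open
 * assumes heap offset 0, while the TOC property "checksum/offset" can name
 * another offset.  Two sources of truth for one location is the bug. */
#define DIGEST_LEN 4   /* stand-in digest size (assumption); xar uses SHA-1, 20 bytes */

typedef struct {
    const uint8_t *toc;  size_t toc_len;
    const uint8_t *heap; size_t heap_len;
    size_t checksum_offset;   /* value of the TOC property "checksum/offset" */
} archive_t;

/* FNV-1a 32-bit: a stand-in for the real SHA-1 TOC checksum (assumption). */
static void digest(const uint8_t *p, size_t n, uint8_t out[DIGEST_LEN]) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    for (int i = 0; i < DIGEST_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Hardened check: reject any archive whose "checksum/offset" disagrees with
 * the offset the TOC was actually verified against, then compare the TOC
 * digest only at that single location.  Returns 1 if consistent, else 0. */
int toc_checksum_is_consistent(const archive_t *a) {
    uint8_t d[DIGEST_LEN];
    if (a->checksum_offset != 0) return 0;       /* divergent offsets: refuse */
    if (a->heap_len < DIGEST_LEN) return 0;      /* bounds check before reading */
    digest(a->toc, a->toc_len, d);
    return memcmp(a->heap, d, DIGEST_LEN) == 0;  /* one offset, one checksum */
}

/* Constructed fixture: well-formed archive, checksum at offset 0, property
 * agrees.  Expected result: 1. */
int demo_consistent(void) {
    static const uint8_t toc[] = "<xar><toc>original</toc></xar>";
    uint8_t heap[DIGEST_LEN + 8] = {0};
    digest(toc, sizeof toc - 1, heap);
    archive_t a = { toc, sizeof toc - 1, heap, sizeof heap, 0 };
    return toc_checksum_is_consistent(&a);
}

/* Constructed fixture shaped like the report: the checksum at offset 0
 * matches a modified TOC, but "checksum/offset" points further into the
 * heap.  The hardened check refuses it.  Expected result: 0. */
int demo_divergent_offset(void) {
    static const uint8_t toc[] = "<xar><toc>modified</toc></xar>";
    uint8_t heap[2 * DIGEST_LEN] = {0};
    digest(toc, sizeof toc - 1, heap);           /* modified TOC's checksum at 0 */
    archive_t a = { toc, sizeof toc - 1, heap, sizeof heap, DIGEST_LEN };
    return toc_checksum_is_consistent(&a);
}
```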