Merturbation / xar

Automatically exported from code.google.com/p/xar
0 stars 0 forks source link

SECURITY: please release 1.5.3 (CVE-2010-0055: Signature verification bypass) #73

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
There is a serious security bug in xar, which seems to be fixed in the 
repository. Please release official 1.5.3 so that new xar can be packaged 
for Linux distributions.

CVE: http://security-tracker.debian.org/tracker/CVE-2010-0055
C.f. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572556

The following was reported to us by Braden Thomas of the Apple Security 
Team:

>> Description:
>> We've discovered a signature verification bypass issue in xar.  The
>> issue is that xar_open assumes that the checksum is stored at offset
>> 0, but xar_signature_copy_signed_data uses xar property
>> "checksum/offset" to find the offset to the checksum when validating
>> the signature.  As a result, a modified xar archive can pass signature
>> validation by putting the checksum for the modified TOC at offset 0,
>> pointing "checksum/offset" at the non-modified checksum at a higher
>> offset, and using the original non-modified signature.
>>
>> CVE-ID:  CVE-2010-0055
>>
>> Timing:
>> Proposed embargo date is March 3rd
>>
>> Fix:
>> This issue was fixed in xar r225 ? patch available from:
>> http://code.google.com/p/xar/source/detail?r=225

Original issue reported on code.google.com by jari.aalto.fi@gmail.com on 16 Mar 2010 at 5:40