There is a serious security bug in xar, which seems to be fixed in the
repository. Please release official 1.5.3 so that new xar can be packaged
for Linux distributions.
CVE: http://security-tracker.debian.org/tracker/CVE-2010-0055
Cf. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572556
The following was reported to us by Braden Thomas of the Apple Security
Team:
>> Description:
>> We've discovered a signature verification bypass issue in xar. The
>> issue is that xar_open assumes that the checksum is stored at offset
>> 0, but xar_signature_copy_signed_data uses xar property
>> "checksum/offset" to find the offset to the checksum when validating
>> the signature. As a result, a modified xar archive can pass signature
>> validation by putting the checksum for the modified TOC at offset 0,
>> pointing "checksum/offset" at the non-modified checksum at a higher
>> offset, and using the original non-modified signature.
>>
>> CVE-ID: CVE-2010-0055
>>
>> Timing:
>> Proposed embargo date is March 3rd
>>
>> Fix:
>> This issue was fixed in xar r225; patch available from:
>> http://code.google.com/p/xar/source/detail?r=225
Original issue reported on code.google.com by jari.aalto.fi@gmail.com on 16 Mar 2010 at 5:40
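The bypass described in the report comes down to two code paths that disagree about where the TOC checksum lives: the integrity check reads it from offset 0, while the signature check reads it from wherever the archive's own "checksum/offset" property points. The following is an added toy model of that inconsistency and of a verifier that closes it; it is not xar's code, and the field names, the HMAC stand-in for the real signature, and the constructed archives are all assumptions made for the example. What the r225 patch actually changed is not shown here.

```python
import hashlib
import hmac

# Toy archive model (constructed for this example, not xar's on-disk format):
#   toc             - bytes of the table of contents
#   heap            - bytes following the TOC; the TOC checksum is stored in it
#   checksum_offset - the archive's own "checksum/offset" property
#   signature       - HMAC over the stored checksum (stands in for an RSA signature)
KEY = b"constructed-signing-key"   # stand-in for the signer's private key
CHECKSUM_LEN = 32                  # sha256 digest length


def make_archive(toc: bytes, key: bytes = KEY) -> dict:
    """Build a well-formed archive: checksum at heap offset 0, signed."""
    digest = hashlib.sha256(toc).digest()
    signature = hmac.new(key, digest, hashlib.sha256).digest()
    return {"toc": toc, "heap": digest, "checksum_offset": 0, "signature": signature}


def checksum_at(archive: dict, offset: int) -> bytes:
    return archive["heap"][offset:offset + CHECKSUM_LEN]


def verify_inconsistent(archive: dict, key: bytes = KEY) -> bool:
    """Mirrors the flaw in the report: integrity uses offset 0, the signature
    check uses checksum/offset, so the two checks can cover different bytes."""
    if hashlib.sha256(archive["toc"]).digest() != checksum_at(archive, 0):
        return False
    signed = checksum_at(archive, archive["checksum_offset"])
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, archive["signature"])


def verify_consistent(archive: dict, key: bytes = KEY) -> bool:
    """Hardened form: a single stored checksum, read once from one offset,
    must both match the recomputed TOC digest and be what the signature covers."""
    stored = checksum_at(archive, archive["checksum_offset"])
    if len(stored) != CHECKSUM_LEN:
        return False
    if not hmac.compare_digest(hashlib.sha256(archive["toc"]).digest(), stored):
        return False
    expected = hmac.new(key, stored, hashlib.sha256).digest()
    return hmac.compare_digest(expected, archive["signature"])


def tampered_copy(original: dict, new_toc: bytes) -> dict:
    """Constructed test input shaped as the report describes: new TOC, its
    checksum at offset 0, the original checksum kept at a higher offset that
    checksum/offset points to, and the original signature reused unchanged."""
    new_digest = hashlib.sha256(new_toc).digest()
    return {
        "toc": new_toc,
        "heap": new_digest + checksum_at(original, 0),
        "checksum_offset": CHECKSUM_LEN,
        "signature": original["signature"],
    }


def demo() -> tuple:
    """Returns (inconsistent-verifier result, consistent-verifier result)
    for a tampered archive; the first should be True, the second False."""
    original = make_archive(b"constructed TOC v1")
    assert verify_inconsistent(original) and verify_consistent(original)
    tampered = tampered_copy(original, b"constructed TOC v2 (modified)")
    return verify_inconsistent(tampered), verify_consistent(tampered)


if __name__ == "__main__":
    print(demo())
```

The point of `verify_consistent` is not the particular offset but that the offset is resolved once and both checks use the same bytes; a verifier that reads the checksum from two places has two sources of truth, and an archive that controls one of them controls the outcome.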