Good evening Mr. Wagner,

Thank you very much.

We have not validated a scenario like you mention. Our use cases, related to this XML signature generation, are not susceptible to exploit such vulnerability; but I think it could be possible in other use cases. In our use case, we experience instability of the system due to an unpredictable segmentation fault in the library.

Thanks,
Alejandro.

________________________________
From: Ferenc Wagner,,, <wf...@niif.hu> on behalf of wf...@niif.hu <wf...@niif.hu>
Sent: Sunday, February 24, 2019 2:17:03 PM
To: Alejandro Claro Mosqueda
Cc: 922...@bugs.debian.org
Subject: Re: Bug#922984: xml-security-c: ECDSA XML signature generation segmentation fault

Alejandro Claro <alejandro.cl...@smartmatic.com> writes:

> We found a bug in Apache Santuario C, related to ECDSA signature
> generation, a few years ago. We provided the fix to the Apache team, and
> Scott Cantor kindly accepted the fix in the project. However, the fix
> was introduced in series 2.x of the library.

Dear Alejandro,

I can propose your fix for the next stable update, but I don't know when that will be released. On the other hand, if this buffer overflow leads to an exploitable vulnerability, the Security Team could fast-track the fix. Have you got such a scenario?

--
Thanks,
Feri