Package: xar
Severity: grave
Tags: security

The following was reported to us by Braden Thomas of the Apple Security Team:
>> Description:
>> We've discovered a signature verification bypass issue in xar. The
>> issue is that xar_open assumes that the checksum is stored at offset
>> 0, but xar_signature_copy_signed_data uses xar property
>> "checksum/offset" to find the offset to the checksum when validating
>> the signature. As a result, a modified xar archive can pass signature
>> validation by putting the checksum for the modified TOC at offset 0,
>> pointing "checksum/offset" at the non-modified checksum at a higher
>> offset, and using the original non-modified signature.
>>
>> CVE-ID: CVE-2010-0055
>>
>> Timing:
>> Proposed embargo date is March 3rd
>>
>> Fix:
>> This issue was fixed in xar r225 - patch available from:
>> http://code.google.com/p/xar/source/detail?r=225

Cheers,
Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages xar depends on:
ii  libc6          2.10.2-5          Embedded GNU C Library: Shared lib
ii  libssl0.9.8    0.9.8k-8          SSL shared libraries
pn  libxar1        <none>            (no description available)
ii  libxml2        2.7.6.dfsg-2+b1   GNOME XML library
ii  zlib1g         1:1.2.3.4.dfsg-3  compression library - runtime

xar recommends no packages.

xar suggests no packages.
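The bypass Braden describes comes down to two code paths disagreeing about which bytes are "the TOC checksum". The Python below is an added illustration, not part of the bug report and not xar's source: it models the heap as a byte string, the TOC as a JSON dict instead of compressed XML, and an HMAC in place of the RSA signature. The names encode_toc, open_archive, signed_data, verify_signature, publish, forge and demo are hypothetical, the file names are constructed, and the fixed=True branch (refusing any archive whose checksum/offset is not 0, so that the verifier signs over exactly the bytes xar_open compared against) is one way to close the gap; whether r225 does precisely that is an assumption, not something this report states.

```python
import hashlib
import hmac
import json

# Toy model of the inconsistency in the report. NOT xar's code: the TOC is a
# JSON dict, the heap is a plain byte string and HMAC stands in for RSA.
CHECKSUM_LEN = hashlib.sha1().digest_size      # 20 bytes
SIGNING_KEY = b"constructed demo key"          # stands in for the signer's private key


def toc_checksum(toc_bytes: bytes) -> bytes:
    return hashlib.sha1(toc_bytes).digest()


def sign(data: bytes) -> bytes:
    """Stand-in for the publisher's signature over the TOC checksum."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha1).digest()


def encode_toc(checksum_offset: int, files: list) -> bytes:
    """TOC records where its own checksum is supposed to live in the heap."""
    toc = {"checksum": {"offset": checksum_offset, "size": CHECKSUM_LEN},
           "files": files}
    return json.dumps(toc, sort_keys=True).encode()


def open_archive(toc_bytes: bytes, heap: bytes) -> bool:
    """Models xar_open: the TOC checksum is assumed to sit at heap offset 0."""
    stored = heap[:CHECKSUM_LEN]
    return hmac.compare_digest(stored, toc_checksum(toc_bytes))


def signed_data(toc_bytes: bytes, heap: bytes) -> bytes:
    """Models xar_signature_copy_signed_data: trusts the TOC's checksum/offset."""
    cs = json.loads(toc_bytes)["checksum"]
    return heap[cs["offset"]:cs["offset"] + cs["size"]]


def verify_signature(toc_bytes: bytes, heap: bytes, signature: bytes,
                     fixed: bool = False) -> bool:
    """fixed=False reproduces the flaw. fixed=True is this model's remedy
    (an assumption about the fix, not a description of r225): reject a
    checksum/offset other than 0 so both code paths look at the same bytes."""
    if fixed and json.loads(toc_bytes)["checksum"]["offset"] != 0:
        return False
    return hmac.compare_digest(sign(signed_data(toc_bytes, heap)), signature)


def publish() -> tuple:
    """Constructed honest archive: checksum at offset 0, signature over it."""
    toc = encode_toc(0, ["bin/ls"])
    cs = toc_checksum(toc)
    heap = cs + b"<constructed file data>"
    return toc, heap, sign(cs)


def forge(orig_toc: bytes, orig_heap: bytes) -> tuple:
    """Attacker side, exactly as the report describes: a modified TOC whose
    checksum goes at offset 0, the original checksum parked right behind it,
    checksum/offset pointing at the original, original signature reused."""
    orig_cs = orig_heap[:CHECKSUM_LEN]
    toc = encode_toc(CHECKSUM_LEN, ["bin/ls", "bin/evil"])   # constructed entry
    heap = toc_checksum(toc) + orig_cs + orig_heap[CHECKSUM_LEN:]
    return toc, heap


def demo() -> dict:
    toc, heap, sig = publish()
    ftoc, fheap = forge(toc, heap)
    return {
        "honest_opens": open_archive(toc, heap),
        "honest_verifies": verify_signature(toc, heap, sig),
        "honest_verifies_fixed": verify_signature(toc, heap, sig, fixed=True),
        "forged_opens": open_archive(ftoc, fheap),
        "forged_verifies_vulnerable": verify_signature(ftoc, fheap, sig),
        "forged_verifies_fixed": verify_signature(ftoc, fheap, sig, fixed=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forged archive passes both open_archive and the unfixed verify_signature with the untouched signature, because the TOC has been modified but the 20 bytes the signature is checked against have not. The general lesson is the one a reviewer should carry to any signed-container format: the verifier must never let the (as yet unverified) metadata choose which bytes get verified.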