Your message dated Wed, 17 Mar 2010 17:45:04 +0100
with message-id <8b2d7b4d1003170945y52668b0egfff30e00d3ce7...@mail.gmail.com>
and subject line Package removed from Debian unstable
has caused the Debian Bug report #572556,
regarding CVE-2010-0055: Signature verification bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
572556: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572556
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xar
Severity: grave
Tags: security

The following was reported to us by Braden Thomas of the Apple Security Team:

>> Description:
>> We've discovered a signature verification bypass issue in xar.  The
>> issue is that xar_open assumes that the checksum is stored at offset
>> 0, but xar_signature_copy_signed_data uses xar property
>> "checksum/offset" to find the offset to the checksum when validating
>> the signature.  As a result, a modified xar archive can pass signature
>> validation by putting the checksum for the modified TOC at offset 0,
>> pointing "checksum/offset" at the non-modified checksum at a higher
>> offset, and using the original non-modified signature.
>>
>> CVE-ID:  CVE-2010-0055
>>
>> Timing:
>> Proposed embargo date is March 3rd
>>
>> Fix:
>> This issue was fixed in xar r225; patch available from:
>> http://code.google.com/p/xar/source/detail?r=225

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages xar depends on:
ii  libc6                   2.10.2-5         Embedded GNU C Library: Shared lib
ii  libssl0.9.8             0.9.8k-8         SSL shared libraries
pn  libxar1                 <none>           (no description available)
ii  libxml2                 2.7.6.dfsg-2+b1  GNOME XML library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

xar recommends no packages.

xar suggests no packages.



--- End Message ---
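The mismatch the report describes, as an added toy model (not xar's code and not the r225 patch): HMAC with a constructed key stands in for the real signature, the TOC is a byte string that embeds its own checksum/offset property, and the hardened verifier only accepts a signature over the same checksum bytes it matched against the TOC.

```python
import hashlib
import hmac
# Added, constructed model of the CVE-2010-0055 mismatch; not xar's code.
# A TOC is serialised as bytes together with its "checksum/offset" property;
# its SHA-1 checksum lives in the heap; the signature covers that checksum.
# HMAC with a constructed key stands in for the real public-key signature.
SIGNER_KEY = b"constructed stand-in for the signer's key"
CKSUM_LEN = 20


def serialize_toc(body, checksum_offset):
    return body + b"|checksum/offset=" + str(checksum_offset).encode()


def sign_checksum(checksum):
    return hmac.new(SIGNER_KEY, checksum, hashlib.sha256).digest()


def build_signed_archive(body):
    """Honest writer: TOC checksum at heap offset 0, signature over it."""
    toc = serialize_toc(body, 0)
    checksum = hashlib.sha1(toc).digest()
    return {"toc": toc, "offset": 0, "heap": checksum, "sig": sign_checksum(checksum)}


def verify_vulnerable(archive):
    # xar_open-style step: TOC checksum assumed to sit at heap offset 0.
    toc_ok = hashlib.sha1(archive["toc"]).digest() == archive["heap"][:CKSUM_LEN]
    # xar_signature_copy_signed_data-style step: signed bytes taken from
    # wherever the parsed "checksum/offset" property points ("offset" here).
    off = archive["offset"]
    signed = archive["heap"][off:off + CKSUM_LEN]
    sig_ok = hmac.compare_digest(sign_checksum(signed), archive["sig"])
    return toc_ok and sig_ok


def verify_hardened(archive):
    # Read the offset once and use the same bytes for both checks, so the
    # signature can only cover the checksum that was matched to the TOC.
    off = archive["offset"]
    if off != 0:  # the writer always stores the TOC checksum first in the heap
        return False
    stored = archive["heap"][off:off + CKSUM_LEN]
    if hashlib.sha1(archive["toc"]).digest() != stored:
        return False
    return hmac.compare_digest(sign_checksum(stored), archive["sig"])


def rearranged_archive(archive, new_body):
    """Layout from the report, used as a test input the verifiers must judge:
    new TOC's checksum at offset 0, old checksum moved up, old signature kept."""
    moved_to = CKSUM_LEN
    toc = serialize_toc(new_body, moved_to)
    heap = hashlib.sha1(toc).digest() + archive["heap"][:CKSUM_LEN]
    return {"toc": toc, "offset": moved_to, "heap": heap, "sig": archive["sig"]}
```

With the rearranged layout, `verify_vulnerable` still returns True because each step reads a different checksum, while `verify_hardened` rejects it.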
--- Begin Message ---
Version: 1.5.2-2+rm

Package removed from Debian unstable: http://bugs.debian.org/574023

-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi


--- End Message ---
