Debian Security Advisory
DSA-2277-1 xml-security-c -- stack-based buffer overflow
- Date Reported:
- 10 Jul 2011
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 632973.
In Mitre's CVE dictionary: CVE-2011-2516.
- More information:
It has been discovered that xml-security-c, an implementation of the XML Digital Signature and Encryption specifications, is not properly handling RSA keys of sizes on the order of 8192 or more bits. This allows an attacker to crash applications using this functionality or potentially execute arbitrary code by tricking an application into verifying a signature created with a sufficiently long RSA key.
For the oldstable distribution (lenny), this problem has been fixed in version 1.4.0-3+lenny3.
For the stable distribution (squeeze), this problem has been fixed in version 1.5.1-3+squeeze1.
For the testing distribution (wheezy), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in version 1.6.1-1.
We recommend that you upgrade your xml-security-c packages.