{"id":"MGASA-2013-0193","summary":"Updated xml-security-c package fixes multiple security vulnerabilities","details":"The implementation of XML digital signatures in the Santuario-C++ library\nis vulnerable to a spoofing issue allowing an attacker to reuse existing\nsignatures with arbitrary content (CVE-2013-2153).\n\nA stack overflow, possibly leading to arbitrary code execution, exists in\nthe processing of malformed XPointer expressions in the XML Signature\nReference processing code (CVE-2013-2154).\n\nA bug in the processing of the output length of an HMAC-based XML\nSignature would cause a denial of service when processing specially chosen\ninput (CVE-2013-2155).\n\nA heap overflow exists in the processing of the PrefixList attribute\noptionally used in conjunction with Exclusive Canonicalization, potentially\nallowing arbitrary code execution (CVE-2013-2156).\n\nThe attempted fix to address CVE-2013-2154 introduced the possibility of a\nheap overflow, possibly leading to arbitrary code execution, in the\nprocessing of malformed XPointer expressions in the XML Signature Reference\nprocessing code (CVE-2013-2210).\n","modified":"2026-04-16T01:49:12.528178442Z","published":"2013-07-01T19:12:07Z","upstream":["CVE-2013-2153","CVE-2013-2154","CVE-2013-2155","CVE-2013-2156","CVE-2013-2210"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2013-0193.html"},{"type":"WEB","url":"http://santuario.apache.org/secadv.html"},{"type":"WEB","url":"http://www.debian.org/security/2013/dsa-2710"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=10563"}],"affected":[{"package":{"name":"xml-security-c","ecosystem":"Mageia:2","purl":"pkg:rpm/mageia/xml-security-c?arch=source&distro=mageia-2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.1-1.2.mga2"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0193.json"}},{"package":{"name":"xml-security-c","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/xml-security-c?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.0-2.2.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0193.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}