Debian DSA-2277-1 : xml-security-c - stack-based buffer overflow

2011-07-12T00:00:00
ID DEBIAN_DSA-2277.NASL
Type nessus
Reporter Tenable
Modified 2018-11-10T00:00:00

Description

It has been discovered that xml-security-c, an implementation of the XML Digital Signature and Encryption specifications, is not properly handling RSA keys of sizes on the order of 8192 or more bits. This allows an attacker to crash applications using this functionality or potentially execute arbitrary code by tricking an application into verifying a signature created with a sufficiently long RSA key.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-2277. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(55555);
  script_version("1.10");
  script_cvs_date("Date: 2018/11/10 11:49:35");

  script_cve_id("CVE-2011-2516");
  script_bugtraq_id(48611);
  script_xref(name:"DSA", value:"2277");

  script_name(english:"Debian DSA-2277-1 : xml-security-c - stack-based buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"It has been discovered that xml-security-c, an implementation of the
XML Digital Signature and Encryption specifications, is not properly
handling RSA keys of sizes on the order of 8192 or more bits. This
allows an attacker to crash applications using this functionality or
potentially execute arbitrary code by tricking an application into
verifying a signature created with a sufficiently long RSA key."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632973"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze/xml-security-c"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2011/dsa-2277"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the xml-security-c packages.

For the oldstable distribution (lenny), this problem has been fixed in
version 1.4.0-3+lenny3.

For the stable distribution (squeeze), this problem has been fixed in
version 1.5.1-3+squeeze1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xml-security-c");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"5.0", prefix:"xml-security-c", reference:"1.4.0-3+lenny3")) flag++;
if (deb_check(release:"6.0", prefix:"libxml-security-c-dev", reference:"1.5.1-3+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"libxml-security-c15", reference:"1.5.1-3+squeeze1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");