Buffer overflow bugs CVE-2011-2516

Bug #807414 reported by John Cooper
This bug affects 2 people
Affects                   Status        Importance  Assigned to  Milestone
xml-security-c (Debian)   Fix Released  Unknown
xml-security-c (Ubuntu)   Fix Released  Undecided   Unassigned
  Lucid                   Fix Released  Undecided   Unassigned
  Maverick                Fix Released  Undecided   Unassigned
  Natty                   Fix Released  Undecided   Unassigned
  Oneiric                 Fix Released  Undecided   Unassigned

Bug Description

There is a buffer overflow in this library.

http://santuario.apache.org/secadv/CVE-2011-2516.txt

This also affects the Shibboleth single sign-on library as mentioned here, and I will add a separate bug for this:

http://shibboleth.internet2.edu/secadv/secadv_20110706.txt

John Cooper (choffee)
visibility: private → public
Steve Beattie (sbeattie) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

John Cooper (choffee) wrote :

This has now been fixed in Debian:

http://anonscm.debian.org/gitweb/?p=pkg-shibboleth/xml-security-c.git;a=tag;h=4b2d1f0c34d472d396f8103be7421c291af5f6a4

Can this patch be applied to the Ubuntu package as well please?

Joshua Daniel Franklin (joshuadfranklin) wrote :

I'd love to see this security update synced from debian.

Changed in xml-security-c (Ubuntu):
status: New → Confirmed
Changed in xml-security-c (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in xml-security-c (Ubuntu Lucid):
status: New → Triaged
Changed in xml-security-c (Ubuntu Maverick):
status: New → Fix Committed
Changed in xml-security-c (Ubuntu Natty):
status: New → Fix Committed
Changed in xml-security-c (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in xml-security-c (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in xml-security-c (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in xml-security-c (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in xml-security-c (Debian):
status: Unknown → Fix Released
Marc Deslauriers (mdeslaur) wrote :

I've commented in the merge request. I am unsubscribing ubuntu-security-sponsors for now since there's nothing to do. Once you've fixed the merge request, or have attached a debdiff to correct the issue, please re-subscribe ubuntu-security-sponsors. Thanks!
