CVE-2013-2153: Apache Santuario XML Security for C++ contains an
XML Signature Bypass issue

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Santuario XML Security for C++ library versions
prior to V1.7.1

Description: The implementation of XML digital signatures in the
Santuario-C++ library is vulnerable to a spoofing issue allowing an
attacker to reuse existing signatures with arbitrary content.

The vulnerability affects only applications that do not perform
proper checking/analysis of the content of the Reference elements
in the Signature, but the bug exacerbates this problem by opening
such applications to attacks using arbitrary content, instead of
just attacks involving malicious, but signed, content.


Mitigation: Applications using library versions older than V1.7.1 should
upgrade as soon as possible. Distributors of older versions should apply
the
patches from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=r1493959

Applications that appropriately examine the content of the signatures
they accept are immune to this issue. The only API provided for
this purpose in the library is to examine the individual Reference
elements to enforce limitations over their content, and doing so will
prevent this vulnerability. Developers with questions about this should
inquire on the Santuario project's mailing list.

Credit: This issue was reported by James Forshaw, Context Information
Security

References: http://santuario.apache.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)

iQIcBAEBCgAGBQJRv9NrAAoJEDeLhFQCJ3liPjMQAL24TiWH2gr5O1cXSjoxjJwp
WqfKGUvIE2tYY5fx8X8dE5jkLNSDefD517HsEJgebIllDuqwzC8sakcwh7yrCX9x
eGimv9RY9q0FdFk9bGnYNAB01f4ILGB+YV8yI8+J8um1dfUne0GWSxn1NWG4M4Zp
iEBUcxaBcU9IUF1uNiDD3gcR+47wzTz6kMnWFxDNEl62FpIeUvvt0d6nwY7MZL7h
q2FDP1Bt3cYWvsbUS47CKC+Ep+H5DybYAWK+jtvOkfEbFT9x4dynG1nMCPDNuRCz
UMczJ+a48UpYZGu5lN2YHDjU5ZJOExhWfeXxwnbNxAg50HVkU0LsOjSP8feUSkki
WFhQjbBMnpv7LJS7GWd08CaIrkYYH2/aUmEKkQeIODKCrfbys19XHtENeWIfS6lM
uSQlKG+GTg8h/lADbLhbtCRK5n6mRI2Icb7PHI+r1fuJx7TpESregPST0HcPWroD
nKoeFz+oS5v9BDMGqjMxbNvgA38fhBnPwfvbpH6yzPnL8XDZAKiFytBC/ZWO/0JX
yc+RDdasJBEghlZwjXrk1l/GR1h87kMbwIBFUE0stmByT9x5SUzrghgP9U0lXWah
ykUVDyICd97YryJWhRrRLnQW78US4PVDA0hm4sIOlEqVdiWHCOkQ1+yDmXjbFKca
C56YjpUEMmP6CCsMfmhq
=x8kA
-----END PGP SIGNATURE-----