Braden Thomas of the Apple Security Team reported a signature verification bypass vulnerability in xar. xar_open assumes that the checksum is stored at offset 0, however xar_signature_copy_signed_data uses the xar property "checksum/offset" to find the offset to the checksum when validating the signature. Because of this, a modified xar archive can pass signature validation by putting the checksum for the modified TOC at offset 0, pointing "checksum/offset" to the non-modified checksum at a higher offset, and using the original, non-modified, signature. The fix was incorporated upstream with revision 225: http://code.google.com/p/xar/source/detail?r=225
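The two mismatched offsets described in this report, as a constructed Python model added here (not xar's own code): SHA-1 stands in for xar's TOC checksum, a keyed HMAC stands in for the RSA signature over that checksum, and the TOC bytes are constructed. verify_fixed shows one consistent way to close the gap, not necessarily the exact change made in revision 225.

```python
import hashlib
import hmac

# Constructed model of the layout the report describes, not xar's real format:
# the TOC is signed indirectly, via a checksum of the TOC stored in the heap.
SIGNING_KEY = b"constructed stand-in for the publisher's signing key"
DIGEST_LEN = 20  # SHA-1 digest length

def toc_checksum(toc: bytes) -> bytes:
    return hashlib.sha1(toc).digest()

def sign(data: bytes) -> bytes:
    # HMAC stands in for the RSA signature over the checksum bytes.
    return hmac.new(SIGNING_KEY, data, hashlib.sha1).digest()

def verify_vulnerable(toc: bytes, heap: bytes, checksum_offset: int, signature: bytes) -> bool:
    # xar_open behaviour: the integrity check reads the checksum at heap offset 0.
    if heap[:DIGEST_LEN] != toc_checksum(toc):
        return False
    # xar_signature_copy_signed_data behaviour: the signature is checked over the
    # bytes at the TOC-supplied "checksum/offset", which need not be offset 0.
    signed = heap[checksum_offset:checksum_offset + DIGEST_LEN]
    return hmac.compare_digest(sign(signed), signature)

def verify_fixed(toc: bytes, heap: bytes, checksum_offset: int, signature: bytes) -> bool:
    # Both checks must cover the same bytes: the checksum actually compared
    # against the TOC is the only data the signature may vouch for.
    stored = heap[:DIGEST_LEN]
    if stored != toc_checksum(toc) or checksum_offset != 0:
        return False
    return hmac.compare_digest(sign(stored), signature)

def demo() -> dict:
    # Publisher builds and signs a legitimate archive (constructed TOC).
    original_toc = b"<toc><file>payload.bin</file><checksum offset='0'/></toc>"
    original_sum = toc_checksum(original_toc)
    signature = sign(original_sum)
    # Modified archive: new TOC checksum at offset 0 satisfies xar_open, the
    # untouched original checksum follows it, checksum/offset points there,
    # and the original signature is reused unchanged.
    tampered_toc = b"<toc><file>replaced.bin</file><checksum offset='20'/></toc>"
    tampered_heap = toc_checksum(tampered_toc) + original_sum
    return {
        "genuine_vulnerable": verify_vulnerable(original_toc, original_sum, 0, signature),
        "genuine_fixed": verify_fixed(original_toc, original_sum, 0, signature),
        "tampered_vulnerable": verify_vulnerable(tampered_toc, tampered_heap, DIGEST_LEN, signature),
        "tampered_fixed": verify_fixed(tampered_toc, tampered_heap, DIGEST_LEN, signature),
    }
```

The modified archive passes verify_vulnerable while verify_fixed rejects it, because the fixed check only trusts a signature over the checksum it actually compared against the TOC.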
This vulnerability affects all current releases of Fedora, as well as rawhide, EPEL4, and EPEL5.
xar-1.5.2-6.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/xar-1.5.2-6.fc12
xar-1.5.2-6.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/xar-1.5.2-6.fc13
xar-1.5.2-6.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/xar-1.5.2-6.fc11
xar-1.5.2-6.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/xar-1.5.2-6.el5
xar-1.5.2-6.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
xar-1.5.2-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
xar-1.5.2-6.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
xar-1.5.2-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.