Nicolas Grégoire discovered that xmlsec1 can create a file with an attacker-specified path name and content when xmlsec1 is used to verify the signature of a specially crafted XML file specifying an XSLT transformation. This may be used to create or overwrite arbitrary files writable by the user running xmlsec1.
This issue was addressed upstream via the following commit, which disables XSLT read/write by default:
Red Hat would like to thank Nicolas Grégoire and Aleksey Sanin for reporting this issue.
Public now via xmlsec upstream release 1.2.17:
Created xmlsec1 tracking bugs for this issue
Affects: fedora-all [bug 692792]
Affects: epel-6 [bug 692793]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2011:0486 https://rhn.redhat.com/errata/RHSA-2011-0486.html
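
For services that pass untrusted XML to signature verification, the check below flags any `ds:Transform` that would invoke XSLT so the document can be rejected before verification. It is an added example, not xmlsec code or part of the upstream fix; the function names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Algorithm identifier that XML-DSig assigns to the XSLT transform.
XSLT_ALG = "http://www.w3.org/TR/1999/REC-xslt-19991116"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"

def xslt_transforms(xml_text):
    """Return the Algorithm of every ds:Transform that would run XSLT."""
    root = ET.fromstring(xml_text)
    findings = []
    for tr in root.iter("{%s}Transform" % DSIG_NS):
        alg = tr.get("Algorithm", "")
        # Also catch a stylesheet embedded under a mislabelled transform.
        embedded = any(el.tag.startswith("{%s}" % XSL_NS) for el in tr.iter())
        if alg == XSLT_ALG or embedded:
            findings.append(alg or "(no Algorithm attribute)")
    return findings

def safe_to_verify(xml_text):
    """False if the document is malformed, carries a DTD, or requests XSLT."""
    if "<!DOCTYPE" in xml_text:
        return False  # keep DTDs and entity tricks away from the pre-filter
    try:
        return not xslt_transforms(xml_text)
    except ET.ParseError:
        return False

# Constructed samples: a signature skeleton with one transform slot.
_TEMPLATE = (
    '<doc><ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="">'
    '<ds:Transforms>%%s</ds:Transforms></ds:Reference></ds:SignedInfo>'
    '</ds:Signature></doc>' % DSIG_NS)
BENIGN = _TEMPLATE % (
    '<ds:Transform Algorithm="%senveloped-signature"/>' % DSIG_NS)
# The stylesheet here is empty on purpose; only its presence matters.
WITH_XSLT = _TEMPLATE % (
    '<ds:Transform Algorithm="%s"><xsl:stylesheet version="1.0" '
    'xmlns:xsl="%s"/></ds:Transform>' % (XSLT_ALG, XSL_NS))

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("with_xslt", WITH_XSLT)):
        print(name, "safe_to_verify =", safe_to_verify(doc))
```
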