Nicolas Grégoire discovered that xmlsec1 can create a file with attacker-specified path name and content when xmlsec1 is used to verify a signature of a specially-crafted XML file specifying XSLT transformation. This may be used to create or overwrite arbitrary file writeable to the user running xmlsec1. This issue was addressed upstream via following commit, which disables XSLT read/write by default: http://git.gnome.org/browse/xmlsec/commit/?id=35eaacde6093d6711339754fc2146341b8b9f5fa Acknowledgements: Red Hat would like to thank Nicolas Grégoire and Aleksey Sanin for reporting this issue.
Public now via xmlsec upstream release 1.2.17: http://www.aleksey.com/pipermail/xmlsec/2011/009120.html
Created xmlsec1 tracking bugs for this issue Affects: fedora-all [bug 692792] Affects: epel-6 [bug 692793]
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2011:0486 https://rhn.redhat.com/errata/RHSA-2011-0486.html