A heap-based buffer overflow flaw was found in the way xml-security-c, a C++ implementation of the XML Digital Signature specification, used to evaluate certain XPointer expressions. The fix to address CVE-2013-2154 flaw introduced a possibility of a heap-based buffer overflow, in the processing of malformed XPointer expression in the XML Signature References processing code. A remote attacker could provide a specially-crafted XML file to an application linked against xml-security-c that, when processed would lead to that application crash or, potentially, arbitrary code execution with the privileges of the user running the application. References: [1] http://santuario.apache.org/secadv.data/CVE-2013-2210.txt Relevant upstream patch: [2] http://svn.apache.org/viewvc?view=revision&revision=r1496703
Created xml-security-c tracking bugs for this issue: Affects: fedora-all [bug 978990] Affects: epel-all [bug 978991]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.