=====================================================================
                                    CERT-Renater

                         Information Note No. 2011/VULN289
_____________________________________________________________________

DATE                      : 04/04/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running XML Security Library versions prior to 1.2.17.

======================================================================
http://www.aleksey.com/pipermail/xmlsec/2011/009120.html
______________________________________________________________________

The new XML Security Library 1.2.17 release is available at
the usual place:

     http://www.aleksey.com/xmlsec/download.html

This release includes a fix for an important security issue
with XSLT transforms (CVE-2011-1425, reported by Nicolas Gregoire):

When using XML Security Library prior to 1.2.17, it is possible
to create or overwrite arbitrary files during signature verification,
if XSLT is present and enabled (which is the default mode). The attack
uses the libxslt extension "output" or its aliases, inside a
<ds:Transform> element.

It is strongly recommended to upgrade to the new version of XML
Security Library as soon as possible. If the upgrade cannot be
performed, you can do one of the following:

- Explicitly call xsltNewSecurityPrefs() in your application and
  forbid any access to the file system, as is done in the following
  commits:

     http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780
     http://trac.webkit.org/changeset/79159

- Recompile the xmlsec library with XSLT support disabled, using the
  command

     ./configure --without-libxslt

- Disable the XSLT transform if it is not used (see the enabledUris
  field in struct xmlSecTransformCtx)



Thanks to everyone for the contribution, patches and bug reports!

Aleksey Sanin


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================