Moritz Muehlenhoff
2010-Mar-04 21:00 UTC
[Secure-testing-team] Bug#572556: CVE-2010-0055: Signature verification bypass
Package: xar
Severity: grave
Tags: security

The following was reported to us by Braden Thomas of the Apple Security Team:

>> Description:
>> We've discovered a signature verification bypass issue in xar. The
>> issue is that xar_open assumes that the checksum is stored at offset
>> 0, but xar_signature_copy_signed_data uses xar property
>> "checksum/offset" to find the offset to the checksum when validating
>> the signature. As a result, a modified xar archive can pass signature
>> validation by putting the checksum for the modified TOC at offset 0,
>> pointing "checksum/offset" at the non-modified checksum at a higher
>> offset, and using the original non-modified signature.
>>
>> CVE-ID: CVE-2010-0055
>>
>> Timing:
>> Proposed embargo date is March 3rd
>>
>> Fix:
>> This issue was fixed in xar r225 - patch available from:
>> http://code.google.com/p/xar/source/detail?r=225

Cheers,
Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages xar depends on:
ii  libc6         2.10.2-5           Embedded GNU C Library: Shared lib
ii  libssl0.9.8   0.9.8k-8           SSL shared libraries
pn  libxar1       <none>             (no description available)
ii  libxml2       2.7.6.dfsg-2+b1    GNOME XML library
ii  zlib1g        1:1.2.3.4.dfsg-3   compression library - runtime

xar recommends no packages.

xar suggests no packages.
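A constructed Python model of the offset inconsistency described in the report, added here as an illustration and not xar's code or the reporter's: one function models xar_open reading the checksum at offset 0, another models the pre-r225 signature path that trusts "checksum/offset", and a hardened variant (my own consistency check, not a copy of the r225 patch) requires the signed bytes to be the checksum of the TOC actually being trusted. The HMAC stand-in for xar's RSA signature and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed toy model of the CVE-2010-0055 logic, not xar's own code.
# An archive is a TOC (dict), a heap (bytes) and a signature. The TOC checksum
# is SHA-1 over the serialized TOC; the "signature" is an HMAC stand-in for
# xar's RSA signature, so only the signer's key can produce a valid one.
SIGNER_KEY = b"constructed-signer-key"
DIGEST = 20  # SHA-1 length

def toc_hash(toc):
    return hashlib.sha1(repr(sorted(toc.items())).encode()).digest()

def sign(data):
    return hmac.new(SIGNER_KEY, data, hashlib.sha256).digest()

def build_signed(toc):
    """Signer's side: checksum at heap offset 0, signature over that checksum."""
    toc = dict(toc, **{"checksum/offset": 0})
    digest = toc_hash(toc)
    return toc, digest + b"\x00" * 8, sign(digest)  # heap: checksum + padding

def open_check(toc, heap):
    """Models xar_open: the TOC checksum is always read from heap offset 0."""
    return hmac.compare_digest(toc_hash(toc), heap[:DIGEST])

def signature_check_vulnerable(toc, heap, sig):
    """Models the pre-r225 signature path: the signed bytes are located via
    the TOC property checksum/offset, which the archive itself controls."""
    off = toc["checksum/offset"]
    return hmac.compare_digest(sign(heap[off:off + DIGEST]), sig)

def signature_check_fixed(toc, heap, sig):
    """Hardened form (my consistency check, not a copy of the r225 patch):
    the bytes the signature covers must be the checksum of this very TOC."""
    off = toc["checksum/offset"]
    signed = heap[off:off + DIGEST]
    return (hmac.compare_digest(signed, toc_hash(toc))
            and hmac.compare_digest(sign(signed), sig))

def verify(toc, heap, sig, sig_check):
    """Full open: the TOC checksum check and the signature check must both pass."""
    return open_check(toc, heap) and sig_check(toc, heap, sig)

def modified_archive(toc, heap, sig):
    """The archive shape from the report: new TOC checksum at offset 0,
    checksum/offset pointing at the untouched original, original signature."""
    new_toc = dict(toc, payload="modified", **{"checksum/offset": DIGEST})
    return new_toc, toc_hash(new_toc) + heap[:DIGEST] + heap[DIGEST:], sig
```

The modified archive passes open_check and the vulnerable signature path, but the fixed path rejects it because the checksum the signature covers is not the checksum of the TOC that was just validated.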