CVE-2013-2153: Apache Santuario XML Security for C++ contains an
XML Signature Bypass issue

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Santuario XML Security for C++ library versions
prior to V1.7.1

Description: The implementation of XML digital signatures in the
Santuario-C++ library is vulnerable to a spoofing issue allowing an
attacker to reuse existing signatures with arbitrary content.

The vulnerability affects only applications that do not perform
proper checking/analysis of the content of the Reference elements
in the Signature, but the bug exacerbates this problem by opening
such applications to attacks using arbitrary content, instead of
just attacks involving malicious, but signed, content.


Mitigation: Applications using library versions older than V1.7.1 should
upgrade as soon as possible. Distributors of older versions should apply
the
patches from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=r1493959

Applications that appropriately examine the content of the signatures
they accept are immune to this issue. The only API provided for
this purpose in the library is to examine the individual Reference
elements to enforce limitations over their content, and doing so will
prevent this vulnerability. Developers with questions about this should
inquire on the Santuario project's mailing list.

Credit: This issue was reported by James Forshaw, Context Information
Security