CVE-2013-2156: Apache Santuario XML Security for C++ contains heap
overflow while processing InclusiveNamespace PrefixList

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Santuario XML Security for C++ library versions
prior to V1.7.1

Description: A heap overflow exists in the processing of the PrefixList
attribute optionally used in conjunction with Exclusive Canonicalization,
potentially allowing arbitary code execution. If verification of
the signature occurs prior to actual evaluation of a signing key,
this could be exploited by an unauthenticated attacker.


Mitigation: Applications using library versions older than V1.7.1 should
upgrade as soon as possible. Distributors of older versions should apply
the
patches from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1493961

Applications that prevent the use of Exclusive Canonicalization through
the examination of signature content prior to verification are immune
to this issue.

Credit: This issue was reported by James Forshaw, Context Information
Security

References: http://santuario.apache.org/