Bug 1075975 - (CVE-2018-0486) VUL-0: CVE-2018-0486: xmltooling: Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Providerbefore 2.6.0 on Windows and other products, mishandles digital signatures ofuser attribute data
(CVE-2018-0486)
VUL-0: CVE-2018-0486: xmltooling: Shibboleth XMLTooling-C before 1.6.3, as us...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/198267/
CVSSv3:SUSE:CVE-2018-0486:4.8:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-15 11:22 UTC by Matthias Gerstner
Modified: 2018-01-23 23:43 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Gerstner 2018-01-15 11:22:50 UTC
CVE-2018-0486

Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Provider
before 2.6.0 on Windows and other products, mishandles digital signatures of
user attribute data, which allows remote attackers to obtain sensitive
information or conduct impersonation attacks via a crafted DTD.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0486
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-0486.html
http://www.debian.org/security/2018/dsa-4085
http://www.cvedetails.com/cve/CVE-2018-0486/
http://www.securitytracker.com/id/1040177
https://lists.debian.org/debian-security-announce/2018/msg00007.html
https://shibboleth.net/community/advisories/secadv_20180112.txt
https://www.debian.org/security/2018/dsa-4085
Comment 1 Matthias Gerstner 2018-01-15 11:27:02 UTC
The upstream commit that fixes this is found here:

https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=a02314e96d6746d29c5697b504d37f2e04a6e6cd

The only codestream SUSE:SLE-12-SP1:Update is affected in

  xmltooling-1.5.6/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp:209
Comment 2 Kristyna Streitova 2018-01-15 12:40:41 UTC
Submitted:

|    Codestream    |  Request  |
|------------------|-----------|
| SLE12SP1         | #151171   |
| openSUSE:Leap    | via SLE12 |
| openSUSE:Factory | #565311   |

We are done here, I'm reassigning it to the security-team.
Comment 5 Swamp Workflow Management 2018-01-19 17:09:28 UTC
SUSE-SU-2018:0140-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1075975
CVE References: CVE-2018-0486
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xmltooling-1.5.6-3.3.2
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xmltooling-1.5.6-3.3.2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    xmltooling-1.5.6-3.3.2
SUSE Linux Enterprise Server 12-SP3 (src):    xmltooling-1.5.6-3.3.2
SUSE Linux Enterprise Server 12-SP2 (src):    xmltooling-1.5.6-3.3.2
Comment 6 Andreas Stieger 2018-01-20 13:20:47 UTC
done
Comment 7 Swamp Workflow Management 2018-01-20 17:15:48 UTC
openSUSE-SU-2018:0158-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1075975
CVE References: CVE-2018-0486
Sources used:
openSUSE Leap 42.3 (src):    xmltooling-1.5.6-6.1
openSUSE Leap 42.2 (src):    xmltooling-1.5.6-3.3.1