xar
Page content
- Author: Miklos Vajna
- Vulnerable: 1.5.2-1
- Unaffected: 1.5.2-2locris1
Braden Thomas from Apple has discovered a signature verification bypass issue in xar. The issue is that xar_open assumes that the checksum is stored at offset 0, but xar_signature_copy_signed_data uses xar property “checksum/offset” to find the offset to the checksum when validating the signature. As a result, a modified xar archive can pass signature validation by putting the checksum for the modified TOC at offset 0, pointing “checksum/offset” at the non-modified checksum at a higher offset, and using the original non-modified signature.
- Bug Tracker URL: http://bugs.frugalware.org/task/4128