[wss4j] 03/05: Fixed CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Thu Feb 12 09:01:13 UTC 2015
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch master
in repository wss4j.
commit a02e4e4a1081564baa0da40d57ffbbe79201b0ee
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Thu Feb 12 09:42:47 2015 +0100
Fixed CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack
---
debian/changelog | 3 +
debian/patches/02-CVE-2015-0227.patch | 137 ++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 141 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 10b8c9c..7a7fc24 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
wss4j (1.6.15-2) UNRELEASED; urgency=medium
+ * Fixed security issues (Closes: #777741):
+ - CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack
+ (incomplete fix for CVE-2011-2487)
* Standards-Version updated to 3.9.6 (no changes)
-- Emmanuel Bourg <ebourg at apache.org> Thu, 12 Feb 2015 09:11:29 +0100
diff --git a/debian/patches/02-CVE-2015-0227.patch b/debian/patches/02-CVE-2015-0227.patch
new file mode 100644
index 0000000..464a1a7
--- /dev/null
+++ b/debian/patches/02-CVE-2015-0227.patch
@@ -0,0 +1,137 @@
+Description: Fix CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)
+Origin: backport, http://svn.apache.org/r1619359
+Bug-Debian: http://bugs.debian.org/777741
+--- a/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java
++++ b/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java
+@@ -91,7 +91,7 @@
+ );
+
+ if (elem != null && request.isRequireSignedEncryptedDataElements()) {
+- WSSecurityUtil.verifySignedElement(elem, elem.getOwnerDocument(), wsDocInfo.getSecurityHeader());
++ WSSecurityUtil.verifySignedElement(elem, wsDocInfo);
+ }
+
+ SecretKey key = null;
+--- a/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
++++ b/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
+@@ -403,7 +403,7 @@
+ Element encryptedDataElement =
+ ReferenceListProcessor.findEncryptedDataElement(doc, docInfo, dataRefURI);
+ if (encryptedDataElement != null && data.isRequireSignedEncryptedDataElements()) {
+- WSSecurityUtil.verifySignedElement(encryptedDataElement, doc, docInfo.getSecurityHeader());
++ WSSecurityUtil.verifySignedElement(encryptedDataElement, docInfo);
+ }
+ //
+ // Prepare the SecretKey object to decrypt EncryptedData
+--- a/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
++++ b/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
+@@ -132,7 +132,7 @@
+ Element encryptedDataElement = findEncryptedDataElement(doc, wsDocInfo, dataRefURI);
+
+ if (encryptedDataElement != null && asymBinding && data.isRequireSignedEncryptedDataElements()) {
+- WSSecurityUtil.verifySignedElement(encryptedDataElement, doc, wsDocInfo.getSecurityHeader());
++ WSSecurityUtil.verifySignedElement(encryptedDataElement, wsDocInfo);
+ }
+ //
+ // Prepare the SecretKey object to decrypt EncryptedData
+--- a/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
++++ b/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
+@@ -24,6 +24,7 @@
+ import org.apache.ws.security.SOAPConstants;
+ import org.apache.ws.security.WSConstants;
+ import org.apache.ws.security.WSDataRef;
++import org.apache.ws.security.WSDocInfo;
+ import org.apache.ws.security.WSEncryptionPart;
+ import org.apache.ws.security.WSSecurityEngineResult;
+ import org.apache.ws.security.WSSecurityException;
+@@ -50,10 +51,8 @@
+ import java.security.SecureRandom;
+ import java.util.ArrayList;
+ import java.util.Collections;
+-import java.util.HashSet;
+ import java.util.Iterator;
+ import java.util.List;
+-import java.util.Set;
+
+ /**
+ * WS-Security Utility methods. <p/>
+@@ -1350,56 +1349,39 @@
+ }
+ }
+
+- public static void verifySignedElement(Element elem, Document doc, Element securityHeader)
+- throws WSSecurityException {
+- final Element envelope = doc.getDocumentElement();
+- final Set<String> signatureRefIDs = getSignatureReferenceIDs(securityHeader);
+- if (!signatureRefIDs.isEmpty()) {
+- Node cur = elem;
+- while (!cur.isSameNode(envelope)) {
+- if (cur.getNodeType() == Node.ELEMENT_NODE) {
+- if (WSConstants.SIG_LN.equals(cur.getLocalName())
+- && WSConstants.SIG_NS.equals(cur.getNamespaceURI())) {
+- throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
+- "requiredElementNotSigned", new Object[] {elem});
+- } else if (isLinkedBySignatureRefs((Element)cur, signatureRefIDs)) {
+- return;
++ public static void verifySignedElement(Element elem, WSDocInfo wsDocInfo) throws WSSecurityException {
++ List<WSSecurityEngineResult> signedResults = wsDocInfo.getResultsByTag(WSConstants.SIGN);
++ if (signedResults != null) {
++ for (WSSecurityEngineResult signedResult : signedResults) {
++ @SuppressWarnings("unchecked")
++ List<WSDataRef> dataRefs = (List<WSDataRef>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
++ if (dataRefs != null) {
++ for (WSDataRef dataRef : dataRefs) {
++ if (isElementOrAncestorSigned(elem, dataRef.getProtectedElement())) {
++ return;
++ }
+ }
+ }
+- cur = cur.getParentNode();
+ }
+ }
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_CHECK, "requiredElementNotSigned", new Object[] {elem});
+ }
+
+- private static boolean isLinkedBySignatureRefs(Element elem, Set<String> allIDs) {
+- // Try the wsu:Id first
+- String attributeNS = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
+- if (!"".equals(attributeNS) && allIDs.contains(attributeNS)) {
+- return true;
+- }
+- attributeNS = elem.getAttributeNS(null, "Id");
+- return (!"".equals(attributeNS) && allIDs.contains(attributeNS));
+- }
+-
+- private static Set<String> getSignatureReferenceIDs(Element wsseHeader) throws WSSecurityException {
+- final Set<String> refs = new HashSet<String>();
+- final List<Element> signatures = WSSecurityUtil.getDirectChildElements(wsseHeader, WSConstants.SIG_LN, WSConstants.SIG_NS);
+- for (Element signature : signatures) {
+- Element sigInfo = WSSecurityUtil.getDirectChildElement(signature, WSConstants.SIG_INFO_LN, WSConstants.SIG_NS);
+- List<Element> references = WSSecurityUtil.getDirectChildElements(sigInfo, WSConstants.REF_LN, WSConstants.SIG_NS);
+- for (Element reference : references) {
+- String uri = reference.getAttributeNS(null, "URI");
+- if (!"".equals(uri)) {
+- boolean added = refs.add(WSSecurityUtil.getIDFromReference(uri));
+- if (!added) {
+- log.warn("Duplicated reference uri: " + uri);
+- }
+- }
++ /**
++ * Does the current element or some ancestor of it correspond to the known "signedElement"?
++ */
++ private static boolean isElementOrAncestorSigned(Element elem, Element signedElement) throws WSSecurityException {
++ final Element envelope = elem.getOwnerDocument().getDocumentElement();
++ Node cur = elem;
++ while (!cur.isSameNode(envelope)) {
++ if (cur.getNodeType() == Node.ELEMENT_NODE && cur.equals(signedElement)) {
++ return true;
+ }
++ cur = cur.getParentNode();
+ }
+- return refs;
++
++ return false;
+ }
+
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 1591d9b..446e128 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
01-no-saml.patch
+02-CVE-2015-0227.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/wss4j.git
More information about the pkg-java-commits
mailing list