[wss4j] 04/05: Fix CVE-2015-0226: WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Thu Feb 12 09:01:13 UTC 2015
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch master
in repository wss4j.
commit 60f3852ad426167811d1bae4758e3a17550e6cf4
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Thu Feb 12 09:50:17 2015 +0100
Fix CVE-2015-0226: WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
---
debian/changelog | 2 ++
debian/patches/03-CVE-2015-0226.patch | 41 +++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 44 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 7a7fc24..109a381 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ wss4j (1.6.15-2) UNRELEASED; urgency=medium
* Fixed security issues (Closes: #777741):
- CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack
(incomplete fix for CVE-2011-2487)
+ - CVE-2015-0226: WSS4J doesn't correctly enforce the
+ requireSignedEncryptedDataElements property
* Standards-Version updated to 3.9.6 (no changes)
-- Emmanuel Bourg <ebourg at apache.org> Thu, 12 Feb 2015 09:11:29 +0100
diff --git a/debian/patches/03-CVE-2015-0226.patch b/debian/patches/03-CVE-2015-0226.patch
new file mode 100644
index 0000000..395eaa6
--- /dev/null
+++ b/debian/patches/03-CVE-2015-0226.patch
@@ -0,0 +1,41 @@
+Description: Fix CVE-2015-0226: WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
+Origin: backport, http://svn.apache.org/r1621329
+Bug-Debian: http://bugs.debian.org/777741
+--- a/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
++++ b/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
+@@ -19,6 +19,7 @@
+
+ package org.apache.ws.security.processor;
+
++import java.security.NoSuchAlgorithmException;
+ import java.security.PrivateKey;
+ import java.security.cert.X509Certificate;
+ import java.security.spec.MGF1ParameterSpec;
+@@ -209,7 +210,7 @@
+ private static byte[] getRandomKey(List<String> dataRefURIs, Document doc, WSDocInfo wsDocInfo) throws WSSecurityException {
+ try {
+ String alg = "AES";
+- int size = 128;
++ int size = 16;
+ if (!dataRefURIs.isEmpty()) {
+ String uri = dataRefURIs.iterator().next();
+ Element ee = ReferenceListProcessor.findEncryptedDataElement(doc, wsDocInfo, uri);
+@@ -221,8 +222,16 @@
+ kgen.init(size * 8);
+ SecretKey k = kgen.generateKey();
+ return k.getEncoded();
+- } catch (Exception ex) {
+- throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, ex);
++ } catch (Throwable ex) {
++ // Fallback to just using AES to avoid attacks on EncryptedData algorithms
++ try {
++ KeyGenerator kgen = KeyGenerator.getInstance("AES");
++ kgen.init(128);
++ SecretKey k = kgen.generateKey();
++ return k.getEncoded();
++ } catch (NoSuchAlgorithmException e) {
++ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e);
++ }
+ }
+ }
+
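Review bot: The new `catch (Throwable ex)` in getRandomKey discards `ex` entirely and also absorbs JVM `Error`s such as OutOfMemoryError, so a failure to resolve the EncryptedData algorithm leaves no trace for anyone investigating a run of malformed messages. Returning a random AES key instead of a distinguishable fault is the right response to the caller, but I would narrow the handler to `} catch (Exception ex) {` unless an Error from the provider is a known case, and record `ex` at debug level through whatever logger the class already has, without changing what is returned. The middle of getRandomKey falls between the two inner hunks and is not shown, so this rests on the visible lines only. Separately, the visible change reads like hardening against a decryption oracle rather than enforcement of requireSignedEncryptedDataElements, so it is worth checking the Description header and the CVE ids of patches 02 and 03 against the upstream advisory in case they are swapped.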
diff --git a/debian/patches/series b/debian/patches/series
index 446e128..14e908c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
01-no-saml.patch
02-CVE-2015-0227.patch
+03-CVE-2015-0226.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/wss4j.git