Security fix diffs for 2.x
Scott Cantor
cantor.2 at osu.edu
Fri Nov 6 22:13:06 UTC 2009
The diffs related to the security fix for v2.3 of the SP are spread across
these changes.
The function implementing the fix was placed into xmltooling in this diff
(resulting in the soname bump to 1.3):
http://svn.middleware.georgetown.edu/view/cpp-xmltooling?view=rev&revision=6
76
The fix was then applied to form generation logic in opensaml in this diff:
http://svn.middleware.georgetown.edu/view/cpp-opensaml2?view=rev&revision=52
4
The soname bump to opensaml did not occur because of the fix, but because of
unrelated changes (getting rid of all those inlined functions) and because
the xmltooling soname was bumped anyway.
The SP diffs include the following:
The fix itself:
http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=3183
http://svn.middleware.georgetown.edu/view/cpp-sp/branches/REL_2/apache/mod_a
pache.cpp?r1=3123&r2=3171
http://svn.middleware.georgetown.edu/view/cpp-sp/branches/REL_2/nsapi_shib/n
sapi_shib.cpp?r1=3135&r2=3171
http://svn.middleware.georgetown.edu/view/cpp-sp/branches/REL_2/isapi_shib/i
sapi_shib.cpp?r1=3135&r2=3171
http://svn.middleware.georgetown.edu/view/cpp-sp/branches/REL_2/fastcgi/shib
responder.cpp?r1=2902&r2=3171
http://svn.middleware.georgetown.edu/view/cpp-sp/branches/REL_2/fastcgi/shib
authorizer.cpp?r1=2993&r2=3171
Akin to the 1.3 diffs, a pair of changes are also needed to ensure the SP
doesn't generate any redirects that the fix would reject:
http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=3090
http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=3141
I believe that's everything.
Returning to the question that was raised about altering the backport, the
most likely approach would be to inline the changes to xmltooling in place
of all the calls to reuse that change in opensaml and the SP, with the
opensaml version probably being altered to avoid the dependency on SP
configuration.
It should be possible to avoid duplicating the code everywhere by
implementing the logic in static/globals that aren't exported but would be
declared by the internal.h header that's shared across all of the source
files in each project.
-- Scott
More information about the Pkg-shibboleth-devel
mailing list