Lenny fixes for opensaml2 and shibboleth-sp2

Ferenc Wagner wferi at niif.hu
Fri Nov 27 12:44:33 UTC 2009

Moritz Muehlenhoff <jmm at inutil.org> writes:

> On Thu, Nov 26, 2009 at 05:23:20PM +0100, Ferenc Wagner wrote:
>> I'm backporting the fixes to #555608 (CVE-2009-3300) into Lenny.
>> Upstream solved the issue by introducing new static class members in
>> xmltooling, which lies at the bottom of the library stack, and invoking
>> them from the necessary places.  This resulted in soname changes in
>> libxmltooling, libsaml and libshibsp, which I'm trying to avoid.  It
>> seems readily possible in the opensaml library, but not quite in
>> libshibsp, so I ask for your opinion: may I add two new exported symbols
>> to libshibsp, or should I add the same function definitions to each
>> component?  Or even, should I add static functions into header files
>> (which would mostly go unused, raising warnings from GCC)?
> I'm adding Russ Allbery to CC, he wrote he was working on an update as
> well, we should agree on a common solution.

He's on Cc anyway via pkg-shibboleth-devel.  Actually, he's the one to
do the upload later. :)  (Hi Russ, and happy holidays!)

> Personally I'd be fine with new exported symbols, but we should let
> Russ comment first.

Pushing that, what about exporting opensaml::HTTPResponse_sanitizeURL
from libsaml2 to further reduce code duplication and the patch size?
libshibsp could use it from there, either via some public header or by
private declaration.  This would require a strict (build) dependency on
the fixed opensaml2 for the shibboleth-sp2 fix.  This could be carried
even further by putting all new functions into libsaml2, reducing the
number of touched source files.

Or I can commit the patches as-is if you prefer (and have no other
concerns), and we're ready to upload.
