Proposed security patch for opensaml2

Russ Allbery rra at debian.org
Tue Sep 22 21:04:30 UTC 2009


This one is much smaller.  I think this is all that's required for the 2.x
series.  (I'm working on security patches for the 1.x series now.)

diff --git a/debian/changelog b/debian/changelog
index 14a08fc..493b54a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+opensaml2 (2.0-2+lenny1) UNRELEASED; urgency=low
+
+  * SECURITY: Correctly honor the "use" attribute of <KeyDescriptor> SAML
+    metadata to honor restrictions to signing or encryption.  This is a
+    partial fix; the complete fix also requires a new version of the
+    xmltooling library.
+    See <http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>
+
+ -- Russ Allbery <rra at debian.org>  Thu, 17 Sep 2009 14:23:39 -0700
+
 opensaml2 (2.0-2) unstable; urgency=low
 
   * Include fix for https://bugs.internet2.edu/jira/browse/CPPOST-7
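Review bot: the entry states the fix is only partial and depends on a new xmltooling release, but nothing in this patch records that dependency; add a versioned Depends/Build-Depends on the fixed xmltooling in debian/control (or say in the entry which version is required) so the package cannot be built or installed against a library that still has the other half of the bug. The "UNRELEASED" distribution is fine for a work in progress, but a lenny1 revision should target the stable security suite when uploaded.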
diff --git a/saml/saml2/metadata/MetadataCredentialCriteria.h b/saml/saml2/metadata/MetadataCredentialCriteria.h
index 7d57810..5d3a1c7 100644
--- a/saml/saml2/metadata/MetadataCredentialCriteria.h
+++ b/saml/saml2/metadata/MetadataCredentialCriteria.h
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -64,10 +64,10 @@ namespace opensaml {
                 const MetadataCredentialContext* context = dynamic_cast<const MetadataCredentialContext*>(credential.getCredentalContext());
                 if (context) {
                     // Check for a usage mismatch.
-                    if ((getUsage() | (xmltooling::Credential::SIGNING_CREDENTIAL & xmltooling::Credential::TLS_CREDENTIAL)) &&
+                    if ((getUsage() & (xmltooling::Credential::SIGNING_CREDENTIAL | xmltooling::Credential::TLS_CREDENTIAL)) &&
                             XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_ENCRYPTION))
                         return false;
-                    else if ((getUsage() | xmltooling::Credential::ENCRYPTION_CREDENTIAL) &&
+                    else if ((getUsage() & xmltooling::Credential::ENCRYPTION_CREDENTIAL) &&
                             XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_SIGNING))
                         return false;
                 }
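Review bot: the operator fix is correct and is the whole point of the change. In the removed lines, `SIGNING_CREDENTIAL & TLS_CREDENTIAL` ANDs two distinct flag bits (yielding 0 if they do not overlap), so `getUsage() | 0` reduces to "usage is non-zero", and `getUsage() | ENCRYPTION_CREDENTIAL` is never zero; both branches therefore ignored the requested usage entirely and matched on the `use` attribute alone. With `&` the first branch rejects a use="encryption" key only when signing or TLS is being requested, and the second rejects a use="signing" key only when encryption is requested, which is the intended honoring of `<KeyDescriptor use="...">`. A KeyDescriptor with no `use` attribute still falls through both checks and remains usable for either purpose, as the metadata schema allows. Please add a regression test that resolves a MetadataCredentialCriteria with SIGNING_CREDENTIAL against an entity whose only key is marked use="encryption" and asserts no credential is returned, since this was exactly the case the old expression got wrong.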

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>