Security fixes for opensaml2 and xmltooling

Scott Cantor cantor.2 at osu.edu
Wed Sep 23 15:28:19 UTC 2009


Russ Allbery wrote on 2009-09-23:
>> Is 20090826 remotely exploitable?  Is authentication required?
> 
> My guess, although I'm not certain, is that this is potentially remotely
> exploitable without authentication because it's in the low level URL
> parsing code, which may be used for any data passed to the SP via a URL.  All
> you need to know is an end point that can take information via GET.

The exploit is a classic buffer overrun caused by the URL parsing code, so
it "merely" requires injecting binary data onto the malformed URL and
getting the OS to execute it. Definitely doesn't require authentication, no.

>> Are those issues already public?  Then we can't assign CVEs.
> 
> Oh, I didn't realize that.  Okay, thank you.  I'll keep that in mind for
> the future.

In the future it looks like I'll be requesting CVEs from Debian for my
advisories, so we'll get it right then.

> The underlying problem, as I understand it, is that the necessary
> information to apply key usage checks was not being correctly released
> because the virtual function override didn't happen due to the mismatch
> in spelling.

And I can't correct the function name without going to library version 2.x
(bumping opensaml to 3.x, etc.) The patch fix is to propagate the
misspelling and then change them all later.
 
-- Scott
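The "virtual function override didn't happen due to the mismatch in spelling" mechanism described above, shown as an added, constructed C++ example (not OpenSAML or XMLTooling code; the class and method names `CredentialCriteria`, `matchesKeyUsage`, `MisspelledCriteria` and `CheckedCriteria` are hypothetical). A subclass method whose name differs from the base virtual by one letter compiles cleanly but declares a new function rather than overriding, so callers holding a base pointer never reach the intended check; the C++11 `override` specifier turns that silent no-op into a compile error.

```cpp
#include <string>

// Constructed illustration: a base class with a virtual hook that a subclass
// is expected to override in order to enforce key usage. The permissive
// default stands in for "no usage restriction" in the base.
class CredentialCriteria {
public:
    virtual ~CredentialCriteria() = default;
    // Hypothetical hook: true when the credential's key usage is acceptable.
    virtual bool matchesKeyUsage(const std::string&) const { return true; }
};

// Subclass whose author misspelled the method name ("Ussage"). This compiles
// without complaint, but it introduces a brand-new virtual function instead of
// overriding the base one, so the base default is what actually runs.
class MisspelledCriteria : public CredentialCriteria {
public:
    virtual bool matchesKeyUssage(const std::string& usage) const {
        return usage == "signing";
    }
};

// Corrected subclass. With `override`, a spelling mismatch against the base
// signature is a compile-time error rather than a silently skipped check.
class CheckedCriteria : public CredentialCriteria {
public:
    bool matchesKeyUsage(const std::string& usage) const override {
        return usage == "signing";
    }
};

// Library-style caller: it only knows the base interface, exactly the
// situation in which a failed override goes unnoticed at runtime.
bool keyUsageAccepted(const CredentialCriteria& criteria, const std::string& usage) {
    return criteria.matchesKeyUsage(usage);
}

// Helpers exposing the two behaviours for comparison.
bool misspelledAccepts(const std::string& usage) {
    MisspelledCriteria m;
    return keyUsageAccepted(m, usage);   // base default: always true
}

bool checkedAccepts(const std::string& usage) {
    CheckedCriteria c;
    return keyUsageAccepted(c, usage);   // real check: only "signing" passes
}
```

Compiling with `-Wall -Wextra` (or `-Wsuggest-override` / `-Winconsistent-missing-override` where the compiler offers it) is the cheap audit for this class of bug across an existing code base that predates `override`.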
