Security fixes for opensaml2 and xmltooling

Russ Allbery rra at debian.org
Wed Sep 23 22:58:52 UTC 2009


Florian Weimer <fw at deneb.enyo.de> writes:
> * Scott Cantor:
>> Russ Allbery wrote on 2009-09-23:

>>>> Is 20090826 remotely exploitable?  Is authentication required?

>>> My guess, although I'm not certain, is that this is potentially
>>> remotely exploitable without authentication because it's in the low
>>> level URL parsing code, which may be used for any data passed to the SP
>>> via a URL.  All you need to know is an end point that can take
>>> information via GET.

>> The exploit is a classic buffer overrun caused by the URL parsing code,
>> so it "merely" requires injecting binary data onto the malformed URL
>> and getting the OS to execute it. Definitely doesn't require
>> authentication, no.

> Okay, so this should probably get a DSA.

Oh, I should mention for the purposes of the security advisory: after
upgrading to the fixed library, the user should restart Apache and shibd
(I'm not sure if restarting shibd is strictly necessary, but it can't
hurt).  The library packages don't try to do this for a variety of
reasons, but the security fix is not effective until the Apache Shibboleth
module is reloaded.

I know this is typical for library security updates, but in this case
because we know what the user of the library is, we can give explicit
instructions on how to make the patch effective (namely just restarting
any Apache processes that load the Shibboleth module and the shibd
daemon).

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
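
Added example, not part of the original message: a check for processes that still map the pre-upgrade copy of the libraries and therefore still need the restart described above. It relies on Linux marking unlinked mapped files as "(deleted)" in /proc/PID/maps; the library name pattern and the sample paths and versions are assumptions.

```shell
#!/bin/sh
# Assumed shared-object names for xmltooling and opensaml2; adjust to the
# files your packages actually install.
LIB_PATTERN='/lib(xmltooling|saml)[^/]*\.so[^ ]* \(deleted\)$'

# stale_libs FILE: print each distinct stale library path found in a
# maps-format file (one line per mapping, path in field 6).
stale_libs() {
    grep -E "$LIB_PATTERN" "$1" 2>/dev/null | awk '{print $6}' | sort -u
}

# scan_proc: print "PID COMMAND LIBRARY" for every running process that
# still maps a replaced copy of the libraries. Run as root to see all PIDs.
scan_proc() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale_libs "$maps" | while read -r lib; do
            comm=$(cat "/proc/$pid/comm" 2>/dev/null)
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# sample_maps: constructed /proc/PID/maps excerpt for trying stale_libs
# offline. Addresses, inodes, paths and versions are made up.
sample_maps() {
    cat <<'EOF'
7f10a0000000-7f10a0120000 r-xp 00000000 08:01 1311 /usr/lib/libxmltooling.so.1.0.0 (deleted)
7f10a0320000-7f10a0330000 rw-p 00120000 08:01 1311 /usr/lib/libxmltooling.so.1.0.0 (deleted)
7f10a1000000-7f10a1200000 r-xp 00000000 08:01 1312 /usr/lib/libsaml.so.2.0.0 (deleted)
7f10a2000000-7f10a2050000 r-xp 00000000 08:01 1400 /usr/lib/libssl.so.0.9.8 (deleted)
7f10a3000000-7f10a3150000 r-xp 00000000 08:01 1500 /lib/libc-2.7.so
EOF
}

# Only scan the live system when asked to, e.g. "sh check-stale.sh --scan".
if [ "${1:-}" = "--scan" ]; then
    scan_proc
fi
```

Any line printed by the scan names a process that is still running the old library code; no output means every process that loads these libraries has been restarted since the upgrade.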
