[SCM] Debian packaging for OpenSAML 2.0 branch, lenny, updated. debian/2.0-2+lenny2-1-gcb36d78

Russ Allbery rra at debian.org
Mon Jul 25 17:14:46 UTC 2011


The following commit has been merged in the lenny branch:
commit cb36d7846c3bbca3737584f5d089dffb9a124dda
Author: Russ Allbery <rra at debian.org>
Date:   Fri Jul 22 19:08:06 2011 -0700

    Add upstream patch for "wrapping attack" vulnerability
    
    * Fix vulnerability to a "wrapping attack" that could allow a remote,
      unauthenticated attacker to craft messages that can be successfully
      verified but contain arbitrary content.  This may allow an attacker to
      subvert the security of software using OpenSAML and supply an
      unauthenticated login identity and data under the guise of a trusted
      issuer.  (CVE-2011-1411)

diff --git a/debian/changelog b/debian/changelog
index be26efc..ef90363 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+opensaml2 (2.0-2+lenny3) oldstable-security; urgency=high
+
+  * SECURITY: Fix vulnerability to a "wrapping attack" that could allow a
+    remote, unauthenticated attacker to craft messages that can be
+    successfully verified but contain arbitrary content.  This may allow
+    an attacker to subvert the security of software using OpenSAML and
+    supply an unauthenticated login identity and data under the guise of a
+    trusted issuer.  (CVE-2011-1411)
+
+ -- Russ Allbery <rra at debian.org>  Fri, 22 Jul 2011 19:43:05 -0700
+
 opensaml2 (2.0-2+lenny2) stable-security; urgency=high
 
   * SECURITY: Partial fix for improper handling of URLs that could be
diff --git a/saml/signature/ContentReference.cpp b/saml/signature/ContentReference.cpp
index 80f248a..eba42e6 100644
--- a/saml/signature/ContentReference.cpp
+++ b/saml/signature/ContentReference.cpp
@@ -36,6 +36,7 @@ using namespace std;
 void ContentReference::createReferences(DSIGSignature* sig)
 {
     DSIGReference* ref=NULL;
+    sig->setIdByAttributeName(false);
     const XMLCh* id=m_signableObject.getXMLID();
     if (!id || !*id)
         ref=sig->createReference(&chNull);  // whole doc reference
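Review bot: The added `sig->setIdByAttributeName(false);` carries no comment, and it is the kind of one-liner that a later cleanup could drop without realising it is part of the CVE-2011-1411 fix. As far as I read the xml-security-c API, this flag makes the library resolve `#id` reference URIs only through DOM-level ID attributes instead of treating any attribute named ID/Id/id as an identifier, which is what the wrapping attack abused; please confirm against the library documentation. I would put `// Resolve reference URIs only via DOM-typed ID attributes, never by attribute name (CVE-2011-1411); must match SignatureProfileValidator` directly above the call. The same unexplained call is added in the SignatureProfileValidator.cpp hunk and deserves the same comment. createReferences continues past the end of this hunk.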
diff --git a/saml/signature/SignatureProfileValidator.cpp b/saml/signature/SignatureProfileValidator.cpp
index a3159a6..6e979e2 100644
--- a/saml/signature/SignatureProfileValidator.cpp
+++ b/saml/signature/SignatureProfileValidator.cpp
@@ -24,6 +24,7 @@
 #include "exceptions.h"
 #include "signature/SignatureProfileValidator.h"
 
+#include <xmltooling/logging.h>
 #include <xmltooling/signature/Signature.h>
 
 #include <xercesc/util/XMLUniDefs.hpp>
@@ -33,6 +34,7 @@
 
 using namespace opensaml;
 using namespace xmlsignature;
+using namespace xmltooling::logging;
 using namespace xmltooling;
 using namespace std;
 
@@ -53,7 +55,14 @@ void SignatureProfileValidator::validateSignature(const Signature& sigObj) const
     const SignableObject* signableObj=dynamic_cast<const SignableObject*>(sigObj.getParent());
     if (!signableObj)
         throw ValidationException("Signature is not a child of a signable SAML object.");
-    
+
+    if (sig->getObjectLength() != 0) {
+        Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an embedded <Object> element");
+        throw ValidationException("Invalid signature profile for SAML object.");
+    }
+
+    sig->setIdByAttributeName(false);
+
     bool valid=false;
     DSIGReferenceList* refs=sig->getReferenceList();
     if (refs && refs->getSize()==1) {
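Review bot: `Category::getInstance(SAML_LOGCAT".SignatureProfileValidator")` is spelled out at every new error site (here and four more times in the following hunk), so the category name is repeated five times and any typo would split the log stream. Resolve it once at the top of validateSignature, e.g. `Category& log = Category::getInstance(SAML_LOGCAT".SignatureProfileValidator");` right after the signableObj check, and call `log.error("...")` at each site; the lookups are also hoisted off the verification path. The rejection of any embedded `<Object>` is a good hard stop, but a one-line comment saying that the SAML signature profile forbids ds:Object would explain it to the next reader. The function's opening lines, including where `sig` is obtained, are outside this hunk.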
@@ -70,13 +79,33 @@ void SignatureProfileValidator::validateSignature(const Signature& sigObj) const
                         else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N &&
                                  tlist->item(i)->getTransformType()!=TRANSFORM_C14N) {
                             valid=false;
+                            Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an invalid transform");
                             break;
                         }
                     }
                 }
+
+                if (valid && URI && *URI) {
+                    valid = false;
+                    if (sigObj.getDOM() && signableObj->getDOM()) {
+                        DOMElement* signedNode = sigObj.getDOM()->getOwnerDocument()->getElementById(ID);
+                        if (signedNode && signedNode->isSameNode(signableObj->getDOM())) {
+                            valid = true;
+                        }
+                        else {
+                            Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object node");
+                        }
+                    }
+                }
+            }
+            else {
+                Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object ID");
             }
         }
     }
+    else {
+        Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained multiple or zero references");
+    }
     
     if (!valid)
         throw ValidationException("Invalid signature profile for SAML object.");
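Review bot: In the new `if (valid && URI && *URI)` block, the case where `sigObj.getDOM()` or `signableObj->getDOM()` is null sets `valid = false` without logging anything, so the caller only sees the generic "Invalid signature profile" exception and an operator cannot tell this failure apart from a real reference mismatch. Every other rejection path added by this commit logs a reason; add an else on the DOM check, e.g. `else { Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature or signed object has no DOM; cannot verify reference target"); }`. The `isSameNode` comparison against the element found by `getElementById(ID)` is the core of the fix and is only as strong as the document's ID index, which the `setIdByAttributeName(false)` call in the earlier hunk presumably restricts to DOM-typed IDs; a short comment stating that dependency would help. `ID` and `URI` are defined before this hunk and the function's closing brace is after it.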
