[shibboleth-sp2] 01/01: Security fix from V2.5.4 for CVE-2015-2684 backported to V2.3.1
Ferenc Wágner
wferi-guest at moszumanska.debian.org
Mon Apr 13 19:30:08 UTC 2015
This is an automated email from the git hooks/post-receive script.
wferi-guest pushed a commit to branch squeeze
in repository shibboleth-sp2.
commit 9c09d750ff1ca37fe480582feca16cdc07a9c75a
Author: Ferenc Wágner <wferi at niif.hu>
Date: Tue Mar 17 15:09:39 2015 +0100
Security fix from V2.5.4 for CVE-2015-2684 backported to V2.3.1
Shibboleth SP software crashes on malformed input messages
===============================================================
The SP software includes an authenticated denial of service
vulnerability that results in a crash on certain kinds of malformed
SAML messages. The vulnerability is only triggered when special
conditions are met and after a message or assertion signature
has been verified, so exploitation requires a message produced
under a trusted key, limiting the impact.
URL for the full Security Advisory:
http://shibboleth.net/community/advisories/secadv_20150319.txt
---
debian/changelog | 8 ++++++++
shibsp/handler/impl/SAML2Consumer.cpp | 4 ++++
shibsp/impl/StorageServiceSessionCache.cpp | 2 +-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 39b695d..74dec45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+shibboleth-sp2 (2.3.1+dfsg-5+deb6u1) squeeze-lts; urgency=high
+
+ * Backport security fix from V2.5.4 for CVE-2015-2684: authenticated
+ denial of service vulnerability that results in a crash on certain
+ kinds of malformed SAML messages.
+
+ -- Ferenc Wagner <wferi at niif.hu> Mon, 13 Apr 2015 21:09:55 +0200
+
shibboleth-sp2 (2.3.1+dfsg-5) unstable; urgency=high
* Merge the forgotten pidfile fix from branch bug/unlink-pidfile after
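Review bot: The new changelog entry names CVE-2015-2684 but does not point to the upstream advisory or say which sources were changed. Adding the advisory reference (secadv_20150319.txt, already cited in the commit message) and a short mention of SAML2Consumer.cpp and StorageServiceSessionCache.cpp would let someone auditing squeeze-lts match the entry to the fix without opening the commit.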
diff --git a/shibsp/handler/impl/SAML2Consumer.cpp b/shibsp/handler/impl/SAML2Consumer.cpp
index 1c7af13..a1792dc 100644
--- a/shibsp/handler/impl/SAML2Consumer.cpp
+++ b/shibsp/handler/impl/SAML2Consumer.cpp
@@ -38,6 +38,7 @@
# include <xmltooling/XMLToolingConfig.h>
# include <xmltooling/io/HTTPRequest.h>
# include <xmltooling/util/DateTime.h>
+# include <xmltooling/validation/ValidatorSuite.h>
using namespace opensaml::saml2;
using namespace opensaml::saml2p;
using namespace opensaml::saml2md;
@@ -275,6 +276,9 @@ void SAML2Consumer::implementProtocol(
continue;
try {
+ // Run the schema validators against the assertion, since it was hidden by encryption.
+ SchemaValidators.validate(decrypted);
+
// We clear the security flag, so we can tell whether the token was secured on its own.
policy.setAuthenticated(false);
policy.reset(true);
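Review bot: The added SchemaValidators.validate(decrypted) call at the top of the try block relies on catch handlers that are outside the visible context to turn a validation failure into a rejected assertion. Please confirm that the exception type thrown by validate() is covered there, and that the handler skips this assertion instead of letting processing continue with the unvalidated object. The comment could also say more precisely that validation of the enclosing message could not reach the content of the encrypted assertion, which is why it has to be repeated after decryption.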
diff --git a/shibsp/impl/StorageServiceSessionCache.cpp b/shibsp/impl/StorageServiceSessionCache.cpp
index 16cf5e5..a22f2e3 100644
--- a/shibsp/impl/StorageServiceSessionCache.cpp
+++ b/shibsp/impl/StorageServiceSessionCache.cpp
@@ -1040,7 +1040,7 @@ void SSCache::insert(
// Store the reverse mapping for logout.
try {
- if (nameid)
+ if (name.get() && *name.get())
insert(key.get(), expires, name.get(), index.get());
}
catch (exception& ex) {
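Review bot: The condition on the reverse-mapping insert changes from testing the nameid object to testing the string held in name (non-null and non-empty), but the hunk carries no comment explaining the switch. A one-line comment above the if, saying that the logout mapping is skipped when the name has no usable string value, would keep a later cleanup from reverting it to `if (nameid)`. It is also worth checking that any other use of name.get() in SSCache::insert outside this hunk applies the same guard, and holding name.get() in a local const pointer would avoid the repeated calls.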
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git