squeeze update of shibboleth-sp2?

Ferenc Wagner wferi at niif.hu
Mon Apr 13 19:42:31 UTC 2015


Raphael Hertzog <hertzog at debian.org> writes:

> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of shibboleth-sp2:
> https://security-tracker.debian.org/tracker/CVE-2015-2684
>
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.

Hi Raphaël,

I will help you as far as I can, but I'm no DD, so most of the
administrative work will stay on your shoulders.  And I'm somewhat
uncertain whether a squeeze update would do much good without a
corresponding squeeze-backports fix.  What do you think?

Anyway, I pushed the backported fix to the squeeze branch of
http://anonscm.debian.org/cgit/pkg-shibboleth/shibboleth-sp2.git.  You
can find the corresponding source package at http://apt.niif.hu/lts/
(debdiff below).  Unfortunately, I couldn't test the package, but in
case I find a way, I'll inform you.
-- 
Regards,
Feri.


$ debdiff shibboleth-sp2_2.3.1+dfsg-5.dsc shibboleth-sp2_2.3.1+dfsg-5+deb6u1.dsc
diff -u shibboleth-sp2-2.3.1+dfsg/debian/changelog shibboleth-sp2-2.3.1+dfsg/debian/changelog
--- shibboleth-sp2-2.3.1+dfsg/debian/changelog
+++ shibboleth-sp2-2.3.1+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+shibboleth-sp2 (2.3.1+dfsg-5+deb6u1) squeeze-lts; urgency=high
+
+  * Backport security fix from V2.5.4 for CVE-2015-2684: authenticated
+    denial of service vulnerability that results in a crash on certain
+    kinds of malformed SAML messages.
+
+ -- Ferenc Wagner <wferi at niif.hu>  Mon, 13 Apr 2015 21:09:55 +0200
+
 shibboleth-sp2 (2.3.1+dfsg-5) unstable; urgency=high
 
   * Merge the forgotten pidfile fix from branch bug/unlink-pidfile after
only in patch2:
unchanged:
--- shibboleth-sp2-2.3.1+dfsg.orig/shibsp/handler/impl/SAML2Consumer.cpp
+++ shibboleth-sp2-2.3.1+dfsg/shibsp/handler/impl/SAML2Consumer.cpp
@@ -38,6 +38,7 @@
 # include <xmltooling/XMLToolingConfig.h>
 # include <xmltooling/io/HTTPRequest.h>
 # include <xmltooling/util/DateTime.h>
+# include <xmltooling/validation/ValidatorSuite.h>
 using namespace opensaml::saml2;
 using namespace opensaml::saml2p;
 using namespace opensaml::saml2md;
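Review bot: the new `# include <xmltooling/validation/ValidatorSuite.h>` is added to an indented include group, i.e. inside a conditional preprocessor block; confirm that the `SchemaValidators.validate(decrypted)` call added later in this file is compiled under the same condition, otherwise the lite build will see an undeclared `SchemaValidators`. ValidatorSuite.h is the header that declares that global suite, so placing the include here is otherwise correct.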
@@ -275,6 +276,9 @@
             continue;
 
         try {
+            // Run the schema validators against the assertion, since it was hidden by encryption.
+            SchemaValidators.validate(decrypted);
+
             // We clear the security flag, so we can tell whether the token was secured on its own.
             policy.setAuthenticated(false);
             policy.reset(true);
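Review bot: `SchemaValidators.validate(decrypted)` throws on a malformed assertion rather than returning a status, so the hardening only works if the enclosing `try` has a catch clause that handles the xmltooling exception and moves on to the next encrypted assertion; the hunk shows the `try {` but not the matching `catch`, so please check it catches a base class of the validation exception (a `catch (exception& ex)` as used elsewhere in this patch suffices) and logs the failure instead of letting it propagate. Validating before `policy.setAuthenticated(false)` is the right order, since nothing should be done with the decrypted token until its schema has been checked.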
only in patch2:
unchanged:
<VirtualHost *:80>
        ServerAdmin wferi at niif.hu

        DocumentRoot /var/www
        <Directory />
--- shibboleth-sp2-2.3.1+dfsg.orig/shibsp/impl/StorageServiceSessionCache.cpp
+++ shibboleth-sp2-2.3.1+dfsg/shibsp/impl/StorageServiceSessionCache.cpp
@@ -1040,7 +1040,7 @@
 
     // Store the reverse mapping for logout.
     try {
-        if (nameid)
+        if (name.get() && *name.get())
             insert(key.get(), expires, name.get(), index.get());
     }
     catch (exception& ex) {
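Review bot: replacing `if (nameid)` with `if (name.get() && *name.get())` changes the guard from "a NameID element exists" to "the converted name string is non-null and non-empty", which is what `insert()` actually needs, but the `nameid` condition is dropped rather than combined; confirm that `name` is only ever populated from `nameid` so the new check subsumes the old one, otherwise keep both (`if (nameid && name.get() && *name.get())`). A one-line comment stating that an empty or missing name must not be stored as a logout reverse mapping would make the intent clear to the next reader.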


