[shibboleth-sp2] 01/01: Incorporate security fix from V2.5.4 for CVE-2015-2684

Ferenc Wágner wferi-guest at moszumanska.debian.org
Tue Mar 24 15:10:06 UTC 2015


This is an automated email from the git hooks/post-receive script.

wferi-guest pushed a commit to branch wheezy-backports
in repository shibboleth-sp2.

commit 6c00a9954e7ca0c91afea59f1401a6557ba67835
Author: Ferenc Wágner <wferi at niif.hu>
Date:   Tue Mar 17 15:13:32 2015 +0100

    Incorporate security fix from V2.5.4 for CVE-2015-2684
---
 debian/changelog                                   | 10 +++-
 ...ecurity-fix-from-V2.5.4-for-CVE-2015-2684.patch | 56 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 65 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index d1617e0..aaf018f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,16 @@
-shibboleth-sp2 (2.5.3+dfsg-1~bpo70+3) UNRELEASED; urgency=medium
+shibboleth-sp2 (2.5.3+dfsg-2) wheezy-backports; urgency=high
 
+  [ Ferenc Wagner ]
+  * Incorporate security fix from V2.5.4 for CVE-2015-2684: authenticated
+    denial of service vulnerability that results in a crash on certain
+    kinds of malformed SAML messages.
+
+  [ Russ Allbery ]
   * Move enabling of the Apache module from the postinst script of
     shibboleth-sp2-utils to libapache2-mod-shib2, which is only used with
     Apache, and add a dependency on apache2.2-common.
 
- -- Russ Allbery <rra at debian.org>  Thu, 27 Nov 2014 18:34:30 -0800
+ -- Ferenc Wagner <wferi at niif.hu>  Tue, 24 Mar 2015 13:54:16 +0100
 
 shibboleth-sp2 (2.5.3+dfsg-1~bpo70+2) wheezy-backports; urgency=medium
 
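Review bot: the new top entry is versioned `2.5.3+dfsg-2` but still targets `wheezy-backports`, while the entry it replaces (`2.5.3+dfsg-1~bpo70+3`) and the one below it (`2.5.3+dfsg-1~bpo70+2`) both carry the `~bpo70+N` suffix. If this branch is uploaded as it stands, keep a `~bpo70+N` version, or note in the entry why the suffix is dropped. The entry would also benefit from the advisory URL that the patch header already cites, so that the urgency=high upload can be traced from the changelog alone.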
diff --git a/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch b/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch
new file mode 100644
index 0000000..a8e9f42
--- /dev/null
+++ b/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch
@@ -0,0 +1,56 @@
+From: =?utf-8?q?Ferenc_W=C3=A1gner?= <wferi at niif.hu>
+Date: Tue, 17 Mar 2015 15:09:39 +0100
+Subject: Security fix from V2.5.4 for CVE-2015-2684
+
+Shibboleth SP software crashes on malformed input messages
+===============================================================
+The SP software includes an authenticated denial of service
+vulnerability that results in a crash on certain kinds of malformed
+SAML messages. The vulnerability is only triggered when special
+conditions are met and after a message or assertion signature
+has been verified, so exploitation requires a message produced
+under a trusted key, limiting the impact.
+
+URL for the full Security Advisory:
+https://shibboleth.net/community/advisories/secadv_20150319.txt
+---
+ shibsp/handler/impl/SAML2Consumer.cpp      |    4 ++++
+ shibsp/impl/StorageServiceSessionCache.cpp |    3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/shibsp/handler/impl/SAML2Consumer.cpp b/shibsp/handler/impl/SAML2Consumer.cpp
+index ec62384..be2397c 100644
+--- a/shibsp/handler/impl/SAML2Consumer.cpp
++++ b/shibsp/handler/impl/SAML2Consumer.cpp
+@@ -44,6 +44,7 @@
+ # include <xmltooling/XMLToolingConfig.h>
+ # include <xmltooling/io/HTTPRequest.h>
+ # include <xmltooling/util/DateTime.h>
++# include <xmltooling/validation/ValidatorSuite.h>
+ using namespace opensaml::saml2;
+ using namespace opensaml::saml2p;
+ using namespace opensaml::saml2md;
+@@ -312,6 +313,9 @@ void SAML2Consumer::implementProtocol(
+             if (!decrypted->getSignature() && requireSignedAssertions.first && requireSignedAssertions.second)
+                 throw SecurityPolicyException("The incoming assertion was unsigned, violating local security policy.");
+ 
++            // Run the schema validators against the assertion, since it was hidden by encryption.
++            SchemaValidators.validate(decrypted.get());
++
+             // We clear the security flag, so we can tell whether the token was secured on its own.
+             policy.setAuthenticated(false);
+             policy.reset(true);
+diff --git a/shibsp/impl/StorageServiceSessionCache.cpp b/shibsp/impl/StorageServiceSessionCache.cpp
+index 9e5d48d..b816624 100644
+--- a/shibsp/impl/StorageServiceSessionCache.cpp
++++ b/shibsp/impl/StorageServiceSessionCache.cpp
+@@ -1233,7 +1233,8 @@ void SSCache::insert(
+         throw FatalProfileException("Attempted to create a session with a duplicate key.");
+ 
+     // Store the reverse mapping for logout.
+-    if (nameid && m_reverseIndex && (m_excludedNames.size() == 0 || m_excludedNames.count(nameid->getName()) == 0)) {
++    if (name.get() && *name.get() && m_reverseIndex
++            && (m_excludedNames.size() == 0 || m_excludedNames.count(nameid->getName()) == 0)) {
+         try {
+             insert(key.get(), expires, name.get(), index.get());
+         }
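Review bot: in the `SSCache::insert` change, the rewritten condition drops the `nameid` null test but still dereferences it on the continuation line, in `m_excludedNames.count(nameid->getName())`. The new guard `name.get() && *name.get()` only proves that `name` is a non-empty string. The lines shown here do not establish that a non-empty `name` implies a non-null `nameid`, so either keep `nameid &&` in the condition or say in the comment above it where that invariant is guaranteed. In `SAML2Consumer::implementProtocol`, `SchemaValidators.validate(decrypted.get())` is added after the unsigned-assertion check with no handling around it. The patch description should say which exception a validation failure raises and that it is expected to propagate like the `SecurityPolicyException` just above.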
diff --git a/debian/patches/series b/debian/patches/series
index 164c6a3..34f4537 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
 0004-Shire-log-path-for-Debian.patch
 0005-Default-native-logger-to-syslog.patch
 0006-Remove-WSTrust-schema-references.patch
+0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git


