Fwd: shibboleth-sp security upload
Matthew Vernon
matthew at debian.org
Wed Mar 25 14:10:16 UTC 2015
Hi all (sorry for the large CC),
Apropos Ferenc's wheezy fix, I have built a binary package based on his
source package (and I saw the commits go past in the alioth repo), and
checked his changes against the previous version in wheezy (debdiff
attached FYI). I built this in my wheezy sbuild chroot.
On 25/03/15 10:25, Ferenc Wagner wrote:
> -------------------- Start of forwarded message --------------------
> Subject: Re: shibboleth-sp security upload
> From: Yves-Alexis Perez <corsac at debian.org>
> To: Ferenc Wagner <wferi at niif.hu>
> Cc: team at security.debian.org
> Date: Wed, 25 Mar 2015 08:12:26 +0100
>
> On mar., 2015-03-24 at 09:57 +0100, Ferenc Wagner wrote:
>
>> Yves-Alexis Perez <corsac at debian.org> writes:
>>> You can also build the wheezy fix (remember to build in a clean wheezy
>>> chroot with dpkg-buildpackage -sa since it was never uploaded to
>>> wheezy-security). Then upload to security-master.
Can you (security team) confirm that you're happy for me to upload a
sponsored build of Ferenc's package to security-master?
Thanks,
Matthew
-------------- next part --------------
diff -Nru shibboleth-sp2-2.4.3+dfsg/debian/changelog shibboleth-sp2-2.4.3+dfsg/debian/changelog
--- shibboleth-sp2-2.4.3+dfsg/debian/changelog 2012-02-16 19:26:25.000000000 +0000
+++ shibboleth-sp2-2.4.3+dfsg/debian/changelog 2015-03-24 07:15:29.000000000 +0000
@@ -1,3 +1,11 @@
+shibboleth-sp2 (2.4.3+dfsg-5+deb7u1) wheezy-security; urgency=high
+
+ * Backport security fix from V2.5.4 for CVE-2015-2684: authenticated
+ denial of service vulnerability that results in a crash on certain
+ kinds of malformed SAML messages.
+
+ -- Ferenc Wagner <wferi at niif.hu> Tue, 24 Mar 2015 08:14:42 +0100
+
shibboleth-sp2 (2.4.3+dfsg-5) unstable; urgency=low
* Fix syntax error in the update-rc.d invocation for shibd, which was
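Review bot: the entry targets `wheezy-security` with a `+deb7u1` version, which matches what Yves-Alexis asked for in the quoted mail (clean wheezy chroot, `dpkg-buildpackage -sa`), so the metadata is fine; what is missing is any pointer to the upstream change that was backported. "Backport security fix from V2.5.4 for CVE-2015-2684" does not identify the upstream commit, so a reviewer cannot check the backport against its origin without hunting through the 2.5.4 history. Consider naming the upstream commit or issue in the entry, since the rest of this debdiff is mostly patch reordering and the actual fix is easy to lose.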
diff -Nru shibboleth-sp2-2.4.3+dfsg/debian/patches/debian-changes shibboleth-sp2-2.4.3+dfsg/debian/patches/debian-changes
--- shibboleth-sp2-2.4.3+dfsg/debian/patches/debian-changes 2012-02-16 19:26:42.000000000 +0000
+++ shibboleth-sp2-2.4.3+dfsg/debian/patches/debian-changes 2015-03-24 07:17:55.000000000 +0000
@@ -8,28 +8,52 @@
For full commit history and separated commits, see the packaging Git
repository.
---- shibboleth-sp2-2.4.3+dfsg.orig/schemas/Makefile.am
-+++ shibboleth-sp2-2.4.3+dfsg/schemas/Makefile.am
-@@ -13,8 +13,7 @@ schemafiles = \
- shibboleth-2.0-afp.xsd \
- shibboleth-2.0-afp-mf-basic.xsd \
- shibboleth-2.0-afp-mf-saml.xsd \
-- shibboleth-2.0-attribute-map.xsd \
-- WS-Trust.xsd
-+ shibboleth-2.0-attribute-map.xsd
+--- shibboleth-sp2-2.4.3+dfsg.orig/configs/Makefile.am
++++ shibboleth-sp2-2.4.3+dfsg/configs/Makefile.am
+@@ -4,8 +4,8 @@ AUTOMAKE_OPTIONS = foreign
+
+ pkglibdir = ${libdir}/@PACKAGE@
+ pkglogdir = ${localstatedir}/log/@PACKAGE@
+-pkgdocdir = $(datadir)/doc/@PACKAGE at -@PACKAGE_VERSION@
+-shirelogdir = ${localstatedir}/log/httpd
++pkgdocdir = ${datadir}/doc/@PACKAGE@
++shirelogdir = ${localstatedir}/log/apache2
+ pkgxmldir = $(datadir)/xml/@PACKAGE@
+ pkgrundir = $(localstatedir)/run/@PACKAGE@
+ pkgsysconfdir = $(sysconfdir)/@PACKAGE@
+--- shibboleth-sp2-2.4.3+dfsg.orig/configs/keygen.sh
++++ shibboleth-sp2-2.4.3+dfsg/configs/keygen.sh
+@@ -1,5 +1,11 @@
+ #! /bin/sh
+
++# Defaults added for Debian. They can still be overridden by command-line
++# options.
++OUT=/etc/shibboleth
++USER=_shibd
++GROUP=_shibd
++
+ while getopts h:u:g:o:e:y:bf c
+ do
+ case $c in
+@@ -32,8 +38,9 @@ if [ -s $OUT/sp-key.pem -o -s $OUT/sp-c
+ exit 0
+ fi
+
++# --fqdn flag added for Debian to generate better names for certificates.
+ if [ -z "$FQDN" ] ; then
+- FQDN=`hostname`
++ FQDN=`hostname --fqdn`
+ fi
+
+ if [ -z "$YEARS" ] ; then
+--- shibboleth-sp2-2.4.3+dfsg.orig/configs/metagen.sh
++++ shibboleth-sp2-2.4.3+dfsg/configs/metagen.sh
+@@ -1,4 +1,4 @@
+-#! /bin/sh
++#! /bin/bash
+
+ DECLS=1
- pkgxml_DATA = \
- catalog.xml \
---- shibboleth-sp2-2.4.3+dfsg.orig/schemas/catalog.xml.in
-+++ shibboleth-sp2-2.4.3+dfsg/schemas/catalog.xml.in
-@@ -9,5 +9,7 @@
- <system systemId="urn:mace:shibboleth:2.0:afp:mf:saml" uri="@-PKGXMLDIR-@/shibboleth-2.0-afp-mf-saml.xsd"/>
- <system systemId="urn:mace:shibboleth:2.0:attribute-map" uri="@-PKGXMLDIR-@/shibboleth-2.0-attribute-map.xsd"/>
- <system systemId="urn:mace:shibboleth:1.0" uri="@-PKGXMLDIR-@/shibboleth.xsd"/>
-+ <!-- WS-Trust.xsd has been removed from the Debian package because of license problems
- <system systemId="http://schemas.xmlsoap.org/ws/2005/02/trust" uri="@-PKGXMLDIR-@/WS-Trust.xsd"/>
-+ -->
- </catalog>
--- shibboleth-sp2-2.4.3+dfsg.orig/configs/native.logger.in
+++ shibboleth-sp2-2.4.3+dfsg/configs/native.logger.in
@@ -26,17 +26,29 @@ log4j.category.XMLTooling.libcurl=INFO
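Review bot: this hunk is a reordering of the single debian-changes patch, not a functional change, and the two hunks after it are the other half of the same move. The schemas/Makefile.am and schemas/catalog.xml.in sections removed here (from `---- shibboleth-sp2-2.4.3+dfsg.orig/schemas/Makefile.am` on) reappear as added lines near the end of the debdiff, and the configs/Makefile.am, keygen.sh and metagen.sh sections added here are the same text that the later hunks remove. That is what regenerating the patch with dpkg-source produces, but it buries the security change; the reviewer should compare the moved sections line by line (they look identical here, including the `pkgdocdir`/`shirelogdir` changes and the keygen.sh defaults `OUT=/etc/shibboleth`, `USER=_shibd`, `GROUP=_shibd`) and then concentrate on the genuinely new SAML2Consumer.cpp and StorageServiceSessionCache.cpp sections in the last hunk. The odd-looking `@PACKAGE at -@PACKAGE_VERSION@` is the list archive's address obfuscation of `@PACKAGE@-@PACKAGE_VERSION@` (the same rewriting applied to the e-mail addresses above), not a typo in the patch.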
@@ -75,19 +99,6 @@
+log4j.appender.native_log.syslogName=shibboleth-sp
+log4j.appender.native_log.facility=3
+log4j.appender.native_log.layout=org.apache.log4j.BasicLayout
---- shibboleth-sp2-2.4.3+dfsg.orig/configs/Makefile.am
-+++ shibboleth-sp2-2.4.3+dfsg/configs/Makefile.am
-@@ -4,8 +4,8 @@ AUTOMAKE_OPTIONS = foreign
-
- pkglibdir = ${libdir}/@PACKAGE@
- pkglogdir = ${localstatedir}/log/@PACKAGE@
--pkgdocdir = $(datadir)/doc/@PACKAGE at -@PACKAGE_VERSION@
--shirelogdir = ${localstatedir}/log/httpd
-+pkgdocdir = ${datadir}/doc/@PACKAGE@
-+shirelogdir = ${localstatedir}/log/apache2
- pkgxmldir = $(datadir)/xml/@PACKAGE@
- pkgrundir = $(localstatedir)/run/@PACKAGE@
- pkgsysconfdir = $(sysconfdir)/@PACKAGE@
--- shibboleth-sp2-2.4.3+dfsg.orig/configs/shibd-debian.in
+++ shibboleth-sp2-2.4.3+dfsg/configs/shibd-debian.in
@@ -1,18 +1,20 @@
@@ -270,39 +281,6 @@
exit 1
;;
esac
---- shibboleth-sp2-2.4.3+dfsg.orig/configs/keygen.sh
-+++ shibboleth-sp2-2.4.3+dfsg/configs/keygen.sh
-@@ -1,5 +1,11 @@
- #! /bin/sh
-
-+# Defaults added for Debian. They can still be overridden by command-line
-+# options.
-+OUT=/etc/shibboleth
-+USER=_shibd
-+GROUP=_shibd
-+
- while getopts h:u:g:o:e:y:bf c
- do
- case $c in
-@@ -32,8 +38,9 @@ if [ -s $OUT/sp-key.pem -o -s $OUT/sp-c
- exit 0
- fi
-
-+# --fqdn flag added for Debian to generate better names for certificates.
- if [ -z "$FQDN" ] ; then
-- FQDN=`hostname`
-+ FQDN=`hostname --fqdn`
- fi
-
- if [ -z "$YEARS" ] ; then
---- shibboleth-sp2-2.4.3+dfsg.orig/configs/metagen.sh
-+++ shibboleth-sp2-2.4.3+dfsg/configs/metagen.sh
-@@ -1,4 +1,4 @@
--#! /bin/sh
-+#! /bin/bash
-
- DECLS=1
-
--- shibboleth-sp2-2.4.3+dfsg.orig/memcache-store/memcache-store.cpp
+++ shibboleth-sp2-2.4.3+dfsg/memcache-store/memcache-store.cpp
@@ -308,7 +308,7 @@ bool MemcacheBase::deleteMemcache(const
@@ -350,3 +328,56 @@
log.error(error);
throw IOException(error);
} else {
+--- shibboleth-sp2-2.4.3+dfsg.orig/schemas/Makefile.am
++++ shibboleth-sp2-2.4.3+dfsg/schemas/Makefile.am
+@@ -13,8 +13,7 @@ schemafiles = \
+ shibboleth-2.0-afp.xsd \
+ shibboleth-2.0-afp-mf-basic.xsd \
+ shibboleth-2.0-afp-mf-saml.xsd \
+- shibboleth-2.0-attribute-map.xsd \
+- WS-Trust.xsd
++ shibboleth-2.0-attribute-map.xsd
+
+ pkgxml_DATA = \
+ catalog.xml \
+--- shibboleth-sp2-2.4.3+dfsg.orig/schemas/catalog.xml.in
++++ shibboleth-sp2-2.4.3+dfsg/schemas/catalog.xml.in
+@@ -9,5 +9,7 @@
+ <system systemId="urn:mace:shibboleth:2.0:afp:mf:saml" uri="@-PKGXMLDIR-@/shibboleth-2.0-afp-mf-saml.xsd"/>
+ <system systemId="urn:mace:shibboleth:2.0:attribute-map" uri="@-PKGXMLDIR-@/shibboleth-2.0-attribute-map.xsd"/>
+ <system systemId="urn:mace:shibboleth:1.0" uri="@-PKGXMLDIR-@/shibboleth.xsd"/>
++ <!-- WS-Trust.xsd has been removed from the Debian package because of license problems
+ <system systemId="http://schemas.xmlsoap.org/ws/2005/02/trust" uri="@-PKGXMLDIR-@/WS-Trust.xsd"/>
++ -->
+ </catalog>
+--- shibboleth-sp2-2.4.3+dfsg.orig/shibsp/handler/impl/SAML2Consumer.cpp
++++ shibboleth-sp2-2.4.3+dfsg/shibsp/handler/impl/SAML2Consumer.cpp
+@@ -42,6 +42,7 @@
+ # include <xmltooling/XMLToolingConfig.h>
+ # include <xmltooling/io/HTTPRequest.h>
+ # include <xmltooling/util/DateTime.h>
++# include <xmltooling/validation/ValidatorSuite.h>
+ using namespace opensaml::saml2;
+ using namespace opensaml::saml2p;
+ using namespace opensaml::saml2md;
+@@ -294,6 +295,9 @@ void SAML2Consumer::implementProtocol(
+ continue;
+
+ try {
++ // Run the schema validators against the assertion, since it was hidden by encryption.
++ SchemaValidators.validate(decrypted);
++
+ // We clear the security flag, so we can tell whether the token was secured on its own.
+ policy.setAuthenticated(false);
+ policy.reset(true);
+--- shibboleth-sp2-2.4.3+dfsg.orig/shibsp/impl/StorageServiceSessionCache.cpp
++++ shibboleth-sp2-2.4.3+dfsg/shibsp/impl/StorageServiceSessionCache.cpp
+@@ -1038,7 +1038,7 @@ void SSCache::insert(
+
+ // Store the reverse mapping for logout.
+ try {
+- if (nameid)
++ if (name.get() && *name.get())
+ insert(key.get(), expires, name.get(), index.get());
+ }
+ catch (exception& ex) {
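Review bot: the substantive CVE-2015-2684 change is the last two sections of this hunk; the preceding schemas/Makefile.am and schemas/catalog.xml.in lines are the moved text from the first debian-changes hunk. In SAML2Consumer.cpp, `SchemaValidators.validate(decrypted);` is placed inside the existing `try {` so that a schema violation in a decrypted assertion takes the same per-assertion failure path as the other checks, which is the right spot, but the matching catch clause is outside the hunk: confirm it catches `xmltooling::ValidationException` or one of its bases, otherwise a malformed encrypted assertion would still abort the whole response rather than being skipped. The added `#include <xmltooling/validation/ValidatorSuite.h>` is what declares the `SchemaValidators` global, so that part is complete. In StorageServiceSessionCache.cpp, replacing `if (nameid)` with `if (name.get() && *name.get())` guards on the NameID's string value being non-null and non-empty instead of on the NameID object pointer, so a NameID element with no value no longer reaches the reverse-mapping `insert()` with an empty name; the context lines show this stays inside the `try {` / `catch (exception& ex)` block, so the storage error handling is unchanged. A line in the patch header or changelog saying that these two sections are the backport and the rest is reordering would spare the next reviewer this analysis.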