[shibboleth-sp2] 02/03: New patch Security-fix-from-V2.6.1-SSPCPP-763.patch

Ferenc Wágner wferi at moszumanska.debian.org
Wed Nov 15 22:53:15 UTC 2017


This is an automated email from the git hooks/post-receive script.

wferi pushed a commit to branch debian/stretch
in repository shibboleth-sp2.

commit bf25c5f543b54f60d5e88d9ed972efa7740ad470
Author: Ferenc Wágner <wferi at debian.org>
Date:   Tue Nov 14 22:50:34 2017 +0100

    New patch Security-fix-from-V2.6.1-SSPCPP-763.patch
    
    Security fix from V2.6.1 (SSPCPP-763)
    Thanks: Scott Cantor
---
 .../Security-fix-from-V2.6.1-SSPCPP-763.patch      | 46 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 47 insertions(+)

diff --git a/debian/patches/from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch b/debian/patches/from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch
new file mode 100644
index 0000000..2658dc9
--- /dev/null
+++ b/debian/patches/from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch
@@ -0,0 +1,46 @@
+From: Scott Cantor <cantor.2 at osu.edu>
+Date: Mon, 13 Nov 2017 13:56:53 -0500
+Subject: Security fix from V2.6.1 (SSPCPP-763)
+
+(cherry picked from commit b66cceb0e992c351ad5e2c665229ede82f261b16)
+
+Dynamic MetadataProvider fails to install security filters
+============================================================
+The Shibboleth Service Provider software includes a MetadataProvider
+plugin with the plugin type "Dynamic" to obtain metadata on demand
+from a query server, in place of the more typical mode of downloading
+aggregates separately containing all of the metadata to load.
+
+All the plugin types rely on MetadataFilter plugins to perform critical
+security checks such as signature verification, enforcement of validity
+periods, and other checks specific to deployments.
+
+Due to a coding error, the "Dynamic" plugin fails to configure itself
+with the filters provided to it and thus omits whatever checks they are
+intended to perform, which will typically leave deployments vulnerable
+to active attacks involving the substitution of metadata if the network
+path to the query service is compromised.
+
+Credits
+=========
+Rod Widdowson, Steading System Software LLP
+
+URL for the full Security Advisory:
+http://shibboleth.internet2.edu/secadv/secadv_20171115.txt
+---
+ shibsp/metadata/DynamicMetadataProvider.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shibsp/metadata/DynamicMetadataProvider.cpp b/shibsp/metadata/DynamicMetadataProvider.cpp
+index 8853acb..d416a00 100644
+--- a/shibsp/metadata/DynamicMetadataProvider.cpp
++++ b/shibsp/metadata/DynamicMetadataProvider.cpp
+@@ -95,7 +95,7 @@ namespace shibsp {
+ };
+ 
+ DynamicMetadataProvider::DynamicMetadataProvider(const DOMElement* e)
+-    : saml2md::DynamicMetadataProvider(e),
++    : saml2md::DynamicMetadataProvider(e), MetadataProvider(e),
+         m_verifyHost(XMLHelper::getAttrBool(e, true, verifyHost)),
+         m_ignoreTransport(XMLHelper::getAttrBool(e, false, ignoreTransport)),
+         m_encoded(true), m_trust(nullptr)
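Review bot: the one-line initializer change is the right fix for the defect described in the patch header, but it deserves an explanatory comment in DynamicMetadataProvider.cpp, because the bug is easy to reintroduce. Naming MetadataProvider in this mem-initializer list only compiles if it is a direct or virtual base of shibsp::DynamicMetadataProvider, and the only direct base shown is saml2md::DynamicMetadataProvider, so it is a virtual base; C++ constructs virtual bases from the most-derived class, which means that before this change the MetadataProvider base was built with its default arguments and never saw `e`, the configuration element carrying the MetadataFilter children, and no filters were installed. A short comment next to `MetadataProvider(e)` stating that the virtual base must be initialized here for filters to be attached would make the intent clear to the next reader. It would also be worth adding a check on the packaging side (a config with a Dynamic provider plus a signature MetadataFilter, confirming that unsigned or expired metadata is now rejected), since the fix only restores the plumbing: deployments still have to configure the filters they rely on.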
diff --git a/debian/patches/series b/debian/patches/series
index 9008fc6..2369886 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ Use-pkg-config-for-GSSAPI.patch
 The-plugins-use-GSSAPI-only-if-the-naming-extensions.patch
 Enable-the-dot-feature-of-Doxygen.patch
 Increase-the-timeouts-in-the-shibd-service-file.patch
+from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch
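Review bot: the series entry matches the new file path under debian/patches/from-upstream/, and appending it last is appropriate for an independent upstream fix that touches only shibsp/metadata/DynamicMetadataProvider.cpp. Please confirm that none of the preceding packaging patches modify that constructor, so the cherry-pick applies cleanly without fuzz, and consider recording the upstream origin (the commit b66cceb0e992c351ad5e2c665229ede82f261b16 named in the patch header) and the SSPCPP-763 reference in DEP-3 headers so the security provenance of this patch is traceable from the patch file itself.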

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git