[xmltooling] 03/05: New patch CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch

Ferenc Wágner wferi at moszumanska.debian.org
Sat Jan 13 00:20:14 UTC 2018


This is an automated email from the git hooks/post-receive script.

wferi pushed a commit to branch debian/jessie
in repository xmltooling.

commit 91e7acb33e857d74b522bc854c4272633abd0a86
Author: Ferenc Wágner <wferi at debian.org>
Date:   Fri Jan 12 11:51:56 2018 +0100

    New patch CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch
    
    CVE-2018-0486: vulnerability to forged user attribute data
    
    The Service Provider software relies on a generic XML parser to process
    SAML responses and there are limitations in older versions of the parser
    that make it impossible to fully disable Document Type Definition (DTD)
    processing.
    
    Through addition/manipulation of a DTD, it's possible to make changes
    to an XML document that do not break a digital signature but are
    mishandled by the SP and its libraries. These manipulations can alter
    the user data passed through to applications behind the SP and result
    in impersonation attacks and exposure of protected information.
    
    While the use of XML Encryption can serve as a mitigation for this bug,
    it may still be possible to construct attacks in such cases, and the SP
    does not provide a means to enforce its use.
    
    CPPXT-127 - Block entity reference nodes during unmarshalling.
    https://issues.shibboleth.net/jira/browse/CPPXT-127
    
    Thanks: Scott Cantor
---
 ...lnerability-to-forged-user-attribute-data.patch | 38 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 39 insertions(+)

diff --git a/debian/patches/CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch b/debian/patches/CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch
new file mode 100644
index 0000000..30d40a9
--- /dev/null
+++ b/debian/patches/CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch
@@ -0,0 +1,38 @@
+From: Scott Cantor <cantor.2 at osu.edu>
+Date: Wed, 10 Jan 2018 12:20:07 -0500
+Subject: CVE-2018-0486: vulnerability to forged user attribute data
+
+The Service Provider software relies on a generic XML parser to process
+SAML responses and there are limitations in older versions of the parser
+that make it impossible to fully disable Document Type Definition (DTD)
+processing.
+
+Through addition/manipulation of a DTD, it's possible to make changes
+to an XML document that do not break a digital signature but are
+mishandled by the SP and its libraries. These manipulations can alter
+the user data passed through to applications behind the SP and result
+in impersonation attacks and exposure of protected information.
+
+While the use of XML Encryption can serve as a mitigation for this bug,
+it may still be possible to construct attacks in such cases, and the SP
+does not provide a means to enforce its use.
+
+CPPXT-127 - Block entity reference nodes during unmarshalling.
+https://issues.shibboleth.net/jira/browse/CPPXT-127
+---
+ xmltooling/io/AbstractXMLObjectUnmarshaller.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
+index ae2709e..487348e 100644
+--- a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
++++ b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
+@@ -206,6 +206,8 @@ void AbstractXMLObjectUnmarshaller::unmarshallContent(const DOMElement* domEleme
+         else if (childNode->getNodeType() == DOMNode::TEXT_NODE || childNode->getNodeType() == DOMNode::CDATA_SECTION_NODE) {
+             m_log.debug("processing text content at position (%d)", position);
+             setTextContent(childNode->getNodeValue(), position);
++        } else if (childNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE || childNode->getNodeType() == DOMNode::ENTITY_NODE) {
++            throw UnmarshallingException("Unmarshaller found Entity/Reference node.");
+         }
+         
+         childNode = childNode->getNextSibling();
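Review bot: the new `else if` branch on `ENTITY_REFERENCE_NODE || ENTITY_NODE` throws without logging anything, while the neighbouring text branch logs at debug (`m_log.debug("processing text content at position (%d)", position);`); a rejected response is exactly the event an operator will need to find in the SP log, so record the node type and position (at warn level) before the `throw UnmarshallingException(...)`. Second, this check only fires when the parser has left entity reference nodes in the DOM: if the parser expands entities itself, the substituted text arrives as a `TEXT_NODE` and takes the existing `setTextContent` branch untouched, so the patch header should state which parser configuration the fix relies on and why it is a complement to, not a replacement for, disabling DTD processing where the parser allows it. Finally, for a Debian patch the header would benefit from DEP-3 `Origin:` and `Bug:` fields for the upstream change and CPPXT-127 rather than the bare issue URL alone.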
diff --git a/debian/patches/series b/debian/patches/series
index 5c4aea5..e61a6be 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2015-0851-crash-on-well-formed-but-invalid-XML.patch
+CVE-2018-0486-vulnerability-to-forged-user-attribute-data.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/xmltooling.git
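The commit message above describes the root cause: a DTD can supply content that the signed XML never contained literally, and a stock parser substitutes it before the unmarshaller sees the data. A complementary defence at the parser layer, distinct from the unmarshaller change in the patch, is to refuse any SAML message that carries a DOCTYPE at all, since SAML never needs one. The following is an added illustration written for this page; it is not xmltooling code and not the patch author's, and it uses Python's stdlib expat bindings in place of the Xerces parser the Shibboleth SP uses. The element names mimic a SAML attribute statement and both inputs are constructed for the example.

```python
"""Gate SAML-style XML on the absence of a DOCTYPE before it reaches any unmarshaller.

Added illustration only; this is not xmltooling code and not the CVE-2018-0486
patch. It uses Python's stdlib expat bindings in place of the C++ Xerces parser
the Shibboleth SP uses. Both inputs below are constructed for the example.
"""
import xml.parsers.expat


class DTDRejected(Exception):
    """Raised when a document declares a DOCTYPE (internal or external)."""


def extract_attributes(xml_bytes: bytes, allow_dtd: bool = False) -> dict:
    """Return {Attribute Name: text} from a SAML-like document.

    With allow_dtd=False (the hardened default) the parse is aborted as soon as
    a DOCTYPE declaration is seen, before any entity can be declared or
    expanded. With allow_dtd=True the parser behaves like a stock XML parser
    and substitutes entity replacement text into the data it reports.
    """
    values = {}
    current = {"name": None, "buf": []}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # SAML messages never need a DTD, so any DOCTYPE is treated as hostile.
        if not allow_dtd:
            raise DTDRejected(
                f"DOCTYPE {name!r} refused (internal subset: {bool(has_internal_subset)})"
            )

    def start_element(tag, attrs):
        if tag == "saml:Attribute":
            current["name"] = attrs.get("Name")
            current["buf"] = []

    def char_data(data):
        # Text reported here already has entity references substituted by expat.
        if current["name"] is not None:
            current["buf"].append(data)

    def end_element(tag):
        if tag == "saml:Attribute" and current["name"] is not None:
            values[current["name"]] = "".join(current["buf"])
            current["name"] = None

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_bytes, True)  # DTDRejected propagates out of the handler
    return values


def is_dtd_free(xml_bytes: bytes) -> bool:
    """True if the document passes the DOCTYPE gate, False if it was refused."""
    try:
        extract_attributes(xml_bytes)
    except DTDRejected:
        return False
    return True


# Constructed sample: an ordinary attribute statement with no DTD.
CLEAN = b"""<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the same statement, but the value is supplied by an
# internal-subset entity rather than by literal text in the element.
WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE saml:Assertion [ <!ENTITY who "alice"> ]>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="uid"><saml:AttributeValue>&who;</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(extract_attributes(CLEAN))                     # {'uid': 'alice', 'mail': 'alice@example.org'}
    print(is_dtd_free(WITH_DTD))                         # False
    print(extract_attributes(WITH_DTD, allow_dtd=True))  # {'uid': 'alice'}: entity silently expanded
```

The `allow_dtd=True` path exists only to show what a permissive parser hands to the layer above it: the attribute value the application receives is the entity's replacement text, not anything that appears literally in the element. Rejecting at the DOCTYPE keeps the decision in one place and does not depend on which node types the parser happens to leave in its DOM.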


