Bug#684045: pre-approval simplesamlphp/1.9.1-1

Thijs Kinkhorst Mon, 06 Aug 2012 06:24:32 -0700

Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock


Hi,

I would like to upload simplesamlphp/1.9.1-1: an upstream security release
that only fixes a security issue and adds some minor documentation fixes.
The debdiff is attached.

The security issue is described here:
http://www.nds.rub.de/research/publications/breaking-xml-encryption-pkcs15/

Please let me know if I can upload this to unstable so it will end up in
wheezy.


thanks,
Thijs

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (500, 'stable'), (400, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -Nru simplesamlphp-1.9.0/debian/changelog simplesamlphp-1.9.1/debian/changelog
--- simplesamlphp-1.9.0/debian/changelog	2012-06-13 12:38:24.000000000 +0200
+++ simplesamlphp-1.9.1/debian/changelog	2012-08-06 14:58:01.000000000 +0200
@@ -1,3 +1,10 @@
+simplesamlphp (1.9.1-1) unstable; urgency=medium
+
+  * New upstream security release:
+    Fix for an attack against PKCS 1.5 in XML encryption.
+
+ -- Thijs Kinkhorst <[email protected]>  Mon, 06 Aug 2012 12:57:02 +0000
+
 simplesamlphp (1.9.0-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru simplesamlphp-1.9.0/docs/simplesamlphp-changelog.txt simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt
--- simplesamlphp-1.9.0/docs/simplesamlphp-changelog.txt	2012-06-13 08:30:49.000000000 +0200
+++ simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt	2012-08-02 08:25:33.000000000 +0200
@@ -6,6 +6,12 @@
 This document lists the changes between versions of simpleSAMLphp.
 See the upgrade notes for specific information about upgrading.
 
+## Version 1.9.1
+
+Released 2012-08-02.
+
+  * Fix for a new attack against PKCS 1.5 in XML encryption.
+
 ## Version 1.9
 
 Released 2012-06-13.
@@ -170,6 +176,7 @@
   * Allow ISO8601 durations with subsecond precision.
   * Add support for parsing and serializing the &lt;mdrpi:PublicationInfo> metadata extension.
   * Ignore cacheDuration when validating metadata.
+  * Add support for the Holder-of-Key profile, on both the [SP](./simplesamlphp-hok-sp) and [IdP](./simplesamlphp-hok-idp).
   * Better error handling when receiving a SAML 2.0 artifact from an unknown entity.
   * Fix parsing of &lt;md:AssertionIDRequestService> metadata elements.
   * IdP: Do not always trigger reauthentication when the authentication request contains a IdPList-element.
diff -Nru simplesamlphp-1.9.0/docs/simplesamlphp-reference-idp-hosted.txt simplesamlphp-1.9.1/docs/simplesamlphp-reference-idp-hosted.txt
--- simplesamlphp-1.9.0/docs/simplesamlphp-reference-idp-hosted.txt	2012-04-12 14:40:08.000000000 +0200
+++ simplesamlphp-1.9.1/docs/simplesamlphp-reference-idp-hosted.txt	2012-06-18 14:01:46.000000000 +0200
@@ -293,6 +293,16 @@
     metadata overrides the one configured in the IdP metadata.
 
 
+Metadata extensions
+-------------------
+
+SimpleSAMLphp supports generating metadata with the MDUI and EntityAttributes metadata extensions.
+See the documentation for those extensions for more details:
+
+  * [MDUI extension](./simplesamlphp-metadata-extensions-ui)
+  * [EntityAttributes](./simplesamlphp-metadata-extensions-attributes)
+
+
 Examples
 --------
 
diff -Nru simplesamlphp-1.9.0/docs/simplesamlphp-ukaccess.txt simplesamlphp-1.9.1/docs/simplesamlphp-ukaccess.txt
--- simplesamlphp-1.9.0/docs/simplesamlphp-ukaccess.txt	2011-01-12 15:25:46.000000000 +0100
+++ simplesamlphp-1.9.1/docs/simplesamlphp-ukaccess.txt	2012-06-28 10:40:27.000000000 +0200
@@ -7,7 +7,7 @@
 	http://daringfireball.net/projects/markdown/syntax
 -->
 
-  * Version: `$Id: simplesamlphp-ukaccess.txt 2711 2011-01-12 14:25:46Z olavmrk $`
+  * Version: `$Id: simplesamlphp-ukaccess.txt 3127 2012-06-28 08:40:27Z olavmrk $`
 
 <!-- {{TOC}} -->
 
@@ -26,7 +26,7 @@
   * [Service Provider QuickStart](simplesamlphp-sp)
   * [Configuration Reference](./saml:sp)
 
-### Enablig a certificate for your Service Provider
+### Enabling a certificate for your Service Provider
 
 UK Access Federation and InCommon probably requires that you enable a certificate for your SP. Other federations do not always require that you do.
 
@@ -51,7 +51,7 @@
 Consuming Federation Metadata
 -----------------------------
 
-In order to enable the functionality to automatically download and parse metadata from a remtote URL, enable the `metarefresh` and `cron` modules:
+In order to enable the functionality to automatically download and parse metadata from a remote URL, enable the `metarefresh` and `cron` modules:
 
 	touch modules/metarefresh/enable
 	cp modules/metarefresh/config-templates/*.php config/
@@ -86,7 +86,7 @@
 		),
 	);
 
-The example above is from **UK Acces Federation**. If you instead would like to get metadata from **InCommon**, use the following URL and fingerprint:
+The example above is from **UK Access Federation**. If you instead would like to get metadata from **InCommon**, use the following URL and fingerprint:
 
 	'src' => 'http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml',
 	'validateFingerprint' => '74278f967cf1bfcaaa1b41afb6336448a2150eb4',	
@@ -110,7 +110,7 @@
 
 Then the page should load for a while and show no errors, only a white page. (These URLs are meant to run from *cron*, hence no output). If this operation seems to run fine, navigate to the **SimpleSAMLphp Front page** › **Federation**. Here you should see a list of all trusted Identity Providers. The Identity Providers that are downloaded are listed with information about the valid cache duration, such as *(expires in 96.0 hours)*.
 
-For more details on how to configure automateed metadata:
+For more details on how to configure automated metadata:
 
   * [Automated Metadata Management](simplesamlphp-automated_metadata)
 
@@ -167,7 +167,7 @@
   * SimpleSAMLphp uses the SAML 2.0 HTTP-REDIRECT binding for authentication request.
   * SimpleSAMLphp by default sends unsigned authentication request, may be enabled by configuring a certificate.
   * SimpleSAMLphp supports the SAML 2.0 HTTP-POST binding for Response.
-  * SimpleSAMLphp do not support the SAML 2.0 Artifact binding for Response. Estimated to be available in SimpleSAMLphp 1.6.
+  * SimpleSAMLphp does not support the SAML 2.0 Artifact binding for Response. Estimated to be available in SimpleSAMLphp 1.6.
   * SimpleSAMLphp supports SAML 2.0 Attribute Queries, but these are not sent automatically during SSO.
   * SimpleSAMLphp supports receiving and decrypting EncryptedAssertions.
   * SimpleSAMLphp supports receiving and decrypting NameID, as enabled by default by Shibboleth 2.0 - 2.1.
@@ -191,5 +191,5 @@
 - [UK Access Federation](http://www.ukfederation.org.uk/)
 - [InCommon](http://www.incommonfederation.org/)
 
-If your questions are not related to simpleSAMLphp, but instead to procedures on how to deal with a specific federation, the support channels specific for that federation.
+If your questions are not related to simpleSAMLphp, but instead procedures on how to deal with a specific federation, visit the support channels specific for that federation.
 
diff -Nru simplesamlphp-1.9.0/lib/SAML2/Utils.php simplesamlphp-1.9.1/lib/SAML2/Utils.php
--- simplesamlphp-1.9.0/lib/SAML2/Utils.php	2012-03-30 13:12:48.000000000 +0200
+++ simplesamlphp-1.9.1/lib/SAML2/Utils.php	2012-08-02 08:25:23.000000000 +0200
@@ -398,9 +398,13 @@
 				SimpleSAML_Logger::error('Failed to decrypt symmetric key: ' . $e->getMessage());
 				/* Create a replacement key, so that it looks like we fail in the same way as if the key was correctly padded. */
 
-				/* We base the symmetric key on the encrypted key, so that we always behave the same way for a given input key. */
+				/* We base the symmetric key on the encrypted key and private key, so that we always behave the
+				 * same way for a given input key.
+				 */
 				$encryptedKey = $encKey->getCipherValue();
-				$key = md5($encryptedKey, TRUE);
+				$pkey = openssl_pkey_get_details($symmetricKeyInfo->key);
+				$pkey = sha1(serialize($pkey), TRUE);
+				$key = sha1($encryptedKey . $pkey, TRUE);
 
 				/* Make sure that the key has the correct length. */
 				if (strlen($key) > $keySize) {
@@ -431,7 +435,7 @@
 		 */
 		$xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>'.$decrypted.'</root>';
 		$newDoc = new DOMDocument();
-		if (!$newDoc->loadXML($xml)) {
+		if (!@$newDoc->loadXML($xml)) {
 			throw new Exception('Failed to parse decrypted XML. Maybe the wrong sharedkey was used?');
 		}
 		$decryptedElement = $newDoc->firstChild->firstChild;
diff -Nru simplesamlphp-1.9.0/lib/SimpleSAML/Configuration.php simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php
--- simplesamlphp-1.9.0/lib/SimpleSAML/Configuration.php	2012-06-13 08:38:44.000000000 +0200
+++ simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php	2012-08-02 08:28:37.000000000 +0200
@@ -5,7 +5,7 @@
  *
  * @author Andreas Aakre Solberg, UNINETT AS. <[email protected]>
  * @package simpleSAMLphp
- * @version $Id: Configuration.php 3120 2012-06-13 06:38:44Z olavmrk $
+ * @version $Id: Configuration.php 3136 2012-08-02 06:28:37Z olavmrk $
  */
 class SimpleSAML_Configuration {
 
@@ -295,7 +295,7 @@
 	 * @return string
 	 */
 	public function getVersion() {
-		return '1.9.0';
+		return '1.9.1';
 	}

Bug#684045: pre-approval simplesamlphp/1.9.1-1

Reply via email to