Your message dated Sat, 26 Jan 2013 15:17:52 +0000 with message-id <[email protected]> and subject line Bug#698946: fixed in php-cas 1.3.1-4 has caused the Debian Bug report #698946, regarding Security update broke php-cas, wrong call to setSslCaCert() to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
698946: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698946
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---Package: php-cas Version: 1.3.1-2 Severity: grave Tags: patch Hi Olivier, The security update in 1.3.1-2 broke php-cas. The problem is in this hunk: @@ -2418,6 +2428,7 @@ class CAS_Client } if ($this->_cas_server_ca_cert != '') { $request->setSslCaCert($this->_cas_server_ca_cert); + $request->setSslCaCert($this->_cas_server_cn_validate); } // add extra stuff if SAML As you can see, the code now sets setSslCaCert first with the correct CA cert, but then sets it again with a boolean value. This makes all CA validation fail and thus renders php-cas unusable. The intended change, which is also upstream, is what is in attached patch. Can you provide a fixed package? Let me know if my help is needed. Thanks, Thijs -- System Information: Debian Release: 7.0 APT prefers testing APT policy: (400, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash--- php-cas-1.3.1.orig/CAS-1.3.1/CAS/Client.php +++ php-cas-1.3.1/CAS-1.3.1/CAS/Client.php @@ -2427,8 +2427,7 @@ class CAS_Client phpCAS::error('one of the methods phpCAS::setCasServerCACert() or phpCAS::setNoCasServerValidation() must be called.'); } if ($this->_cas_server_ca_cert != '') { - $request->setSslCaCert($this->_cas_server_ca_cert); - $request->setSslCaCert($this->_cas_server_cn_validate); + $request->setSslCaCert($this->_cas_server_ca_cert, $this->_cas_server_cn_validate); } // add extra stuff if SAML
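Review bot: The replacement two-argument `setSslCaCert()` call in the attached patch passes `$this->_cas_server_cn_validate` as a second parameter, but nothing in the visible hunk shows the callee accepting it or a test exercising it. The regression described above came from a boolean silently overwriting the CA path through this same setter. Suggest shipping a regression test that makes a validated request with a CA cert configured, and having the setter reject a non-string first argument, so that a repeat of the 1.3.1-2 mistake fails loudly at the call site instead of breaking all CA validation at request time.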
--- End Message ---
--- Begin Message ---
Source: php-cas
Source-Version: 1.3.1-4

We believe that the bug you reported is fixed in the latest version of php-cas, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Olivier Berger <[email protected]> (supplier of updated php-cas package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sat, 26 Jan 2013 15:43:53 +0100
Source: php-cas
Binary: php-cas
Architecture: source all
Version: 1.3.1-4
Distribution: unstable
Urgency: high
Maintainer: Olivier Berger <[email protected]>
Changed-By: Olivier Berger <[email protected]>
Description:
 php-cas - ${phppear:summary}
Closes: 698946
Changes:
 php-cas (1.3.1-4) unstable; urgency=high
 .
   * Fix wrong call to setSslCaCert() thanks to Thijs Kinkhorst (Closes: #698946).
--- End Message ---

