On Wed, 29 Jan 2020 12:24:36 +0100 Ferenc Wágner <[email protected]> wrote:
> I'm looking for guidance first: I'd like to fix #950135 (libxmltooling8: > Race condition bug in new session cookie feature leads to SP crash) in > buster. > [...] > Upstream cut a new release (3.0.5) for this fix specifically, but the > full diff between 3.0.4 and 3.0.5 is much longer due to changes in the > version number in several files, VC project files, generated Autotools > files, RPM spec file and Windows resource file. Still not huge, and > most of that is entirely irrelevant for Debian. But in the 3.0.5-1 > upload I included some packaging changes (mainly autopkgtest and Salsa > CI, but also a no-effect upgrade to debhelper compat 12). I guess you'd > rather not review all this in a stable update, right? Then I'll add a > quilt patch and submit that, as you prefer. Here's the minimal debdiff containing only a quilt patch: $ debdiff xmltooling_3.0.4-1.dsc xmltooling_3.0.4-1+deb10u1.dsc diff -Nru xmltooling-3.0.4/debian/changelog xmltooling-3.0.4/debian/changelog --- xmltooling-3.0.4/debian/changelog 2019-03-14 14:58:36.000000000 +0100 +++ xmltooling-3.0.4/debian/changelog 2020-01-31 23:06:07.000000000 +0100 @@ -1,3 +1,11 @@ +xmltooling (3.0.4-1+deb10u1) buster; urgency=medium + + * [7c6eb12] This branch is for buster updates + * [97e580e] New patch: CPPXT-145 - DataSealer is sharing non-thread safe keys. + Thanks to Scott Cantor (Closes: #950135) + + -- Ferenc Wágner <[email protected]> Fri, 31 Jan 2020 23:06:07 +0100 + xmltooling (3.0.4-1) unstable; urgency=high * [f185b26] New upstream security release: 3.0.4 diff -Nru xmltooling-3.0.4/debian/gbp.conf xmltooling-3.0.4/debian/gbp.conf --- xmltooling-3.0.4/debian/gbp.conf 2019-03-14 14:34:19.000000000 +0100 +++ xmltooling-3.0.4/debian/gbp.conf 2020-01-31 22:59:40.000000000 +0100 
@@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian/master +debian-branch = debian/buster upstream-branch = upstream/latest pristine-tar = True diff -Nru xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch --- xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch 1970-01-01 01:00:00.000000000 +0100 +++ xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch 2020-01-31 23:04:41.000000000 +0100 
@@ -0,0 +1,42 @@ +From: Scott Cantor <[email protected]> +Date: Tue, 1 Oct 2019 19:16:19 -0400 +Subject: CPPXT-145 - DataSealer is sharing non-thread safe keys + +Xmltooling versions 3.0.0 to 3.0.4 suffer from a race condition bug that +leads to a crash under load. + +https://issues.shibboleth.net/jira/browse/CPPXT-145 + +Closes: #950135 +--- + xmltooling/security/impl/DataSealer.cpp | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/xmltooling/security/impl/DataSealer.cpp b/xmltooling/security/impl/DataSealer.cpp +index c7ec7f9..aef85b7 100644 +--- a/xmltooling/security/impl/DataSealer.cpp ++++ b/xmltooling/security/impl/DataSealer.cpp +@@ -156,8 +156,10 @@ string DataSealer::wrap(const char* s, time_t exp) const + + safeBuffer ciphertext; + try { ++ // Keys are not threadsafe, use a clone to encrypt. ++ scoped_ptr<XSECCryptoKey> clonedKey(defaultKey.second->clone()); + scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm)); +- if (!handler->encryptToSafeBuffer(&tx, method.get(), defaultKey.second, dummydoc, ciphertext)) { ++ if (!handler->encryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, ciphertext)) { + throw XMLSecurityException("Data encryption failed."); + } + } +@@ -235,8 +237,10 @@ string DataSealer::unwrap(const char* s) const + unsigned int len = 0; + safeBuffer plaintext; + try { ++ // Keys are not threadsafe, use a clone to decrypt. 
++ scoped_ptr<XSECCryptoKey> clonedKey(requiredKey.second->clone()); + scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm)); +- len = handler->decryptToSafeBuffer(&tx, method.get(), requiredKey.second, dummydoc, plaintext); ++ len = handler->decryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, plaintext); + } + catch (const XSECException& ex) { + auto_ptr_char msg(ex.getMsg()); diff -Nru xmltooling-3.0.4/debian/patches/series xmltooling-3.0.4/debian/patches/series --- xmltooling-3.0.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ xmltooling-3.0.4/debian/patches/series 2020-01-31 23:04:41.000000000 +0100 @@ -0,0 +1 @@ +CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch I'm ready to upload this if you feel like going straight to 3.0.5-1 (in unstable) would be too much. -- Thanks, Feri
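Review bot: in the DataSealer.cpp hunk of the quilt patch, both wrap() and unwrap() pass clonedKey.get() straight into encryptToSafeBuffer()/decryptToSafeBuffer() without checking that clone() actually produced a key; if clone() can return a null pointer (for example for a key type it does not support), the crash this update is meant to remove would return as a null dereference inside the handler, so either a `if (!clonedKey) throw XMLSecurityException("Key clone failed.");` before each call or a confirmation that clone() never returns null would be worth adding. The shape of the fix is otherwise sound: the comment "Keys are not threadsafe" tells us the shared defaultKey.second / requiredKey.second object is modified during the operation, and giving each call a private copy that lives only for the try block (the result has already been copied into the safeBuffer by then) removes the shared mutable state without changing the API. The patch header would also benefit from DEP-3 fields so the Debian patch tracker can follow its provenance: `Origin: upstream, <upstream commit URL, to be filled in>`, `Bug: https://issues.shibboleth.net/jira/browse/CPPXT-145` and `Bug-Debian: https://bugs.debian.org/950135`, since the bare Jira URL and the gbp-pq style `Closes: #950135` line are not machine-readable.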