Your message dated Sat, 28 Mar 2015 11:50:59 +0100
with message-id <[email protected]>
and subject line Re: Bug#781378: unblock: src:shibboleth-sp2/2.5.3+dfsg-2
has caused the Debian Bug report #781378,
regarding unblock: src:shibboleth-sp2/2.5.3+dfsg-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
781378: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781378
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package src:shibboleth-sp2
This package (which I'm sponsoring on behalf of Ferenc Wagner),
backports the upstream fix for CVE-2015-2684 to 2.5.3. I have just
sponsored a similar upload to wheezy-security, so a DSA should be
coming out about that shortly.
The upstream fix is viewable here:
http://svn.shibboleth.net/view/cpp-sp?view=revision&revision=3894
I attach the debdiff, which you will see just incorporates that
upstream fix.
I built this in a jessie sbuild chroot.
Thanks,
Matthew
unblock src:shibboleth-sp2/2.5.3+dfsg-2
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru shibboleth-sp2-2.5.3+dfsg/debian/changelog shibboleth-sp2-2.5.3+dfsg/debian/changelog
--- shibboleth-sp2-2.5.3+dfsg/debian/changelog 2014-04-01 05:01:56.000000000 +0100
+++ shibboleth-sp2-2.5.3+dfsg/debian/changelog 2015-03-24 15:03:24.000000000 +0000
@@ -1,3 +1,11 @@
+shibboleth-sp2 (2.5.3+dfsg-2) unstable; urgency=high
+
+ * Incorporate security fix from V2.5.4 for CVE-2015-2684: authenticated
+ denial of service vulnerability that results in a crash on certain
+ kinds of malformed SAML messages.
+
+ -- Ferenc Wagner <[email protected]> Tue, 24 Mar 2015 08:55:06 +0100
+
shibboleth-sp2 (2.5.3+dfsg-1) unstable; urgency=medium
* New upstream release.
diff -Nru shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch
--- shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch 1970-01-01 01:00:00.000000000 +0100
+++ shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch 2015-03-24 15:04:02.000000000 +0000
@@ -0,0 +1,56 @@
+From: =?utf-8?q?Ferenc_W=C3=A1gner?= <[email protected]>
+Date: Tue, 17 Mar 2015 15:09:39 +0100
+Subject: Security fix from V2.5.4 for CVE-2015-2684
+
+Shibboleth SP software crashes on malformed input messages
+===============================================================
+The SP software includes an authenticated denial of service
+vulnerability that results in a crash on certain kinds of malformed
+SAML messages. The vulnerability is only triggered when special
+conditions are met and after a message or assertion signature
+has been verified, so exploitation requires a message produced
+under a trusted key, limiting the impact.
+
+URL for the full Security Advisory:
+https://shibboleth.net/community/advisories/secadv_20150319.txt
+---
+ shibsp/handler/impl/SAML2Consumer.cpp | 4 ++++
+ shibsp/impl/StorageServiceSessionCache.cpp | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
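Review bot: The patch header links the security advisory but not the upstream change being backported, which the cover message gives as http://svn.shibboleth.net/view/cpp-sp?view=revision&revision=3894. Recording that revision in the header, for example as a DEP-3 `Origin: upstream, <URL>` line, would let a later reader compare this backport against upstream without having to find the bug report.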
+diff --git a/shibsp/handler/impl/SAML2Consumer.cpp b/shibsp/handler/impl/SAML2Consumer.cpp
+index ec62384..be2397c 100644
+--- a/shibsp/handler/impl/SAML2Consumer.cpp
++++ b/shibsp/handler/impl/SAML2Consumer.cpp
+@@ -44,6 +44,7 @@
+ # include <xmltooling/XMLToolingConfig.h>
+ # include <xmltooling/io/HTTPRequest.h>
+ # include <xmltooling/util/DateTime.h>
++# include <xmltooling/validation/ValidatorSuite.h>
+ using namespace opensaml::saml2;
+ using namespace opensaml::saml2p;
+ using namespace opensaml::saml2md;
+@@ -312,6 +313,9 @@ void SAML2Consumer::implementProtocol(
+ if (!decrypted->getSignature() && requireSignedAssertions.first && requireSignedAssertions.second)
+ throw SecurityPolicyException("The incoming assertion was unsigned, violating local security policy.");
+
++ // Run the schema validators against the assertion, since it was hidden by encryption.
++ SchemaValidators.validate(decrypted.get());
++
+ // We clear the security flag, so we can tell whether the token was secured on its own.
+ policy.setAuthenticated(false);
+ policy.reset(true);
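Review bot: The added `SchemaValidators.validate(decrypted.get())` call has no visible handling for a validation failure, so rejecting a malformed decrypted assertion depends on the call throwing and on that exception propagating the same way as the `SecurityPolicyException` raised just above it. The comment explains why validation is needed here but not what happens on failure, and one more sentence would cover that. The matching include in the previous hunk sits in an indented `# include` group, which suggests a preprocessor conditional, so it is also worth confirming that this call is compiled under the same condition.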
+diff --git a/shibsp/impl/StorageServiceSessionCache.cpp b/shibsp/impl/StorageServiceSessionCache.cpp
+index 9e5d48d..b816624 100644
+--- a/shibsp/impl/StorageServiceSessionCache.cpp
++++ b/shibsp/impl/StorageServiceSessionCache.cpp
+@@ -1233,7 +1233,8 @@ void SSCache::insert(
+ throw FatalProfileException("Attempted to create a session with a duplicate key.");
+
+ // Store the reverse mapping for logout.
+- if (nameid && m_reverseIndex && (m_excludedNames.size() == 0 || m_excludedNames.count(nameid->getName()) == 0)) {
++ if (name.get() && *name.get() && m_reverseIndex
++ && (m_excludedNames.size() == 0 || m_excludedNames.count(nameid->getName()) == 0)) {
+ try {
+ insert(key.get(), expires, name.get(), index.get());
+ }
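Review bot: The rewritten condition drops the `nameid &&` test, yet its second line still calls `nameid->getName()`. A null `nameid` is now excluded only if `name` can never be non-empty without it, and nothing in this hunk shows that. Either keep `nameid &&` in the condition or add a comment stating that `name` is derived from `nameid`. The exclusion lookup is also still keyed on `nameid->getName()` while the guard and the `insert()` call use `name.get()`, so if those are the same value in two encodings the comment should say so.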
diff -Nru shibboleth-sp2-2.5.3+dfsg/debian/patches/series shibboleth-sp2-2.5.3+dfsg/debian/patches/series
--- shibboleth-sp2-2.5.3+dfsg/debian/patches/series 2014-04-01 05:01:56.000000000 +0100
+++ shibboleth-sp2-2.5.3+dfsg/debian/patches/series 2015-03-24 15:03:24.000000000 +0000
@@ -4,3 +4,4 @@
0004-Shire-log-path-for-Debian.patch
0005-Default-native-logger-to-syslog.patch
0006-Remove-WSTrust-schema-references.patch
+0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch
--- End Message ---
--- Begin Message ---
On 2015-03-28 11:27, Matthew Vernon wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package src:shibboleth-sp2
>
> This package (which I'm sponsoring on behalf of Ferenc Wagner),
> backports the upstream fix for CVE-2015-2684 to 2.5.3. I have just
> sponsored a similar upload to wheezy-security, so a DSA should be
> coming out about that shortly.
>
> The upstream fix is viewable here:
> http://svn.shibboleth.net/view/cpp-sp?view=revision&revision=3894
>
> I attach the debdiff, which you will see just incorporates that
> upstream fix.
>
> I built this in a jessie sbuild chroot.
>
> Thanks,
>
> Matthew
>
> unblock src:shibboleth-sp2/2.5.3+dfsg-2
>
> [...]
Unblocked, thanks.
~Niels
--- End Message ---