This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch master in repository wss4j.
commit 60f3852ad426167811d1bae4758e3a17550e6cf4
Author: Emmanuel Bourg <[email protected]>
Date: Thu Feb 12 09:50:17 2015 +0100
Fix CVE-2015-0226: WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
---
 debian/changelog | 2 ++
 debian/patches/03-CVE-2015-0226.patch | 41 +++++++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 44 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 7a7fc24..109a381 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ wss4j (1.6.15-2) UNRELEASED; urgency=medium
 * Fixed security issues (Closes: #777741):
 - CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)
+ - CVE-2015-0226: WSS4J doesn't correctly enforce the
+ requireSignedEncryptedDataElements property
 * Standards-Version updated to 3.9.6 (no changes)
 -- Emmanuel Bourg <[email protected]> Thu, 12 Feb 2015 09:11:29 +0100
diff --git a/debian/patches/03-CVE-2015-0226.patch b/debian/patches/03-CVE-2015-0226.patch
new file mode 100644
index 0000000..395eaa6
--- /dev/null
+++ b/debian/patches/03-CVE-2015-0226.patch
@@ -0,0 +1,41 @@
+Description: Fix CVE-2015-0226: WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
+Origin: backport, http://svn.apache.org/r1621329
+Bug-Debian: http://bugs.debian.org/777741
+--- a/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
++++ b/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
+@@ -19,6 +19,7 @@
+
+ package org.apache.ws.security.processor;
+
++import java.security.NoSuchAlgorithmException;
+ import java.security.PrivateKey;
+ import java.security.cert.X509Certificate;
+ import java.security.spec.MGF1ParameterSpec;
+@@ -209,7 +210,7 @@
+ private static byte[] getRandomKey(List<String> dataRefURIs, Document doc, WSDocInfo wsDocInfo) throws WSSecurityException {
+ try {
+ String alg = "AES";
+- int size = 128;
++ int size = 16;
+ if (!dataRefURIs.isEmpty()) {
+ String uri = dataRefURIs.iterator().next();
+ Element ee = ReferenceListProcessor.findEncryptedDataElement(doc, wsDocInfo, uri);
+@@ -221,8 +222,16 @@
+ kgen.init(size * 8);
+ SecretKey k = kgen.generateKey();
+ return k.getEncoded();
+- } catch (Exception ex) {
+- throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, ex);
++ } catch (Throwable ex) {
++ // Fallback to just using AES to avoid attacks on EncryptedData algorithms
++ try {
++ KeyGenerator kgen = KeyGenerator.getInstance("AES");
++ kgen.init(128);
++ SecretKey k = kgen.generateKey();
++ return k.getEncoded();
++ } catch (NoSuchAlgorithmException e) {
++ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e);
++ }
+ }
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index 446e128..14e908c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
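Review bot: In the new `catch (Throwable ex)` branch of getRandomKey, `ex` is discarded without any server-side trace, so requests that push key generation into the AES fallback are invisible to whoever operates the service. Handing the caller a uniform random key is the purpose of the change, but the failure should still be recorded locally and never surfaced in the fault, e.g. `log.debug("EncryptedData key generation failed, falling back to AES-128", ex);` (the logger name is a placeholder; use the one the class already declares). A short comment on `int size = 16;` such as `// key length in bytes; converted to bits by kgen.init(size * 8)` would make the unit change obvious. Separately, the `Description:` header ties this patch to the requireSignedEncryptedDataElements property, while the code and its own comment concern a random-key fallback, which reads like the Bleichenbacher item the changelog lists under CVE-2015-0227; the two CVE ids look swapped and should be checked against the upstream advisory. The body of getRandomKey is only partly visible, since lines between the two inner hunks are elided.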
@@ -1,2 +1,3 @@
 01-no-saml.patch
 02-CVE-2015-0227.patch
+03-CVE-2015-0226.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/wss4j.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

