This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch master in repository wss4j.
commit a02e4e4a1081564baa0da40d57ffbbe79201b0ee
Author: Emmanuel Bourg <[email protected]>
Date: Thu Feb 12 09:42:47 2015 +0100
Fixed CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack
---
debian/changelog | 3 +
debian/patches/02-CVE-2015-0227.patch | 137 ++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 141 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 10b8c9c..7a7fc24 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 wss4j (1.6.15-2) UNRELEASED; urgency=medium
 
+ * Fixed security issues (Closes: #777741):
+ - CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack
+ (incomplete fix for CVE-2011-2487)
 * Standards-Version updated to 3.9.6 (no changes)
 
 -- Emmanuel Bourg <[email protected]> Thu, 12 Feb 2015 09:11:29 +0100
diff --git a/debian/patches/02-CVE-2015-0227.patch b/debian/patches/02-CVE-2015-0227.patch
new file mode 100644
index 0000000..464a1a7
--- /dev/null
+++ b/debian/patches/02-CVE-2015-0227.patch
@@ -0,0 +1,137 @@
+Description: Fix CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)
+Origin: backport, http://svn.apache.org/r1619359
+Bug-Debian: http://bugs.debian.org/777741
+--- a/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java
++++ b/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java
+@@ -91,7 +91,7 @@
+ );
+ 
+ if (elem != null && request.isRequireSignedEncryptedDataElements()) {
+- WSSecurityUtil.verifySignedElement(elem, elem.getOwnerDocument(), wsDocInfo.getSecurityHeader());
++ WSSecurityUtil.verifySignedElement(elem, wsDocInfo);
+ }
+ 
+ SecretKey key = null;
+--- a/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
++++ b/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
+@@ -403,7 +403,7 @@
+ Element encryptedDataElement =
+ ReferenceListProcessor.findEncryptedDataElement(doc, docInfo, dataRefURI);
+ if (encryptedDataElement != null && data.isRequireSignedEncryptedDataElements()) {
+- WSSecurityUtil.verifySignedElement(encryptedDataElement, doc, docInfo.getSecurityHeader());
++ WSSecurityUtil.verifySignedElement(encryptedDataElement, docInfo);
+ }
+ //
+ // Prepare the SecretKey object to decrypt EncryptedData
+--- a/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
++++ b/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
+@@ -132,7 +132,7 @@
+ Element encryptedDataElement = findEncryptedDataElement(doc, wsDocInfo, dataRefURI);
+ 
+ if (encryptedDataElement != null && asymBinding && data.isRequireSignedEncryptedDataElements()) {
+- WSSecurityUtil.verifySignedElement(encryptedDataElement, doc, wsDocInfo.getSecurityHeader());
++ WSSecurityUtil.verifySignedElement(encryptedDataElement, wsDocInfo);
+ }
+ //
+ // Prepare the SecretKey object to decrypt EncryptedData
+--- a/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
++++ b/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
+@@ -24,6 +24,7 @@
+ import org.apache.ws.security.SOAPConstants;
+ import org.apache.ws.security.WSConstants;
+ import org.apache.ws.security.WSDataRef;
++import org.apache.ws.security.WSDocInfo;
+ import org.apache.ws.security.WSEncryptionPart;
+ import org.apache.ws.security.WSSecurityEngineResult;
+ import org.apache.ws.security.WSSecurityException;
+@@ -50,10 +51,8 @@
+ import java.security.SecureRandom;
+ import java.util.ArrayList;
+ import java.util.Collections;
+-import java.util.HashSet;
+ import java.util.Iterator;
+ import java.util.List;
+-import java.util.Set;
+ 
+ /**
+ * WS-Security Utility methods. <p/>
+@@ -1350,56 +1349,39 @@
+ }
+ }
+ 
+- public static void verifySignedElement(Element elem, Document doc, Element securityHeader)
+- throws WSSecurityException {
+- final Element envelope = doc.getDocumentElement();
+- final Set<String> signatureRefIDs = getSignatureReferenceIDs(securityHeader);
+- if (!signatureRefIDs.isEmpty()) {
+- Node cur = elem;
+- while (!cur.isSameNode(envelope)) {
+- if (cur.getNodeType() == Node.ELEMENT_NODE) {
+- if (WSConstants.SIG_LN.equals(cur.getLocalName())
+- && WSConstants.SIG_NS.equals(cur.getNamespaceURI())) {
+- throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
+- "requiredElementNotSigned", new Object[] {elem});
+- } else if (isLinkedBySignatureRefs((Element)cur, signatureRefIDs)) {
+- return;
++ public static void verifySignedElement(Element elem, WSDocInfo wsDocInfo) throws WSSecurityException {
++ List<WSSecurityEngineResult> signedResults = wsDocInfo.getResultsByTag(WSConstants.SIGN);
++ if (signedResults != null) {
++ for (WSSecurityEngineResult signedResult : signedResults) {
++ @SuppressWarnings("unchecked")
++ List<WSDataRef> dataRefs = (List<WSDataRef>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
++ if (dataRefs != null) {
++ for (WSDataRef dataRef : dataRefs) {
++ if (isElementOrAncestorSigned(elem, dataRef.getProtectedElement())) {
++ return;
++ }
+ }
+ }
+- cur = cur.getParentNode();
+ }
+ }
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_CHECK, "requiredElementNotSigned", new Object[] {elem});
+ }
+ 
+- private static boolean isLinkedBySignatureRefs(Element elem, Set<String> allIDs) {
+- // Try the wsu:Id first
+- String attributeNS = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
+- if (!"".equals(attributeNS) && allIDs.contains(attributeNS)) {
+- return true;
+- }
+- attributeNS = elem.getAttributeNS(null, "Id");
+- return (!"".equals(attributeNS) && allIDs.contains(attributeNS));
+- }
+-
+- private static Set<String> getSignatureReferenceIDs(Element wsseHeader) throws WSSecurityException {
+- final Set<String> refs = new HashSet<String>();
+- final List<Element> signatures = WSSecurityUtil.getDirectChildElements(wsseHeader, WSConstants.SIG_LN, WSConstants.SIG_NS);
+- for (Element signature : signatures) {
+- Element sigInfo = WSSecurityUtil.getDirectChildElement(signature, WSConstants.SIG_INFO_LN, WSConstants.SIG_NS);
+- List<Element> references = WSSecurityUtil.getDirectChildElements(sigInfo, WSConstants.REF_LN, WSConstants.SIG_NS);
+- for (Element reference : references) {
+- String uri = reference.getAttributeNS(null, "URI");
+- if (!"".equals(uri)) {
+- boolean added = refs.add(WSSecurityUtil.getIDFromReference(uri));
+- if (!added) {
+- log.warn("Duplicated reference uri: " + uri);
+- }
+- }
++ /**
++ * Does the current element or some ancestor of it correspond to the known "signedElement"?
++ */
++ private static boolean isElementOrAncestorSigned(Element elem, Element signedElement) throws WSSecurityException {
++ final Element envelope = elem.getOwnerDocument().getDocumentElement();
++ Node cur = elem;
++ while (!cur.isSameNode(envelope)) {
++ if (cur.getNodeType() == Node.ELEMENT_NODE && cur.equals(signedElement)) {
++ return true;
+ }
++ cur = cur.getParentNode();
+ }
+- return refs;
++
++ return false;
+ }
+ 
+ }
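Review bot: In the new `isElementOrAncestorSigned` at the end of the patch, the ancestor walk is guarded only by `cur.isSameNode(envelope)`, so if the element handed in is not a descendant of the document element the loop reaches a null `getParentNode()` and fails with a NullPointerException rather than the `requiredElementNotSigned` WSSecurityException the callers in the three processors expect; `while (cur != null && !cur.isSameNode(envelope)) {` keeps that failure on the intended path. The same loop stops before comparing the envelope itself with `signedElement`, so a signature whose protected element is the Envelope would never satisfy the check — presumably acceptable, since the outcome is a rejection rather than a bypass, but it deserves a comment. The node comparison mixes `isSameNode` for the envelope and `equals` for the signed element; using `isSameNode` for both would make it explicit that identity, not structural equality, is intended. The new public `verifySignedElement(Element, WSDocInfo)` has no Javadoc while the private helper does; a summary such as `Verify that elem, or one of its ancestors, is covered by a signature already verified and recorded in wsDocInfo; throws WSSecurityException otherwise.` would also make clear that the check now depends on signature results being present before decryption runs, and that an empty or null result list fails closed. Since the old public `verifySignedElement(Element, Document, Element)` overload is removed from a utility class, any reverse dependency compiled against it would break; that is worth confirming for the package before upload.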
diff --git a/debian/patches/series b/debian/patches/series
index 1591d9b..446e128 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 01-no-saml.patch
+02-CVE-2015-0227.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/wss4j.git
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

