This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch master in repository wss4j.
commit c1edbdff831f1c585bac11e8e44c55d01b72bea6 Author: Emmanuel Bourg <[email protected]> Date: Tue Jun 27 22:36:43 2017 +0200 Refreshed the patches --- debian/changelog | 4 +- debian/patches/01-no-saml.patch | 40 ++++++---- debian/patches/02-CVE-2015-0227.patch | 137 ---------------------------------- debian/patches/03-CVE-2015-0226.patch | 41 ---------- debian/patches/series | 2 - 5 files changed, 29 insertions(+), 195 deletions(-) diff --git a/debian/changelog b/debian/changelog index 61fd74e..adc193d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,7 @@ -wss4j (1.6.15-3) UNRELEASED; urgency=medium +wss4j (1.6.19-1) UNRELEASED; urgency=medium + * New upstream release (Closes: #822192) + - Refreshed the patches * Added the missing build dependency on junit4 * Let maven-debian-helper populate the package dependencies * Build with the DH sequencer instead of CDBS diff --git a/debian/patches/01-no-saml.patch b/debian/patches/01-no-saml.patch index 3d820a2..9471c2a 100644 --- a/debian/patches/01-no-saml.patch +++ b/debian/patches/01-no-saml.patch @@ -4,7 +4,7 @@ Author: Emmanuel Bourg <[email protected]> Forwarded: not-needed --- a/pom.xml +++ b/pom.xml -@@ -250,6 +250,11 @@ +@@ -298,6 +298,11 @@ <configuration> <source>1.5</source> <target>1.5</target> @@ -16,6 +16,18 @@ Forwarded: not-needed </configuration> </plugin> <plugin> +@@ -540,6 +545,11 @@ + </exclusions> + </dependency> + <dependency> ++ <groupId>org.slf4j</groupId> ++ <artifactId>slf4j-api</artifactId> ++ <version>${slf4j.version}</version> ++ </dependency> ++ <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <version>${junit.version}</version> --- a/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java +++ b/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java @@ -20,7 +20,6 @@ 
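Review bot: The refreshed 01-no-saml.patch now also injects an `org.slf4j:slf4j-api` dependency into pom.xml (inner hunk `+@@ -540,6 +545,11 @@`), which has nothing to do with removing SAML support and is not explained by the patch header lines visible above it (`Author:` / `Forwarded: not-needed`). Whoever refreshes this patch for the next upstream release cannot tell whether that dependency is required for the Debian build or was folded in by accident. Either split the pom.xml hunk into its own patch with a DEP-3 header, or extend this patch's Description with one sentence such as `The pom.xml hunk also declares slf4j-api as a direct dependency because <reason — fill in>`. The patch's Description line starts outside this hunk, so it cannot be confirmed here whether it already says this.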
@@ -227,7 +239,7 @@ Forwarded: not-needed import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSDocInfo; import org.apache.ws.security.WSSConfig; -@@ -92,6 +91,7 @@ +@@ -94,6 +93,7 @@ result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE); result.put(WSSecurityEngineResult.TAG_SECRET, returnedCredential.getSecretKey()); @@ -235,7 +247,7 @@ Forwarded: not-needed if (returnedCredential.getTransformedToken() != null) { result.put( WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN, -@@ -104,7 +104,7 @@ +@@ -106,7 +106,7 @@ new SAMLTokenPrincipal(credential.getTransformedToken()); result.put(WSSecurityEngineResult.TAG_PRINCIPAL, samlPrincipal); } @@ -263,7 +275,7 @@ Forwarded: not-needed private SecurityContextToken securityContextToken; private Principal principal; private byte[] secretKey; -@@ -166,33 +163,41 @@ +@@ -167,33 +164,41 @@ * Set an AssertionWrapper to be validated * @param assertion an AssertionWrapper to be validated */ @@ -315,7 +327,7 @@ Forwarded: not-needed /** * This class enforces processing rules for SecurityTokenReferences to various token elements, -@@ -125,6 +124,7 @@ +@@ -126,6 +125,7 @@ * @param assertion The SAML Token AssertionWrapper object * @throws WSSecurityException */ @@ -323,7 +335,7 @@ Forwarded: not-needed public static void checkSamlTokenBSPCompliance( SecurityTokenReference secRef, AssertionWrapper assertion -@@ -187,6 +187,7 @@ +@@ -188,6 +188,7 @@ } } } @@ -341,7 +353,7 @@ Forwarded: not-needed import java.security.Principal; import java.security.cert.X509Certificate; -@@ -233,6 +232,7 @@ +@@ -240,6 +239,7 @@ put(TAG_ACTION, Integer.valueOf(act)); } @@ -349,7 +361,7 @@ Forwarded: not-needed public WSSecurityEngineResult( int act, AssertionWrapper ass -@@ -242,6 +242,7 @@ +@@ -249,6 +249,7 @@ put(TAG_VALIDATED_TOKEN, Boolean.FALSE); put(TAG_TOKEN_ELEMENT, ass.getElement()); } 
@@ -367,7 +379,7 @@ Forwarded: not-needed import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSDocInfo; import org.apache.ws.security.WSSConfig; -@@ -82,6 +81,7 @@ +@@ -85,6 +84,7 @@ if (validator != null) { result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE); @@ -375,7 +387,7 @@ Forwarded: not-needed if (credential.getTransformedToken() != null) { result.put( WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN, credential.getTransformedToken() -@@ -93,7 +93,7 @@ +@@ -96,7 +96,7 @@ new SAMLTokenPrincipal(credential.getTransformedToken()); result.put(WSSecurityEngineResult.TAG_PRINCIPAL, samlPrincipal); } @@ -416,9 +428,9 @@ Forwarded: not-needed ); +*/ tmp.put( - WSSecurityEngine.ENCRYPTED_KEY, - org.apache.ws.security.processor.EncryptedKeyProcessor.class -@@ -181,6 +185,7 @@ + WSSecurityEngine.ENCRYPTED_ASSERTION, + org.apache.ws.security.processor.EncryptedAssertionProcessor.class +@@ -185,6 +189,7 @@ static { final Map<QName, Class<?>> tmp = new HashMap<QName, Class<?>>(); try { @@ -426,7 +438,7 @@ Forwarded: not-needed tmp.put( WSSecurityEngine.SAML_TOKEN, org.apache.ws.security.validate.SamlAssertionValidator.class -@@ -189,6 +194,7 @@ +@@ -193,6 +198,7 @@ WSSecurityEngine.SAML2_TOKEN, org.apache.ws.security.validate.SamlAssertionValidator.class ); diff --git a/debian/patches/02-CVE-2015-0227.patch b/debian/patches/02-CVE-2015-0227.patch deleted file mode 100644 index 464a1a7..0000000 --- a/debian/patches/02-CVE-2015-0227.patch +++ /dev/null 
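Review bot: In the `@@ -416,9 +428,9 @@` hunk the closing `+*/` of the no-saml comment block now falls before the `WSSecurityEngine.ENCRYPTED_ASSERTION` / `EncryptedAssertionProcessor` registration (it previously preceded `ENCRYPTED_KEY`), so that processor stays registered in a build that strips the SAML classes. If `EncryptedAssertionProcessor` only routes the decrypted element back through the processor map this is harmless, but if it references any of the excluded SAML types the package will fail to compile, or fail at class-load time when a message containing an EncryptedAssertion is processed; this should be confirmed against the 1.6.19 source before the upload. If it does depend on them, move the `*/` one entry down so the block also covers `tmp.put(WSSecurityEngine.ENCRYPTED_ASSERTION, org.apache.ws.security.processor.EncryptedAssertionProcessor.class);`. The Java static initializer these context lines belong to starts and ends outside the hunk.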
@@ -1,137 +0,0 @@ -Description: Fix CVE-2015-0227: WSS4J is still vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487) -Origin: backport, http://svn.apache.org/r1619359 -Bug-Debian: http://bugs.debian.org/777741 ---- a/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java -+++ b/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java -@@ -91,7 +91,7 @@ - ); - - if (elem != null && request.isRequireSignedEncryptedDataElements()) { -- WSSecurityUtil.verifySignedElement(elem, elem.getOwnerDocument(), wsDocInfo.getSecurityHeader()); -+ WSSecurityUtil.verifySignedElement(elem, wsDocInfo); - } - - SecretKey key = null; ---- a/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java -+++ b/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java -@@ -403,7 +403,7 @@ - Element encryptedDataElement = - ReferenceListProcessor.findEncryptedDataElement(doc, docInfo, dataRefURI); - if (encryptedDataElement != null && data.isRequireSignedEncryptedDataElements()) { -- WSSecurityUtil.verifySignedElement(encryptedDataElement, doc, docInfo.getSecurityHeader()); -+ WSSecurityUtil.verifySignedElement(encryptedDataElement, docInfo); - } - // - // Prepare the SecretKey object to decrypt EncryptedData ---- a/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java -+++ b/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java -@@ -132,7 +132,7 @@ - Element encryptedDataElement = findEncryptedDataElement(doc, wsDocInfo, dataRefURI); - - if (encryptedDataElement != null && asymBinding && data.isRequireSignedEncryptedDataElements()) { -- WSSecurityUtil.verifySignedElement(encryptedDataElement, doc, wsDocInfo.getSecurityHeader()); -+ WSSecurityUtil.verifySignedElement(encryptedDataElement, wsDocInfo); - } - // - // Prepare the SecretKey object to decrypt EncryptedData ---- a/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java -+++ 
b/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java -@@ -24,6 +24,7 @@ - import org.apache.ws.security.SOAPConstants; - import org.apache.ws.security.WSConstants; - import org.apache.ws.security.WSDataRef; -+import org.apache.ws.security.WSDocInfo; - import org.apache.ws.security.WSEncryptionPart; - import org.apache.ws.security.WSSecurityEngineResult; - import org.apache.ws.security.WSSecurityException; -@@ -50,10 +51,8 @@ - import java.security.SecureRandom; - import java.util.ArrayList; - import java.util.Collections; --import java.util.HashSet; - import java.util.Iterator; - import java.util.List; --import java.util.Set; - - /** - * WS-Security Utility methods. <p/> -@@ -1350,56 +1349,39 @@ - } - } - -- public static void verifySignedElement(Element elem, Document doc, Element securityHeader) -- throws WSSecurityException { -- final Element envelope = doc.getDocumentElement(); -- final Set<String> signatureRefIDs = getSignatureReferenceIDs(securityHeader); -- if (!signatureRefIDs.isEmpty()) { -- Node cur = elem; -- while (!cur.isSameNode(envelope)) { -- if (cur.getNodeType() == Node.ELEMENT_NODE) { -- if (WSConstants.SIG_LN.equals(cur.getLocalName()) -- && WSConstants.SIG_NS.equals(cur.getNamespaceURI())) { -- throw new WSSecurityException(WSSecurityException.FAILED_CHECK, -- "requiredElementNotSigned", new Object[] {elem}); -- } else if (isLinkedBySignatureRefs((Element)cur, signatureRefIDs)) { -- return; -+ public static void verifySignedElement(Element elem, WSDocInfo wsDocInfo) throws WSSecurityException { -+ List<WSSecurityEngineResult> signedResults = wsDocInfo.getResultsByTag(WSConstants.SIGN); -+ if (signedResults != null) { -+ for (WSSecurityEngineResult signedResult : signedResults) { -+ @SuppressWarnings("unchecked") -+ List<WSDataRef> dataRefs = (List<WSDataRef>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS); -+ if (dataRefs != null) { -+ for (WSDataRef dataRef : dataRefs) { -+ if (isElementOrAncestorSigned(elem, 
dataRef.getProtectedElement())) { -+ return; -+ } - } - } -- cur = cur.getParentNode(); - } - } - throw new WSSecurityException( - WSSecurityException.FAILED_CHECK, "requiredElementNotSigned", new Object[] {elem}); - } - -- private static boolean isLinkedBySignatureRefs(Element elem, Set<String> allIDs) { -- // Try the wsu:Id first -- String attributeNS = elem.getAttributeNS(WSConstants.WSU_NS, "Id"); -- if (!"".equals(attributeNS) && allIDs.contains(attributeNS)) { -- return true; -- } -- attributeNS = elem.getAttributeNS(null, "Id"); -- return (!"".equals(attributeNS) && allIDs.contains(attributeNS)); -- } -- -- private static Set<String> getSignatureReferenceIDs(Element wsseHeader) throws WSSecurityException { -- final Set<String> refs = new HashSet<String>(); -- final List<Element> signatures = WSSecurityUtil.getDirectChildElements(wsseHeader, WSConstants.SIG_LN, WSConstants.SIG_NS); -- for (Element signature : signatures) { -- Element sigInfo = WSSecurityUtil.getDirectChildElement(signature, WSConstants.SIG_INFO_LN, WSConstants.SIG_NS); -- List<Element> references = WSSecurityUtil.getDirectChildElements(sigInfo, WSConstants.REF_LN, WSConstants.SIG_NS); -- for (Element reference : references) { -- String uri = reference.getAttributeNS(null, "URI"); -- if (!"".equals(uri)) { -- boolean added = refs.add(WSSecurityUtil.getIDFromReference(uri)); -- if (!added) { -- log.warn("Duplicated reference uri: " + uri); -- } -- } -+ /** -+ * Does the current element or some ancestor of it correspond to the known "signedElement"? -+ */ -+ private static boolean isElementOrAncestorSigned(Element elem, Element signedElement) throws WSSecurityException { -+ final Element envelope = elem.getOwnerDocument().getDocumentElement(); -+ Node cur = elem; -+ while (!cur.isSameNode(envelope)) { -+ if (cur.getNodeType() == Node.ELEMENT_NODE && cur.equals(signedElement)) { -+ return true; - } -+ cur = cur.getParentNode(); - } -- return refs; -+ -+ return false; - } - - } 
diff --git a/debian/patches/03-CVE-2015-0226.patch b/debian/patches/03-CVE-2015-0226.patch deleted file mode 100644 index 395eaa6..0000000 --- a/debian/patches/03-CVE-2015-0226.patch +++ /dev/null @@ -1,41 +0,0 @@ -Description: Fix CVE-2015-0226: WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property -Origin: backport, http://svn.apache.org/r1621329 -Bug-Debian: http://bugs.debian.org/777741 ---- a/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java -+++ b/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java -@@ -19,6 +19,7 @@ - - package org.apache.ws.security.processor; - -+import java.security.NoSuchAlgorithmException; - import java.security.PrivateKey; - import java.security.cert.X509Certificate; - import java.security.spec.MGF1ParameterSpec; -@@ -209,7 +210,7 @@ - private static byte[] getRandomKey(List<String> dataRefURIs, Document doc, WSDocInfo wsDocInfo) throws WSSecurityException { - try { - String alg = "AES"; -- int size = 128; -+ int size = 16; - if (!dataRefURIs.isEmpty()) { - String uri = dataRefURIs.iterator().next(); - Element ee = ReferenceListProcessor.findEncryptedDataElement(doc, wsDocInfo, uri); -@@ -221,8 +222,16 @@ - kgen.init(size * 8); - SecretKey k = kgen.generateKey(); - return k.getEncoded(); -- } catch (Exception ex) { -- throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, ex); -+ } catch (Throwable ex) { -+ // Fallback to just using AES to avoid attacks on EncryptedData algorithms -+ try { -+ KeyGenerator kgen = KeyGenerator.getInstance("AES"); -+ kgen.init(128); -+ SecretKey k = kgen.generateKey(); -+ return k.getEncoded(); -+ } catch (NoSuchAlgorithmException e) { -+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e); -+ } - } - } - diff --git a/debian/patches/series b/debian/patches/series index 14e908c..1591d9b 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,3 +1 @@
 01-no-saml.patch
-02-CVE-2015-0227.patch
-03-CVE-2015-0226.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/wss4j.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

