Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package lemonldap-ng
Hi all,
We'd like to have an unblock to push lemonldap-ng_1.1.2-5+deb70u1
This release will contain:
* the security fix to close #696329
* the pt_BR.po file to close #693366
Best regards,
Xavier
unblock lemonldap-ng/1.1.2-5+deb70u1
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (800, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru lemonldap-ng-1.1.2/debian/changelog lemonldap-ng-1.1.2/debian/changelog
--- lemonldap-ng-1.1.2/debian/changelog 2012-03-24 17:59:00.0 +0100
+++ lemonldap-ng-1.1.2/debian/changelog 2012-12-21 06:03:04.0 +0100
@@ -1,3 +1,10 @@
+lemonldap-ng (1.1.2-5+deb70u1) testing-proposed-updates; urgency=high
+
+ * Fix for CVE-2012-6426 (Closes: #696329)
+ * Brazilian translation (Closes: #693366)
+
+ -- Xavier Guimard x.guim...@free.fr Thu, 20 Dec 2012 06:41:50 +0100
+
lemonldap-ng (1.1.2-5) unstable; urgency=low
* Remove some mistakes reported by
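Review bot: the changelog line `* Fix for CVE-2012-6426 (Closes: #696329)` should say what the issue is rather than only cite the identifier, since the changelog is what users and the release team read; the patch header below gives the wording: SAML signatures were never verified because of a bad use of the Lasso library, even when signature checking was enabled. Something like `* Verify SAML signatures, which were never checked due to a bad use of Lasso (CVE-2012-6426) (Closes: #696329)` would do. The `testing-proposed-updates` target and `urgency=high` are right for a security fix during the freeze.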
diff -Nru lemonldap-ng-1.1.2/debian/patches/series lemonldap-ng-1.1.2/debian/patches/series
--- lemonldap-ng-1.1.2/debian/patches/series 1970-01-01 01:00:00.0 +0100
+++ lemonldap-ng-1.1.2/debian/patches/series 2012-12-19 22:16:19.0 +0100
@@ -0,0 +1 @@
+verify-saml-signatures.patch
diff -Nru lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch
--- lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch 1970-01-01 01:00:00.0 +0100
+++ lemonldap-ng-1.1.2/debian/patches/verify-saml-signatures.patch 2012-12-19 22:21:48.0 +0100
@@ -0,0 +1,146 @@
+Description: Verify SAML signature
+ Due to a bad use of Lasso library, SAML signatures are never checked, even if
+ we force signature check.
+ [CVE-2012-6426]
+Author: Clément OUDOT cou...@linagora.com
+Bug: http://jira.ow2.org/browse/LEMONLDAP-570
+Bug-Debian: http://bugs.debian.org/696329
+Forwarded: yes
+Reviewed-By: Xavier Guimard x.guim...@free.fr
+Last-Update: 2012-12-19
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+@@ -2218,6 +2218,21 @@
+ return $self-checkLassoError($@);
+ }
+
++## @method boolean forceSignatureVerification(Lasso::Profile profile)
++# Modify Lasso signature hint to force signature verification
++# @param profile Lasso profile object
++# @return result
++sub forceSignatureVerification {
++my ( $self, $profile ) = splice @_;
++
++eval {
++Lasso::Profile::set_signature_verify_hint( $profile,
++Lasso::Constants::PROFILE_SIGNATURE_VERIFY_HINT_FORCE );
++};
++
++return $self-checkLassoError($@);
++}
++
+ ## @method string getAuthnContext(string context)
+ # Convert configuration string into SAML2 AuthnContextClassRef string
+ # @param context configuration string
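Review bot: the doc comment `# @return result` on the new `forceSignatureVerification` method is too vague for a method callers must act on: it returns whatever `checkLassoError($@)` returns, so it is only true when `Lasso::Profile::set_signature_verify_hint` succeeded in setting `PROFILE_SIGNATURE_VERIFY_HINT_FORCE`. State that explicitly (e.g. `# @return true if the FORCE hint was set, false on Lasso error`), and mention in the description that this is the counterpart of the existing `disableSignatureVerification` method documented just below, so the two hints are not confused.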
+@@ -3223,6 +3238,10 @@
+
+ Modify Lasso signature hint to disable signature verification
+
++=head2 forceSignatureVerification
++
++Modify Lasso signature hint to force signature verification
++
+ =head2 getAuthnContext
+
+ Convert configuration string into SAML2 AuthnContextClassRef string
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
+@@ -125,7 +125,18 @@
+ -{samlIDPMetaDataOptionsCheckSSOMessageSignature};
+
+ if ($checkSSOMessageSignature) {
+-unless ( $self-checkSignatureStatus($login) ) {
++
++$self-forceSignatureVerification($login);
++
++if ($artifact) {
++$result = $self-processArtResponseMsg( $login, $response );
++}
++else {
++$result =
++ $self-processAuthnResponseMsg( $login, $response );
++}
++
++unless ($result) {
+ $self-lmLog( Signature is not valid, 'error' );
+ return PE_SAML_SIGNATURE_ERROR;
+ }
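Review bot: the return value of `$self-forceSignatureVerification($login);` is discarded in this hunk, yet it is the only thing that tells the caller the FORCE hint was actually applied; if `set_signature_verify_hint` fails, the code falls through to `processAuthnResponseMsg` / `processArtResponseMsg` with the previous hint and a successful parse would then be reported as a valid signature. Test it, e.g. `unless ( $self->forceSignatureVerification($login) ) { ... return PE_SAML_SIGNATURE_ERROR; }`, before reprocessing the message. Also, `$result` is assigned here without `my` in the visible lines; confirm it is declared earlier in the sub so this compiles under `use strict`.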
+@@ -406,7 +417,12 @@
+ -{samlIDPMetaDataOptionsCheckSLOMessageSignature};
+
+ if ($checkSLOMessageSignature) {
+-unless ( $self-checkSignatureStatus($logout) ) {
++
++$self-forceSignatureVerification($logout);
++
++$result = $self-processLogoutResponseMsg( $logout, $response );
++
++unless ($result) {
+ $self-lmLog( Signature is not valid, 'error' );
+ return PE_SAML_SIGNATURE_ERROR;
+ }
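Review bot: same point as in the SSO hunk above, the result of `$self-forceSignatureVerification($logout);` is ignored here, so a failure to set the FORCE hint leaves `processLogoutResponseMsg` running with the previous hint while the branch still reports the signature as checked; test the return value and return `PE_SAML_SIGNATURE_ERROR` when it is false. This hunk only reprocesses the logout response on the SP side; please confirm in the description whether incoming LogoutRequest signatures are covered by another hunk.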
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+@@
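Review bot: the `IssuerDBSAML.pm` part of the patch is cut off right after its `@@` hunk header in this debdiff, so the issuer-side change cannot be reviewed from what is shown; the header `@@ -0,0 +1,146 @@` announces 146 lines but far fewer appear. Please post the complete verify-saml-signatures.patch so the IdP-side signature handling can be checked against the same "return value ignored" point raised for AuthSAML.pm.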