Bug#698946: Security update broke php-cas, wrong call to setSslCaCert()
On Sat, January 26, 2013 16:05, Olivier Berger wrote:
> As you can see in [0], I've integrated the full upstream commit [1] and not just the change on Client.php.
> Hope this helps.

The updated package indeed fixes the problem and works fine. Thanks!

Cheers,
Thijs

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#698946: Security update broke php-cas, wrong call to setSslCaCert()
Hi.

Thijs Kinkhorst th...@debian.org writes:

> The security update in 1.3.1-2 broke php-cas. The problem is in this hunk:
>
> @@ -2418,6 +2428,7 @@ class CAS_Client } if ($this-_cas_server_ca_cert != '') { $request-setSslCaCert($this-_cas_server_ca_cert); +$request-setSslCaCert($this-_cas_server_cn_validate); } // add extra stuff if SAML
>
> As you can see, the code now sets setSslCaCert first with the correct CA cert, but then sets it again with a boolean value. This makes all CA validation fail and thus renders php-cas unusable.
>
> The intended change, which is also upstream, is what is in the attached patch.
>
> Can you provide a fixed package? Let me know if my help is needed.

Thanks for testing and reporting.

I've updated and uploaded the package. As you can see in [0], I've integrated the full upstream commit [1] and not just the change on Client.php.

Hope this helps.

I'll make sure this transitions in testing/wheezy too.

Best regards,

[0] http://anonscm.debian.org/gitweb/?p=users/obergix/phpcas.git;a=shortlog;h=refs/heads/debian-1.3.1
[1] https://github.com/Jasig/phpCAS/commit/0e75d13385c0480d24512e5ea7dbb69863609b43

-- 
Olivier BERGER (OpenPGP: 4096R/7C5BB6A5) http://www.olivierberger.com/weblog/
Bug#698946: Security update broke php-cas, wrong call to setSslCaCert()
Package: php-cas
Version: 1.3.1-2
Severity: grave
Tags: patch

Hi Olivier,

The security update in 1.3.1-2 broke php-cas. The problem is in this hunk:

@@ -2418,6 +2428,7 @@ class CAS_Client } if ($this-_cas_server_ca_cert != '') { $request-setSslCaCert($this-_cas_server_ca_cert); +$request-setSslCaCert($this-_cas_server_cn_validate); } // add extra stuff if SAML

As you can see, the code now sets setSslCaCert first with the correct CA cert, but then sets it again with a boolean value. This makes all CA validation fail and thus renders php-cas unusable.

The intended change, which is also upstream, is what is in the attached patch.

Can you provide a fixed package? Let me know if my help is needed.

Thanks,
Thijs

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

--- php-cas-1.3.1.orig/CAS-1.3.1/CAS/Client.php
+++ php-cas-1.3.1/CAS-1.3.1/CAS/Client.php
@@ -2427,8 +2427,7 @@ class CAS_Client phpCAS::error('one of the methods phpCAS::setCasServerCACert() or phpCAS::setNoCasServerValidation() must be called.'); } if ($this-_cas_server_ca_cert != '') { -$request-setSslCaCert($this-_cas_server_ca_cert); -$request-setSslCaCert($this-_cas_server_cn_validate); +$request-setSslCaCert($this-_cas_server_ca_cert, $this-_cas_server_cn_validate); } // add extra stuff if SAML
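Review bot: in the 1.3.1-2 hunk (@@ -2418,6 +2428,7 @@) the added line `+$request-setSslCaCert($this-_cas_server_cn_validate);` overwrites the CA certificate path set on the line just above it with a boolean, so the request object is left with no loadable CA file and, as the report says, every connection to the CAS server fails rather than verification being quietly weakened; the CN-validation flag the security update meant to pass through never reaches the request at all. The second call should be removed and the flag passed as the second argument of the first call, `$request->setSslCaCert($this->_cas_server_ca_cert, $this->_cas_server_cn_validate);` (the `->` operators are rendered as `-` in this copy of the mail).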
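Review bot: the attached hunk (@@ -2427,8 +2427,7 @@) changes only the call site in CAS/Client.php, and the two-argument form `+$request-setSslCaCert($this-_cas_server_ca_cert, $this-_cas_server_cn_validate);` is only correct if the request classes' setSslCaCert() accept that second parameter and wire it into hostname verification, so the package needs the request-side part of the upstream commit as well, not this Client.php change alone; the follow-up in this thread integrating the full upstream commit is the right call. Worth adding a check before upload: with a valid CA file and cn_validate enabled, a CAS server presenting a certificate for a different hostname must still be rejected, since that is the setting this fix is meant to carry through.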
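To make the mechanism in the report concrete, here is an added illustration in PHP; it is not phpCAS code and not part of the original mail. The `HypotheticalRequest` class, its `curlOptions()` mapping to curl settings and the placeholder CA file are assumptions standing in for phpCAS's request object and for `$this->_cas_server_ca_cert` / `$this->_cas_server_cn_validate`. It runs the double call from 1.3.1-2 and the two-argument call from the attached patch side by side, and adds a third case the thread does not cover, a CA path with CN validation switched off, to show that a wrong second argument weakens verification instead of breaking it.

```php
<?php
// Added illustration, not phpCAS code. A minimal stand-in for the request
// object that CAS_Client configures: it stores the CA path and the CN flag
// the way a curl-backed request would consume them. The class name and the
// CURLOPT_* mapping below are assumptions made for this example.
class HypotheticalRequest
{
    private $caCertPath = '';
    private $validateCN = true;

    // Two-argument form, as used by the fixed call in the attached patch.
    public function setSslCaCert($caCertPath, $validateCN = true)
    {
        $this->caCertPath = $caCertPath;
        $this->validateCN = $validateCN;
    }

    // What a curl-backed request would hand to curl_setopt() (assumed mapping).
    public function curlOptions()
    {
        return array(
            'CURLOPT_CAINFO'         => $this->caCertPath,
            'CURLOPT_SSL_VERIFYPEER' => true,
            'CURLOPT_SSL_VERIFYHOST' => $this->validateCN ? 2 : 0,
        );
    }

    // Summarise what the TLS handshake would do with these settings.
    public function check()
    {
        if ($this->caCertPath === '' || !is_file($this->caCertPath)) {
            return 'FAIL: CA file "' . $this->caCertPath
                . '" cannot be loaded; every handshake with the CAS server fails';
        }
        return 'OK: peer verified against ' . $this->caCertPath
            . ($this->validateCN ? ' with' : ' WITHOUT') . ' hostname (CN) check';
    }
}

// Constructed inputs standing in for $this->_cas_server_ca_cert and
// $this->_cas_server_cn_validate. The CA file is an empty placeholder created
// only so that is_file() succeeds in this demo.
$caCert     = tempnam(sys_get_temp_dir(), 'ca');
$cnValidate = true;

// Broken sequence from 1.3.1-2: the second call replaces the path with a bool.
$broken = new HypotheticalRequest();
$broken->setSslCaCert($caCert);
$broken->setSslCaCert($cnValidate);   // stored path is now bool true, i.e. "1"
echo "broken: " . $broken->check() . "\n";
var_dump($broken->curlOptions());

// Fixed call from the attached patch: path and flag in one call.
$fixed = new HypotheticalRequest();
$fixed->setSslCaCert($caCert, $cnValidate);
echo "fixed:  " . $fixed->check() . "\n";

// The opposite mistake: a valid CA path but CN validation disabled. This does
// not break anything, it silently accepts a certificate for the wrong host,
// which is why the flag must travel as the second argument and be checked.
$weak = new HypotheticalRequest();
$weak->setSslCaCert($caCert, false);
echo "cn off: " . $weak->check() . "\n";

unlink($caCert);
```

Run it with `php` from the command line: the first case reports that CA file "1" cannot be loaded, which is the "unusable" symptom in the report; the second verifies the peer with the hostname check on; the third verifies the chain but skips the hostname check, the quiet failure mode a reviewer should test for after applying the patch.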