Bug#698946: Security update broke php-cas, wrong call to setSslCaCert()

2013-01-28 Thread Thijs Kinkhorst
On Sat, January 26, 2013 16:05, Olivier Berger wrote:
 As you can see in [0], I've integrated the full upstream commit [1] and
 not just the change on Client.php.

 Hope this helps.

The updated package indeed fixes the problem and works fine. Thanks!


Cheers,
Thijs


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#698946: Security update broke php-cas, wrong call to setSslCaCert()

2013-01-26 Thread Olivier Berger
Hi.

Thijs Kinkhorst th...@debian.org writes:

 The security update in 1.3.1-2 broke php-cas. The problem is in this hunk:

 @@ -2418,6 +2428,7 @@ class CAS_Client
  }
  if ($this-_cas_server_ca_cert != '') {
  $request-setSslCaCert($this-_cas_server_ca_cert);
 +$request-setSslCaCert($this-_cas_server_cn_validate);
  }

  // add extra stuff if SAML

 As you can see, the code now sets setSslCaCert first with the correct CA
 cert, but then sets it again with a boolean value. This makes all CA
 validation fail and thus renders php-cas unusable.

 The intended change, which is also upstream, is what is in attached patch.
 Can you provide a fixed package? Let me know if my help is needed.


Thanks for testing and reporting.

I've updated and uploaded the package.

As you can see in [0], I've integrated the full upstream commit [1] and
not just the change on Client.php.

Hope this helps.

I'll make sure this transitions in testing/wheezy too.

Best regards,

[0] http://anonscm.debian.org/gitweb/?p=users/obergix/phpcas.git;a=shortlog;h=refs/heads/debian-1.3.1
[1] https://github.com/Jasig/phpCAS/commit/0e75d13385c0480d24512e5ea7dbb69863609b43
-- 
Olivier BERGER 
(OpenPGP: 4096R/7C5BB6A5)
http://www.olivierberger.com/weblog/





Bug#698946: Security update broke php-cas, wrong call to setSslCaCert()

2013-01-25 Thread Thijs Kinkhorst
Package: php-cas
Version: 1.3.1-2
Severity: grave
Tags: patch

Hi Olivier,

The security update in 1.3.1-2 broke php-cas. The problem is in this hunk:

@@ -2418,6 +2428,7 @@ class CAS_Client
 }
 if ($this-_cas_server_ca_cert != '') {
 $request-setSslCaCert($this-_cas_server_ca_cert);
+$request-setSslCaCert($this-_cas_server_cn_validate);
 }

 // add extra stuff if SAML
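Review bot: the added line `+$request-setSslCaCert($this-_cas_server_cn_validate);` hands the boolean `_cas_server_cn_validate` to a setter that expects a CA certificate path, so it overwrites the correct path set on the line directly above and every later server-certificate check fails. If the intent is to switch on CN validation, it belongs as the second argument of the single existing call, `$request->setSslCaCert($this->_cas_server_ca_cert, $this->_cas_server_cn_validate);`, rather than as a second call. The header `@@ -2418,6 +2428,7 @@` also shows the file has shifted by ten lines before this hunk, so the same security update touched other parts of Client.php that deserve the same look.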

As you can see, the code now sets setSslCaCert first with the correct CA
cert, but then sets it again with a boolean value. This makes all CA
validation fail and thus renders php-cas unusable.

The intended change, which is also upstream, is what is in attached patch.
Can you provide a fixed package? Let me know if my help is needed.


Thanks,
Thijs

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

--- php-cas-1.3.1.orig/CAS-1.3.1/CAS/Client.php
+++ php-cas-1.3.1/CAS-1.3.1/CAS/Client.php
@@ -2427,8 +2427,7 @@ class CAS_Client
 phpCAS::error('one of the methods phpCAS::setCasServerCACert() or phpCAS::setNoCasServerValidation() must be called.');
 }
 if ($this-_cas_server_ca_cert != '') {
-$request-setSslCaCert($this-_cas_server_ca_cert);
-$request-setSslCaCert($this-_cas_server_cn_validate);
+$request-setSslCaCert($this-_cas_server_ca_cert, $this-_cas_server_cn_validate);
 }
 
 // add extra stuff if SAML
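Review bot: the replacement line `+$request-setSslCaCert($this-_cas_server_ca_cert, $this-_cas_server_cn_validate);` relies on the request class behind `$request` accepting a second, boolean argument; this patch only touches Client.php, so if the request implementation in the 1.3.1-2 package still has the one-argument setter the CN flag is silently dropped and hostname checking is whatever the request class defaults to. Confirm the request classes were updated together with this call, which is what integrating the full upstream commit (as Olivier's reply describes) achieves.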
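The failure mode Thijs describes (a boolean handed to a setter that expects a CA bundle path) and the two-argument form in the attached patch, shown in a small added PHP example that is not phpCAS code. The class, property and parameter names are assumptions modelled on the call in the patch, and mapping the CN flag onto CURLOPT_SSL_VERIFYHOST is my assumption about what such a setter does, not something the page states. The point it adds: with a typed signature and strict types, the wrong call is rejected where it is made instead of quietly pointing CURLOPT_CAINFO at a file named "1".

```php
<?php
declare(strict_types=1);

// Added illustration, not phpCAS code. Names are assumptions modelled on the
// two-argument call in the patch: setSslCaCert($ca_cert, $cn_validate).
final class TlsRequestConfig
{
    private ?string $caCert = null;
    private bool $validateCn = true;

    /**
     * Pin the CA bundle used to verify the server certificate and decide
     * whether the certificate's host name (CN/SAN) is checked as well.
     *
     * Under strict_types, passing a bool where a string is expected throws a
     * TypeError at the call site, so the 1.3.1-2 mistake of calling
     * setSslCaCert($cn_validate) fails immediately rather than at request time.
     */
    public function setSslCaCert(string $caCert, bool $validateCn = true): void
    {
        if ($caCert === '' || !is_readable($caCert)) {
            throw new InvalidArgumentException("CA bundle not readable: $caCert");
        }
        $this->caCert = $caCert;
        $this->validateCn = $validateCn;
    }

    /** Apply the settings to a curl handle; peer verification is never turned off. */
    public function applyTo(CurlHandle $ch): void
    {
        if ($this->caCert === null) {
            throw new LogicException('setSslCaCert() must be called before sending');
        }
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($ch, CURLOPT_CAINFO, $this->caCert);
        // Assumed mapping of the CN flag: 2 = certificate must match the host
        // name, 0 = skip only the host-name check (the chain is still verified).
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $this->validateCn ? 2 : 0);
    }
}

// Constructed demonstration: a temporary file stands in for a real CA bundle.
$caBundle = tempnam(sys_get_temp_dir(), 'ca');
file_put_contents($caBundle, "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n");

$cfg = new TlsRequestConfig();

// The broken 1.3.1-2 sequence: a second call passes a bool as the CA path.
try {
    $cfg->setSslCaCert($caBundle);
    $cfg->setSslCaCert(true);           // bool where a string is expected
} catch (TypeError $e) {
    echo "rejected at call time: ", $e->getMessage(), "\n";
}

// The intended form from the patch: CA path and CN flag in one call.
$cfg->setSslCaCert($caBundle, true);

// Placeholder host; nothing is sent, the handle is only configured.
$ch = curl_init('https://cas.example.invalid/serviceValidate');
if ($ch === false) {
    throw new RuntimeException('curl_init failed');
}
$cfg->applyTo($ch);
echo "handle configured with CA bundle and host-name check\n";

unlink($caBundle);
```

The TypeError only appears because the calling file declares `strict_types=1`; in the default coercive mode PHP would convert `true` to the string "1" and the bug would surface later as a failed certificate check, which is exactly what the bug report observed.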