Bug#989479: sogo: CVE-2021-33054

2021-11-11 Thread Jordi Mallach
Hi Salvatore,

On Fri, 04/06/2021 at 23:07 +0200, Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-33054
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33054
> [1] https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746
> 
> Please adjust the affected versions in the BTS as needed.

I have prepared a source package for bullseye, with a debdiff attached.

I have built it in a bullseye chroot, but I assume you'll want a source
only upload.

I'll upload as soon as you ack it, and will prepare a similar package
for buster at your request.

Thanks,
Jordi


-- 
Jordi Mallach 
Debian Project



Bug#989479: sogo: CVE-2021-33054

2021-11-11 Thread Jordi Mallach
Hi,

On Thu, 11/11/2021 at 22:07 +0100, Jordi Mallach wrote:
> Hi Salvatore,
> 
> On Fri, 04/06/2021 at 23:07 +0200, Salvatore Bonaccorso wrote:
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog
> > entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2021-33054
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33054
> > [1] https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> I have prepared a source package for bullseye, with a debdiff
> attached.

Now attached...

Jordi

-- 
Jordi Mallach 
Debian Project
diff -Nru sogo-5.0.1/debian/changelog sogo-5.0.1/debian/changelog
--- sogo-5.0.1/debian/changelog	2021-02-02 01:28:14.0 +0100
+++ sogo-5.0.1/debian/changelog	2021-11-11 21:44:21.0 +0100
@@ -1,3 +1,11 @@
+sogo (5.0.1-4+deb11u1) bullseye-security; urgency=high
+
+  * [CVE-2021-33054] fixes validation of SAML message signatures
+(closes: #989479)
+  * Switch gbp debian branch to bullseye.
+
+ -- Jordi Mallach   Thu, 11 Nov 2021 21:44:21 +0100
+
 sogo (5.0.1-4) unstable; urgency=medium
 
   * Build against OpenSSL, now that ftpmaster considers it a system
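Review bot: the continuation line `(closes: #989479)` under the first bullet is shown with no indentation; debian/changelog body lines must be indented (the convention is four spaces so the text aligns under the bullet), otherwise dpkg-parsechangelog may reject the entry. If the lost whitespace is only a paste artifact this can be ignored; otherwise indent it to match the `  * ` line above.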
diff -Nru sogo-5.0.1/debian/gbp.conf sogo-5.0.1/debian/gbp.conf
--- sogo-5.0.1/debian/gbp.conf	2019-10-31 09:28:21.0 +0100
+++ sogo-5.0.1/debian/gbp.conf	2021-11-11 21:43:53.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian
-upstream-branch=upstream
+debian-branch = bullseye
+upstream-branch = upstream
 upstream-vcs-tag = SOGo-%(version)s
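Review bot: the `debian-branch` change is unrelated to the CVE fix; debdiffs for a stable security upload are normally kept to the minimum, but this touches only packaging metadata, has no effect on the built binaries, and is recorded in the changelog, so it is acceptable to keep.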
diff -Nru sogo-5.0.1/debian/patches/cve-2021-33054.patch sogo-5.0.1/debian/patches/cve-2021-33054.patch
--- sogo-5.0.1/debian/patches/cve-2021-33054.patch	1970-01-01 01:00:00.0 +0100
+++ sogo-5.0.1/debian/patches/cve-2021-33054.patch	2021-11-11 21:40:56.0 +0100
@@ -0,0 +1,18 @@
+commit e53636564680ac0df11ec898304bc442908ba746
+Author: Francis Lachapelle 
+Date:   Mon May 17 10:10:01 2021 -0400
+
+fix(saml): don't ignore the signature of messages
+
+diff --git a/SoObjects/SOGo/SOGoSAML2Session.m b/SoObjects/SOGo/SOGoSAML2Session.m
+index 782bc1f2c..e07f84116 100644
+--- a/SoObjects/SOGo/SOGoSAML2Session.m
 b/SoObjects/SOGo/SOGoSAML2Session.m
+@@ -454,7 +454,6 @@ static NSMapTable *serverTable = nil;
+ 
+   responseData = strdup ([authnResponse UTF8String]);
+ 
+-  lasso_profile_set_signature_verify_hint(lassoLogin, LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
+   rc = lasso_login_process_authn_response_msg (lassoLogin, responseData);
+   if (rc)
+ [NSException raiseSAML2Exception: rc];
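Review bot: the embedded upstream patch's `+++` file header looks damaged: the line following `+--- a/SoObjects/SOGo/SOGoSAML2Session.m` reads ` b/SoObjects/SOGo/SOGoSAML2Session.m` with neither the quilt `+` nor the `+++ ` prefix, so as shown here patch(1) would not recognise the file header. Check that the file on disk reads `+++ b/SoObjects/SOGo/SOGoSAML2Session.m` and that `quilt push -a` applies cleanly before uploading. The substance matches upstream commit e53636564680ac0df11ec898304bc442908ba746: dropping the `lasso_profile_set_signature_verify_hint(lassoLogin, LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE)` call restores lasso's default verification, so `lasso_login_process_authn_response_msg` returns a non-zero `rc` for a missing or invalid signature and the existing `if (rc)` raises the SAML2 exception instead of accepting the response. Consider adding DEP-3 headers (Origin: the upstream commit URL, Bug-Debian: https://bugs.debian.org/989479) above the commit line so the provenance survives without reading the changelog.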
diff -Nru sogo-5.0.1/debian/patches/series sogo-5.0.1/debian/patches/series
--- sogo-5.0.1/debian/patches/series	2021-02-02 01:28:14.0 +0100
+++ sogo-5.0.1/debian/patches/series	2021-11-11 21:41:21.0 +0100
@@ -9,3 +9,4 @@
 0008-Unset-MAKEFLAGS-and-MFLAGS-in-configure.patch
 0009-Omit-signedViewer-altogether-when-not-using-openssl.patch
 python3.patch
+cve-2021-33054.patch


Bug#989479: sogo: CVE-2021-33054

2021-06-04 Thread Salvatore Bonaccorso
Source: sogo
Version: 5.1.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 5.0.1-4
Control: found -1 4.0.7-1+deb10u1
Control: found -1 4.0.7-1

Hi,

The following vulnerability was published for sogo.

CVE-2021-33054[0]:
| SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not
| validate the signatures of any SAML assertions it receives. Any actor
| with network access to the deployment could impersonate users when
| SAML is the authentication method. (Only versions after 2.0.5a are
| affected.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33054
[1] https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore