Hi,
El dj. 11 de 11 de 2021 a les 22:07 +0100, en/na Jordi Mallach va
escriure:
> Hi Salvatore,
>
> El dv. 04 de 06 de 2021 a les 23:07 +0200, en/na Salvatore Bonaccorso
> va escriure:
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog
> > entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2021-33054
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33054
> > [1]
> > https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746
> >
> > Please adjust the affected versions in the BTS as needed.
>
> I have prepared a source package for bullseye, with a debdiff
> attached.
Now attached...
Jordi
--
Jordi Mallach
Debian Project
diff -Nru sogo-5.0.1/debian/changelog sogo-5.0.1/debian/changelog
--- sogo-5.0.1/debian/changelog 2021-02-02 01:28:14.0 +0100
+++ sogo-5.0.1/debian/changelog 2021-11-11 21:44:21.0 +0100
@@ -1,3 +1,11 @@
+sogo (5.0.1-4+deb11u1) bullseye-security; urgency=high
+
+ * [CVE-2021-33054] fixes validation of SAML message signatures
+(closes: #989479)
+ * Switch gbp debian branch to bullseye.
+
+ -- Jordi Mallach Thu, 11 Nov 2021 21:44:21 +0100
+
sogo (5.0.1-4) unstable; urgency=medium
* Build against OpenSSL, now that ftpmaster considers it a system
diff -Nru sogo-5.0.1/debian/gbp.conf sogo-5.0.1/debian/gbp.conf
--- sogo-5.0.1/debian/gbp.conf 2019-10-31 09:28:21.0 +0100
+++ sogo-5.0.1/debian/gbp.conf 2021-11-11 21:43:53.0 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian
-upstream-branch=upstream
+debian-branch = bullseye
+upstream-branch = upstream
upstream-vcs-tag = SOGo-%(version)s
diff -Nru sogo-5.0.1/debian/patches/cve-2021-33054.patch sogo-5.0.1/debian/patches/cve-2021-33054.patch
--- sogo-5.0.1/debian/patches/cve-2021-33054.patch 1970-01-01 01:00:00.0 +0100
+++ sogo-5.0.1/debian/patches/cve-2021-33054.patch 2021-11-11 21:40:56.0 +0100
@@ -0,0 +1,18 @@
+commit e53636564680ac0df11ec898304bc442908ba746
+Author: Francis Lachapelle
+Date: Mon May 17 10:10:01 2021 -0400
+
+fix(saml): don't ignore the signature of messages
+
+diff --git a/SoObjects/SOGo/SOGoSAML2Session.m b/SoObjects/SOGo/SOGoSAML2Session.m
+index 782bc1f2c..e07f84116 100644
+--- a/SoObjects/SOGo/SOGoSAML2Session.m
b/SoObjects/SOGo/SOGoSAML2Session.m
+@@ -454,7 +454,6 @@ static NSMapTable *serverTable = nil;
+
+ responseData = strdup ([authnResponse UTF8String]);
+
+- lasso_profile_set_signature_verify_hint(lassoLogin, LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
+ rc = lasso_login_process_authn_response_msg (lassoLogin, responseData);
+ if (rc)
+ [NSException raiseSAML2Exception: rc];
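Review bot: The embedded patch header (the `commit`/`Author`/`Date` lines at the top of the new file) carries no DEP-3 fields, so nothing in debian/patches records where the fix came from or which bug it closes; add `Origin: upstream, https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746` and `Bug-Debian: https://bugs.debian.org/989479` above the description, which is what the tracker and the changelog entry already reference. On the new side, the only change is dropping the `lasso_profile_set_signature_verify_hint(..., LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE)` call, so the `rc = lasso_login_process_authn_response_msg` line now silently carries the security property; a one-line comment there, `// Signature of the AuthnResponse is verified by lasso (CVE-2021-33054); do not reintroduce the IGNORE hint`, would keep a later refactor from restoring it. The `b/SoObjects/SOGo/SOGoSAML2Session.m` line appears without its `+++ ` marker, which is probably mail or extraction damage rather than the on-disk file, but it is worth confirming the patch applies cleanly with quilt since a truncated `+++` header would be rejected. The enclosing method (the strdup'd `responseData` and its release) starts and ends outside the hunk, so whether the buffer is freed on the exception path cannot be judged from here.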
diff -Nru sogo-5.0.1/debian/patches/series sogo-5.0.1/debian/patches/series
--- sogo-5.0.1/debian/patches/series 2021-02-02 01:28:14.0 +0100
+++ sogo-5.0.1/debian/patches/series 2021-11-11 21:41:21.0 +0100
@@ -9,3 +9,4 @@
0008-Unset-MAKEFLAGS-and-MFLAGS-in-configure.patch
0009-Omit-signedViewer-altogether-when-not-using-openssl.patch
python3.patch
+cve-2021-33054.patch