Bug#929611: Update

2019-08-20 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Wed, 2019-06-26 at 14:08 +0200, Xavier wrote:
> Hi all,
> 
> I updated my debdiff due to a little security hole discovered in
> lemonldap-ng 1.9.x

Please go ahead; sorry for the delay.

Regards,

Adam



Processed: Re: Bug#929611: Update

2019-08-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #929611 [release.debian.org] stretch-pu: package lemonldap-ng/1.9.7-3+deb9u2
Added tag(s) moreinfo.

-- 
929611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929611
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#929611: Update

2019-06-26 Thread Xavier
Hi all,

I updated my debdiff due to a little security hole discovered in
lemonldap-ng 1.9.x

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index a1fe37b..e1e20aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (1.9.7-3+deb9u2) stretch; urgency=medium
+
+  * Fix CDA regression introduced in 1.9.7-3+deb9u1
+  * Fix XXE vulnerability (Closes: #931117)
+
+ -- Xavier Guimard   Wed, 26 Jun 2019 13:46:13 +0200
+
 lemonldap-ng (1.9.7-3+deb9u1) stretch-security; urgency=medium
 
   * Add patch to fix token security (Closes: #928944, CVE-2019-12046)
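Review bot: the `Fix CDA regression introduced in 1.9.7-3+deb9u1` entry carries no bug reference, while the patch header further down points at Debian bug #928944 and the upstream issue tracker; adding the bug number (e.g. `(See: #928944)`) or the upstream issue URL to that line would let the release team trace the regression back to the deb9u1 CVE-2019-12046 fix without opening the patch. The XXE entry correctly closes #931117; if a CVE identifier is assigned for it, it belongs on that line and in the patch header as well.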
diff --git a/debian/patches/CDA-regression.patch 
b/debian/patches/CDA-regression.patch
new file mode 100644
index 000..242ce9c
--- /dev/null
+++ b/debian/patches/CDA-regression.patch
@@ -0,0 +1,62 @@
+Description: CDA regression fix
+ Fix for #928944 (CVE-2019-12046) introduced a regression in cross-domain
+ feature. This diff fix it and fix also a little issue when portal is called
+ using an Ajax request: it must not send Access-Control-Allow-Origin header.
+ (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1519)
+Author: Clément Oudot 
+Origin: upstream, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1756
+Bug-Debian: https://bugs.debian.org/928944
+Forwarded: not-needed
+Reviewed-By: Guilhem Moulin 
+Last-Update: 2019-05-27
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
 b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
+@@ -1049,7 +1049,7 @@
+ 
+ }
+ 
+-## @method void updateSession(hashRef infos, string id)
++## @method void updateSession(hashRef infos, string id, string kind)
+ # Update session stored.
+ # If no id is given, try to get it from cookie.
+ # If the session is available, update datas with $info.
+@@ -1057,9 +1057,10 @@
+ # server local cache, if there are several LL::NG servers.
+ # @param infos hash reference of information to update
+ # @param id Session ID
++# @param kind Session kind
+ # @return nothing
+ sub updateSession {
+-my ( $self, $infos, $id ) = @_;
++my ( $self, $infos, $id, $kind ) = @_;
+ 
+ # Return if no infos to update
+ return () unless ( ref $infos eq 'HASH' and %$infos );
+@@ -1084,7 +1085,7 @@
+ }
+ 
+ # Update session in global storage
+-if ( my $apacheSession = $self->getApacheSession( $id, 1 ) ) {
++if ( my $apacheSession = $self->getApacheSession( $id, 1, undef, 
$kind ) ) {
+ 
+ # Store updateTime
+ $infos->{updateTime} = strftime( "%Y%m%d%H%M%S", localtime() );
+@@ -1569,7 +1570,6 @@
+ print $self->header(
+ -status=> '401 Unauthorizated',
+ '-WWW-Authenticate'=> "SSO $self->{portal}",
+-'-Access-Control-Allow-Origin' => '*',
+ );
+ $self->quit;
+ }
+@@ -2744,7 +2744,7 @@
+ $cdaInfos->{cookie_name} = $self->{cookieName} . "http";
+ }
+ 
+-$self->updateSession( $cdaInfos, $cdaSession->id );
++$self->updateSession( $cdaInfos, $cdaSession->id, 'CDA' );
+ 
+ $self->{urldc} .=
+ ( $self->{urldc} =~ /\?/ ? '&' : '?' )
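Review bot: as pasted, this patch will not apply: the `+Origin: upstream, ` header line is followed by a bare URL line with no leading `+`, the `+++ b/...` file header has lost its prefix, and the `getApacheSession( $id, 1, undef, ` call is split across two lines with the continuation `$kind ) ) {` unprefixed. This looks like mail line-wrapping rather than a defect in the debdiff itself, so please confirm the attached file (not the inline copy) is what gets uploaded. On the change: dropping `'-Access-Control-Allow-Origin' => '*'` from the 401 response is the right call, since a wildcard CORS header on an unauthenticated portal response was never needed and widens what a cross-origin page can read; and threading `'CDA'` through `updateSession` into `getApacheSession` restores the session-kind lookup that the CVE-2019-12046 patch tightened. Every other `updateSession` caller now passes an undefined `$kind`, so it is worth checking that `getApacheSession` treats an undef fourth argument the same way it treated the old three-argument call. The pre-existing `'401 Unauthorizated'` status text in context is untouched by this patch and can stay that way for a stable update.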
diff --git a/debian/patches/fix-xxe-vulnerability.patch 
b/debian/patches/fix-xxe-vulnerability.patch
new file mode 100644
index 000..90d8b90
--- /dev/null
+++ b/debian/patches/fix-xxe-vulnerability.patch
@@ -0,0 +1,19 @@
+Description: Fix XXE vulnerability
+ Due to #838097, XML::LibXML expands external entities by default. In
+ lemonldap-ng, this permits to an administrator allowed to create
+ notifications to access to server filesystem.
+Author: Xavier Guimard 
+Forwarded: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/5cbdaf7a
+Last-Update: 2019-06-26
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Notification.pm
 b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Notification.pm
+@@ -44,7 +44,7 @@
+ }
+ 
+ # Initiate XML parser
+-$parser = XML::LibXML->new();
++$parser = XML::LibXML->new( load_ext_dtd => 0, expand_entities => 0 );
+ 
+ return $self;
+ }
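Review bot: `load_ext_dtd => 0, expand_entities => 0` are the right XML::LibXML parser options to stop external entity resolution, but the header is thinner than the CDA patch's: `Forwarded:` points at an upstream commit, so `Origin: upstream, <commit URL>` is the better field, and a `Bug-Debian: https://bugs.debian.org/931117` line matching the changelog's `Closes:` would help reviewers. Consider also adding `no_network => 1` to the same constructor so that a DOCTYPE pointing at an http URL can never trigger an outbound fetch even if entity loading is re-enabled elsewhere later; the Description should also read "permits an administrator allowed to create notifications to access the server filesystem".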
diff --git a/debian/patches/series b/debian/patches/series
index b13b6df..eb00970 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,5 @@ avoid-modify-sources.patch
 replace-mouse-by-moose.patch
 Avoid-developer-tests.patch
 CVE-2019-12046.patch
+CDA-regression.patch
+fix-xxe-vulnerability.patch
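Review bot: ordering is correct, `CDA-regression.patch` is listed after `CVE-2019-12046.patch`, whose `updateSession`/`getApacheSession` change it amends, so quilt applies them in dependency order; nothing else to flag here.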