Re: Wheezy update of simplesamlphp?
Hi,
On Thu, 30 Nov 2017, Raphael Hertzog wrote:
> It would be nice if you (and/or other LTS users) could test the package (I
> did absolutely no tests so far, except building the package):
> $ dget https://people.debian.org/~hertzog/packages/simplesamlphp_1.9.2-1+deb7u1_amd64.changes
I installed the package and tried to access the web interface. I
discovered a few problems when logging in as admin (one missing parenthesis,
object names with underscores and not backslashes so that auto-loading
works) that I fixed.
I pushed updated packages with the same version.
Thijs, do you think you can do better tests in the next few days or shall
I release the package as is?
Details of my fixes:
> --- simplesamlphp-1.9.2/debian/patches/CVE-2017-12872.patch 1970-01-01 01:00:00.000000000 +0100
> +++ simplesamlphp-1.9.2/debian/patches/CVE-2017-12872.patch 2017-11-30 15:07:03.000000000 +0100
[...]
> +--- a/lib/SimpleSAML/Session.php
> ++++ b/lib/SimpleSAML/Session.php
> +@@ -1037,7 +1037,7 @@ class SimpleSAML_Session {
> + SimpleSAML_Logger::warning('Missing AuthToken cookie.');
> + return NULL;
> + }
> +- if ($_COOKIE[$authTokenCookieName] !== $session->authToken) {
> ++ if (!SimpleSAML\Utils\Crypto::secureCompare($session->authToken, $_COOKIE[$authTokenCookieName])) {
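Review bot: the `++` line calls `SimpleSAML\Utils\Crypto::secureCompare`, but the helper is being added to a class declared as `SimpleSAML_Utils_Crypto` (visible in the `@@` header of the Crypto.php hunk), so on 1.9.2 the backslash form will not autoload; it should read `if (!SimpleSAML_Utils_Crypto::secureCompare($session->authToken, $_COOKIE[$authTokenCookieName])) {`. Also worth a check: the guard above only handles the missing-cookie case, so confirm `$session->authToken` is always a string at this point, since a compare helper that expects two strings may not behave like the `!==` it replaces when handed NULL.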
Here I have changed "SimpleSAML\Utils\Crypto" into "SimpleSAML_Utils_Crypto".
> +--- a/lib/SimpleSAML/Utils/Crypto.php
> ++++ b/lib/SimpleSAML/Utils/Crypto.php
> +@@ -72,7 +104,7 @@ class SimpleSAML_Utils_Crypto {
> + // Salted hash
> + $hash_length = strlen(hash($php_algo, 'whatever', TRUE));
> + $salt = substr(base64_decode($cryptedpw), $hash_length);
> +- return ( $crypted == self::pwHash($clear, $algo, $salt) );
> ++ return self::secureCompare($crypted, self::pwHash($clear, $algo, $salt);
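Review bot: the `++` line is missing its closing parenthesis. `return self::secureCompare($crypted, self::pwHash($clear, $algo, $salt);` leaves the `secureCompare(` call unclosed, which is a parse error that takes the whole class (and every caller) down; it should be `return self::secureCompare($crypted, self::pwHash($clear, $algo, $salt));`. The header `@@ -72,7 +104,7 @@` also implies 32 lines inserted earlier in this file (presumably the helper itself) that are elided here, so verify the offsets still apply once the rename of the calling code is done.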
Here a parenthesis was missing at the end of the line.
> +--- a/modules/authcrypt/lib/Auth/Source/Htpasswd.php
> ++++ b/modules/authcrypt/lib/Auth/Source/Htpasswd.php
> +@@ -72,8 +72,9 @@ class sspmod_authcrypt_Auth_Source_Htpas
> + $attributes = array_merge(array('uid' => array($username)), $this->attributes);
> +
> + // Traditional crypt(3)
> +- if(crypt($password, $crypted) == $crypted) {
> ++ if (SimpleSAML\Utils\Crypto::secureCompare($crypted, crypt($password, $crypted))) {
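Review bot: same class-name problem as the Session.php hunk: `SimpleSAML\Utils\Crypto::secureCompare` should be `SimpleSAML_Utils_Crypto::secureCompare` so the underscore-based autoloader of 1.9.2 resolves it. The replacement is otherwise a good fit here: the old `crypt($password, $crypted) == $crypted` was a loose comparison, so switching to a helper that compares two strings in constant time removes both the timing side channel and PHP's `==` type juggling; `crypt()` returning a short failure string on an unsupported salt simply yields a mismatch.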
Here I have changed "SimpleSAML\Utils\Crypto" into "SimpleSAML_Utils_Crypto".
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
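The three hunks above all route comparisons of a stored secret against user-controlled input through a `secureCompare` helper, and the body of the mail explains that 1.9.2 resolves class names with underscores rather than namespaces. The following is an added example, not code from the Debian package or from simplesamlphp upstream: it sketches what such a helper needs to do, in the underscore-named class style the 1.9.2 autoloader expects. `Example_Utils_Crypto` and the sample values are hypothetical.

```php
<?php
// Added example, not the simplesamlphp or Debian code. Shows a constant-time
// string comparison of the kind the CVE-2017-12872 hunks call, in an
// underscore-named class so a PSR-0 style autoloader (as in 1.9.2) finds it.
// Class name and sample values are constructed for this illustration.
class Example_Utils_Crypto
{
    /**
     * Compare $known against $user in time that does not depend on where
     * the two strings first differ.
     *
     * hash_equals() exists from PHP 5.6 onwards; the XOR loop is the
     * fallback for older releases such as the PHP 5.4 shipped in Wheezy.
     */
    public static function secureCompare($known, $user)
    {
        // Reject non-strings outright (e.g. a NULL from a missing cookie)
        // instead of letting PHP coerce them, as a loose == would.
        if (!is_string($known) || !is_string($user)) {
            return false;
        }

        if (function_exists('hash_equals')) {
            return hash_equals($known, $user);
        }

        $knownLen = strlen($known);
        if ($knownLen !== strlen($user)) {
            return false;
        }

        // Accumulate differences bitwise and only inspect the result at the
        // end, so every byte is visited regardless of where a mismatch sits.
        $diff = 0;
        for ($i = 0; $i < $knownLen; $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

// Constructed inputs mirroring the call sites in the hunks: a stored token
// (known value first) against a cookie value (user input second).
$storedToken = 'constructed-auth-token-value';
var_dump(Example_Utils_Crypto::secureCompare($storedToken, 'constructed-auth-token-value'));
var_dump(Example_Utils_Crypto::secureCompare($storedToken, 'constructed-auth-token-valuE'));
var_dump(Example_Utils_Crypto::secureCompare($storedToken, null));
```

The early return on a length mismatch reveals only the length of the stored value, which is the same trade-off `hash_equals()` makes; what matters is that the per-byte loop never short-circuits. Passing the known value first and the user-supplied value second at every call site, as the Session.php and Htpasswd.php hunks already do, keeps that property consistent.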