
Re: Wheezy update of simplesamlphp?



Hi,

On Thu, 30 Nov 2017, Raphael Hertzog wrote:
> It would be nice if you (and/or other LTS users) could test the package (I
> did absolutely no tests so far, except building the package):
> $ dget https://people.debian.org/~hertzog/packages/simplesamlphp_1.9.2-1+deb7u1_amd64.changes

I installed the package and tried to access the web interface. I
discovered a few problems when logging in as admin (one missing parenthesis,
object names with underscores instead of backslashes so that auto-loading
works) that I fixed.

I pushed updated packages with the same version.

Thijs, do you think you can do better tests in the next few days, or shall
I release the package as is?

Details of my fixes:

> --- simplesamlphp-1.9.2/debian/patches/CVE-2017-12872.patch	1970-01-01 01:00:00.000000000 +0100
> +++ simplesamlphp-1.9.2/debian/patches/CVE-2017-12872.patch	2017-11-30 15:07:03.000000000 +0100
[...]
> +--- a/lib/SimpleSAML/Session.php
> ++++ b/lib/SimpleSAML/Session.php
> +@@ -1037,7 +1037,7 @@ class SimpleSAML_Session {
> + 				SimpleSAML_Logger::warning('Missing AuthToken cookie.');
> + 				return NULL;
> + 			}
> +-			if ($_COOKIE[$authTokenCookieName] !== $session->authToken) {
> ++			if (!SimpleSAML\Utils\Crypto::secureCompare($session->authToken, $_COOKIE[$authTokenCookieName])) {
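Review bot: `SimpleSAML\Utils\Crypto` is the namespaced class name of newer simplesamlphp releases; the 1.9.2 tree this patch targets uses the legacy underscore naming (the Crypto.php hunk below is headed `class SimpleSAML_Utils_Crypto`), so this line will not autoload on Wheezy and should read `SimpleSAML_Utils_Crypto::secureCompare($session->authToken, $_COOKIE[$authTokenCookieName])`. The line it replaces was a strict `!==`, so the backported secureCompare() must treat a non-string or unset `$session->authToken` as a mismatch rather than coercing it, otherwise the new check is looser than the one it replaces.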

Here I have changed "SimpleSAML\Utils\Crypto" into "SimpleSAML_Utils_Crypto".

> +--- a/lib/SimpleSAML/Utils/Crypto.php
> ++++ b/lib/SimpleSAML/Utils/Crypto.php
> +@@ -72,7 +104,7 @@ class SimpleSAML_Utils_Crypto {
> + 				// Salted hash
> + 				$hash_length = strlen(hash($php_algo, 'whatever', TRUE));
> + 				$salt = substr(base64_decode($cryptedpw), $hash_length);
> +-				return ( $crypted == self::pwHash($clear, $algo, $salt) );
> ++				return self::secureCompare($crypted, self::pwHash($clear, $algo, $salt);
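Review bot: the `+` line is missing its closing parenthesis: `return self::secureCompare($crypted, self::pwHash($clear, $algo, $salt);` needs one more `)` at the end, and as written it is a parse error that breaks the whole Crypto.php and every login path that loads it. The hunk header `@@ -72,7 +104,7 @@` shows that earlier hunks (elided in `[...]`) added 32 lines above this point; the secureCompare() method called through `self::` has to be among them, so the elided part should be checked for that definition before release. Replacing the loose `==` here is a fix in its own right beyond timing: PHP compares two numeric-looking strings numerically under `==`, so a strict, byte-wise comparison is the only correct way to compare hash strings.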

Here a parenthesis was missing at the end of the line.

> +--- a/modules/authcrypt/lib/Auth/Source/Htpasswd.php
> ++++ b/modules/authcrypt/lib/Auth/Source/Htpasswd.php
> +@@ -72,8 +72,9 @@ class sspmod_authcrypt_Auth_Source_Htpas
> + 				$attributes = array_merge(array('uid' => array($username)), $this->attributes);
> + 
> + 				// Traditional crypt(3)
> +-				if(crypt($password, $crypted) == $crypted) {
> ++				if (SimpleSAML\Utils\Crypto::secureCompare($crypted, crypt($password, $crypted))) {
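Review bot: same class-name problem as the Session.php hunk: `SimpleSAML\Utils\Crypto` does not exist in 1.9.2 and has to be `SimpleSAML_Utils_Crypto` for the autoloader to find it. The argument order `secureCompare($crypted, crypt($password, $crypted))` keeps the stored hash first and the user-derived value second, matching the Crypto.php hunk; any further call sites in the patch should keep that order. The header `@@ -72,8 +72,9 @@` says this hunk grows the file by one line, but the quoted portion is a one-for-one replacement, so the added line sits in the part of the hunk cut from the mail and should be reviewed there.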

Here I have changed "SimpleSAML\Utils\Crypto" into "SimpleSAML_Utils_Crypto".

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
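The fix these hunks backport replaces PHP's `==` / `!==` with a constant-time comparison. What follows is an added example, not code from simplesamlphp or from the Debian package: a secureCompare-style helper (the name `secure_compare_example` is hypothetical) that runs on Wheezy's PHP 5.4, where `hash_equals()` is not yet available, together with constructed inputs showing why the loose `==` the old lines used is unsafe for hash strings.

```php
<?php
// Added example (not simplesamlphp code): a constant-time comparison of the
// kind the CVE-2017-12872 patch introduces as
// SimpleSAML_Utils_Crypto::secureCompare(). The helper name is hypothetical.
// It runs on PHP 5.4 (Wheezy), which predates hash_equals() (PHP 5.6).

/**
 * Compare $known (the stored secret) with $user (attacker-influenced input)
 * without leaking, through timing, the position of the first mismatch.
 * Put the stored value first and the user-derived value second, as the
 * patch does; the loop length then depends only on the user-supplied value.
 */
function secure_compare_example($known, $user)
{
    // The original code used !== / ==; keep strict typing: anything that is
    // not a string is a mismatch, never coerced.
    if (!is_string($known) || !is_string($user)) {
        return false;
    }
    if (function_exists('hash_equals')) {   // PHP >= 5.6
        return hash_equals($known, $user);
    }
    $known_len = strlen($known);
    $user_len  = strlen($user);
    if ($known_len === 0) {
        return $user_len === 0;
    }
    // Record a length mismatch in the accumulator instead of returning early.
    $result = $known_len ^ $user_len;
    for ($i = 0; $i < $user_len; $i++) {
        // Index $known modulo its length so every byte of $user is visited.
        $result |= ord($user[$i]) ^ ord($known[$i % $known_len]);
    }
    return $result === 0;
}

// Constructed inputs. The first pair are distinct strings that PHP's loose ==
// treats as equal because both parse as the number 0.0 ("0e..." exponents),
// which is why hashes must never be compared with ==.
$hash_a = '0e462097431906509019562988736854';
$hash_b = '0e830400451993494058024219903391';

var_dump($hash_a == $hash_b);
var_dump(secure_compare_example($hash_a, $hash_b));
var_dump(secure_compare_example('s3cret-token', 's3cret-token'));
var_dump(secure_compare_example('s3cret-token', 's3cret-tokeN'));
var_dump(secure_compare_example('s3cret-token', 's3cret-token-longer'));
```

Run it with `php example.php`. The first `var_dump` reports the two distinct hashes as equal, because PHP compares two numeric-looking strings numerically under `==`; the constant-time helper reports them as different, and the remaining calls exercise an exact match, a one-byte mismatch and a length mismatch.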