
Bug#684045: marked as done (pre-approval simplesamlphp/1.9.1-1)



Your message dated Wed, 8 Aug 2012 12:31:35 +0200
with message-id <20120808103135.GC26019@mraw.org>
and subject line Re: Bug#684045: pre-approval simplesamlphp/1.9.1-1
has caused the Debian Bug report #684045,
regarding pre-approval simplesamlphp/1.9.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
684045: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684045
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

I would like to upload simplesamlphp/1.9.1-1: an upstream security release
that only fixes a security issue and adds some minor documentation fixes.
The debdiff is attached.

The security issue is described here:
http://www.nds.rub.de/research/publications/breaking-xml-encryption-pkcs15/

Please let me know if I can upload this to unstable so it will end up in
wheezy.


thanks,
Thijs

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (500, 'stable'), (400, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru simplesamlphp-1.9.0/debian/changelog simplesamlphp-1.9.1/debian/changelog
--- simplesamlphp-1.9.0/debian/changelog	2012-06-13 12:38:24.000000000 +0200
+++ simplesamlphp-1.9.1/debian/changelog	2012-08-06 14:58:01.000000000 +0200
@@ -1,3 +1,10 @@
+simplesamlphp (1.9.1-1) unstable; urgency=medium
+
+  * New upstream security release:
+    Fix for an attack against PKCS 1.5 in XML encryption.
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Mon, 06 Aug 2012 12:57:02 +0000
+
 simplesamlphp (1.9.0-1) unstable; urgency=low
 
   * New upstream release.
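Review bot: the new 1.9.1-1 entry describes the fix only as "an attack against PKCS 1.5 in XML encryption" and carries no pointer to the advisory. The padding scheme is normally written PKCS#1 v1.5, and adding the advisory URL given in the unblock request (or a CVE id, if one has been assigned) would let someone reading the changelog later identify which issue this upload closes.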
diff -Nru simplesamlphp-1.9.0/docs/simplesamlphp-changelog.txt simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt
--- simplesamlphp-1.9.0/docs/simplesamlphp-changelog.txt	2012-06-13 08:30:49.000000000 +0200
+++ simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt	2012-08-02 08:25:33.000000000 +0200
@@ -6,6 +6,12 @@
 This document lists the changes between versions of simpleSAMLphp.
 See the upgrade notes for specific information about upgrading.
 
+## Version 1.9.1
+
+Released 2012-08-02.
+
+  * Fix for a new attack against PKCS 1.5 in XML encryption.
+
 ## Version 1.9
 
 Released 2012-06-13.
@@ -170,6 +176,7 @@
   * Allow ISO8601 durations with subsecond precision.
   * Add support for parsing and serializing the &lt;mdrpi:PublicationInfo> metadata extension.
   * Ignore cacheDuration when validating metadata.
+  * Add support for the Holder-of-Key profile, on both the [SP](./simplesamlphp-hok-sp) and [IdP](./simplesamlphp-hok-idp).
   * Better error handling when receiving a SAML 2.0 artifact from an unknown entity.
   * Fix parsing of &lt;md:AssertionIDRequestService> metadata elements.
   * IdP: Do not always trigger reauthentication when the authentication request contains a IdPList-element.
diff -Nru simplesamlphp-1.9.0/docs/simplesamlphp-reference-idp-hosted.txt simplesamlphp-1.9.1/docs/simplesamlphp-reference-idp-hosted.txt
--- simplesamlphp-1.9.0/docs/simplesamlphp-reference-idp-hosted.txt	2012-04-12 14:40:08.000000000 +0200
+++ simplesamlphp-1.9.1/docs/simplesamlphp-reference-idp-hosted.txt	2012-06-18 14:01:46.000000000 +0200
@@ -293,6 +293,16 @@
     metadata overrides the one configured in the IdP metadata.
 
 
+Metadata extensions
+-------------------
+
+SimpleSAMLphp supports generating metadata with the MDUI and EntityAttributes metadata extensions.
+See the documentation for those extensions for more details:
+
+  * [MDUI extension](./simplesamlphp-metadata-extensions-ui)
+  * [EntityAttributes](./simplesamlphp-metadata-extensions-attributes)
+
+
 Examples
 --------
 
diff -Nru simplesamlphp-1.9.0/docs/simplesamlphp-ukaccess.txt simplesamlphp-1.9.1/docs/simplesamlphp-ukaccess.txt
--- simplesamlphp-1.9.0/docs/simplesamlphp-ukaccess.txt	2011-01-12 15:25:46.000000000 +0100
+++ simplesamlphp-1.9.1/docs/simplesamlphp-ukaccess.txt	2012-06-28 10:40:27.000000000 +0200
@@ -7,7 +7,7 @@
 	http://daringfireball.net/projects/markdown/syntax
 -->
 
-  * Version: `$Id: simplesamlphp-ukaccess.txt 2711 2011-01-12 14:25:46Z olavmrk $`
+  * Version: `$Id: simplesamlphp-ukaccess.txt 3127 2012-06-28 08:40:27Z olavmrk $`
 
 <!-- {{TOC}} -->
 
@@ -26,7 +26,7 @@
   * [Service Provider QuickStart](simplesamlphp-sp)
   * [Configuration Reference](./saml:sp)
 
-### Enablig a certificate for your Service Provider
+### Enabling a certificate for your Service Provider
 
 UK Access Federation and InCommon probably requires that you enable a certificate for your SP. Other federations do not always require that you do.
 
@@ -51,7 +51,7 @@
 Consuming Federation Metadata
 -----------------------------
 
-In order to enable the functionality to automatically download and parse metadata from a remtote URL, enable the `metarefresh` and `cron` modules:
+In order to enable the functionality to automatically download and parse metadata from a remote URL, enable the `metarefresh` and `cron` modules:
 
 	touch modules/metarefresh/enable
 	cp modules/metarefresh/config-templates/*.php config/
@@ -86,7 +86,7 @@
 		),
 	);
 
-The example above is from **UK Acces Federation**. If you instead would like to get metadata from **InCommon**, use the following URL and fingerprint:
+The example above is from **UK Access Federation**. If you instead would like to get metadata from **InCommon**, use the following URL and fingerprint:
 
 	'src' => 'http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml',
 	'validateFingerprint' => '74278f967cf1bfcaaa1b41afb6336448a2150eb4',	
@@ -110,7 +110,7 @@
 
 Then the page should load for a while and show no errors, only a white page. (These URLs are meant to run from *cron*, hence no output). If this operation seems to run fine, navigate to the **SimpleSAMLphp Front page** › **Federation**. Here you should see a list of all trusted Identity Providers. The Identity Providers that are downloaded are listed with information about the valid cache duration, such as *(expires in 96.0 hours)*.
 
-For more details on how to configure automateed metadata:
+For more details on how to configure automated metadata:
 
   * [Automated Metadata Management](simplesamlphp-automated_metadata)
 
@@ -167,7 +167,7 @@
   * SimpleSAMLphp uses the SAML 2.0 HTTP-REDIRECT binding for authentication request.
   * SimpleSAMLphp by default sends unsigned authentication request, may be enabled by configuring a certificate.
   * SimpleSAMLphp supports the SAML 2.0 HTTP-POST binding for Response.
-  * SimpleSAMLphp do not support the SAML 2.0 Artifact binding for Response. Estimated to be available in SimpleSAMLphp 1.6.
+  * SimpleSAMLphp does not support the SAML 2.0 Artifact binding for Response. Estimated to be available in SimpleSAMLphp 1.6.
   * SimpleSAMLphp supports SAML 2.0 Attribute Queries, but these are not sent automatically during SSO.
   * SimpleSAMLphp supports receiving and decrypting EncryptedAssertions.
   * SimpleSAMLphp supports receiving and decrypting NameID, as enabled by default by Shibboleth 2.0 - 2.1.
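Review bot: the corrected Artifact binding line still ends with "Estimated to be available in SimpleSAMLphp 1.6", which is stale in documentation shipped with 1.9.1. Since the line is being touched anyway, suggest updating or dropping the estimate rather than fixing only "do not" to "does not".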
@@ -191,5 +191,5 @@
 - [UK Access Federation](http://www.ukfederation.org.uk/)
 - [InCommon](http://www.incommonfederation.org/)
 
-If your questions are not related to simpleSAMLphp, but instead to procedures on how to deal with a specific federation, the support channels specific for that federation.
+If your questions are not related to simpleSAMLphp, but instead procedures on how to deal with a specific federation, visit the support channels specific for that federation.
 
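Review bot: the replacement sentence drops the preposition the old one had, "but instead to procedures" becoming "but instead procedures", so the line that adds the missing verb "visit" introduces a new grammar slip. Suggest "but instead to procedures on how to deal with a specific federation, visit the support channels specific to that federation."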
diff -Nru simplesamlphp-1.9.0/lib/SAML2/Utils.php simplesamlphp-1.9.1/lib/SAML2/Utils.php
--- simplesamlphp-1.9.0/lib/SAML2/Utils.php	2012-03-30 13:12:48.000000000 +0200
+++ simplesamlphp-1.9.1/lib/SAML2/Utils.php	2012-08-02 08:25:23.000000000 +0200
@@ -398,9 +398,13 @@
 				SimpleSAML_Logger::error('Failed to decrypt symmetric key: ' . $e->getMessage());
 				/* Create a replacement key, so that it looks like we fail in the same way as if the key was correctly padded. */
 
-				/* We base the symmetric key on the encrypted key, so that we always behave the same way for a given input key. */
+				/* We base the symmetric key on the encrypted key and private key, so that we always behave the
+				 * same way for a given input key.
+				 */
 				$encryptedKey = $encKey->getCipherValue();
-				$key = md5($encryptedKey, TRUE);
+				$pkey = openssl_pkey_get_details($symmetricKeyInfo->key);
+				$pkey = sha1(serialize($pkey), TRUE);
+				$key = sha1($encryptedKey . $pkey, TRUE);
 
 				/* Make sure that the key has the correct length. */
 				if (strlen($key) > $keySize) {
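Review bot: the result of `openssl_pkey_get_details($symmetricKeyInfo->key)` is hashed without being checked. The function returns FALSE on failure, and `serialize(FALSE)` is a constant, so in that case `$key` would again be derived solely from `$encryptedKey`, which is what the removed `md5($encryptedKey, TRUE)` line did. Suggest throwing when `$pkey === FALSE` before the `sha1()` calls. Separately, `sha1(..., TRUE)` returns 20 bytes and the visible context shows only the `strlen($key) > $keySize` branch, so it is worth confirming that the code below also handles a `$keySize` larger than 20.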
@@ -431,7 +435,7 @@
 		 */
 		$xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>'.$decrypted.'</root>';
 		$newDoc = new DOMDocument();
-		if (!$newDoc->loadXML($xml)) {
+		if (!@$newDoc->loadXML($xml)) {
 			throw new Exception('Failed to parse decrypted XML. Maybe the wrong sharedkey was used?');
 		}
 		$decryptedElement = $newDoc->firstChild->firstChild;
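Review bot: the `@` added in front of `$newDoc->loadXML($xml)` suppresses every diagnostic raised by that call and has no comment saying why. Suggest a one-line comment stating that the failure is already reported by the exception thrown on the next line, or wrapping the call with `libxml_use_internal_errors(TRUE)` so that parser errors are collected instead of emitted and the suppression stays limited to libxml.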
diff -Nru simplesamlphp-1.9.0/lib/SimpleSAML/Configuration.php simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php
--- simplesamlphp-1.9.0/lib/SimpleSAML/Configuration.php	2012-06-13 08:38:44.000000000 +0200
+++ simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php	2012-08-02 08:28:37.000000000 +0200
@@ -5,7 +5,7 @@
  *
  * @author Andreas Aakre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
  * @package simpleSAMLphp
- * @version $Id: Configuration.php 3120 2012-06-13 06:38:44Z olavmrk $
+ * @version $Id: Configuration.php 3136 2012-08-02 06:28:37Z olavmrk $
  */
 class SimpleSAML_Configuration {
 
@@ -295,7 +295,7 @@
 	 * @return string
 	 */
 	public function getVersion() {
-		return '1.9.0';
+		return '1.9.1';
 	}
 
 

--- End Message ---
--- Begin Message ---
Thijs Kinkhorst <thijs@debian.org> (08/08/2012):
> On Wed, August 8, 2012 01:15, Cyril Brulebois wrote:
> > That is totally obscure to me though:
> > -         if (!$newDoc->loadXML($xml)) {
> > +         if (!@$newDoc->loadXML($xml)) {
> >
> > What does that do? Fix a bug, silence a language warning, or anything
> > else?
> 
> It silences a language warning: if the loadXML call fails the interpreter
> would output a warning, but this is handled more gracefully already by
> throwing an exception straight below it.

Alright, thanks for the explanation.

Unblocked.

Mraw,
KiBi.

--- End Message ---
