
Bug#686344: unblock: simplesamlphp/1.9.2.-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package simplesamlphp. It's a security-update-only release
that further tightens the screws on the security issue addressed in 1.9.1,
after further discussion with the scientists who discovered the issue.

The debdiff is very simple.

Please
unblock simplesamlphp/1.9.2-1


Thanks,
Thijs
diff -Nru simplesamlphp-1.9.1/debian/changelog simplesamlphp-1.9.2/debian/changelog
--- simplesamlphp-1.9.1/debian/changelog	2012-08-06 14:58:01.000000000 +0200
+++ simplesamlphp-1.9.2/debian/changelog	2012-08-29 17:45:36.000000000 +0200
@@ -1,3 +1,11 @@
+simplesamlphp (1.9.2-1) unstable; urgency=medium
+
+  * New upstream security release:
+    Fix possible issue in PKCS 1.5 encryption when a key is
+    correctly decrypted but its length is not the one expected.
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Wed, 29 Aug 2012 15:43:31 +0000
+
 simplesamlphp (1.9.1-1) unstable; urgency=medium
 
   * New upstream security release:
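Review bot: the changelog entry describes the symptom (a key that decrypts correctly but has an unexpected length) without saying why it matters or how it relates to the previous upload; since this is a follow-up to the 1.9.1 security release, say so and state what the new behaviour is, along the lines of "Reject decrypted symmetric keys whose length does not match the encryption algorithm, so they are handled like a failed decryption (follow-up to the 1.9.1 security fix)". Minor: the padding scheme is conventionally written PKCS#1 v1.5 rather than "PKCS 1.5".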
diff -Nru simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt simplesamlphp-1.9.2/docs/simplesamlphp-changelog.txt
--- simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt	2012-08-02 08:25:33.000000000 +0200
+++ simplesamlphp-1.9.2/docs/simplesamlphp-changelog.txt	2012-08-29 10:19:20.000000000 +0200
@@ -6,6 +6,12 @@
 This document lists the changes between versions of simpleSAMLphp.
 See the upgrade notes for specific information about upgrading.
 
+## Version 1.9.2
+
+Released 2012-08-29
+
+  * Fix related to the security issue addressed in version 1.9.1.
+
 ## Version 1.9.1
 
 Released 2012-08-02.
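Review bot: "Fix related to the security issue addressed in version 1.9.1." tells an administrator deciding whether to upgrade nothing about what changed; carry over the wording from debian/changelog (a decrypted symmetric key whose length does not match the algorithm is now rejected) so this file, which the upgrade notes point at, is self-explanatory. Style: the 1.9.1 entry reads "Released 2012-08-02." with a trailing period while the new 1.9.2 entry reads "Released 2012-08-29" without one; keep the two consistent.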
diff -Nru simplesamlphp-1.9.1/lib/SAML2/Utils.php simplesamlphp-1.9.2/lib/SAML2/Utils.php
--- simplesamlphp-1.9.1/lib/SAML2/Utils.php	2012-08-02 08:25:23.000000000 +0200
+++ simplesamlphp-1.9.2/lib/SAML2/Utils.php	2012-08-29 10:19:12.000000000 +0200
@@ -393,6 +393,10 @@
 
 			try {
 				$key = $encKey->decryptKey($symmetricKeyInfo);
+				if (strlen($key) != $keySize) {
+					throw new Exception('Unexpected key size (' . strlen($key) * 8 . 'bits) for encryption algorithm: ' .
+										var_export($symmetricKey->type, TRUE));
+				}
 			} catch (Exception $e) {
 				/* We failed to decrypt this key. Log it, and substitute a "random" key. */
 				SimpleSAML_Logger::error('Failed to decrypt symmetric key: ' . $e->getMessage());
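Review bot: the length check is correctly placed inside the `try`, so a key that unpads successfully but has the wrong size takes the same path as a failed decryption (the error is logged and a substitute "random" key is used) instead of surfacing as a different failure later, but two things should be confirmed. First, `$keySize` and `$symmetricKey->type` are not defined in this hunk: if `$keySize` can be unset for some algorithm, `strlen($key) != $keySize` is true for every key and all decryptions are rejected, so check that it is always derived from the negotiated algorithm before this point. Second, for the two failure paths to stay indistinguishable, the substitute key chosen in the `catch` block should itself have length `$keySize`; that code is outside the hunk and worth a look. Cosmetic: the message concatenates to `128bits`; `' bits) for encryption algorithm: '` reads better.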
diff -Nru simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php simplesamlphp-1.9.2/lib/SimpleSAML/Configuration.php
--- simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php	2012-08-02 08:28:37.000000000 +0200
+++ simplesamlphp-1.9.2/lib/SimpleSAML/Configuration.php	2012-08-29 11:16:57.000000000 +0200
@@ -5,7 +5,7 @@
  *
  * @author Andreas Aakre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
  * @package simpleSAMLphp
- * @version $Id: Configuration.php 3136 2012-08-02 06:28:37Z olavmrk $
+ * @version $Id: Configuration.php 3152 2012-08-29 09:16:57Z jaimepc@gmail.com $
  */
 class SimpleSAML_Configuration {
 
@@ -295,7 +295,7 @@
 	 * @return string
 	 */
 	public function getVersion() {
-		return '1.9.1';
+		return '1.9.2';
 	}
 
 
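Review bot: the version string returned by `getVersion()` is hard-coded and duplicated in debian/changelog and docs/simplesamlphp-changelog.txt within this same debdiff; all three agree on 1.9.2 here, but a release checklist item (or a test comparing `getVersion()` against the top entry of the docs changelog) would keep them from drifting in future security uploads.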
