Bug#695998: unblock: php-cas/1.3.1-3
Hi.
Here's the associated debdiff that this unblock request needs.
Best regards,
--
Olivier BERGER
(OpenPGP: 4096R/7C5BB6A5)
http://www.olivierberger.com/weblog/
diff -Nru php-cas-1.3.1/debian/changelog php-cas-1.3.1/debian/changelog
--- php-cas-1.3.1/debian/changelog 2012-06-13 22:41:56.000000000 +0200
+++ php-cas-1.3.1/debian/changelog 2012-12-12 18:43:39.000000000 +0100
@@ -1,3 +1,18 @@
+php-cas (1.3.1-3) unstable; urgency=high
+
+ * The previous upload missed the CVE-2012-5583 reference. Rewriting the
+ changelog message.
+
+ -- Olivier Berger <obergix@debian.org> Wed, 12 Dec 2012 18:43:26 +0100
+
+php-cas (1.3.1-2) unstable; urgency=high
+
+ * Fix security problem on libcurl verification of SSL cert's hostname
+ (apply upstream fixes for issue #58 on github) (CVE-2012-5583 -
+ insecure usage of curl).
+
+ -- Olivier Berger <obergix@debian.org> Fri, 30 Nov 2012 09:48:50 +0100
+
php-cas (1.3.1-1) unstable; urgency=low
* Initial release. (Closes: #495542)
diff -Nru php-cas-1.3.1/debian/patches/0001-Fix-security-problem-on-libcurl-verification-of-SSL-cert-s-hostname.patch php-cas-1.3.1/debian/patches/0001-Fix-security-problem-on-libcurl-verification-of-SSL-cert-s-hostname.patch
--- php-cas-1.3.1/debian/patches/0001-Fix-security-problem-on-libcurl-verification-of-SSL-cert-s-hostname.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-cas-1.3.1/debian/patches/0001-Fix-security-problem-on-libcurl-verification-of-SSL-cert-s-hostname.patch 2012-12-12 18:00:38.000000000 +0100
@@ -0,0 +1,273 @@
+From: Olivier Berger <olivier.berger@telecom-sudparis.eu>
+Date: Fri, 30 Nov 2012 09:42:25 +0100
+Subject: Squashed commit of the following:
+
+commit bbe3d9e868d1fd0d922cd4a762949b0117bef543
+Author: jfritschi <jfritschi@freenet.de>
+Date: Thu Nov 29 00:17:57 2012 +0100
+
+ #58 make the validate CN parameter optional in the RequestInterface
+
+commit ddddf84099aa17557e1331b717c003acebdf5339
+Author: jfritschi <jfritschi@freenet.de>
+Date: Wed Nov 28 22:53:43 2012 +0100
+
+ #58 Enable full CN valdiation of SSL certifcate and create a manual user
+ override to disable it. The new default is a proper CN
+ validation.
+---
+ CAS-1.3.1/CAS.php | 17 +++---
+ CAS-1.3.1/CAS/Client.php | 15 +++++-
+ CAS-1.3.1/CAS/Request/AbstractRequest.php | 5 +-
+ CAS-1.3.1/CAS/Request/CurlRequest.php | 7 ++-
+ CAS-1.3.1/CAS/Request/RequestInterface.php | 5 +-
+ docs/examples/example_no_ssl_cn_validation.php | 66 ++++++++++++++++++++++++
+ 6 files changed, 102 insertions(+), 13 deletions(-)
+ create mode 100644 docs/examples/example_no_ssl_cn_validation.php
+
+diff --git a/CAS-1.3.1/CAS.php b/CAS-1.3.1/CAS.php
+index 32674ff..fb4f1a5 100644
+--- a/CAS-1.3.1/CAS.php
++++ b/CAS-1.3.1/CAS.php
+@@ -303,7 +303,7 @@ class phpCAS
+ * @param string $server_hostname the hostname of the CAS server
+ * @param string $server_port the port the CAS server is running on
+ * @param string $server_uri the URI the CAS server is responding on
+- * @param bool $changeSessionID Allow phpCAS to change the session_id (Single
++ * @param bool $changeSessionID Allow phpCAS to change the session_id (Single
+ * Sign Out/handleLogoutRequests is based on that change)
+ *
+ * @return a newly created CAS_Client object
+@@ -355,7 +355,7 @@ class phpCAS
+ * @param string $server_hostname the hostname of the CAS server
+ * @param string $server_port the port the CAS server is running on
+ * @param string $server_uri the URI the CAS server is responding on
+- * @param bool $changeSessionID Allow phpCAS to change the session_id (Single
++ * @param bool $changeSessionID Allow phpCAS to change the session_id (Single
+ * Sign Out/handleLogoutRequests is based on that change)
+ *
+ * @return a newly created CAS_Client object
+@@ -1630,13 +1630,15 @@ class phpCAS
+ }
+
+ /**
+- * Set the certificate of the CAS server CA.
++ * Set the certificate of the CAS server CA and if the CN should be properly
++ * verified.
+ *
+- * @param string $cert CA certificate file name
++ * @param string $cert CA certificate file name
++ * @param bool $validate_host_name Validate CN in certificate (default true)
+ *
+ * @return void
+ */
+- public static function setCasServerCACert($cert)
++ public static function setCasServerCACert($cert, $validate_cn = true)
+ {
+ phpCAS :: traceBegin();
+ if (!is_object(self::$_PHPCAS_CLIENT)) {
+@@ -1645,7 +1647,10 @@ class phpCAS
+ if (gettype($cert) != 'string') {
+ phpCAS :: error('type mismatched for parameter $cert (should be `string\')');
+ }
+- self::$_PHPCAS_CLIENT->setCasServerCACert($cert);
++ if (gettype($validate_cn) != 'boolean') {
++ phpCAS :: error('type mismatched for parameter $validate_cn (should be `boolean\')');
++ }
++ self::$_PHPCAS_CLIENT->setCasServerCACert($cert, $validate_cn);
+ phpCAS :: traceEnd();
+ }
+
+diff --git a/CAS-1.3.1/CAS/Client.php b/CAS-1.3.1/CAS/Client.php
+index abe7f21..02431ab 100644
+--- a/CAS-1.3.1/CAS/Client.php
++++ b/CAS-1.3.1/CAS/Client.php
+@@ -1620,6 +1620,14 @@ class CAS_Client
+ */
+ private $_cas_server_ca_cert = '';
+
++
++ /**
++ * validate CN of the CAS server certificate
++ *
++ * @hideinitializer
++ */
++ private $_cas_server_cn_validate = '';
++
+ /**
+ * Set to true not to validate the CAS server.
+ *
+@@ -1631,14 +1639,16 @@ class CAS_Client
+ /**
+ * Set the CA certificate of the CAS server.
+ *
+- * @param string $cert the PEM certificate file name of the CA that emited
++ * @param string $cert the PEM certificate file name of the CA that emited
+ * the cert of the server
++ * @param bool $validate_cn valiate CN of the CAS server certificate
+ *
+ * @return void
+ */
+- public function setCasServerCACert($cert)
++ public function setCasServerCACert($cert, $validate_cn)
+ {
+ $this->_cas_server_ca_cert = $cert;
++ $this->_cas_server_cn_validate = $validate_cn;
+ }
+
+ /**
+@@ -2418,6 +2428,7 @@ class CAS_Client
+ }
+ if ($this->_cas_server_ca_cert != '') {
+ $request->setSslCaCert($this->_cas_server_ca_cert);
++ $request->setSslCaCert($this->_cas_server_cn_validate);
+ }
+
+ // add extra stuff if SAML
+diff --git a/CAS-1.3.1/CAS/Request/AbstractRequest.php b/CAS-1.3.1/CAS/Request/AbstractRequest.php
+index 8109542..66ad2f2 100644
+--- a/CAS-1.3.1/CAS/Request/AbstractRequest.php
++++ b/CAS-1.3.1/CAS/Request/AbstractRequest.php
+@@ -47,6 +47,7 @@ implements CAS_Request_RequestInterface
+ protected $isPost = false;
+ protected $postBody = null;
+ protected $caCertPath = null;
++ protected $validateCN = true;
+ private $_sent = false;
+ private $_responseHeaders = array();
+ private $_responseBody = null;
+@@ -183,17 +184,19 @@ implements CAS_Request_RequestInterface
+ * Specify the path to an SSL CA certificate to validate the server with.
+ *
+ * @param string $caCertPath path to cert
++ * @param bool $validate_cn valdiate CN of certificate
+ *
+ * @return void
+ * @throws CAS_OutOfSequenceException If called after the Request has been sent.
+ */
+- public function setSslCaCert ($caCertPath)
++ public function setSslCaCert ($caCertPath,$validate_cn=true)
+ {
+ if ($this->_sent) {
+ throw new CAS_OutOfSequenceException('Request has already been sent cannot '.__METHOD__);
+ }
+
+ $this->caCertPath = $caCertPath;
++ $this->validateCN = $validate_cn;
+ }
+
+ /*********************************************************
+diff --git a/CAS-1.3.1/CAS/Request/CurlRequest.php b/CAS-1.3.1/CAS/Request/CurlRequest.php
+index ef55886..f6026ba 100644
+--- a/CAS-1.3.1/CAS/Request/CurlRequest.php
++++ b/CAS-1.3.1/CAS/Request/CurlRequest.php
+@@ -117,12 +117,15 @@ implements CAS_Request_RequestInterface
+ * Set SSL configuration
+ *********************************************************/
+ if ($this->caCertPath) {
+- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
++ if($this->validateCN){
++ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
++ }else{
++ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
++ }
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
+ curl_setopt($ch, CURLOPT_CAINFO, $this->caCertPath);
+ phpCAS::trace('CURL: Set CURLOPT_CAINFO');
+ } else {
+- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ }
+
+diff --git a/CAS-1.3.1/CAS/Request/RequestInterface.php b/CAS-1.3.1/CAS/Request/RequestInterface.php
+index d6ccdc8..c5e3bdb 100644
+--- a/CAS-1.3.1/CAS/Request/RequestInterface.php
++++ b/CAS-1.3.1/CAS/Request/RequestInterface.php
+@@ -119,12 +119,13 @@ interface CAS_Request_RequestInterface
+ /**
+ * Specify the path to an SSL CA certificate to validate the server with.
+ *
+- * @param string $caCertPath path to cert file
++ * @param string $caCertPath path to cert file
++ * @param boolean $validate_cn validate CN of SSL certificate
+ *
+ * @return void
+ * @throws CAS_OutOfSequenceException If called after the Request has been sent.
+ */
+- public function setSslCaCert ($caCertPath);
++ public function setSslCaCert ($caCertPath, $validate_cn = true);
+
+
+
+diff --git a/docs/examples/example_no_ssl_cn_validation.php b/docs/examples/example_no_ssl_cn_validation.php
+new file mode 100644
+index 0000000..b16e1e4
+--- /dev/null
++++ b/docs/examples/example_no_ssl_cn_validation.php
+@@ -0,0 +1,66 @@
++<?php
++
++/**
++ * Example for diabling SSL CN valdiation
++ *
++ * PHP Version 5
++ *
++ * @file example_simple.php
++ * @category Authentication
++ * @package PhpCAS
++ * @author Joachim Fritschi <jfritschi@freenet.de>
++ * @author Adam Franco <afranco@middlebury.edu>
++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
++ * @link https://wiki.jasig.org/display/CASC/phpCAS
++ */
++
++// Load the settings from the central config file
++require_once 'config.php';
++// Load the CAS lib
++require_once $phpcas_path . '/CAS.php';
++
++// Uncomment to enable debugging
++phpCAS::setDebug();
++
++// Initialize phpCAS
++phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
++
++// For production use set the CA certificate that is the issuer of the cert
++// on the CAS server and uncomment the line below
++// phpCAS::setCasServerCACert($cas_server_ca_cert_path);
++
++// For quick testing you can disable SSL validation of the CAS server.
++// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
++// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
++// phpCAS::setNoCasServerValidation();
++// You can also disable the validation of the certficate CN. This means the
++// certificate must be valid but the CN of the certificate must not match the
++// IP or hostname you are using to access the server
++phpCAS::setCasServerCACert($cas_server_ca_cert_path, false);
++
++
++// force CAS authentication
++phpCAS::forceAuthentication();
++
++// at this step, the user has been authenticated by the CAS server
++// and the user's login name can be read with phpCAS::getUser().
++
++// logout if desired
++if (isset($_REQUEST['logout'])) {
++ phpCAS::logout();
++}
++
++// for this test, simply print that the authentication was successfull
++?>
++<html>
++ <head>
++ <title>phpCAS simple client</title>
++ </head>
++ <body>
++ <h1>Successfull Authentication!</h1>
++ <?php require 'script_info.php' ?>
++ <p>the user's login is <b><?php echo phpCAS::getUser(); ?></b>.</p>
++ <p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
++ <p><a href="?logout=">Logout</a></p>
++ </body>
++</html>
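Review bot: In the nested CAS/Client.php hunk the added line `$request->setSslCaCert($this->_cas_server_cn_validate);` passes the boolean as the `$caCertPath` argument and overwrites the real path set on the line just above, so the CN flag never reaches the request and `caCertPath` ends up holding a bool; the enclosing method's start is not visible in that hunk. Given the `if ($this->caCertPath)` guard in CurlRequest.php, a caller who passes `false` to `setCasServerCACert()` would presumably land in the `CURLOPT_SSL_VERIFYPEER, 0` branch and lose peer verification entirely, which is worse than the pre-patch behaviour this fix is meant to correct. The two calls should collapse into one: `$request->setSslCaCert($this->_cas_server_ca_cert, $this->_cas_server_cn_validate);`. Separately, the CAS.php docblock names the parameter `$validate_host_name` while the signature uses `$validate_cn`, and `_cas_server_cn_validate` is initialised to `''` rather than `false`; a one-line comment on the `CURLOPT_SSL_VERIFYHOST, 1` branch such as `// value 1 does not check the certificate name against the host; only 2 does` would make clear that the opt-out reverts to the CVE-2012-5583 behaviour, and the new example file should carry the same "not for production" warning it already prints for `setNoCasServerValidation()`.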
diff -Nru php-cas-1.3.1/debian/patches/series php-cas-1.3.1/debian/patches/series
--- php-cas-1.3.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ php-cas-1.3.1/debian/patches/series 2012-12-12 18:00:38.000000000 +0100
@@ -0,0 +1 @@
+0001-Fix-security-problem-on-libcurl-verification-of-SSL-cert-s-hostname.patch