
Bug#781378: marked as done (unblock: src:shibboleth-sp2/2.5.3+dfsg-2)



Your message dated Sat, 28 Mar 2015 11:50:59 +0100
with message-id <55168793.1030009@thykier.net>
and subject line Re: Bug#781378: unblock: src:shibboleth-sp2/2.5.3+dfsg-2
has caused the Debian Bug report #781378,
regarding unblock: src:shibboleth-sp2/2.5.3+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
781378: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781378
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package src:shibboleth-sp2

This package (which I'm sponsoring on behalf of Ferenc Wagner),
backports the upstream fix for CVE-2015-2684 to 2.5.3. I have just
sponsored a similar upload to wheezy-security, so a DSA should be
coming out about that shortly.

The upstream fix is viewable here:
http://svn.shibboleth.net/view/cpp-sp?view=revision&revision=3894

I attach the debdiff, which you will see just incorporates that
upstream fix.

I built this in a jessie sbuild chroot.

Thanks,

Matthew

unblock src:shibboleth-sp2/2.5.3+dfsg-2

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru shibboleth-sp2-2.5.3+dfsg/debian/changelog shibboleth-sp2-2.5.3+dfsg/debian/changelog
--- shibboleth-sp2-2.5.3+dfsg/debian/changelog	2014-04-01 05:01:56.000000000 +0100
+++ shibboleth-sp2-2.5.3+dfsg/debian/changelog	2015-03-24 15:03:24.000000000 +0000
@@ -1,3 +1,11 @@
+shibboleth-sp2 (2.5.3+dfsg-2) unstable; urgency=high
+
+  * Incorporate security fix from V2.5.4 for CVE-2015-2684: authenticated
+    denial of service vulnerability that results in a crash on certain
+    kinds of malformed SAML messages.
+
+ -- Ferenc Wagner <wferi@niif.hu>  Tue, 24 Mar 2015 08:55:06 +0100
+
 shibboleth-sp2 (2.5.3+dfsg-1) unstable; urgency=medium
 
   * New upstream release.
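Review bot: The new 2.5.3+dfsg-2 changelog entry describes the CVE-2015-2684 fix but does not name the patch that carries it. Adding the file name (debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch) to the bullet would let someone reading only the changelog locate the change.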
diff -Nru shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch
--- shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch	1970-01-01 01:00:00.000000000 +0100
+++ shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch	2015-03-24 15:04:02.000000000 +0000
@@ -0,0 +1,56 @@
+From: =?utf-8?q?Ferenc_W=C3=A1gner?= <wferi@niif.hu>
+Date: Tue, 17 Mar 2015 15:09:39 +0100
+Subject: Security fix from V2.5.4 for CVE-2015-2684
+
+Shibboleth SP software crashes on malformed input messages
+===============================================================
+The SP software includes an authenticated denial of service
+vulnerability that results in a crash on certain kinds of malformed
+SAML messages. The vulnerability is only triggered when special
+conditions are met and after a message or assertion signature
+has been verified, so exploitation requires a message produced
+under a trusted key, limiting the impact.
+
+URL for the full Security Advisory:
+https://shibboleth.net/community/advisories/secadv_20150319.txt
+---
+ shibsp/handler/impl/SAML2Consumer.cpp      |    4 ++++
+ shibsp/impl/StorageServiceSessionCache.cpp |    3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/shibsp/handler/impl/SAML2Consumer.cpp b/shibsp/handler/impl/SAML2Consumer.cpp
+index ec62384..be2397c 100644
+--- a/shibsp/handler/impl/SAML2Consumer.cpp
++++ b/shibsp/handler/impl/SAML2Consumer.cpp
+@@ -44,6 +44,7 @@
+ # include <xmltooling/XMLToolingConfig.h>
+ # include <xmltooling/io/HTTPRequest.h>
+ # include <xmltooling/util/DateTime.h>
++# include <xmltooling/validation/ValidatorSuite.h>
+ using namespace opensaml::saml2;
+ using namespace opensaml::saml2p;
+ using namespace opensaml::saml2md;
+@@ -312,6 +313,9 @@ void SAML2Consumer::implementProtocol(
+             if (!decrypted->getSignature() && requireSignedAssertions.first && requireSignedAssertions.second)
+                 throw SecurityPolicyException("The incoming assertion was unsigned, violating local security policy.");
+ 
++            // Run the schema validators against the assertion, since it was hidden by encryption.
++            SchemaValidators.validate(decrypted.get());
++
+             // We clear the security flag, so we can tell whether the token was secured on its own.
+             policy.setAuthenticated(false);
+             policy.reset(true);
+diff --git a/shibsp/impl/StorageServiceSessionCache.cpp b/shibsp/impl/StorageServiceSessionCache.cpp
+index 9e5d48d..b816624 100644
+--- a/shibsp/impl/StorageServiceSessionCache.cpp
++++ b/shibsp/impl/StorageServiceSessionCache.cpp
+@@ -1233,7 +1233,8 @@ void SSCache::insert(
+         throw FatalProfileException("Attempted to create a session with a duplicate key.");
+ 
+     // Store the reverse mapping for logout.
+-    if (nameid && m_reverseIndex && (m_excludedNames.size() == 0 || m_excludedNames.count(nameid->getName()) == 0)) {
++    if (name.get() && *name.get() && m_reverseIndex
++            && (m_excludedNames.size() == 0 || m_excludedNames.count(nameid->getName()) == 0)) {
+         try {
+             insert(key.get(), expires, name.get(), index.get());
+         }
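Review bot: In the SSCache::insert hunk, the rewritten condition drops the "nameid &&" test but still calls nameid->getName() in the m_excludedNames.count(...) clause. The new guard "name.get() && *name.get()" protects that call only if name is always derived from nameid, which these lines do not show. Either keep the nameid test in the condition or add a comment stating that a non-empty name implies a non-null nameid.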
diff -Nru shibboleth-sp2-2.5.3+dfsg/debian/patches/series shibboleth-sp2-2.5.3+dfsg/debian/patches/series
--- shibboleth-sp2-2.5.3+dfsg/debian/patches/series	2014-04-01 05:01:56.000000000 +0100
+++ shibboleth-sp2-2.5.3+dfsg/debian/patches/series	2015-03-24 15:03:24.000000000 +0000
@@ -4,3 +4,4 @@
 0004-Shire-log-path-for-Debian.patch
 0005-Default-native-logger-to-syslog.patch
 0006-Remove-WSTrust-schema-references.patch
+0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch

--- End Message ---
--- Begin Message ---
On 2015-03-28 11:27, Matthew Vernon wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package src:shibboleth-sp2
> 
> This package (which I'm sponsoring on behalf of Ferenc Wagner),
> backports the upstream fix for CVE-2015-2684 to 2.5.3. I have just
> sponsored a similar upload to wheezy-security, so a DSA should be
> coming out about that shortly.
> 
> The upstream fix is viewable here:
> http://svn.shibboleth.net/view/cpp-sp?view=revision&revision=3894
> 
> I attach the debdiff, which you will see just incorporates that
> upstream fix.
> 
> I built this in a jessie sbuild chroot.
> 
> Thanks,
> 
> Matthew
> 
> unblock src:shibboleth-sp2/2.5.3+dfsg-2
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
