
Bug#929611: Update



Hi all,

I updated my debdiff due to a little security hole discovered in
lemonldap-ng 1.9.x

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index a1fe37b..e1e20aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (1.9.7-3+deb9u2) stretch; urgency=medium
+
+  * Fix CDA regression introduced in 1.9.7-3+deb9u1
+  * Fix XXE vulnerability (Closes: #931117)
+
+ -- Xavier Guimard <yadd@debian.org>  Wed, 26 Jun 2019 13:46:13 +0200
+
 lemonldap-ng (1.9.7-3+deb9u1) stretch-security; urgency=medium
 
   * Add patch to fix token security (Closes: #928944, CVE-2019-12046)
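Review bot: the XXE changelog entry says nothing about which component is affected or why this is Debian-specific (the patch header attributes the behaviour to XML::LibXML expanding entities by default, #838097); make the entry self-explanatory, e.g. `* Fix XXE vulnerability in notification XML parsing caused by XML::LibXML expanding external entities by default (see #838097) (Closes: #931117)`. Note also that this entry targets `stretch` while the previous one went to `stretch-security`; that is correct for a proposed-update via the release team, but worth confirming given that the entry carries a security fix.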
diff --git a/debian/patches/CDA-regression.patch b/debian/patches/CDA-regression.patch
new file mode 100644
index 0000000..242ce9c
--- /dev/null
+++ b/debian/patches/CDA-regression.patch
@@ -0,0 +1,62 @@
+Description: CDA regression fix
+ Fix for #928944 (CVE-2019-12046) introduced a regression in cross-domain
+ feature. This diff fix it and fix also a little issue when portal is called
+ using an Ajax request: it must not send Access-Control-Allow-Origin header.
+ (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1519)
+Author: Clément Oudot <clement@oodo.net>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1756
+Bug-Debian: https://bugs.debian.org/928944
+Forwarded: not-needed
+Reviewed-By: Guilhem Moulin <guilhem@debian.org>
+Last-Update: 2019-05-27
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
+@@ -1049,7 +1049,7 @@
+ 
+ }
+ 
+-## @method void updateSession(hashRef infos, string id)
++## @method void updateSession(hashRef infos, string id, string kind)
+ # Update session stored.
+ # If no id is given, try to get it from cookie.
+ # If the session is available, update datas with $info.
+@@ -1057,9 +1057,10 @@
+ # server local cache, if there are several LL::NG servers.
+ # @param infos hash reference of information to update
+ # @param id Session ID
++# @param kind Session kind
+ # @return nothing
+ sub updateSession {
+-    my ( $self, $infos, $id ) = @_;
++    my ( $self, $infos, $id, $kind ) = @_;
+ 
+     # Return if no infos to update
+     return () unless ( ref $infos eq 'HASH' and %$infos );
+@@ -1084,7 +1085,7 @@
+         }
+ 
+         # Update session in global storage
+-        if ( my $apacheSession = $self->getApacheSession( $id, 1 ) ) {
++        if ( my $apacheSession = $self->getApacheSession( $id, 1, undef, $kind ) ) {
+ 
+             # Store updateTime
+             $infos->{updateTime} = strftime( "%Y%m%d%H%M%S", localtime() );
+@@ -1569,7 +1570,6 @@
+             print $self->header(
+                 -status                        => '401 Unauthorizated',
+                 '-WWW-Authenticate'            => "SSO $self->{portal}",
+-                '-Access-Control-Allow-Origin' => '*',
+             );
+             $self->quit;
+         }
+@@ -2744,7 +2744,7 @@
+                     $cdaInfos->{cookie_name} = $self->{cookieName} . "http";
+                 }
+ 
+-                $self->updateSession( $cdaInfos, $cdaSession->id );
++                $self->updateSession( $cdaInfos, $cdaSession->id, 'CDA' );
+ 
+                 $self->{urldc} .=
+                     ( $self->{urldc} =~ /\?/ ? '&' : '?' )
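Review bot: the `Bug-Debian:` field points at #928944, which is the bug for the original CVE, not a report of the regression; cite the regression's own bug there if one exists, otherwise drop the field. The header also gives two upstream issue links (1519 in the description, 1756 in `Bug:`) without saying which covers the CDA regression and which the Ajax/`Access-Control-Allow-Origin` issue. The `updateSession` change passes a fourth positional argument to `getApacheSession( $id, 1, undef, $kind )`, but this diff does not show that `getApacheSession` in the 1.9.7 tree accepts a `kind` argument; confirm that signature rather than relying on the upstream commit, which was made against a newer tree. Minor wording: "This diff fix it and fix also a little issue" should read "This diff fixes it and also fixes a small issue".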
diff --git a/debian/patches/fix-xxe-vulnerability.patch b/debian/patches/fix-xxe-vulnerability.patch
new file mode 100644
index 0000000..90d8b90
--- /dev/null
+++ b/debian/patches/fix-xxe-vulnerability.patch
@@ -0,0 +1,19 @@
+Description: Fix XXE vulnerability
+ Due to #838097, XML::LibXML expands external entities by default. In
+ lemonldap-ng, this permits to an administrator allowed to create
+ notifications to access to server filesystem.
+Author: Xavier Guimard <yadd@debian.org>
+Forwarded: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/5cbdaf7a
+Last-Update: 2019-06-26
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Notification.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Notification.pm
+@@ -44,7 +44,7 @@
+     }
+ 
+     # Initiate XML parser
+-    $parser = XML::LibXML->new();
++    $parser = XML::LibXML->new( load_ext_dtd => 0, expand_entities => 0 );
+ 
+     return $self;
+ }
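Review bot: the DEP-3 header lacks a `Bug-Debian:` line for #931117, the bug the changelog closes for this fix; add it so patch and changelog cross-reference. The change disables external DTD loading and entity expansion only for the parser created in Notification.pm; if any other `XML::LibXML->new()` call site exists in the package, it needs the same options. The `Forwarded:` URL uses an abbreviated commit id (5cbdaf7a); the full hash avoids ambiguity. Wording: "this permits to an administrator allowed to create notifications to access to server filesystem" should read "this lets an administrator who is allowed to create notifications read the server filesystem".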
diff --git a/debian/patches/series b/debian/patches/series
index b13b6df..eb00970 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,5 @@ avoid-modify-sources.patch
 replace-mouse-by-moose.patch
 Avoid-developer-tests.patch
 CVE-2019-12046.patch
+CDA-regression.patch
+fix-xxe-vulnerability.patch
