Bug#950139: buster-pu: package xmltooling/3.0.4-1
On Wed, 29 Jan 2020 12:24:36 +0100 Ferenc Wágner <wferi@debian.org> wrote:
> I'm looking for guidance first: I'd like to fix #950135 (libxmltooling8:
> Race condition bug in new session cookie feature leads to SP crash) in
> buster.
> [...]
> Upstream cut a new release (3.0.5) for this fix specifically, but the
> full diff between 3.0.4 and 3.0.5 is much longer due to changes in the
> version number in several files, VC project files, generated Autotools
> files, RPM spec file and Windows resource file. Still not huge, and
> most of that is entirely irrelevant for Debian. But in the 3.0.5-1
> upload I included some packaging changes (mainly autopkgtest and Salsa
> CI, but also a no-effect upgrade to debhelper compat 12). I guess you'd
> rather not review all this in a stable update, right? Then I'll add a
> quilt patch and submit that, as you prefer.
Here's the minimal debdiff containing only a quilt patch:
$ debdiff xmltooling_3.0.4-1.dsc xmltooling_3.0.4-1+deb10u1.dsc
diff -Nru xmltooling-3.0.4/debian/changelog xmltooling-3.0.4/debian/changelog
--- xmltooling-3.0.4/debian/changelog 2019-03-14 14:58:36.000000000 +0100
+++ xmltooling-3.0.4/debian/changelog 2020-01-31 23:06:07.000000000 +0100
@@ -1,3 +1,11 @@
+xmltooling (3.0.4-1+deb10u1) buster; urgency=medium
+
+ * [7c6eb12] This branch is for buster updates
+ * [97e580e] New patch: CPPXT-145 - DataSealer is sharing non-thread safe keys.
+ Thanks to Scott Cantor (Closes: #950135)
+
+ -- Ferenc Wágner <wferi@debian.org> Fri, 31 Jan 2020 23:06:07 +0100
+
xmltooling (3.0.4-1) unstable; urgency=high
* [f185b26] New upstream security release: 3.0.4
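Review bot: the first bullet of the new entry, "[7c6eb12] This branch is for buster updates", does not say what was changed in the package. Naming the file and setting, for example "debian/gbp.conf: set debian-branch to debian/buster", would let a stable-release reviewer match the bullet to the gbp.conf change without reading the whole diff.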
diff -Nru xmltooling-3.0.4/debian/gbp.conf xmltooling-3.0.4/debian/gbp.conf
--- xmltooling-3.0.4/debian/gbp.conf 2019-03-14 14:34:19.000000000 +0100
+++ xmltooling-3.0.4/debian/gbp.conf 2020-01-31 22:59:40.000000000 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/buster
upstream-branch = upstream/latest
pristine-tar = True
diff -Nru xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch
--- xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch 1970-01-01 01:00:00.000000000 +0100
+++ xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch 2020-01-31 23:04:41.000000000 +0100
@@ -0,0 +1,42 @@
+From: Scott Cantor <cantor.2@osu.edu>
+Date: Tue, 1 Oct 2019 19:16:19 -0400
+Subject: CPPXT-145 - DataSealer is sharing non-thread safe keys
+
+Xmltooling versions 3.0.0 to 3.0.4 suffer from a race condition bug that
+leads to a crash under load.
+
+https://issues.shibboleth.net/jira/browse/CPPXT-145
+
+Closes: #950135
+---
+ xmltooling/security/impl/DataSealer.cpp | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/xmltooling/security/impl/DataSealer.cpp b/xmltooling/security/impl/DataSealer.cpp
+index c7ec7f9..aef85b7 100644
+--- a/xmltooling/security/impl/DataSealer.cpp
++++ b/xmltooling/security/impl/DataSealer.cpp
+@@ -156,8 +156,10 @@ string DataSealer::wrap(const char* s, time_t exp) const
+
+ safeBuffer ciphertext;
+ try {
++ // Keys are not threadsafe, use a clone to encrypt.
++ scoped_ptr<XSECCryptoKey> clonedKey(defaultKey.second->clone());
+ scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm));
+- if (!handler->encryptToSafeBuffer(&tx, method.get(), defaultKey.second, dummydoc, ciphertext)) {
++ if (!handler->encryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, ciphertext)) {
+ throw XMLSecurityException("Data encryption failed.");
+ }
+ }
+@@ -235,8 +237,10 @@ string DataSealer::unwrap(const char* s) const
+ unsigned int len = 0;
+ safeBuffer plaintext;
+ try {
++ // Keys are not threadsafe, use a clone to decrypt.
++ scoped_ptr<XSECCryptoKey> clonedKey(requiredKey.second->clone());
+ scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm));
+- len = handler->decryptToSafeBuffer(&tx, method.get(), requiredKey.second, dummydoc, plaintext);
++ len = handler->decryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, plaintext);
+ }
+ catch (const XSECException& ex) {
+ auto_ptr_char msg(ex.getMsg());
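Review bot: in both wrap() and unwrap() the pointer returned by clone() is passed on through clonedKey.get() without a check, so if clone() can return a null pointer the handler is called with a null key. A guard right after the scoped_ptr line that throws XMLSecurityException when clonedKey is empty would turn that case into a handled error. The clone is also made on every wrap() and unwrap() call, and the patch description says nothing about that per-call cost, which is worth one line for reviewers of a stable update. As a style point, the patch header uses "Closes: #950135", which is changelog syntax; the DEP-3 field for a patch header is "Bug-Debian:", and the upstream issue URL could go in a "Bug:" field.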
diff -Nru xmltooling-3.0.4/debian/patches/series xmltooling-3.0.4/debian/patches/series
--- xmltooling-3.0.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ xmltooling-3.0.4/debian/patches/series 2020-01-31 23:04:41.000000000 +0100
@@ -0,0 +1 @@
+CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch
I'm ready to upload this if you feel like going straight to 3.0.5-1 (in
unstable) would be too much.
--
Thanks,
Feri