Bug#950139: buster-pu: package xmltooling/3.0.4-1

To: 950139@bugs.debian.org
Subject: Bug#950139: buster-pu: package xmltooling/3.0.4-1
From: wferi@niif.hu
Date: Fri, 31 Jan 2020 23:30:40 +0100
Message-id: <[🔎] 87y2tn5kdr.fsf@lant.ki.iif.hu>
Reply-to: wferi@niif.hu, 950139@bugs.debian.org
In-reply-to: <[🔎] 158029707684.20362.1079704718904604253.reportbug@lant.ki.iif.hu>
References: <[🔎] 158029707684.20362.1079704718904604253.reportbug@lant.ki.iif.hu>

On Wed, 29 Jan 2020 12:24:36 +0100 =?utf-8?q?Ferenc_W=C3=A1gner?= <wferi@debian.org> wrote:

> I'm looking for guidance first: I'd like to fix #950135 (libxmltooling8:
> Race condition bug in new session cookie feature leads to SP crash) in
> buster.
> [...]
> Upstream cut a new release (3.0.5) for this fix specifically, but the
> full diff between 3.0.4 and 3.0.5 is much longer due to changes in the
> version number in several files, VC project files, generated Autotools
> files, RPM spec file and Windows resource file.  Still not huge, and
> most of that is entirely irrelevant for Debian.  But in the 3.0.5-1
> upload I included some packaging changes (mainly autopkgtest and Salsa
> CI, but also a no-effect upgrade to debhelper compat 12).  I guess you'd
> rather not review all this in a stable update, right?  Then I'll add a
> quilt patch and submit that, as you prefer.

Here's the minimal debdiff containing only a quilt patch:

$ debdiff xmltooling_3.0.4-1.dsc xmltooling_3.0.4-1+deb10u1.dsc 
diff -Nru xmltooling-3.0.4/debian/changelog xmltooling-3.0.4/debian/changelog
--- xmltooling-3.0.4/debian/changelog	2019-03-14 14:58:36.000000000 +0100
+++ xmltooling-3.0.4/debian/changelog	2020-01-31 23:06:07.000000000 +0100
@@ -1,3 +1,11 @@
+xmltooling (3.0.4-1+deb10u1) buster; urgency=medium
+
+  * [7c6eb12] This branch is for buster updates
+  * [97e580e] New patch: CPPXT-145 - DataSealer is sharing non-thread safe keys.
+    Thanks to Scott Cantor (Closes: #950135)
+
+ -- Ferenc Wágner <wferi@debian.org>  Fri, 31 Jan 2020 23:06:07 +0100
+
 xmltooling (3.0.4-1) unstable; urgency=high
 
   * [f185b26] New upstream security release: 3.0.4
diff -Nru xmltooling-3.0.4/debian/gbp.conf xmltooling-3.0.4/debian/gbp.conf
--- xmltooling-3.0.4/debian/gbp.conf	2019-03-14 14:34:19.000000000 +0100
+++ xmltooling-3.0.4/debian/gbp.conf	2020-01-31 22:59:40.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/buster
 upstream-branch = upstream/latest
 pristine-tar = True
 
diff -Nru xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch
--- xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch	1970-01-01 01:00:00.000000000 +0100
+++ xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch	2020-01-31 23:04:41.000000000 +0100
@@ -0,0 +1,42 @@
+From: Scott Cantor <cantor.2@osu.edu>
+Date: Tue, 1 Oct 2019 19:16:19 -0400
+Subject: CPPXT-145 - DataSealer is sharing non-thread safe keys
+
+Xmltooling versions 3.0.0 to 3.0.4 suffer from a race condition bug that
+leads to a crash under load.
+
+https://issues.shibboleth.net/jira/browse/CPPXT-145
+
+Closes: #950135
+---
+ xmltooling/security/impl/DataSealer.cpp | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/xmltooling/security/impl/DataSealer.cpp b/xmltooling/security/impl/DataSealer.cpp
+index c7ec7f9..aef85b7 100644
+--- a/xmltooling/security/impl/DataSealer.cpp
++++ b/xmltooling/security/impl/DataSealer.cpp
+@@ -156,8 +156,10 @@ string DataSealer::wrap(const char* s, time_t exp) const
+ 
+     safeBuffer ciphertext;
+     try {
++        // Keys are not threadsafe, use a clone to encrypt.
++        scoped_ptr<XSECCryptoKey> clonedKey(defaultKey.second->clone());
+         scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm));
+-        if (!handler->encryptToSafeBuffer(&tx, method.get(), defaultKey.second, dummydoc, ciphertext)) {
++        if (!handler->encryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, ciphertext)) {
+             throw XMLSecurityException("Data encryption failed.");
+         }
+     }
+@@ -235,8 +237,10 @@ string DataSealer::unwrap(const char* s) const
+     unsigned int len = 0;
+     safeBuffer plaintext;
+     try {
++        // Keys are not threadsafe, use a clone to decrypt.
++        scoped_ptr<XSECCryptoKey> clonedKey(requiredKey.second->clone());
+         scoped_ptr<XENCEncryptionMethod> method(XENCEncryptionMethod::create(env.get(), algorithm));
+-        len = handler->decryptToSafeBuffer(&tx, method.get(), requiredKey.second, dummydoc, plaintext);
++        len = handler->decryptToSafeBuffer(&tx, method.get(), clonedKey.get(), dummydoc, plaintext);
+     }
+     catch (const XSECException& ex) {
+         auto_ptr_char msg(ex.getMsg());
diff -Nru xmltooling-3.0.4/debian/patches/series xmltooling-3.0.4/debian/patches/series
--- xmltooling-3.0.4/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ xmltooling-3.0.4/debian/patches/series	2020-01-31 23:04:41.000000000 +0100
@@ -0,0 +1 @@
+CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch

I'm ready to upload this if you feel like going straight to 3.0.5-1 (in
unstable) would be too much.
-- 
Thanks,
Feri

Reply to:

Follow-Ups:
- Bug#950139: buster-pu: package xmltooling/3.0.4-1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- Bug#950139: buster-pu: package xmltooling/3.0.4-1
  - From: Ferenc Wágner <wferi@debian.org>

Prev by Date: Re: on updating debian-security-support in stable and oldstable (due to DSA-4562-1)
Next by Date: Bug#948695: buster-pu: package openssh/1:7.9p1-10+deb10u2
Previous by thread: Bug#950139: buster-pu: package xmltooling/3.0.4-1
Next by thread: Bug#950139: buster-pu: package xmltooling/3.0.4-1
Index(es):
- Date
- Thread