Control: tags -1 confirmed
On 2021-04-27 14:42:49 +0200, Ferenc Wágner wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock package shibboleth-sp
>
> Dear Release Team,
>
> The recent Shibboleth SP advisory
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987608) was fixed
> upstream by a new patch level release: 3.2.2. The release contains
> nothing but two crash fixes: one affecting test setups only and the
> remote unauthenticated DoS fix referenced by the above advisory.
> However, upstream upgraded to Autoconf 2.71 meanwhile, so the debdiff is
> too big to fit in this bug report. Here's the diffstat instead:
>
> $ debdiff shibboleth-sp_3.2.1+dfsg1-1.dsc shibboleth-sp_3.2.2+dfsg1-1.dsc | diffstat
> Makefile.in | 3
> aclocal.m4 | 4
> adfs/Makefile.in | 1
> apache/Makefile.in | 1
> build-aux/compile | 6
> build-aux/config.guess | 620
> build-aux/config.sub | 2585 +-
> build-aux/depcomp | 2
> build-aux/install-sh | 161
> build-aux/missing | 2
> config.h.in | 12
> config_win32.h | 6
> configs/Makefile.in | 1
> configure | 9133 +++++-----
> configure.ac | 2
> debian/changelog | 8
> debian/patches/Clean-up-cxxtest-configuration.patch | 2
> debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch | 2
> doc/Makefile.in | 1
> fastcgi/Makefile.in | 1
> m4/libtool.m4 | 13
> memcache-store/Makefile.in | 1
> nsapi_shib/Makefile.in | 1
> odbc-store/Makefile.in | 1
> plugins/Makefile.in | 1
> schemas/Makefile.in | 1
> selinux/Makefile.in | 1
> shibboleth.spec | 9
> shibboleth.spec.in | 7
> shibd/Makefile.in | 1
> shibsp/Makefile.am | 4
> shibsp/Makefile.in | 5
> shibsp/handler/impl/SAML2Logout.cpp | 9
> shibsp/handler/impl/SAML2NameIDMgmt.cpp | 10
> shibsp/impl/StorageServiceSessionCache.cpp | 8
> shibsp/shibsp.rc | 4
> shibsp/version.h | 2
> unittests/Makefile.in | 1
> util/Makefile.in | 1
> 39 files changed, 7044 insertions(+), 5589 deletions(-)
>
> On the other hand, the shibboleth-sp package builds with Debhelper
> compat level 12, which includes autoreconf, so the bulk of this is
> inconsequential. The actual code difference is pretty small:
>
> $ git diff --stat 3.2.1 3.2.2
> config_win32.h | 6 +++---
> configure.ac | 2 +-
> shibboleth.spec.in | 7 +++++--
> shibsp/Makefile.am | 4 ++--
> shibsp/handler/impl/SAML2Logout.cpp | 9 +++++----
> shibsp/handler/impl/SAML2NameIDMgmt.cpp | 10 ++++++----
> shibsp/impl/StorageServiceSessionCache.cpp | 8 +++++++-
> shibsp/shibsp.rc | 4 ++--
> shibsp/version.h | 2 +-
> util/resourceCommon.rci | 6 +++---
> 10 files changed, 35 insertions(+), 23 deletions(-)
>
> So here is the debdiff with the Autocruft omitted:
>
> diff -Nru shibboleth-sp-3.2.1+dfsg1/configure.ac shibboleth-sp-3.2.2+dfsg1/configure.ac
> --- shibboleth-sp-3.2.1+dfsg1/configure.ac 2021-03-16 14:33:31.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/configure.ac 2021-04-23 00:18:15.000000000 +0200
> @@ -1,5 +1,5 @@
> AC_PREREQ([2.50])
> -AC_INIT([shibboleth],[3.2.1],[https://issues.shibboleth.net/],[shibboleth-sp])
> +AC_INIT([shibboleth],[3.2.2],[https://issues.shibboleth.net/],[shibboleth-sp])
> AC_CONFIG_SRCDIR(shibsp)
> AC_CONFIG_AUX_DIR(build-aux)
> AC_CONFIG_MACRO_DIR(m4)
> diff -Nru shibboleth-sp-3.2.1+dfsg1/config_win32.h shibboleth-sp-3.2.2+dfsg1/config_win32.h
> --- shibboleth-sp-3.2.1+dfsg1/config_win32.h 2021-03-16 14:33:45.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/config_win32.h 2021-04-23 00:18:15.000000000 +0200
> @@ -121,13 +121,13 @@
> #define PACKAGE_NAME "shibboleth"
>
> /* Define to the full name and version of this package. */
> -#define PACKAGE_STRING "shibboleth 3.2.1"
> +#define PACKAGE_STRING "shibboleth 3.2.2"
>
> /* Define to the one symbol short name of this package. */
> #define PACKAGE_TARNAME "shibboleth-sp"
>
> /* Define to the version of this package. */
> -#define PACKAGE_VERSION "3.2.1"
> +#define PACKAGE_VERSION "3.2.2"
>
> /* Define to the necessary symbol if this constant uses a non-standard name on
> your system. */
> @@ -140,7 +140,7 @@
> /* #undef TM_IN_SYS_TIME */
>
> /* Version number of package */
> -#define VERSION "3.2.1"
> +#define VERSION "3.2.2"
>
> /* Define to empty if `const' does not conform to ANSI C. */
> /* #undef const */
> diff -Nru shibboleth-sp-3.2.1+dfsg1/debian/changelog shibboleth-sp-3.2.2+dfsg1/debian/changelog
> --- shibboleth-sp-3.2.1+dfsg1/debian/changelog 2021-03-17 14:29:08.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/debian/changelog 2021-04-27 12:11:06.000000000 +0200
> @@ -1,3 +1,20 @@
> +shibboleth-sp (3.2.2+dfsg1-1) unstable; urgency=high
> +
> + * [e44283d] New upstream release: 3.2.2
> + High urgency because it fixes CVE-2021-31826:
> + Session recovery feature contains a null pointer dereference
> + The cookie-based session recovery feature added in V3.0 contains a
> + flaw that is exploitable on systems *not* using the feature if a
> + specially crafted cookie is supplied.
> + This manifests as a crash in the shibd daemon.
> + Because it is very simple to trigger this condition remotely, it
> + results in a potential denial of service condition exploitable by
> + a remote, unauthenticated attacker.
> + Thanks to Scott Cantor (Closes: #987608)
> + * [3a6ac33] Refresh our patches
> +
> + -- Ferenc Wágner <wferi@debian.org> Tue, 27 Apr 2021 12:11:06 +0200
> +
> shibboleth-sp (3.2.1+dfsg1-1) unstable; urgency=high
>
> * [4ecfe4a] New upstream release: 3.2.1
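Review bot: the changelog entry documents only the CVE-2021-31826 crash, but this same upload also carries the null-`role` crash fix in shibsp/handler/impl/SAML2Logout.cpp and SAML2NameIDMgmt.cpp shown further down in the debdiff; a second line under the "New upstream release" bullet naming that fix would keep the package change record in step with what actually ships.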
> diff -Nru shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch shibboleth-sp-3.2.2+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch
> --- shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch 2021-03-17 14:26:00.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch 2021-04-27 12:06:29.000000000 +0200
> @@ -9,7 +9,7 @@
> 1 file changed, 5 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> -index ddae588..ceb34a3 100644
> +index 57dd2c0..7690d8c 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -940,15 +940,10 @@ AM_CONDITIONAL([GSSAPI_NAMINGEXTS],[test "x$ac_cv_have_decl_gss_get_name_attribu
> diff -Nru shibboleth-sp-3.2.1+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch shibboleth-sp-3.2.2+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch
> --- shibboleth-sp-3.2.1+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch 2021-03-17 14:26:00.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch 2021-04-27 12:06:29.000000000 +0200
> @@ -37,7 +37,7 @@
>
> # If $DAEMON_USER is set, try to run shibd as that user. However,
> diff --git a/shibsp/Makefile.am b/shibsp/Makefile.am
> -index 9176c17..0dd24cb 100644
> +index c3490e0..466c699 100644
> --- a/shibsp/Makefile.am
> +++ b/shibsp/Makefile.am
> @@ -282,7 +282,7 @@ libshibsp_lite_la_LIBADD = \
> diff -Nru shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in shibboleth-sp-3.2.2+dfsg1/shibboleth.spec.in
> --- shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in 2020-12-15 04:00:19.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/shibboleth.spec.in 2021-04-23 00:18:15.000000000 +0200
> @@ -93,8 +93,8 @@
> Obsoletes: shibboleth-sp-devel = 2.5.0
> Requires: libxerces-c-devel >= 3.2
> Requires: libxml-security-c-devel >= 2.0.0
> -Requires: libxmltooling-devel >= 3.1.0
> -Requires: libsaml-devel >= 3.1.0
> +Requires: libxmltooling-devel >= 3.2.0
> +Requires: libsaml-devel >= 3.2.0
> %{?_with_log4cpp:Requires: liblog4cpp-devel >= 1.0}
> %{!?_with_log4cpp:Requires: liblog4shib-devel >= 2}
>
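Review bot: the `+Requires: libxmltooling-devel >= 3.2.0` and `+Requires: libsaml-devel >= 3.2.0` lines raise the RPM devel dependency floor, yet nothing in this debdiff touches debian/control; if 3.2.x really needs xmltooling/opensaml 3.2, the Debian Build-Depends should already say so, which is worth a quick check before upload.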
> @@ -481,6 +481,9 @@
> %doc %{pkgdocdir}/api
>
> %changelog
> +* Thu Apr 22 2021 Scott Cantor <cantor.2@osu.edu> - 3.2.2-1
> +- Fix devel dependency versions
> +
> * Tue Dec 1 2020 Scott Cantor <cantor.2@osu.edu> - 3.2.0-1
> - Version and lib bump
>
> diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2Logout.cpp shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2Logout.cpp
> --- shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2Logout.cpp 2020-03-18 19:45:13.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2Logout.cpp 2021-03-31 14:50:45.000000000 +0200
> @@ -646,8 +646,8 @@
> }
> }
> if (!ep || !encoder) {
> - auto_ptr_char id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID());
> - m_log.error("unable to locate compatible SLO service for provider (%s)", id.get());
> + auto_ptr_char id(role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr);
> + m_log.error("unable to locate compatible SLO service for provider (%s)", id.get() ? id.get() : "unknown");
> MetadataException ex("Unable to locate endpoint at IdP ($entityID) to send LogoutResponse.");
> annotateException(&ex, role); // throws it
> }
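Review bot: the new guard covers `role` but not the result of `dynamic_cast<EntityDescriptor*>(role->getParent())`, which the `+` line still dereferences with `->getEntityID()`; if the parent is not an EntityDescriptor the same null dereference remains. Storing the cast in a local and writing `entity ? entity->getEntityID() : nullptr` would close that gap. Also note that `annotateException(&ex, role)` is now reachable with a null `role`, so it has to tolerate that.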
> @@ -667,7 +667,8 @@
> }
> Issuer* issuer = IssuerBuilder::buildIssuer();
> logout->setIssuer(issuer);
> - issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second);
> + issuer->setName(application.getRelyingParty(role ? dynamic_cast<EntityDescriptor*>(role->getParent()) :
> + nullptr)->getXMLString("entityID").second);
> fillStatus(*logout, code, subcode, msg);
> XMLCh* msgid = SAMLConfig::getConfig().generateIdentifier();
> logout->setID(msgid);
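Review bot: `application.getRelyingParty(nullptr)` becomes a reachable call on the `+` lines and its return value is dereferenced at once with `->getXMLString("entityID")`, so this only avoids the crash if a null entity is guaranteed to yield a non-null property set (the application defaults). Worth confirming against the declaration or guarding the return value; the `dynamic_cast` result is likewise left unchecked, as in the previous hunk.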
> @@ -675,7 +676,7 @@
> logout->setIssueInstant(time(nullptr));
>
> if (logoutEvent) {
> - logoutEvent->m_peer = dynamic_cast<EntityDescriptor*>(role->getParent());
> + logoutEvent->m_peer = role ? dynamic_cast<EntityDescriptor*>(role->getParent()) : nullptr;
> logoutEvent->m_saml2Response = logout.get();
> application.getServiceProvider().getTransactionLog()->write(*logoutEvent);
> }
> diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp
> --- shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp 2020-03-06 18:16:06.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp 2021-03-31 14:56:25.000000000 +0200
> @@ -286,7 +286,8 @@
> );
> }
>
> - EntityDescriptor* entity = policy->getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr;
> + EntityDescriptor* entity = policy->getIssuerMetadata() ?
> + dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr;
>
> scoped_ptr<XMLObject> decryptedID;
> NameID* nameid = mgmtRequest->getNameID();
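Review bot: this hunk is a line-wrap only, with no behaviour change; harmless here, but it is the kind of cosmetic churn that could be dropped if the minimal 3.2.1+dfsg1-2 cherry-pick discussed in the cover mail were chosen instead.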
> @@ -485,8 +486,8 @@
> }
> }
> if (!ep || !encoder) {
> - auto_ptr_char id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID());
> - m_log.error("unable to locate compatible NIM service for provider (%s)", id.get());
> + auto_ptr_char id(role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr);
> + m_log.error("unable to locate compatible NIM service for provider (%s)", id.get() ? id.get() : "unknown");
> MetadataException ex("Unable to locate endpoint at IdP ($entityID) to send ManageNameIDResponse.");
> annotateException(&ex, role); // throws it
> }
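Review bot: same point as the matching SAML2Logout.cpp hunk: `role` is checked, but the `dynamic_cast<EntityDescriptor*>(role->getParent())` result is dereferenced unchecked on the `+` line, and `annotateException(&ex, role)` is now reachable with a null `role`.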
> @@ -506,7 +507,8 @@
> }
> Issuer* issuer = IssuerBuilder::buildIssuer();
> nim->setIssuer(issuer);
> - issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second);
> + issuer->setName(application.getRelyingParty(role ? dynamic_cast<EntityDescriptor*>(role->getParent()) :
> + nullptr)->getXMLString("entityID").second);
> fillStatus(*nim, code, subcode, msg);
>
> auto_ptr_char dest(nim->getDestination());
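Review bot: as in SAML2Logout.cpp, the result of `application.getRelyingParty(... : nullptr)` is dereferenced without a check on the `+` lines; fine only if a null entity yields the application's default relying-party settings rather than a null pointer.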
> diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp shibboleth-sp-3.2.2+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp
> --- shibboleth-sp-3.2.1+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp 2020-12-07 21:51:12.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp 2021-04-23 00:18:15.000000000 +0200
> @@ -1148,6 +1148,12 @@
> else {
> // We're out of process, so we can recover the session.
> #ifndef SHIBSP_LITE
> + const DataSealer* sealer = XMLToolingConfig::getConfig().getDataSealer();
> + if (!sealer) {
> + m_log.warn("can't attempt recovery of session (%s), no DataSealer configured", key);
> + return false;
> + }
> +
> m_log.debug("checking for revocation of session (%s)", key);
> try {
> if (m_storage_lite->readString("Revoked", key) > 0) {
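Review bot: the null check on `sealer` is the actual CVE-2021-31826 fix, and returning `false` before the revocation lookup is the right order, since recovery cannot proceed without a sealer anyway. One thing to weigh: the new `m_log.warn(...)` fires on every request that presents a recovery cookie to a deployment with no DataSealer, and that input is remote and unauthenticated, so on a busy SP it can become log noise; logging at debug level, or once per process, would avoid that while keeping the early return.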
> @@ -1174,7 +1180,7 @@
> try {
> dup = strdup(data);
> XMLToolingConfig::getConfig().getURLEncoder()->decode(dup);
> - unwrapped = XMLToolingConfig::getConfig().getDataSealer()->unwrap(dup);
> + unwrapped = sealer->unwrap(dup);
> free(dup);
>
> stringstream str(unwrapped);
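Review bot: `sealer->unwrap(dup)` depends on the `sealer` local introduced in the earlier hunk of this file, so both must sit inside the same `#ifndef SHIBSP_LITE` region and function scope for lite and full builds to compile; the context suggests so but the diff does not show it. Separately, and pre-existing rather than introduced here, if `unwrap` throws then the `free(dup)` on the following line is skipped, so the catch block outside this hunk should be releasing `dup`.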
> diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/Makefile.am shibboleth-sp-3.2.2+dfsg1/shibsp/Makefile.am
> --- shibboleth-sp-3.2.1+dfsg1/shibsp/Makefile.am 2021-03-16 15:19:16.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/shibsp/Makefile.am 2021-04-23 01:14:32.000000000 +0200
> @@ -244,7 +244,7 @@
>
> # this is different from the project version
> # http://sources.redhat.com/autobook/autobook/autobook_91.html
> -libshibsp_la_LDFLAGS = -version-info 10:0:0
> +libshibsp_la_LDFLAGS = -version-info 10:1:0
> libshibsp_la_CXXFLAGS = \
> $(AM_CXXFLAGS) \
> $(BOOST_CPPFLAGS) \
> @@ -263,7 +263,7 @@
> $(xerces_LIBS) \
> $(xmlsec_LIBS) \
> $(xmltooling_LIBS)
> -libshibsp_lite_la_LDFLAGS = -version-info 10:0:0
> +libshibsp_lite_la_LDFLAGS = -version-info 10:1:0
> libshibsp_lite_la_CXXFLAGS = -DSHIBSP_LITE \
> $(AM_CXXFLAGS) \
> $(BOOST_CPPFLAGS) \
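Review bot: moving `-version-info` from 10:0:0 to 10:1:0 on both `libshibsp_la_LDFLAGS` and `libshibsp_lite_la_LDFLAGS` is a libtool revision-only bump, which is the correct choice for a bug-fix release with no interface change: the soname stays the same, so no library package rename or transition is needed, and the two libraries stay in step.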
> diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/shibsp.rc shibboleth-sp-3.2.2+dfsg1/shibsp/shibsp.rc
> --- shibboleth-sp-3.2.1+dfsg1/shibsp/shibsp.rc 2021-03-16 15:43:09.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/shibsp/shibsp.rc 2021-04-23 00:18:15.000000000 +0200
> @@ -80,8 +80,8 @@
> #endif
> #endif
> VALUE "PrivateBuild", "\0"
> - VALUE "ProductName", "Shibboleth 3.2.1\0"
> - VALUE "ProductVersion", "3, 2, 1, 0\0"
> + VALUE "ProductName", "Shibboleth 3.2.2\0"
> + VALUE "ProductVersion", "3, 2, 2, 0\0"
> VALUE "SpecialBuild", "\0"
> END
> END
> diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/version.h shibboleth-sp-3.2.2+dfsg1/shibsp/version.h
> --- shibboleth-sp-3.2.1+dfsg1/shibsp/version.h 2021-03-16 14:32:51.000000000 +0100
> +++ shibboleth-sp-3.2.2+dfsg1/shibsp/version.h 2021-04-23 00:18:15.000000000 +0200
> @@ -44,7 +44,7 @@
>
> #define SHIBSP_VERSION_MAJOR 3
> #define SHIBSP_VERSION_MINOR 2
> -#define SHIBSP_VERSION_REVISION 1
> +#define SHIBSP_VERSION_REVISION 2
>
> /** DO NOT MODIFY BELOW THIS LINE */
>
> So most of this is version number bump. The actual DoS fix is the two
> hunks in StorageServiceSessionCache.cpp; the SAML2Logout.cpp and
> SAML2NameIDMgmt.cpp changes are the corner case crash fix.
>
> The DoS fix alone applies fine to the current bullseye package, so
> cherry-picking the small security part into a 3.2.1+dfsg1-2 is a
> possibility. I'd like to avoid that for the sake of transparency,
> though, if possible.
>
> Since shibboleth-sp is a non-key package with successful autopkgtests,
> it doesn't strictly need an unblock at the moment, but the full freeze
> is drawing closer and the security aspect would justify faster migration
> anyway, so I ask for your advice. I'm ready to upload 3.2.2+dfsg1-1 as
> above (abridged) or prepare a 3.2.1+dfsg1-2 if needed.
Since the new upstream release only fixes the security issue, let's take
3.2.2+dfsg1-1.
Cheers
>
> unblock shibboleth-sp/3.2.2+dfsg1-1
> --
> Thanks,
> Feri.
--
Sebastian Ramacher