Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package shibboleth-sp

Dear Release Team,

The recent Shibboleth SP advisory (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987608) was fixed upstream by a new patch level release: 3.2.2. The release contains nothing but two crash fixes: one affecting test setups only and the remote unauthenticated DoS fix referenced by the above advisory. However, upstream upgraded to Autoconf 2.71 meanwhile, so the debdiff is too big to fit in this bug report. Here's the diffstat instead:

$ debdiff shibboleth-sp_3.2.1+dfsg1-1.dsc shibboleth-sp_3.2.2+dfsg1-1.dsc | diffstat
Makefile.in | 3
aclocal.m4 | 4
adfs/Makefile.in | 1
apache/Makefile.in | 1
build-aux/compile | 6
build-aux/config.guess | 620
build-aux/config.sub | 2585 +-
build-aux/depcomp | 2
build-aux/install-sh | 161
build-aux/missing | 2
config.h.in | 12
config_win32.h | 6
configs/Makefile.in | 1
configure | 9133 +++++-----
configure.ac | 2
debian/changelog | 8
debian/patches/Clean-up-cxxtest-configuration.patch | 2
debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch | 2
doc/Makefile.in | 1
fastcgi/Makefile.in | 1
m4/libtool.m4 | 13
memcache-store/Makefile.in | 1
nsapi_shib/Makefile.in | 1
odbc-store/Makefile.in | 1
plugins/Makefile.in | 1
schemas/Makefile.in | 1
selinux/Makefile.in | 1
shibboleth.spec | 9
shibboleth.spec.in | 7
shibd/Makefile.in | 1
shibsp/Makefile.am | 4
shibsp/Makefile.in | 5
shibsp/handler/impl/SAML2Logout.cpp | 9
shibsp/handler/impl/SAML2NameIDMgmt.cpp | 10
shibsp/impl/StorageServiceSessionCache.cpp | 8
shibsp/shibsp.rc | 4
shibsp/version.h | 2
unittests/Makefile.in | 1
util/Makefile.in | 1
39 files changed, 7044 insertions(+), 5589 deletions(-)

On the other hand, the shibboleth-sp package builds with Debhelper compat level 12, which includes autoreconf, so the bulk of this is inconsequential.
The actual code difference is pretty small: $ git diff --stat 3.2.1 3.2.2 config_win32.h | 6 +++--- configure.ac | 2 +- shibboleth.spec.in | 7 +++++-- shibsp/Makefile.am | 4 ++-- shibsp/handler/impl/SAML2Logout.cpp | 9 +++++---- shibsp/handler/impl/SAML2NameIDMgmt.cpp | 10 ++++++---- shibsp/impl/StorageServiceSessionCache.cpp | 8 +++++++- shibsp/shibsp.rc | 4 ++-- shibsp/version.h | 2 +- util/resourceCommon.rci | 6 +++--- 10 files changed, 35 insertions(+), 23 deletions(-) So here is the debdiff with the Autocruft omitted: diff -Nru shibboleth-sp-3.2.1+dfsg1/configure.ac shibboleth-sp-3.2.2+dfsg1/configure.ac --- shibboleth-sp-3.2.1+dfsg1/configure.ac 2021-03-16 14:33:31.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/configure.ac 2021-04-23 00:18:15.000000000 +0200 @@ -1,5 +1,5 @@ AC_PREREQ([2.50]) -AC_INIT([shibboleth],[3.2.1],[https://issues.shibboleth.net/],[shibboleth-sp]) +AC_INIT([shibboleth],[3.2.2],[https://issues.shibboleth.net/],[shibboleth-sp]) AC_CONFIG_SRCDIR(shibsp) AC_CONFIG_AUX_DIR(build-aux) AC_CONFIG_MACRO_DIR(m4) diff -Nru shibboleth-sp-3.2.1+dfsg1/config_win32.h shibboleth-sp-3.2.2+dfsg1/config_win32.h --- shibboleth-sp-3.2.1+dfsg1/config_win32.h 2021-03-16 14:33:45.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/config_win32.h 2021-04-23 00:18:15.000000000 +0200 @@ -121,13 +121,13 @@ #define PACKAGE_NAME "shibboleth" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "shibboleth 3.2.1" +#define PACKAGE_STRING "shibboleth 3.2.2" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "shibboleth-sp" /* Define to the version of this package. */ -#define PACKAGE_VERSION "3.2.1" +#define PACKAGE_VERSION "3.2.2" /* Define to the necessary symbol if this constant uses a non-standard name on your system. */ 
@@ -140,7 +140,7 @@ /* #undef TM_IN_SYS_TIME */ /* Version number of package */ -#define VERSION "3.2.1" +#define VERSION "3.2.2" /* Define to empty if `const' does not conform to ANSI C. */ /* #undef const */ diff -Nru shibboleth-sp-3.2.1+dfsg1/debian/changelog shibboleth-sp-3.2.2+dfsg1/debian/changelog --- shibboleth-sp-3.2.1+dfsg1/debian/changelog 2021-03-17 14:29:08.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/debian/changelog 2021-04-27 12:11:06.000000000 +0200 @@ -1,3 +1,20 @@ +shibboleth-sp (3.2.2+dfsg1-1) unstable; urgency=high + + * [e44283d] New upstream release: 3.2.2 + High urgency because it fixes CVE-2021-31826: + Session recovery feature contains a null pointer dereference + The cookie-based session recovery feature added in V3.0 contains a + flaw that is exploitable on systems *not* using the feature if a + specially crafted cookie is supplied. + This manifests as a crash in the shibd daemon. + Because it is very simple to trigger this condition remotely, it + results in a potential denial of service condition exploitable by + a remote, unauthenticated attacker. + Thanks to Scott Cantor (Closes: #987608) + * [3a6ac33] Refresh our patches + + -- Ferenc Wágner <wf...@debian.org> Tue, 27 Apr 2021 12:11:06 +0200 + shibboleth-sp (3.2.1+dfsg1-1) unstable; urgency=high * [4ecfe4a] New upstream release: 3.2.1 diff -Nru shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch shibboleth-sp-3.2.2+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch --- shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch 2021-03-17 14:26:00.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch 2021-04-27 12:06:29.000000000 +0200 @@ -9,7 +9,7 @@ 1 file changed, 5 deletions(-) diff --git a/configure.ac b/configure.ac -index ddae588..ceb34a3 100644 +index 57dd2c0..7690d8c 100644 --- a/configure.ac +++ b/configure.ac 
@@ -940,15 +940,10 @@ AM_CONDITIONAL([GSSAPI_NAMINGEXTS],[test "x$ac_cv_have_decl_gss_get_name_attribu diff -Nru shibboleth-sp-3.2.1+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch shibboleth-sp-3.2.2+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch --- shibboleth-sp-3.2.1+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch 2021-03-17 14:26:00.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch 2021-04-27 12:06:29.000000000 +0200 @@ -37,7 +37,7 @@ # If $DAEMON_USER is set, try to run shibd as that user. However, diff --git a/shibsp/Makefile.am b/shibsp/Makefile.am -index 9176c17..0dd24cb 100644 +index c3490e0..466c699 100644 --- a/shibsp/Makefile.am +++ b/shibsp/Makefile.am @@ -282,7 +282,7 @@ libshibsp_lite_la_LIBADD = \ diff -Nru shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in shibboleth-sp-3.2.2+dfsg1/shibboleth.spec.in --- shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in 2020-12-15 04:00:19.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/shibboleth.spec.in 2021-04-23 00:18:15.000000000 +0200 @@ -93,8 +93,8 @@ Obsoletes: shibboleth-sp-devel = 2.5.0 Requires: libxerces-c-devel >= 3.2 Requires: libxml-security-c-devel >= 2.0.0 -Requires: libxmltooling-devel >= 3.1.0 -Requires: libsaml-devel >= 3.1.0 +Requires: libxmltooling-devel >= 3.2.0 +Requires: libsaml-devel >= 3.2.0 %{?_with_log4cpp:Requires: liblog4cpp-devel >= 1.0} %{!?_with_log4cpp:Requires: liblog4shib-devel >= 2} 
@@ -481,6 +481,9 @@ %doc %{pkgdocdir}/api %changelog +* Thu Apr 22 2021 Scott Cantor <canto...@osu.edu> - 3.2.2-1 +- Fix devel dependency versions + * Tue Dec 1 2020 Scott Cantor <canto...@osu.edu> - 3.2.0-1 - Version and lib bump diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2Logout.cpp shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2Logout.cpp --- shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2Logout.cpp 2020-03-18 19:45:13.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2Logout.cpp 2021-03-31 14:50:45.000000000 +0200 @@ -646,8 +646,8 @@ } } if (!ep || !encoder) { - auto_ptr_char id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID()); - m_log.error("unable to locate compatible SLO service for provider (%s)", id.get()); + auto_ptr_char id(role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr); + m_log.error("unable to locate compatible SLO service for provider (%s)", id.get() ? id.get() : "unknown"); MetadataException ex("Unable to locate endpoint at IdP ($entityID) to send LogoutResponse."); annotateException(&ex, role); // throws it } @@ -667,7 +667,8 @@ } Issuer* issuer = IssuerBuilder::buildIssuer(); logout->setIssuer(issuer); - issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second); + issuer->setName(application.getRelyingParty(role ? dynamic_cast<EntityDescriptor*>(role->getParent()) : + nullptr)->getXMLString("entityID").second); fillStatus(*logout, code, subcode, msg); XMLCh* msgid = SAMLConfig::getConfig().generateIdentifier(); logout->setID(msgid); 
@@ -675,7 +676,7 @@ logout->setIssueInstant(time(nullptr)); if (logoutEvent) { - logoutEvent->m_peer = dynamic_cast<EntityDescriptor*>(role->getParent()); + logoutEvent->m_peer = role ? dynamic_cast<EntityDescriptor*>(role->getParent()) : nullptr; logoutEvent->m_saml2Response = logout.get(); application.getServiceProvider().getTransactionLog()->write(*logoutEvent); } diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp --- shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp 2020-03-06 18:16:06.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp 2021-03-31 14:56:25.000000000 +0200 @@ -286,7 +286,8 @@ ); } - EntityDescriptor* entity = policy->getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr; + EntityDescriptor* entity = policy->getIssuerMetadata() ? + dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr; scoped_ptr<XMLObject> decryptedID; NameID* nameid = mgmtRequest->getNameID(); @@ -485,8 +486,8 @@ } } if (!ep || !encoder) { - auto_ptr_char id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID()); - m_log.error("unable to locate compatible NIM service for provider (%s)", id.get()); + auto_ptr_char id(role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr); + m_log.error("unable to locate compatible NIM service for provider (%s)", id.get() ? id.get() : "unknown"); MetadataException ex("Unable to locate endpoint at IdP ($entityID) to send ManageNameIDResponse."); annotateException(&ex, role); // throws it } 
@@ -506,7 +507,8 @@ } Issuer* issuer = IssuerBuilder::buildIssuer(); nim->setIssuer(issuer); - issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second); + issuer->setName(application.getRelyingParty(role ? dynamic_cast<EntityDescriptor*>(role->getParent()) : + nullptr)->getXMLString("entityID").second); fillStatus(*nim, code, subcode, msg); auto_ptr_char dest(nim->getDestination()); diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp shibboleth-sp-3.2.2+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp --- shibboleth-sp-3.2.1+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp 2020-12-07 21:51:12.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp 2021-04-23 00:18:15.000000000 +0200 @@ -1148,6 +1148,12 @@ else { // We're out of process, so we can recover the session. #ifndef SHIBSP_LITE + const DataSealer* sealer = XMLToolingConfig::getConfig().getDataSealer(); + if (!sealer) { + m_log.warn("can't attempt recovery of session (%s), no DataSealer configured", key); + return false; + } + m_log.debug("checking for revocation of session (%s)", key); try { if (m_storage_lite->readString("Revoked", key) > 0) { @@ -1174,7 +1180,7 @@ try { dup = strdup(data); XMLToolingConfig::getConfig().getURLEncoder()->decode(dup); - unwrapped = XMLToolingConfig::getConfig().getDataSealer()->unwrap(dup); + unwrapped = sealer->unwrap(dup); free(dup); stringstream str(unwrapped); diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/Makefile.am shibboleth-sp-3.2.2+dfsg1/shibsp/Makefile.am --- shibboleth-sp-3.2.1+dfsg1/shibsp/Makefile.am 2021-03-16 15:19:16.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/shibsp/Makefile.am 2021-04-23 01:14:32.000000000 +0200 
@@ -244,7 +244,7 @@ # this is different from the project version # http://sources.redhat.com/autobook/autobook/autobook_91.html -libshibsp_la_LDFLAGS = -version-info 10:0:0 +libshibsp_la_LDFLAGS = -version-info 10:1:0 libshibsp_la_CXXFLAGS = \ $(AM_CXXFLAGS) \ $(BOOST_CPPFLAGS) \ @@ -263,7 +263,7 @@ $(xerces_LIBS) \ $(xmlsec_LIBS) \ $(xmltooling_LIBS) -libshibsp_lite_la_LDFLAGS = -version-info 10:0:0 +libshibsp_lite_la_LDFLAGS = -version-info 10:1:0 libshibsp_lite_la_CXXFLAGS = -DSHIBSP_LITE \ $(AM_CXXFLAGS) \ $(BOOST_CPPFLAGS) \ diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/shibsp.rc shibboleth-sp-3.2.2+dfsg1/shibsp/shibsp.rc --- shibboleth-sp-3.2.1+dfsg1/shibsp/shibsp.rc 2021-03-16 15:43:09.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/shibsp/shibsp.rc 2021-04-23 00:18:15.000000000 +0200 @@ -80,8 +80,8 @@ #endif #endif VALUE "PrivateBuild", "\0" - VALUE "ProductName", "Shibboleth 3.2.1\0" - VALUE "ProductVersion", "3, 2, 1, 0\0" + VALUE "ProductName", "Shibboleth 3.2.2\0" + VALUE "ProductVersion", "3, 2, 2, 0\0" VALUE "SpecialBuild", "\0" END END diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/version.h shibboleth-sp-3.2.2+dfsg1/shibsp/version.h --- shibboleth-sp-3.2.1+dfsg1/shibsp/version.h 2021-03-16 14:32:51.000000000 +0100 +++ shibboleth-sp-3.2.2+dfsg1/shibsp/version.h 2021-04-23 00:18:15.000000000 +0200 
@@ -44,7 +44,7 @@ #define SHIBSP_VERSION_MAJOR 3 #define SHIBSP_VERSION_MINOR 2 -#define SHIBSP_VERSION_REVISION 1 +#define SHIBSP_VERSION_REVISION 2 /** DO NOT MODIFY BELOW THIS LINE */

So most of this is a version number bump. The actual DoS fix is the two hunks in StorageServiceSessionCache.cpp; the SAML2Logout.cpp and SAML2NameIDMgmt.cpp changes are the corner-case crash fix. The DoS fix alone applies fine to the current bullseye package, so cherry-picking the small security part into a 3.2.1+dfsg1-2 is a possibility. I'd like to avoid that for the sake of transparency, though, if possible.

Since shibboleth-sp is a non-key package with successful autopkgtests, it doesn't strictly need an unblock at the moment, but the full freeze is drawing closer and the security aspect would justify faster migration anyway, so I ask for your advice. I'm ready to upload 3.2.2+dfsg1-1 as above (abridged) or prepare a 3.2.1+dfsg1-2 if needed.

unblock shibboleth-sp/3.2.2+dfsg1-1

-- 
Thanks,
Feri.
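Review bot: the spec.in hunk (@@ -93) raises the RPM-side minimums to `libxmltooling-devel >= 3.2.0` and `libsaml-devel >= 3.2.0`, but nothing in this debdiff touches debian/control (the diffstat lists only debian/changelog and the two patch refreshes under debian/); if the Debian Build-Depends express the same minimum versions, it is worth confirming they are already at 3.2.0 so the two packagings do not drift, and if they are not, the changelog should say why the Debian side differs.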
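Review bot: in the SAML2Logout.cpp @@ -646 hunk the new `auto_ptr_char id(role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr);` guards only `role`; if `role->getParent()` is null, or is not an `EntityDescriptor`, the `dynamic_cast` evaluates to nullptr and `->getEntityID()` still dereferences it. Suggest binding the cast result first and testing it, e.g. `EntityDescriptor* ed = role ? dynamic_cast<EntityDescriptor*>(role->getParent()) : nullptr;` followed by `auto_ptr_char id(ed ? ed->getEntityID() : nullptr);`, which also keeps the "unknown" fallback in the log line meaningful for that case.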
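Review bot: the SAML2Logout.cpp @@ -667 hunk now passes a possibly-null argument to `application.getRelyingParty(...)` and dereferences the result without a check; the change is only safe if `getRelyingParty` is documented to accept nullptr and to always return a non-null object. A one-line comment at the call site stating that contract would make the fix reviewable on its own, and the split of the ternary across two lines with `:` dangling at the end of the first is hard to read; keep the condition and both branches on one line or introduce a named local for the `EntityDescriptor*`.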
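Review bot: the SAML2NameIDMgmt.cpp @@ -286 hunk only re-wraps an existing line and changes no behaviour; in a security release it helps reviewers and backporters to keep whitespace-only edits out of the diff, or to flag them as cosmetic in the changelog so they can be skipped when the CVE fix alone is cherry-picked.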
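Review bot: the SAML2NameIDMgmt.cpp @@ -485 hunk has the same gap as its SAML2Logout.cpp counterpart: `role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr` does not check the result of the `dynamic_cast`, so a null or non-`EntityDescriptor` parent still dereferences nullptr before the "unknown" fallback can apply. Store the cast result in a local and test it before calling `getEntityID()`.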
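Review bot: the SAML2NameIDMgmt.cpp @@ -506 hunk dereferences `application.getRelyingParty(role ? ... : nullptr)` unchecked, so it relies on `getRelyingParty` tolerating nullptr and never returning null; a short comment stating that contract at the call site would document the assumption the fix depends on.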
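Review bot: the StorageServiceSessionCache.cpp @@ -1148 hunk is the actual CVE-2021-31826 fix, and the early `return false` when no DataSealer is configured is the right shape; two things worth stating in a comment there: first, that the `return false` deliberately skips the revocation check that follows, which is correct because nothing can be recovered without a sealer; second, that this warn-level line, which echoes the caller-supplied session key, is reachable by any unauthenticated client presenting a recovery cookie on a deployment that does not use the feature (per the changelog text), so operators should expect it to appear per request and may want it at debug level or rate-limited rather than at warn.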
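Review bot: the StorageServiceSessionCache.cpp @@ -1174 hunk correctly replaces the fresh `getDataSealer()` call with the `sealer` pointer that the earlier hunk fetched and checked, so both uses now share one null check; the only thing to confirm is that no code path between the two hunks leaves `sealer` uninitialised, which from the visible context (the guard sits at the top of the same `#ifndef SHIBSP_LITE` block) looks fine.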
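Review bot: the shibsp/Makefile.am hunks bump libtool `-version-info` from `10:0:0` to `10:1:0` for both libshibsp and libshibsp-lite, i.e. a revision-only change with `current` and `age` untouched; that is the correct signal for an ABI-compatible bug-fix release, and it is consistent with the visible code hunks, which alter only function bodies and add no public interface.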