Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package shibboleth-sp

Dear Release Team,

The recent Shibboleth SP advisory
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987608) was fixed
upstream by a new patch level release: 3.2.2.  The release contains
nothing but two crash fixes: one affecting test setups only and the
remote unauthenticated DoS fix referenced by the above advisory.
However, upstream upgraded to Autoconf 2.71 meanwhile, so the debdiff is
too big to fit in this bug report.  Here's the diffstat instead:

$ debdiff shibboleth-sp_3.2.1+dfsg1-1.dsc shibboleth-sp_3.2.2+dfsg1-1.dsc | 
diffstat 
 Makefile.in                                                    |    3 
 aclocal.m4                                                     |    4 
 adfs/Makefile.in                                               |    1 
 apache/Makefile.in                                             |    1 
 build-aux/compile                                              |    6 
 build-aux/config.guess                                         |  620 
 build-aux/config.sub                                           | 2585 +-
 build-aux/depcomp                                              |    2 
 build-aux/install-sh                                           |  161 
 build-aux/missing                                              |    2 
 config.h.in                                                    |   12 
 config_win32.h                                                 |    6 
 configs/Makefile.in                                            |    1 
 configure                                                      | 9133 
+++++-----
 configure.ac                                                   |    2 
 debian/changelog                                               |    8 
 debian/patches/Clean-up-cxxtest-configuration.patch            |    2 
 debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch |    2 
 doc/Makefile.in                                                |    1 
 fastcgi/Makefile.in                                            |    1 
 m4/libtool.m4                                                  |   13 
 memcache-store/Makefile.in                                     |    1 
 nsapi_shib/Makefile.in                                         |    1 
 odbc-store/Makefile.in                                         |    1 
 plugins/Makefile.in                                            |    1 
 schemas/Makefile.in                                            |    1 
 selinux/Makefile.in                                            |    1 
 shibboleth.spec                                                |    9 
 shibboleth.spec.in                                             |    7 
 shibd/Makefile.in                                              |    1 
 shibsp/Makefile.am                                             |    4 
 shibsp/Makefile.in                                             |    5 
 shibsp/handler/impl/SAML2Logout.cpp                            |    9 
 shibsp/handler/impl/SAML2NameIDMgmt.cpp                        |   10 
 shibsp/impl/StorageServiceSessionCache.cpp                     |    8 
 shibsp/shibsp.rc                                               |    4 
 shibsp/version.h                                               |    2 
 unittests/Makefile.in                                          |    1 
 util/Makefile.in                                               |    1 
 39 files changed, 7044 insertions(+), 5589 deletions(-)

On the other hand, the shibboleth-sp package builds with Debhelper
compat level 12, which includes autoreconf, so the bulk of this is
inconsequential.  The actual code difference is pretty small:

$ git diff --stat 3.2.1 3.2.2
 config_win32.h                             |  6 +++---
 configure.ac                               |  2 +-
 shibboleth.spec.in                         |  7 +++++--
 shibsp/Makefile.am                         |  4 ++--
 shibsp/handler/impl/SAML2Logout.cpp        |  9 +++++----
 shibsp/handler/impl/SAML2NameIDMgmt.cpp    | 10 ++++++----
 shibsp/impl/StorageServiceSessionCache.cpp |  8 +++++++-
 shibsp/shibsp.rc                           |  4 ++--
 shibsp/version.h                           |  2 +-
 util/resourceCommon.rci                    |  6 +++---
 10 files changed, 35 insertions(+), 23 deletions(-)

So here is the debdiff with the Autocruft omitted:

diff -Nru shibboleth-sp-3.2.1+dfsg1/configure.ac 
shibboleth-sp-3.2.2+dfsg1/configure.ac
--- shibboleth-sp-3.2.1+dfsg1/configure.ac      2021-03-16 14:33:31.000000000 
+0100
+++ shibboleth-sp-3.2.2+dfsg1/configure.ac      2021-04-23 00:18:15.000000000 
+0200
@@ -1,5 +1,5 @@
 AC_PREREQ([2.50])
-AC_INIT([shibboleth],[3.2.1],[https://issues.shibboleth.net/],[shibboleth-sp])
+AC_INIT([shibboleth],[3.2.2],[https://issues.shibboleth.net/],[shibboleth-sp])
 AC_CONFIG_SRCDIR(shibsp)
 AC_CONFIG_AUX_DIR(build-aux)
 AC_CONFIG_MACRO_DIR(m4)
diff -Nru shibboleth-sp-3.2.1+dfsg1/config_win32.h 
shibboleth-sp-3.2.2+dfsg1/config_win32.h
--- shibboleth-sp-3.2.1+dfsg1/config_win32.h    2021-03-16 14:33:45.000000000 
+0100
+++ shibboleth-sp-3.2.2+dfsg1/config_win32.h    2021-04-23 00:18:15.000000000 
+0200
@@ -121,13 +121,13 @@
 #define PACKAGE_NAME "shibboleth"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "shibboleth 3.2.1"
+#define PACKAGE_STRING "shibboleth 3.2.2"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "shibboleth-sp"
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "3.2.1"
+#define PACKAGE_VERSION "3.2.2"
 
 /* Define to the necessary symbol if this constant uses a non-standard name on
    your system. */
@@ -140,7 +140,7 @@
 /* #undef TM_IN_SYS_TIME */
 
 /* Version number of package */
-#define VERSION "3.2.1"
+#define VERSION "3.2.2"
 
 /* Define to empty if `const' does not conform to ANSI C. */
 /* #undef const */
diff -Nru shibboleth-sp-3.2.1+dfsg1/debian/changelog 
shibboleth-sp-3.2.2+dfsg1/debian/changelog
--- shibboleth-sp-3.2.1+dfsg1/debian/changelog  2021-03-17 14:29:08.000000000 
+0100
+++ shibboleth-sp-3.2.2+dfsg1/debian/changelog  2021-04-27 12:11:06.000000000 
+0200
@@ -1,3 +1,20 @@
+shibboleth-sp (3.2.2+dfsg1-1) unstable; urgency=high
+
+  * [e44283d] New upstream release: 3.2.2
+    High urgency because it fixes CVE-2021-31826:
+    Session recovery feature contains a null pointer dereference
+    The cookie-based session recovery feature added in V3.0 contains a
+    flaw that is exploitable on systems *not* using the feature if a
+    specially crafted cookie is supplied.
+    This manifests as a crash in the shibd daemon.
+    Because it is very simple to trigger this condition remotely, it
+    results in a potential denial of service condition exploitable by
+    a remote, unauthenticated attacker.
+    Thanks to Scott Cantor (Closes: #987608)
+  * [3a6ac33] Refresh our patches
+
+ -- Ferenc Wágner <wf...@debian.org>  Tue, 27 Apr 2021 12:11:06 +0200
+
 shibboleth-sp (3.2.1+dfsg1-1) unstable; urgency=high
 
   * [4ecfe4a] New upstream release: 3.2.1
diff -Nru 
shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch 
shibboleth-sp-3.2.2+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch
--- 
shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch   
    2021-03-17 14:26:00.000000000 +0100
+++ 
shibboleth-sp-3.2.2+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch   
    2021-04-27 12:06:29.000000000 +0200
@@ -9,7 +9,7 @@
  1 file changed, 5 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index ddae588..ceb34a3 100644
+index 57dd2c0..7690d8c 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -940,15 +940,10 @@ AM_CONDITIONAL([GSSAPI_NAMINGEXTS],[test 
"x$ac_cv_have_decl_gss_get_name_attribu
diff -Nru 
shibboleth-sp-3.2.1+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch
 
shibboleth-sp-3.2.2+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch
--- 
shibboleth-sp-3.2.1+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch
    2021-03-17 14:26:00.000000000 +0100
+++ 
shibboleth-sp-3.2.2+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch
    2021-04-27 12:06:29.000000000 +0200
@@ -37,7 +37,7 @@
  
      # If $DAEMON_USER is set, try to run shibd as that user.  However,
 diff --git a/shibsp/Makefile.am b/shibsp/Makefile.am
-index 9176c17..0dd24cb 100644
+index c3490e0..466c699 100644
 --- a/shibsp/Makefile.am
 +++ b/shibsp/Makefile.am
 @@ -282,7 +282,7 @@ libshibsp_lite_la_LIBADD = \
diff -Nru shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in 
shibboleth-sp-3.2.2+dfsg1/shibboleth.spec.in
--- shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in        2020-12-15 
04:00:19.000000000 +0100
+++ shibboleth-sp-3.2.2+dfsg1/shibboleth.spec.in        2021-04-23 
00:18:15.000000000 +0200
@@ -93,8 +93,8 @@
 Obsoletes:     shibboleth-sp-devel = 2.5.0
 Requires:      libxerces-c-devel >= 3.2
 Requires:      libxml-security-c-devel >= 2.0.0
-Requires:      libxmltooling-devel >= 3.1.0
-Requires:      libsaml-devel >= 3.1.0
+Requires:      libxmltooling-devel >= 3.2.0
+Requires:      libsaml-devel >= 3.2.0
 %{?_with_log4cpp:Requires: liblog4cpp-devel >= 1.0}
 %{!?_with_log4cpp:Requires: liblog4shib-devel >= 2}
 
@@ -481,6 +481,9 @@
 %doc %{pkgdocdir}/api
 
 %changelog
+* Thu Apr 22 2021 Scott Cantor <canto...@osu.edu> - 3.2.2-1
+- Fix devel dependency versions
+
 * Tue Dec 1 2020 Scott Cantor <canto...@osu.edu> - 3.2.0-1
 - Version and lib bump
 
diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2Logout.cpp 
shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2Logout.cpp
--- shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2Logout.cpp       
2020-03-18 19:45:13.000000000 +0100
+++ shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2Logout.cpp       
2021-03-31 14:50:45.000000000 +0200
@@ -646,8 +646,8 @@
             }
         }
         if (!ep || !encoder) {
-            auto_ptr_char 
id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID());
-            m_log.error("unable to locate compatible SLO service for provider 
(%s)", id.get());
+            auto_ptr_char id(role ? 
dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr);
+            m_log.error("unable to locate compatible SLO service for provider 
(%s)", id.get() ? id.get() : "unknown");
             MetadataException ex("Unable to locate endpoint at IdP ($entityID) 
to send LogoutResponse.");
             annotateException(&ex, role);   // throws it
         }
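Review bot: The new guard at `auto_ptr_char id(role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr);` checks `role` but still dereferences the `dynamic_cast` result unconditionally, so a non-null `role` whose parent is absent or is not an `EntityDescriptor` would crash on the very line the commit is hardening; whether that case can occur depends on metadata code outside this diff. Splitting it into `EntityDescriptor* entity = role ? dynamic_cast<EntityDescriptor*>(role->getParent()) : nullptr;` and `auto_ptr_char id(entity ? entity->getEntityID() : nullptr);` covers both and matches the `entity` local already used in the SAML2NameIDMgmt.cpp hunk at @@ -286. The same dereference-after-cast shape is in the SAML2NameIDMgmt.cpp hunk at @@ -485; the remaining `role ? dynamic_cast<...>(role->getParent()) : nullptr` hunks only pass the pointer on and are not affected. The enclosing function starts and ends outside the hunk.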
@@ -667,7 +667,8 @@
     }
     Issuer* issuer = IssuerBuilder::buildIssuer();
     logout->setIssuer(issuer);
-    
issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second);
+    issuer->setName(application.getRelyingParty(role ? 
dynamic_cast<EntityDescriptor*>(role->getParent()) :
+            nullptr)->getXMLString("entityID").second);
     fillStatus(*logout, code, subcode, msg);
     XMLCh* msgid = SAMLConfig::getConfig().generateIdentifier();
     logout->setID(msgid);
@@ -675,7 +676,7 @@
     logout->setIssueInstant(time(nullptr));
 
     if (logoutEvent) {
-        logoutEvent->m_peer = 
dynamic_cast<EntityDescriptor*>(role->getParent());
+        logoutEvent->m_peer = role ? 
dynamic_cast<EntityDescriptor*>(role->getParent()) : nullptr;
         logoutEvent->m_saml2Response = logout.get();
         
application.getServiceProvider().getTransactionLog()->write(*logoutEvent);
     }
diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp 
shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp
--- shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp   
2020-03-06 18:16:06.000000000 +0100
+++ shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp   
2021-03-31 14:56:25.000000000 +0200
@@ -286,7 +286,8 @@
                 );
         }
 
-        EntityDescriptor* entity = policy->getIssuerMetadata() ? 
dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : 
nullptr;
+        EntityDescriptor* entity = policy->getIssuerMetadata() ?
+                
dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : 
nullptr;
 
         scoped_ptr<XMLObject> decryptedID;
         NameID* nameid = mgmtRequest->getNameID();
@@ -485,8 +486,8 @@
             }
         }
         if (!ep || !encoder) {
-            auto_ptr_char 
id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID());
-            m_log.error("unable to locate compatible NIM service for provider 
(%s)", id.get());
+            auto_ptr_char id(role ? 
dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr);
+            m_log.error("unable to locate compatible NIM service for provider 
(%s)", id.get() ? id.get() : "unknown");
             MetadataException ex("Unable to locate endpoint at IdP ($entityID) 
to send ManageNameIDResponse.");
             annotateException(&ex, role);   // throws it
         }
@@ -506,7 +507,8 @@
     }
     Issuer* issuer = IssuerBuilder::buildIssuer();
     nim->setIssuer(issuer);
-    
issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second);
+    issuer->setName(application.getRelyingParty(role ? 
dynamic_cast<EntityDescriptor*>(role->getParent()) :
+            nullptr)->getXMLString("entityID").second);
     fillStatus(*nim, code, subcode, msg);
 
     auto_ptr_char dest(nim->getDestination());
diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp 
shibboleth-sp-3.2.2+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp
--- shibboleth-sp-3.2.1+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp        
2020-12-07 21:51:12.000000000 +0100
+++ shibboleth-sp-3.2.2+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp        
2021-04-23 00:18:15.000000000 +0200
@@ -1148,6 +1148,12 @@
     else {
         // We're out of process, so we can recover the session.
 #ifndef SHIBSP_LITE
+        const DataSealer* sealer = 
XMLToolingConfig::getConfig().getDataSealer();
+        if (!sealer) {
+            m_log.warn("can't attempt recovery of session (%s), no DataSealer 
configured", key);
+            return false;
+        }
+
         m_log.debug("checking for revocation of session (%s)", key);
         try {
             if (m_storage_lite->readString("Revoked", key) > 0) {
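Review bot: The `m_log.warn("can't attempt recovery of session (%s), no DataSealer configured", key);` line is reached with a caller-supplied cookie on every request, so on a deployment that has no DataSealer a remote peer can emit one warning per request into the log; since the absence of a sealer is a static configuration fact, logging it once (or at debug level here, with the configuration warning at startup) would keep the log usable under the same input that previously crashed shibd. A short why-comment above the check, e.g. `// No sealer means recovery is impossible; never dereference it (CVE-2021-31826).`, would preserve the reason for future readers. The enclosing function starts and ends outside the hunk, so whether `return false` is the failure value its callers expect cannot be confirmed here.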
@@ -1174,7 +1180,7 @@
         try {
             dup = strdup(data);
             XMLToolingConfig::getConfig().getURLEncoder()->decode(dup);
-            unwrapped = 
XMLToolingConfig::getConfig().getDataSealer()->unwrap(dup);
+            unwrapped = sealer->unwrap(dup);
             free(dup);
 
             stringstream str(unwrapped);
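Review bot: `sealer->unwrap(dup)` is called while `dup` (from the `strdup(data)` two lines above) is still owned by this frame, and the only `free(dup)` visible is on the non-throwing path; if `unwrap` or `decode` can throw, `dup` leaks unless the `catch` block outside this hunk releases it, which cannot be seen from here. If it does not, holding the copy in a scope-bound owner instead of a raw pointer, e.g. `unique_ptr<char, decltype(&free)> dup(strdup(data), &free);`, would make the cleanup independent of the exception path. The enclosing `try` opens inside the hunk but its handler lies outside it.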
diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/Makefile.am 
shibboleth-sp-3.2.2+dfsg1/shibsp/Makefile.am
--- shibboleth-sp-3.2.1+dfsg1/shibsp/Makefile.am        2021-03-16 
15:19:16.000000000 +0100
+++ shibboleth-sp-3.2.2+dfsg1/shibsp/Makefile.am        2021-04-23 
01:14:32.000000000 +0200
@@ -244,7 +244,7 @@
 
 # this is different from the project version
 # http://sources.redhat.com/autobook/autobook/autobook_91.html
-libshibsp_la_LDFLAGS = -version-info 10:0:0
+libshibsp_la_LDFLAGS = -version-info 10:1:0
 libshibsp_la_CXXFLAGS = \
     $(AM_CXXFLAGS) \
     $(BOOST_CPPFLAGS) \
@@ -263,7 +263,7 @@
     $(xerces_LIBS) \
     $(xmlsec_LIBS) \
     $(xmltooling_LIBS)
-libshibsp_lite_la_LDFLAGS = -version-info 10:0:0
+libshibsp_lite_la_LDFLAGS = -version-info 10:1:0
 libshibsp_lite_la_CXXFLAGS = -DSHIBSP_LITE \
     $(AM_CXXFLAGS) \
     $(BOOST_CPPFLAGS) \
diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/shibsp.rc 
shibboleth-sp-3.2.2+dfsg1/shibsp/shibsp.rc
--- shibboleth-sp-3.2.1+dfsg1/shibsp/shibsp.rc  2021-03-16 15:43:09.000000000 
+0100
+++ shibboleth-sp-3.2.2+dfsg1/shibsp/shibsp.rc  2021-04-23 00:18:15.000000000 
+0200
@@ -80,8 +80,8 @@
 #endif
 #endif
             VALUE "PrivateBuild", "\0"
-            VALUE "ProductName", "Shibboleth 3.2.1\0"
-            VALUE "ProductVersion", "3, 2, 1, 0\0"
+            VALUE "ProductName", "Shibboleth 3.2.2\0"
+            VALUE "ProductVersion", "3, 2, 2, 0\0"
             VALUE "SpecialBuild", "\0"
         END
     END
diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/version.h 
shibboleth-sp-3.2.2+dfsg1/shibsp/version.h
--- shibboleth-sp-3.2.1+dfsg1/shibsp/version.h  2021-03-16 14:32:51.000000000 
+0100
+++ shibboleth-sp-3.2.2+dfsg1/shibsp/version.h  2021-04-23 00:18:15.000000000 
+0200
@@ -44,7 +44,7 @@
 
 #define SHIBSP_VERSION_MAJOR 3
 #define SHIBSP_VERSION_MINOR 2
-#define SHIBSP_VERSION_REVISION 1
+#define SHIBSP_VERSION_REVISION 2
 
 /** DO NOT MODIFY BELOW THIS LINE */
 
So most of this is a version number bump.  The actual DoS fix is the two
hunks in StorageServiceSessionCache.cpp; the SAML2Logout.cpp and
SAML2NameIDMgmt.cpp changes are the corner case crash fix.

The DoS fix alone applies fine to the current bullseye package, so
cherry-picking the small security part into a 3.2.1+dfsg1-2 is a
possibility.  I'd like to avoid that for the sake of transparency,
though, if possible.

Since shibboleth-sp is a non-key package with successful autopkgtests,
it doesn't strictly need an unblock at the moment, but the full freeze
is drawing closer and the security aspect would justify faster migration
anyway, so I ask for your advice.  I'm ready to upload 3.2.2+dfsg1-1 as
above (abridged) or prepare a 3.2.1+dfsg1-2 if needed.

unblock shibboleth-sp/3.2.2+dfsg1-1
-- 
Thanks,
Feri.
