Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package src:shibboleth-sp2

This package (which I'm sponsoring on behalf of Ferenc Wagner) backports the upstream fix for CVE-2015-2684 to 2.5.3. I have just sponsored a similar upload to wheezy-security, so a DSA should be coming out about that shortly.

The upstream fix is viewable here:
http://svn.shibboleth.net/view/cpp-sp?view=revision&revision=3894

I attach the debdiff, which you will see just incorporates that upstream fix.

I built this in a jessie sbuild chroot.

Thanks,
Matthew

unblock src:shibboleth-sp2/2.5.3+dfsg-2

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru shibboleth-sp2-2.5.3+dfsg/debian/changelog shibboleth-sp2-2.5.3+dfsg/debian/changelog --- shibboleth-sp2-2.5.3+dfsg/debian/changelog 2014-04-01 05:01:56.000000000 +0100 +++ shibboleth-sp2-2.5.3+dfsg/debian/changelog 2015-03-24 15:03:24.000000000 +0000 @@ -1,3 +1,11 @@ +shibboleth-sp2 (2.5.3+dfsg-2) unstable; urgency=high + + * Incorporate security fix from V2.5.4 for CVE-2015-2684: authenticated + denial of service vulnerability that results in a crash on certain + kinds of malformed SAML messages. + + -- Ferenc Wagner <wf...@niif.hu> Tue, 24 Mar 2015 08:55:06 +0100 + shibboleth-sp2 (2.5.3+dfsg-1) unstable; urgency=medium * New upstream release. diff -Nru shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch --- shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch 1970-01-01 01:00:00.000000000 +0100 +++ shibboleth-sp2-2.5.3+dfsg/debian/patches/0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch 2015-03-24 15:04:02.000000000 +0000 
@@ -0,0 +1,56 @@ +From: =?utf-8?q?Ferenc_W=C3=A1gner?= <wf...@niif.hu> +Date: Tue, 17 Mar 2015 15:09:39 +0100 +Subject: Security fix from V2.5.4 for CVE-2015-2684 + +Shibboleth SP software crashes on malformed input messages +=============================================================== +The SP software includes an authenticated denial of service +vulnerability that results in a crash on certain kinds of malformed +SAML messages. The vulnerability is only triggered when special +conditions are met and after a message or assertion signature +has been verified, so exploitation requires a message produced +under a trusted key, limiting the impact. + +URL for the full Security Advisory: +https://shibboleth.net/community/advisories/secadv_20150319.txt +--- + shibsp/handler/impl/SAML2Consumer.cpp | 4 ++++ + shibsp/impl/StorageServiceSessionCache.cpp | 3 ++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/shibsp/handler/impl/SAML2Consumer.cpp b/shibsp/handler/impl/SAML2Consumer.cpp +index ec62384..be2397c 100644 +--- a/shibsp/handler/impl/SAML2Consumer.cpp ++++ b/shibsp/handler/impl/SAML2Consumer.cpp +@@ -44,6 +44,7 @@ + # include <xmltooling/XMLToolingConfig.h> + # include <xmltooling/io/HTTPRequest.h> + # include <xmltooling/util/DateTime.h> ++# include <xmltooling/validation/ValidatorSuite.h> + using namespace opensaml::saml2; + using namespace opensaml::saml2p; + using namespace opensaml::saml2md; +@@ -312,6 +313,9 @@ void SAML2Consumer::implementProtocol( + if (!decrypted->getSignature() && requireSignedAssertions.first && requireSignedAssertions.second) + throw SecurityPolicyException("The incoming assertion was unsigned, violating local security policy."); + ++ // Run the schema validators against the assertion, since it was hidden by encryption. ++ SchemaValidators.validate(decrypted.get()); ++ + // We clear the security flag, so we can tell whether the token was secured on its own. 
+ policy.setAuthenticated(false); + policy.reset(true); +diff --git a/shibsp/impl/StorageServiceSessionCache.cpp b/shibsp/impl/StorageServiceSessionCache.cpp +index 9e5d48d..b816624 100644 +--- a/shibsp/impl/StorageServiceSessionCache.cpp ++++ b/shibsp/impl/StorageServiceSessionCache.cpp +@@ -1233,7 +1233,8 @@ void SSCache::insert( + throw FatalProfileException("Attempted to create a session with a duplicate key."); + + // Store the reverse mapping for logout. +- if (nameid && m_reverseIndex && (m_excludedNames.size() == 0 || m_excludedNames.count(nameid->getName()) == 0)) { ++ if (name.get() && *name.get() && m_reverseIndex ++ && (m_excludedNames.size() == 0 || m_excludedNames.count(nameid->getName()) == 0)) { + try { + insert(key.get(), expires, name.get(), index.get()); + } diff -Nru shibboleth-sp2-2.5.3+dfsg/debian/patches/series shibboleth-sp2-2.5.3+dfsg/debian/patches/series --- shibboleth-sp2-2.5.3+dfsg/debian/patches/series 2014-04-01 05:01:56.000000000 +0100 +++ shibboleth-sp2-2.5.3+dfsg/debian/patches/series 2015-03-24 15:03:24.000000000 +0000 @@ -4,3 +4,4 @@ 0004-Shire-log-path-for-Debian.patch 0005-Default-native-logger-to-syslog.patch 0006-Remove-WSTrust-schema-references.patch +0007-Security-fix-from-V2.5.4-for-CVE-2015-2684.patch
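Review bot: the debian/changelog entry names the CVE but records neither the upstream advisory (secadv_20150319) nor the SVN revision the patch was taken from, although both appear in the quilt patch header and the unblock mail; adding at least the advisory URL to the changelog line would let someone auditing jessie later trace the backport without this bug report.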
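Review bot: in the SAML2Consumer.cpp hunk the new `SchemaValidators.validate(decrypted.get());` line sits after the `requireSignedAssertions` check and before `policy.setAuthenticated(false);`, which is the right place, but the comment only says why validation is needed and not that a failure surfaces as an exception thrown out of implementProtocol, just like the SecurityPolicyException two lines above. Extending the comment to "throws on failure, rejecting the assertion before anything in it is consulted" would stop a later reader from wrapping the call or moving it below the policy reset.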
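Review bot: the rewritten condition in SSCache::insert drops the explicit `nameid &&` test, yet the same expression still dereferences `nameid->getName()` inside `m_excludedNames.count(...)`, so the guard is only safe if `name` is non-null exactly when `nameid` is non-null, and that relationship is not visible in this hunk. Either keep `nameid &&` alongside `name.get() && *name.get()` or add a one-line comment stating that `name` is derived from `nameid`; it would also help to say in the "Store the reverse mapping for logout" comment that `*name.get()` skips an empty name, since an assertion carrying an empty NameID is the malformed input the changelog describes and the reason the reverse mapping is now omitted.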
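The two checks the patch backports, re-validating an assertion once it has been decrypted and refusing to build a logout reverse index on an empty NameID, are shown below as an added, self-contained C++ illustration. It is not Shibboleth SP code: `Assertion`, `SessionCache`, the byte-reversal "cipher" and the one-rule "schema" are constructed stand-ins, and `consume()` only mirrors the ordering of the real implementProtocol (signature policy first, then schema validation, then cache insert).

```cpp
// Added example, not Shibboleth SP code. A toy consumer pipeline that mirrors
// the two checks in the patch: schema-validate an assertion *after* it has
// been decrypted (the decoder only ever saw opaque ciphertext), and build the
// logout reverse index only when the NameID is non-empty. Assertion, the
// "cipher", the "schema" and SessionCache are all constructed stand-ins.
#include <algorithm>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

struct Assertion {
    std::string nameId;     // empty in the malformed case
    bool hasSignature;
};

// Constructed "encryption": the plaintext "<nameId>;<s|u>" reversed. A decoder
// that schema-checks the outer message cannot see anything inside this.
std::string toyEncrypt(const Assertion& a) {
    std::string plain = a.nameId + ";" + (a.hasSignature ? "s" : "u");
    std::reverse(plain.begin(), plain.end());
    return plain;
}

Assertion toyDecrypt(std::string blob) {
    std::reverse(blob.begin(), blob.end());
    std::size_t sep = blob.rfind(';');
    if (sep == std::string::npos) throw std::runtime_error("undecryptable blob");
    return Assertion{blob.substr(0, sep), blob.substr(sep + 1) == "s"};
}

// Stand-in for SchemaValidators.validate(): here the only schema rule is a
// non-empty NameID. Like the real validator suite it throws on failure.
void schemaValidate(const Assertion& a) {
    if (a.nameId.empty()) throw std::runtime_error("assertion fails schema validation");
}

enum class Outcome { Accepted, RejectedUnsigned, RejectedSchema };

struct SessionCache {
    std::map<std::string, Assertion> sessions;                    // key -> assertion
    std::map<std::string, std::vector<std::string>> reverseIndex; // NameID -> keys, for logout
    int counter = 0;

    std::string insert(const Assertion& a) {
        std::string key = "sess" + std::to_string(++counter);
        sessions[key] = a;
        // Patched guard: only a non-empty name gets a reverse mapping.
        if (!a.nameId.empty()) reverseIndex[a.nameId].push_back(key);
        return key;
    }
};

// requireSigned plays the role of requireSignedAssertions; validateDecrypted
// toggles the post-decryption schema check the patch adds, so the effect of
// leaving it out can be observed.
Outcome consume(const std::string& encrypted, bool requireSigned,
                bool validateDecrypted, SessionCache& cache) {
    Assertion decrypted = toyDecrypt(encrypted);
    if (!decrypted.hasSignature && requireSigned) return Outcome::RejectedUnsigned;
    if (validateDecrypted) {
        try { schemaValidate(decrypted); }
        catch (const std::runtime_error&) { return Outcome::RejectedSchema; }
    }
    cache.insert(decrypted);
    return Outcome::Accepted;
}

int main() {
    SessionCache cache;
    consume(toyEncrypt(Assertion{"alice@example.org", true}), true, true, cache);
    Outcome r = consume(toyEncrypt(Assertion{"", true}), true, true, cache);
    return r == Outcome::RejectedSchema ? 0 : 1;
}
```

Running `consume()` with `validateDecrypted` set to false shows why the second hunk matters on its own: the malformed assertion then reaches the cache, and it is only the `!a.nameId.empty()` guard that keeps the reverse index from being keyed on an empty string.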