I reviewed python-pysaml2 version 2.2.0-0ubuntu2 as found in Ubuntu vivid. This should not be considered a full security audit, but rather a quick gauge of maintainability.
- python-pysaml2 is a middleware designed to handle SAML2 authentication, a competitor to OAuth and FIDO. SAML2 is popular in enterprise environments.
- Build-Depends: debhelper, python-all, python-setuptools, python-sphinx, python-crypto, python-dateutil, python-decorator, python-mako, python-memcache, python-openssl, python-paste, python-pyasn1, python-pytest, python-pymongo, python-repoze.who, python-requests, python-tz, python-zope.interface, xmlsec1
- Does not itself daemonize
- Does not itself listen on external interfaces
- pre/post inst/rm are automatically added
- No initscripts
- No dbus services
- No setuid executables
- No sudo fragments
- No udev rules
- No cron entries
- Spawns subprocesses, looks careful
- Files opened under direction of controlling programs
- Logging looked careful, except for logged passwords
- No environment variables
- No privileged operations
- Extensive cryptography
- No privileged portions of the program
- No temporary files
- No webkit
- No javascript
- No PolicyKit

Here are some issues I discovered while reading this program:

- src/saml2/s_utils.py sid() provides highly guessable session identifiers
- src/saml2/s_utils.py rndstr() strings are not cryptographically strong, and appear to be used for cryptographic purposes
- src/sigver.py create_id() generated identifiers are not cryptographically strong
- example/idp2/idp.py, example/idp2/idp_uwsgi.py, example/aa/aa.py, example/idp2_repoze/idp all have a staticfile() method that will serve every file on the computer that is readable by the server userid. No effort is made to filter out .. path traversals.
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py, example/aa/aa.py, example/idp2_repoze/idp.py all have password checks that do not attempt to prevent timing analysis.
- src/saml2/authn.py verify() will logger.debug() a password
- src/saml2/authn.py _verify() has a password check that does not attempt to prevent timing analysis
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py, example/aa/aa.py, example/idp2_repoze/idp.py info_from_cookie() do not handle the TypeError exception from b64decode; will these provide a simple DOS attack vector?
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py, example/aa/aa.py, example/idp2_repoze/idp.py ecp() do not handle the TypeError exception from b64decode; will these provide a simple DOS attack vector? This method also logs HTTP_AUTHORIZATION to logger.debug(), which may include passwords.

I reported the above issues to the author, who provided fixes for them very quickly; he's inexperienced with CVEs but sounded willing to learn.

Please update the packaged version to include these fixes; I do not know if they are security fixes, but it's plausible that some might be.

Security team ACK for promoting version 2.3.0 or higher to main.

Thanks

--
https://bugs.launchpad.net/bugs/1407695
Title: [MIR] python-saml2, python-repoze.who, xmlsec1
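Hardened counterparts to the four patterns the review flags (predictable identifiers, a static file handler that does not confine paths, password checks that leak timing, and b64decode exceptions left unhandled), as an added Python example. This is not code from pysaml2 or from the reviewer; the function names, the /srv/idp/static root and the sample cookie values are constructed for illustration.

```python
"""Hardened counterparts to the patterns flagged in the review.

Added example, not code from pysaml2 or the reviewer; function names and
the sample paths/cookie values are constructed for illustration.
"""
import base64
import binascii
import hashlib
import hmac
import os
import secrets


def make_session_id(nbytes=32):
    """Unpredictable identifier from the OS CSPRNG.

    Suitable for session ids, nonces and message ids (the sid()/rndstr()/
    create_id() use cases); random.choice()-style generators are not.
    """
    return secrets.token_urlsafe(nbytes)


def safe_static_path(root, requested):
    """Resolve a client-supplied relative path so it cannot leave ``root``.

    Returns the absolute path when it stays inside root, otherwise None.
    realpath() collapses '..' segments and follows symlinks *before* the
    containment check, so 'css/../../etc/passwd' and a symlink that points
    outside the static directory are both rejected.
    """
    if "\x00" in requested:          # NUL would truncate the path in a C-level open()
        return None
    root_real = os.path.realpath(root)
    # A leading separator would make os.path.join discard root entirely.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/\\")))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:               # e.g. different drives on Windows
        return None
    return candidate if inside else None


def password_matches(stored, supplied):
    """Constant-time equality check for credentials.

    Both values are hashed to a fixed length first so that compare_digest
    never short-circuits on a length mismatch; the comparison then takes
    the same time whether the first byte or the last byte differs.
    (A real deployment stores a salted password hash rather than the
    plaintext; the fixed-length comparison applies to the hashes too.)
    """
    a = hashlib.sha256(stored.encode("utf-8")).digest()
    b = hashlib.sha256(supplied.encode("utf-8")).digest()
    return hmac.compare_digest(a, b)


def decode_cookie(value):
    """Decode a base64 cookie value, returning None instead of raising.

    Python 3 raises binascii.Error (a ValueError subclass) on bad padding
    or, with validate=True, on characters outside the base64 alphabet;
    Python 2 raised TypeError for the same input, which is the exception
    the review mentions. Non-string input is rejected up front, so a
    malformed cookie becomes "not logged in" rather than a 500.
    """
    if not isinstance(value, (str, bytes)):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return None


if __name__ == "__main__":
    print(make_session_id())
    print(safe_static_path("/srv/idp/static", "../../etc/passwd"))   # None
    print(password_matches("hunter2", "hunter2"))                    # True
    print(decode_cookie("not a cookie!"))                            # None
```

The caller of safe_static_path() still decides what to do with a None (a 404 is the usual choice) and should open the returned path rather than the original request string; decode_cookie() likewise hands a None back so the request handler can treat the session as absent instead of propagating an exception to the WSGI layer.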