Control: tags -1 confirmed

On 2021-04-27 14:42:49 +0200, Ferenc Wágner wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please unblock package shibboleth-sp
>
> Dear Release Team,
>
> The recent Shibboleth SP advisory
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987608) was fixed
> upstream by a new patch level release: 3.2.2. The release contains
> nothing but two crash fixes: one affecting test setups only and the
> remote unauthenticated DoS fix referenced by the above advisory.
> However, upstream upgraded to Autoconf 2.71 meanwhile, so the debdiff is
> too big to fit in this bug report. Here's the diffstat instead:
>
> $ debdiff shibboleth-sp_3.2.1+dfsg1-1.dsc shibboleth-sp_3.2.2+dfsg1-1.dsc | diffstat
>  Makefile.in | 3
>  aclocal.m4 | 4
>  adfs/Makefile.in | 1
>  apache/Makefile.in | 1
>  build-aux/compile | 6
>  build-aux/config.guess | 620
>  build-aux/config.sub | 2585 +-
>  build-aux/depcomp | 2
>  build-aux/install-sh | 161
>  build-aux/missing | 2
>  config.h.in | 12
>  config_win32.h | 6
>  configs/Makefile.in | 1
>  configure | 9133 +++++-----
>  configure.ac | 2
>  debian/changelog | 8
>  debian/patches/Clean-up-cxxtest-configuration.patch | 2
>  debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch | 2
>  doc/Makefile.in | 1
>  fastcgi/Makefile.in | 1
>  m4/libtool.m4 | 13
>  memcache-store/Makefile.in | 1
>  nsapi_shib/Makefile.in | 1
>  odbc-store/Makefile.in | 1
>  plugins/Makefile.in | 1
>  schemas/Makefile.in | 1
>  selinux/Makefile.in | 1
>  shibboleth.spec | 9
>  shibboleth.spec.in | 7
>  shibd/Makefile.in | 1
>  shibsp/Makefile.am | 4
>  shibsp/Makefile.in | 5
>  shibsp/handler/impl/SAML2Logout.cpp | 9
>  shibsp/handler/impl/SAML2NameIDMgmt.cpp | 10
>  shibsp/impl/StorageServiceSessionCache.cpp | 8
>  shibsp/shibsp.rc | 4
>  shibsp/version.h | 2
>  unittests/Makefile.in | 1
>  util/Makefile.in | 1
>  39 files changed, 7044 insertions(+), 5589 deletions(-)
>
> On the other hand, the
shibboleth-sp package builds with Debhelper > compat level 12, which includes autoreconf, so the bulk of this is > inconsequential. The actual code difference is pretty small: > > $ git diff --stat 3.2.1 3.2.2 > config_win32.h | 6 +++--- > configure.ac | 2 +- > shibboleth.spec.in | 7 +++++-- > shibsp/Makefile.am | 4 ++-- > shibsp/handler/impl/SAML2Logout.cpp | 9 +++++---- > shibsp/handler/impl/SAML2NameIDMgmt.cpp | 10 ++++++---- > shibsp/impl/StorageServiceSessionCache.cpp | 8 +++++++- > shibsp/shibsp.rc | 4 ++-- > shibsp/version.h | 2 +- > util/resourceCommon.rci | 6 +++--- > 10 files changed, 35 insertions(+), 23 deletions(-) > > So here is the debdiff with the Autocruft omitted: > > diff -Nru shibboleth-sp-3.2.1+dfsg1/configure.ac > shibboleth-sp-3.2.2+dfsg1/configure.ac > --- shibboleth-sp-3.2.1+dfsg1/configure.ac 2021-03-16 14:33:31.000000000 > +0100 > +++ shibboleth-sp-3.2.2+dfsg1/configure.ac 2021-04-23 00:18:15.000000000 > +0200 > @@ -1,5 +1,5 @@ > AC_PREREQ([2.50]) > -AC_INIT([shibboleth],[3.2.1],[https://issues.shibboleth.net/],[shibboleth-sp]) > +AC_INIT([shibboleth],[3.2.2],[https://issues.shibboleth.net/],[shibboleth-sp]) > AC_CONFIG_SRCDIR(shibsp) > AC_CONFIG_AUX_DIR(build-aux) > AC_CONFIG_MACRO_DIR(m4) > diff -Nru shibboleth-sp-3.2.1+dfsg1/config_win32.h > shibboleth-sp-3.2.2+dfsg1/config_win32.h > --- shibboleth-sp-3.2.1+dfsg1/config_win32.h 2021-03-16 14:33:45.000000000 > +0100 > +++ shibboleth-sp-3.2.2+dfsg1/config_win32.h 2021-04-23 00:18:15.000000000 > +0200 
> @@ -121,13 +121,13 @@ > #define PACKAGE_NAME "shibboleth" > > /* Define to the full name and version of this package. */ > -#define PACKAGE_STRING "shibboleth 3.2.1" > +#define PACKAGE_STRING "shibboleth 3.2.2" > > /* Define to the one symbol short name of this package. */ > #define PACKAGE_TARNAME "shibboleth-sp" > > /* Define to the version of this package. */ > -#define PACKAGE_VERSION "3.2.1" > +#define PACKAGE_VERSION "3.2.2" > > /* Define to the necessary symbol if this constant uses a non-standard name > on > your system. */ > @@ -140,7 +140,7 @@ > /* #undef TM_IN_SYS_TIME */ > > /* Version number of package */ > -#define VERSION "3.2.1" > +#define VERSION "3.2.2" > > /* Define to empty if `const' does not conform to ANSI C. */ > /* #undef const */ > diff -Nru shibboleth-sp-3.2.1+dfsg1/debian/changelog > shibboleth-sp-3.2.2+dfsg1/debian/changelog > --- shibboleth-sp-3.2.1+dfsg1/debian/changelog 2021-03-17 > 14:29:08.000000000 +0100 > +++ shibboleth-sp-3.2.2+dfsg1/debian/changelog 2021-04-27 > 12:11:06.000000000 +0200 
> @@ -1,3 +1,20 @@ > +shibboleth-sp (3.2.2+dfsg1-1) unstable; urgency=high > + > + * [e44283d] New upstream release: 3.2.2 > + High urgency because it fixes CVE-2021-31826: > + Session recovery feature contains a null pointer dereference > + The cookie-based session recovery feature added in V3.0 contains a > + flaw that is exploitable on systems *not* using the feature if a > + specially crafted cookie is supplied. > + This manifests as a crash in the shibd daemon. > + Because it is very simple to trigger this condition remotely, it > + results in a potential denial of service condition exploitable by > + a remote, unauthenticated attacker. > + Thanks to Scott Cantor (Closes: #987608) > + * [3a6ac33] Refresh our patches > + > + -- Ferenc Wágner <wf...@debian.org> Tue, 27 Apr 2021 12:11:06 +0200 > + > shibboleth-sp (3.2.1+dfsg1-1) unstable; urgency=high > > * [4ecfe4a] New upstream release: 3.2.1 > diff -Nru > shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch > shibboleth-sp-3.2.2+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch > --- > shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch > 2021-03-17 14:26:00.000000000 +0100 > +++ > shibboleth-sp-3.2.2+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch > 2021-04-27 12:06:29.000000000 +0200 > @@ -9,7 +9,7 @@ > 1 file changed, 5 deletions(-) > > diff --git a/configure.ac b/configure.ac > -index ddae588..ceb34a3 100644 > +index 57dd2c0..7690d8c 100644 > --- a/configure.ac > +++ b/configure.ac 
> @@ -940,15 +940,10 @@ AM_CONDITIONAL([GSSAPI_NAMINGEXTS],[test > "x$ac_cv_have_decl_gss_get_name_attribu > diff -Nru > shibboleth-sp-3.2.1+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch > > shibboleth-sp-3.2.2+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch > --- > shibboleth-sp-3.2.1+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch > 2021-03-17 14:26:00.000000000 +0100 > +++ > shibboleth-sp-3.2.2+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch > 2021-04-27 12:06:29.000000000 +0200 > @@ -37,7 +37,7 @@ > > # If $DAEMON_USER is set, try to run shibd as that user. However, > diff --git a/shibsp/Makefile.am b/shibsp/Makefile.am > -index 9176c17..0dd24cb 100644 > +index c3490e0..466c699 100644 > --- a/shibsp/Makefile.am > +++ b/shibsp/Makefile.am > @@ -282,7 +282,7 @@ libshibsp_lite_la_LIBADD = \ > diff -Nru shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in > shibboleth-sp-3.2.2+dfsg1/shibboleth.spec.in > --- shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in 2020-12-15 > 04:00:19.000000000 +0100 > +++ shibboleth-sp-3.2.2+dfsg1/shibboleth.spec.in 2021-04-23 > 00:18:15.000000000 +0200 > @@ -93,8 +93,8 @@ > Obsoletes: shibboleth-sp-devel = 2.5.0 > Requires: libxerces-c-devel >= 3.2 > Requires: libxml-security-c-devel >= 2.0.0 > -Requires: libxmltooling-devel >= 3.1.0 > -Requires: libsaml-devel >= 3.1.0 > +Requires: libxmltooling-devel >= 3.2.0 > +Requires: libsaml-devel >= 3.2.0 > %{?_with_log4cpp:Requires: liblog4cpp-devel >= 1.0} > %{!?_with_log4cpp:Requires: liblog4shib-devel >= 2} 
> > @@ -481,6 +481,9 @@ > %doc %{pkgdocdir}/api > > %changelog > +* Thu Apr 22 2021 Scott Cantor <canto...@osu.edu> - 3.2.2-1 > +- Fix devel dependency versions > + > * Tue Dec 1 2020 Scott Cantor <canto...@osu.edu> - 3.2.0-1 > - Version and lib bump > > diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2Logout.cpp > shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2Logout.cpp > --- shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2Logout.cpp > 2020-03-18 19:45:13.000000000 +0100 > +++ shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2Logout.cpp > 2021-03-31 14:50:45.000000000 +0200 > @@ -646,8 +646,8 @@ > } > } > if (!ep || !encoder) { > - auto_ptr_char > id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID()); > - m_log.error("unable to locate compatible SLO service for > provider (%s)", id.get()); > + auto_ptr_char id(role ? > dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr); > + m_log.error("unable to locate compatible SLO service for > provider (%s)", id.get() ? id.get() : "unknown"); > MetadataException ex("Unable to locate endpoint at IdP > ($entityID) to send LogoutResponse."); > annotateException(&ex, role); // throws it > } > @@ -667,7 +667,8 @@ > } > Issuer* issuer = IssuerBuilder::buildIssuer(); > logout->setIssuer(issuer); > - > issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second); > + issuer->setName(application.getRelyingParty(role ? > dynamic_cast<EntityDescriptor*>(role->getParent()) : > + nullptr)->getXMLString("entityID").second); > fillStatus(*logout, code, subcode, msg); > XMLCh* msgid = SAMLConfig::getConfig().generateIdentifier(); > logout->setID(msgid); 
> @@ -675,7 +676,7 @@ > logout->setIssueInstant(time(nullptr)); > > if (logoutEvent) { > - logoutEvent->m_peer = > dynamic_cast<EntityDescriptor*>(role->getParent()); > + logoutEvent->m_peer = role ? > dynamic_cast<EntityDescriptor*>(role->getParent()) : nullptr; > logoutEvent->m_saml2Response = logout.get(); > > application.getServiceProvider().getTransactionLog()->write(*logoutEvent); > } > diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp > shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp > --- shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp > 2020-03-06 18:16:06.000000000 +0100 > +++ shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2NameIDMgmt.cpp > 2021-03-31 14:56:25.000000000 +0200 > @@ -286,7 +286,8 @@ > ); > } > > - EntityDescriptor* entity = policy->getIssuerMetadata() ? > dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : > nullptr; > + EntityDescriptor* entity = policy->getIssuerMetadata() ? > + > dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : > nullptr; > > scoped_ptr<XMLObject> decryptedID; > NameID* nameid = mgmtRequest->getNameID(); > @@ -485,8 +486,8 @@ > } > } > if (!ep || !encoder) { > - auto_ptr_char > id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID()); > - m_log.error("unable to locate compatible NIM service for > provider (%s)", id.get()); > + auto_ptr_char id(role ? > dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr); > + m_log.error("unable to locate compatible NIM service for > provider (%s)", id.get() ? id.get() : "unknown"); > MetadataException ex("Unable to locate endpoint at IdP > ($entityID) to send ManageNameIDResponse."); > annotateException(&ex, role); // throws it > } 
> @@ -506,7 +507,8 @@ > } > Issuer* issuer = IssuerBuilder::buildIssuer(); > nim->setIssuer(issuer); > - > issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second); > + issuer->setName(application.getRelyingParty(role ? > dynamic_cast<EntityDescriptor*>(role->getParent()) : > + nullptr)->getXMLString("entityID").second); > fillStatus(*nim, code, subcode, msg); > > auto_ptr_char dest(nim->getDestination()); > diff -Nru > shibboleth-sp-3.2.1+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp > shibboleth-sp-3.2.2+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp > --- shibboleth-sp-3.2.1+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp > 2020-12-07 21:51:12.000000000 +0100 > +++ shibboleth-sp-3.2.2+dfsg1/shibsp/impl/StorageServiceSessionCache.cpp > 2021-04-23 00:18:15.000000000 +0200 > @@ -1148,6 +1148,12 @@ > else { > // We're out of process, so we can recover the session. > #ifndef SHIBSP_LITE > + const DataSealer* sealer = > XMLToolingConfig::getConfig().getDataSealer(); > + if (!sealer) { > + m_log.warn("can't attempt recovery of session (%s), no > DataSealer configured", key); > + return false; > + } > + > m_log.debug("checking for revocation of session (%s)", key); > try { > if (m_storage_lite->readString("Revoked", key) > 0) { > @@ -1174,7 +1180,7 @@ > try { > dup = strdup(data); > XMLToolingConfig::getConfig().getURLEncoder()->decode(dup); > - unwrapped = > XMLToolingConfig::getConfig().getDataSealer()->unwrap(dup); > + unwrapped = sealer->unwrap(dup); > free(dup); > > stringstream str(unwrapped); > diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/Makefile.am > shibboleth-sp-3.2.2+dfsg1/shibsp/Makefile.am > --- shibboleth-sp-3.2.1+dfsg1/shibsp/Makefile.am 2021-03-16 > 15:19:16.000000000 +0100 > +++ shibboleth-sp-3.2.2+dfsg1/shibsp/Makefile.am 2021-04-23 > 01:14:32.000000000 +0200 
> @@ -244,7 +244,7 @@ > > # this is different from the project version > # http://sources.redhat.com/autobook/autobook/autobook_91.html > -libshibsp_la_LDFLAGS = -version-info 10:0:0 > +libshibsp_la_LDFLAGS = -version-info 10:1:0 > libshibsp_la_CXXFLAGS = \ > $(AM_CXXFLAGS) \ > $(BOOST_CPPFLAGS) \ > @@ -263,7 +263,7 @@ > $(xerces_LIBS) \ > $(xmlsec_LIBS) \ > $(xmltooling_LIBS) > -libshibsp_lite_la_LDFLAGS = -version-info 10:0:0 > +libshibsp_lite_la_LDFLAGS = -version-info 10:1:0 > libshibsp_lite_la_CXXFLAGS = -DSHIBSP_LITE \ > $(AM_CXXFLAGS) \ > $(BOOST_CPPFLAGS) \ > diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/shibsp.rc > shibboleth-sp-3.2.2+dfsg1/shibsp/shibsp.rc > --- shibboleth-sp-3.2.1+dfsg1/shibsp/shibsp.rc 2021-03-16 > 15:43:09.000000000 +0100 > +++ shibboleth-sp-3.2.2+dfsg1/shibsp/shibsp.rc 2021-04-23 > 00:18:15.000000000 +0200 > @@ -80,8 +80,8 @@ > #endif > #endif > VALUE "PrivateBuild", "\0" > - VALUE "ProductName", "Shibboleth 3.2.1\0" > - VALUE "ProductVersion", "3, 2, 1, 0\0" > + VALUE "ProductName", "Shibboleth 3.2.2\0" > + VALUE "ProductVersion", "3, 2, 2, 0\0" > VALUE "SpecialBuild", "\0" > END > END > diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/version.h > shibboleth-sp-3.2.2+dfsg1/shibsp/version.h > --- shibboleth-sp-3.2.1+dfsg1/shibsp/version.h 2021-03-16 > 14:32:51.000000000 +0100 > +++ shibboleth-sp-3.2.2+dfsg1/shibsp/version.h 2021-04-23 > 00:18:15.000000000 +0200 
> @@ -44,7 +44,7 @@ > > #define SHIBSP_VERSION_MAJOR 3 > #define SHIBSP_VERSION_MINOR 2 > -#define SHIBSP_VERSION_REVISION 1 > +#define SHIBSP_VERSION_REVISION 2 > > /** DO NOT MODIFY BELOW THIS LINE */
>
> So most of this is version number bump. The actual DoS fix is the two
> hunks in StorageServiceSessionCache.cpp; the SAML2Logout.cpp and
> SAML2NameIDMgmt.cpp changes are the corner case crash fix.
>
> The DoS fix alone applies fine to the current bullseye package, so
> cherry-picking the small security part into a 3.2.1+dfsg1-2 is a
> possibility. I'd like to avoid that for the sake of transparency,
> though, if possible.
>
> Since shibboleth-sp is a non-key package with successful autopkgtests,
> it doesn't strictly need an unblock at the moment, but the full freeze
> is drawing closer and the security aspect would justify faster migration
> anyway, so I ask for your advice. I'm ready to upload 3.2.2+dfsg1-1 as
> above (abridged) or prepare a 3.2.1+dfsg1-2 if needed.
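Review bot: the early return added in the first StorageServiceSessionCache.cpp hunk (@@ -1148: `if (!sealer) { m_log.warn(...); return false; }`) is the actual CVE-2021-31826 fix, since it stops recovery before `getDataSealer()->unwrap()` is reached on a system with no DataSealer configured; the second hunk's `unwrapped = sealer->unwrap(dup);` correctly reuses the already-checked pointer instead of fetching it again. One thing to weigh: the new `m_log.warn` fires once per recovery attempt and is reachable by an unauthenticated client (that is what the changelog text says makes this a remote DoS), so on an unconfigured deployment a stream of crafted cookies becomes a stream of warn-level lines with the attacker-chosen key in them; a debug-level or rate-limited message would avoid turning a crash into log amplification. Not a blocker for the unblock, but worth raising upstream.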
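Review bot: the `auto_ptr_char id(role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr);` lines in the SAML2Logout.cpp (@@ -646) and SAML2NameIDMgmt.cpp (@@ -485) hunks guard `role` but still dereference the `dynamic_cast` result unchecked: if `role->getParent()` is not an `EntityDescriptor` the cast yields null and `->getEntityID()` crashes exactly as before. The `issuer->setName(application.getRelyingParty(role ? ... : nullptr)->getXMLString("entityID").second);` lines in the @@ -667 and @@ -506 hunks likewise assume `getRelyingParty` accepts a null entity and never returns null. Suggest computing the entity once, e.g. `EntityDescriptor* ed = role ? dynamic_cast<EntityDescriptor*>(role->getParent()) : nullptr;`, and testing `ed` before both uses. The submitter describes this as the test-setup corner case, so it does not affect the security decision here, but it should go back upstream.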
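Review bot: the SAML2NameIDMgmt.cpp hunk at @@ -286 only re-wraps the `EntityDescriptor* entity = policy->getIssuerMetadata() ? ... : nullptr;` statement across two lines; there is no behaviour change, so it can be treated as noise when judging the size of the security-relevant diff.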
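Review bot: the shibboleth.spec.in hunk raises the RPM devel requirements from `libxmltooling-devel >= 3.1.0` / `libsaml-devel >= 3.1.0` to `>= 3.2.0`, but the debdiff shows no matching change to debian/control (the diffstat lists only debian/changelog and two patch refreshes). Please confirm that the Build-Depends on the Debian xmltooling and opensaml development packages already satisfy the 3.2.0 floor upstream now declares; otherwise the package is being built against a dependency baseline older than upstream intends.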
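Review bot: the `-version-info 10:0:0` to `10:1:0` change in both shibsp/Makefile.am hunks (@@ -244 and @@ -263, for libshibsp and libshibsp-lite) is a revision-only bump with current and age unchanged, i.e. no SONAME change, so no library package rename or transition is involved and this can go through as a plain bugfix upload; no objection from the ABI side.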
Since the new upstream release only fixes the security issue, let's take
3.2.2+dfsg1-1.

Cheers

> unblock shibboleth-sp/3.2.2+dfsg1-1
>
> --
> Thanks,
> Feri.

--
Sebastian Ramacher