[SCM] Debian branch, master, updated. debian/1.2.2-2-24-g9c37cfe
Xavier Guimard
x.guimard at free.fr
Sat Dec 22 08:17:48 UTC 2012
The following commit has been merged in the master branch:
commit 613dc3c395be3f6626de316d5b42190e4e7866b0
Author: Xavier Guimard <x.guimard at free.fr>
Date: Sat Dec 22 09:09:18 2012 +0100
Add verify-saml-signatures.patch + refresh other patch
diff --git a/debian/changelog b/debian/changelog
index 1eee9ca..571ee6f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,40 +2,18 @@ lemonldap-ng (1.2.2-3) UNRELEASED; urgency=low
TODO:
- debian/copyright:
- + copyright information is incomplete, e.g.
- lemonldap-ng-manager/example/skins/default/ui-darkness/jquery-ui-1.8.6.custom.css
- or the files under scripts/
- => Done
- - There is still a syntax problem: a .css file doesn't match
- jquery-ui*.js, and even if it did, it would be overridden by the later
- jquery*.js;
- - And what about scripts/DoxyGen/SQLFilter.pm? Please run 'grep -ri
- copy' and make sure every copyright holder that comes up is covered
- by debian/copyright
- => Done
+ the license information for e.g. jquery.cookie.js or the icons in
lemonldap-ng-portal/example/skins/common/apps/ does not agree with
what's documented in the source of those files / README
=> It's a README error that will be changed in the next version
- that's ok, but while this hasn't been changed upstream perhaps add a
Comment: field to the respective paragraphs?
- + there is no file in the source package that "Files: jquery.base64.js"
- applies to (missing path or globbing)
- => it's here: lemonldap-ng-portal/example/skins/common/jquery.base64.js
- - I know, but debian/copyright is meant to be machine-readable and the
- pattern doesn't match. See second bullet point at
- http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#files-field
- => Done
- + copyright-format 1.0 specifies that the *last* matching paragraph
- applies (reverse sorting)
- => Done (but introduced a new case I mentioned above)
- => Done
- debian/control:
+ the short description does not fit the recommended "<package> is a ..."
format
=> Can you check what I've done ?
- - you only put the "..." into the short description. So e.g. "OpenID, CAS
- and SAML compatible Web-SSO system (common files)" for
+ - you only put the "..." into the short description. So e.g. "OpenID,
+ CAS and SAML compatible Web-SSO system (common files)" for
liblemonldap-ng-conf-perl. (Did you only update the first package's
description on purpose?)
+ the long description is very short and not very informative. It does not
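Review bot: two debian/copyright items in this hunk stay open without a resolution while the surrounding items are pruned as `=> Done`: the README mismatch for jquery.cookie.js and the icons (`=> It's a README error that will be changed in the next version`) and the reviewer's follow-up `perhaps add a Comment: field to the respective paragraphs?`. Either add the `Comment:` field to those paragraphs in this upload or keep an explicit TODO marker on them so the point is not lost once the rest of the list is cleaned out.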
@@ -44,7 +22,6 @@ lemonldap-ng (1.2.2-3) UNRELEASED; urgency=low
it would be useful to know how it compares to other Single Sign-On system
such as Shibboleth or OpenID
=> Done
- - s/ bu / be /
- better, but I still don't really know why I should use lemonldap-ng
rather than e.g. Shibboleth
+ embedded code copies have been removed and replaced with links to their
@@ -124,6 +101,7 @@ lemonldap-ng (1.2.2-3) UNRELEASED; urgency=low
* Replace duplicate files by links
* Update descriptions
* Update debian/copyright (missing entries)
+ * Add verify-saml-signatures.patch, fix for CVE-2012-6426 (Closes: #696329)
-- Xavier Guimard <x.guimard at free.fr> Wed, 05 Dec 2012 06:25:56 +0100
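Review bot: the new entry `* Add verify-saml-signatures.patch, fix for CVE-2012-6426 (Closes: #696329)` records a security fix (SAML signatures never verified), but the hunk context still shows `lemonldap-ng (1.2.2-3) UNRELEASED; urgency=low`. Raise the urgency to high when this revision is released so the fix migrates faster; the CVE reference and bug closer can stay as written.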
diff --git a/debian/patches/change-js-libs-by-shared-packages.patch b/debian/patches/change-js-libs-by-shared-packages.patch
index 11e4dd6..6722b0f 100644
--- a/debian/patches/change-js-libs-by-shared-packages.patch
+++ b/debian/patches/change-js-libs-by-shared-packages.patch
@@ -3,9 +3,9 @@ Author: Xavier Guimard <x.guimard at free.fr>
Forwarded: no
Last-Update: 2012-11-27
---- lemonldap-ng-1.2.2.orig/lemonldap-ng-portal/MANIFEST
-+++ lemonldap-ng-1.2.2/lemonldap-ng-portal/MANIFEST
-@@ -43,10 +43,8 @@ example/skins/common/email.png
+--- a/lemonldap-ng-portal/MANIFEST
++++ b/lemonldap-ng-portal/MANIFEST
+@@ -43,10 +43,8 @@
example/skins/common/error.png
example/skins/common/favicon.ico
example/skins/common/inputicons.css
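Review bot: the refresh only rewrites the file headers from `lemonldap-ng-1.2.2.orig/...` to `a/...` / `b/...` and drops the function-context text from the `@@` lines, which is fine for quilt's default `-p1`, but the DEP-3 `Last-Update: 2012-11-27` context line just above is left untouched even though the patch file changes in this commit. Bump it to the refresh date, as the new verify-saml-signatures.patch does with its own `Last-Update:` field.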
@@ -16,9 +16,9 @@ Last-Update: 2012-11-27
example/skins/common/key.png
example/skins/common/mail_confirm.tpl
example/skins/common/mail_footer.tpl
---- lemonldap-ng-1.2.2.orig/lemonldap-ng-manager/MANIFEST
-+++ lemonldap-ng-1.2.2/lemonldap-ng-manager/MANIFEST
-@@ -44,10 +44,8 @@ example/skins/default/images/spinner.gif
+--- a/lemonldap-ng-manager/MANIFEST
++++ b/lemonldap-ng-manager/MANIFEST
+@@ -44,10 +44,8 @@
example/skins/default/images/tree/root.gif
example/skins/default/images/tree/spacer.gif
example/skins/default/images/tree/tree.png
@@ -29,8 +29,8 @@ Last-Update: 2012-11-27
example/skins/default/js/jquery.elastic.source.js
example/skins/default/js/manager.js
example/skins/default/js/notifications.js
---- lemonldap-ng-1.2.2.orig/lemonldap-ng-portal/example/skins/impact/header.tpl
-+++ lemonldap-ng-1.2.2/lemonldap-ng-portal/example/skins/impact/header.tpl
+--- a/lemonldap-ng-portal/example/skins/impact/header.tpl
++++ b/lemonldap-ng-portal/example/skins/impact/header.tpl
@@ -13,10 +13,10 @@
<link rel="openid.server" href="<TMPL_VAR NAME="PROVIDERURI">" />
<link rel="openid2.provider" href="<TMPL_VAR NAME="PROVIDERURI">" />
@@ -44,8 +44,8 @@ Last-Update: 2012-11-27
<script type="text/javascript">//<![CDATA[
var displaytab='<TMPL_VAR NAME="DISPLAY_TAB">';
var choicetab='<TMPL_VAR NAME="CHOICE_VALUE">';
---- lemonldap-ng-1.2.2.orig/lemonldap-ng-portal/example/skins/pastel/header.tpl
-+++ lemonldap-ng-1.2.2/lemonldap-ng-portal/example/skins/pastel/header.tpl
+--- a/lemonldap-ng-portal/example/skins/pastel/header.tpl
++++ b/lemonldap-ng-portal/example/skins/pastel/header.tpl
@@ -13,10 +13,10 @@
<link rel="openid.server" href="<TMPL_VAR NAME="PROVIDERURI">" />
<link rel="openid2.provider" href="<TMPL_VAR NAME="PROVIDERURI">" />
@@ -59,8 +59,8 @@ Last-Update: 2012-11-27
<script type="text/javascript">//<![CDATA[
var displaytab='<TMPL_VAR NAME="DISPLAY_TAB">';
var choicetab='<TMPL_VAR NAME="CHOICE_VALUE">';
---- lemonldap-ng-1.2.2.orig/lemonldap-ng-manager/example/skins/default/notifications.tpl
-+++ lemonldap-ng-1.2.2/lemonldap-ng-manager/example/skins/default/notifications.tpl
+--- a/lemonldap-ng-manager/example/skins/default/notifications.tpl
++++ b/lemonldap-ng-manager/example/skins/default/notifications.tpl
@@ -10,9 +10,9 @@
<link rel="stylesheet" type="text/css" id="csstheme" href="<TMPL_VAR NAME="DIR">/<TMPL_VAR NAME="CSS_THEME">/jquery-ui-1.8.6.custom.css" />
<!-- Manager CSS -->
@@ -73,8 +73,8 @@ Last-Update: 2012-11-27
<script src="<TMPL_VAR NAME="DIR">/js/tree.js" type="text/JavaScript"></script>
<script src="<TMPL_VAR NAME="DIR">/js/notifications.js" type="text/JavaScript"></script>
<script type="text/JavaScript">//<![CDATA[
---- lemonldap-ng-1.2.2.orig/lemonldap-ng-manager/example/skins/default/sessions.tpl
-+++ lemonldap-ng-1.2.2/lemonldap-ng-manager/example/skins/default/sessions.tpl
+--- a/lemonldap-ng-manager/example/skins/default/sessions.tpl
++++ b/lemonldap-ng-manager/example/skins/default/sessions.tpl
@@ -10,9 +10,9 @@
<link rel="stylesheet" type="text/css" id="csstheme" href="<TMPL_VAR NAME="DIR">/<TMPL_VAR NAME="CSS_THEME">/jquery-ui-1.8.6.custom.css" />
<!-- Manager CSS -->
@@ -87,8 +87,8 @@ Last-Update: 2012-11-27
<script src="<TMPL_VAR NAME="DIR">/js/tree.js" type="text/JavaScript"></script>
<script src="<TMPL_VAR NAME="DIR">/js/sessions.js" type="text/JavaScript"></script>
<script type="text/JavaScript">//<![CDATA[
---- lemonldap-ng-1.2.2.orig/lemonldap-ng-manager/example/skins/default/manager.tpl
-+++ lemonldap-ng-1.2.2/lemonldap-ng-manager/example/skins/default/manager.tpl
+--- a/lemonldap-ng-manager/example/skins/default/manager.tpl
++++ b/lemonldap-ng-manager/example/skins/default/manager.tpl
@@ -12,9 +12,9 @@
<link rel="stylesheet" type="text/css" id="csstheme" href="<TMPL_VAR NAME="DIR">/<TMPL_VAR NAME="CSS_THEME">/jquery-ui-1.8.6.custom.css" />
<!-- Manager CSS -->
@@ -101,7 +101,7 @@ Last-Update: 2012-11-27
<script src="<TMPL_VAR NAME="DIR">/js/jquery.ajaxfileupload.js" type="text/JavaScript"></script>
<script src="<TMPL_VAR NAME="DIR">/js/jquery.elastic.source.js" type="text/JavaScript"></script>
<script src="<TMPL_VAR NAME="DIR">/js/tree.js" type="text/JavaScript"></script>
---- lemonldap-ng-1.2.2.orig/lemonldap-ng-portal/example/skins/common/jquery.cookie.js
+--- a/lemonldap-ng-portal/example/skins/common/jquery.cookie.js
+++ /dev/null
@@ -1,96 +0,0 @@
-/**
@@ -201,7 +201,7 @@ Last-Update: 2012-11-27
- }
-};
\ No newline at end of file
---- lemonldap-ng-1.2.2.orig/lemonldap-ng-portal/example/skins/common/jquery-1.4.2.min.js
+--- a/lemonldap-ng-portal/example/skins/common/jquery-1.4.2.min.js
+++ /dev/null
@@ -1,154 +0,0 @@
-/*!
@@ -358,7 +358,7 @@ Last-Update: 2012-11-27
-f.top,left:d.left-f.left}},offsetParent:function(){return this.map(function(){for(var a=this.offsetParent||s.body;a&&!/^body|html$/i.test(a.nodeName)&&c.css(a,"position")==="static";)a=a.offsetParent;return a})}});c.each(["Left","Top"],function(a,b){var d="scroll"+b;c.fn[d]=function(f){var e=this[0],j;if(!e)return null;if(f!==w)return this.each(function(){if(j=wa(this))j.scrollTo(!a?f:c(j).scrollLeft(),a?f:c(j).scrollTop());else this[d]=f});else return(j=wa(e))?"pageXOffset"in j?j[a?"pageYOffset":
-"pageXOffset"]:c.support.boxModel&&j.document.documentElement[d]||j.document.body[d]:e[d]}});c.each(["Height","Width"],function(a,b){var d=b.toLowerCase();c.fn["inner"+b]=function(){return this[0]?c.css(this[0],d,false,"padding"):null};c.fn["outer"+b]=function(f){return this[0]?c.css(this[0],d,false,f?"margin":"border"):null};c.fn[d]=function(f){var e=this[0];if(!e)return f==null?null:this;if(c.isFunction(f))return this.each(function(j){var i=c(this);i[d](f.call(this,j,i[d]()))});return"scrollTo"in
-e&&e.document?e.document.compatMode==="CSS1Compat"&&e.document.documentElement["client"+b]||e.document.body["client"+b]:e.nodeType===9?Math.max(e.documentElement["client"+b],e.body["scroll"+b],e.documentElement["scroll"+b],e.body["offset"+b],e.documentElement["offset"+b]):f===w?c.css(e,d):this.css(d,typeof f==="string"?f:f+"px")}});A.jQuery=A.$=c})(window);
---- lemonldap-ng-1.2.2.orig/lemonldap-ng-manager/example/skins/default/js/jquery.cookie.js
+--- a/lemonldap-ng-manager/example/skins/default/js/jquery.cookie.js
+++ /dev/null
@@ -1,96 +0,0 @@
-/**
@@ -458,7 +458,7 @@ Last-Update: 2012-11-27
- }
-};
\ No newline at end of file
---- lemonldap-ng-1.2.2.orig/lemonldap-ng-manager/example/skins/default/js/jquery-1.4.2.min.js
+--- a/lemonldap-ng-manager/example/skins/default/js/jquery-1.4.2.min.js
+++ /dev/null
@@ -1,154 +0,0 @@
-/*!
diff --git a/debian/patches/series b/debian/patches/series
index 10aced8..8032806 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
change-js-libs-by-shared-packages.patch
+verify-saml-signatures.patch
diff --git a/debian/patches/verify-saml-signatures.patch b/debian/patches/verify-saml-signatures.patch
new file mode 100644
index 0000000..ee61f46
--- /dev/null
+++ b/debian/patches/verify-saml-signatures.patch
@@ -0,0 +1,146 @@
+Description: Verify SAML signature
+ Due to a bad use of Lasso library, SAML signatures are never checked, even if
+ we force signature check.
+ [CVE-2012-6426]
+Author: Clément OUDOT <coudot at linagora.com>
+Bug: http://jira.ow2.org/browse/LEMONLDAP-570
+Bug-Debian: http://bugs.debian.org/696329
+Forwarded: yes
+Reviewed-By: Xavier Guimard <x.guimard at free.fr>
+Last-Update: 2012-12-19
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+@@ -2241,6 +2241,21 @@
+ return $self->checkLassoError($@);
+ }
+
++## @method boolean forceSignatureVerification(Lasso::Profile profile)
++# Modify Lasso signature hint to force signature verification
++# @param profile Lasso profile object
++# @return result
++sub forceSignatureVerification {
++ my ( $self, $profile ) = splice @_;
++
++ eval {
++ Lasso::Profile::set_signature_verify_hint( $profile,
++ Lasso::Constants::PROFILE_SIGNATURE_VERIFY_HINT_FORCE );
++ };
++
++ return $self->checkLassoError($@);
++}
++
+ ## @method string getAuthnContext(string context)
+ # Convert configuration string into SAML2 AuthnContextClassRef string
+ # @param context configuration string
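Review bot: `forceSignatureVerification` returns whatever `checkLassoError($@)` returns, yet its doc comment only says `# @return result`; state that it is true when the hint was set and false when Lasso raised an error, because the callers in this patch need that distinction to fail closed. It is also worth a sentence that `set_signature_verify_hint` only changes the hint on the profile object and that the verification itself happens when the message is processed again, since that is why every caller re-runs a `process*Msg` call right after this one.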
+@@ -3232,6 +3247,10 @@
+
+ Modify Lasso signature hint to disable signature verification
+
++=head2 forceSignatureVerification
++
++Modify Lasso signature hint to force signature verification
++
+ =head2 getAuthnContext
+
+ Convert configuration string into SAML2 AuthnContextClassRef string
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
+@@ -125,7 +125,18 @@
+ ->{samlIDPMetaDataOptionsCheckSSOMessageSignature};
+
+ if ($checkSSOMessageSignature) {
+- unless ( $self->checkSignatureStatus($login) ) {
++
++ $self->forceSignatureVerification($login);
++
++ if ($artifact) {
++ $result = $self->processArtResponseMsg( $login, $response );
++ }
++ else {
++ $result =
++ $self->processAuthnResponseMsg( $login, $response );
++ }
++
++ unless ($result) {
+ $self->lmLog( "Signature is not valid", 'error' );
+ return PE_SAML_SIGNATURE_ERROR;
+ }
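Review bot: the status of `$self->forceSignatureVerification($login);` is discarded. If `Lasso::Profile::set_signature_verify_hint` dies, `checkLassoError` reports it but the code falls through and re-processes the response with the previous hint, which is exactly the unchecked path this patch is meant to close. Guard it, e.g. `unless ( $self->forceSignatureVerification($login) ) { $self->lmLog( "Unable to force signature verification", 'error' ); return PE_SAML_SIGNATURE_ERROR; }`. Also confirm `$result` is declared with `my` earlier in this scope, since the hunk assigns it without a declaration and the surrounding code runs under strict.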
+@@ -404,7 +415,12 @@
+ ->{samlIDPMetaDataOptionsCheckSLOMessageSignature};
+
+ if ($checkSLOMessageSignature) {
+- unless ( $self->checkSignatureStatus($logout) ) {
++
++ $self->forceSignatureVerification($logout);
++
++ $result = $self->processLogoutResponseMsg( $logout, $response );
++
++ unless ($result) {
+ $self->lmLog( "Signature is not valid", 'error' );
+ return PE_SAML_SIGNATURE_ERROR;
+ }
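Review bot: same unchecked `forceSignatureVerification($logout)` call as in the SSO hunk above; the error branch should also fire when the hint cannot be set, not only when `processLogoutResponseMsg` returns false. Since the pattern "force hint, re-process message, fail with PE_SAML_SIGNATURE_ERROR" now appears in five places across AuthSAML.pm and IssuerDBSAML.pm, a small helper next to `forceSignatureVerification` in _SAML.pm (set hint, process, return status) would reduce each call site to one line and keep the fail-closed check in a single place.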
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+@@ -150,7 +150,17 @@
+ ->{samlSPMetaDataOptionsCheckSSOMessageSignature};
+
+ if ($checkSSOMessageSignature) {
+- unless ( $self->checkSignatureStatus($login) ) {
++
++ $self->forceSignatureVerification($login);
++
++ if ($artifact) {
++ $result = $self->processArtResponseMsg( $login, $request );
++ }
++ else {
++ $result = $self->processAuthnRequestMsg( $login, $request );
++ }
++
++ unless ($result) {
+ $self->lmLog( "Signature is not valid", 'error' );
+ return PE_SAML_SIGNATURE_ERROR;
+ }
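Review bot: as in AuthSAML.pm, the return value of `$self->forceSignatureVerification($login);` is ignored and `$result` is assigned without a visible `my`. In addition, `Signature is not valid` is logged for any false result from `processArtResponseMsg`/`processAuthnRequestMsg`; if re-processing can fail for reasons other than the signature, include the Lasso error text from `checkLassoError` in the log line so an operator can separate a tampered request from a malformed one during triage.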
+@@ -277,7 +287,10 @@
+ ->{samlSPMetaDataOptionsCheckSLOMessageSignature};
+
+ if ($checkSLOMessageSignature) {
+- unless ( $self->checkSignatureStatus($logout) ) {
++
++ $self->forceSignatureVerification($logout);
++
++ unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
+ $self->lmLog( "Signature is not valid", 'error' );
+ return $self->sendSLOErrorResponse( $logout, $method );
+ }
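Review bot: here the outcome is tested inline (`unless ( $self->processLogoutRequestMsg( $logout, $request ) )`) while the SSO hunks go through `$result`; pick one form for readability. More importantly, the failure path replies to the SP via `$self->sendSLOErrorResponse( $logout, $method )`; check that building that error response does not rely on fields of `$logout` that may be missing or stale after a re-processing that just failed under the forced hint, otherwise the error path can itself raise a Lasso error instead of answering cleanly.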
+@@ -1203,7 +1216,17 @@
+ ->{samlSPMetaDataOptionsCheckSSOMessageSignature};
+
+ if ($checkSSOMessageSignature) {
+- unless ( $self->checkSignatureStatus($login) ) {
++
++ $self->forceSignatureVerification($login);
++
++ if ($artifact) {
++ $result = $self->processArtResponseMsg( $login, $request );
++ }
++ else {
++ $result = $self->processAuthnRequestMsg( $login, $request );
++ }
++
++ unless ($result) {
+ $self->lmLog( "Signature is not valid", 'error' );
+ return PE_SAML_SIGNATURE_ERROR;
+ }
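Review bot: this block is identical to the one at `@@ -150,7 +150,17 @@` above (force hint, artifact/non-artifact branch, `unless ($result)`), so the same unchecked `forceSignatureVerification` status and undeclared `$result` remarks apply. Rather than maintaining two copies that must stay in sync for a security check, hoist the sequence into one helper called from both entry points.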
+@@ -1851,7 +1874,10 @@
+ ->{samlSPMetaDataOptionsCheckSLOMessageSignature};
+
+ if ($checkSLOMessageSignature) {
+- unless ( $self->checkSignatureStatus($logout) ) {
++
++ $self->forceSignatureVerification($logout);
++
++ unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
+ $self->lmLog( "Signature is not valid", 'error' );
+ return $self->sendSLOErrorResponse( $logout, $method );
+ }
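Review bot: duplicate of the SLO block at `@@ -277,7 +287,10 @@`, with the same remarks (ignored `forceSignatureVerification` status, inline test versus `$result`). Once these land, a regression test that submits an unsigned and a wrongly-signed LogoutRequest to both SLO entry points and expects `sendSLOErrorResponse`, plus the equivalent for the SSO paths expecting `PE_SAML_SIGNATURE_ERROR`, would catch a return of the CVE-2012-6426 behaviour on the next refresh of this patch.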