[opensaml/f16] Backported security patch for CVE-2011-1411 from 2.4.3 Update Source URL to new location
Guido Grazioli
guidograzioli at fedoraproject.org
Fri Sep 16 13:40:54 UTC 2011
commit 3fd6e080a5d1d2b027d817548bda16f085dba675
Author: Guido Grazioli <guido.grazioli at gmail.com>
Date: Fri Sep 16 23:40:38 2011 +1000
Backported security patch for CVE-2011-1411 from 2.4.3
Update Source URL to new location
opensaml-CVE-2011-1411.patch | 78 ++++++++++++++++++++++++++++++++++++++++++
opensaml.spec | 26 ++++++++-----
2 files changed, 94 insertions(+), 10 deletions(-)
---
diff --git a/opensaml-CVE-2011-1411.patch b/opensaml-CVE-2011-1411.patch
new file mode 100644
index 0000000..30df7e2
--- /dev/null
+++ b/opensaml-CVE-2011-1411.patch
@@ -0,0 +1,78 @@
+--- opensaml2-2.3.orig/saml/signature/ContentReference.cpp
++++ opensaml2-2.3/saml/signature/ContentReference.cpp
+@@ -46,6 +46,7 @@
+ void ContentReference::createReferences(DSIGSignature* sig)
+ {
+ DSIGReference* ref=NULL;
++ sig->setIdByAttributeName(false);
+ const XMLCh* id=m_signableObject.getXMLID();
+ if (!id || !*id)
+ ref=sig->createReference(&chNull, m_digest ? m_digest : DSIGConstants::s_unicodeStrURISHA1); // whole doc reference
+--- opensaml2-2.3.orig/saml/signature/SignatureProfileValidator.cpp
++++ opensaml2-2.3/saml/signature/SignatureProfileValidator.cpp
+@@ -25,6 +25,7 @@
+ #include "signature/SignableObject.h"
+ #include "signature/SignatureProfileValidator.h"
+
++#include <xmltooling/logging.h>
+ #include <xmltooling/signature/Signature.h>
+
+ #include <xercesc/util/XMLUniDefs.hpp>
+@@ -35,6 +36,7 @@
+
+ using namespace opensaml;
+ using namespace xmlsignature;
++using namespace xmltooling::logging;
+ using namespace xmltooling;
+ using namespace std;
+
+@@ -63,7 +65,14 @@
+ const SignableObject* signableObj=dynamic_cast<const SignableObject*>(sigObj.getParent());
+ if (!signableObj)
+ throw ValidationException("Signature is not a child of a signable SAML object.");
+-
++
++ if (sig->getObjectLength() != 0) {
++ Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an embedded <Object> element");
++ throw ValidationException("Invalid signature profile for SAML object.");
++ }
++
++ sig->setIdByAttributeName(false);
++
+ bool valid=false;
+ DSIGReferenceList* refs=sig->getReferenceList();
+ if (refs && refs->getSize()==1) {
+@@ -80,13 +89,33 @@
+ else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N &&
+ tlist->item(i)->getTransformType()!=TRANSFORM_C14N) {
+ valid=false;
++ Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an invalid transform");
+ break;
+ }
+ }
+ }
++
++ if (valid && URI && *URI) {
++ valid = false;
++ if (sigObj.getDOM() && signableObj->getDOM()) {
++ DOMElement* signedNode = sigObj.getDOM()->getOwnerDocument()->getElementById(ID);
++ if (signedNode && signedNode->isSameNode(signableObj->getDOM())) {
++ valid = true;
++ }
++ else {
++ Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object node");
++ }
++ }
++ }
++ }
++ else {
++ Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object ID");
+ }
+ }
+ }
++ else {
++ Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained multiple or zero references");
++ }
+
+ if (!valid)
+ throw ValidationException("Invalid signature profile for SAML object.");
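Review bot: The new patch file begins directly with the `---`/`+++` lines and carries no description of what it fixes or where it was taken from, so anyone rebasing it later has only the spec changelog to go on. A header above the first `---` line (text before the file headers is ignored when the patch is applied) such as `Backport of the upstream fix for CVE-2011-1411 from OpenSAML 2.4.3: rejects a signature carrying an embedded <Object> element, calls setIdByAttributeName(false) before references are created or validated, and requires the single reference URI to resolve to the parent SAML object's own DOM node` would record that provenance. The added validator block also reads `URI` and `ID`, which are declared outside the lines the patch touches, so when rebasing it is worth confirming they still hold the reference URI and the parent object's ID. Both enclosing function bodies start and end outside the patched hunks.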
diff --git a/opensaml.spec b/opensaml.spec
index b5b2be9..caed0c0 100644
--- a/opensaml.spec
+++ b/opensaml.spec
@@ -1,13 +1,13 @@
Name: opensaml
Version: 2.3
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: Security Assertion Markup Language
Group: System Environment/Libraries
License: ASL 2.0
URL: http://www.opensaml.org/
-Source0: http://shibboleth.internet2.edu/downloads/opensaml/cpp/%{version}/opensaml-%{version}.tar.gz
-Patch0: %{name}-rm-pl-ending.patch
+Source0: http://www.shibboleth.net/downloads/c++-opensaml/archive/%{version}/opensaml-%{version}.tar.gz
+Patch0: %{name}-CVE-2011-1411.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: log4cpp-devel
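Review bot: Patch0 is repointed from `%{name}-rm-pl-ending.patch` to the CVE patch, but the diffstat lists only the new patch and the spec, so the old patch file presumably stays in the package tree unreferenced; either remove it in this commit or keep it as a separate `Patch1:` entry if it is still wanted. The old `#%patch0 -p1` line in the next hunk shows it was not being applied before, so dropping the reference does not change the built package, which is worth stating in the changelog entry.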
@@ -59,16 +59,17 @@ that support the SAML 1.0, 1.1, and 2.0 specifications.
%prep
%setup -q
-#%patch0 -p1
+%patch0 -p1
# Remove private zlib to be sure we don't use it.
rm -rf saml/zlib
%build
-aclocal
-autoconf
-autoheader
-automake --add-missing --copy
-libtoolize --copy --force
+#aclocal
+#autoconf
+#autoheader
+#automake --add-missing --copy
+#libtoolize --copy --force
+autoreconf -fiv
%configure
make %{?_smp_mflags}
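Review bot: The five autotools invocations in `%build` are commented out rather than deleted when replaced by `autoreconf -fiv`; the git history and the changelog already record the old form, so the dead lines only add noise. Leave `autoreconf -fiv` as the sole line between `%build` and `%configure`. This `%build` section continues past the hunk.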
@@ -94,7 +95,6 @@ rm -rf $RPM_BUILD_ROOT
#%{_bindir}/samltest
%{_libdir}/libsaml.so.*
%{_datadir}/xml/opensaml
-
%doc doc/README.txt doc/LICENSE.txt
%files devel
@@ -108,6 +108,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Wed Sep 14 2011 Guido Grazioli <guido.grazioli at gmail.com> - 2.3-6
+- Backported security patch for CVE-2011-1411 from 2.4.3
+- Update Source URL to new location
+
* Wed Mar 16 2011 Kalev Lember <kalev at smartlink.ee> - 2.3-5
- Rebuilt with xml-security-c 1.6
@@ -122,11 +126,13 @@ rm -rf $RPM_BUILD_ROOT
* Thu Nov 19 2009 Steve Traylen <steve.traylen at cern.ch> - 2.3-1
- New upstream 2.3
+
* Fri Oct 16 2009 Steve Traylen <steve.traylen at cern.ch> - 2.2.1-2
- Change Source URL to explicit version rather than "latest"
- Add a BuildRequires of cxxtest.
- Add Requires xml-common to ensure existence of /usr/share/xml
- Add more minimum versions for BuildRequires.
+
* Tue Oct 6 2009 Steve Traylen <steve.traylen at cern.ch> - 2.2.1-1
- First Build