[opensaml/f15] Backported security patch for CVE-2011-1411 from 2.4.3 Update Source URL to new location
Guido Grazioli
guidograzioli at fedoraproject.org
Fri Sep 16 13:18:49 UTC 2011
commit e85923898751f60eab2305f4ef8bf88abc4ad582
Author: Guido Grazioli <guido.grazioli at gmail.com>
Date: Fri Sep 16 15:02:01 2011 +1000
Backported security patch for CVE-2011-1411 from 2.4.3
Update Source URL to new location
opensaml-CVE-2011-1411.patch | 78 ++++++++++++++++++++++++++++++++++++++++++
opensaml.spec | 32 ++++++++--------
2 files changed, 94 insertions(+), 16 deletions(-)
---
diff --git a/opensaml-CVE-2011-1411.patch b/opensaml-CVE-2011-1411.patch
new file mode 100644
index 0000000..30df7e2
--- /dev/null
+++ b/opensaml-CVE-2011-1411.patch
@@ -0,0 +1,78 @@
+--- opensaml2-2.3.orig/saml/signature/ContentReference.cpp
++++ opensaml2-2.3/saml/signature/ContentReference.cpp
+@@ -46,6 +46,7 @@
+ void ContentReference::createReferences(DSIGSignature* sig)
+ {
+ DSIGReference* ref=NULL;
++ sig->setIdByAttributeName(false);
+ const XMLCh* id=m_signableObject.getXMLID();
+ if (!id || !*id)
+ ref=sig->createReference(&chNull, m_digest ? m_digest : DSIGConstants::s_unicodeStrURISHA1); // whole doc reference
+--- opensaml2-2.3.orig/saml/signature/SignatureProfileValidator.cpp
++++ opensaml2-2.3/saml/signature/SignatureProfileValidator.cpp
+@@ -25,6 +25,7 @@
+ #include "signature/SignableObject.h"
+ #include "signature/SignatureProfileValidator.h"
+
++#include <xmltooling/logging.h>
+ #include <xmltooling/signature/Signature.h>
+
+ #include <xercesc/util/XMLUniDefs.hpp>
+@@ -35,6 +36,7 @@
+
+ using namespace opensaml;
+ using namespace xmlsignature;
++using namespace xmltooling::logging;
+ using namespace xmltooling;
+ using namespace std;
+
+@@ -63,7 +65,14 @@
+ const SignableObject* signableObj=dynamic_cast<const SignableObject*>(sigObj.getParent());
+ if (!signableObj)
+ throw ValidationException("Signature is not a child of a signable SAML object.");
+-
++
++ if (sig->getObjectLength() != 0) {
++ Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an embedded <Object> element");
++ throw ValidationException("Invalid signature profile for SAML object.");
++ }
++
++ sig->setIdByAttributeName(false);
++
+ bool valid=false;
+ DSIGReferenceList* refs=sig->getReferenceList();
+ if (refs && refs->getSize()==1) {
+@@ -80,13 +89,33 @@
+ else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N &&
+ tlist->item(i)->getTransformType()!=TRANSFORM_C14N) {
+ valid=false;
++ Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an invalid transform");
+ break;
+ }
+ }
+ }
++
++ if (valid && URI && *URI) {
++ valid = false;
++ if (sigObj.getDOM() && signableObj->getDOM()) {
++ DOMElement* signedNode = sigObj.getDOM()->getOwnerDocument()->getElementById(ID);
++ if (signedNode && signedNode->isSameNode(signableObj->getDOM())) {
++ valid = true;
++ }
++ else {
++ Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object node");
++ }
++ }
++ }
++ }
++ else {
++ Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object ID");
+ }
+ }
+ }
++ else {
++ Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained multiple or zero references");
++ }
+
+ if (!valid)
+ throw ValidationException("Invalid signature profile for SAML object.");
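Review bot: The `sig->setIdByAttributeName(false)` call and the later `getElementById(ID)` lookup only work together when the parser has typed the signed object's ID attribute as an actual ID; with the attribute-name fallback disabled, a document parsed without that typing makes `getElementById` return null and every reference to a signed object is rejected — that fails closed, which is the right direction, but the dependency deserves a comment. I would add above the `setIdByAttributeName(false)` line: `// Resolve the reference only through IDs the parser registered, never by attribute name; the isSameNode check below then pins the signed element to this object so a wrapped copy elsewhere in the document cannot satisfy the reference.` If I remember correctly upstream shipped this fix together with companion changes in xmltooling, and nothing in the spec hunks pins the xmltooling or xml-security-c versions this build links against, so that is worth confirming before relying on the backport. The four repeated `Category::getInstance(SAML_LOGCAT".SignatureProfileValidator")` lookups could be hoisted into one `Category& log = Category::getInstance(SAML_LOGCAT".SignatureProfileValidator");` at the top of the function. The enclosing validator function begins before this hunk, so the branch that sets `URI` and `ID` is not visible here.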
diff --git a/opensaml.spec b/opensaml.spec
index 4227166..dfb5ecd 100644
--- a/opensaml.spec
+++ b/opensaml.spec
@@ -1,13 +1,13 @@
Name: opensaml
Version: 2.3
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Security Assertion Markup Language
Group: System Environment/Libraries
License: ASL 2.0
URL: http://www.opensaml.org/
-Source0: http://shibboleth.internet2.edu/downloads/opensaml/cpp/%{version}/opensaml-%{version}.tar.gz
-Patch0: %{name}-rm-pl-ending.patch
+Source0: http://www.shibboleth.net/downloads/c++-opensaml/archive/%{version}/opensaml-%{version}.tar.gz
+Patch0: %{name}-CVE-2011-1411.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: log4cpp-devel
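Review bot: Source0 now points at a plain http:// URL and the spec carries no checksum, so the integrity of the fetched tarball rests entirely on the lookaside `sources` entry, which is not part of this diff — worth confirming it was regenerated for the new location. Patch0 is swapped from `%{name}-rm-pl-ending.patch` to the CVE patch instead of being added as Patch1; since the old patch was commented out in %prep that is harmless, but the diffstat shows the old patch file was not removed from the tree, so it will linger as an unused source.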
@@ -19,8 +19,7 @@ BuildRequires: cxxtest
Requires: xml-common
-# Needed since we are doing an autoreconf
-# below.
+# Needed since we are doing an autoreconf below.
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: libtool
@@ -31,8 +30,8 @@ Markup Language Specification. It contains a set of open source C++ classes
that support the SAML 1.0, 1.1, and 2.0 specifications.
%package devel
-Summary: Security Assertion Markup Language Development
-Group: System Environment/Libraries
+Summary: Security Assertion Markup Language Development
+Group: System Environment/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
@@ -43,8 +42,8 @@ that support the SAML 1.0, 1.1, and 2.0 specifications.
%{name}-devel provides header files for development.
%package doc
-Summary: Security Assertion Markup Language Documentation
-Group: System Environment/Libraries
+Summary: Security Assertion Markup Language Documentation
+Group: System Environment/Libraries
Requires: %{name} = %{version}-%{release}
%if %{?fedora}%{!?fedora:0} >= 10 || %{?rhel}%{!?rhel:0} >= 6
BuildArch: noarch
@@ -59,16 +58,12 @@ that support the SAML 1.0, 1.1, and 2.0 specifications.
%prep
%setup -q
-#%patch0 -p1
+%patch0 -p1
# Remove private zlib to be sure we don't use it.
rm -rf saml/zlib
%build
-aclocal
-autoconf
-autoheader
-automake --add-missing --copy
-libtoolize --copy --force
+autoreconf -fiv
%configure
make %{?_smp_mflags}
@@ -94,7 +89,6 @@ rm -rf $RPM_BUILD_ROOT
#%{_bindir}/samltest
%{_libdir}/libsaml.so.*
%{_datadir}/xml/opensaml
-
%doc doc/README.txt doc/LICENSE.txt
%files devel
@@ -108,6 +102,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Wed Sep 14 2011 Guido Grazioli <guido.grazioli at gmail.com> - 2.3-4
+- Backported security patch for CVE-2011-1411 from 2.4.3
+- Update Source URL to new location
+
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
@@ -116,11 +114,13 @@ rm -rf $RPM_BUILD_ROOT
* Thu Nov 19 2009 Steve Traylen <steve.traylen at cern.ch> - 2.3-1
- New upstream 2.3
+
* Fri Oct 16 2009 Steve Traylen <steve.traylen at cern.ch> - 2.2.1-2
- Change Source URL to explicit version rather than "latest"
- Add a BuildRequires of cxxtest.
- Add Requires xml-common to ensure existence of /usr/share/xml
- Add more minimum versions for BuildRequires.
+
* Tue Oct 6 2009 Steve Traylen <steve.traylen at cern.ch> - 2.2.1-1
- First Build