Hi,

On Thu, 30 Nov 2017, Raphael Hertzog wrote:
> It would be nice if you (and/or other LTS users) could test the package (I
> did absolutely no tests so far, except building the package):
> $ dget https://people.debian.org/~hertzog/packages/simplesamlphp_1.9.2-1+deb7u1_amd64.changes

I installed the package and tried to access the web interface. I
discovered a few problems when logging in as admin (one missing parenthesis,
object names with underscores and not backslashes so that auto-loading
works) that I fixed.

I pushed updated packages with the same version.

Thijs, do you think you can do better tests in the next few days, or shall
I release the package as is?

Details of my fixes:

> --- simplesamlphp-1.9.2/debian/patches/CVE-2017-12872.patch   1970-01-01 
> 01:00:00.000000000 +0100
> +++ simplesamlphp-1.9.2/debian/patches/CVE-2017-12872.patch   2017-11-30 
> 15:07:03.000000000 +0100
[...]
> +--- a/lib/SimpleSAML/Session.php
> ++++ b/lib/SimpleSAML/Session.php
> +@@ -1037,7 +1037,7 @@ class SimpleSAML_Session {
> +                             SimpleSAML_Logger::warning('Missing AuthToken 
> cookie.');
> +                             return NULL;
> +                     }
> +-                    if ($_COOKIE[$authTokenCookieName] !== 
> $session->authToken) {
> ++                    if 
> (!SimpleSAML\Utils\Crypto::secureCompare($session->authToken, 
> $_COOKIE[$authTokenCookieName])) {
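Review bot: the `++` line calls `SimpleSAML\Utils\Crypto::secureCompare`, a namespaced class name, but this 1.9.2 tree uses underscore-separated class names (the Crypto.php hunk in this same patch is headed `class SimpleSAML_Utils_Crypto`), so the autoloader cannot resolve the class and the AuthToken check in Session.php fails on every admin login; use `SimpleSAML_Utils_Crypto::secureCompare($session->authToken, $_COOKIE[$authTokenCookieName])` instead.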

Here I have changed "SimpleSAML\Utils\Crypto" into "SimpleSAML_Utils_Crypto".

> +--- a/lib/SimpleSAML/Utils/Crypto.php
> ++++ b/lib/SimpleSAML/Utils/Crypto.php
> +@@ -72,7 +104,7 @@ class SimpleSAML_Utils_Crypto {
> +                             // Salted hash
> +                             $hash_length = strlen(hash($php_algo, 
> 'whatever', TRUE));
> +                             $salt = substr(base64_decode($cryptedpw), 
> $hash_length);
> +-                            return ( $crypted == self::pwHash($clear, 
> $algo, $salt) );
> ++                            return self::secureCompare($crypted, 
> self::pwHash($clear, $algo, $salt);
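Review bot: the `++` line has unbalanced parentheses: `return self::secureCompare($crypted, self::pwHash($clear, $algo, $salt);` closes the `pwHash(` call but never the `secureCompare(` call, which is a PHP parse error that takes down every password verification in Crypto.php; the line should end `$salt));`.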

Here a parenthesis was missing at the end of the line.

> +--- a/modules/authcrypt/lib/Auth/Source/Htpasswd.php
> ++++ b/modules/authcrypt/lib/Auth/Source/Htpasswd.php
> +@@ -72,8 +72,9 @@ class sspmod_authcrypt_Auth_Source_Htpas
> +                             $attributes = array_merge(array('uid' => 
> array($username)), $this->attributes);
> + 
> +                             // Traditional crypt(3)
> +-                            if(crypt($password, $crypted) == $crypted) {
> ++                            if 
> (SimpleSAML\Utils\Crypto::secureCompare($crypted, crypt($password, 
> $crypted))) {
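Review bot: same class-name problem as in the Session.php hunk: `SimpleSAML\Utils\Crypto::secureCompare` should be `SimpleSAML_Utils_Crypto::secureCompare` so that the 1.9.2 autoloader finds it; otherwise the crypt(3) branch of Htpasswd authentication errors out instead of comparing the hashes.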

Here I have changed "SimpleSAML\Utils\Crypto" into "SimpleSAML_Utils_Crypto".

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
