Shibboleth SP software crashes on well-formed but invalid XML.

The Service Provider software contains a code path with an uncaught exception that can be triggered by an unauthenticated attacker by supplying well-formed but schema-invalid XML in the form of SAML metadata or SAML protocol messages. The result is a crash and so causes a denial of service. You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or later. The easiest way to do so is to update the whole chain including shibboleth-2.5.5 an opensaml2.5.5. URL: http://shibboleth.net/community/advisories/secadv_20150721.txt Security: CVE-2015-2684
svn path=/head/; revision=392720
2024-11-23 00:43:28 +00:00 · 2015-07-23 13:21:05 +00:00 · 2015-07-23 13:21:05 +00:00 · 43e9362f36 · 2021-03-31 03:12:20 +00:00
commit 43e9362f36
parent 64cbb61a0a
12 changed files with 26 additions and 48 deletions
--- a/devel/xmltooling/Makefile
+++ b/devel/xmltooling/Makefile
@ -2,10 +2,9 @@
 # $FreeBSD$

 PORTNAME=	xmltooling
-PORTVERSION=	1.5.3
-PORTREVISION=	3
+PORTVERSION=	1.5.5
 CATEGORIES=	devel security
-MASTER_SITES=	http://shibboleth.net/downloads/c++-opensaml/2.5.3/
+MASTER_SITES=	http://shibboleth.net/downloads/c++-opensaml/2.5.5/

 MAINTAINER=	girgen@FreeBSD.org
 COMMENT=	Low level XML support for SAML
--- a/devel/xmltooling/distinfo
+++ b/devel/xmltooling/distinfo
@ -1,2 +1,2 @@
-SHA256 (xmltooling-1.5.3.tar.gz) = 90e453deb738574b04f1f1aa08ed7cc9d8746bcbf93eb59f401a6e38f2ec9574
-SIZE (xmltooling-1.5.3.tar.gz) = 675350
+SHA256 (xmltooling-1.5.5.tar.gz) = 5507332878b1f611efe791c8eeabd9b8327d75602949f0cb189970b8a221333f
+SIZE (xmltooling-1.5.5.tar.gz) = 713161
--- a/devel/xmltooling/files/patch-doc_Makefile.in
+++ b/devel/xmltooling/files/patch-doc_Makefile.in
@ -1,6 +1,6 @@
--- doc/Makefile.in.orig	2011-07-25 16:15:04.474558171 -0400
-+++ doc/Makefile.in	2011-07-25 16:16:15.041554095 -0400
-@@ -233,7 +233,7 @@
+--- doc/Makefile.in.orig	2015-07-09 17:28:24.000000000 +0200
+++ doc/Makefile.in	2015-07-21 20:54:22.000000000 +0200
+@@ -317,7 +317,7 @@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 AUTOMAKE_OPTIONS = foreign
@ -9,22 +9,12 @@
 docfiles = \
 	README.txt \
 	LICENSE.txt \
-@@ -243,7 +243,7 @@
- 	CURL.LICENSE
- 
- pkgdoc_DATA = $(docfiles)
-EXTRA_DIST = $(docfiles) api
-+EXTRA_DIST = $(docfiles)
- all: all-am
- 
- .SUFFIXES:
-@@ -455,10 +455,6 @@
+@@ -547,9 +547,6 @@
 
 
 install-data-hook:
 -	if test -d api ; then \
 -		cp -r api $(DESTDIR)$(pkgdocdir); \
-		rm -rf `find $(DESTDIR)$(pkgdocdir)/api -name .svn`; \
 -	fi;
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
--- a/devel/xmltooling/pkg-plist
+++ b/devel/xmltooling/pkg-plist
@ -82,10 +82,10 @@ include/xmltooling/validation/ValidatorSuite.h
 include/xmltooling/version.h
 lib/libxmltooling-lite.so
 lib/libxmltooling-lite.so.6
-lib/libxmltooling-lite.so.6.0.3
+lib/libxmltooling-lite.so.6.0.5
 lib/libxmltooling.so
 lib/libxmltooling.so.6
-lib/libxmltooling.so.6.0.3
+lib/libxmltooling.so.6.0.5
 libdata/pkgconfig/xmltooling.pc
 share/xml/xmltooling/catalog.xml
 share/xml/xmltooling/soap-envelope.xsd
--- a/security/opensaml2/Makefile
+++ b/security/opensaml2/Makefile
@ -2,7 +2,7 @@
 # $FreeBSD$

 PORTNAME=	opensaml2
-PORTVERSION=	2.5.4
+PORTVERSION=	2.5.5
 CATEGORIES=	security
 MASTER_SITES=	http://shibboleth.net/downloads/c++-opensaml/${PORTVERSION}/
 DISTNAME=	opensaml-${PORTVERSION}
--- a/security/opensaml2/distinfo
+++ b/security/opensaml2/distinfo
@ -1,2 +1,2 @@
-SHA256 (opensaml-2.5.4.tar.gz) = 562d3b5fe7b29aefbad9d5910508baf2edcb87327e51a4f239076e54663763e6
-SIZE (opensaml-2.5.4.tar.gz) = 738788
+SHA256 (opensaml-2.5.5.tar.gz) = 133bee4f1cfe79bff33d358391806eaef575cd02db9d3eb532438b24a97b12e0
+SIZE (opensaml-2.5.5.tar.gz) = 739776
--- a/security/opensaml2/files/patch-doc_Makefile.in
+++ b/security/opensaml2/files/patch-doc_Makefile.in
@ -1,11 +0,0 @@
--- doc/Makefile.in.orig
-+++ doc/Makefile.in
-@@ -231,7 +231,7 @@
- 	LOG4CPP.LICENSE
- 
- pkgdoc_DATA = $(docfiles)
-EXTRA_DIST = $(docfiles) api
-+EXTRA_DIST = $(docfiles)
- all: all-am
- 
- .SUFFIXES:
--- a/security/opensaml2/pkg-plist
+++ b/security/opensaml2/pkg-plist
@ -49,13 +49,12 @@ include/saml/util/CommonDomainCookie.h
 include/saml/util/SAMLConstants.h
 lib/libsaml.so
 lib/libsaml.so.8
-lib/libsaml.so.8.0.4
+lib/libsaml.so.8.0.5
 libdata/pkgconfig/opensaml.pc
 %%PORTDOCS%%%%DOCSDIR%%/README.txt
 %%PORTDOCS%%%%DOCSDIR%%/LICENSE.txt
 %%PORTDOCS%%%%DOCSDIR%%/NOTICE.txt
 %%PORTDOCS%%%%DOCSDIR%%/LOG4CPP.LICENSE
-%%PORTDOCS%%@dir %%DOCSDIR%%/api
 share/xml/opensaml/saml20-catalog.xml
 share/xml/opensaml/saml10-catalog.xml
 share/xml/opensaml/saml11-catalog.xml
--- a/security/shibboleth2-sp/Makefile
+++ b/security/shibboleth2-sp/Makefile
@ -2,7 +2,7 @@
 # $FreeBSD$

 PORTNAME=	shibboleth-sp
-PORTVERSION=	2.5.4
+PORTVERSION=	2.5.5
 CATEGORIES=	security www
 MASTER_SITES=	http://shibboleth.net/downloads/service-provider/${PORTVERSION}/

@ -26,6 +26,8 @@ GROUPS=		shibd
 USE_APACHE=	22+
 USE_OPENSSL=	yes

+INSTALL_TARGET=	install-strip
+
 .include <bsd.port.pre.mk>

 .if ${APACHE_VERSION} == 22
--- a/security/shibboleth2-sp/distinfo
+++ b/security/shibboleth2-sp/distinfo
@ -1,2 +1,2 @@
-SHA256 (shibboleth-sp-2.5.4.tar.gz) = be0adfb324d1831e55b2ce281c7f8bd27bb9bdd65f1d0e9d8019e4cde1ceb6bb
-SIZE (shibboleth-sp-2.5.4.tar.gz) = 993532
+SHA256 (shibboleth-sp-2.5.5.tar.gz) = 30da36e0bba2ce4606a9effc37c05cd110dafdd6d3141468c4aa0f57ce4d96ce
+SIZE (shibboleth-sp-2.5.5.tar.gz) = 1003433
--- a/security/shibboleth2-sp/files/patch-shibboleth-spec
+++ b/security/shibboleth2-sp/files/patch-shibboleth-spec
@ -1,6 +1,6 @@
--- shibboleth.spec.in.orig	2013-06-16 21:43:47.000000000 +0200
-+++ shibboleth.spec.in	2013-07-29 14:42:22.887422969 +0200
-@@ -59,7 +59,7 @@
+--- shibboleth.spec.in.orig	2015-07-20 21:31:32.000000000 +0200
+++ shibboleth.spec.in	2015-07-22 17:45:15.000000000 +0200
+@@ -71,7 +71,7 @@
 %if "%{_vendor}" == "suse"
 %define pkgdocdir %{_docdir}/shibboleth
 %else
@ -9,7 +9,7 @@
 %endif
 
 %description
-@@ -203,14 +203,6 @@
+@@ -275,14 +275,6 @@
 /sbin/ldconfig
 %endif
 
@ -18,7 +18,7 @@
 -if [ -f sp-key.pem ] ; then
 -	%{__chown} %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || :
 -else
-	sh ./keygen.sh -b -u %{runuser} -g %{runuser}
+-	/bin/sh ./keygen.sh -b -u %{runuser} -g %{runuser}
 -fi
 -
 # Fix ownership of log files (even on new installs, if they're left from an older one).
--- a/security/shibboleth2-sp/pkg-plist
+++ b/security/shibboleth2-sp/pkg-plist
@ -136,7 +136,7 @@ include/shibsp/util/PropertySet.h
 include/shibsp/util/SPConstants.h
 include/shibsp/util/TemplateParameters.h
 include/shibsp/version.h
-lib/libshibsp.so.6.0.4
+lib/libshibsp.so.6.0.5
 lib/libshibsp.so.6
 lib/libshibsp.so
 lib/shibboleth/adfs.so
@ -146,7 +146,7 @@ lib/shibboleth/plugins-lite.so
 lib/shibboleth/plugins.so
 %%WITH_APACHE_22%%lib/shibboleth/mod_shib_22.so
 %%WITH_APACHE_24%%lib/shibboleth/mod_shib_24.so
-lib/libshibsp-lite.so.6.0.4
+lib/libshibsp-lite.so.6.0.5
 lib/libshibsp-lite.so.6
 lib/libshibsp-lite.so
 sbin/shibd
@ -170,7 +170,6 @@ share/doc/shibboleth/OPENSSL.LICENSE
 share/doc/shibboleth/README.txt
 share/doc/shibboleth/RELEASE.txt
 share/doc/shibboleth/main.css
-@dir share/doc/shibboleth/api
@dir share/doc/shibboleth
@dir lib/shibboleth
@dir share/xml/shibboleth