Bug 46480 - simplesamlphp: Multiple Issues (4.2)
simplesamlphp: Multiple Issues (4.2)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
: P5 critical (vote)
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
Depends on: 46755
  Show dependency treegraph
Reported: 2018-03-05 10:24 CET by Philipp Hahn
Modified: 2018-05-08 14:57 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) NVD
hahn: Patch_Available+


Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2018-03-05 10:24:33 CET
UCS-4.2 uses Debian-Stretch 1.14.11-1+deb9u1:
CVE-2017-12867  5.9     The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.
CVE-2017-12869  7.5     The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.
CVE-2017-12873  9.8     SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
CVE-2017-12874  7.5     The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.
CVE-2017-18121  6.1     The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser.
CVE-2017-18122  8.1     A signature-validation bypass issue was discovered in SimpleSAMLphp through 1.14.16. A SimpleSAMLphp Service Provider using SAML 1.1 will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP.
CVE-2018-6519   7.5     The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1.1 in SimpleSAMLphp has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.
CVE-2018-6521   9.8     The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the MySQL utf8 charset, which truncates queries upon encountering four-byte characters. There might be a scenario in which this allows remote attackers to bypass intended access restrictions.

Comment 1 Philipp Hahn univentionstaff 2018-03-05 11:04:37 CET
repo_admin.py --cherrypick -r 4.3 --releasedest 4.2 --dest errata4.2-3 -p simplesamlphp

Package: simplesamlphp
Version: 1.14.11-1+deb9u1A~
Version: 1.14.11-1+deb9u1A~
Branch: ucs_4.2-0
Scope: errata4.2-3

OK: The following patches will be applied:

[4.2-3] 6c76c614c2 Bug #46480: simplesamlphp_1.14.11-1+deb9u1
[4.2-3] ed9aed4b6f Bug #46480: simplesamlphp_1.14.11-1+deb9u1

OK: <>
OK: <>
OK: <>
Comment 2 Erik Damrose univentionstaff 2018-03-05 17:58:41 CET
Seems like CVE-2018-7644 is also fixed in this version, please verify. https://security-tracker.debian.org/tracker/CVE-2018-7644
Comment 3 Philipp Hahn univentionstaff 2018-03-06 09:00:58 CET
(In reply to Erik Damrose from comment #2)
> Seems like CVE-2018-7644 is also fixed in this version, please verify.
> https://security-tracker.debian.org/tracker/CVE-2018-7644

Thanks, added:
[4.2-3] b5bd4c2445 Bug #46480: simplesamlphp_1.14.11-1+deb9u1 Fix
Comment 4 Arvid Requate univentionstaff 2018-04-12 20:04:54 CEST
I've removed CVE-2017-12873 from the advisory, affects the jessie version only and we have the stretch version of this particular package already in UCS 4.2.

* Upstream source package imported
* UCS patches applied during built
* Package update works
* Advisory: Ok
Comment 5 Quality Assurance univentionstaff 2018-05-04 16:56:01 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/simplesamlphp_1.14.11-1A~
+++ apt/ucs_4.2-0-errata4.2-3/source/simplesamlphp_1.14.11-1+deb9u1A~
@@ -1,8 +1,16 @@
-1.14.11-1A~ [Fri, 10 Mar 2017 12:27:29 +0100] Univention builddaemon <buildd@univention.de>:
+1.14.11-1+deb9u1A~ [Mon, 05 Mar 2018 10:50:09 +0100] Univention builddaemon <buildd@univention.de>:
   * UCS auto build. The following patches have been applied to the original source package
+1.14.11-1+deb9u1 [Thu, 01 Mar 2018 20:16:49 +0100] Thijs Kinkhorst <thijs@debian.org>:
+  * Update by the security team for stretch.
+    CVE-2017-12867 CVE-2017-12869
+    CVE-2017-12874 CVE-2017-18121 CVE-2017-18122
+    CVE-2018-6519 CVE-2018-6521 SSPSA-201802-01
+    (closes: #889286).
 1.14.11-1 [Tue, 13 Dec 2016 08:24:57 +0000] Thijs Kinkhorst <thijs@debian.org>:
Comment 6 Arvid Requate univentionstaff 2018-05-08 14:57:06 CEST