Bug 52857 – python-pysaml2: Multiple issues (4.4)

Bug 52857 - python-pysaml2: Multiple issues (4.4)


Summary:	python-pysaml2: Multiple issues (4.4)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.4
Hardware:	All Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 4.4-7-errata
Assigned To:	Felix Botner
QA Contact:	Erik Damrose

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2021-03-01 09:45 CET by Quality Assurance
Modified:	2021-03-17 14:00 CET (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:	6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) NVD RedHat

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Quality Assurance

2021-03-01 09:45:20 CET

New Debian python-pysaml2 3.0.0-5+deb9u2A~4.4.7.202103010941 fixes:
This update addresses the following issues:
* Access restriction bypass (CVE-2017-1000433)
* PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2  before 6.5.0 has an improper verification of cryptographic signature  vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1  backend and need to verify signed SAML documents are impacted. PySAML2 does  not ensure that a signed SAML document is correctly signed. The default  CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the  signature of signed SAML documents, but by default xmlsec1 accepts any type  of key found within the given document. xmlsec1 needs to be configured  explicitly to only use only _x509 certificates_ for the verification  process of the SAML document signature. This is fixed in PySAML2 6.5.0.  (CVE-2021-21239)

Comment 1 Quality Assurance

2021-03-01 10:00:32 CET

--- mirror/ftp/4.4/unmaintained/component/4.4-7-errata/source/python-pysaml2_3.0.0-5+deb9u1A~4.4.7.202012081556.dsc
+++ apt/ucs_4.4-0-errata4.4-7/source/python-pysaml2_3.0.0-5+deb9u2A~4.4.7.202103010941.dsc
@@ -1,4 +1,4 @@
-3.0.0-5+deb9u1A~4.4.7.202012081556 [Tue, 08 Dec 2020 15:56:48 +0100] Univention builddaemon <buildd@univention.de>:
+3.0.0-5+deb9u2A~4.4.7.202103010941 [Mon, 01 Mar 2021 09:45:47 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     002
@@ -7,6 +7,16 @@
     006-disable-writeback-for-shelve
     debhelper
 
+3.0.0-5+deb9u2 [Tue, 02 Feb 2021 08:42:57 +1100] Brian May <bam@debian.org>:
+
+  [ Brian May ]
+  * Non-maintainer upload by the LTS Security Team.
+  * Fix CVE-2021-21239 - Restrict the key data that xmlsec1 accepts to on.
+
+  [ Abhijith PA ]
+  * Fix CVE-2017-1000433 - bypass password with python optimizations
+    enabled
+
 3.0.0-5+deb9u1 [Wed, 19 Feb 2020 21:45:47 +0100] Moritz Mühlenhoff <jmm@debian.org>:
 
   * CVE-2020-5390

<http://10.200.17.11/4.4-7/#2545423272866835348>

Comment 2 Erik Damrose

2021-03-03 09:41:07 CET

OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] 6e51164947 Bug #52857: python-pysaml2 3.0.0-5+deb9u2A~4.4.7.202103010941
 doc/errata/staging/python-pysaml2.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

Comment 3 Erik Damrose

2021-03-03 10:57:59 CET

Reopen: 82_saml.27_renewed_idp_cert

Comment 4 Felix Botner

2021-03-12 11:20:05 CET

Es ist dieser Patch python-pysaml2-3.0.0/debian/patches/CVE-2021-21239.patch, vermutlich wichtig, wire sollten den Test und ggf die Doku anpassen.

It is this patch python-pysaml2-3.0.0/debian/patches/CVE-2021-21239.patch

--- a/src/saml2/sigver.py
+++ b/src/saml2/sigver.py
@@ -896,6 +896,7 @@ class CryptoBackendXmlSec1(CryptoBackend

         com_list = [self.xmlsec, "--verify",
                     "--pubkey-cert-%s" % cert_type, cert_file,
+                    "--enabled-key-data", 'raw-x509-cert',
                     "--id-attr:%s" % id_attr, node_name]

         if self.debug:

that breaks our test. We should modify the the test. The test currently does not update /usr/share/univention-management-console/saml/idp/*.xml and restart univention-management-console-web-server.

Doku https://help.univention.com/t/renewing-the-ssl-certificates/37 seems .

Comment 5 Felix Botner

2021-03-12 11:29:31 CET

just added reload_idp_metadata() after renew_sso_cert() in 82_saml/27_renewed_idp_cert

ucs-test - 793c8049d07ee7c1e28754293cbf37496f467876 4.4-7
ucs-test - d8821335b3352c61ad034a12e563ef1030724087 5.0-0

Comment 6 Philipp Hahn

2021-03-12 17:19:32 CET

Failing test:
- <https://git.knut.univention.de/univention/ucs/-/blob/4.4-7/test/ucs-test/tests/82_saml/27_renewed_idp_cert>

Failing scenarios:
- <https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-7/job/AutotestJoin/lastCompletedBuild/SambaVersion=no-samba,Systemrolle=master/testReport/82_saml/27_renewed_idp_cert/master090/>

- <https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-7/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/82_saml/27_renewed_idp_cert/master091/>

Maybe <https://git.knut.univention.de/univention/ucs/-/commit/793c8049d07ee7c1e28754293cbf37496f467876> will fix it...

Comment 7 Erik Damrose

2021-03-15 15:23:55 CET

OK: UCS 4 + UCS 5 fix
Verified: Fixed test by correctly reloading metadata.

Comment 8 Julia Bremer

2021-03-17 14:00:03 CET

<https://errata.software-univention.de/#/?erratum=4.4x918>