Fix dead code issue
Resolves: rhbz#1966606: CVE-2021-28091 lasso: XML signature wrapping vulnerability when parsing SAML responses
This commit is contained in:
parent
3791d4b04d
commit
1f87a4d9fe
@ -0,0 +1,59 @@
|
||||
From 20f653f70818b85fe1b4de77a629fce352fb8cbd Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 26 Jul 2021 16:25:52 +0200
|
||||
Subject: [PATCH] lasso_saml20_login_process_response_status_and_assertion:
|
||||
handle rc as per verify_hint
|
||||
|
||||
In case VERIFY_HINT was set to IGNORE and the login signature was
|
||||
incorrect, lasso_saml20_login_process_response_status_and_assertion
|
||||
would have jumped straight to the cleanup label which just returns the
|
||||
return code. Let's jump to a new label handlerc instead which might set
|
||||
the return code to 0 in case verify_hint is set to IGNORE.
|
||||
|
||||
Related: https://dev.entrouvert.org/issues/54689
|
||||
---
|
||||
lasso/saml-2.0/login.c | 20 ++++++--------------
|
||||
1 file changed, 6 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
|
||||
index cf62c1cc9..1d5668b5b 100644
|
||||
--- a/lasso/saml-2.0/login.c
|
||||
+++ b/lasso/saml-2.0/login.c
|
||||
@@ -1371,7 +1371,7 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
|
||||
char *status_value;
|
||||
lasso_error_t rc = 0;
|
||||
lasso_error_t assertion_signature_status = 0;
|
||||
- LassoProfileSignatureVerifyHint verify_hint;
|
||||
+ LassoProfileSignatureVerifyHint verify_hint = LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST;
|
||||
|
||||
profile = &login->parent;
|
||||
lasso_extract_node_or_fail(response, profile->response, SAMLP2_STATUS_RESPONSE,
|
||||
@@ -1492,20 +1492,12 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
|
||||
lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion);
|
||||
}
|
||||
|
||||
- switch (verify_hint) {
|
||||
- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
|
||||
- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
|
||||
- break;
|
||||
- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
|
||||
- /* ignore signature errors */
|
||||
- if (rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
|
||||
- rc = 0;
|
||||
- }
|
||||
- break;
|
||||
- default:
|
||||
- g_assert(0);
|
||||
- }
|
||||
cleanup:
|
||||
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE &&
|
||||
+ rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
|
||||
+ profile->signature_status = rc;
|
||||
+ rc = 0;
|
||||
+ }
|
||||
return rc;
|
||||
}
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
@ -59,7 +59,7 @@
|
||||
Summary: Liberty Alliance Single Sign On
|
||||
Name: lasso
|
||||
Version: 2.7.0
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: GPLv2+
|
||||
URL: http://lasso.entrouvert.org/
|
||||
Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
|
||||
@ -96,6 +96,7 @@ Patch0005: 0005-Check-if-the-signature-method-is-allowed-in-addition.patch
|
||||
Patch0006: 0006-python-Skip-the-DSA-key-test-unless-SHA-1-is-configu.patch
|
||||
Patch0007: 0007-test13_test_lasso_server_load_metadata-Don-t-verify-.patch
|
||||
Patch0008: autogen.noconfig
|
||||
Patch0009: 0009-lasso_saml20_login_process_response_status_and_asser.patch
|
||||
|
||||
%description
|
||||
Lasso is a library that implements the Liberty Alliance Single Sign On
|
||||
@ -322,6 +323,11 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jun 28 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-7
|
||||
- Fix dead code issue
|
||||
- Resolves: rhbz#1966606: CVE-2021-28091 lasso: XML signature wrapping
|
||||
vulnerability when parsing SAML responses
|
||||
|
||||
* Thu Jul 29 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-6
|
||||
- Resolves: rhbz#1984822 - lasso: FTBFS in test suite due to short test
|
||||
timeout (potentially OpenSSL-related)
|
||||
|
Loading…
Reference in New Issue
Block a user