[SCM] Debian packaging for the Shibboleth Apache SP branch, etch, updated. b18d7f7c2dabfd16cfb0d64585d3948155ac554d

Russ Allbery rra at debian.org
Fri Sep 25 05:18:22 UTC 2009 

The following commit has been merged in the etch branch:
commit 0988b3ffd9b9a776639d3dc01057bfe2ec719468
Author: Russ Allbery <rra at debian.org>
Date:   Thu Sep 24 15:19:47 2009 -0700

    Backport upstream security fix for URL decoding
    
    * SECURITY: Correctly handle decoding of malformed URLs, closing a
      possibly exploitable buffer overflow.
      See <http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>

diff --git a/debian/changelog b/debian/changelog
index bc820af..abed638 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 shibboleth-sp (1.3f.dfsg1-2+etch1) UNRELEASED; urgency=high
 
+  * SECURITY: Correctly handle decoding of malformed URLs, closing a
+    possibly exploitable buffer overflow.
+    See <http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>
   * SECURITY: Certificate subject names were incorrectly matched against
     trusted "key names" when they contained nul characters.  This affects
     only Shibboleth deployments relying on the "PKIX" style of trust
diff --git a/debian/patches/security-url-decode b/debian/patches/security-url-decode
new file mode 100644
index 0000000..97913b5
--- /dev/null
+++ b/debian/patches/security-url-decode
@@ -0,0 +1,27 @@
+SECURITY: Correctly handle decoding of malformed URLs, closing a
+possibly exploitable buffer overflow.
+
+See <http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>
+
+--- shibboleth-sp.orig/adfs/adfs.cpp
++++ shibboleth-sp/adfs/adfs.cpp
+@@ -240,7 +240,7 @@
+ 
+     for(x=0,y=0;url[y];++x,++y)
+     {
+-        if((url[x] = url[y]) == '%')
++        if((url[x] = url[y]) == '%' && isxdigit(url[y+1]) && isxdigit(url[y+2]))
+         {
+             url[x] = x2c(&url[y+1]);
+             y+=2;
+--- shibboleth-sp.orig/shib-target/shib-handlers.cpp
++++ shibboleth-sp/shib-target/shib-handlers.cpp
+@@ -522,7 +522,7 @@
+ 
+     for(x=0,y=0;url[y];++x,++y)
+     {
+-        if((url[x] = url[y]) == '%')
++        if((url[x] = url[y]) == '%' && isxdigit(url[y+1]) && isxdigit(url[y+2]))
+         {
+             url[x] = x2c(&url[y+1]);
+             y+=2;
diff --git a/debian/patches/series b/debian/patches/series
index 2e2d755..67f99f4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ dfsg
 remote-mysql
 64-bit
 security-cert-name
+security-url-decode

-- 
Debian packaging for the Shibboleth Apache SP

More information about the Pkg-shibboleth-devel mailing list