[MIR] libapache2-mod-auth-mellon, liblasso3

Bug #1610286 reported by Corey Bryant
This bug affects 2 people
Affects                              Status        Importance  Assigned to  Milestone
lasso (Ubuntu)                       Fix Released  Medium      Unassigned
libapache2-mod-auth-mellon (Ubuntu)  Fix Released  Medium      Unassigned

Bug Description

[MIR] libapache2-mod-auth-mellon

[Availability]
Currently in universe.

[Rationale]
This module is required for OpenStack Keystone Federation: http://docs.openstack.org/developer/keystone/configure_federation.html

[Security]
No security history.

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.

[Dependencies]
All are in main except for liblasso3.

[Standards Compliance]
FHS and Debian Policy compliant.

[Maintenance]
Simple package that the OpenStack Team will take care of.

[Background]
mod_auth_mellon is an authentication module for Apache. It authenticates the user against a SAML 2.0 IdP, and grants access to directories depending on attributes received from the IdP.

--------

[MIR] liblasso3 (lasso)

[Availability]
Currently in universe.

[Rationale]
liblasso3 is required by libapache2-mod-auth-mellon.

[Security]
CVE-2012-6426 LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.

CVE-2009-0050 Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.

CVE-2005-2605 Unknown vulnerability in Lasso Professional Server 8.0.4 and 8.0.5 allows attackers to bypass authentication, related to [Auth] tags.

CVE-2002-2118 Buffer overflow in Blue World Lasso Web Data Engine 3.6.5 allows remote attackers to cause a denial of service via a long URL.

CVE-1999-1250 Vulnerability in CGI program in the Lasso application by Blue World, as used on WebSTAR and other servers, allows remote attackers to read arbitrary files.

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.

[Dependencies]
All are in main.

[Standards Compliance]
FHS and Debian Policy compliant.

[Maintenance]
The OpenStack Team will take care of this package.

[Background]
Lasso (Liberty Alliance Single Sign-On) is a free (GNU GPL) implementation of the Liberty Alliance specifications. Those define processes for federated identities, single sign-on and related protocols. Lasso provides both a C library and bindings for different languages.

homepage: http://lasso.entrouvert.or

affects: ubuntu → libapache2-mod-auth-mellon (Ubuntu)
Michael Terry (mterry) wrote :

libapache2-mod-auth-mellon has no security history? The last changelog entry has this:
    - Fixes Denial of Service issues [CVE-2016-2145, CVE-2016-2146].

Looks like both of these are security sensitive, will pass to security team.

Changed in libapache2-mod-auth-mellon (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in lasso (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Seth Arnold (seth-arnold) wrote :

I reviewed libapache2-mod-auth-mellon version 0.12.0-1 as checked into
zesty. This should not be considered a full security audit but rather a
quick gauge of maintainability.

- Four previous CVEs were reported against this module. While this is
  unfortunate I don't think it's unduly distressing.

- libapache2-mod-auth-mellon provides an authn and authz interface for
  Apache that can perform queries against a centralized SAML IdP.
- Build-Depends: debhelper, autotools-dev, dh-apache2, apache2-dev,
  libcurl3-dev, liblasso3-dev
- Does not itself daemonize
- pre/post inst/rm are automatically generated
- No initscripts
- No dbus services
- No setuid files
- No binaries in the path
- No sudo fragments
- No udev rules
- No test suite
- No cron jobs
- Clean build logs
- Clean cppcheck

- No subprocesses spawned
- Memory management is usual for apache modules
- File IO is under control of configuration files
- Logging is very extensive
- Environment variables can be read as directed by configuration files
- No privileged system calls
- Does use curl to download data
- No obviously privileged portions of the code
- The use of /var/tmp/mellonLock should be changed
- No WebKit
- No JavaScript
- No PolicyKit

Here's some notes I took while reading the code; Olav will release a
new version soon with these issues addressed. Olav was responsive and
thoughtful.

- am_postdir_cleanup() could be extremely expensive if it had to walk a
  directory of twenty thousand saved requests. It has no mechanism to
  bail after a certain amount of work. am_save_post() appears to call
  am_postdir_cleanup() unconditionally on every saved post. This has
  the potential to have spiraling costs until finally all threads are
  spending all their time re-walking the same pile of files looking for
  old ones to delete.
  [The default setting is 100.]
- am_hc_block_write() is tail-recursive. If the compiler fails to optimize
  the tail call away, the call depth might wind up blowing out the stack
  frame available to the thread. How large is this stack frame? What is
  the largest amount of data that curl can be expected to retrieve? Having
  a thousand little 1012 byte structures in memory just to handle a one
  megabyte download sounds suboptimal.
  [Curl currently calls this function with no more than 16kB blocks, the
  responses from auth servers are typically < 4kB.]
- auth_mellon_commands claims the lockfile path is /tmp/mellonLock -- this
  is not a safe default if it's correct. (I think it's no longer correct,
  but /var/tmp/mellonLock isn't better -- someplace only the webserver
  user can write to would be ideal. mellonPost directory perhaps?)
  [Not currently used on Linux,

Security team ACK for promoting libapache2-mod-auth-mellon to main.

Thanks

Seth Arnold (seth-arnold) wrote :

I reviewed lasso 2.5.0-5build1 as checked into ubuntu zesty. This should
not be considered a full security audit but rather a quick gauge of
maintainability.

lasso has two CVEs in our databases, CVE-2009-0050 and CVE-2015-1783. The
first was an OpenSSL API misuse which was common to many other
applications due to awkward API design. The second was use of an
uninitialized variable, which appeared to be due to a typo.

Lasso is part of a single-signon system as part of Project Liberty.

- Build-Depends: debhelper, dh-python, libxml2-dev, libxslt1-dev,
  libxmlsec1-dev, libxmlsec1-openssl, libglib2.0-dev, python-all-dev,
  python3-all-dev, libexpat1-dev, fastjar, python-lxml, python3-lxml,
  python-six, python3-six, chrpath, dh-python

- does not itself do networking
- does not itself daemonize
- pre/post inst/rm scripts are automatically generated
- no init scripts
- no dbus services
- no setuid
- no binaries in PATH
- no sudo fragments
- no udev rules
- there is a test suite but it is not run at build time
- no cron jobs
- build logs are clean

- no subprocesses spawned
- memory management is using glib's allocators, which kill the program on
  failure. There are roughly 360 of these in the sources; it is a big
  assumption for a library to make that falling over is the best way to
  handle an error.
- file IO under control of callers
- extensive error logging, spot checks looked safe
- uses environment variables REQUEST_METHOD and QUERY_STRING presumably
  from a web server
- no privileged functions
- extensive use of encryption
- does not itself do networking
- no privileged portions of code
- no temporary files
- no webkit
- no javascript
- no policykit
- many cppcheck warnings but probably only one real error:
  - lasso/id-wsf/discovery.c lasso_discovery_build_credential()
    'profile' may be NULL in this expression:
    response = LASSO_DISCO_QUERY_RESPONSE(profile->response);

- tests/tests.c my_malloc() fails to account for size=0 allocations

While lasso looks like it was programmed defensively, the subject matter
is extremely complex, and logic errors are likely. It's just too large to
avoid. We will rely heavily on upstream or other teams inside of Canonical
in the event vulnerabilities in the protocol handling are discovered.

Please enable the test suite.

Security team ACK on promoting lasso to main on the condition that the
test suite is enabled.

Thanks

Changed in libapache2-mod-auth-mellon (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in lasso (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
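A worked illustration of the DSA_verify return-value misuse described in the review above (added example; not code from lasso, mod_auth_mellon or OpenSSL). toy_verify is a constructed stand-in that mimics OpenSSL's 1 / 0 / -1 verify contract with a trivial checksum, and the two wrappers show the buggy and the correct way of collapsing that tri-state result into an accept/reject decision.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the DSA_verify() result contract:
 * 1 = valid, 0 = mismatch, -1 = error (malformed input). The "signature"
 * is a 16-bit checksum, used only to exercise all three return paths. */
static uint16_t toy_checksum(const uint8_t *msg, size_t n)
{
    uint16_t sum = 0;
    for (size_t i = 0; i < n; i++) sum = (uint16_t)(sum * 31u + msg[i]);
    return sum;
}

static int toy_verify(const uint8_t *msg, size_t n, const uint8_t *sig, size_t sig_len)
{
    if (sig == NULL || sig_len != 2)
        return -1;                        /* cannot even parse the signature */
    uint16_t got = (uint16_t)((sig[0] << 8) | sig[1]);
    return got == toy_checksum(msg, n) ? 1 : 0;
}

/* Buggy pattern (CVE-2009-0050 class): "non-zero means success", so the
 * -1 error path for a malformed signature is accepted as valid. */
int signature_ok_buggy(const uint8_t *msg, size_t n, const uint8_t *sig, size_t sig_len)
{
    return toy_verify(msg, n, sig, sig_len) != 0;
}

/* Correct pattern: only an explicit 1 is success; 0 and -1 both fail,
 * and the error path is logged so malformed input stays visible. */
int signature_ok_fixed(const uint8_t *msg, size_t n, const uint8_t *sig, size_t sig_len)
{
    int rc = toy_verify(msg, n, sig, sig_len);
    if (rc < 0)
        fprintf(stderr, "signature verification error: malformed input\n");
    return rc == 1;
}

/* kind: 0 = genuine signature, 1 = tampered, 2 = malformed (absent).
 * Returns (buggy_verdict << 1) | fixed_verdict for side-by-side comparison. */
int run_case(const char *msg, int kind)
{
    const uint8_t *m = (const uint8_t *)msg;
    size_t n = strlen(msg), sl = (kind == 2) ? 0 : 2;
    uint16_t sum = toy_checksum(m, n);
    uint8_t sig[2] = { (uint8_t)(sum >> 8), (uint8_t)((sum & 0xff) ^ (kind == 1)) };
    const uint8_t *s = (kind == 2) ? NULL : sig;
    return (signature_ok_buggy(m, n, s, sl) << 1) | signature_ok_fixed(m, n, s, sl);
}
```

run_case("hello", 2) returns 2: the buggy wrapper accepts the malformed signature while the fixed one rejects it, which is exactly the bypass the CVE describes.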
James Page (james-page) wrote :

Lasso needs some testsuite enablement; libapache2-mod-auth-mellon +1'ed for main promotion.

Changed in lasso (Ubuntu):
importance: Undecided → Medium
Changed in libapache2-mod-auth-mellon (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Changed in lasso (Ubuntu):
status: New → Incomplete
Corey Bryant (corey.bryant) wrote :

Tests have been enabled during build in lasso 2.5.0-5ubuntu1.

Changed in lasso (Ubuntu):
status: Incomplete → New
Dmitrii Shcherbakov (dmitriis) wrote :

I tested mod-auth-mellon/lasso on xenial with testshib (http://www.testshib.org/) and ADFS (that comes with w2k12r2) on the idP side, including sha256 support https://dev.entrouvert.org/issues/10019 - I could successfully perform authentication and get to a protected page. Both Service Provider (mellon) and Identity Provider (shibboleth or ADFS) were TLS-terminated though this does not matter for the functionality under test.

Sample mellon metadata XML:
https://paste.ubuntu.com/p/cg7j6hrhm6/

Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

libapache2-mod-auth-mellon 0.12.0-1
liblasso3 2.5.0-3ubuntu2

Corey Bryant (corey.bryant) wrote :
Matthias Klose (doko) wrote :

lasso:
  - please add a symbols file for the shared library
  - please update to the 2.5.1 release. From the ChangeLog it looks like a bug-fix-only release.

2.5.1 - February 19th 2016
---------------------------
17 commits, 16 files changed, 1096 insertions, 42 deletions

 - Add missing urn constants used in PAOS HTTP header
 - Set NotBefore in SAML 2.0 login assertions
 - tests: fix leak in test test16_test_get_issuer
 - id-ff: fix leak of profile->private_data->message_id
 - saml-2.0: fix leak of message_id in lasso_profile_saml20_build_paos_request_msg
 - tests: fix leaks in test_ecp
 - xml: fix wrong termination of comment
 - xml: fix leak in lasso_soap_envelope_new_full
 - profile: fix leak of private idp_list field
 - saml-2.0: fix leaks of url
 - tests: fix leak
 - tests: update valgrind suppressions
 - perl: remove quotes from $PERL -V::ccflags: output (#9572)
 - Fix wrong snippet type (fixes #9616). Thanks to Brett Gardner for the patch.
 - tools.c: use correct NID and digest length when building RSA signature using SHA-2 digest
   (fixes #10019) Thanks to Brett Gardner for the patch.
 - bindings/php5: fix enum getters and setters (fixes #10032). Thanks to Brett Gardner for the bug
   report.
 - fix warning about INCLUDES directive

Changed in lasso (Ubuntu):
status: New → Incomplete
Matthias Klose (doko) wrote :

libapache2-mod-auth-mellon itself looks ok

Corey Bryant (corey.bryant) wrote :

Thanks very much for the reviews. I've uploaded lasso 2.5.1-0ubuntu1 which includes the liblasso3.symbols file. I've also submitted patches for test enablement and addition of symbols file back to Debian.

Changed in lasso (Ubuntu):
status: Incomplete → New
Matthias Klose (doko) wrote :

Override component to main
lasso 2.5.1-0ubuntu1 in bionic: universe/libs -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic amd64: universe/libs/optional/100% -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic arm64: universe/libs/optional/100% -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic armhf: universe/libs/optional/100% -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic i386: universe/libs/optional/100% -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic ppc64el: universe/libs/optional/100% -> main
liblasso-perl 2.5.1-0ubuntu1 in bionic s390x: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic amd64: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic arm64: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic armhf: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic i386: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic ppc64el: universe/libs/optional/100% -> main
liblasso3 2.5.1-0ubuntu1 in bionic s390x: universe/libs/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic amd64: universe/libdevel/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic arm64: universe/libdevel/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic armhf: universe/libdevel/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic i386: universe/libdevel/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic ppc64el: universe/libdevel/optional/100% -> main
liblasso3-dev 2.5.1-0ubuntu1 in bionic s390x: universe/libdevel/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic amd64: universe/python/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic arm64: universe/python/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic armhf: universe/python/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic i386: universe/python/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic ppc64el: universe/python/optional/100% -> main
python-lasso 2.5.1-0ubuntu1 in bionic s390x: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic amd64: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic arm64: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic armhf: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic i386: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic ppc64el: universe/python/optional/100% -> main
python3-lasso 2.5.1-0ubuntu1 in bionic s390x: universe/python/optional/100% -> main

Changed in lasso (Ubuntu):
status: New → Fix Released
Matthias Klose (doko) wrote :

Override component to main
libapache2-mod-auth-mellon 0.13.1-1build2 in bionic: universe/misc -> main
libapache2-mod-auth-mellon 0.13.1-1build2 in bionic amd64: universe/web/extra/100% -> main
libapache2-mod-auth-mellon 0.13.1-1build2 in bionic arm64: universe/web/extra/100% -> main
libapache2-mod-auth-mellon 0.13.1-1build2 in bionic armhf: universe/web/extra/100% -> main
libapache2-mod-auth-mellon 0.13.1-1build2 in bionic i386: universe/web/extra/100% -> main
libapache2-mod-auth-mellon 0.13.1-1build2 in bionic ppc64el: universe/web/extra/100% -> main
libapache2-mod-auth-mellon 0.13.1-1build2 in bionic s390x: universe/web/extra/100% -> main
7 publications overridden.

Changed in libapache2-mod-auth-mellon (Ubuntu):
status: Triaged → Fix Released
Dmitrii Shcherbakov (dmitriis) wrote :

Thanks a lot for this.
