Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 605324 (CVE-2016-10127)

Summary: <dev-python/pysaml2-4.0.2-r1: vulnerable to XXE
Product: Gentoo Security Reporter: Thomas Deutschmann <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor Flags: stable-bot: sanity-check+
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/rohe/pysaml2/issues/366
See Also: https://bugs.debian.org/850716
Whiteboard: B3 [noglsa cve]
Package list:
=dev-python/pysaml2-4.0.2-r1 amd64 x86
Runtime testing required: ---

Description Thomas Deutschmann gentoo-dev 2017-01-11 00:09:52 UTC
An XML XEE discovered in dev-python/pysaml2 by Matias P. Brutti.

dev-python/pysaml2 does not sanitize SAML XML requests or responses.


Upstream issue: https://github.com/rohe/pysaml2/issues/366

Upstream patch: https://github.com/fruechel/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
Comment 1 Thomas Deutschmann gentoo-dev 2017-01-11 00:11:09 UTC
CVE request: http://www.openwall.com/lists/oss-security/2017/01/10/6
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-01-11 03:17:32 UTC
no release with it yet, and openstack requires <pysaml2-4.0.3 to avoid the pycryptodome change.

so... I backported the patch and released 4.0.2-r1
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-01-11 03:18:53 UTC
arches, please stabilize =dev-python/pysaml2-4.0.2-r1
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-11 10:47:20 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-13 15:44:34 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-01-13 16:24:55 UTC
cleaned up, removing from cc
Comment 7 Thomas Deutschmann gentoo-dev 2017-01-30 02:07:58 UTC
GLSA Vote: No

Repository is clean.