Bug 710732 (CVE-2020-5390) - <dev-python/pysaml2-4.6.5-r1: does not check that the signature in a SAML document is enveloped (CVE-2020-5390)
Status: RESOLVED FIXED
Alias: CVE-2020-5390
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Reported: 2020-02-25 00:02 UTC by GLSAMaker/CVETool Bot
Modified: 2020-05-04 00:53 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-25 00:02:51 UTC
CVE-2020-5390 (https://nvd.nist.gov/vuln/detail/CVE-2020-5390):
  PySAML2 before 5.0.0 does not check that the signature in a SAML document is
  enveloped and thus signature wrapping is effective, i.e., it is affected by
  XML Signature Wrapping (XSW). The signature information and the node/object
  that is signed can be in different places and thus the signature
  verification will succeed, but the wrong data will be used. This
  specifically affects the verification of assertions that have been signed.


Upstream patch:

https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25
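The defensive check the advisory describes, as an added example that is not pysaml2's own code nor the upstream patch: before trusting a signed assertion, confirm that each ds:Signature is enveloped, meaning its Reference URI resolves to the element that directly encloses it and that the referenced ID is unique in the document. The namespaces are the standard SAML 2.0 and XML-DSig ones; the sample documents are constructed for illustration.

```python
# Added example (not pysaml2's own code): check that each ds:Signature is
# enveloped, i.e. its single Reference URI resolves to the element that directly
# encloses it and that ID is unique; this complements, not replaces, crypto checks.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def signature_is_enveloped(xml_text):
    """True only if every ds:Signature in the document signs its own parent."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}  # child -> parent map
    ids = {}
    for el in root.iter():
        if "ID" in el.attrib:
            ids.setdefault(el.attrib["ID"], []).append(el)
    sigs = list(root.iter(DS + "Signature"))
    if not sigs:
        return False  # nothing is signed at all
    for sig in sigs:
        refs = sig.findall(f"./{DS}SignedInfo/{DS}Reference")
        if len(refs) != 1:
            return False
        uri = refs[0].get("URI", "")
        if not uri.startswith("#"):
            return False  # only same-document ID references are acceptable
        targets = ids.get(uri[1:], [])
        # duplicate IDs, or a target other than the Signature's parent: not enveloped
        if len(targets) != 1 or targets[0] is not parent.get(sig):
            return False
    return True

# Constructed samples: a properly enveloped signed assertion, and a wrapped
# document whose Signature points at a sibling assertion instead of its parent.
GOOD = f"""<saml:Assertion xmlns:saml="{SAML}" ID="a1">
  <saml:Subject>alice</saml:Subject>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>
  </ds:Signature>
</saml:Assertion>"""

WRAPPED = f"""<saml:Response xmlns:saml="{SAML}">
  <saml:Assertion ID="a2">
    <saml:Subject>mallory</saml:Subject>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>
    </ds:Signature>
  </saml:Assertion>
  <saml:Assertion ID="a1"><saml:Subject>alice</saml:Subject></saml:Assertion>
</saml:Response>"""
```

The check also rejects documents where the referenced ID occurs more than once, since an ID collision is what lets a verifier and a consumer resolve the same URI to different nodes.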
Comment 1 Larry the Git Cow gentoo-dev 2020-02-28 16:29:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb6782d4bdfaedc803fd0e70791f5af297210c59

commit fb6782d4bdfaedc803fd0e70791f5af297210c59
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-02-28 16:29:16 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-02-28 16:29:46 +0000

    dev-python/pysaml2: cleanup
    
    Bug: https://bugs.gentoo.org/710732
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 dev-python/pysaml2/Manifest                |  1 -
 dev-python/pysaml2/pysaml2-4.6.3-r1.ebuild | 40 ------------------------------
 dev-python/pysaml2/pysaml2-4.6.3.ebuild    | 29 ----------------------
 dev-python/pysaml2/pysaml2-4.6.5.ebuild    | 40 ------------------------------
 4 files changed, 110 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7a247aadc5e35bf5aed61f78f7e8b0d9ed21dfb

commit e7a247aadc5e35bf5aed61f78f7e8b0d9ed21dfb
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-02-28 16:28:00 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-02-28 16:29:44 +0000

    dev-python/pysaml2: 4.6.5-r1 added fast stable for CVE-2020-5390
    
    Bug: https://bugs.gentoo.org/710732
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    RepoMan-Options: --force
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 dev-python/pysaml2/files/cve-2020-5390.patch | 189 +++++++++++++++++++++++++++
 dev-python/pysaml2/metadata.xml              |   2 +-
 dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild   |  42 ++++++
 3 files changed, 232 insertions(+), 1 deletion(-)
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2020-02-28 16:30:18 UTC
fixed, fast stable with cleanup
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-16 00:48:43 UTC
Thanks all, tree is clean.