Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 797223 (CVE-2021-33054) - <gnustep-apps/sogo-5.1.1: user impersonation vulnerability with SAML auth (CVE-2021-33054)
Summary: <gnustep-apps/sogo-5.1.1: user impersonation vulnerability with SAML auth (CV...
Status: RESOLVED FIXED
Alias: CVE-2021-33054
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://blogs.akamai.com/2021/06/sogo...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-20 22:59 UTC by John Helmert III
Modified: 2021-06-22 01:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-06-20 22:59:38 UTC
CVE-2021-33054 (https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md):

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)


Maintainers, I guess we just need to cleanup 4.x?
Comment 1 Bernard Cafarelli gentoo-dev 2021-06-21 22:14:21 UTC
Looks so, let me remove sope/sogo 4.3.2 and we will be good there
Comment 2 Larry the Git Cow gentoo-dev 2021-06-21 22:15:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15c1feabb78a45a595b94bda58555d5c63ceb39a

commit 15c1feabb78a45a595b94bda58555d5c63ceb39a
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-21 22:15:34 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-21 22:15:46 +0000

    gnustep-libs/sope: drop version for removed sogo 4.x
    
    Bug: https://bugs.gentoo.org/797223
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 gnustep-libs/sope/Manifest          |  1 -
 gnustep-libs/sope/sope-4.3.2.ebuild | 54 -------------------------------------
 2 files changed, 55 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e56b89a609e0343c716986912b5f8508ed8ece0

commit 1e56b89a609e0343c716986912b5f8508ed8ece0
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-06-21 22:14:47 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-06-21 22:15:46 +0000

    gnustep-apps/sogo: drop security vulnerable version
    
    Bug: https://bugs.gentoo.org/797223
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 gnustep-apps/sogo/Manifest          |   1 -
 gnustep-apps/sogo/sogo-4.3.2.ebuild | 102 ------------------------------------
 2 files changed, 103 deletions(-)
Comment 3 John Helmert III gentoo-dev Security 2021-06-22 01:03:08 UTC
Thanks! noglsa, all done