[Bug 1407695] Re: [MIR] python-saml2, python-repoze.who, xmlsec1
Seth Arnold
1407695 at bugs.launchpad.net
Fri Mar 13 02:39:29 UTC 2015
I reviewed python-pysaml2 version 2.2.0-0ubuntu2 as found in Ubuntu vivid.
This should not be considered a full security audit, but rather a quick
gauge of maintainability.
- python-pysaml2 is a middleware designed to handle SAML2 authentication,
a competitor to oauth and FIDO. SAML2 is popular in enterprise
environments.
- Build-Depends: debhelper, python-all, python-setuptools, python-sphinx,
python-crypto, python-dateutil, python-decorator, python-mako,
python-memcache, python-openssl, python-paste, python-pyasn1,
python-pytest, python-pymongo, python-repoze.who, python-requests,
python-tz, python-zope.interface, xmlsec1
- Does not itself daemonize
- Does not itself listen on external interfaces
- pre/post inst/rm are automatically added
- No initscripts
- No dbus services
- No setuid executables
- No sudo fragments
- No udev rules
- No cron entries
- Spawns subprocesses, looks careful
- Files opened under direction of controlling programs
- Logging looked careful, except for logged passwords
- No environment variables
- No privileged operations
- Extensive cryptography
- No privileged portions of the program
- No temporary files
- No webkit
- No javascript
- No PolicyKit
Here are some issues I discovered while reading this program:
- src/saml2/s_utils.py sid() provides highly-guessable session identifiers
- src/saml2/s_utils.py rndstr() strings are not cryptographically strong,
appear to be used for cryptographic purposes
- src/sigver.py create_id() generated identifiers are not
cryptographically strong
- example/idp2/idp.py, example/idp2/idp_uwsgi.py, example/aa/aa.py,
example/idp2_repoze/idp.py, all have a staticfile() method that will serve
every file on the computer that is readable by the server userid. No
effort is made to filter out .. path traversals.
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py,
example/aa/aa.py, example/idp2_repoze/idp.py all have password checks
that do not attempt to prevent timing analysis.
- src/saml2/authn.py verify() will logger.debug() a password
- src/saml2/authn.py _verify() has a password check that does not attempt
to prevent timing analysis
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py,
example/aa/aa.py, example/idp2_repoze/idp.py info_from_cookie() do not
handle the TypeError exception from b64decode; will these provide a simple
DoS attack vector?
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py,
example/aa/aa.py, example/idp2_repoze/idp.py ecp() do not handle the
TypeError exception from b64decode; will these provide a simple DoS
attack vector? This method also logs HTTP_AUTHORIZATION to
logger.debug(), which may include passwords.
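As an added illustration (not pysaml2's code and not the fixes the author provided), here are hardened Python 3 counterparts to the patterns flagged above, under hypothetical names: a CSPRNG-backed session id and random string, a constant-time password check, a static-file lookup that rejects paths escaping the document root, a cookie decode that treats malformed base64 as bad input rather than an exception, and an Authorization header rendered safe for debug logging.

```python
import base64
import binascii
import hmac
import os
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def make_sid(nbytes=16):
    """Session id: 128 bits from the OS CSPRNG, hex encoded (32 chars)."""
    return secrets.token_hex(nbytes)


def rndstr(size=16):
    """Random alphanumeric string drawn with secrets, not random.choice()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(size))


def password_ok(supplied, stored):
    """Constant-time comparison; a plain == returns early on first mismatch."""
    return hmac.compare_digest(supplied.encode("utf-8"), stored.encode("utf-8"))


def resolve_static(root, requested):
    """Map a requested path to a location under root; None if it escapes root.

    Leading slashes are stripped so os.path.join cannot be overridden by an
    absolute path, and commonpath (not a string prefix test) keeps
    /srv/wwwx from passing as being under /srv/www.
    """
    base = os.path.abspath(root)
    target = os.path.abspath(os.path.join(base, requested.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def decode_cookie(value):
    """b64decode that returns None on malformed input instead of raising.

    Python 3 raises binascii.Error (a ValueError) for bad padding or, with
    validate=True, non-alphabet characters; Python 2 raised TypeError.
    """
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, TypeError, ValueError):
        return None


def loggable_authorization(header):
    """What may go to a debug log: the auth scheme only, never the credential."""
    scheme = header.split(None, 1)[0] if header else ""
    return "%s <redacted>" % scheme if scheme else "<none>"
```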
I reported the above issues to the author, who provided fixes for them
very quickly; he's inexperienced with CVEs but sounded willing to learn.
Please update the packaged version to include these fixes; I do not know
if they are security fixes, but it's plausible that some might be.
Security team ACK for promoting version 2.3.0 or higher to main.
Thanks
https://bugs.launchpad.net/bugs/1407695