[Bug 1438483] Re: Sync moonshot-gss-eap 0.9.2-3+deb8u1 (universe) from Debian unstable (main)

Micah Gersten launchpad at micahscomputing.com
Tue Mar 31 04:14:56 UTC 2015


Thank you for keeping Ubuntu up to date.  I'll take a look at this.

** Changed in: moonshot-gss-eap (Ubuntu)
       Status: New => In Progress

** Changed in: moonshot-gss-eap (Ubuntu)
   Importance: Undecided => High

** Changed in: moonshot-gss-eap (Ubuntu)
     Assignee: (unassigned) => Micah Gersten (micahg)

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1438483

Title:
  Sync moonshot-gss-eap 0.9.2-3+deb8u1 (universe) from Debian unstable
  (main)

Status in moonshot-gss-eap package in Ubuntu:
  Fix Released

Bug description:
  Please sync moonshot-gss-eap 0.9.2-3+deb8u1 (universe) from Debian
  unstable (main)

  This version addresses two critical problems which will affect Ubuntu users.
  These are not filed in Launchpad, but were Debian bugs.
  The first is that if an application using moonshot-gss-eap deletes a security context (read: closes a session) all uses of openssl in the same process break.

  The second is that there's a parsing bug that prevents credentials issued by the world's only production Moonshot service (JISC Assent) from being used.
  While Ubuntu users are free to set up their own moonshot services, we know that several sites in the target customer base of JISC Assent do use Ubuntu and we'd like moonshot-gss-eap in Ubuntu to work for them.

  I've included a debdiff to illustrate that the changes are small and
  well-contained.

  Changelog entries since current vivid version 0.9.2-3:

  moonshot-gss-eap (0.9.2-3+deb8u1) unstable; urgency=medium

    * Incorporate upstream deltas:
        - 6dbf073: Allow white space in CA certificates, Closes: #781312
        - 90f04c98: Don't shut down openssl on last context deletion,
      Closes: #781311

   -- Sam Hartman <hartmans at debian.org>  Fri, 27 Mar 2015 08:16:18 -0400

  diff --git a/debian/changelog b/debian/changelog
  index 5aa07bc..3027275 100644
  --- a/debian/changelog
  +++ b/debian/changelog
  @@ -1,3 +1,12 @@
  +moonshot-gss-eap (0.9.2-3+deb8u1) unstable; urgency=medium
  +
  +  * Incorporate upstream deltas:
  +      - 6dbf073: Allow white space in CA certificates, Closes: #781312
  +      - 90f04c98: Don't shut down openssl on last context deletion,
  +    Closes: #781311
  +
  + -- Sam Hartman <hartmans at debian.org>  Fri, 27 Mar 2015 08:16:18 -0400
  +
   moonshot-gss-eap (0.9.2-3) unstable; urgency=medium
   
     * Review security of libeap/wpa_supplicant and send mail to security
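
Review bot: In the new changelog entry, the continuation line `Closes: #781311` is indented less than the `- 90f04c98:` item it belongs to, so it reads as a separate line rather than as part of that bullet. Indent it to line up with the item text, the way `Closes: #781312` stays attached to the `6dbf073` item.
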
  diff --git a/libeap/src/crypto/tls_openssl.c b/libeap/src/crypto/tls_openssl.c
  index c0a40f9..d155c09 100644
  --- a/libeap/src/crypto/tls_openssl.c
  +++ b/libeap/src/crypto/tls_openssl.c
  @@ -767,13 +767,7 @@ void tls_deinit(void *ssl_ctx)
   
   	tls_openssl_ref_count--;
   	if (tls_openssl_ref_count == 0) {
  -#ifndef OPENSSL_NO_ENGINE
  -		ENGINE_cleanup();
  -#endif /* OPENSSL_NO_ENGINE */
  -		CRYPTO_cleanup_all_ex_data();
   		ERR_remove_state(0);
  -		ERR_free_strings();
  -		EVP_cleanup();
   		os_free(tls_global);
   		tls_global = NULL;
   	}
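
Review bot: The `if (tls_openssl_ref_count == 0)` branch in tls_deinit() drops `ENGINE_cleanup()`, `CRYPTO_cleanup_all_ex_data()`, `ERR_free_strings()` and `EVP_cleanup()` with no comment saying why, so a later cleanup pass could easily put them back. Add a short comment at that branch stating that these calls tear down process-wide OpenSSL state that other code in the same process may still be using, which is why only the per-thread `ERR_remove_state(0)` and the module's own `tls_global` are released here. Please also confirm that the matching init path is safe to run again after the count has returned to zero, since that code is not visible in this hunk.
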
  diff --git a/mech_eap/util_base64.c b/mech_eap/util_base64.c
  index aaa1ea8..0ec1cdc 100644
  --- a/mech_eap/util_base64.c
  +++ b/mech_eap/util_base64.c
  @@ -124,9 +124,15 @@ base64Decode(const char *str, void *data)
       q = data;
       p = str;
   
  -    while (*p && *p && (*p == '=' || strchr(base64_chars, *p))) {
  -	unsigned int val = token_decode(p);
  -	unsigned int marker = (val >> 24) & 0xff;
  +    while (*p && (*p == '=' || strchr(base64_chars, *p) || isspace(*p))) {
  +	unsigned int val; 
  +	unsigned int marker; 
  +	if (isspace(*p)) {
  +            p++;
  +            continue;
  +        }
  +        val = token_decode(p);
  +        marker = (val >> 24) & 0xff;
   	if (val == DECODE_ERROR)
   	    return -1;
   	*q++ = (val >> 16) & 0xff;
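
Review bot: The new `isspace(*p)` calls, in the loop condition and in the skip branch, pass a plain `char`; where `char` is signed, a byte with the high bit set becomes a negative value, and passing that to `isspace()` is undefined behaviour. Cast at both sites, e.g. `isspace((unsigned char)*p)`, and make sure `<ctype.h>` is included, since this diff adds no include. Whitespace is also only skipped at the start of each four-character group, so a line break that falls inside a group is still handed to `token_decode()`; if that input should be accepted it needs handling, and if not, a comment saying so. The added lines mix space indentation with the tabs of the surrounding code and leave trailing whitespace after `val;` and `marker;`.
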
  @@ -135,8 +141,6 @@ base64Decode(const char *str, void *data)
   	if (marker < 1)
   	    *q++ = val & 0xff;
   	p += 4;
  -	if (*p == '\n')
  -	    p++;
       }
       return q - (unsigned char *) data;
   }
  diff --git a/mech_eap/util_moonshot.c b/mech_eap/util_moonshot.c
  index ce05322..68537a3 100644
  --- a/mech_eap/util_moonshot.c
  +++ b/mech_eap/util_moonshot.c
  @@ -241,8 +241,7 @@ libMoonshotResolveInitiatorCred(OM_uint32 *minor,
   
           blobLength = base64Decode(caCertificate, blobData);
   
  -        if ((blobLength <= 0) ||
  -            (blobLength < maxLength - 2)) {
  +        if (blobLength <= 0) {
               major = GSS_S_DEFECTIVE_CREDENTIAL;
               *minor = GSSEAP_BAD_CACERTIFICATE;
               GSSEAP_FREE(blobData);
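
Review bot: With `(blobLength < maxLength - 2)` removed, the only check left on the decoded CA certificate is `blobLength <= 0`, so a truncated blob now gets past this point. Dropping the comparison fits the decoder no longer counting whitespace, but the code that consumes `blobData` then has to be the one that rejects a malformed certificate; please confirm it does, since it is not visible in this hunk. Also check whether `maxLength` is still used after this change, and that `blobData` is sized from the encoded string, because `base64Decode()` takes no output length.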
