I reviewed python-pysaml2 version 2.2.0-0ubuntu2 as found in Ubuntu vivid.
This should not be considered a full security audit, but rather a quick
gauge of maintainability.

- python-pysaml2 is a middleware designed to handle SAML2 authentication,
a competitor to OAuth and FIDO. SAML2 is popular in enterprise
- Build-Depends: debhelper, python-all, python-setuptools, python-sphinx,
python-crypto, python-dateutil, python-decorator, python-mako,
python-memcache, python-openssl, python-paste, python-pyasn1,
python-pytest, python-pymongo, python-repoze.who, python-requests,
python-tz, python-zope.interface, xmlsec1
- Does not itself daemonize
- Does not itself listen on external interfaces
- pre/post inst/rm are automatically added
- No setuid executables
- Spawns subprocesses, looks careful
- Files opened under direction of controlling programs
- Logging looked careful, except for logged passwords
- No environment variables
- No privileged operations
- Extensive cryptography
- No privileged portions of the program

Here are some issues I discovered while reading this program:
- src/saml2/s_utils.py sid() provides highly guessable session identifiers
- src/saml2/s_utils.py rndstr() strings are not cryptographically strong, but
appear to be used for cryptographic purposes
- src/sigver.py create_id() generated identifiers are not
cryptographically strong
- example/idp2/idp.py, example/idp2/idp_uwsgi.py, example/aa/aa.py,
example/idp2_repoze/idp.py all have a staticfile() method that will serve
any file on the machine that is readable by the server's user id; no
attempt is made to filter out ".." path traversal.
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py,
example/aa/aa.py, example/idp2_repoze/idp.py all have password checks
that do not attempt to prevent timing analysis.
- src/saml2/authn.py verify() logs a password via logger.debug()
- src/saml2/authn.py _verify() has a password check that does not attempt
to prevent timing analysis
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py,
example/aa/aa.py, example/idp2_repoze/idp.py info_from_cookie() do not
handle the TypeError exception from b64decode, will these provide a simple
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py,
example/aa/aa.py, example/idp2_repoze/idp.py ecp() do not handle the
TypeError exception from b64decode; will these provide a simple DoS
attack vector? This method also logs HTTP_AUTHORIZATION via
logger.debug(), which may include passwords.
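
As an added illustration of the first three findings (sid(), rndstr() and create_id()), and not code taken from pysaml2: the Python helpers below draw identifiers from the operating system's CSPRNG through the `secrets` module, refuse a request that would yield fewer than 128 bits of entropy, and show why a seeded generator from `random` is guessable (two instances with the same seed emit the same "random" string). The function names, the 128-bit threshold and the "id-" prefix are this example's own assumptions, not pysaml2 API; it assumes Python 3.6 or later for `secrets`.

```python
# Added example: CSPRNG-backed identifiers (assumes Python 3.6+ for `secrets`).
# Not pysaml2 code; names and thresholds are this example's own choices.
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
MIN_ENTROPY_BITS = 128  # assumed policy: below this an identifier is guessable


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a string of `length` symbols drawn uniformly from `alphabet`."""
    return length * math.log2(len(alphabet))


def secure_rndstr(length=32, alphabet=ALPHABET):
    """Random string built with secrets.choice (os.urandom underneath).

    Unlike random.choice, secrets.choice is safe for secrets. The length check
    turns a quietly weak call into a loud failure at the call site.
    """
    if entropy_bits(length, alphabet) < MIN_ENTROPY_BITS:
        raise ValueError("%d symbols from a %d-symbol alphabet give < %d bits"
                         % (length, len(alphabet), MIN_ENTROPY_BITS))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def secure_sid():
    """Session identifier: 16 random bytes as URL-safe base64 without padding."""
    return secrets.token_urlsafe(16)


def secure_create_id():
    """Identifier usable as a SAML/XML ID attribute.

    XML IDs are NCNames and must not start with a digit, hence the prefix.
    """
    return "id-" + secrets.token_hex(16)


def seeded_rndstr(seed, length=16, alphabet=ALPHABET):
    """The weak pattern: a Mersenne Twister seeded from a guessable value.

    Here the seed is the caller's argument; in practice it is often the clock.
    Anyone who knows or can brute-force the seed reproduces the string exactly.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def all_distinct(generator, n=1000):
    """Sanity check for a generator: n draws must all differ."""
    return len({generator() for _ in range(n)}) == n
```

A practitioner reviewing a replacement would check exactly two things: that the bytes come from `os.urandom` (directly or via `secrets`), and that the output length carries enough entropy; `entropy_bits` makes the second check explicit rather than leaving it to whoever picks a default length.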
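
The traversal in the staticfile() finding, shown as an added example rather than the example IdPs' own code: a naive join of the static root with the request path, beside a hardened variant that canonicalises the result and refuses anything that does not stay under the root. The directory layout, file names and file contents in demo() are constructed for the demonstration.

```python
# Added example: static file serving with and without path traversal protection.
# Not the pysaml2 example IdP code; layout in demo() is constructed.
import os
import tempfile


def unsafe_staticfile(root, path):
    """The vulnerable pattern: join root with a client-supplied path and open it.

    "../" segments (or an absolute path, which makes os.path.join drop `root`
    entirely) reach any file the server's uid can read.
    """
    with open(os.path.join(root, path), "rb") as f:
        return f.read()


def safe_staticfile(root, path):
    """Hardened variant: canonicalise, then require the result to stay under root.

    Returns None for anything outside root, for absolute paths, for NUL bytes
    and for non-regular files; the caller answers 404 in that case.
    """
    root = os.path.realpath(root)
    if "\x00" in path or os.path.isabs(path):
        return None
    full = os.path.realpath(os.path.join(root, path))  # resolves ".." and symlinks
    try:
        inside = os.path.commonpath([root, full]) == root
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or not os.path.isfile(full):
        return None
    with open(full, "rb") as f:
        return f.read()


def demo():
    """Constructed layout: <tmp>/secret.txt beside <tmp>/static/ok.css."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "static")
    os.mkdir(root)
    with open(os.path.join(root, "ok.css"), "wb") as f:
        f.write(b"body{}")
    with open(os.path.join(tmp, "secret.txt"), "wb") as f:
        f.write(b"top secret")
    traversal = os.path.join("..", "secret.txt")
    return {
        "unsafe_traversal": unsafe_staticfile(root, traversal),  # leaks the file
        "safe_traversal": safe_staticfile(root, traversal),      # None
        "safe_absolute": safe_staticfile(root, os.path.join(tmp, "secret.txt")),
        "safe_legit": safe_staticfile(root, "ok.css"),
        "safe_directory": safe_staticfile(root, "."),
    }
```

Filtering the literal string ".." is not enough on its own (encoded forms, symlinks inside the static tree and absolute paths all bypass it); comparing the resolved path against the resolved root is the check that actually holds.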
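
For the timing-analysis, b64decode and logging findings on the example IdPs, an added example that is not the project's code: a plain `==` password check that writes the secret to the debug log, beside an hmac.compare_digest check that logs only the outcome; an info_from_cookie() that treats malformed base64 as "no cookie" instead of raising; and a redaction helper for the Authorization header. The credential table, cookie layout ("<uid>:<sid>" in base64) and log messages are constructed for the example. It assumes Python 3, where b64decode raises binascii.Error (a ValueError) where Python 2 raised TypeError; catching both keeps the handler portable.

```python
# Added example: constant-time password checks, defensive cookie decoding and
# secret-free logging for an IdP-style handler. Not pysaml2 code; PASSWD and the
# cookie layout are constructed. Assumes Python 3.
import base64
import binascii
import hashlib
import hmac
import logging

logger = logging.getLogger("idp")

# Constructed credential table standing in for an example IdP's password dict.
PASSWD = {"alice": "correct horse battery staple"}


def check_naive(user, password):
    """The pattern the report describes.

    `==` on str stops at the first differing byte, so response time leaks how
    much of the guess was right, and the debug line writes the secret to the log.
    """
    logger.debug("check_naive %s:%s", user, password)  # secret on disk
    return PASSWD.get(user) == password


def check_constant_time(user, password):
    """Hash both sides to a fixed length, then compare with hmac.compare_digest.

    Hashing first gives every comparison the same length, so compare_digest
    does not even leak the stored password's length, and an unknown user costs
    the same as a known user with a wrong password.
    """
    stored = PASSWD.get(user, "")
    expected = hashlib.sha256(stored.encode("utf-8")).digest()
    supplied = hashlib.sha256(password.encode("utf-8")).digest()
    ok = hmac.compare_digest(expected, supplied) and user in PASSWD
    logger.debug("password check user=%r result=%s", user, "ok" if ok else "fail")
    return ok


def make_cookie(uid, sid):
    """Encode the constructed cookie layout base64("<uid>:<sid>")."""
    return base64.b64encode(("%s:%s" % (uid, sid)).encode("utf-8")).decode("ascii")


def info_from_cookie(value):
    """Parse the cookie; return (uid, sid) or None, never raise on bad input.

    Python 2's b64decode raised TypeError on bad padding; Python 3 raises
    binascii.Error (a ValueError). With validate=True, non-alphabet characters
    are an error instead of being silently dropped. An unhandled exception here
    turns an attacker-supplied cookie into a 500 on every request.
    """
    if not value:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (TypeError, ValueError, binascii.Error):
        logger.debug("undecodable session cookie (%d chars)", len(value))
        return None
    try:
        uid, sep, sid = raw.decode("utf-8").partition(":")
    except UnicodeDecodeError:
        return None
    if not sep or not uid or not sid:
        return None
    return uid, sid


def redact_authorization(header):
    """Log-safe rendering of HTTP_AUTHORIZATION: scheme only, never the credential."""
    scheme, _, _ = header.partition(" ")
    return "%s <redacted>" % (scheme or "?")
```

The same shape applies to the ecp() handlers: decode inside a try/except that covers both exception families, and pass the Authorization header through redact_authorization() before it reaches logger.debug().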

I reported the above issues to the author, who provided fixes for them
very quickly; he's inexperienced with CVEs but sounded willing to learn.

Please update the packaged version to include these fixes; I do not know
if they are security fixes, but it's plausible that some might be.

Security team ACK for promoting version 2.3.0 or higher to main.