Minor security update for Mahara

Bug #958841 reported by Melissa Draper on 2012-03-18
Affects            Status   Importance   Assigned to             Milestone
mahara (Ubuntu)             Low          Unassigned
Lucid                       Low          Ubuntu Security Team
Maverick                    Low          Ubuntu Security Team
Natty                       Low          Ubuntu Security Team
Oneiric                     Low          Ubuntu Security Team
Precise                     Low          Unassigned

Bug Description

[Problem]
Minor security issue in past versions of Mahara.

By default, SAML authentication instances have the "Match username attribute to Remote username" setting unchecked. This means that a user logging in using single sign-on will log in as the local Mahara user whose Mahara username matches their SAML username attribute.

[Impact]
Security issue. Could allow for impersonation. Only affects sites which make use of the SAML authentication plugin and have more than one SAML identity provider. Would allow administrators of one institution to control users in other institutions.

[Development Fix]
Fixed upstream in the 1.4.1 release which was brought into Debian Nov 4, 2011 as version 1.4.1-1 (which fixes CVE-2011-2771, CVE-2011-2772, CVE-2011-2773, CVE-2011-2774). This version was sync'd into Ubuntu precise.

[Stable Fix]
lucid, maverick, and natty carry 1.2.x which is affected by this issue. oneiric carries 1.4.0 and is also affected. Debdiff patches to fix all four versions are attached in comments 7,8,9,10 respectively.

[Test Case]
1. Set up mahara with the SAML plugin
2. Set up multiple SAML instances
3. Use default configuration
4. Set up a remote SAML username that matches a local Mahara user
5. Log on using single sign-on
Broken Behavior:
In config, "Match username attribute to Remote username" is unchecked.
Allows gaining control over the local Mahara user account.

Fixed Behavior:
"Match username attribute to Remote username" is enabled by default.
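The description and test case above describe two ways a SAML username attribute can be resolved to a local account. The following is an added illustration written for this page, not Mahara's own code: the data structures, the per-instance remote-user mapping and the function names are hypothetical, and exist only to show why the "Match username attribute to Remote username" default matters once a site has more than one SAML authentication instance, and how an administrator could audit a configuration for the unsafe combination.

```python
"""Model of the two SAML username-resolution modes described in this bug.

Added illustration, not Mahara code. Names, data structures and the sample
site below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class SamlInstance:
    """One configured SAML identity provider (an 'auth instance')."""
    instance_id: int
    institution: str
    # Mirrors the "Match username attribute to Remote username" checkbox.
    match_remote_username: bool
    # Hypothetical per-instance mapping: remote username -> local username.
    remote_users: dict = field(default_factory=dict)


# Constructed sample site: two institutions, each with its own IdP. The local
# user "alice" belongs to uni-a only, "bob" to uni-b only.
LOCAL_USERS = {
    "alice": {"institution": "uni-a"},
    "bob": {"institution": "uni-b"},
}


def build_sample_site(fixed_default):
    """Two SAML instances; 'fixed_default' selects the post-1.4.1 default."""
    uni_a = SamlInstance(1, "uni-a", fixed_default, {"alice": "alice"})
    uni_b = SamlInstance(2, "uni-b", fixed_default, {"bob": "bob"})
    return [uni_a, uni_b]


def resolve_local_user(instance, saml_username):
    """Return the local username a SAML assertion logs in as, or None."""
    if not instance.match_remote_username:
        # Old default (setting unchecked): the SAML username attribute is
        # compared directly against local usernames, ignoring which IdP
        # asserted it. Any instance can therefore reach any local account.
        return saml_username if saml_username in LOCAL_USERS else None
    # New default (setting checked): only a remote username explicitly mapped
    # under *this* auth instance resolves, so an assertion from another
    # institution's IdP cannot reach accounts it has no mapping for.
    return instance.remote_users.get(saml_username)


def audit_instances(instances):
    """Ids of instances still using the unsafe setting on a site with more
    than one SAML instance, which is the condition the report describes."""
    if len(instances) < 2:
        return []
    return [i.instance_id for i in instances if not i.match_remote_username]


if __name__ == "__main__":
    for fixed in (False, True):
        site = build_sample_site(fixed)
        label = "checked" if fixed else "unchecked"
        print(f"setting {label}: uni-b assertion for 'alice' ->",
              resolve_local_user(site[1], "alice"),
              "| instances to fix:", audit_instances(site))
```

Running the script shows the behaviour the test case describes: with the setting unchecked, an assertion from the uni-b instance for "alice" resolves to the uni-a account; with it checked, the same assertion resolves to nothing, and `audit_instances` returns an empty list.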

[Regression Potential]
Unknown

[Original Report]
Here are patches to fix a minor security issue in lucid, maverick, natty and oneiric versions of Mahara.

The issue affects both 1.2.x and 1.4.x

 * Fix default config for sites with multiple SAML instances
   - Default configuration changed to prevent impersonation
   - https://mahara.org/interaction/forum/topic.php?id=4367

Melissa Draper (melissa) wrote :
visibility: private → public
Changed in mahara (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Low
Changed in mahara (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Low
Changed in mahara (Ubuntu Natty):
status: New → Confirmed
importance: Undecided → Low
Changed in mahara (Ubuntu Oneiric):
status: New → Confirmed
importance: Undecided → Low
Changed in mahara (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Low
Melissa Draper (melissa) wrote :

I've just noticed that these patches need the bug #, and the oneiric one is not even for this lot of updates. Will rectify this soon

Steve Beattie (sbeattie) wrote :

Hi Melissa,

On first review, the lucid through natty patches look fine; once you provide updated debdiffs I'll be happy to publish them for you. Thanks!

Melissa Draper (melissa) wrote :
Bryce Harrington (bryce) on 2012-03-22
description: updated
Bryce Harrington (bryce) on 2012-03-22
description: updated
Bryce Harrington (bryce) on 2012-03-22
Changed in mahara (Ubuntu Lucid):
status: Confirmed → Triaged
Changed in mahara (Ubuntu Maverick):
status: Confirmed → Triaged
Changed in mahara (Ubuntu Oneiric):
status: Confirmed → Triaged
Changed in mahara (Ubuntu Natty):
status: Confirmed → Triaged
Changed in mahara (Ubuntu Precise):
status: Confirmed → Triaged
Bryce Harrington (bryce) on 2012-03-22
description: updated
Bryce Harrington (bryce) wrote :

Hi Melissa, thanks for tackling this security issue.

I've verified the packages build, reviewed the patch, and filled in the SRU description. However, since this targets the -security queue, I am not able to upload it. So, I will assign it to the security team and unsub sponsors.

Changed in mahara (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in mahara (Ubuntu Maverick):
status: Triaged → Fix Committed
Changed in mahara (Ubuntu Natty):
status: Triaged → Fix Committed
Changed in mahara (Ubuntu Oneiric):
status: Triaged → Fix Committed
Changed in mahara (Ubuntu Precise):
status: Triaged → Fix Released
Changed in mahara (Ubuntu Lucid):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in mahara (Ubuntu Maverick):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in mahara (Ubuntu Natty):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Bryce Harrington (bryce) on 2012-03-22
Changed in mahara (Ubuntu Oneiric):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.4.0-1ubuntu0.2

---------------
mahara (1.4.0-1ubuntu0.2) oneiric-security; urgency=low

  * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
    - Default configuration changed to prevent impersonation (LP: #958841)
    - debian/patches/saml_multi_default_config.patch: upstream patch
 -- Melissa Draper <email address hidden> Wed, 21 Mar 2012 14:43:12 +1300

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.2.7-1ubuntu0.3

---------------
mahara (1.2.7-1ubuntu0.3) natty-security; urgency=low

  * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
    - Default configuration changed to prevent impersonation (LP: #958841)
    - debian/patches/saml_multi_default_config.patch: upstream patch
 -- Melissa Draper <email address hidden> Wed, 21 Mar 2012 01:38:40 +0000

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.2.5-2ubuntu0.4

---------------
mahara (1.2.5-2ubuntu0.4) maverick-security; urgency=low

  * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
    - Default configuration changed to prevent impersonation (LP: #958841)
    - debian/patches/saml_multi_default_config.patch: upstream patch
 -- Melissa Draper <email address hidden> Wed, 21 Mar 2012 00:23:05 +0000

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.2.4-1ubuntu0.5

---------------
mahara (1.2.4-1ubuntu0.5) lucid-security; urgency=low

  * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
    - Default configuration changed to prevent impersonation (LP: #958841)
    - debian/patches/saml_multi_default_config.patch: upstream patch
 -- Melissa Draper <email address hidden> Wed, 21 Mar 2012 00:11:15 +0000

Changed in mahara (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in mahara (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in mahara (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in mahara (Ubuntu Oneiric):
status: Fix Committed → Fix Released