Minor security update for Mahara

Bug #958841 reported by Melissa Draper
Affects            Status        Importance  Assigned to            Milestone
mahara (Ubuntu)    Fix Released  Low         Unassigned
Lucid              Fix Released  Low         Ubuntu Security Team
Maverick           Fix Released  Low         Ubuntu Security Team
Natty              Fix Released  Low         Ubuntu Security Team
Oneiric            Fix Released  Low         Ubuntu Security Team
Precise            Fix Released  Low         Unassigned

Bug Description

[Problem]
Minor security issue in past versions of Mahara.

By default, SAML authentication instances have the "Match username attribute to Remote username" setting unchecked. This means that a user logging in via single sign-on is logged in as the local Mahara user whose Mahara username matches the username attribute in the SAML assertion, regardless of which identity provider issued that assertion.

[Impact]
Security issue that could allow impersonation. Only affects sites which use the SAML authentication plugin and have more than one SAML identity provider; on such sites it would allow administrators of one institution to control users in other institutions.

[Development Fix]
Fixed upstream in the 1.4.1 release which was brought into Debian Nov 4, 2011 as version 1.4.1-1 (which fixes CVE-2011-2771, CVE-2011-2772, CVE-2011-2773, CVE-2011-2774). This version was sync'd into Ubuntu precise.

[Stable Fix]
lucid, maverick, and natty carry 1.2.x, which is affected by this issue; oneiric carries 1.4.0 and is also affected. Debdiff patches fixing all four versions are attached in comments 7, 8, 9 and 10 respectively.

[Test Case]
1. Set up Mahara with the SAML plugin
2. Set up multiple SAML instances
3. Use the default configuration
4. Set up a remote SAML username that matches a local Mahara user
5. Log on using single sign-on

Broken Behavior:
In config, "Match username attribute to Remote username" is unchecked.
Allows gaining control over the local Mahara user account.

Fixed Behavior:
"Match username attribute to Remote username" is enabled by default.

[Regression Potential]
Unknown

[Original Report]
Here are patches to fix a minor security issue in lucid, maverick, natty and oneiric versions of Mahara

The issue affects both 1.2.x and 1.4.x

 * Fix default config for sites with multiple SAML instances
   - Default configuration changed to prevent impersonation
   - https://mahara.org/interaction/forum/topic.php?id=4367
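To make the two defaults concrete, here is an added Python model (not Mahara's own code) of the account lookup the SAML plugin performs under the unchecked and the checked setting. The user records, the auth instance names and the REMOTE_LINKS table are constructed for the example; Mahara's real storage differs.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LocalUser:
    username: str
    institution: str
    authinstance: str  # the SAML auth instance this account belongs to


# Constructed local users: alice belongs to institution A (auth instance
# "saml-a"), bob to institution B ("saml-b"). Both institutions have their
# own SAML identity provider, which is the situation the bug describes.
LOCAL_USERS = [
    LocalUser("alice", "inst-a", "saml-a"),
    LocalUser("bob", "inst-b", "saml-b"),
]

# Constructed per-instance remote username links:
# (auth instance, remote username) -> local username.
# The checked setting makes the lookup go through this table.
REMOTE_LINKS = {
    ("saml-a", "alice"): "alice",
    ("saml-b", "bob"): "bob",
}


def resolve_unchecked(authinstance: str, saml_username: str) -> Optional[LocalUser]:
    """Old default (setting unchecked): match the SAML username attribute
    directly against local usernames, ignoring which IdP asserted it."""
    for user in LOCAL_USERS:
        if user.username == saml_username:
            return user
    return None


def resolve_checked(authinstance: str, saml_username: str) -> Optional[LocalUser]:
    """Fixed default (setting checked): resolve the (auth instance, remote
    username) pair, so an assertion from one institution's IdP can only
    reach accounts linked to that same auth instance."""
    local_name = REMOTE_LINKS.get((authinstance, saml_username))
    if local_name is None:
        return None
    for user in LOCAL_USERS:
        if user.username == local_name and user.authinstance == authinstance:
            return user
    return None
```

Under the old default an assertion from institution B's IdP naming "alice" resolves to institution A's account; under the fixed default the same assertion resolves to nothing.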

visibility: private → public
Changed in mahara (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Low
Changed in mahara (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Low
Changed in mahara (Ubuntu Natty):
status: New → Confirmed
importance: Undecided → Low
Changed in mahara (Ubuntu Oneiric):
status: New → Confirmed
importance: Undecided → Low
Changed in mahara (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Melissa Draper (melissa) wrote :

I've just noticed that these patches need the bug #, and the oneiric one is not even for this lot of updates. Will rectify this soon.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi Melissa,

On first review, the lucid through natty patches look fine; once you provide updated debdiffs I'll be happy to publish them for you. Thanks!

Bryce Harrington (bryce)
description: updated
Bryce Harrington (bryce)
description: updated
Bryce Harrington (bryce)
Changed in mahara (Ubuntu Lucid):
status: Confirmed → Triaged
Changed in mahara (Ubuntu Maverick):
status: Confirmed → Triaged
Changed in mahara (Ubuntu Oneiric):
status: Confirmed → Triaged
Changed in mahara (Ubuntu Natty):
status: Confirmed → Triaged
Changed in mahara (Ubuntu Precise):
status: Confirmed → Triaged
Bryce Harrington (bryce)
description: updated
Revision history for this message
Bryce Harrington (bryce) wrote :

Hi Melissa, thanks for tackling this security issue.

I've verified the packages build, reviewed the patch, and filled in the SRU description. However, since this targets the -security queue, I am not able to upload it. So, I will assign it to the security team and unsub sponsors.

Changed in mahara (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in mahara (Ubuntu Maverick):
status: Triaged → Fix Committed
Changed in mahara (Ubuntu Natty):
status: Triaged → Fix Committed
Changed in mahara (Ubuntu Oneiric):
status: Triaged → Fix Committed
Changed in mahara (Ubuntu Precise):
status: Triaged → Fix Released
Changed in mahara (Ubuntu Lucid):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in mahara (Ubuntu Maverick):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in mahara (Ubuntu Natty):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Bryce Harrington (bryce)
Changed in mahara (Ubuntu Oneiric):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.4.0-1ubuntu0.2

---------------
mahara (1.4.0-1ubuntu0.2) oneiric-security; urgency=low

  * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
    - Default configuration changed to prevent impersonation (LP: #958841)
    - debian/patches/saml_multi_default_config.patch: upstream patch
 -- Melissa Draper <email address hidden> Wed, 21 Mar 2012 14:43:12 +1300

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.2.7-1ubuntu0.3

---------------
mahara (1.2.7-1ubuntu0.3) natty-security; urgency=low

  * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
    - Default configuration changed to prevent impersonation (LP: #958841)
    - debian/patches/saml_multi_default_config.patch: upstream patch
 -- Melissa Draper <email address hidden> Wed, 21 Mar 2012 01:38:40 +0000

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.2.5-2ubuntu0.4

---------------
mahara (1.2.5-2ubuntu0.4) maverick-security; urgency=low

  * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
    - Default configuration changed to prevent impersonation (LP: #958841)
    - debian/patches/saml_multi_default_config.patch: upstream patch
 -- Melissa Draper <email address hidden> Wed, 21 Mar 2012 00:23:05 +0000

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.2.4-1ubuntu0.5

---------------
mahara (1.2.4-1ubuntu0.5) lucid-security; urgency=low

  * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
    - Default configuration changed to prevent impersonation (LP: #958841)
    - debian/patches/saml_multi_default_config.patch: upstream patch
 -- Melissa Draper <email address hidden> Wed, 21 Mar 2012 00:11:15 +0000

Changed in mahara (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in mahara (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in mahara (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in mahara (Ubuntu Oneiric):
status: Fix Committed → Fix Released
This report contains Public Security information. Everyone can see this security related information.
