[GHSA-j5g2-q29x-cw3h] SimpleSAMLphp vulnerable to XXE in parsing SAML messages #5047
Conversation
|
Hi there @tvdijen! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
github-actions
bot
changed the base branch from
main
to
sandermarechal/advisory-improvement-5047
|
The SimpleSAMLphp developers do not agree with this change. You cannot assume everyone uses composer. Many of our users rely on our pre-built tarball and it is crucial that they update. We created this advisory deliberately like this. Please close this PR. |
|
The problem is that this advisory generates composer audit errors for people who do use composer, and also creates conflicts for people who use roave/security-advisories (https://github.com/Roave/SecurityAdvisories). They both use this advisory. I am forced to remove roave/security-advisories from my dependencies because of the conflict with simplesamlphp <2.0.15, even though I am not vulnerable at all! |
|
So you're running an old an unsupported version of SimpleSAMLphp and backport security-fixes by updating the dependencies? Even if you do use composer, it's generally bad practise to bypass the lock-file and |
|
We require SimpleSAMLphp as a package in our own application. Composer always ignores lockfiles from dependencies. If that is not a supported use-case then you should probably not publish simplesamlphp/simplesamlphp as a package on packagist. That said, if I have an updated simplesamlphp/saml2 then simplesamlphp/simplesamlphp <2.0.15 is not vulnerable to this XXE, right? Then this security advisory is not valid as it is. |
|
I wouldn't know, because that combination of versions is not tested. Suit yourself if you want to take a risk! |
|
👋 Hi @sandermarechal, thank you for your concern about GHSA-j5g2-q29x-cw3h, but I'm going to leave the advisory as it currently is. It's valid for the maintainers of https://github.com/simplesamlphp/simplesamlphp to want to warn users about a vulnerability for which they may need to take action. |
Advisory GHSA-j5g2-q29x-cw3h applies only to the tarball version of SimpleSAMLphp and not the composer package, because the vulnerability is in the simplesamlphp/saml2 dependency (which has its own advisory under GHSA-pxm4-r5ph-q2m2). The advisory was issued because many people install SimpleSAMLphp from tarball which ships with a composer.lock pointing to the vulnerable saml2 version. See also: github/advisory-database#5047
Advisory GHSA-j5g2-q29x-cw3h applies only to the tarball version of SimpleSAMLphp and not the composer package, because the vulnerability is in the simplesamlphp/saml2 dependency (which has its own advisory under GHSA-pxm4-r5ph-q2m2). The advisory was issued because many people install SimpleSAMLphp from tarball which ships with a composer.lock pointing to the vulnerable saml2 version. See also: github/advisory-database#5047
|
@sandermarechal and @tvdijen I showed this thread to some of my colleagues, and I came to realize that I was too hasty in closing the pull request. I'm commenting in the thread to continue the conversation and explore options for alerting users of a possible vulnerable dependency while minimizing unnecessary alerts. There are a few courses of action that could occur, each with pros and cons, and I want to get your input on each of them.
I'm curious to hear what both of you think of these options and which one is the best for reaching users of SimpleSAMLphp who need to see information about CVE-2024-52596 while minimizing unnecessary alerts. |
|
I never asked for the advisory to be published in the GitHub Advisory Database or for Dependabot-alerts to be sent in the first place.. It's out of my control. So option 3: It would be helpful if this behaviour was configurable when creating a repository advisory. |
|
@shelbyc @tvdijen Another option may be to use a different "ecosystem" tag. Right now the ecosystem is listed as "Composer", which is why composer, packagist and roave/security-advisors picked this up automatically. I tried suggesting a different ecosustem using the github suggestion UI, but "ecosystem" is a required select box, and "Composer" is the only option that comes even close. Maybe ecosystem should not be a required field? Or maybe "tarball" or "download" or "Github release" should be an ecosystem? |
|
General consensus: we need more flexibility on different levels |
|
GHSA-j5g2-q29x-cw3h has been withdrawn with a message that, although the underlying information is valid, those who are affected are users of the tarball, not users of the Composer package. @sandermarechal I'm not sure if Also, do you still want credit on the global advisory? If so, I can get help from colleagues to make that happen. @tvdijen I'm happy to pass along your feedback about wanting greater flexibility in the repository advisory publication process. For now, it is possible to do something similar to what @sandermarechal suggested, and use the |
|
Thanks @shelbyc ! I wasn't aware of the fact that selecting |
Updates
Comments
The vulnerability exists in the simplesamlphp/saml2 package, not in the simplesamlphp/simplesamlphp package. It is possible to update simplesamlphp/saml2 without updating simplesamlphp/simplesamlphp. A simple
composer updatewill work and pull in the updated simplesamlphp/saml2. In that case even older versions of simplesamlphp/simplesamlphp are safe.