author | V3n3RiX <venerix@redcorelinux.org> | 2020-02-29 18:01:47 +0000 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2020-02-29 18:01:47 +0000 |
commit | ceeeb463cc1eef97fd62eaee8bf2196ba04bc384 (patch) | |
tree | 9f47ee47c31a0f13f9496879cd88a1042550aa81 /dev-python/pysaml2 | |
parent | 53cba99042fa967e2a93da9f8db806fe2d035543 (diff) |
gentoo (leap year) resync : 29.02.2020
Diffstat (limited to 'dev-python/pysaml2')
-rw-r--r-- | dev-python/pysaml2/Manifest | 8 | ||||
-rw-r--r-- | dev-python/pysaml2/files/cve-2020-5390.patch | 189 | ||||
-rw-r--r-- | dev-python/pysaml2/metadata.xml | 2 | ||||
-rw-r--r-- | dev-python/pysaml2/pysaml2-4.6.3-r1.ebuild | 40 | ||||
-rw-r--r-- | dev-python/pysaml2/pysaml2-4.6.3.ebuild | 29 | ||||
-rw-r--r-- | dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild (renamed from dev-python/pysaml2/pysaml2-4.6.5.ebuild) | 2 |
6 files changed, 195 insertions, 75 deletions
diff --git a/dev-python/pysaml2/Manifest b/dev-python/pysaml2/Manifest index 3bf09c4de822..4ae7312c874e 100644 --- a/dev-python/pysaml2/Manifest +++ b/dev-python/pysaml2/Manifest 
@@ -1,6 +1,4 @@ -DIST pysaml2-4.6.3.tar.gz 316979 BLAKE2B cf393075903269ce93dd219bd23479949ce8e39383d8150f8ee30185733569fe79c7421b87b3439b95e707f17d5f513abfa2610be76441b8f18d8f75a5a9fdd3 SHA512 259f7395afad44caac32453a03bbdaf8c464adeeb856b78786b665281dbe75b37e8054efaf945a7d10333c0b09d9f516d606e95b157aed34c1cd0821b7255b9d +AUX cve-2020-5390.patch 15871 BLAKE2B d5c129683e60d27c692669f71955bae111579c92fff19750b4c08117371020185a2925a480cabcfc3164b737a16f84447679d05d835726fb864b1c2eff3369ab SHA512 b338a795664d3d0917ca3dace6c0817ed4445e1fa720f8eb1da6c8d4a6c0fc7985495af8d82fa4994c75b1a0dd29d1048c461214f712163829079c0b94bb8f27 DIST pysaml2-4.6.5.tar.gz 319131 BLAKE2B d2b78d00cc5e65717bae267fbe88c781d4583996025eb4a9602030215f842a29b625ba41905e867d887e4564bbacdb1251170af46e5f00cc0f9d202c7741418d SHA512 da9cd23f9bef37da1079bba539f91df6a79190fcf8ab20b4c025fd8eae9b147799623dcc1376acfb6ff06c8566a58d478f8da7765195fe058d54007a2ebe79bb -EBUILD pysaml2-4.6.3-r1.ebuild 1219 BLAKE2B 5909b42219923f06b23f2ac16998745d46735d4a9f632d9a21ca47ea6accf080d2a980e4584bbb6a733c7a3eb55f1d6c31dc2f0e68395c0af2b712a9bf92fe42 SHA512 ddc2ec9df857b4625593eaac22ed3cbab90aa85153d3c6a8ac7800855bbe86b029ca16dce6ea7ebd08f06095d0fac750d75a31f44a0ecc618faff791877ddac9 -EBUILD pysaml2-4.6.3.ebuild 813 BLAKE2B 04fe2029b78a53fd2d3e71f3a06ab446b258ecb8c0ce5723c4fe7682bb57bc162427b61d4703722e049e45d75fceda3a55668193b8440223bf03d71cb6a81af3 SHA512 bd919956051b7be294896fbbee561c75c12327b8e0b344ea45dfebb2d4338d01aa93679402cdd599076932f7bf77b3ff34b778773f782314c146d4e7cee06e06 -EBUILD pysaml2-4.6.5.ebuild 1221 BLAKE2B 0e95b864ec534adbcd1ab94f4f717330c81c1ba7030fea8d66e08f4aa08089c339f8275fb1b9c503fca8d36b954ca16b94ffcbe910d0c6c5c2c7be1ba2507337 SHA512 77a64a723be5db3c1a62cc104ca5c790a65fcddd9d116be264eaad38503e808f37e5e14ef68a924dd5d5031de25e2d77abd2b0416fa39c84efe5c3d61f2cdc2b -MISC metadata.xml 606 BLAKE2B 
5262e7d7a6f2ff32547ab8570f3aace4dfc3af9d667fdaac6ba2eba77ffd562524a136154eb7b96d4f1f7dfb316b72ee7a0311efa46153afff150c3956151b32 SHA512 7b4facbe3e25898488fffb7b39f9ff7eedd12492f668fa294952711efb3ca9549f2653ab6bc2a948286deff5f45116b0b8bd9a5fc796e99413acc9334eade348 +EBUILD pysaml2-4.6.5-r1.ebuild 1268 BLAKE2B 1c31dd21e6051e584d50092201b838f82bec8df2bfb35a9c3d49dbff9557ae8a8290a370c3ca8f6887e1b80152d46f39273cd1aff964d3b438b96bfc1414f95f SHA512 2ba2b8734393cff3aea052dcaad5ebd7210ac2c572d5bcfd8059c2a29af727958469c3153b03b7f72dd7470ba66be53e6ed5851fae7065ff02f3ff0029d6b84f +MISC metadata.xml 860 BLAKE2B 3291896b3fcfd7b513f0772b7f5716b56a38b25b0d51cb391e704102bc0875e1b7b5a2844bb468e2c7eed61c85356d2a6497c304cf192079e47387e88bb2d41e SHA512 a6370907aa8f3c2b07b938c66fd17af3014881c22eebe4a8d5db95c17b6cf41ad6614c9159a94a5688512dd22923d180f07bc9fc1bf465556b7c951f3df20ff5 diff --git a/dev-python/pysaml2/files/cve-2020-5390.patch b/dev-python/pysaml2/files/cve-2020-5390.patch new file mode 100644 index 000000000000..bef46808d920 --- /dev/null +++ b/dev-python/pysaml2/files/cve-2020-5390.patch 
@@ -0,0 +1,189 @@ +From 5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25 Mon Sep 17 00:00:00 2001 +From: Ivan Kanakarakis <ivan.kanak@gmail.com> +Date: Sat, 4 Jan 2020 00:39:47 +0200 +Subject: [PATCH] Fix XML Signature Wrapping (XSW) vulnerabilities + +PySAML2 did not check that the signature in a SAML document is enveloped and thus +XML signature wrapping (XSW) was effective. + +The signature information and the node/object that is signed can be in different places +and thus the signature verification will succeed, but the wrong data will be used. This +specifically affects the verification of assertions that have been signed. + +This was assigned CVE-2020-5390 + +Thanks to Alexey Sintsov and Yuri Goltsev from HERE Technologies to report this. + ++ + + + + + + + + +In more detail: + +libxml2 follows the xmldsig-core specification. The xmldsig specification is way too +general. saml-core reuses the xmldsig specification, but constrains it to use of +specific facilities. The implementation of the SAML specification is responsible to +enforce those constraints. libxml2/xmlsec1 are not aware of those constraints and thus +process the document based on the full/general xmldsig rules. + +What is happening is the following: + +- xmldsig-core allows the signature-information and the data that was signed to be in + different places. This works by setting the URI attribute of the Reference element. + The URI attribute contains an optional identifier of the object being signed. (see + "4.4.3 The Reference Element" -- https://www.w3.org/TR/xmldsig-core1/#sec-Reference) + This identifier is actually a pointer that can be defined in many different ways; from + XPath expressions that need to be executed(!), to a full URL that should be fetched(!) + in order to recalculate the signature. + +- saml-core section "5.4 XML Signature Profile" defines constrains on the xmldsig-core + facilities. It explicitly dictates that enveloped signatures are the only signatures + allowed. 
This mean that: + * Assertion/RequestType/ResponseType elements must have an ID attribute + * signatures must have a single Reference element + * the Reference element must have a URI attribute + * the URI attribute contains an anchor + * the anchor points to the enclosing element's ID attribute + +xmlsec1 does the right thing - it follows the reference URI pointer and validates the +assertion. But, the pointer points to an assertion in another part of the document; not +the assertion in which the signature is embedded/enveloped. SAML processing thinks that +the signature is fine (that's what xmlsec1 said), and gets the assertion data from the +assertion that contains the signature - but that assertion was never validated. The +issue is that pysaml2 does not enforce the constrains on the signature validation +facilities of xmldsig-core, that the saml-core spec defines. + +The solution is simple; all we need is to make sure that assertions with signatures (1) +contain one reference element that (2) has a URI attribute (3) that is an anchor that +(4) points to the assertion in which the signature is embedded. If those conditions are +met then we're good, otherwise we should fail the verification. + +Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com> +--- + src/saml2/sigver.py | 49 ++++++++++++++++++++++++++++++++++++ + tests/saml2_response_xsw.xml | 6 +++++ + tests/test_xsw.py | 44 ++++++++++++++++++++++++++++++++ + 3 files changed, 99 insertions(+) + create mode 100644 tests/saml2_response_xsw.xml + create mode 100644 tests/test_xsw.py + +diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py +index cbeca41f..c3d298a9 100644 +--- a/src/saml2/sigver.py ++++ b/src/saml2/sigver.py +@@ -1476,6 +1476,55 @@ def _check_signature(self, decoded_xml, item, node_name=NODE_NAME, origdoc=None, + if not certs: + raise MissingKey(_issuer) + ++ # saml-core section "5.4 XML Signature Profile" defines constrains on the ++ # xmldsig-core facilities. 
It explicitly dictates that enveloped signatures ++ # are the only signatures allowed. This mean that: ++ # * Assertion/RequestType/ResponseType elements must have an ID attribute ++ # * signatures must have a single Reference element ++ # * the Reference element must have a URI attribute ++ # * the URI attribute contains an anchor ++ # * the anchor points to the enclosing element's ID attribute ++ references = item.signature.signed_info.reference ++ signatures_must_have_a_single_reference_element = len(references) == 1 ++ the_Reference_element_must_have_a_URI_attribute = ( ++ signatures_must_have_a_single_reference_element ++ and hasattr(references[0], "uri") ++ ) ++ the_URI_attribute_contains_an_anchor = ( ++ the_Reference_element_must_have_a_URI_attribute ++ and references[0].uri.startswith("#") ++ and len(references[0].uri) > 1 ++ ) ++ the_anchor_points_to_the_enclosing_element_ID_attribute = ( ++ the_URI_attribute_contains_an_anchor ++ and references[0].uri == "#{id}".format(id=item.id) ++ ) ++ validators = { ++ "signatures must have a single reference element": ( ++ signatures_must_have_a_single_reference_element ++ ), ++ "the Reference element must have a URI attribute": ( ++ the_Reference_element_must_have_a_URI_attribute ++ ), ++ "the URI attribute contains an anchor": ( ++ the_URI_attribute_contains_an_anchor ++ ), ++ "the anchor points to the enclosing element ID attribute": ( ++ the_anchor_points_to_the_enclosing_element_ID_attribute ++ ), ++ } ++ if not all(validators.values()): ++ error_context = { ++ "message": "Signature failed to meet constraints on xmldsig", ++ "validators": validators, ++ "item ID": item.id, ++ "reference URI": item.signature.signed_info.reference[0].uri, ++ "issuer": _issuer, ++ "node name": node_name, ++ "xml document": decoded_xml, ++ } ++ raise SignatureError(error_context) ++ + verified = False + last_pem_file = None + +diff --git a/tests/saml2_response_xsw.xml b/tests/saml2_response_xsw.xml +new file mode 100644 +index 
00000000..3671eb48 +--- /dev/null ++++ b/tests/saml2_response_xsw.xml +@@ -0,0 +1,6 @@ ++<?xml version="1.0" encoding="UTF-8"?> ++<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://lingon.catalogix.se:8087/" ID="id-vqOQ72JCppXaBWnBE" InResponseTo="id12" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns0:Status><ns1:Assertion ID="id-SPOOFED_ASSERTION" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns2:Signature Id="Signature2"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Reference URI="#id-Aa9IWfDxJVIX6GQye"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>EWBvQUlrwQbtrAjuUXkSBAVsZ50=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>m4zRgTWleMcx1dFboeiYlbiDigHWAVhHVa+GLN++ELNMFDutuzBxc3tu6okyaNQGW3leu32wzbfdpb5+3RlpGoKj2wPX570/EMJj4uw91XfXsZfpNP+5GlgNT8w/elDmBXhG/KwmSO477Imk0szKovTBMVHmo3QOd+ba//dVsJE=</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMXE9tXOdqwYCA1cc8vQdzkihscQMXy3iPw2cMggBu6gjMTOSOxECkuvX5ZCclKr8pXAJM5cY6gVOaVO2PdTZcvDBKGbiaNefiEw5hnoZomqZGp8wHNLAUkwtH9vjqqvxyS/vclc6k2ewIDAQABo4GnMIGkMB0GA1UdDgQWBBRePsKHKYJsiojE78ZWXccK9K4aJTB1BgNVHSMEbjBsgBRePsKHKYJsiojE78ZWXccK9K4aJaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAJrzqSSwmDY9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAJSrKOEzHO7TL5cy6h3qh+3+JAk8HbGBW+cbX6KBCAw/mzU8flK25vnWwXS3dv2FF3Aod0/S7AWNfKib5U/SA9nJaz/mWeF9S0farz9AQFc8/NSzAzaVq7YbM4F6f6N2FRl7GikdXRCed45j6mrPzGzk3ECbupFnqyREH3+ZPSdk=</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ANOTHER_ID</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" 
NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ADMIN</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">HACKER@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion> ++<XSW_ATTACK> ++<ns1:Assertion ID="id-Aa9IWfDxJVIX6GQye" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ac5b22bb8eac4a26ed07a55432a0fe0da243f6e911aa614cff402c44d7cdec36</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">member</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xsi:type="xs:string">foo@gmail.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion> ++</XSW_ATTACK> ++</ns0:Response> +diff --git a/tests/test_xsw.py b/tests/test_xsw.py +new file mode 100644 +index 00000000..9978c4d3 +--- /dev/null ++++ b/tests/test_xsw.py +@@ -0,0 +1,44 @@ ++from datetime import datetime ++from unittest.mock import Mock ++from unittest.mock import patch ++ ++from saml2.config import config_factory ++from saml2.response import authn_response ++from saml2.sigver import SignatureError ++ ++from dateutil import parser ++ ++from pytest import raises ++ ++from pathutils import dotname ++from pathutils import full_path ++ ++ ++XML_RESPONSE_XSW = full_path("saml2_response_xsw.xml") ++ ++ ++class TestAuthnResponse: ++ def setup_class(self): ++ self.conf = config_factory("sp", dotname("server_conf")) ++ self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/") ++ ++ @patch('saml2.response.validate_on_or_after', return_value=True) ++ def test_verify_signed_xsw(self, mock_validate_on_or_after): ++ self.ar.issue_instant_ok = Mock(return_value=True) ++ ++ with open(XML_RESPONSE_XSW) as fp: ++ xml_response = fp.read() ++ ++ self.ar.outstanding_queries = {"id12": 
"http://localhost:8088/sso"} ++ self.ar.timeslack = 10000 ++ self.ar.loads(xml_response, decode=False) ++ ++ assert self.ar.came_from == 'http://localhost:8088/sso' ++ assert self.ar.session_id() == "id12" ++ assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp' ++ ++ with raises(SignatureError): ++ self.ar.verify() ++ ++ assert self.ar.ava is None ++ assert self.ar.name_id is None diff --git a/dev-python/pysaml2/metadata.xml b/dev-python/pysaml2/metadata.xml index e06acc272e6a..34133f9748f2 100644 --- a/dev-python/pysaml2/metadata.xml +++ b/dev-python/pysaml2/metadata.xml @@ -10,7 +10,7 @@ <name>Openstack</name> </maintainer> <longdescription lang="en"> - Python implementation of SAML Version 2 to be used in a WSGI environment + PySAML2 is a pure python implementation of SAML Version 2 Standard. It contains all necessary pieces for building a SAML2 service provider or an identity provider. The distribution contains examples of both. Originally written to work in a WSGI environment there are extensions that allow you to use it with other frameworks. </longdescription> <upstream> <remote-id type="pypi">pysaml2</remote-id> diff --git a/dev-python/pysaml2/pysaml2-4.6.3-r1.ebuild b/dev-python/pysaml2/pysaml2-4.6.3-r1.ebuild deleted file mode 100644 index 4a56f65c6b89..000000000000 --- a/dev-python/pysaml2/pysaml2-4.6.3-r1.ebuild +++ /dev/null 
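Review bot: In the sigver.py hunk carried by cve-2020-5390.patch, the failure branch builds `error_context` from `item.signature.signed_info.reference[0].uri`, so a signature with zero Reference elements (a case the first validator is meant to reject) raises IndexError rather than SignatureError; `"reference URI": references[0].uri if references else None,` keeps the rejection on the exception type callers catch. The `hasattr(references[0], "uri")` test likewise does not cover a `uri` attribute that exists but is None, where `.startswith("#")` would raise AttributeError; if the Reference class can hold None there, `and getattr(references[0], "uri", None)` is the safer guard. The context also embeds the whole `decoded_xml`, so any handler that logs the exception writes the full assertion (subject and attributes) to the log; either drop that key or add a comment such as `# error_context carries the raw SAML document; do not log it verbatim`. `_check_signature` begins and continues outside the hunk, so whether `item.signature` is guaranteed to be non-None at this point cannot be confirmed from here.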
@@ -1,40 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 -PYTHON_COMPAT=( python3_6 ) - -inherit distutils-r1 - -DESCRIPTION="Python implementation of SAML Version 2 to be used in a WSGI environment" -HOMEPAGE="https://github.com/rohe/pysaml2" -SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz" - -LICENSE="Apache-2.0" -SLOT="0" -KEYWORDS="~amd64 ~arm64 ~x86" -IUSE="" - -PATCHES=( -) - -DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]" -RDEPEND=">=dev-python/cryptography-1.4[${PYTHON_USEDEP}] - dev-python/defusedxml[${PYTHON_USEDEP}] - dev-python/future[${PYTHON_USEDEP}] - dev-python/pyopenssl[${PYTHON_USEDEP}] - dev-python/python-dateutil[${PYTHON_USEDEP}] - dev-python/pytz[${PYTHON_USEDEP}] - >=dev-python/requests-1.0.0[${PYTHON_USEDEP}] - dev-python/six[${PYTHON_USEDEP}]" - -python_prepare_all() { - # Work-around for bug 675824 - # With older setuptools, version = file:... is not supported, see Note 1 in: - # https://setuptools.readthedocs.io/en/latest/setuptools.html#metadata - # In such cases, hardcode the version - has_version ">=dev-python/setuptools-39.2.0" || \ - sed --in-place "s/^version = file:.*\$/version = ${PV}/" setup.cfg - ## - distutils-r1_python_prepare_all -} diff --git a/dev-python/pysaml2/pysaml2-4.6.3.ebuild b/dev-python/pysaml2/pysaml2-4.6.3.ebuild deleted file mode 100644 index 2ebbc1fd51bb..000000000000 --- a/dev-python/pysaml2/pysaml2-4.6.3.ebuild +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 -PYTHON_COMPAT=( python3_6 ) - -inherit distutils-r1 - -DESCRIPTION="Python implementation of SAML Version 2 to be used in a WSGI environment" -HOMEPAGE="https://github.com/rohe/pysaml2" -SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz" - -LICENSE="Apache-2.0" -SLOT="0" -KEYWORDS="amd64 ~arm64 x86" -IUSE="" - -PATCHES=( -) - -DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]" -RDEPEND=">=dev-python/cryptography-1.4[${PYTHON_USEDEP}] - dev-python/defusedxml[${PYTHON_USEDEP}] - dev-python/future[${PYTHON_USEDEP}] - dev-python/pyopenssl[${PYTHON_USEDEP}] - dev-python/python-dateutil[${PYTHON_USEDEP}] - dev-python/pytz[${PYTHON_USEDEP}] - >=dev-python/requests-1.0.0[${PYTHON_USEDEP}] - dev-python/six[${PYTHON_USEDEP}]" diff --git a/dev-python/pysaml2/pysaml2-4.6.5.ebuild b/dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild index a3f675d0b813..9d807ccf40e8 100644 --- a/dev-python/pysaml2/pysaml2-4.6.5.ebuild +++ b/dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild @@ -28,6 +28,8 @@ RDEPEND=">=dev-python/cryptography-1.4[${PYTHON_USEDEP}] >=dev-python/requests-1.0.0[${PYTHON_USEDEP}] dev-python/six[${PYTHON_USEDEP}]" +PATCHES=( "${FILESDIR}/cve-2020-5390.patch" ) + python_prepare_all() { # Work-around for bug 675824 # With older setuptools, version = file:... is not supported, see Note 1 in: |