fusiondirectory / fusiondirectory · Issue #6345 · Closed
Issue created Jul 25, 2024 by sfroger (@sfroger, Reporter)

CAS error after security api upgrade - Too few arguments to function phpCAS::client()

Hello FD !

Since yesterday, some of our clients running fusiondirectory on Debian 12 or Ubuntu 22.04+ have had trouble connecting to their FD after a security upgrade was applied that introduced breaking changes in the API of the php-cas library, so loading the library breaks the app.

2024-07-25 06:14:36 startup archives unpack
2024-07-25 06:14:37 upgrade php-cas:all 1.3.8-1 1.3.8-1ubuntu0.22.04.1
2024-07-25 06:14:37 status half-configured php-cas:all 1.3.8-1
2024-07-25 06:14:37 status unpacked php-cas:all 1.3.8-1
2024-07-25 06:14:38 status half-installed php-cas:all 1.3.8-1
2024-07-25 06:14:39 status unpacked php-cas:all 1.3.8-1ubuntu0.22.04.1
2024-07-25 06:14:40 startup packages configure
2024-07-25 06:14:40 configure php-cas:all 1.3.8-1ubuntu0.22.04.1 <none>
2024-07-25 06:14:40 status unpacked php-cas:all 1.3.8-1ubuntu0.22.04.1
2024-07-25 06:14:41 status half-configured php-cas:all 1.3.8-1ubuntu0.22.04.1
2024-07-25 06:14:41 status installed php-cas:all 1.3.8-1ubuntu0.22.04.1

  * SECURITY UPDATE: Authentication bypass vulnerability in Client.php
    - debian/patches/CVE-2022-39369.patch: Add ServerName classes and required
      service_name constructor argument.
    - CVE-2022-39369

On most installs, we have this error when we display them on screen:

ArgumentCountError : Too few arguments to function phpCAS::client(), 4 passed in /usr/share/fusiondirectory/include/login/class_LoginCAS.inc on line 60 and at least 5 expected

On a fresh install I also had this error:

PHP error ""
Trace[1]: function spl_autoload_call	File: (Line )	Type: -
Arguments: "CAS_Client"
Trace[2]: function class_exists	File: /usr/share/php/CAS/source/CAS/Autoload.php (Line 84)	Type: -
Arguments: "CAS_Client"
Trace[3]: function require_once	File: /usr/share/php/CAS/source/CAS.php (Line 257)	Type: -
Arguments: "/usr/share/php/CAS/source/CAS/Autoload.php"
Trace[4]: function require_once	File: /usr/share/php/CAS/CAS.php (Line 30)	Type: -
Arguments: "/usr/share/php/CAS/source/CAS.php"
Trace[5]: function require_once	File: /usr/share/fusiondirectory/include/login/class_LoginCAS.inc (Line 37)	Type: -
Arguments: "/usr/share/php/CAS/CAS.php"
Trace[6]: class LoginCAS / function initCAS	File: /usr/share/fusiondirectory/include/login/class_LoginCAS.inc (Line 75)	Type: static
Arguments: -
Trace[7]: class LoginCAS / function loginProcess	File: /usr/share/fusiondirectory/include/login/class_LoginMethod.inc (Line 219)	Type: static
Arguments: -
Trace[8]: class LoginMethod / function loginProcess	File: /usr/share/fusiondirectory/html/index.php (Line 163)	Type: static
Arguments: -

Fatal error: cannot instantiate class 'CAS_Client' - try running 'fusiondirectory-configuration-manager --update-cache' to fix this

To be able to log in, a quick and dirty solution is to change the configuration attribute fdLoginMethod from 'LoginCAS' to 'LoginPost':

dn: cn=config,ou=fusiondirectory,dc=example,dc=com
changetype: modify
replace: fdLoginMethod
fdLoginMethod: LoginPost

Seen on Debian/Ubuntu.

I will update this issue when we have a functional fix to push.

Edited Aug 08, 2024 by sfroger
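The signature change behind the ArgumentCountError above, as an added example that is not FusionDirectory's or php-cas's own code: the CVE-2022-39369 fix makes phpCAS::client() take a fifth argument (upstream calls it $service_base_url; the Debian changelog above calls it service_name) so that the service URL used during ticket validation comes from the application's configuration instead of the request's Host header. The snippet detects at runtime which signature the loaded library has and supplies that argument from a trusted constant; the require path, hostnames, certificate path and the FD_SERVICE_BASE_URL value are assumed placeholders.

```php
<?php
// Added example, not FusionDirectory or php-cas code. Initialise phpCAS so
// that it works both before and after the CVE-2022-39369 fix, which made
// the fifth parameter of phpCAS::client() mandatory.

require_once '/usr/share/php/CAS/CAS.php';   // assumed path (matches the trace above)

// The application's own public base URL. After the fix phpCAS no longer
// derives the service URL from $_SERVER['HTTP_HOST'], so this value must
// come from trusted configuration, never from the incoming request.
const FD_SERVICE_BASE_URL = 'https://fd.example.com';   // assumed placeholder

function initCasClient(string $casHost, int $casPort, string $casUri, string $caCertPath): void
{
    // Pre-fix 1.3.x accepts four required parameters; the patched Debian
    // 1.3.8 and upstream >= 1.6.0 require five. Inspect the loaded method
    // rather than guessing from the package version string.
    $required = (new ReflectionMethod('phpCAS', 'client'))
        ->getNumberOfRequiredParameters();

    if ($required >= 5) {
        // Patched library: pin the service base URL explicitly.
        phpCAS::client(CAS_VERSION_2_0, $casHost, $casPort, $casUri, FD_SERVICE_BASE_URL);
    } else {
        // Unpatched library: the call still works, but the service URL is
        // taken from the Host header. Log it so operators know to upgrade.
        error_log('phpCAS without CVE-2022-39369 fix loaded; upgrade php-cas');
        phpCAS::client(CAS_VERSION_2_0, $casHost, $casPort, $casUri);
    }

    // Always validate the CAS server certificate; do not disable validation.
    phpCAS::setCasServerCACert($caCertPath);
}

// Constructed values for illustration only.
initCasClient('cas.example.com', 443, '/cas', '/etc/ssl/certs/ca-certificates.crt');
phpCAS::forceAuthentication();
```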