SAML messages, assertions, and metadata all commonly make use of the
XML Signature KeyInfo construct, which expresses information about
keys and certificates used in signing or encrypting XML.
The Apache Santuario XML Security for C++ library contained code
paths at risk of dereferencing null pointers when processing various
kinds of malformed KeyInfo hints typically found in signed or
encrypted XML. The usual effect is a crash, and in the case of the
Shibboleth SP software, a crash in the shibd daemon, which prevents
access to protected resources until the daemon is restarted.