diff --git a/0009-fix-cve-CVE-2025-47151.patch b/0009-fix-cve-CVE-2025-47151.patch
new file mode 100644
index 0000000000000000000000000000000000000000..256f5c2305c8c8bdb8a8802c95893bd012f6ca89
--- /dev/null
+++ b/0009-fix-cve-CVE-2025-47151.patch
@@ -0,0 +1,61 @@
+From 168e527b28b548789c78bf90ac52f64726c0841a Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Thu, 27 Nov 2025 14:49:48 +0800
+Subject: [PATCH] fix cve CVE-2025-47151
+
+---
+ lasso/xml/misc_text_node.c | 2 +-
+ lasso/xml/saml-2.0/saml2_attribute_value.c | 2 +-
+ lasso/xml/xml.c | 3 +++
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lasso/xml/misc_text_node.c b/lasso/xml/misc_text_node.c
+index bb9b6b5..2863971 100644
+--- a/lasso/xml/misc_text_node.c
++++ b/lasso/xml/misc_text_node.c
+@@ -41,7 +41,7 @@ typedef struct {
+ static struct XmlSnippet schema_snippets[] = {
+ { "content", SNIPPET_TEXT_CHILD,
+ G_STRUCT_OFFSET(LassoMiscTextNode, content), NULL, NULL, NULL},
+- { "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++ { "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ G_STRUCT_OFFSET(LassoMiscTextNodePrivate, any_attributes), NULL, NULL, NULL},
+ {NULL, 0, 0, NULL, NULL, NULL}
+ };
+diff --git a/lasso/xml/saml-2.0/saml2_attribute_value.c b/lasso/xml/saml-2.0/saml2_attribute_value.c
+index 3598760..8e0b446 100644
+--- a/lasso/xml/saml-2.0/saml2_attribute_value.c
++++ b/lasso/xml/saml-2.0/saml2_attribute_value.c
+@@ -53,7 +53,7 @@ struct _LassoSaml2AttributeValuePrivate {
+ static struct XmlSnippet schema_snippets[] = {
+ { "any", SNIPPET_LIST_NODES | SNIPPET_ANY | SNIPPET_ALLOW_TEXT,
+ G_STRUCT_OFFSET(LassoSaml2AttributeValue, any), NULL, NULL, NULL},
+- { "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++ { "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ G_STRUCT_OFFSET(struct _LassoSaml2AttributeValuePrivate, any_attributes), NULL,
+ NULL, NULL },
+ {NULL, 0, 0, NULL, NULL, NULL}
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index 8c3df04..c1e94ed 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -1565,6 +1565,7 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ type = snippet->type & 0xff;
+ /* assign attribute content if attribute has the same name as the
+ * snippet and:
++ * - the snippet is not the any attribute snippet,
+ * - the snippet and the attribute have no namespace
+ * - the snippet has no namespace but the attribute has the same
+ * namespace as the node
+@@ -1572,6 +1573,8 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ */
+ if (type != SNIPPET_ATTRIBUTE)
+ continue;
++ if (snippet->type & SNIPPET_ANY)
++ continue;
+ if (! lasso_strisequal((char*)attr->name, (char*)snippet->name))
+ continue;
+ if (attr->ns) {
+--
+2.39.3
+
diff --git a/lasso.spec b/lasso.spec
index bcf6e6c3c38773ac90699177bf76a5b097749a83..e7d23256884199fcf948fa9e0ad362cb3cfd3795 100644
--- a/lasso.spec
+++ b/lasso.spec
@@ -15,7 +15,7 @@ Summary: Liberty Alliance Single Sign On Name: lasso Version: 2.5.1 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Libraries Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
@@ -39,6 +39,7 @@ patch5: 0005-PAOS-Do-not-populate-Destination-attribute.patch patch6: 0006-tests-use-self-generated-certificate-to-sign-federat.patch patch7: 0007-Fix-signature-checking-on-unsigned-response-with-mul.patch patch8: 0008-lasso_saml20_login_process_response_status_and_asser.patch +patch9: 0009-fix-cve-CVE-2025-47151.patch %description Lasso is a library that implements the Liberty Alliance Single Sign On
@@ -122,6 +123,7 @@ library. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %build autoreconf -vif
@@ -230,6 +232,9 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name} %endif %changelog +* Thu Nov 27 2025 zhuhongbo - 2.5.1-9 +- fix: fix cve CVE-2025-47151 + * Wed Jun 2 2021 Jakub Hrozek - 2.5.1-8 - Fix Coverity warning introduced by the previous patch - Related: #1963855 - CVE-2021-28091 lasso: XML signature wrapping
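Review bot: The name-match loop in lasso_node_impl_init_from_xml is now protected only by `if (snippet->type & SNIPPET_ANY) continue;`, and the embedded patch adds no regression test (its diffstat lists three source files only), so a later rebase could drop the guard without anything failing. The two renames to `""` in misc_text_node.c and saml2_attribute_value.c cover just those tables; any other snippet table that declares `SNIPPET_ATTRIBUTE | SNIPPET_ANY` with a non-empty name, if one exists in this tree, depends entirely on the xml.c guard. That dependency deserves a why-comment directly above the new check, for example `/* any-attribute snippets are never matched by attribute name (CVE-2025-47151) */`. The patch header also names no upstream commit, which makes the backport to 2.5.1 hard to audit against the upstream fix; a reference line in the patch description would close that gap. The function body starts and ends outside both xml.c hunks, so how the any-attributes field is filled afterwards cannot be checked from here.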