diff --git a/CVE-2025-46404.patch b/CVE-2025-46404.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bb11f5ebaa4ba7970242c92e80aa1a021822942f
--- /dev/null
+++ b/CVE-2025-46404.patch
@@ -0,0 +1,26 @@
+From c880cad13732bcb50cbd9fa376ea39edb53e7d68 Mon Sep 17 00:00:00 2001
+From: Benjamin Dauvergne
+Date: Thu, 15 May 2025 15:51:08 +0200
+Subject: [PATCH] misc: check xmlSecGetNodeNsHref for possible NULL result
+ (#105693)
+
+Origin: https://git.entrouvert.org/entrouvert/lasso/commit/c880cad13732bcb50cbd9fa376ea39edb53e7d68
+---
+ lasso/id-ff/provider.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
+index 1dcd1b02..e3c9dce5 100644
+--- a/lasso/id-ff/provider.c
++++ b/lasso/id-ff/provider.c
+@@ -1364,8 +1364,8 @@ lasso_provider_verify_saml_signature(LassoProvider *provider,
+
+ /* ID-FF 1.2 Signatures case */
+ node_ns = xmlSecGetNodeNsHref(signed_node);
+- if ((strcmp((char*)node_ns, LASSO_SAML2_PROTOCOL_HREF) == 0) ||
+- (strcmp((char*)node_ns, LASSO_SAML2_ASSERTION_HREF) == 0)) {
++ if (node_ns && ((strcmp((char*)node_ns, LASSO_SAML2_PROTOCOL_HREF) == 0) ||
++ (strcmp((char*)node_ns, LASSO_SAML2_ASSERTION_HREF) == 0))) {
+ id_attribute_name = "ID";
+ } else if (xmlSecCheckNodeName(signed_node, (xmlChar*)"Request", (xmlChar*)LASSO_SAML_PROTOCOL_HREF)) {
+ id_attribute_name = "RequestID";
diff --git a/CVE-2025-46705-pre.patch b/CVE-2025-46705-pre.patch
new file mode 100644
index 0000000000000000000000000000000000000000..60780430985eddbcb3e6766242039a20c1b43f8b
--- /dev/null
+++ b/CVE-2025-46705-pre.patch
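Review bot: The new `node_ns &&` guard makes a signed node with no namespace href fall through to the ID-FF `xmlSecCheckNodeName` branches, but the only nearby comment, `/* ID-FF 1.2 Signatures case */`, sits above the SAML2 namespace comparison, so a reader cannot tell that the NULL case is deliberate rather than an oversight. I would add above the condition `/* xmlSecGetNodeNsHref() presumably yields NULL for an unqualified node; such a node can never be SAML2 */`. The enclosing lasso_provider_verify_saml_signature() starts and ends outside the hunk, so what happens when none of the branches matches (error, or some default id attribute) is not visible here and is worth confirming for the NULL path.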
@@ -0,0 +1,73 @@
+From b140660709c341bb44f9b7ebbd8253cde9169e8b Mon Sep 17 00:00:00 2001
+From: Benjamin Dauvergne
+Date: Thu, 15 May 2025 15:39:42 +0200
+Subject: [PATCH] tests: test that inserted comment do not change node value
+ and still validate signature (#105693)
+
+Origin: Origin: https://git.entrouvert.org/entrouvert/lasso/commit/b140660709c341bb44f9b7ebbd8253cde9169e8b
+---
+ bindings/python/tests/profiles_tests.py | 23 +++++++++++++++++++++++
+ lasso/xml/xml.c | 2 +-
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
+index 8679d663..9f694907 100755
+--- a/bindings/python/tests/profiles_tests.py
++++ b/bindings/python/tests/profiles_tests.py
+@@ -24,6 +24,7 @@
+ # along with this program; if not, see .
+
++import base64
+ import os
+ import unittest
+ import sys
+@@ -362,6 +363,28 @@ class LoginTestCase(unittest.TestCase):
+ assert 'xmlenc#rsa-1_5' not in run(key_encryption_method=lasso.KEY_ENCRYPTION_METHOD_OAEP)
+ assert 'xmlenc#rsa-oaep-mgf1p' in run(key_encryption_method=lasso.KEY_ENCRYPTION_METHOD_OAEP)
+
++ def test_09(self):
++ '''Login test between SP and IdP with encrypted private keys'''
++ sp_server = server('sp7-saml2', lasso.PROVIDER_ROLE_IDP, 'idp7-saml2')
++ idp_server = server('idp7-saml2', lasso.PROVIDER_ROLE_SP, 'sp7-saml2')
++
++ sp_login = lasso.Login(sp_server)
++ sp_login.initAuthnRequest()
++ sp_login.request.protocolBinding = lasso.SAML2_METADATA_BINDING_POST
++ sp_login.buildAuthnRequestMsg()
++ idp_login = lasso.Login(idp_server)
++ idp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE)
++ idp_login.processAuthnRequestMsg(sp_login.msgUrl.split('?')[1])
++ idp_login.validateRequestMsg(True, True)
++ idp_login.buildAssertion("None", "None", "None", "None", "None")
++ idp_login.buildAuthnResponseMsg()
++ sp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE)
++ # insert comment inside NameID
++ msg = base64.b64encode(base64.b64decode(idp_login.msgBody).decode().replace(idp_login.assertion.subject.nameId.content, idp_login.assertion.subject.nameId.content[:10] + '' + idp_login.assertion.subject.nameId.content[10:]).encode())
++ sp_login.processAuthnResponseMsg(msg.decode())
++ sp_login.acceptSso()
++ assert sp_login.assertion.subject.nameId.content == idp_login.assertion.subject.nameId.content
++
+
+ class LogoutTestCase(unittest.TestCase):
+ def test01(self):
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index adf0ba99..b713b523 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -1710,7 +1710,6 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ ERROR;
+ }
+ #undef ADVANCE
+-#undef ERROR
+
+ if (matched_snippet->offset || (matched_snippet->type & SNIPPET_PRIVATE)) {
+ switch (matched_snippet->type & 0xff) {
+@@ -1772,6 +1771,7 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ g_assert_not_reached();
+ }
+ }
++#undef ERROR
+ if (t) { /* t is an ELEMENT that dont match any snippet, when taken in order */
+ if (snippet_any && is_snippet_type(snippet_any, SNIPPET_LIST_XMLNODES)) {
+ value = SNIPPET_STRUCT_MEMBER_P(node, g_type_any, snippet_any);
diff --git a/CVE-2025-46705.patch b/CVE-2025-46705.patch
new file mode 100644
index 0000000000000000000000000000000000000000..db08469d20c9784425de409d61a8a2c0d45c0e02
--- /dev/null
+++ b/CVE-2025-46705.patch
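Review bot: As rendered here, test_09 splices an empty string into the NameID (`content[:10] + '' + content[10:]`), which leaves the response byte-identical, so the forced signature check and the final assertion pass trivially and the case named by `# insert comment inside NameID` is never exercised. The XML comment token was very likely eaten by the page rendering, but the patch file as shipped should be checked to actually contain a comment literal in that slot (a constructed example: `'<!-- c -->'`). The docstring `'''Login test between SP and IdP with encrypted private keys'''` also looks copied from a neighbouring test; `'''A comment inserted inside NameID must not change its value nor break signature verification'''` states what this test checks. The `Origin: Origin:` duplication in the patch header is cosmetic.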
@@ -0,0 +1,24 @@
+From 37836a9cf14234ce720edb5c43f6ed0491f72cf6 Mon Sep 17 00:00:00 2001
+From: Benjamin Dauvergne
+Date: Thu, 15 May 2025 16:02:25 +0200
+Subject: [PATCH] xml: do not terminate on an unknown XML node type (#105693)
+
+Origin: https://git.entrouvert.org/entrouvert/lasso/commit/37836a9cf14234ce720edb5c43f6ed0491f72cf6
+---
+ lasso/xml/xml.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index ca8d72fa..10732f3b 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -1771,7 +1771,8 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ lasso_node_set_original_xmlnode(subnode, t);
+ }
+ } else {
+- g_assert_not_reached();
++ /* Anything else should not be there, abort. */
++ ERROR;
+ }
+ }
+ #undef ERROR
diff --git a/CVE-2025-47151.patch b/CVE-2025-47151.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ffc9665db06dffaad1bf3614c09f09519aa176e5
--- /dev/null
+++ b/CVE-2025-47151.patch
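Review bot: The comment added with the new branch, `/* Anything else should not be there, abort. */`, still says "abort" even though the whole point of the change is to stop aborting the process (`g_assert_not_reached()`) and to fail the parse through `ERROR` instead, which will mislead the next reader about what happens on a crafted document. I would write `/* Unexpected node type: reject the document with an error instead of aborting. */`. What `ERROR` expands to is defined outside the hunk (it is only `#undef`'d two lines later), so whether it also releases partially-built state before returning is not visible here.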
@@ -0,0 +1,63 @@
+From 8d12e6263fd6add923469bd5704e05a1ccfa8c69 Mon Sep 17 00:00:00 2001
+From: Benjamin Dauvergne
+Date: Thu, 15 May 2025 15:44:58 +0200
+Subject: [PATCH] xml: prevent assignment of attribute value inside any
+ attribute
+
+Origin: https://git.entrouvert.org/entrouvert/lasso/commit/8d12e6263fd6add923469bd5704e05a1ccfa8c69
+---
+ lasso/xml/misc_text_node.c | 2 +-
+ lasso/xml/saml-2.0/saml2_attribute_value.c | 2 +-
+ lasso/xml/xml.c | 3 +++
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lasso/xml/misc_text_node.c b/lasso/xml/misc_text_node.c
+index 59d98c5..1f9d980 100644
+--- a/lasso/xml/misc_text_node.c
++++ b/lasso/xml/misc_text_node.c
+@@ -41,7 +41,7 @@ typedef struct {
+ static struct XmlSnippet schema_snippets[] = {
+ { "content", SNIPPET_TEXT_CHILD,
+ G_STRUCT_OFFSET(LassoMiscTextNode, content), NULL, NULL, NULL},
+- { "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++ { "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ G_STRUCT_OFFSET(LassoMiscTextNodePrivate, any_attributes), NULL, NULL, NULL},
+ {NULL, 0, 0, NULL, NULL, NULL}
+ };
+diff --git a/lasso/xml/saml-2.0/saml2_attribute_value.c b/lasso/xml/saml-2.0/saml2_attribute_value.c
+index c8a588c..4526805 100644
+--- a/lasso/xml/saml-2.0/saml2_attribute_value.c
++++ b/lasso/xml/saml-2.0/saml2_attribute_value.c
+@@ -53,7 +53,7 @@ struct _LassoSaml2AttributeValuePrivate {
+ static struct XmlSnippet schema_snippets[] = {
+ { "any", SNIPPET_LIST_NODES | SNIPPET_ANY | SNIPPET_ALLOW_TEXT,
+ G_STRUCT_OFFSET(LassoSaml2AttributeValue, any), NULL, NULL, NULL},
+- { "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++ { "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ G_STRUCT_OFFSET(struct _LassoSaml2AttributeValuePrivate, any_attributes), NULL,
+ NULL, NULL },
+ {NULL, 0, 0, NULL, NULL, NULL}
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index 0d5c6e3..61a5e17 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -1569,6
+1569,7 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode) + type = snippet->type & 0xff; + /* assign attribute content if attribute has the same name as the + * snippet and: ++ * - the snippet is not the any attribute snippet, + * - the snippet and the attribute have no namespace + * - the snippet has no namespace but the attribute has the same + * namespace as the node +@@ -1576,6 +1577,8 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode) + */ + if (type != SNIPPET_ATTRIBUTE) + continue; ++ if (snippet->type & SNIPPET_ANY) ++ continue; + if (! lasso_strisequal((char*)attr->name, (char*)snippet->name)) + continue; + if (attr->ns) { +-- +2.51.1 + diff --git a/lasso.spec b/lasso.spec index d83bbaf42d03e009c47c6af305900e0a70045587..cb8d04ac5b49b4c2ad44829f14323d2a96e4da65 100644 --- a/lasso.spec +++ b/lasso.spec @@ -1,10 +1,14 @@ Name: lasso Version: 2.8.2 -Release: 2 +Release: 3 Summary: Liberty Alliance Single Sign On License: GPLv2+ URL: http://lasso.entrouvert.org/ Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz +Patch0: CVE-2025-46404.patch +Patch1: CVE-2025-46705-pre.patch +Patch2: CVE-2025-46705.patch +Patch3: CVE-2025-47151.patch Requires: xmlsec1 >= 1.2.25-4 BuildRequires: autoconf automake check-devel glib2-devel gtk-doc libtool @@ -64,7 +68,7 @@ sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>) \ %endif %build -./autogen.sh +autoreconf -fi %configure --enable-php5=no --with-python=%{__python3} %make_build CFLAGS="%{optflags}" @@ -103,6 +107,9 @@ fi %doc AUTHORS NEWS README %changelog +* Fri Nov 07 2025 yaoxin <1024769339@qq.com> - 2.8.2-3 +- Fix CVE-2025-46404, CVE-2025-46705 and CVE-2025-47151 + * Sat Mar 15 2025 mahailiang - 2.8.2-2 - add sw_64 support
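Review bot: The two snippet tables now carry an unnamed entry, `{ "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE, ... }`, in misc_text_node.c and saml2_attribute_value.c, with nothing saying why the name is empty; since xml.c now skips every `SNIPPET_ANY` attribute snippet before the `lasso_strisequal` name comparison, the empty name is a second line of defence rather than what makes the fix work, and a later maintainer may well "restore" the name. A one-line comment on each entry, `/* catch-all attribute slot: matched through SNIPPET_ANY, never by name */`, would prevent that. The new bullet in the xml.c header comment, `- the snippet is not the any attribute snippet,`, reads better as `- the snippet is not the catch-all (SNIPPET_ANY) attribute snippet,`. The loop the two added `continue` statements belong to starts outside the hunk.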
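Review bot: Patch0–Patch3 are declared in the preamble, but nothing in the visible hunks applies them: whether they take effect depends on %prep using `%autosetup -p1` (or `%autopatch`, or explicit `%patch` lines), and %prep is outside the hunks, so it should be confirmed that the built package actually carries the four fixes. Replacing `./autogen.sh` with `autoreconf -fi` in %build assumes the script did nothing beyond autoreconf (for instance no gtk-doc bootstrap, which the `gtk-doc` BuildRequires hints at); that script is not shown here. The changelog entry names the three CVEs but not that CVE-2025-46705 needs the `-pre` patch applied first, which only the Patch1/Patch2 ordering encodes; `- Fix CVE-2025-46404, CVE-2025-46705 (with its prerequisite test patch) and CVE-2025-47151` would record it.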