Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: simplesaml...@packages.debian.org, secur...@debian.org
Control: affects -1 + src:simplesamlphp
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

this s-p-u is to fix CVE-2025-27773, a signature confusion attack,
to close the gap after fixing LTS (bullseye) and unstable.
(The package will not be in trixie)

[ Tests ]
Manual test in a VM, setting up simplesamlphp as service provider and
identity provider and testing whether things are still working.

Joost also helped out in testing, see 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595#20

The patch is identical for unstable and bullseye, as the patched file is
identical on all of those versions, so the testing Joost has done
applies here too.


[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The patch has been backported from the upstream changeset, origin:
https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0

[ Other info ]
This s-p-u has been done in coordination and approval from the security
team.

I will upload the new package to the queue after sending this email.

Cheers

-- 
tobi
diff -Nru simplesamlphp-1.19.7/debian/changelog simplesamlphp-1.19.7/debian/changelog
--- simplesamlphp-1.19.7/debian/changelog	2024-12-01 16:41:33.000000000 +0100
+++ simplesamlphp-1.19.7/debian/changelog	2025-05-11 08:35:04.000000000 +0200
@@ -1,7 +1,14 @@
+simplesamlphp (1.19.7-1+deb12u2) bookworm; urgency=medium
+
+  * Team upload for stable proposed updates.
+  * Fix CVE-2025-27773 (Closes: #1100595)
+
+ -- Tobias Frost <t...@debian.org>  Sun, 11 May 2025 08:35:04 +0200
+
 simplesamlphp (1.19.7-1+deb12u1) bookworm-security; urgency=high
 
   * Upload to the security archive.
-  * Fix CVE-2024-52596
+  * Fix CVE-2024-52596 (Closes: #1088904)
 
  -- Thijs Kinkhorst <th...@debian.org>  Sun, 01 Dec 2024 16:41:33 +0100
 
diff -Nru simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch
--- simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch	1970-01-01 01:00:00.000000000 +0100
+++ simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch	2025-05-11 08:25:15.000000000 +0200
@@ -0,0 +1,122 @@
+Description: CVE-2025-27773 - signature confusion attack
+Origin: https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595
+Bug: https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56
+
+--- a/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php
++++ b/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php
+@@ -94,7 +94,7 @@
+     /**
+      * Receive a SAML 2 message sent using the HTTP-Redirect binding.
+      *
+-     * Throws an exception if it is unable receive the message.
++     * Throws an exception if it is unable to receive the message.
+      *
+      * @throws \Exception
+      * @return \SAML2\Message The received message.
+@@ -104,10 +104,36 @@
+     public function receive(): Message
+     {
+         $data = self::parseQuery();
+-        if (array_key_exists('SAMLRequest', $data)) {
+-            $message = $data['SAMLRequest'];
+-        } elseif (array_key_exists('SAMLResponse', $data)) {
+-            $message = $data['SAMLResponse'];
++        $signedQuery = $data['SignedQuery'];
++
++        /**
++         * Get the SAMLRequest/SAMLResponse from the exact same signed data that will be verified later in
++         * validateSignature into $res using the actual SignedQuery
++         */
++        $res = [];
++        foreach (explode('&', $signedQuery) as $e) {
++            $tmp = explode('=', $e, 2);
++            $name = $tmp[0];
++            if (count($tmp) === 2) {
++                $value = $tmp[1];
++            } else {
++                /* No value for this parameter. */
++                $value = '';
++            }
++            $name = urldecode($name);
++            $res[$name] = urldecode($value);
++        }
++
++        /**
++         * Put the SAMLRequest/SAMLResponse from the actual query string into $message,
++         * and assert that the result from parseQuery() in $data and the parsing of the SignedQuery in $res agree
++         */
++        if (array_key_exists('SAMLRequest', $res)) {
++            Assert::same($res['SAMLRequest'], $data['SAMLRequest'], 'Parse failure.');
++            $message = $res['SAMLRequest'];
++        } elseif (array_key_exists('SAMLResponse', $res)) {
++            Assert::same($res['SAMLResponse'], $data['SAMLResponse'], 'Parse failure.');
++            $message = $res['SAMLResponse'];
+         } else {
+             throw new \Exception('Missing SAMLRequest or SAMLResponse parameter.');
+         }
+@@ -116,7 +142,7 @@
+             throw new \Exception('Unknown SAMLEncoding: '.var_export($data['SAMLEncoding'], true));
+         }
+ 
+-        $message = base64_decode($message);
++        $message = base64_decode($message, true);
+         if ($message === false) {
+             throw new \Exception('Error while base64 decoding SAML message.');
+         }
+@@ -141,6 +167,15 @@
+             return $message;
+         }
+ 
++        /**
++         * 3.4.5.2 - SAML Bindings
++         *
++         * If the message is signed, the Destination XML attribute in the root SAML element of the protocol
++         * message MUST contain the URL to which the sender has instructed the user agent to deliver the
++         * message.
++         */
++        Assert::notNull($message->getDestination()); // Validation of the value must be done upstream
++
+         if (!array_key_exists('SigAlg', $data)) {
+             throw new \Exception('Missing signature algorithm.');
+         }
+@@ -148,7 +183,7 @@
+         $signData = [
+             'Signature' => $data['Signature'],
+             'SigAlg'    => $data['SigAlg'],
+-            'Query'     => $data['SignedQuery'],
++            'Query'     => $signedQuery,
+         ];
+ 
+         $message->addValidator([get_class($this), 'validateSignature'], $signData);
+@@ -165,6 +200,7 @@
+      * signed.
+      *
+      * @return array The query data that is signed.
++     * @throws \Exception
+      */
+     private static function parseQuery() : array
+     {
+@@ -186,7 +222,12 @@
+                 /* No value for this parameter. */
+                 $value = '';
+             }
++
+             $name = urldecode($name);
++            // Prevent keys from being set more than once
++            if (array_key_exists($name, $data)) {
++                throw new \Exception('Duplicate parameter.');
++            }
+             $data[$name] = urldecode($value);
+ 
+             switch ($name) {
+@@ -202,6 +243,9 @@
+                     break;
+             }
+         }
++        if (array_key_exists('SAMLRequest', $data) && array_key_exists('SAMLResponse', $data)) {
++                throw new \Exception('Both SAMLRequest and SAMLResponse provided.');
++        }
+ 
+         $data['SignedQuery'] = $sigQuery.$relayState.$sigAlg;
+ 
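Review bot: The new code in `receive()` calls `Assert::same` and `Assert::notNull`, yet the patch adds no `use` statement for `Assert`; unless the vendored HTTPRedirect.php already imports it (upstream saml2 4.x imports `Webmozart\Assert\Assert`, which is worth confirming in the bookworm tree), the unqualified name would resolve inside the file's own namespace and fail on every redirect-bound message. The loop that re-parses `$signedQuery` duplicates the key/value splitting already done in `parseQuery()`; since the fix rests on the two parses agreeing, a small private helper used by both, e.g. `private static function parseQueryString(string $query): array`, would keep them from drifting apart. The `throw` in the new "Both SAMLRequest and SAMLResponse provided." check is indented one level deeper than the file's 4-space style. Both `receive()` and `parseQuery()` continue beyond this hunk.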
diff -Nru simplesamlphp-1.19.7/debian/patches/series simplesamlphp-1.19.7/debian/patches/series
--- simplesamlphp-1.19.7/debian/patches/series	2024-12-01 16:41:33.000000000 +0100
+++ simplesamlphp-1.19.7/debian/patches/series	2025-05-11 08:25:15.000000000 +0200
@@ -1,2 +1,3 @@
 debian_config.patch
 CVE-2024-52596.patch
+CVE-2025-27773.patch

Attachment: signature.asc
Description: PGP signature
