On Sat, 06 Sep 2025 12:33:17 +0200 Ferenc Wágner <[email protected]> wrote:
> Do you still handle bookworm security uploads, or is that LTS > territory now? Anyway, the analogous debdiff for bookworm is: $ debdiff shibboleth-sp_3.4.1+dfsg-2.dsc shibboleth-sp_3.4.1+dfsg-2+deb12u1.dsc diff -Nru shibboleth-sp-3.4.1+dfsg/debian/changelog shibboleth-sp-3.4.1+dfsg/debian/changelog --- shibboleth-sp-3.4.1+dfsg/debian/changelog 2023-01-30 08:04:53.000000000 +0100 +++ shibboleth-sp-3.4.1+dfsg/debian/changelog 2025-09-06 12:38:25.000000000 +0200 @@ -1,3 +1,14 @@ +shibboleth-sp (3.4.1+dfsg-2+deb12u1) bookworm-security; urgency=high + + * [80ae771] New patch: SSPCPP-1014 - Extend escaping in strings. + Fix SQL injection vulnerability in Service Provider ODBC plugin: + specially crafted inputs can exfiltrate information stored in the + database used by the SP. The vulnerability is moderate to high + severity for anyone using the ODBC plugin, and of no impact for others. + Thanks to Scott Cantor (Closes: #1114506) + + -- Ferenc Wágner <[email protected]> Sat, 06 Sep 2025 12:38:25 +0200 + shibboleth-sp (3.4.1+dfsg-2) unstable; urgency=medium * Upload to unstable diff -Nru shibboleth-sp-3.4.1+dfsg/debian/gbp.conf shibboleth-sp-3.4.1+dfsg/debian/gbp.conf --- shibboleth-sp-3.4.1+dfsg/debian/gbp.conf 2023-01-22 14:20:06.000000000 +0100 +++ shibboleth-sp-3.4.1+dfsg/debian/gbp.conf 2025-09-06 12:37:27.000000000 +0200 @@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian/master +debian-branch = debian/bookworm upstream-branch = upstream/latest pristine-tar = True diff -Nru shibboleth-sp-3.4.1+dfsg/debian/patches/series shibboleth-sp-3.4.1+dfsg/debian/patches/series --- shibboleth-sp-3.4.1+dfsg/debian/patches/series 2023-01-22 14:20:26.000000000 +0100 +++ shibboleth-sp-3.4.1+dfsg/debian/patches/series 2025-09-06 12:37:59.000000000 +0200 
@@ -4,3 +4,4 @@ seckeygen-defaults-for-Debian.patch Use-runstatedir-from-future-Autoconf-2.70.patch configure.ac-AC_MSG_ERROR-can-t-be-used-as-value-if-not-f.patch +SSPCPP-1014-Extend-escaping-in-strings.patch diff -Nru shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch --- shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch 1970-01-01 01:00:00.000000000 +0100 +++ shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch 2025-09-06 12:37:59.000000000 +0200 @@ -0,0 +1,25 @@ +From: Scott Cantor <[email protected]> +Date: Wed, 3 Sep 2025 08:45:54 -0400 +Subject: SSPCPP-1014 - Extend escaping in strings + +--- + odbc-store/odbc-store.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/odbc-store/odbc-store.cpp b/odbc-store/odbc-store.cpp +index 2316e95..aae8520 100644 +--- a/odbc-store/odbc-store.cpp ++++ b/odbc-store/odbc-store.cpp +@@ -255,9 +255,10 @@ namespace { + string m_copy; + public: + SQLString(const char* src) : m_src(src) { +- if (strchr(src, '\'')) { ++ if (strchr(src, '\\') || strchr(src, '\'')) { + m_copy = src; +- replace_all(m_copy, "'", "''"); ++ replace_all(m_copy, "\\", "\\\\"); ++ replace_all(m_copy, "'", "\\'"); + } + } + I'm ready to upload or hand this over to the LTS Team as appropriate. -- Feri.
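Review bot: the changelog hunk names the upstream issue (SSPCPP-1014) and the Debian bug (#1114506) but no CVE identifier; if one has been assigned for this SQL injection, reference it in the entry next to `Fix SQL injection vulnerability in Service Provider ODBC plugin` so the security tracker can associate the bookworm-security upload with it.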
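Review bot: the odbc-store.cpp hunk changes the apostrophe escaping from the SQL-standard doubled form (`replace_all(m_copy, "'", "''")`) to the backslash form (`replace_all(m_copy, "'", "\\'")`), and that form is only honoured by backends that interpret backslash escapes inside string literals (MySQL/MariaDB without NO_BACKSLASH_ESCAPES). On backends with standard string handling (PostgreSQL with standard_conforming_strings on, Microsoft SQL Server) the backslash is a literal character and the following `'` still terminates the literal, so the quote is not neutralised there and legitimate values containing an apostrophe will yield malformed statements. Confirm this is intended for every database the ODBC plugin supports, or keep the `''` doubling and add only the new `\\` → `\\\\` replacement. The order of the two replacements (backslash first, then quote) is correct as written. Longer term, binding the values with SQLBindParameter instead of splicing escaped text into the statement removes the dependence on dialect-specific quoting altogether.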

