Hi Ferenc, On Sat, Sep 06, 2025 at 12:33:17PM +0200, Ferenc Wágner wrote: > Dear Security Team, > > Please review the following source debdiff (straight cherry pick from > the upstream 3.5.1 tag): > > $ debdiff shibboleth-sp_3.5.0+dfsg-2.dsc > shibboleth-sp_3.5.0+dfsg-2+deb13u1.dsc > diff -Nru shibboleth-sp-3.5.0+dfsg/debian/changelog > shibboleth-sp-3.5.0+dfsg/debian/changelog > --- shibboleth-sp-3.5.0+dfsg/debian/changelog 2025-01-12 13:52:44.000000000 > +0100 > +++ shibboleth-sp-3.5.0+dfsg/debian/changelog 2025-09-06 11:46:12.000000000 > +0200 > @@ -1,3 +1,14 @@ > +shibboleth-sp (3.5.0+dfsg-2+deb13u1) trixie-security; urgency=high > + > + * [627cc27] New patch: SSPCPP-1014 - Extend escaping in strings. > + Fix SQL injection vulnerability in Service Provider ODBC plugin: > + specially crafted inputs can exfiltrate information stored in the > + database used by the SP. The vulnerability is moderate to high > + severity for anyone using the ODBC plugin, and of no impact for others. > + Thanks to Scott Cantor (Closes: #1114506) > + > + -- Ferenc Wágner <[email protected]> Sat, 06 Sep 2025 11:46:12 +0200 > + > shibboleth-sp (3.5.0+dfsg-2) unstable; urgency=medium > > * Upload to unstable > diff -Nru shibboleth-sp-3.5.0+dfsg/debian/gbp.conf > shibboleth-sp-3.5.0+dfsg/debian/gbp.conf > --- shibboleth-sp-3.5.0+dfsg/debian/gbp.conf 2023-01-22 14:20:06.000000000 > +0100 > +++ shibboleth-sp-3.5.0+dfsg/debian/gbp.conf 2025-09-06 11:43:32.000000000 > +0200 > @@ -1,5 +1,5 @@ > [DEFAULT] > -debian-branch = debian/master > +debian-branch = debian/trixie > upstream-branch = upstream/latest > pristine-tar = True > > diff -Nru shibboleth-sp-3.5.0+dfsg/debian/patches/series > shibboleth-sp-3.5.0+dfsg/debian/patches/series > --- shibboleth-sp-3.5.0+dfsg/debian/patches/series 2025-01-03 > 22:53:32.000000000 +0100 > +++ shibboleth-sp-3.5.0+dfsg/debian/patches/series 2025-09-06 > 11:44:50.000000000 +0200 
> @@ -3,3 +3,4 @@ > Debianize-the-systemd-service-file-of-shibd.patch > seckeygen-defaults-for-Debian.patch > Use-runstatedir-from-future-Autoconf-2.70.patch > +SSPCPP-1014-Extend-escaping-in-strings.patch > diff -Nru > shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch > > shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch > --- > shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch > 2025-09-06 11:44:50.000000000 +0200 > @@ -0,0 +1,25 @@ > +From: Scott Cantor <[email protected]> > +Date: Wed, 3 Sep 2025 08:45:54 -0400 > +Subject: SSPCPP-1014 - Extend escaping in strings > + > +--- > + odbc-store/odbc-store.cpp | 5 +++-- > + 1 file changed, 3 insertions(+), 2 deletions(-) > + > +diff --git a/odbc-store/odbc-store.cpp b/odbc-store/odbc-store.cpp > +index 2316e95..aae8520 100644 > +--- a/odbc-store/odbc-store.cpp > ++++ b/odbc-store/odbc-store.cpp > +@@ -255,9 +255,10 @@ namespace { > + string m_copy; > + public: > + SQLString(const char* src) : m_src(src) { > +- if (strchr(src, '\'')) { > ++ if (strchr(src, '\\') || strchr(src, '\'')) { > + m_copy = src; > +- replace_all(m_copy, "'", "''"); > ++ replace_all(m_copy, "\\", "\\\\"); > ++ replace_all(m_copy, "'", "\\'"); > + } > + } > +
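Review bot: the SQLString hunk in odbc-store.cpp replaces the doubled-quote escaping (replace_all(m_copy, "'", "''")) with backslash escaping (replace_all(m_copy, "\\", "\\\\") followed by replace_all(m_copy, "'", "\\'")), and that form is only correct on backends whose string literals treat backslash as an escape character (MySQL/MariaDB in the default sql_mode). On a standard-conforming backend (PostgreSQL with standard_conforming_strings, SQL Server, Oracle, DB2) a backslash is an ordinary character, so "\'" leaves the quote live and the escaping fails there, whereas the old "''" form was the one that worked on those. The old form was unsafe on backslash-interpreting backends (an input of backslash followed by quote became "\''", which such a backend reads as an escaped quote followed by a terminating quote), which is presumably why upstream changed it, but since the ODBC plugin is backend-neutral the patch should either escape for both dialects (double the quote and, where backslash is an escape, double the backslash too) or, better, bind these values as parameters with SQLBindParameter so no literal escaping is needed; at minimum the changelog or a code comment should state which backends the new escaping is valid for. The order of the two replace_all calls (backslashes first, then quotes) is the right one, since reversing it would double the backslash inserted for the quote.

Review bot: the debian/changelog hunk records the fix against upstream issue SSPCPP-1014 and Debian bug #1114506 but carries no CVE identifier; since upstream has requested one (as the reply below says), the identifier should be added to the changelog entry once assigned, or noted in a follow-up, so the security tracker can match the upload to the advisory.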
Unfortunately the upstream issue is not accessible, but based on the above it looks good. Please upload this to security-master (make sure to build with -sa).

> Upstream is requesting a CVE ID for this issue, but I don't know it
> yet.

Ok!

> I'm ready to upload on your word. Do you still handle bookworm security
> uploads, or is that LTS territory now?

Yes, bookworm is still regularly supported; I will have a look at your second diff as well.

Regards,
Salvatore

