Hi Ferenc, On Sat, Sep 06, 2025 at 12:58:32PM +0200, Ferenc Wágner wrote: > On Sat, 06 Sep 2025 12:33:17 +0200 Ferenc Wágner > <[email protected]> wrote: > > > Do you still handle bookworm security uploads, or is that LTS > > territory now? > > Anyway, the analogous debdiff for bookworm is: > > $ debdiff shibboleth-sp_3.4.1+dfsg-2.dsc > shibboleth-sp_3.4.1+dfsg-2+deb12u1.dsc > diff -Nru shibboleth-sp-3.4.1+dfsg/debian/changelog > shibboleth-sp-3.4.1+dfsg/debian/changelog > --- shibboleth-sp-3.4.1+dfsg/debian/changelog 2023-01-30 08:04:53.000000000 > +0100 > +++ shibboleth-sp-3.4.1+dfsg/debian/changelog 2025-09-06 12:38:25.000000000 > +0200 > @@ -1,3 +1,14 @@ > +shibboleth-sp (3.4.1+dfsg-2+deb12u1) bookworm-security; urgency=high > + > + * [80ae771] New patch: SSPCPP-1014 - Extend escaping in strings. > + Fix SQL injection vulnerability in Service Provider ODBC plugin: > + specially crafted inputs can exfiltrate information stored in the > + database used by the SP. The vulnerability is moderate to high > + severity for anyone using the ODBC plugin, and of no impact for others. > + Thanks to Scott Cantor (Closes: #1114506) > + > + -- Ferenc Wágner <[email protected]> Sat, 06 Sep 2025 12:38:25 +0200 > + > shibboleth-sp (3.4.1+dfsg-2) unstable; urgency=medium > > * Upload to unstable > diff -Nru shibboleth-sp-3.4.1+dfsg/debian/gbp.conf > shibboleth-sp-3.4.1+dfsg/debian/gbp.conf > --- shibboleth-sp-3.4.1+dfsg/debian/gbp.conf 2023-01-22 14:20:06.000000000 > +0100 > +++ shibboleth-sp-3.4.1+dfsg/debian/gbp.conf 2025-09-06 12:37:27.000000000 > +0200
> @@ -1,5 +1,5 @@ > [DEFAULT] > -debian-branch = debian/master > +debian-branch = debian/bookworm > upstream-branch = upstream/latest > pristine-tar = True > > diff -Nru shibboleth-sp-3.4.1+dfsg/debian/patches/series > shibboleth-sp-3.4.1+dfsg/debian/patches/series > --- shibboleth-sp-3.4.1+dfsg/debian/patches/series 2023-01-22 > 14:20:26.000000000 +0100 > +++ shibboleth-sp-3.4.1+dfsg/debian/patches/series 2025-09-06 > 12:37:59.000000000 +0200 > @@ -4,3 +4,4 @@ > seckeygen-defaults-for-Debian.patch > Use-runstatedir-from-future-Autoconf-2.70.patch > configure.ac-AC_MSG_ERROR-can-t-be-used-as-value-if-not-f.patch > +SSPCPP-1014-Extend-escaping-in-strings.patch > diff -Nru > shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch > > shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch > --- > shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch > 2025-09-06 12:37:59.000000000 +0200 > @@ -0,0 +1,25 @@ > +From: Scott Cantor <[email protected]> > +Date: Wed, 3 Sep 2025 08:45:54 -0400 > +Subject: SSPCPP-1014 - Extend escaping in strings > + > +--- > + odbc-store/odbc-store.cpp | 5 +++-- > + 1 file changed, 3 insertions(+), 2 deletions(-) > + > +diff --git a/odbc-store/odbc-store.cpp b/odbc-store/odbc-store.cpp > +index 2316e95..aae8520 100644 > +--- a/odbc-store/odbc-store.cpp > ++++ b/odbc-store/odbc-store.cpp > +@@ -255,9 +255,10 @@ namespace { > + string m_copy; > + public: > + SQLString(const char* src) : m_src(src) { > +- if (strchr(src, '\'')) { > ++ if (strchr(src, '\\') || strchr(src, '\'')) { > + m_copy = src; > +- replace_all(m_copy, "'", "''"); > ++ replace_all(m_copy, "\\", "\\\\"); > ++ replace_all(m_copy, "'", "\\'"); > + } > + } > + > > I'm ready to upload or hand this over to the LTS Team as appropriate.
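Review bot: the changelog bullet in the first hunk references SSPCPP-1014 and Closes: #1114506 but no CVE identifier; if one has been assigned for this SQL injection, add it to the bullet (e.g. as "(CVE-..., Closes: #1114506)") so the security tracker can match the bookworm-security upload to the issue, and mention it in the DEP-3 header of the new patch as well.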
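Review bot: the SQLString hunk in odbc-store.cpp replaces the SQL-standard doubled quote (`replace_all(m_copy, "'", "''")`) with backslash escapes (`\\` and `\'`), which is only correct on a backend whose string lexer treats backslash as an escape character; on a standard-conforming backend, where a backslash inside a literal is an ordinary character, `\'` leaves the quote unescaped and the literal closes early, so the change swaps one dialect's problem for another's. The patch header carries only a subject line, so it should state which ODBC backends the store targets and why `''` alone was insufficient there; the ordering in the hunk, backslashes first (`replace_all(m_copy, "\\", "\\\\")`) and quotes second (`replace_all(m_copy, "'", "\\'")`), is the right one and deserves a comment, since reversing it would re-escape the backslashes just inserted. Longer term, binding the value with SQLBindParameter instead of splicing it into the statement text removes the dialect dependence altogether.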
Looks good as well, please upload equally to security-master (as well here built with -sa).

Regards,
Salvatore
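The following is an added example, not Shibboleth SP code and not part of this thread: it reimplements the two SQLString escaping strategies seen in the quoted patch (doubled quote before, backslash escapes after) beside a deliberately minimal model of how a SQL lexer reads a single-quoted literal, so the dialect dependence can be checked on a constructed input. The `replace_all` helper, the `Literal` type, the `read_literal` lexer and the sample payload are all assumptions made here; real backends have more literal syntax than this model (E'' strings, dollar quoting, charset prefixes), and `backslash_escapes` only stands in for the MySQL-style versus SQL-standard treatment of backslash.

```cpp
// Added example (not project code): compares the pre- and post-patch
// escaping of odbc-store's SQLString under two SQL literal dialects.
#include <cstddef>
#include <cstdio>
#include <string>

// Local stand-in for the replace_all used in the patch: replace every
// occurrence of `from` in `s` with `to`, scanning left to right.
static void replace_all(std::string& s, const std::string& from, const std::string& to) {
    std::size_t pos = 0;
    while ((pos = s.find(from, pos)) != std::string::npos) {
        s.replace(pos, from.size(), to);
        pos += to.size();  // skip the inserted text so it is not rescanned
    }
}

// Escaping before the patch: only single quotes are doubled.
std::string escape_old(std::string s) {
    replace_all(s, "'", "''");
    return s;
}

// Escaping after the patch: backslashes first, then quotes (same order as
// the hunk; reversing it would re-escape the inserted backslashes).
std::string escape_new(std::string s) {
    replace_all(s, "\\", "\\\\");
    replace_all(s, "'", "\\'");
    return s;
}

// Result of lexing one quoted literal: the decoded value, whether a closing
// quote was found, and whatever text followed it. Non-empty `rest` means
// the input broke out of the literal, i.e. the injection case.
struct Literal {
    std::string value;
    bool closed;
    std::string rest;
};

// Simplified model (assumption, not any backend's real lexer):
//  backslash_escapes = true  -> MySQL-style: '\x' yields x, '' also yields '
//  backslash_escapes = false -> SQL standard: backslash is ordinary, only
//                               '' escapes a quote
Literal read_literal(const std::string& sql, bool backslash_escapes) {
    Literal out{"", false, ""};
    if (sql.empty() || sql[0] != '\'') return out;
    std::size_t i = 1;
    while (i < sql.size()) {
        char c = sql[i];
        if (backslash_escapes && c == '\\' && i + 1 < sql.size()) {
            out.value += sql[i + 1];
            i += 2;
            continue;
        }
        if (c == '\'') {
            if (i + 1 < sql.size() && sql[i + 1] == '\'') {
                out.value += '\'';
                i += 2;
                continue;
            }
            out.closed = true;
            out.rest = sql.substr(i + 1);
            return out;
        }
        out.value += c;
        ++i;
    }
    return out;  // unterminated literal
}

// Escape `raw` with the chosen strategy, wrap it in quotes the way the
// store splices values into statement text, and lex it back.
Literal round_trip(const std::string& raw, bool new_escaping, bool backslash_escapes) {
    std::string esc = new_escaping ? escape_new(raw) : escape_old(raw);
    return read_literal("'" + esc + "'", backslash_escapes);
}

// True when the value did not survive as a single closed literal.
bool spills(const std::string& raw, bool new_escaping, bool backslash_escapes) {
    Literal l = round_trip(raw, new_escaping, backslash_escapes);
    return !l.closed || !l.rest.empty();
}

// The value the backend would actually see.
std::string decoded(const std::string& raw, bool new_escaping, bool backslash_escapes) {
    return round_trip(raw, new_escaping, backslash_escapes).value;
}

int main() {
    const std::string raw = "x\\' OR 1=1 --";  // constructed sample input
    for (int e = 0; e < 2; ++e)
        for (int d = 0; d < 2; ++d)
            std::printf("%-14s escaping, %-9s dialect: %s\n",
                        e ? "backslash" : "doubled-quote",
                        d ? "backslash" : "standard",
                        spills(raw, e == 1, d == 1) ? "INJECTION" : "safe");
    return 0;
}
```

Running it prints one line per combination: the doubled-quote escaping spills under the backslash dialect and the backslash escaping spills under the standard dialect, which is why the choice of escaping has to match the backend, or be avoided with bound parameters.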

