Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id
<ee4c0876608d99eb3f8b333b556fbd92e7a652eb.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1105113,
regarding bookworm-pu: package simplesamlphp/1.19.7-1+deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1105113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105113
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:simplesamlphp
User: [email protected]
Usertags: pu
Hi,
this s-p-u is to fix CVE-2025-27773, a signature confusion attack,
to close the gap after fixing LTS (bullseye) and unstable.
(The package will not be in trixie)
[ Tests ]
Manual test in VM, setting up simplesamlphp as service provider and
identity provider and testing if things are still working.
Joost also helped out in testing, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595#20
The patch is identical for unstable and bullseye, as the file which has
been patched is identical too on all those versions, so the testing
Joost has done is applicable too.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The patch has been backported from the upstream changeset, origin:
https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0
[ Other info ]
This s-p-u has been done in coordination with, and with the approval of,
the security team.
I will upload the new package to the queue after sending this email.
Cheers
--
tobi
diff -Nru simplesamlphp-1.19.7/debian/changelog simplesamlphp-1.19.7/debian/changelog
--- simplesamlphp-1.19.7/debian/changelog 2024-12-01 16:41:33.000000000 +0100
+++ simplesamlphp-1.19.7/debian/changelog 2025-05-11 08:35:04.000000000 +0200
@@ -1,7 +1,14 @@
+simplesamlphp (1.19.7-1+deb12u2) bookworm; urgency=medium
+
+ * Team upload for stable proposed updates.
+ * Fix CVE-2025-27773 (Closes: #1100595)
+
+ -- Tobias Frost <[email protected]> Sun, 11 May 2025 08:35:04 +0200
+
simplesamlphp (1.19.7-1+deb12u1) bookworm-security; urgency=high
* Upload to the security archive.
- * Fix CVE-2024-52596
+ * Fix CVE-2024-52596 (Closes: #1088904)
-- Thijs Kinkhorst <[email protected]> Sun, 01 Dec 2024 16:41:33 +0100
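Review bot: the `(Closes: #1088904)` added to the already-released 1.19.7-1+deb12u1 entry is documentation only; dpkg-genchanges puts only the newest changelog entry into the .changes Closes field unless the build passes `-v`, so if #1088904 is still open this upload will not close it and it needs closing by hand (or the reference belongs in the new deb12u2 entry). The new entry could also say what CVE-2025-27773 is, e.g. `* Fix CVE-2025-27773: signature confusion in the SAML HTTP-Redirect binding`, so that readers of `apt changelog` see the impact without looking up the CVE.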
diff -Nru simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch
--- simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch 1970-01-01 01:00:00.000000000 +0100
+++ simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch 2025-05-11 08:25:15.000000000 +0200
@@ -0,0 +1,122 @@
+Description: CVE-2025-27773 - signature confusion attack
+Origin: https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595
+Bug: https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56
+
+--- a/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php
++++ b/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php
+@@ -94,7 +94,7 @@
+ /**
+ * Receive a SAML 2 message sent using the HTTP-Redirect binding.
+ *
+- * Throws an exception if it is unable receive the message.
++ * Throws an exception if it is unable to receive the message.
+ *
+ * @throws \Exception
+ * @return \SAML2\Message The received message.
+@@ -104,10 +104,36 @@
+ public function receive(): Message
+ {
+ $data = self::parseQuery();
+- if (array_key_exists('SAMLRequest', $data)) {
+- $message = $data['SAMLRequest'];
+- } elseif (array_key_exists('SAMLResponse', $data)) {
+- $message = $data['SAMLResponse'];
++ $signedQuery = $data['SignedQuery'];
++
++ /**
++ * Get the SAMLRequest/SAMLResponse from the exact same signed data that will be verified later in
++ * validateSignature into $res using the actual SignedQuery
++ */
++ $res = [];
++ foreach (explode('&', $signedQuery) as $e) {
++ $tmp = explode('=', $e, 2);
++ $name = $tmp[0];
++ if (count($tmp) === 2) {
++ $value = $tmp[1];
++ } else {
++ /* No value for this parameter. */
++ $value = '';
++ }
++ $name = urldecode($name);
++ $res[$name] = urldecode($value);
++ }
++
++ /**
++ * Put the SAMLRequest/SAMLResponse from the actual query string into $message,
++ * and assert that the result from parseQuery() in $data and the parsing of the SignedQuery in $res agree
++ */
++ if (array_key_exists('SAMLRequest', $res)) {
++ Assert::same($res['SAMLRequest'], $data['SAMLRequest'], 'Parse failure.');
++ $message = $res['SAMLRequest'];
++ } elseif (array_key_exists('SAMLResponse', $res)) {
++ Assert::same($res['SAMLResponse'], $data['SAMLResponse'], 'Parse failure.');
++ $message = $res['SAMLResponse'];
+ } else {
+ throw new \Exception('Missing SAMLRequest or SAMLResponse parameter.');
+ }
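Review bot: the new code calls `Assert::same`, but the hunk shows no `use` statement for the Assert class; confirm that HTTPRedirect.php in the saml2 copy vendored with 1.19.7 already imports it (the upstream commit targets a newer saml2 than bookworm bundles), otherwise the first signed message will fail with a class-not-found error instead of a validation error. The loop that splits `$signedQuery` duplicates the loop in parseQuery(); a small shared helper would keep the two from drifting apart, though copying is acceptable for a minimal backport. Lastly, `'Parse failure.'` as the exception text gives an operator reading the log nothing to act on; naming the parameter, e.g. `'SAMLRequest differs between query string and SignedQuery.'`, would make these rejections recognisable.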
+@@ -116,7 +142,7 @@
+ throw new \Exception('Unknown SAMLEncoding: '.var_export($data['SAMLEncoding'], true));
+ }
+
+- $message = base64_decode($message);
++ $message = base64_decode($message, true);
+ if ($message === false) {
+ throw new \Exception('Error while base64 decoding SAML message.');
+ }
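Review bot: passing `true` as the second argument makes base64_decode() return false for input containing characters outside the base64 alphabet (and for data following padding) instead of silently discarding them, which is a behaviour change for peers that send sloppy encodings. It is the right choice for signed input, since the signature covers the encoded string and any decoder tolerance is ambiguity between what was signed and what is used, but the changelog entry does not mention it and should, so that a message rejected after the update can be traced to this change.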
+@@ -141,6 +167,15 @@
+ return $message;
+ }
+
++ /**
++ * 3.4.5.2 - SAML Bindings
++ *
++ * If the message is signed, the Destination XML attribute in the root SAML element of the protocol
++ * message MUST contain the URL to which the sender has instructed the user agent to deliver the
++ * message.
++ */
++ Assert::notNull($message->getDestination()); // Validation of the value must be done upstream
++
+ if (!array_key_exists('SigAlg', $data)) {
+ throw new \Exception('Missing signature algorithm.');
+ }
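Review bot: `Assert::notNull($message->getDestination())` only enforces presence of the Destination attribute, as the comment says; validating the value (comparing it with the URL this endpoint was reached on) is delegated upstream, so whoever merges this backport should confirm that the SP/IdP code in 1.19.7 actually performs that comparison for HTTP-Redirect messages, otherwise the bindings requirement quoted in the comment is met only half-way. The placement is correct: the assertion sits after the early `return $message;` for unsigned messages, so it applies exactly to the signed case the quoted spec text covers.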
+@@ -148,7 +183,7 @@
+ $signData = [
+ 'Signature' => $data['Signature'],
+ 'SigAlg' => $data['SigAlg'],
+- 'Query' => $data['SignedQuery'],
++ 'Query' => $signedQuery,
+ ];
+
+ $message->addValidator([get_class($this), 'validateSignature'], $signData);
+@@ -165,6 +200,7 @@
+ * signed.
+ *
+ * @return array The query data that is signed.
++ * @throws \Exception
+ */
+ private static function parseQuery() : array
+ {
+@@ -186,7 +222,12 @@
+ /* No value for this parameter. */
+ $value = '';
+ }
++
+ $name = urldecode($name);
++ // Prevent keys from being set more than once
++ if (array_key_exists($name, $data)) {
++ throw new \Exception('Duplicate parameter.');
++ }
+ $data[$name] = urldecode($value);
+
+ switch ($name) {
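Review bot: the duplicate check is placed after `urldecode($name)` and before both the `$data[$name] = ...` assignment and the switch, which is the right spot: a second copy of SAMLRequest, including one spelled with percent-encoding such as `SAML%52equest`, can no longer overwrite `$data` or replace the `$sigQuery` fragment, so the parsed message and the signed data can no longer diverge through repetition. Two small points: `'Duplicate parameter.'` should include the parameter name so that repeated hits stand out in logs, and the comparison is case-sensitive, which matches PHP's own `$_GET` semantics but deserves a one-line comment.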
+@@ -202,6 +243,9 @@
+ break;
+ }
+ }
++ if (array_key_exists('SAMLRequest', $data) && array_key_exists('SAMLResponse', $data)) {
++ throw new \Exception('Both SAMLRequest and SAMLResponse provided.');
++ }
+
+ $data['SignedQuery'] = $sigQuery.$relayState.$sigAlg;
+
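Review bot: the both-present check runs after the loop, by which time `$sigQuery` already holds whichever of SAMLRequest/SAMLResponse appeared last while receive() used to prefer SAMLRequest; throwing here closes that mismatch, and because the exception is raised before `SignedQuery` is assembled nothing downstream sees inconsistent state. As with the duplicate check, consider a dedicated exception class or a distinctive message prefix for these rejections, so that an operator can tell a rejected request from an internal error when reading the logs.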
diff -Nru simplesamlphp-1.19.7/debian/patches/series simplesamlphp-1.19.7/debian/patches/series
--- simplesamlphp-1.19.7/debian/patches/series 2024-12-01 16:41:33.000000000 +0100
+++ simplesamlphp-1.19.7/debian/patches/series 2025-05-11 08:25:15.000000000 +0200
@@ -1,2 +1,3 @@
debian_config.patch
CVE-2024-52596.patch
+CVE-2025-27773.patch
--- End Message ---
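The parsing checks the backported patch adds to parseQuery() and receive() are easy to lose sight of among the diff context, so here is a stand-alone Python model of them, added as an illustration and not code from the page or from SimpleSAMLphp. It assumes the surrounding upstream logic visible in the hunk context (the SignedQuery string is the raw SAMLRequest/SAMLResponse fragment followed by RelayState and SigAlg) and models PHP's urldecode() with unquote_plus(); the function names, the RedirectBindingError class and the sample query strings are constructed for this example. Signature verification over the returned signed query and the Destination assertion are out of scope here.

```python
# Added example (not SimpleSAMLphp code): a stand-alone Python model of the
# hardened HTTP-Redirect query parsing that the backported patch introduces.
# Function names, RedirectBindingError and the sample query strings are
# constructed for this illustration; PHP's urldecode() is modelled with
# unquote_plus(), which likewise turns '+' into a space.
from urllib.parse import unquote_plus


class RedirectBindingError(Exception):
    """Raised for query strings the hardened parser refuses."""


def _split_pairs(raw_query):
    """Yield (name, value) pairs, percent-decoding both parts.

    Mirrors the explode('&') / explode('=', 2) / urldecode() loop that the
    patched receive() runs over SignedQuery."""
    for element in raw_query.split("&"):
        name, _sep, value = element.partition("=")  # value is '' if no '='
        yield unquote_plus(name), unquote_plus(value)


def parse_query(raw_query):
    """Model of the patched parseQuery(): returns (data, signed_query).

    signed_query is the exact string the signature is verified over: the raw
    (still encoded) SAMLRequest/SAMLResponse, then RelayState, then SigAlg,
    assembled as in the upstream code surrounding the hunk."""
    data = {}
    sig_query = relay_state = sig_alg = ""
    for element in raw_query.split("&"):
        name, _sep, value = element.partition("=")
        name = unquote_plus(name)
        # Patch: refuse a parameter that appears twice. Before the fix a second
        # copy overwrote $data[$name] and, for SAMLRequest/SAMLResponse, the
        # fragment that ends up in the signed data.
        if name in data:
            raise RedirectBindingError(f"Duplicate parameter: {name}")
        data[name] = unquote_plus(value)
        if name in ("SAMLRequest", "SAMLResponse"):
            sig_query = f"{name}={value}"
        elif name == "RelayState":
            relay_state = f"&RelayState={value}"
        elif name == "SigAlg":
            sig_alg = f"&SigAlg={value}"
    # Patch: a request must carry exactly one of the two message parameters.
    if "SAMLRequest" in data and "SAMLResponse" in data:
        raise RedirectBindingError("Both SAMLRequest and SAMLResponse provided.")
    return data, sig_query + relay_state + sig_alg


def receive_message(raw_query):
    """Model of the patched receive() up to the point where the message is
    decoded: returns (parameter_name, encoded_message, signed_query).

    The message is taken from the re-parsed signed data and must agree with
    the ordinary parse, so the bytes that are verified are the bytes used."""
    data, signed_query = parse_query(raw_query)
    signed = dict(_split_pairs(signed_query))
    for param in ("SAMLRequest", "SAMLResponse"):
        if param in signed:
            if signed[param] != data.get(param):
                raise RedirectBindingError(
                    f"Parse failure: {param} differs between query string "
                    "and signed data.")
            return param, signed[param], signed_query
    raise RedirectBindingError("Missing SAMLRequest or SAMLResponse parameter.")


def rejection_reason(raw_query):
    """Return the error text the parser raises for raw_query, or None when the
    query is accepted (handy for replaying query strings from access logs)."""
    try:
        receive_message(raw_query)
    except RedirectBindingError as exc:
        return str(exc)
    return None


# Constructed sample query strings (values are placeholders, not real SAML).
GOOD_QUERY = ("SAMLRequest=abc%2Bdef&RelayState=xyz"
              "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
              "&Signature=c2ln")
DUPLICATE_QUERY = "SAMLRequest=aaaa&SAMLRequest=bbbb&SigAlg=alg&Signature=c2ln"
ENCODED_DUPLICATE_QUERY = "SAMLRequest=aaaa&SAML%52equest=bbbb&SigAlg=alg&Signature=c2ln"
BOTH_QUERY = "SAMLRequest=aaaa&SAMLResponse=bbbb&SigAlg=alg&Signature=c2ln"

if __name__ == "__main__":
    for label, query in [("good", GOOD_QUERY), ("duplicate", DUPLICATE_QUERY),
                         ("encoded duplicate", ENCODED_DUPLICATE_QUERY),
                         ("both", BOTH_QUERY)]:
        print(f"{label:18} -> {rejection_reason(query) or 'accepted'}")
```

The third element returned by `receive_message()` is the string a real implementation must verify the detached signature over; the model stops there because no key material is involved. The encoded-duplicate case shows why the patch decodes the parameter name before the duplicate check: `SAML%52equest` and `SAMLRequest` are the same key once decoded.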
--- Begin Message ---
Package: release.debian.org
Version: 12.12
Hi,
Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.
Regards,
Adam
--- End Message ---