Dear Security Team, Please review the following source debdiff (straight cherry pick from the upstream 3.5.1 tag):
$ debdiff shibboleth-sp_3.5.0+dfsg-2.dsc shibboleth-sp_3.5.0+dfsg-2+deb13u1.dsc diff -Nru shibboleth-sp-3.5.0+dfsg/debian/changelog shibboleth-sp-3.5.0+dfsg/debian/changelog --- shibboleth-sp-3.5.0+dfsg/debian/changelog 2025-01-12 13:52:44.000000000 +0100 +++ shibboleth-sp-3.5.0+dfsg/debian/changelog 2025-09-06 11:46:12.000000000 +0200 @@ -1,3 +1,14 @@ +shibboleth-sp (3.5.0+dfsg-2+deb13u1) trixie-security; urgency=high + + * [627cc27] New patch: SSPCPP-1014 - Extend escaping in strings. + Fix SQL injection vulnerability in Service Provider ODBC plugin: + specially crafted inputs can exfiltrate information stored in the + database used by the SP. The vulnerability is moderate to high + severity for anyone using the ODBC plugin, and of no impact for others. + Thanks to Scott Cantor (Closes: #1114506) + + -- Ferenc Wágner <[email protected]> Sat, 06 Sep 2025 11:46:12 +0200 + shibboleth-sp (3.5.0+dfsg-2) unstable; urgency=medium * Upload to unstable diff -Nru shibboleth-sp-3.5.0+dfsg/debian/gbp.conf shibboleth-sp-3.5.0+dfsg/debian/gbp.conf --- shibboleth-sp-3.5.0+dfsg/debian/gbp.conf 2023-01-22 14:20:06.000000000 +0100 +++ shibboleth-sp-3.5.0+dfsg/debian/gbp.conf 2025-09-06 11:43:32.000000000 +0200 @@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian/master +debian-branch = debian/trixie upstream-branch = upstream/latest pristine-tar = True diff -Nru shibboleth-sp-3.5.0+dfsg/debian/patches/series shibboleth-sp-3.5.0+dfsg/debian/patches/series --- shibboleth-sp-3.5.0+dfsg/debian/patches/series 2025-01-03 22:53:32.000000000 +0100 +++ shibboleth-sp-3.5.0+dfsg/debian/patches/series 2025-09-06 11:44:50.000000000 +0200 
@@ -3,3 +3,4 @@ Debianize-the-systemd-service-file-of-shibd.patch seckeygen-defaults-for-Debian.patch Use-runstatedir-from-future-Autoconf-2.70.patch +SSPCPP-1014-Extend-escaping-in-strings.patch diff -Nru shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch --- shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch 1970-01-01 01:00:00.000000000 +0100 +++ shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch 2025-09-06 11:44:50.000000000 +0200 @@ -0,0 +1,25 @@ +From: Scott Cantor <[email protected]> +Date: Wed, 3 Sep 2025 08:45:54 -0400 +Subject: SSPCPP-1014 - Extend escaping in strings + +--- + odbc-store/odbc-store.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/odbc-store/odbc-store.cpp b/odbc-store/odbc-store.cpp +index 2316e95..aae8520 100644 +--- a/odbc-store/odbc-store.cpp ++++ b/odbc-store/odbc-store.cpp +@@ -255,9 +255,10 @@ namespace { + string m_copy; + public: + SQLString(const char* src) : m_src(src) { +- if (strchr(src, '\'')) { ++ if (strchr(src, '\\') || strchr(src, '\'')) { + m_copy = src; +- replace_all(m_copy, "'", "''"); ++ replace_all(m_copy, "\\", "\\\\"); ++ replace_all(m_copy, "'", "\\'"); + } + } + Upstream is requesting a CVE ID for this issue, but I don't know it yet. I'm ready to upload on your word. Do you still handle bookworm security uploads, or is that LTS territory now? -- Thanks, Feri.
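Review bot: the debian/changelog hunk references the issue only as SSPCPP-1014 and carries no CVE identifier, while the covering mail says upstream has requested one that is not yet known; stable-security changelog entries are normally expected to name the CVE so the tracker can match the upload, so either wait for the assignment and add it next to the `SSPCPP-1014` reference, or state in the entry that the ID was still pending at upload time. The scope statement (impact limited to ODBC plugin users) and the `Closes: #1114506` reference are fine as written.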
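Review bot: in the `SQLString` constructor hunk of the new SSPCPP-1014 patch, escaping changes from doubling single quotes (`replace_all(m_copy, "'", "''")`) to backslash-prefixing them (`replace_all(m_copy, "'", "\\'")`) plus doubling backslashes, which is only a correct string escape for backends that treat a backslash as an escape character inside string literals (MySQL-style); for ANSI-style backends where a backslash is an ordinary character, `\'` no longer escapes the quote and the literal is terminated early, so the fix would not hold there. As this is a straight upstream cherry-pick it should not be altered in the Debian patch, but it is worth confirming with upstream which ODBC backends the plugin is supported against and having the patch header or the `odbc-store.cpp` comment state that assumption; the robust alternative is to pass these values as bound parameters via `SQLBindParameter` so the driver, not `SQLString`, handles quoting.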

