Bug#1114506: Proposed debdiff for trixie-security
Ferenc Wágner
wferi at debian.org
Sat Sep 6 11:33:17 BST 2025
Dear Security Team,
Please review the following source debdiff (straight cherry pick from
the upstream 3.5.1 tag):
$ debdiff shibboleth-sp_3.5.0+dfsg-2.dsc shibboleth-sp_3.5.0+dfsg-2+deb13u1.dsc
diff -Nru shibboleth-sp-3.5.0+dfsg/debian/changelog shibboleth-sp-3.5.0+dfsg/debian/changelog
--- shibboleth-sp-3.5.0+dfsg/debian/changelog 2025-01-12 13:52:44.000000000 +0100
+++ shibboleth-sp-3.5.0+dfsg/debian/changelog 2025-09-06 11:46:12.000000000 +0200
@@ -1,3 +1,14 @@
+shibboleth-sp (3.5.0+dfsg-2+deb13u1) trixie-security; urgency=high
+
+ * [627cc27] New patch: SSPCPP-1014 - Extend escaping in strings.
+ Fix SQL injection vulnerability in Service Provider ODBC plugin:
+ specially crafted inputs can exfiltrate information stored in the
+ database used by the SP. The vulnerability is moderate to high
+ severity for anyone using the ODBC plugin, and of no impact for others.
+ Thanks to Scott Cantor (Closes: #1114506)
+
+ -- Ferenc Wágner <wferi at debian.org> Sat, 06 Sep 2025 11:46:12 +0200
+
shibboleth-sp (3.5.0+dfsg-2) unstable; urgency=medium
* Upload to unstable
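Review bot: The new entry for 3.5.0+dfsg-2+deb13u1 describes the SQL injection fix in the ODBC plugin but carries no CVE identifier, only SSPCPP-1014 and the bug number. Since the upload is targeted at trixie-security, add the CVE ID to this entry once upstream has one assigned, so the advisory and the security tracker can reference the same string.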
diff -Nru shibboleth-sp-3.5.0+dfsg/debian/gbp.conf shibboleth-sp-3.5.0+dfsg/debian/gbp.conf
--- shibboleth-sp-3.5.0+dfsg/debian/gbp.conf 2023-01-22 14:20:06.000000000 +0100
+++ shibboleth-sp-3.5.0+dfsg/debian/gbp.conf 2025-09-06 11:43:32.000000000 +0200
@@ -1,5 +1,5 @@
[DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/trixie
upstream-branch = upstream/latest
pristine-tar = True
diff -Nru shibboleth-sp-3.5.0+dfsg/debian/patches/series shibboleth-sp-3.5.0+dfsg/debian/patches/series
--- shibboleth-sp-3.5.0+dfsg/debian/patches/series 2025-01-03 22:53:32.000000000 +0100
+++ shibboleth-sp-3.5.0+dfsg/debian/patches/series 2025-09-06 11:44:50.000000000 +0200
@@ -3,3 +3,4 @@
Debianize-the-systemd-service-file-of-shibd.patch
seckeygen-defaults-for-Debian.patch
Use-runstatedir-from-future-Autoconf-2.70.patch
+SSPCPP-1014-Extend-escaping-in-strings.patch
diff -Nru shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch
--- shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch 1970-01-01 01:00:00.000000000 +0100
+++ shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch 2025-09-06 11:44:50.000000000 +0200
@@ -0,0 +1,25 @@
+From: Scott Cantor <cantor.2 at osu.edu>
+Date: Wed, 3 Sep 2025 08:45:54 -0400
+Subject: SSPCPP-1014 - Extend escaping in strings
+
+---
+ odbc-store/odbc-store.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/odbc-store/odbc-store.cpp b/odbc-store/odbc-store.cpp
+index 2316e95..aae8520 100644
+--- a/odbc-store/odbc-store.cpp
++++ b/odbc-store/odbc-store.cpp
+@@ -255,9 +255,10 @@ namespace {
+ string m_copy;
+ public:
+ SQLString(const char* src) : m_src(src) {
+- if (strchr(src, '\'')) {
++ if (strchr(src, '\\') || strchr(src, '\'')) {
+ m_copy = src;
+- replace_all(m_copy, "'", "''");
++ replace_all(m_copy, "\\", "\\\\");
++ replace_all(m_copy, "'", "\\'");
+ }
+ }
+
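Review bot: In the SQLString constructor, the replacement of `replace_all(m_copy, "'", "''")` with `replace_all(m_copy, "'", "\\'")` makes the quoting correct only on backends that treat backslash as an escape character inside string literals. In standard SQL a backslash has no special meaning in a literal and a quote is escaped by doubling it, so on such a backend the quote in `\'` is no longer neutralised by this code. The patch header has only a Subject line and does not say which ODBC backends the change was checked against. Please confirm with upstream which database configurations are supported, and record that in the patch description. Longer term, binding values as statement parameters would remove the dependency on backend escaping rules altogether. The order of the two calls (backslash first, then quote) is right and should stay that way.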
Upstream is requesting a CVE ID for this issue, but I don't know it
yet.
I'm ready to upload on your word. Do you still handle bookworm security
uploads, or is that LTS territory now?
--
Thanks,
Feri.