Bug#1114506: Proposed debdiff for bookworm-security

Ferenc Wágner wferi at debian.org
Sat Sep 6 11:58:32 BST 2025


On Sat, 06 Sep 2025 12:33:17 +0200 Ferenc Wágner <wferi at debian.org> wrote:

> Do you still handle bookworm security uploads, or is that LTS
> territory now?

Anyway, the analogous debdiff for bookworm is:

$ debdiff shibboleth-sp_3.4.1+dfsg-2.dsc shibboleth-sp_3.4.1+dfsg-2+deb12u1.dsc 
diff -Nru shibboleth-sp-3.4.1+dfsg/debian/changelog shibboleth-sp-3.4.1+dfsg/debian/changelog
--- shibboleth-sp-3.4.1+dfsg/debian/changelog	2023-01-30 08:04:53.000000000 +0100
+++ shibboleth-sp-3.4.1+dfsg/debian/changelog	2025-09-06 12:38:25.000000000 +0200
@@ -1,3 +1,14 @@
+shibboleth-sp (3.4.1+dfsg-2+deb12u1) bookworm-security; urgency=high
+
+  * [80ae771] New patch: SSPCPP-1014 - Extend escaping in strings.
+    Fix SQL injection vulnerability in Service Provider ODBC plugin:
+    specially crafted inputs can exfiltrate information stored in the
+    database used by the SP.  The vulnerability is moderate to high
+    severity for anyone using the ODBC plugin, and of no impact for others.
+    Thanks to Scott Cantor (Closes: #1114506)
+
+ -- Ferenc Wágner <wferi at debian.org>  Sat, 06 Sep 2025 12:38:25 +0200
+
 shibboleth-sp (3.4.1+dfsg-2) unstable; urgency=medium
 
   * Upload to unstable
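Review bot: the changelog entry cites the upstream ticket SSPCPP-1014 and closes #1114506 but carries no CVE identifier; if one has been assigned for this issue, add it to the entry so the security tracker can match the upload, and if none exists yet, say so when requesting the upload. The impact wording reads like advisory text; a changelog line stating plainly that only deployments loading the ODBC plugin (odbc-store) are affected would be clearer for users scanning the entry.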
diff -Nru shibboleth-sp-3.4.1+dfsg/debian/gbp.conf shibboleth-sp-3.4.1+dfsg/debian/gbp.conf
--- shibboleth-sp-3.4.1+dfsg/debian/gbp.conf	2023-01-22 14:20:06.000000000 +0100
+++ shibboleth-sp-3.4.1+dfsg/debian/gbp.conf	2025-09-06 12:37:27.000000000 +0200
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/bookworm
 upstream-branch = upstream/latest
 pristine-tar = True
 
diff -Nru shibboleth-sp-3.4.1+dfsg/debian/patches/series shibboleth-sp-3.4.1+dfsg/debian/patches/series
--- shibboleth-sp-3.4.1+dfsg/debian/patches/series	2023-01-22 14:20:26.000000000 +0100
+++ shibboleth-sp-3.4.1+dfsg/debian/patches/series	2025-09-06 12:37:59.000000000 +0200
@@ -4,3 +4,4 @@
 seckeygen-defaults-for-Debian.patch
 Use-runstatedir-from-future-Autoconf-2.70.patch
 configure.ac-AC_MSG_ERROR-can-t-be-used-as-value-if-not-f.patch
+SSPCPP-1014-Extend-escaping-in-strings.patch
diff -Nru shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch
--- shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch	1970-01-01 01:00:00.000000000 +0100
+++ shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch	2025-09-06 12:37:59.000000000 +0200
@@ -0,0 +1,25 @@
+From: Scott Cantor <cantor.2 at osu.edu>
+Date: Wed, 3 Sep 2025 08:45:54 -0400
+Subject: SSPCPP-1014 - Extend escaping in strings
+
+---
+ odbc-store/odbc-store.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/odbc-store/odbc-store.cpp b/odbc-store/odbc-store.cpp
+index 2316e95..aae8520 100644
+--- a/odbc-store/odbc-store.cpp
++++ b/odbc-store/odbc-store.cpp
+@@ -255,9 +255,10 @@ namespace {
+         string m_copy;
+     public:
+         SQLString(const char* src) : m_src(src) {
+-            if (strchr(src, '\'')) {
++            if (strchr(src, '\\') || strchr(src, '\'')) {
+                 m_copy = src;
+-                replace_all(m_copy, "'", "''");
++                replace_all(m_copy, "\\", "\\\\");
++                replace_all(m_copy, "'", "\\'");
+             }
+         }
+ 
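Review bot: the SQLString change replaces SQL-standard quote doubling (`replace_all(m_copy, "'", "''")`) with backslash escaping (`"\\'"`) and additionally doubles backslashes; whether a backend treats a backslash inside a string literal as an escape character is dialect-dependent, and on a backend that does not, `\'` is a literal backslash followed by a terminating quote, so please record in the patch header which databases this was verified against. The header is also missing the DEP-3 Origin: and Bug: fields (only From/Date/Subject are present); the upstream commit URL and the Debian bug would let the next maintainer trace the fix. Longer term, binding these values as ODBC statement parameters instead of splicing escaped text into the query would remove the need for this escaping logic altogether.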

I'm ready to upload or hand this over to the LTS Team as appropriate.
-- 
Feri.
