Bug#1114506: Proposed debdiff for trixie-security

Sat Sep 6 16:50:06 BST 2025

Hi Ferenc,

On Sat, Sep 06, 2025 at 12:33:17PM +0200, Ferenc Wágner wrote:
> Dear Security Team,
> 
> Please review the following source debdiff (straight cherry pick from
> the upstream 3.5.1 tag):
> 
> $ debdiff shibboleth-sp_3.5.0+dfsg-2.dsc shibboleth-sp_3.5.0+dfsg-2+deb13u1.dsc 
> diff -Nru shibboleth-sp-3.5.0+dfsg/debian/changelog shibboleth-sp-3.5.0+dfsg/debian/changelog
> --- shibboleth-sp-3.5.0+dfsg/debian/changelog	2025-01-12 13:52:44.000000000 +0100
> +++ shibboleth-sp-3.5.0+dfsg/debian/changelog	2025-09-06 11:46:12.000000000 +0200
> @@ -1,3 +1,14 @@
> +shibboleth-sp (3.5.0+dfsg-2+deb13u1) trixie-security; urgency=high
> +
> +  * [627cc27] New patch: SSPCPP-1014 - Extend escaping in strings.
> +    Fix SQL injection vulnerability in Service Provider ODBC plugin:
> +    specially crafted inputs can exfiltrate information stored in the
> +    database used by the SP.  The vulnerability is moderate to high
> +    severity for anyone using the ODBC plugin, and of no impact for others.
> +    Thanks to Scott Cantor (Closes: #1114506)
> +
> + -- Ferenc Wágner <wferi at debian.org>  Sat, 06 Sep 2025 11:46:12 +0200
> +
>  shibboleth-sp (3.5.0+dfsg-2) unstable; urgency=medium
>  
>    * Upload to unstable
> diff -Nru shibboleth-sp-3.5.0+dfsg/debian/gbp.conf shibboleth-sp-3.5.0+dfsg/debian/gbp.conf
> --- shibboleth-sp-3.5.0+dfsg/debian/gbp.conf	2023-01-22 14:20:06.000000000 +0100
> +++ shibboleth-sp-3.5.0+dfsg/debian/gbp.conf	2025-09-06 11:43:32.000000000 +0200
> @@ -1,5 +1,5 @@
>  [DEFAULT]
> -debian-branch = debian/master
> +debian-branch = debian/trixie
>  upstream-branch = upstream/latest
>  pristine-tar = True
>  
> diff -Nru shibboleth-sp-3.5.0+dfsg/debian/patches/series shibboleth-sp-3.5.0+dfsg/debian/patches/series
> --- shibboleth-sp-3.5.0+dfsg/debian/patches/series	2025-01-03 22:53:32.000000000 +0100
> +++ shibboleth-sp-3.5.0+dfsg/debian/patches/series	2025-09-06 11:44:50.000000000 +0200
> @@ -3,3 +3,4 @@
>  Debianize-the-systemd-service-file-of-shibd.patch
>  seckeygen-defaults-for-Debian.patch
>  Use-runstatedir-from-future-Autoconf-2.70.patch
> +SSPCPP-1014-Extend-escaping-in-strings.patch
> diff -Nru shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch
> --- shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch	1970-01-01 01:00:00.000000000 +0100
> +++ shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch	2025-09-06 11:44:50.000000000 +0200
> @@ -0,0 +1,25 @@
> +From: Scott Cantor <cantor.2 at osu.edu>
> +Date: Wed, 3 Sep 2025 08:45:54 -0400
> +Subject: SSPCPP-1014 - Extend escaping in strings
> +
> +---
> + odbc-store/odbc-store.cpp | 5 +++--
> + 1 file changed, 3 insertions(+), 2 deletions(-)
> +
> +diff --git a/odbc-store/odbc-store.cpp b/odbc-store/odbc-store.cpp
> +index 2316e95..aae8520 100644
> +--- a/odbc-store/odbc-store.cpp
> ++++ b/odbc-store/odbc-store.cpp
> +@@ -255,9 +255,10 @@ namespace {
> +         string m_copy;
> +     public:
> +         SQLString(const char* src) : m_src(src) {
> +-            if (strchr(src, '\'')) {
> ++            if (strchr(src, '\\') || strchr(src, '\'')) {
> +                 m_copy = src;
> +-                replace_all(m_copy, "'", "''");
> ++                replace_all(m_copy, "\\", "\\\\");
> ++                replace_all(m_copy, "'", "\\'");
> +             }
> +         }
> + 

Unfortunately the upstream issue is not accessible, but based on above
it looks good. Please upload this to security-master (make sure to
build with -sa).

> Upstream is requesting a CVE ID for this issue, but I don't know it
> yet.

Ok!

> I'm ready to upload on your word.  Do you still handle bookworm security
> uploads, or is that LTS territory now?

yes bookworm is still regularly supported, will have a look at your
second diff as well.

Regards,
Salvatore