Bug#1114506: Proposed debdiff for bookworm-security
Salvatore Bonaccorso
carnil at debian.org
Sat Sep 6 16:51:07 BST 2025
Hi Ferenc,
On Sat, Sep 06, 2025 at 12:58:32PM +0200, Ferenc Wágner wrote:
> On Sat, 06 Sep 2025 12:33:17 +0200 Ferenc Wágner <wferi at debian.org> wrote:
>
> > Do you still handle bookworm security uploads, or is that LTS
> > territory now?
>
> Anyway, the analogous debdiff for bookworm is:
>
> $ debdiff shibboleth-sp_3.4.1+dfsg-2.dsc shibboleth-sp_3.4.1+dfsg-2+deb12u1.dsc
> diff -Nru shibboleth-sp-3.4.1+dfsg/debian/changelog shibboleth-sp-3.4.1+dfsg/debian/changelog
> --- shibboleth-sp-3.4.1+dfsg/debian/changelog 2023-01-30 08:04:53.000000000 +0100
> +++ shibboleth-sp-3.4.1+dfsg/debian/changelog 2025-09-06 12:38:25.000000000 +0200
> @@ -1,3 +1,14 @@
> +shibboleth-sp (3.4.1+dfsg-2+deb12u1) bookworm-security; urgency=high
> +
> + * [80ae771] New patch: SSPCPP-1014 - Extend escaping in strings.
> + Fix SQL injection vulnerability in Service Provider ODBC plugin:
> + specially crafted inputs can exfiltrate information stored in the
> + database used by the SP. The vulnerability is moderate to high
> + severity for anyone using the ODBC plugin, and of no impact for others.
> + Thanks to Scott Cantor (Closes: #1114506)
> +
> + -- Ferenc Wágner <wferi at debian.org> Sat, 06 Sep 2025 12:38:25 +0200
> +
> shibboleth-sp (3.4.1+dfsg-2) unstable; urgency=medium
>
> * Upload to unstable
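Review bot: the new changelog entry (the `* [80ae771] New patch: SSPCPP-1014` block) identifies the issue only by the upstream tracker ID and the Debian bug `Closes: #1114506`; if a CVE identifier has been assigned for this issue, add it to the entry so the security tracker and the advisory can be cross-referenced from the package history.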
> diff -Nru shibboleth-sp-3.4.1+dfsg/debian/gbp.conf shibboleth-sp-3.4.1+dfsg/debian/gbp.conf
> --- shibboleth-sp-3.4.1+dfsg/debian/gbp.conf 2023-01-22 14:20:06.000000000 +0100
> +++ shibboleth-sp-3.4.1+dfsg/debian/gbp.conf 2025-09-06 12:37:27.000000000 +0200
> @@ -1,5 +1,5 @@
> [DEFAULT]
> -debian-branch = debian/master
> +debian-branch = debian/bookworm
> upstream-branch = upstream/latest
> pristine-tar = True
>
> diff -Nru shibboleth-sp-3.4.1+dfsg/debian/patches/series shibboleth-sp-3.4.1+dfsg/debian/patches/series
> --- shibboleth-sp-3.4.1+dfsg/debian/patches/series 2023-01-22 14:20:26.000000000 +0100
> +++ shibboleth-sp-3.4.1+dfsg/debian/patches/series 2025-09-06 12:37:59.000000000 +0200
> @@ -4,3 +4,4 @@
> seckeygen-defaults-for-Debian.patch
> Use-runstatedir-from-future-Autoconf-2.70.patch
> configure.ac-AC_MSG_ERROR-can-t-be-used-as-value-if-not-f.patch
> +SSPCPP-1014-Extend-escaping-in-strings.patch
> diff -Nru shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch
> --- shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch 1970-01-01 01:00:00.000000000 +0100
> +++ shibboleth-sp-3.4.1+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch 2025-09-06 12:37:59.000000000 +0200
> @@ -0,0 +1,25 @@
> +From: Scott Cantor <cantor.2 at osu.edu>
> +Date: Wed, 3 Sep 2025 08:45:54 -0400
> +Subject: SSPCPP-1014 - Extend escaping in strings
> +
> +---
> + odbc-store/odbc-store.cpp | 5 +++--
> + 1 file changed, 3 insertions(+), 2 deletions(-)
> +
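Review bot: the patch header (`From:`, `Date:`, `Subject:`, then the bare `---`) carries no description body and no DEP-3 `Origin:` or `Bug:` fields; add `Origin: upstream, <upstream commit URL>` and `Bug-Debian: https://bugs.debian.org/1114506` so the provenance of a security fix is recorded in the patch file itself rather than only in the changelog.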
> +diff --git a/odbc-store/odbc-store.cpp b/odbc-store/odbc-store.cpp
> +index 2316e95..aae8520 100644
> +--- a/odbc-store/odbc-store.cpp
> ++++ b/odbc-store/odbc-store.cpp
> +@@ -255,9 +255,10 @@ namespace {
> + string m_copy;
> + public:
> + SQLString(const char* src) : m_src(src) {
> +- if (strchr(src, '\'')) {
> ++ if (strchr(src, '\\') || strchr(src, '\'')) {
> + m_copy = src;
> +- replace_all(m_copy, "'", "''");
> ++ replace_all(m_copy, "\\", "\\\\");
> ++ replace_all(m_copy, "'", "\\'");
> + }
> + }
> +
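Review bot: the quote handling in this hunk, `replace_all(m_copy, "'", "\\'");` replacing `replace_all(m_copy, "'", "''");`, drops the SQL-standard `''` doubling in favour of a backslash-escaped quote, which only backends that apply MySQL-style backslash escapes inside string literals understand; a backend that reads standard-conforming literals treats the backslash as an ordinary character, so a `'` in the input becomes `\'`, a literal backslash followed by the quote that closes the string, and the injection is not closed on those backends. Keep the `''` doubling and add the backslash doubling beside it (both dialects then read the result as a single literal), or, better, bind the values with SQLBindParameter instead of splicing them into the statement text.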
>
> I'm ready to upload or hand this over to the LTS Team as appropriate.
Looks good as well. Please upload this one to security-master too (here also built with -sa).
Regards,
Salvatore
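To show why the choice of escaping in the patch above depends on how the database parses string literals, here is an added example (my own code, not from the Shibboleth project or from either message in this thread). It reimplements the pre-patch quote doubling and the patched backslash escaping from the hunk, adds a hypothetical combined variant that doubles both characters, and checks each against a small scanner that reads a quoted literal either as standard SQL (where `''` is the only escape) or MySQL-style (where a backslash also escapes the next character). The `replace_all` stand-in, the scanner, and the attacker payloads are constructed for this example.

```cpp
// Added example: compare three string-escaping strategies for a value spliced
// into a single-quoted SQL literal, under two literal-parsing dialects.
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Stand-in for the boost::replace_all call in the plugin (assumption: same
// left-to-right, non-overlapping, in-place semantics).
static void replace_all(std::string& s, const std::string& from, const std::string& to) {
    for (std::string::size_type pos = 0;
         (pos = s.find(from, pos)) != std::string::npos;
         pos += to.size()) {
        s.replace(pos, from.size(), to);
    }
}

// Pre-patch SQLString behaviour: only the single quote is doubled.
std::string escape_quote_doubling(const char* src) {
    std::string copy(src);
    if (std::strchr(src, '\'')) {
        replace_all(copy, "'", "''");
    }
    return copy;
}

// SSPCPP-1014 patch behaviour: backslash doubled, quote backslash-escaped.
std::string escape_backslash(const char* src) {
    std::string copy(src);
    if (std::strchr(src, '\\') || std::strchr(src, '\'')) {
        replace_all(copy, "\\", "\\\\");
        replace_all(copy, "'", "\\'");
    }
    return copy;
}

// Hypothetical combined variant (not in the patch): backslash doubled and
// quote doubled, so both dialects below read the literal as intended.
std::string escape_both(const char* src) {
    std::string copy(src);
    replace_all(copy, "\\", "\\\\");
    replace_all(copy, "'", "''");
    return copy;
}

// Index of the quote closing the literal that opens at stmt[0]. Standard SQL:
// '' is the only escape. MySQL-style: a backslash also escapes the next char.
// Returns npos if the literal never terminates.
std::size_t literal_end(const std::string& stmt, bool backslash_escapes) {
    const std::size_t n = stmt.size();
    std::size_t i = 1;
    while (i < n) {
        const char c = stmt[i];
        if (backslash_escapes && c == '\\') { i += 2; continue; }
        if (c == '\'') {
            if (i + 1 < n && stmt[i + 1] == '\'') { i += 2; continue; }
            return i;
        }
        ++i;
    }
    return std::string::npos;
}

// True when "'" + escaped + "'" is read as exactly one literal, i.e. the
// closing quote the parser finds is the final character. False means the
// attacker's text ends the literal early (or leaves it open).
bool contained(const std::string& escaped, bool backslash_escapes) {
    const std::string stmt = "'" + escaped + "'";
    return literal_end(stmt, backslash_escapes) == stmt.size() - 1;
}

int main() {
    // Constructed attacker inputs: a bare quote and a backslash-prefixed quote.
    const char* payloads[] = {"' OR 1=1 --", "\\' OR 1=1 --"};
    struct { const char* name; std::string (*fn)(const char*); } schemes[] = {
        {"quote doubling (pre-patch)", escape_quote_doubling},
        {"backslash escaping (patch)", escape_backslash},
        {"double both (variant)", escape_both},
    };
    for (const auto& s : schemes) {
        for (const char* p : payloads) {
            const std::string e = s.fn(p);
            std::cout << s.name << " | input [" << p << "] -> [" << e << "]"
                      << " | standard: " << (contained(e, false) ? "contained" : "escapes literal")
                      << " | mysql-style: " << (contained(e, true) ? "contained" : "escapes literal")
                      << '\n';
        }
    }
    return 0;
}
```

Compile with any C++11 compiler and run: the table shows the quote-doubling form breaking out of the literal under MySQL-style parsing for the backslash-prefixed payload (the case the patch addresses), the backslash form breaking out under standard parsing for a plain quote, and the combined variant staying contained under both. Escaping remains a fallback; bound parameters avoid the dialect question entirely.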