Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1105113,
regarding bookworm-pu: package simplesamlphp/1.19.7-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1105113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105113
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package simplesamlphp/1.19.7-1+deb12u2
- From: Tobias Frost <tobi@debian.org>
- Date: Sun, 11 May 2025 16:06:48 +0200
- Message-id: <aCCu-EqCynln-LMw@isildor2.loewenhoehle.ip>
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: simplesamlphp@packages.debian.org, security@debian.org
Control: affects -1 + src:simplesamlphp
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

this s-p-u is to fix CVE-2025-27773, a signature confusion attack, to close the gap after fixing LTS (bullseye) and unstable. (The package will not be in trixie.)

[ Tests ]
Manual test in a VM, setting up simplesamlphp as service provider and identity provider and testing if things are still working. Joost also helped out in testing, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595#20

The patch is identical for unstable and bullseye, as the file which has been patched is identical too on all those versions, so the testing Joost has done is applicable too.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The patch has been backported from the upstream changeset, origin:
https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0

[ Other info ]
This s-p-u has been done in coordination with, and with approval from, the security team.

I will upload the new package to the queue after sending this email.

Cheers
--
tobi

diff -Nru simplesamlphp-1.19.7/debian/changelog simplesamlphp-1.19.7/debian/changelog --- simplesamlphp-1.19.7/debian/changelog 2024-12-01 16:41:33.000000000 +0100 +++ simplesamlphp-1.19.7/debian/changelog 2025-05-11 08:35:04.000000000 +0200
@@ -1,7 +1,14 @@ +simplesamlphp (1.19.7-1+deb12u2) bookworm; urgency=medium + + * Team upload for stable proposed updates. + * Fix CVE-2025-27773 (Closes: #1100595) + + -- Tobias Frost <tobi@debian.org> Sun, 11 May 2025 08:35:04 +0200 + simplesamlphp (1.19.7-1+deb12u1) bookworm-security; urgency=high * Upload to the security archive. - * Fix CVE-2024-52596 + * Fix CVE-2024-52596 (Closes: #1088904) -- Thijs Kinkhorst <thijs@debian.org> Sun, 01 Dec 2024 16:41:33 +0100 diff -Nru simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch --- simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch 1970-01-01 01:00:00.000000000 +0100 +++ simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch 2025-05-11 08:25:15.000000000 +0200 
@@ -0,0 +1,122 @@ +Description: CVE-2025-27773 - signature confusion attack +Origin: https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595 +Bug: https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56 + +--- a/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php ++++ b/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php +@@ -94,7 +94,7 @@ + /** + * Receive a SAML 2 message sent using the HTTP-Redirect binding. + * +- * Throws an exception if it is unable receive the message. ++ * Throws an exception if it is unable to receive the message. + * + * @throws \Exception + * @return \SAML2\Message The received message. +@@ -104,10 +104,36 @@ + public function receive(): Message + { + $data = self::parseQuery(); +- if (array_key_exists('SAMLRequest', $data)) { +- $message = $data['SAMLRequest']; +- } elseif (array_key_exists('SAMLResponse', $data)) { +- $message = $data['SAMLResponse']; ++ $signedQuery = $data['SignedQuery']; ++ ++ /** ++ * Get the SAMLRequest/SAMLResponse from the exact same signed data that will be verified later in ++ * validateSignature into $res using the actual SignedQuery ++ */ ++ $res = []; ++ foreach (explode('&', $signedQuery) as $e) { ++ $tmp = explode('=', $e, 2); ++ $name = $tmp[0]; ++ if (count($tmp) === 2) { ++ $value = $tmp[1]; ++ } else { ++ /* No value for this parameter. 
*/ ++ $value = ''; ++ } ++ $name = urldecode($name); ++ $res[$name] = urldecode($value); ++ } ++ ++ /** ++ * Put the SAMLRequest/SAMLResponse from the actual query string into $message, ++ * and assert that the result from parseQuery() in $data and the parsing of the SignedQuery in $res agree ++ */ ++ if (array_key_exists('SAMLRequest', $res)) { ++ Assert::same($res['SAMLRequest'], $data['SAMLRequest'], 'Parse failure.'); ++ $message = $res['SAMLRequest']; ++ } elseif (array_key_exists('SAMLResponse', $res)) { ++ Assert::same($res['SAMLResponse'], $data['SAMLResponse'], 'Parse failure.'); ++ $message = $res['SAMLResponse']; + } else { + throw new \Exception('Missing SAMLRequest or SAMLResponse parameter.'); + } +@@ -116,7 +142,7 @@ + throw new \Exception('Unknown SAMLEncoding: '.var_export($data['SAMLEncoding'], true)); + } + +- $message = base64_decode($message); ++ $message = base64_decode($message, true); + if ($message === false) { + throw new \Exception('Error while base64 decoding SAML message.'); + } +@@ -141,6 +167,15 @@ + return $message; + } + ++ /** ++ * 3.4.5.2 - SAML Bindings ++ * ++ * If the message is signed, the Destination XML attribute in the root SAML element of the protocol ++ * message MUST contain the URL to which the sender has instructed the user agent to deliver the ++ * message. ++ */ ++ Assert::notNull($message->getDestination()); // Validation of the value must be done upstream ++ + if (!array_key_exists('SigAlg', $data)) { + throw new \Exception('Missing signature algorithm.'); + } +@@ -148,7 +183,7 @@ + $signData = [ + 'Signature' => $data['Signature'], + 'SigAlg' => $data['SigAlg'], +- 'Query' => $data['SignedQuery'], ++ 'Query' => $signedQuery, + ]; + + $message->addValidator([get_class($this), 'validateSignature'], $signData); +@@ -165,6 +200,7 @@ + * signed. + * + * @return array The query data that is signed. 
++ * @throws \Exception + */ + private static function parseQuery() : array + { +@@ -186,7 +222,12 @@ + /* No value for this parameter. */ + $value = ''; + } ++ + $name = urldecode($name); ++ // Prevent keys from being set more than once ++ if (array_key_exists($name, $data)) { ++ throw new \Exception('Duplicate parameter.'); ++ } + $data[$name] = urldecode($value); + + switch ($name) { +@@ -202,6 +243,9 @@ + break; + } + } ++ if (array_key_exists('SAMLRequest', $data) && array_key_exists('SAMLResponse', $data)) { ++ throw new \Exception('Both SAMLRequest and SAMLResponse provided.'); ++ } + + $data['SignedQuery'] = $sigQuery.$relayState.$sigAlg; + diff -Nru simplesamlphp-1.19.7/debian/patches/series simplesamlphp-1.19.7/debian/patches/series --- simplesamlphp-1.19.7/debian/patches/series 2024-12-01 16:41:33.000000000 +0100 +++ simplesamlphp-1.19.7/debian/patches/series 2025-05-11 08:25:15.000000000 +0200 @@ -1,2 +1,3 @@ debian_config.patch CVE-2024-52596.patch +CVE-2025-27773.patchAttachment: signature.asc
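Review bot: the changelog hunk also edits the already-released 1.19.7-1+deb12u1 entry to append "(Closes: #1088904)" to "Fix CVE-2024-52596"; changing a published changelog entry is unusual and the Closes has no effect at this point, so either drop that line change or record in the new deb12u2 entry that the earlier upload fixed #1088904.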
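Review bot: in the receive() hunk (@@ -104,10 +104,36) the new loop over `explode('&', $signedQuery)` re-implements the parsing done in parseQuery() but without the 'Duplicate parameter.' check that parseQuery() gains further down; it only runs after parseQuery() has already accepted the same raw data, so the gap is not reachable, but a single shared helper for both passes would keep the two parsers from drifting apart on the next change. The hunk also introduces `Assert::same(...)` here and `Assert::notNull(...)` below without adding a `use` statement for the Assert class, so please confirm the file already imports it; the submitter notes the patched file is identical in unstable, bullseye and bookworm, so a successful unstable build covers this.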
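Review bot: `base64_decode($message, true)` (@@ -116,7 +142,7) is a behaviour change, not just a hardening: strict mode returns false for any input containing characters outside the base64 alphabet (embedded whitespace, newlines), which the previous non-strict call silently skipped, so senders emitting non-canonical encodings will now hit 'Error while base64 decoding SAML message.' That is the right call for a signed parameter, since non-strict decoding lets several distinct encoded strings decode to the same message, but the new deb12u2 changelog entry only says "Fix CVE-2025-27773"; a one-line mention of the stricter decoding and of the new 'Duplicate parameter.' rejection would help stable users who start seeing these errors from non-conforming peers.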
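Review bot: `Assert::notNull($message->getDestination())` (@@ -141,6 +167,15) only checks that a Destination attribute is present on signed messages, and the accompanying comment defers validation of the value ("must be done upstream"), so the fix is only complete if the SP/IdP code in this package actually compares Destination with the URL the message was received at; that is worth confirming as part of the manual test plan. Style: the surrounding code throws `\Exception` with a descriptive message for every other failure in this method, whereas a failed Assert throws the assertion library's own exception with its default text, so operators reading logs get a less useful error for this one check.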
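Review bot: the duplicate check in parseQuery() (@@ -186,7 +222,12) compares names after `urldecode($name)`, so differently-encoded spellings of the same parameter (e.g. `SAML%52equest` beside `SAMLRequest`) are caught, which is the case that matters here. It rejects a repeat of any parameter, not only the SAML ones, so a redirect URL that happens to carry a repeated unrelated query parameter will now fail with 'Duplicate parameter.'; acceptable for a security fix, but including the offending name in the exception message would make such failures diagnosable from the log.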
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 1086622-done@bugs.debian.org, 1098225-done@bugs.debian.org, 1098229-done@bugs.debian.org, 1098783-done@bugs.debian.org, 1100607-done@bugs.debian.org, 1100960-done@bugs.debian.org, 1101144-done@bugs.debian.org, 1102091-done@bugs.debian.org, 1102675-done@bugs.debian.org, 1102752-done@bugs.debian.org, 1103926-done@bugs.debian.org, 1103927-done@bugs.debian.org, 1104028-done@bugs.debian.org, 1104154-done@bugs.debian.org, 1104821-done@bugs.debian.org, 1104874-done@bugs.debian.org, 1104882-done@bugs.debian.org, 1105009-done@bugs.debian.org, 1105113-done@bugs.debian.org, 1105816-done@bugs.debian.org, 1105888-done@bugs.debian.org, 1105957-done@bugs.debian.org, 1105971-done@bugs.debian.org, 1105996-done@bugs.debian.org, 1106300-done@bugs.debian.org, 1106328-done@bugs.debian.org, 1106348-done@bugs.debian.org, 1106536-done@bugs.debian.org, 1106721-done@bugs.debian.org, 1106756-done@bugs.debian.org, 1106761-done@bugs.debian.org, 1106867-done@bugs.debian.org, 1107069-done@bugs.debian.org, 1107116-done@bugs.debian.org, 1107147-done@bugs.debian.org, 1107217-done@bugs.debian.org, 1107252-done@bugs.debian.org, 1107253-done@bugs.debian.org, 1107568-done@bugs.debian.org, 1107852-done@bugs.debian.org, 1107902-done@bugs.debian.org, 1108122-done@bugs.debian.org, 1108127-done@bugs.debian.org, 1108137-done@bugs.debian.org, 1108185-done@bugs.debian.org, 1108308-done@bugs.debian.org, 1108353-done@bugs.debian.org, 1108504-done@bugs.debian.org, 1108508-done@bugs.debian.org, 1108543-done@bugs.debian.org, 1108548-done@bugs.debian.org, 1108921-done@bugs.debian.org, 1109012-done@bugs.debian.org, 1109034-done@bugs.debian.org, 1109084-done@bugs.debian.org, 1109087-done@bugs.debian.org, 1109095-done@bugs.debian.org, 1109127-done@bugs.debian.org, 1109147-done@bugs.debian.org, 1109207-done@bugs.debian.org, 1109545-done@bugs.debian.org, 1109611-done@bugs.debian.org, 1109763-done@bugs.debian.org, 1109819-done@bugs.debian.org, 1109943-done@bugs.debian.org, 1109945-done@bugs.debian.org, 
1109947-done@bugs.debian.org, 1109995-done@bugs.debian.org, 1110034-done@bugs.debian.org, 1110080-done@bugs.debian.org, 1110114-done@bugs.debian.org, 1110340-done@bugs.debian.org, 1110489-done@bugs.debian.org, 1110643-done@bugs.debian.org, 1110686-done@bugs.debian.org, 1110813-done@bugs.debian.org, 1111034-done@bugs.debian.org, 1111076-done@bugs.debian.org, 1111426-done@bugs.debian.org, 1111486-done@bugs.debian.org, 1111600-done@bugs.debian.org, 1111607-done@bugs.debian.org, 1111653-done@bugs.debian.org, 1111666-done@bugs.debian.org, 1111835-done@bugs.debian.org, 1111859-done@bugs.debian.org, 1111924-done@bugs.debian.org, 1111959-done@bugs.debian.org, 1111966-done@bugs.debian.org, 1111969-done@bugs.debian.org, 1111987-done@bugs.debian.org, 1111989-done@bugs.debian.org, 1112039-done@bugs.debian.org, 1112053-done@bugs.debian.org, 1112070-done@bugs.debian.org, 1112074-done@bugs.debian.org, 1112124-done@bugs.debian.org, 1112129-done@bugs.debian.org, 1112141-done@bugs.debian.org, 1112195-done@bugs.debian.org, 1112239-done@bugs.debian.org, 1112252-done@bugs.debian.org, 1112340-done@bugs.debian.org, 1112347-done@bugs.debian.org, 1112368-done@bugs.debian.org, 1112449-done@bugs.debian.org, 1112459-done@bugs.debian.org, 1112467-done@bugs.debian.org, 1112542-done@bugs.debian.org
- Subject: Closing p-u requests for fixes included in 12.12
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 06 Sep 2025 12:14:50 +0100
- Message-id: <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in today's 12.12 point release for bookworm.

Regards,

Adam
--- End Message ---