Bug#1114979: Update
Hi,
upstream improved its security patch; here is the new debdiff.
Note that this patch set is exactly the upstream release 2.21.4, so if you
prefer I can replace it with a "2.21.4~deb13u1" upload instead.
Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 211a03423..3ba2005bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lemonldap-ng (2.21.2+ds-1+deb13u1) trixie; urgency=medium
+
+ * Fix shell injection from admin interface (Closes: CVE-2025-59518)
+ * Don't expose session-id into Ajax responses
+ * Fix Google authentication
+
+ -- Yadd <yadd@debian.org> Fri, 17 Oct 2025 11:20:01 +0200
+
lemonldap-ng (2.21.2+ds-1) unstable; urgency=medium
* Update debian upstream keys
diff --git a/debian/patches/CVE-2025-59518.patch b/debian/patches/CVE-2025-59518.patch
new file mode 100644
index 000000000..96867d7d5
--- /dev/null
+++ b/debian/patches/CVE-2025-59518.patch
@@ -0,0 +1,74 @@
+Description: fix shell injection from admin interface (notifications
+Author: Maxime Besson <maxime.besson@worteks.com>
+Origin: upstream, commit:228d0194, commit:8b5ce4de
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3462
+Forwarded: not-needed
+Applied-Upstream: 2.21.3, commit:228d0194
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2025-10-17
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Combination/Parser.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Combination/Parser.pm
+@@ -208,7 +208,7 @@
+ sub buildSub {
+ my ( $self, $cond ) = @_;
+ my $safe = Safe->new;
+- my $res = $safe->reval("sub{my(\$env)=\@_;return ($cond)}");
++ my $res = $safe->reval("sub{my(\$env)=\@_;local *_;return ($cond)}");
+ die "Bad condition $cond: $@" if ($@);
+ return $res;
+ }
+--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
++++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
+@@ -673,7 +673,7 @@
+ sub buildSub {
+ my ( $class, $val ) = @_;
+ my $res =
+- $class->tsv->{jail}->jail_reval("sub{my (\$r,\$s)=\@_;return($val)}");
++ $class->tsv->{jail}->jail_reval("sub{my (\$r,\$s)=\@_; local *_;return($val)}");
+ unless ($res) {
+ $class->logger->error( $class->tsv->{jail}->error );
+ }
+--- a/lemonldap-ng-handler/t/14-Lemonldap-NG-Handler-Rule-Building.t
++++ b/lemonldap-ng-handler/t/14-Lemonldap-NG-Handler-Rule-Building.t
+@@ -154,6 +154,18 @@
+ "0", "inDomain works for notexample.com" );
+ is( $r->( { env => { HTTP_HOST => "exampleacom" } }, {} ),
+ "0", "inDomain works for exampleacom" );
++
++ # Complex expressions
++ $r = compileRule('join(":",grep {$_ eq "a"} split(":", $list))');
++ is( ref($r), "CODE", "Returned code ref" );
++ is(
++ $r->(
++ { env => { HTTP_HOST => "AUTH.EXAMPLE.COM" } },
++ { list => "a:b:c:a:d:a" }
++ ),
++ "a:a:a"
++ );
++
+ }
+
+ sub runUnsafeTests {
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
++++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+@@ -23,7 +23,7 @@
+ );
+ $cpt->share_from( 'Lemonldap::NG::Common::Safelib',
+ $Lemonldap::NG::Common::Safelib::functions );
+- $cpt->reval($val);
++ $cpt->reval("local *_;$val");
+ my $err = join( '',
+ grep { $_ =~ /(?:Undefined subroutine|Devel::StackTrace)/ ? () : $_ }
+ split( /\n/, $@ ) );
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AutoSignin.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AutoSignin.pm
+@@ -29,7 +29,7 @@
+ my $safe = Safe->new;
+ foreach my $id ( sort keys %$rules ) {
+ my $sub =
+- $safe->reval( 'sub{my($env)=@_;return (' . $rules->{$id} . ')}' );
++ $safe->reval( 'sub{my($env)=@_;local *_;return (' . $rules->{$id} . ')}' );
+ if ($@) {
+ $self->logger->error(
+ 'Bad Autologin rule "' . $rules->{$id} . ": $@" );
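Review bot: None of the four `local *_;` insertions (L45, L56, L88, L99) says why it is there, and the placement is load-bearing: `local *_` localizes every slot of the glob, `@_` included, so moving it ahead of the `my (...) = @_;` unpacking in Parser.pm, Reload.pm or AutoSignin.pm would silently break every compiled rule. I would add a one-line comment at each site, e.g. `# localize the *_ glob (shared into the Safe compartment) so rule code cannot redefine $_/&_ outside this sub; keep it after the @_ unpacking, since local *_ also empties @_`. The added test in 14-Lemonldap-NG-Handler-Rule-Building.t only shows `$_` still works inside `grep`; a case in the existing `runUnsafeTests` sub asserting that a rule which assigns to `*_` leaves the caller's `_` glob unchanged would pin the security property the CVE fix is meant to provide. The DEP-3 `Description:` line (L29) also ends with an unclosed parenthesis, `(notifications`. The patched subs in Parser.pm and Reload.pm are complete in the hunk; the AutoSignin loop continues past it.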
diff --git a/debian/patches/dont-expose-session-id-in-ajax-responses.patch b/debian/patches/dont-expose-session-id-in-ajax-responses.patch
new file mode 100644
index 000000000..57d0aab8d
--- /dev/null
+++ b/debian/patches/dont-expose-session-id-in-ajax-responses.patch
@@ -0,0 +1,37 @@
+Description: don't expose session id into Ajax responses
+Author: Yadd <yadd@debian.org>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/778
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3446
+Forwarded: not-needed
+Applied-Upstream: 2.21.3, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3446
+Last-Update: 2025-09-12
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+@@ -679,6 +679,7 @@
+ ? $req->{sessionInfo}
+ : $req->{userData}
+ );
++ $req->data->{newAuth} = 1;
+ $self->auditLog(
+ $req,
+ message => (
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+@@ -195,7 +195,6 @@
+
+ sub authenticatedRequest {
+ my ( $self, $req ) = @_;
+- $req->data->{alreadyAuthenticated} = 1;
+ return $self->do(
+ $req,
+ [
+@@ -400,7 +399,7 @@
+ }
+ else {
+ my $res = { result => 1, error => $err };
+- unless ( $req->data->{alreadyAuthenticated} ) {
++ if ( $req->data->{newAuth} ) {
+ $res->{id} = $req->id;
+ $res->{id_http} = $req->sessionInfo->{_httpSession}
+ if $req->sessionInfo->{_httpSession};
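Review bot: Removing the `$req->data->{alreadyAuthenticated} = 1;` assignment from `authenticatedRequest` (L133) drops a flag that other code in Run.pm or the plugins may still read; unless the tree was grepped for `data->{alreadyAuthenticated}`, such a reader would now see undef and take the "not authenticated" branch. The inverted gate itself is the right shape, since the session id is now included only when `newAuth` was explicitly set, so any path that forgets the flag fails closed rather than leaking `id`/`id_http`. The new `$req->data->{newAuth} = 1;` in Process.pm (L123) is opaque on its own; I would annotate it, e.g. `# a session was just created in this request: Run.pm only returns the session id in the JSON reply when this flag is set`. The enclosing subs in Process.pm and the second Run.pm hunk start outside the hunk, and `authenticatedRequest` runs past it.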
diff --git a/debian/patches/fix-google-auth.patch b/debian/patches/fix-google-auth.patch
new file mode 100644
index 000000000..9781d3ba4
--- /dev/null
+++ b/debian/patches/fix-google-auth.patch
@@ -0,0 +1,45 @@
+Description: fix Google OIDC authentication
+Author: Maxime Besson <maxime.besson@worteks.com
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/777
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3445
+Forwarded: not-needed
+Applied-Upstream: 2.21.3, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/777
+Reviewed-By: <name and email of someone who approved/reviewed the patch>
+Last-Update: 2025-09-12
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+@@ -2751,6 +2751,10 @@
+ sub exportRequestParameters {
+ my ( $self, $req ) = @_;
+
++ unless ( $self->ssoMatch($req) ) {
++ return PE_OK;
++ }
++
+ if ( my $p = $req->param('prompt') ) {
+ if ( $p eq 'none' ) {
+ return $self->_unauthPromptNone($req);
+--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
++++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
+@@ -466,6 +466,9 @@
+ openidconnectcallback => 1,
+ error => "canceled",
+ state => $state,
++
++ # 3445, make sure unwanted parameters don't confuse LLNG
++ prompt => "none",
+ },
+ accept => 'text/html',
+ ),
+@@ -551,6 +554,10 @@
+ return LLNG::Manager::Test->new( {
+ ini => {
+ logLevel => $debug,
++
++ # needed to to test #3445
++ issuerDBOpenIDConnectActivation => "1",
++
+ domain => 'rp.com',
+ portal => 'http://auth.rp.com/',
+ authentication => 'OpenIDConnect',
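Review bot: The DEP-3 header still carries the unfilled template line `Reviewed-By: <name and email of someone who approved/reviewed the patch>` (L158), and the `Author:` address on L153 is missing its closing `>`; fill in or drop `Reviewed-By` and close the address so the metadata is parseable. The guard added to `exportRequestParameters` returns PE_OK before the `prompt` handling whenever `ssoMatch` fails, which matches the test's intent (an RP callback that happens to carry `prompt=none` must not be treated as an issuer authorization request); a short comment would make that explicit, e.g. `# not an authorization request for this issuer (e.g. a callback from an upstream OP): ignore OIDC request parameters`. The test comment on L191 reads "needed to to test". `exportRequestParameters` continues past the hunk.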
diff --git a/debian/patches/series b/debian/patches/series
index 8bfa6370a..443671b56 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,6 @@ javascript-path.patch
Avoid-developer-tests.patch
replace-api-doc-by-link.diff
fix-makefile.patch
+CVE-2025-59518.patch
+dont-expose-session-id-in-ajax-responses.patch
+fix-google-auth.patch