Version in base suite: 2.8.1-1 Base version: lasso_2.8.1-1 Target version: lasso_2.8.1-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lasso/lasso_2.8.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lasso/lasso_2.8.1-1+deb12u1.dsc changelog | 12 + patches/misc-check-xmlSecGetNodeNsHref-for-possible-NULL-res.patch | 28 +++ patches/series | 4 patches/tests-test-that-inserted-comment-do-not-change-node-.patch | 75 ++++++++++ patches/xml-do-not-terminate-on-an-unknown-XML-node-type-105.patch | 27 +++ patches/xml-prevent-assignment-of-attribute-value-inside-any.patch | 53 +++++++ 6 files changed, 199 insertions(+)
diff -Nru lasso-2.8.1/debian/changelog lasso-2.8.1/debian/changelog
--- lasso-2.8.1/debian/changelog 2023-03-01 07:36:25.000000000 +0000
+++ lasso-2.8.1/debian/changelog 2025-11-07 20:51:12.000000000 +0000
@@ -1,3 +1,15 @@
+lasso (2.8.1-1+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * tests: test that inserted comment do not change node value and still
+ validate signature
+ * xml: prevent assignment of attribute value inside any attribute
+ (CVE-2025-47151)
+ * misc: check xmlSecGetNodeNsHref for possible NULL result (CVE-2025-46404)
+ * xml: do not terminate on an unknown XML node type (CVE-2025-46705)
+
+ -- Salvatore Bonaccorso Fri, 07 Nov 2025 21:51:12 +0100
+
 lasso (2.8.1-1) unstable; urgency=medium * New upstream bugfix release.
diff -Nru lasso-2.8.1/debian/patches/misc-check-xmlSecGetNodeNsHref-for-possible-NULL-res.patch lasso-2.8.1/debian/patches/misc-check-xmlSecGetNodeNsHref-for-possible-NULL-res.patch
--- lasso-2.8.1/debian/patches/misc-check-xmlSecGetNodeNsHref-for-possible-NULL-res.patch 1970-01-01 00:00:00.000000000 +0000
+++ lasso-2.8.1/debian/patches/misc-check-xmlSecGetNodeNsHref-for-possible-NULL-res.patch 2025-11-07 20:50:32.000000000 +0000
@@ -0,0 +1,28 @@
+From: Benjamin Dauvergne
+Date: Thu, 15 May 2025 15:51:08 +0200
+Subject: misc: check xmlSecGetNodeNsHref for possible NULL result (#105693)
+Origin: https://git.entrouvert.org/lasso.git/commit/?id=c880cad13732bcb50cbd9fa376ea39edb53e7d68
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-46404
+
+---
+ lasso/id-ff/provider.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
+index 1dcd1b02b48c..e3c9dce52421 100644
+--- a/lasso/id-ff/provider.c
++++ b/lasso/id-ff/provider.c
+@@ -1364,8 +1364,8 @@ lasso_provider_verify_saml_signature(LassoProvider *provider,
+
+ /* ID-FF 1.2 Signatures case */
+ node_ns = xmlSecGetNodeNsHref(signed_node);
+- if ((strcmp((char*)node_ns, LASSO_SAML2_PROTOCOL_HREF) == 0) ||
+- (strcmp((char*)node_ns, LASSO_SAML2_ASSERTION_HREF) == 0)) {
++ if (node_ns && ((strcmp((char*)node_ns, LASSO_SAML2_PROTOCOL_HREF) == 0) ||
++ (strcmp((char*)node_ns, LASSO_SAML2_ASSERTION_HREF) == 0))) {
+ id_attribute_name = "ID";
+ } else if (xmlSecCheckNodeName(signed_node, (xmlChar*)"Request", (xmlChar*)LASSO_SAML_PROTOCOL_HREF)) {
+ id_attribute_name = "RequestID";
+--
+2.51.0
+
diff -Nru lasso-2.8.1/debian/patches/series lasso-2.8.1/debian/patches/series
--- lasso-2.8.1/debian/patches/series 2023-03-01 07:36:13.000000000 +0000
+++ lasso-2.8.1/debian/patches/series 2025-11-07 20:50:47.000000000 +0000
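Review bot: The new `node_ns &&` guard in `lasso_provider_verify_saml_signature` carries no comment explaining why `node_ns` can be NULL, although per the patch header this is the line that closes CVE-2025-46404. I would add above the `if`: `/* xmlSecGetNodeNsHref() returns NULL for a node without a namespace; signed_node comes from the received message, so check before strcmp(). */`. With the guard, a namespace-less node now falls through to the `xmlSecCheckNodeName()` branches; the end of that `else if` chain is outside this hunk, so confirm that a node matching none of them fails verification rather than continuing with an unset `id_attribute_name`.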
@@ -0,0 +1,4 @@
+tests-test-that-inserted-comment-do-not-change-node-.patch
+xml-prevent-assignment-of-attribute-value-inside-any.patch
+misc-check-xmlSecGetNodeNsHref-for-possible-NULL-res.patch
+xml-do-not-terminate-on-an-unknown-XML-node-type-105.patch
diff -Nru lasso-2.8.1/debian/patches/tests-test-that-inserted-comment-do-not-change-node-.patch lasso-2.8.1/debian/patches/tests-test-that-inserted-comment-do-not-change-node-.patch
--- lasso-2.8.1/debian/patches/tests-test-that-inserted-comment-do-not-change-node-.patch 1970-01-01 00:00:00.000000000 +0000
+++ lasso-2.8.1/debian/patches/tests-test-that-inserted-comment-do-not-change-node-.patch 2025-11-07 20:49:48.000000000 +0000
@@ -0,0 +1,75 @@
+From: Benjamin Dauvergne
+Date: Thu, 15 May 2025 15:39:42 +0200
+Subject: tests: test that inserted comment do not change node value and still
+ validate signature (#105693)
+Origin: https://git.entrouvert.org/lasso.git/commit/?id=b140660709c341bb44f9b7ebbd8253cde9169e8b
+
+---
+ bindings/python/tests/profiles_tests.py | 23 +++++++++++++++++++++++
+ lasso/xml/xml.c | 2 +-
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
+index 8679d6633a22..9f6949077167 100755
+--- a/bindings/python/tests/profiles_tests.py
++++ b/bindings/python/tests/profiles_tests.py
+@@ -24,6 +24,7 @@
+ # along with this program; if not, see .
+
+
++import base64
+ import os
+ import unittest
+ import sys
+@@ -362,6 +363,28 @@ class LoginTestCase(unittest.TestCase):
+ assert 'xmlenc#rsa-1_5' not in run(key_encryption_method=lasso.KEY_ENCRYPTION_METHOD_OAEP)
+ assert 'xmlenc#rsa-oaep-mgf1p' in run(key_encryption_method=lasso.KEY_ENCRYPTION_METHOD_OAEP)
+
++ def test_09(self):
++ '''Login test between SP and IdP with encrypted private keys'''
++ sp_server = server('sp7-saml2', lasso.PROVIDER_ROLE_IDP, 'idp7-saml2')
++ idp_server = server('idp7-saml2', lasso.PROVIDER_ROLE_SP, 'sp7-saml2')
++
++ sp_login = lasso.Login(sp_server)
++ sp_login.initAuthnRequest()
++ sp_login.request.protocolBinding = lasso.SAML2_METADATA_BINDING_POST
++ sp_login.buildAuthnRequestMsg()
++ idp_login = lasso.Login(idp_server)
++ idp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE)
++ idp_login.processAuthnRequestMsg(sp_login.msgUrl.split('?')[1])
++ idp_login.validateRequestMsg(True, True)
++ idp_login.buildAssertion("None", "None", "None", "None", "None")
++ idp_login.buildAuthnResponseMsg()
++ sp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE)
++ # insert comment inside NameID
++ msg =
base64.b64encode(base64.b64decode(idp_login.msgBody).decode().replace(idp_login.assertion.subject.nameId.content, idp_login.assertion.subject.nameId.content[:10] + '' + idp_login.assertion.subject.nameId.content[10:]).encode())
++ sp_login.processAuthnResponseMsg(msg.decode())
++ sp_login.acceptSso()
++ assert sp_login.assertion.subject.nameId.content == idp_login.assertion.subject.nameId.content
++
+
+ class LogoutTestCase(unittest.TestCase):
+ def test01(self):
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index adf0ba99dd45..b713b523fe23 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -1710,7 +1710,6 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ ERROR;
+ }
+ #undef ADVANCE
+-#undef ERROR
+
+ if (matched_snippet->offset || (matched_snippet->type & SNIPPET_PRIVATE)) {
+ switch (matched_snippet->type & 0xff) {
+@@ -1772,6 +1771,7 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ g_assert_not_reached();
+ }
+ }
++#undef ERROR
+ if (t) { /* t is an ELEMENT that dont match any snippet, when taken in order */
+ if (snippet_any && is_snippet_type(snippet_any, SNIPPET_LIST_XMLNODES)) {
+ value = SNIPPET_STRUCT_MEMBER_P(node, g_type_any, snippet_any);
+--
+2.51.0
+
diff -Nru lasso-2.8.1/debian/patches/xml-do-not-terminate-on-an-unknown-XML-node-type-105.patch lasso-2.8.1/debian/patches/xml-do-not-terminate-on-an-unknown-XML-node-type-105.patch
--- lasso-2.8.1/debian/patches/xml-do-not-terminate-on-an-unknown-XML-node-type-105.patch 1970-01-01 00:00:00.000000000 +0000
+++ lasso-2.8.1/debian/patches/xml-do-not-terminate-on-an-unknown-XML-node-type-105.patch 2025-11-07 20:50:47.000000000 +0000
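Review bot: The docstring of `test_09` ('Login test between SP and IdP with encrypted private keys') does not describe what the test checks and looks copied from another case. Something like `'''A comment inserted inside NameID must not change the parsed value, and the signature must still validate'''` would tell the next reader that this is a regression test for comment handling in signed assertions. As rendered on this page the string spliced into the NameID is `''`, which would make the `replace()` a no-op; presumably a comment literal was lost in extraction, so compare with the upstream commit before relying on the test. The `#undef ERROR` move in `lasso/xml/xml.c` only extends the macro's scope, and the function body continues outside both of its hunks.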
@@ -0,0 +1,27 @@
+From: Benjamin Dauvergne
+Date: Thu, 15 May 2025 16:02:25 +0200
+Subject: xml: do not terminate on an unknown XML node type (#105693)
+Origin: https://git.entrouvert.org/lasso.git/commit/?id=37836a9cf14234ce720edb5c43f6ed0491f72cf6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-46705
+
+---
+ lasso/xml/xml.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index ca8d72fa7b21..10732f3b89c2 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -1771,7 +1771,8 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ lasso_node_set_original_xmlnode(subnode, t);
+ }
+ } else {
+- g_assert_not_reached();
++ /* Anything else should not be there, abort. */
++ ERROR;
+ }
+ }
+ #undef ERROR
+--
+2.51.0
+
diff -Nru lasso-2.8.1/debian/patches/xml-prevent-assignment-of-attribute-value-inside-any.patch lasso-2.8.1/debian/patches/xml-prevent-assignment-of-attribute-value-inside-any.patch
--- lasso-2.8.1/debian/patches/xml-prevent-assignment-of-attribute-value-inside-any.patch 1970-01-01 00:00:00.000000000 +0000
+++ lasso-2.8.1/debian/patches/xml-prevent-assignment-of-attribute-value-inside-any.patch 2025-11-07 20:50:14.000000000 +0000
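Review bot: The added comment `/* Anything else should not be there, abort. */` reads as if the process still aborts, which is the opposite of what replacing `g_assert_not_reached()` with `ERROR;` is meant to achieve. I would word it `/* Unexpected node type in received XML: fail the parse instead of asserting. */`. The definition of `ERROR` is not in this hunk (presumably it jumps to the function's error exit; confirm), and `lasso_node_impl_init_from_xml` starts and ends outside it. The `switch (matched_snippet->type & 0xff)` shown in the earlier xml.c patch is also not visible here, so check whether any assertion left in it can be reached from a received message.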
@@ -0,0 +1,53 @@
+From: Benjamin Dauvergne
+Date: Thu, 15 May 2025 15:44:58 +0200
+Subject: xml: prevent assignment of attribute value inside any attribute
+Origin: https://git.entrouvert.org/lasso.git/commit/?id=8d12e6263fd6add923469bd5704e05a1ccfa8c69
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-47151
+
+---
+ lasso/xml/misc_text_node.c | 2 +-
+ lasso/xml/saml-2.0/saml2_attribute_value.c | 2 +-
+ lasso/xml/xml.c | 3 +++
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/lasso/xml/misc_text_node.c
++++ b/lasso/xml/misc_text_node.c
+@@ -41,7 +41,7 @@ typedef struct {
+ static struct XmlSnippet schema_snippets[] = {
+ { "content", SNIPPET_TEXT_CHILD,
+ G_STRUCT_OFFSET(LassoMiscTextNode, content), NULL, NULL, NULL},
+- { "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++ { "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ G_STRUCT_OFFSET(LassoMiscTextNodePrivate, any_attributes), NULL, NULL, NULL},
+ {NULL, 0, 0, NULL, NULL, NULL}
+ };
+--- a/lasso/xml/saml-2.0/saml2_attribute_value.c
++++ b/lasso/xml/saml-2.0/saml2_attribute_value.c
+@@ -53,7 +53,7 @@ struct _LassoSaml2AttributeValuePrivate
+ static struct XmlSnippet schema_snippets[] = {
+ { "any", SNIPPET_LIST_NODES | SNIPPET_ANY | SNIPPET_ALLOW_TEXT,
+ G_STRUCT_OFFSET(LassoSaml2AttributeValue, any), NULL, NULL, NULL},
+- { "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++ { "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ G_STRUCT_OFFSET(struct _LassoSaml2AttributeValuePrivate, any_attributes), NULL,
+ NULL, NULL },
+ {NULL, 0, 0, NULL, NULL, NULL}
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -1569,6 +1569,7 @@ lasso_node_impl_init_from_xml(LassoNode
+ type = snippet->type & 0xff;
+ /* assign attribute content if attribute has the same name as the
+ * snippet and:
++ * - the snippet is not the any attribute snippet,
+ * - the snippet and the attribute have no namespace
+ * - the snippet has no namespace but the
attribute has the same
+ * namespace as the node
+@@ -1576,6 +1577,8 @@ lasso_node_impl_init_from_xml(LassoNode
+ */
+ if (type != SNIPPET_ATTRIBUTE)
+ continue;
++ if (snippet->type & SNIPPET_ANY)
++ continue;
+ if (! lasso_strisequal((char*)attr->name, (char*)snippet->name))
+ continue;
+ if (attr->ns) {
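Review bot: The snippet name changes from `"any_attributes"` to `""` in `misc_text_node.c` and `saml2_attribute_value.c` carry no comment, so a later cleanup could restore a descriptive name without realising that the name takes part in attribute matching. A short comment on each entry would help, e.g. `/* empty name on purpose: the any-attribute snippet must never match a real XML attribute by name */`. The guard `if (snippet->type & SNIPPET_ANY) continue;` in `xml.c` should already cover any other `SNIPPET_ATTRIBUTE | SNIPPET_ANY` table not touched by this patch, which makes the rename defence in depth; the surrounding loop in `lasso_node_impl_init_from_xml` is outside both hunks, so that is worth confirming. No test in this upload appears to cover CVE-2025-47151; a case that parses a node carrying an attribute literally named `any_attributes` and asserts that the private field is left untouched would pin the fix.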