Version in base suite: 1.19.7-1

Base version: simplesamlphp_1.19.7-1
Target version: simplesamlphp_1.19.7-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/simplesamlphp/simplesamlphp_1.19.7-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/simplesamlphp/simplesamlphp_1.19.7-1+deb12u1.dsc

 changelog                    |    7 +++++++
 patches/CVE-2024-52596.patch |   31 +++++++++++++++++++++++++++++++
 patches/series               |    1 +
 3 files changed, 39 insertions(+)

diff -Nru simplesamlphp-1.19.7/debian/changelog simplesamlphp-1.19.7/debian/changelog
--- simplesamlphp-1.19.7/debian/changelog	2023-01-04 13:43:34.000000000 +0000
+++ simplesamlphp-1.19.7/debian/changelog	2024-12-01 15:41:33.000000000 +0000
@@ -1,3 +1,10 @@
+simplesamlphp (1.19.7-1+deb12u1) bookworm-security; urgency=high
+
+  * Upload to the security archive.
+  * Fix CVE-2024-52596
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Sun, 01 Dec 2024 16:41:33 +0100
+
 simplesamlphp (1.19.7-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru simplesamlphp-1.19.7/debian/patches/CVE-2024-52596.patch simplesamlphp-1.19.7/debian/patches/CVE-2024-52596.patch
--- simplesamlphp-1.19.7/debian/patches/CVE-2024-52596.patch	1970-01-01 00:00:00.000000000 +0000
+++ simplesamlphp-1.19.7/debian/patches/CVE-2024-52596.patch	2024-12-01 15:41:33.000000000 +0000
@@ -0,0 +1,31 @@
+diff -ur simplesamlphp-1.19.7.orig/vendor/simplesamlphp/saml2/src/SAML2/DOMDocumentFactory.php simplesamlphp-1.19.7/vendor/simplesamlphp/saml2/src/SAML2/DOMDocumentFactory.php
+--- simplesamlphp-1.19.7.orig/vendor/simplesamlphp/saml2/src/SAML2/DOMDocumentFactory.php	2022-11-23 13:50:43.000000000 +0100
++++ simplesamlphp-1.19.7/vendor/simplesamlphp/saml2/src/SAML2/DOMDocumentFactory.php	2024-12-01 16:44:49.843511658 +0100
+@@ -30,15 +30,26 @@
+     {
+         if (trim($xml) === '') {
+             throw InvalidArgumentException::invalidType('non-empty string', $xml);
++        } elseif (preg_match('/<(\s*)!(\s*)DOCTYPE/', $xml)) {
++            throw new RuntimeException(
++                'Dangerous XML detected, DOCTYPE nodes are not allowed in the XML body'
++            );
+         } elseif (PHP_VERSION_ID < 80000) {
+             $entityLoader = libxml_disable_entity_loader(true);
++        } else {
++            libxml_set_external_entity_loader(null);
+         }
+ 
+         $internalErrors = libxml_use_internal_errors(true);
+         libxml_clear_errors();
+ 
+         $domDocument = self::create();
+-        $options = LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_NONET | LIBXML_PARSEHUGE;
++        $options = LIBXML_NONET | LIBXML_PARSEHUGE;
++
++        /* LIBXML_NO_XXE available from PHP 8.4 */
++        if (defined('LIBXML_NO_XXE')) {
++            $options |= LIBXML_NO_XXE;
++        }
+         if (defined('LIBXML_COMPACT')) {
+             $options |= LIBXML_COMPACT;
+         }
diff -Nru simplesamlphp-1.19.7/debian/patches/series simplesamlphp-1.19.7/debian/patches/series
--- simplesamlphp-1.19.7/debian/patches/series	2019-11-26 15:25:04.000000000 +0000
+++ simplesamlphp-1.19.7/debian/patches/series	2024-12-01 15:41:25.000000000 +0000
@@ -1 +1,2 @@
 debian_config.patch
+CVE-2024-52596.patch