Version in base suite: 1.19.7-1+deb12u1 Base version: simplesamlphp_1.19.7-1+deb12u1 Target version: simplesamlphp_1.19.7-1+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/simplesamlphp/simplesamlphp_1.19.7-1+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/simplesamlphp/simplesamlphp_1.19.7-1+deb12u2.dsc changelog | 9 ++- patches/CVE-2025-27773.patch | 122 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 131 insertions(+), 1 deletion(-)
diff -Nru simplesamlphp-1.19.7/debian/changelog simplesamlphp-1.19.7/debian/changelog
--- simplesamlphp-1.19.7/debian/changelog 2024-12-01 15:41:33.000000000 +0000
+++ simplesamlphp-1.19.7/debian/changelog 2025-05-11 06:35:04.000000000 +0000
@@ -1,7 +1,14 @@
+simplesamlphp (1.19.7-1+deb12u2) bookworm; urgency=medium
+
+ * Team upload for stable proposed updates.
+ * Fix CVE-2025-27773 (Closes: #1100595)
+
+ -- Tobias Frost Sun, 11 May 2025 08:35:04 +0200
+
 simplesamlphp (1.19.7-1+deb12u1) bookworm-security; urgency=high
 * Upload to the security archive.
- * Fix CVE-2024-52596
+ * Fix CVE-2024-52596 (Closes: #1088904)
 -- Thijs Kinkhorst Sun, 01 Dec 2024 16:41:33 +0100
diff -Nru simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch
--- simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch 1970-01-01 00:00:00.000000000 +0000
+++ simplesamlphp-1.19.7/debian/patches/CVE-2025-27773.patch 2025-05-11 06:25:15.000000000 +0000
@@ -0,0 +1,122 @@
+Description: CVE-2025-27773 - signature confusion attack
+Origin: https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595
+Bug: https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56
+
+--- a/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php
++++ b/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php
+@@ -94,7 +94,7 @@
+ /**
+ * Receive a SAML 2 message sent using the HTTP-Redirect binding.
+ *
+- * Throws an exception if it is unable receive the message.
++ * Throws an exception if it is unable to receive the message.
+ *
+ * @throws \Exception
+ * @return \SAML2\Message The received message.
+@@ -104,10 +104,36 @@
+ public function receive(): Message
+ {
+ $data = self::parseQuery();
+- if (array_key_exists('SAMLRequest', $data)) {
+- $message = $data['SAMLRequest'];
+- } elseif (array_key_exists('SAMLResponse', $data)) {
+- $message = $data['SAMLResponse'];
++ $signedQuery = $data['SignedQuery'];
++
++ /**
++ * Get the SAMLRequest/SAMLResponse from the exact same signed data that will be verified later in
++ * validateSignature into $res using the actual SignedQuery
++ */
++ $res = [];
++ foreach (explode('&', $signedQuery) as $e) {
++ $tmp = explode('=', $e, 2);
++ $name = $tmp[0];
++ if (count($tmp) === 2) {
++ $value = $tmp[1];
++ } else {
++ /* No value for this parameter. */
++ $value = '';
++ }
++ $name = urldecode($name);
++ $res[$name] = urldecode($value);
++ }
++
++ /**
++ * Put the SAMLRequest/SAMLResponse from the actual query string into $message,
++ * and assert that the result from parseQuery() in $data and the parsing of the SignedQuery in $res agree
++ */
++ if (array_key_exists('SAMLRequest', $res)) {
++ Assert::same($res['SAMLRequest'], $data['SAMLRequest'], 'Parse failure.');
++ $message = $res['SAMLRequest'];
++ } elseif (array_key_exists('SAMLResponse', $res)) {
++ Assert::same($res['SAMLResponse'], $data['SAMLResponse'], 'Parse failure.');
++ $message = $res['SAMLResponse'];
+ } else {
+ throw new \Exception('Missing SAMLRequest or SAMLResponse parameter.');
+ }
+@@ -116,7 +142,7 @@
+ throw new \Exception('Unknown SAMLEncoding: '.var_export($data['SAMLEncoding'], true));
+ }
+
+- $message = base64_decode($message);
++ $message = base64_decode($message, true);
+ if ($message === false) {
+ throw new \Exception('Error while base64 decoding SAML message.');
+ }
+@@ -141,6 +167,15 @@
+ return $message;
+ }
+
++ /**
++ * 3.4.5.2 - SAML Bindings
++ *
++ * If the message is signed, the Destination XML attribute in the root SAML element of the protocol
++ * message MUST contain the URL to which the sender has instructed the user agent to deliver the
++ * message.
++ */
++ Assert::notNull($message->getDestination()); // Validation of the value must be done upstream
++
+ if (!array_key_exists('SigAlg', $data)) {
+ throw new \Exception('Missing signature algorithm.');
+ }
+@@ -148,7 +183,7 @@
+ $signData = [
+ 'Signature' => $data['Signature'],
+ 'SigAlg' => $data['SigAlg'],
+- 'Query' => $data['SignedQuery'],
++ 'Query' => $signedQuery,
+ ];
+
+ $message->addValidator([get_class($this), 'validateSignature'], $signData);
+@@ -165,6 +200,7 @@
+ * signed.
+ *
+ * @return array The query data that is signed.
++ * @throws \Exception
+ */
+ private static function parseQuery() : array
+ {
+@@ -186,7 +222,12 @@
+ /* No value for this parameter. */
+ $value = '';
+ }
++
+ $name = urldecode($name);
++ // Prevent keys from being set more than once
++ if (array_key_exists($name, $data)) {
++ throw new \Exception('Duplicate parameter.');
++ }
+ $data[$name] = urldecode($value);
+
+ switch ($name) {
+@@ -202,6 +243,9 @@
+ break;
+ }
+ }
++ if (array_key_exists('SAMLRequest', $data) && array_key_exists('SAMLResponse', $data)) {
++ throw new \Exception('Both SAMLRequest and SAMLResponse provided.');
++ }
+
+ $data['SignedQuery'] = $sigQuery.$relayState.$sigAlg;
+
diff -Nru simplesamlphp-1.19.7/debian/patches/series simplesamlphp-1.19.7/debian/patches/series
--- simplesamlphp-1.19.7/debian/patches/series 2024-12-01 15:41:25.000000000 +0000
+++ simplesamlphp-1.19.7/debian/patches/series 2025-05-11 06:25:15.000000000 +0000
@@ -1,2 +1,3 @@
 debian_config.patch
 CVE-2024-52596.patch
+CVE-2025-27773.patch
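Review bot: The rewritten receive() body (inner hunk `@@ -104,10 +104,36 @@` of CVE-2025-27773.patch, and again at `@@ -141,6 +167,15 @@`) calls `Assert::same` and `Assert::notNull`, yet the patch carries no hunk for the `use` block of the vendored HTTPRedirect.php; unless the 1.19.7 vendored copy already imports whatever assertion class `Assert` resolves to, the backport would fail with an undefined-class error on the first signed message, which is worth confirming before upload since the page does not show the file header. The new loop that re-parses `$signedQuery` into `$res` duplicates the explode/urldecode parsing of parseQuery(), and the `Assert::same($res['SAMLRequest'], $data['SAMLRequest'], 'Parse failure.')` check only holds while the two stay in lock-step, so a short comment on the loop such as `// Must mirror parseQuery(): the Assert::same below depends on identical decoding` would protect future backports. The switch to `base64_decode($message, true)` is a behavioural tightening (input outside the base64 alphabet, previously tolerated, is now rejected with 'Error while base64 decoding SAML message.') and deserves a line in the changelog entry. Both receive() and parseQuery() begin and end outside the visible hunks.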