Version in base suite: 3.2.0-3 Base version: xmltooling_3.2.0-3 Target version: xmltooling_3.2.0-3+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xmltooling/xmltooling_3.2.0-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xmltooling/xmltooling_3.2.0-3+deb11u1.dsc changelog | 19 ++ gbp.conf | 2 patches/CPPXT-157-Install-blocking-URI-resolver-into-Santuario.patch | 75 ++++++++++ patches/series | 1 4 files changed, 96 insertions(+), 1 deletion(-)
diff -Nru xmltooling-3.2.0/debian/changelog xmltooling-3.2.0/debian/changelog
--- xmltooling-3.2.0/debian/changelog 2021-07-26 14:39:29.000000000 +0000
+++ xmltooling-3.2.0/debian/changelog 2023-06-14 20:44:03.000000000 +0000
@@ -1,3 +1,22 @@
+xmltooling (3.2.0-3+deb11u1) bullseye-security; urgency=high
+
+ * [6afa199] New patch: CPPXT-157 - Install blocking URI resolver into
+ Santuario.
+ Fix a denial of service vulnerability: Parsing of KeyInfo elements can
+ cause remote resource access.
+ Including certain legal but "malicious in intent" content in the
+ KeyInfo element defined by the XML Signature standard will result
+ in attempts by the SP's shibd process to dereference untrusted
+ URLs.
+ While the content of the URL must be supplied within the message
+ and does not include any SP internal state or dynamic content,
+ there is at minimum a risk of denial of service, and the attack
+ could be combined with others to create more serious vulnerabilities
+ in the future.
+ Thanks to Scott Cantor for the fix. (Closes: #1037948)
+
+ -- Ferenc Wágner Wed, 14 Jun 2023 22:44:03 +0200
+
 xmltooling (3.2.0-3) unstable; urgency=medium
 * [e9c5d46] New patch: CPPXT-151 Wiki migration broke some SecurityHelperTest
diff -Nru xmltooling-3.2.0/debian/gbp.conf xmltooling-3.2.0/debian/gbp.conf
--- xmltooling-3.2.0/debian/gbp.conf 2021-07-25 21:20:41.000000000 +0000
+++ xmltooling-3.2.0/debian/gbp.conf 2023-06-14 20:39:30.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/bullseye
 upstream-branch = upstream/latest
 pristine-tar = True
diff -Nru xmltooling-3.2.0/debian/patches/CPPXT-157-Install-blocking-URI-resolver-into-Santuario.patch xmltooling-3.2.0/debian/patches/CPPXT-157-Install-blocking-URI-resolver-into-Santuario.patch
--- xmltooling-3.2.0/debian/patches/CPPXT-157-Install-blocking-URI-resolver-into-Santuario.patch 1970-01-01 00:00:00.000000000 +0000
+++ xmltooling-3.2.0/debian/patches/CPPXT-157-Install-blocking-URI-resolver-into-Santuario.patch 2023-06-14 20:39:30.000000000 +0000
@@ -0,0 +1,75 @@
+From: Scott Cantor
+Date: Tue, 6 Jun 2023 16:31:48 -0400
+Subject: CPPXT-157 - Install blocking URI resolver into Santuario
+
+https://shibboleth.atlassian.net/browse/CPPXT-157
+---
+ xmltooling/XMLToolingConfig.cpp | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/xmltooling/XMLToolingConfig.cpp b/xmltooling/XMLToolingConfig.cpp
+index 4bd5b11..dd5634d 100644
+--- a/xmltooling/XMLToolingConfig.cpp
++++ b/xmltooling/XMLToolingConfig.cpp
+@@ -75,6 +75,7 @@
+ # include
+ # include
+ # include
++# include
+ #endif
+
+ using namespace soap11;
+@@ -116,7 +117,7 @@ namespace {
+ #endif
+ static ptr_vector g_openssl_locks;
+
+- extern "C" void openssl_locking_callback(int mode,int n,const char *file,int line)
++ extern "C" void openssl_locking_callback(int mode, int n, const char *, int)
+ {
+ if (mode & CRYPTO_LOCK)
+ g_openssl_locks[n].lock();
+@@ -144,7 +145,7 @@ namespace {
+ void setInput(TXFMBase *newInput) {
+ input = newInput;
+ if (newInput->getOutputType() != TXFMBase::BYTE_STREAM)
+- throw XSECException(XSECException::TransformInputOutputFail, "OutputLog transform requires BYTE_STREAM input");
++ throw XSECException(XSECException ::TransformInputOutputFail, "OutputLog transform requires BYTE_STREAM input");
+ keepComments = input->getCommentsStatus();
+ m_log.debug("\n----- BEGIN SIGNATURE DEBUG -----\n");
+ }
+@@ -175,6 +176,27 @@ namespace {
+ return nullptr;
+ }
+
++ class BlockingXSECURIResolver : public XSECURIResolver {
++ public:
++ BlockingXSECURIResolver() : m_log(Category::getInstance(XMLTOOLING_LOGCAT ".XMLSecurity")) {}
++ ~BlockingXSECURIResolver() {}
++
++ BinInputStream* resolveURI(const XMLCh* uri) {
++ auto_ptr_char temp(uri);
++ m_log.warn("blocked remote resource retrieval by xml-security-c library: %s",
++ temp.get() ? temp.get() : "(none)");
++ return nullptr;
++ }
++
++ void setBaseURI(const XMLCh* uri) {}
++
++ XSECURIResolver* clone() {
++ return new BlockingXSECURIResolver();
++ }
++
++ private:
++ Category& m_log;
++ };
+ #endif
+
+ #ifdef WIN32
+@@ -400,6 +422,7 @@ bool XMLToolingInternalConfig::init(bool deprecationSupport)
+ XSECPlatformUtils::Initialise();
+ XSECPlatformUtils::SetReferenceLoggingSink(TXFMOutputLogFactory);
+ m_xsecProvider.reset(new XSECProvider());
++ m_xsecProvider->setDefaultURIResolver(new BlockingXSECURIResolver());
+ log.debug("XML-Security %s initialization complete", XSEC_FULLVERSIONDOT);
+ #endif
+
diff -Nru xmltooling-3.2.0/debian/patches/series xmltooling-3.2.0/debian/patches/series
--- xmltooling-3.2.0/debian/patches/series 2021-07-26 14:35:02.000000000 +0000
+++ xmltooling-3.2.0/debian/patches/series 2023-06-14 20:39:30.000000000 +0000
@@ -1 +1,2 @@
 CPPXT-151-Wiki-migration-broke-some-SecurityHelperTest-te.patch
+CPPXT-157-Install-blocking-URI-resolver-into-Santuario.patch
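Review bot: The `new BlockingXSECURIResolver()` handed to `setDefaultURIResolver` in the init() hunk has no visible owner; the mandatory `clone()` the class implements suggests the provider copies the resolver rather than adopting it, in which case the object passed in is never freed (a one-off leak at startup, but the call deserves a comment such as `// provider clones the resolver; the temporary is intentionally not kept` once ownership has been checked against XSECProvider). The three virtual overrides carry no `override`, and `setBaseURI(const XMLCh* uri)` keeps an unused parameter name even though the same patch strips the unused names from `openssl_locking_callback`; `BinInputStream* resolveURI(const XMLCh* uri) override {`, `void setBaseURI(const XMLCh*) override {}` and `XSECURIResolver* clone() override {` would make the new class consistent with that cleanup. The URI echoed by `m_log.warn` is text chosen by whoever sent the KeyInfo, so a remote party decides what lands in that warn-level log line; a one-line comment saying so next to the call, and a cap on the logged length, would help operators who read the log after a blocked retrieval. XMLToolingInternalConfig::init begins and ends outside the hunk.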