Version in base suite: 2.21.2+ds-1 Base version: lemonldap-ng_2.21.2+ds-1 Target version: lemonldap-ng_2.21.2+ds-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lemonldap-ng/lemonldap-ng_2.21.2+ds-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lemonldap-ng/lemonldap-ng_2.21.2+ds-1+deb13u1.dsc changelog | 8 + patches/CVE-2025-59518.patch | 92 +++++++++++++++++ patches/dont-expose-session-id-in-ajax-responses.patch | 37 ++++++ patches/fix-google-auth.patch | 45 ++++++++ patches/series | 3 5 files changed, 185 insertions(+) diff -Nru lemonldap-ng-2.21.2+ds/debian/changelog lemonldap-ng-2.21.2+ds/debian/changelog --- lemonldap-ng-2.21.2+ds/debian/changelog 2025-07-11 15:42:56.000000000 +0000 +++ lemonldap-ng-2.21.2+ds/debian/changelog 2025-11-02 15:24:21.000000000 +0000 @@ -1,3 +1,11 @@ +lemonldap-ng (2.21.2+ds-1+deb13u1) trixie; urgency=medium + + * Fix shell injection from admin interface (Closes: CVE-2025-59518) + * Don't expose session-id into Ajax responses + * Fix Google authentication + + -- Yadd Sun, 02 Nov 2025 16:24:21 +0100 + lemonldap-ng (2.21.2+ds-1) unstable; urgency=medium * Update debian upstream keys diff -Nru lemonldap-ng-2.21.2+ds/debian/patches/CVE-2025-59518.patch lemonldap-ng-2.21.2+ds/debian/patches/CVE-2025-59518.patch --- lemonldap-ng-2.21.2+ds/debian/patches/CVE-2025-59518.patch 1970-01-01 00:00:00.000000000 +0000 +++ lemonldap-ng-2.21.2+ds/debian/patches/CVE-2025-59518.patch 2025-11-02 15:24:06.000000000 +0000 
@@ -0,0 +1,92 @@
+Description: fix shell injection from admin interface (notifications
+Author: Maxime Besson
+Origin: upstream, commit:228d0194, commit:8b5ce4de
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3462
+Forwarded: not-needed
+Applied-Upstream: 2.21.3, commit:228d0194
+Reviewed-By: Xavier Guimard
+Last-Update: 2025-10-17
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Combination/Parser.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Combination/Parser.pm
+@@ -208,7 +208,7 @@
+ sub buildSub {
+ my ( $self, $cond ) = @_;
+ my $safe = Safe->new;
+- my $res = $safe->reval("sub{my(\$env)=\@_;return ($cond)}");
++ my $res = $safe->reval("sub{my(\$env)=\@_;local *_;return ($cond)}");
+ die "Bad condition $cond: $@" if ($@);
+ return $res;
+ }
+--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
++++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
+@@ -673,7 +673,7 @@
+ sub buildSub {
+ my ( $class, $val ) = @_;
+ my $res =
+- $class->tsv->{jail}->jail_reval("sub{my (\$r,\$s)=\@_;return($val)}");
++ $class->tsv->{jail}->jail_reval("sub{my (\$r,\$s)=\@_; local *_;return($val)}");
+ unless ($res) {
+ $class->logger->error( $class->tsv->{jail}->error );
+ }
+--- a/lemonldap-ng-handler/t/14-Lemonldap-NG-Handler-Rule-Building.t
++++ b/lemonldap-ng-handler/t/14-Lemonldap-NG-Handler-Rule-Building.t
+@@ -154,6 +154,18 @@
+ "0", "inDomain works for notexample.com" );
+ is( $r->( { env => { HTTP_HOST => "exampleacom" } }, {} ),
+ "0", "inDomain works for exampleacom" );
++
++ # Complex expressions
++ $r = compileRule('join(":",grep {$_ eq "a"} split(":", $list))');
++ is( ref($r), "CODE", "Returned code ref" );
++ is(
++ $r->(
++ { env => { HTTP_HOST => "AUTH.EXAMPLE.COM" } },
++ { list => "a:b:c:a:d:a" }
++ ),
++ "a:a:a"
++ );
++
+ }
+
+ sub runUnsafeTests {
+@@ -173,7 +185,7 @@
+ ok( !$@, 'init' );
+
+ subtest "Safe jail off" => sub {
+- plan tests => 35;
++ plan tests => 37;
+ ok( $h->configReload($conf), 'Load conf' );
+ is(
+ ref( $h->tsv->{jail}->jail ),
+@@ -186,7 +198,7 @@
+ };
+
+ subtest "Safe jail on" => sub {
+- plan tests => 33;
++ plan tests => 35;
+ ok( $h->configReload( { %$conf, useSafeJail => 1 } ), 'Load conf' );
+ is( ref( $h->tsv->{jail}->jail ), "Safe", "Safe jail is enabled" );
+
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
++++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+@@ -23,7 +23,7 @@
+ );
+ $cpt->share_from( 'Lemonldap::NG::Common::Safelib',
+ $Lemonldap::NG::Common::Safelib::functions );
+- $cpt->reval($val);
++ $cpt->reval("local *_;$val");
+ my $err = join( '',
+ grep { $_ =~ /(?:Undefined subroutine|Devel::StackTrace)/ ? () : $_ }
+ split( /\n/, $@ ) );
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AutoSignin.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AutoSignin.pm
+@@ -29,7 +29,7 @@
+ my $safe = Safe->new;
+ foreach my $id ( sort keys %$rules ) {
+ my $sub =
+- $safe->reval( 'sub{my($env)=@_;return (' . $rules->{$id} . ')}' );
++ $safe->reval( 'sub{my($env)=@_;local *_;return (' . $rules->{$id} . ')}' );
+ if ($@) {
+ $self->logger->error(
+ 'Bad Autologin rule "' . $rules->{$id} . ": $@" );
diff -Nru lemonldap-ng-2.21.2+ds/debian/patches/dont-expose-session-id-in-ajax-responses.patch lemonldap-ng-2.21.2+ds/debian/patches/dont-expose-session-id-in-ajax-responses.patch
--- lemonldap-ng-2.21.2+ds/debian/patches/dont-expose-session-id-in-ajax-responses.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.21.2+ds/debian/patches/dont-expose-session-id-in-ajax-responses.patch 2025-11-02 15:08:43.000000000 +0000
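Review bot: The `local *_;` added to the reval strings in Parser.pm, Reload.pm and AutoSignin.pm is position-sensitive — it must stay after the `my(...)=@_` unpacking, because localizing the whole `_` glob also empties `@_` — and none of the three sites records that, so a later tidy or refactor could reorder it without any test noticing. A one-line comment at each site, e.g. `# local *_ only after @_ is unpacked: the compartment otherwise shares the _ glob with the caller (CVE-2025-59518)`, would pin both the order and the reason; the sharing of `*_` is what the fix implies rather than anything visible here, so confirm it against upstream commit 228d0194. The new test in 14-Lemonldap-NG-Handler-Rule-Building.t only shows that `$_` inside `grep` still works after the change, i.e. compatibility; a test asserting that a rule body referencing `$_` or `@_` directly sees only the localized, empty values would make the mitigation itself regression-checked. Reload.pm's `buildSub` and the Attributes.pm syntax-check block both continue past the nested hunks, and the DEP-3 `Description:` line ends in an unclosed `(notifications`, which may be a truncation in this rendering or in the patch file.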
@@ -0,0 +1,37 @@
+Description: don't expose session id into Ajax responses
+Author: Yadd
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/778
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3446
+Forwarded: not-needed
+Applied-Upstream: 2.21.3, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3446
+Last-Update: 2025-09-12
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+@@ -679,6 +679,7 @@
+ ? $req->{sessionInfo}
+ : $req->{userData}
+ );
++ $req->data->{newAuth} = 1;
+ $self->auditLog(
+ $req,
+ message => (
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+@@ -195,7 +195,6 @@
+
+ sub authenticatedRequest {
+ my ( $self, $req ) = @_;
+- $req->data->{alreadyAuthenticated} = 1;
+ return $self->do(
+ $req,
+ [
+@@ -400,7 +399,7 @@
+ }
+ else {
+ my $res = { result => 1, error => $err };
+- unless ( $req->data->{alreadyAuthenticated} ) {
++ if ( $req->data->{newAuth} ) {
+ $res->{id} = $req->id;
+ $res->{id_http} = $req->sessionInfo->{_httpSession}
+ if $req->sessionInfo->{_httpSession};
diff -Nru lemonldap-ng-2.21.2+ds/debian/patches/fix-google-auth.patch lemonldap-ng-2.21.2+ds/debian/patches/fix-google-auth.patch
--- lemonldap-ng-2.21.2+ds/debian/patches/fix-google-auth.patch 1970-01-01 00:00:00.000000000 +0000
+++ lemonldap-ng-2.21.2+ds/debian/patches/fix-google-auth.patch 2025-11-02 15:08:43.000000000 +0000
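Review bot: The flip from `unless ( $req->data->{alreadyAuthenticated} )` to `if ( $req->data->{newAuth} )` in Run.pm makes session-id disclosure opt-in, which is the right default, but the only writer of `newAuth` is the single Process.pm hunk, whose enclosing sub starts and ends outside the patch; any other path that creates a fresh session and is not in view now silently stops returning `id`/`id_http` to Ajax callers instead of over-exposing them, so that is the behaviour to verify. Unlike the other two patches this one carries no test change; a test that an Ajax request on an already-authenticated session gets `result => 1` with no `id` key, while a fresh login still gets one, would keep the fix from regressing. If anything else still reads `$req->data->{alreadyAuthenticated}` (not visible here) it now sees undef, since the assignment removed from `authenticatedRequest` was its only writer in this hunk. A short comment on the new `if`, e.g. `# only a login performed by this very request may reveal its session id`, would record the intent.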
@@ -0,0 +1,45 @@
+Description: fix Google OIDC authentication
+Author: Maxime Besson
+Last-Update: 2025-09-12
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+@@ -2751,6 +2751,10 @@
+ sub exportRequestParameters {
+ my ( $self, $req ) = @_;
+
++ unless ( $self->ssoMatch($req) ) {
++ return PE_OK;
++ }
++
+ if ( my $p = $req->param('prompt') ) {
+ if ( $p eq 'none' ) {
+ return $self->_unauthPromptNone($req);
+--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
++++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
+@@ -466,6 +466,9 @@
+ openidconnectcallback => 1,
+ error => "canceled",
+ state => $state,
++
++ # 3445, make sure unwanted parameters don't confuse LLNG
++ prompt => "none",
+ },
+ accept => 'text/html',
+ ),
+@@ -551,6 +554,10 @@
+ return LLNG::Manager::Test->new( {
+ ini => {
+ logLevel => $debug,
++
++ # needed to to test #3445
++ issuerDBOpenIDConnectActivation => "1",
++
+ domain => 'rp.com',
+ portal => 'http://auth.rp.com/',
+ authentication => 'OpenIDConnect',
diff -Nru lemonldap-ng-2.21.2+ds/debian/patches/series lemonldap-ng-2.21.2+ds/debian/patches/series
--- lemonldap-ng-2.21.2+ds/debian/patches/series 2025-07-01 06:46:21.000000000 +0000
+++ lemonldap-ng-2.21.2+ds/debian/patches/series 2025-11-02 15:23:35.000000000 +0000
@@ -2,3 +2,6 @@
 Avoid-developer-tests.patch
 replace-api-doc-by-link.diff
 fix-makefile.patch
+CVE-2025-59518.patch
+dont-expose-session-id-in-ajax-responses.patch
+fix-google-auth.patch
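Review bot: The new guard at the top of `exportRequestParameters` returns `PE_OK` whenever `ssoMatch` fails, and because it sits before the `prompt` handling a request that is not an authorize request but carries `prompt=none` (the RP-callback case the test adds) is now left alone; the shape is right, but its intent lives only in the test comments, so a line above it such as `# Only authorize requests carry OIDC parameters; a callback may echo prompt= (#3445)` would help, and the block can be the postfix form `return PE_OK unless $self->ssoMatch($req);`. This patch's DEP-3 header lacks the `Bug:`, `Origin:` and `Applied-Upstream:` fields the other two patches carry, although the test comments name issue 3445; if that is the tracking issue, `Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3445` and a forwarding status would make the patch's provenance checkable. The test comment `# needed to to test #3445` has a doubled "to". The hunk header announces 45 added lines while about 40 are visible in this rendering, so part of the patch may not be shown here.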