Version in base suite: 3.5.0+dfsg-2
Base version: shibboleth-sp_3.5.0+dfsg-2
Target version: shibboleth-sp_3.5.0+dfsg-2+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/shibboleth-sp/shibboleth-sp_3.5.0+dfsg-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/shibboleth-sp/shibboleth-sp_3.5.0+dfsg-2+deb13u1.dsc
changelog | 11 ++++++++
gbp.conf | 2 -
patches/SSPCPP-1014-Extend-escaping-in-strings.patch | 25 +++++++++++++++++++
patches/series | 1
4 files changed, 38 insertions(+), 1 deletion(-)
diff -Nru shibboleth-sp-3.5.0+dfsg/debian/changelog shibboleth-sp-3.5.0+dfsg/debian/changelog
--- shibboleth-sp-3.5.0+dfsg/debian/changelog 2025-01-12 12:52:44.000000000 +0000
+++ shibboleth-sp-3.5.0+dfsg/debian/changelog 2025-09-06 09:46:12.000000000 +0000
@@ -1,3 +1,14 @@
+shibboleth-sp (3.5.0+dfsg-2+deb13u1) trixie-security; urgency=high
+
+ * [627cc27] New patch: SSPCPP-1014 - Extend escaping in strings.
+ Fix SQL injection vulnerability in Service Provider ODBC plugin:
+ specially crafted inputs can exfiltrate information stored in the
+ database used by the SP. The vulnerability is moderate to high
+ severity for anyone using the ODBC plugin, and of no impact for others.
+ Thanks to Scott Cantor (Closes: #1114506)
+
+ -- Ferenc Wágner Sat, 06 Sep 2025 11:46:12 +0200
+
 shibboleth-sp (3.5.0+dfsg-2) unstable; urgency=medium
 
 * Upload to unstable
diff -Nru shibboleth-sp-3.5.0+dfsg/debian/gbp.conf shibboleth-sp-3.5.0+dfsg/debian/gbp.conf
--- shibboleth-sp-3.5.0+dfsg/debian/gbp.conf 2023-01-22 13:20:06.000000000 +0000
+++ shibboleth-sp-3.5.0+dfsg/debian/gbp.conf 2025-09-06 09:43:32.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/trixie
 upstream-branch = upstream/latest
 pristine-tar = True
diff -Nru shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch
--- shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch 1970-01-01 00:00:00.000000000 +0000
+++ shibboleth-sp-3.5.0+dfsg/debian/patches/SSPCPP-1014-Extend-escaping-in-strings.patch 2025-09-06 09:44:50.000000000 +0000
@@ -0,0 +1,25 @@
+From: Scott Cantor
+Date: Wed, 3 Sep 2025 08:45:54 -0400
+Subject: SSPCPP-1014 - Extend escaping in strings
+
+---
+ odbc-store/odbc-store.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/odbc-store/odbc-store.cpp b/odbc-store/odbc-store.cpp
+index 2316e95..aae8520 100644
+--- a/odbc-store/odbc-store.cpp
++++ b/odbc-store/odbc-store.cpp
+@@ -255,9 +255,10 @@ namespace {
+ string m_copy;
+ public:
+ SQLString(const char* src) : m_src(src) {
+- if (strchr(src, '\'')) {
++ if (strchr(src, '\\') || strchr(src, '\'')) {
+ m_copy = src;
+- replace_all(m_copy, "'", "''");
++ replace_all(m_copy, "\\", "\\\\");
++ replace_all(m_copy, "'", "\\'");
+ }
+ }
+ 
diff -Nru shibboleth-sp-3.5.0+dfsg/debian/patches/series shibboleth-sp-3.5.0+dfsg/debian/patches/series
--- shibboleth-sp-3.5.0+dfsg/debian/patches/series 2025-01-03 21:53:32.000000000 +0000
+++ shibboleth-sp-3.5.0+dfsg/debian/patches/series 2025-09-06 09:44:50.000000000 +0000
@@ -3,3 +3,4 @@
 Debianize-the-systemd-service-file-of-shibd.patch
 seckeygen-defaults-for-Debian.patch
 Use-runstatedir-from-future-Autoconf-2.70.patch
+SSPCPP-1014-Extend-escaping-in-strings.patch
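Review bot: The new escaping in the SQLString constructor of the embedded odbc-store.cpp hunk assumes a backend that treats backslash as an escape character inside string literals: it drops the SQL-standard quote doubling (`''`) in favour of `\'`, so on a driver where backslash is an ordinary character (PostgreSQL with standard_conforming_strings on, SQL Server, Oracle, SQLite) a quote in the input still terminates the literal and the injection this patch is meant to close stays reachable; the dialect the plugin targets is not visible from the hunk, so this may be intended if the ODBC store is only supported against backslash-escaping backends. A portable fix that needs no escaping at all is to pass the value through a bound parameter (SQLBindParameter) instead of splicing SQLString into the statement text; that change lives in the callers, outside this hunk. If string escaping has to stay, keeping the quote doubling and only adding the backslash doubling — `replace_all(m_copy, "\\", "\\\\"); replace_all(m_copy, "'", "''");` — does not reopen the literal on either family of backend, at the cost of a literal backslash being stored doubled where backslash is not an escape. The enclosing SQLString class starts and ends outside the hunk, and the m_src member it initialises is not shown here.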