File CVE-2025-47151.patch of Package lasso.41555
From 8d12e6263fd6add923469bd5704e05a1ccfa8c69 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Thu, 15 May 2025 15:44:58 +0200
Subject: [PATCH] xml: prevent assignment of attribute value inside any
attribute
---
lasso/xml/misc_text_node.c | 2 +-
lasso/xml/saml-2.0/saml2_attribute_value.c | 2 +-
lasso/xml/xml.c | 3 +++
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/lasso/xml/misc_text_node.c b/lasso/xml/misc_text_node.c
index 15a0a898..4b127a4d 100644
--- a/lasso/xml/misc_text_node.c
+++ b/lasso/xml/misc_text_node.c
@@ -41,7 +41,7 @@ G_DEFINE_TYPE_WITH_PRIVATE(LassoMiscTextNode, lasso_misc_text_node, LASSO_TYPE_N
static struct XmlSnippet schema_snippets[] = {
{ "content", SNIPPET_TEXT_CHILD,
G_STRUCT_OFFSET(LassoMiscTextNode, content), NULL, NULL, NULL},
- { "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ { "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
G_STRUCT_OFFSET(LassoMiscTextNodePrivate, any_attributes), NULL, NULL, NULL},
{NULL, 0, 0, NULL, NULL, NULL}
};
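Review bot: The empty string that replaces "any_attributes" in this table is a magic value with no explanation, and the same applies to the identical change in lasso/xml/saml-2.0/saml2_attribute_value.c. A reader cannot tell that the name was blanked so that no attribute in a parsed document can match this entry by name. A comment above the entry such as `/* no name: the any-attribute entry must never be matched by attribute name */` would record that. The guard added in lasso/xml/xml.c skips SNIPPET_ANY entries whatever their name, so it is also worth checking whether other schema_snippets tables in the tree (not visible in this patch) still name their SNIPPET_ATTRIBUTE | SNIPPET_ANY entry, to keep the convention uniform.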
diff --git a/lasso/xml/saml-2.0/saml2_attribute_value.c b/lasso/xml/saml-2.0/saml2_attribute_value.c
index c41f0e05..396e0aef 100644
--- a/lasso/xml/saml-2.0/saml2_attribute_value.c
+++ b/lasso/xml/saml-2.0/saml2_attribute_value.c
@@ -55,7 +55,7 @@ G_DEFINE_TYPE_WITH_PRIVATE(LassoSaml2AttributeValue, lasso_saml2_attribute_value
static struct XmlSnippet schema_snippets[] = {
{ "any", SNIPPET_LIST_NODES | SNIPPET_ANY | SNIPPET_ALLOW_TEXT,
G_STRUCT_OFFSET(LassoSaml2AttributeValue, any), NULL, NULL, NULL},
- { "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ { "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
G_STRUCT_OFFSET(struct _LassoSaml2AttributeValuePrivate, any_attributes), NULL,
NULL, NULL },
{NULL, 0, 0, NULL, NULL, NULL}
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
index b713b523..ca8d72fa 100644
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -1576,6 +1576,7 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
type = snippet->type & 0xff;
/* assign attribute content if attribute has the same name as the
* snippet and:
+ * - the snippet is not the any attribute snippet,
* - the snippet and the attribute have no namespace
* - the snippet has no namespace but the attribute has the same
* namespace as the node
@@ -1583,6 +1584,8 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
*/
if (type != SNIPPET_ATTRIBUTE)
continue;
+ if (snippet->type & SNIPPET_ANY)
+ continue;
if (! lasso_strisequal((char*)attr->name, (char*)snippet->name))
continue;
if (attr->ns) {
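Review bot: The added `if (snippet->type & SNIPPET_ANY) continue;` is described in the comment above only as a condition, not as a reason. I would add `/* the any-attribute snippet does not hold a string; never assign attribute text to it by name */` directly above the check; the field's declaration is not in this hunk, so adjust the wording to its actual type. The test added later in this series expects the skipped attribute to surface as an "Unexpected attribute" warning carrying the whole attribute value, so it is worth confirming that the warning path (outside this diff) bounds the length of what it logs from a parsed document. lasso_node_impl_init_from_xml starts and ends outside the hunk.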
From ebf3dd68910492ab18e9b8b319386f6495c96b01 Mon Sep 17 00:00:00 2001
From: Yann Weber <yweber@entrouvert.com>
Date: Thu, 15 May 2025 17:12:57 +0200
Subject: [PATCH] tests: check assignement of any_attribute is prevented
(#105693)
---
tests/basic_tests.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
index 65d60b90..ae8c4128 100644
--- a/tests/basic_tests.c
+++ b/tests/basic_tests.c
@@ -1104,6 +1104,34 @@ START_TEST(test17_test_get_issuer_leading_equal)
}
END_TEST
+START_TEST(test18_test_unexpected_any_attribute_assignement)
+{
+ const char *xml_str = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\
+<samlp:Response\n\
+ xmlns:xsi=\"XXX\"\n\
+ xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" \n\
+ xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\n\
+ >\n\
+ <saml:Assertion ID=\"ID_03371036-a6cb-48cd-86eb-6792f33e96cd\" IssueInstant=\"2025-03-06T15:25:53.175Z\" Version=\"2.0\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">\n\
+ <saml:AttributeStatement>\n\
+ <saml:Attribute Name=\"Magic\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\">\n\
+ <saml:AttributeValue any_attributes=\"CCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBB\" xsi:type=\"xs:string\">BBB_CCCC_DDD</saml:AttributeValue>\n\
+ </saml:Attribute>\n\
+ </saml:AttributeStatement>\n\
+ </saml:Assertion>\n\
+</samlp:Response>\n\
+";
+ xmlDoc *xmldoc;
+ LassoNode *node;
+ begin_check_do_log(NULL, G_LOG_LEVEL_WARNING, "Unexpected attribute: {(null)}any_attributes = CCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBB", TRUE);
+ xmldoc = xmlParseDoc(xml_str);
+ node = lasso_node_new_from_xmlNode(xmlDocGetRootElement(xmldoc));
+ g_object_unref(node);
+ lasso_release_doc(xmldoc);
+ end_check_do_log(NULL);
+}
+END_TEST
+
Suite*
basic_suite()
{
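Review bot: In test18_test_unexpected_any_attribute_assignement, `xml_str` is a `const char *` passed straight to `xmlParseDoc`, which takes `const xmlChar *`, and neither `xmldoc` nor `node` is checked before use. I would write `xmldoc = xmlParseDoc((const xmlChar *)xml_str);` and follow the two calls with `ck_assert(xmldoc != NULL);` and `ck_assert(node != NULL);`, so that a parse failure is reported as such rather than as a missing log message or a GLib critical from `g_object_unref`. As written the test asserts only the warning text and does not inspect the node afterwards, so a regression to the old assignment would be caught reliably only when the suite runs under a sanitizer or valgrind.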
@@ -1124,6 +1152,7 @@ basic_suite()
TCase *tc_key = tcase_create("Test loading and manipulating LassoKey objects");
TCase *tc_key_info = tcase_create("Test creating and dumping ds:KeyInfo nodes");
TCase *tc_get_issuer = tcase_create("Test get_issuer and get_request_id");
+ TCase *tc_prevent_any_attribute_assignement = tcase_create("Test any_attribute assignement is prevented");
suite_add_tcase(s, tc_server_load_dump_empty_string);
suite_add_tcase(s, tc_server_load_dump_random_string);
@@ -1141,6 +1170,7 @@ basic_suite()
suite_add_tcase(s, tc_key);
suite_add_tcase(s, tc_key_info);
suite_add_tcase(s, tc_get_issuer);
+ suite_add_tcase(s, tc_prevent_any_attribute_assignement);
tcase_add_test(tc_server_load_dump_empty_string, test01_server_load_dump_empty_string);
tcase_add_test(tc_server_load_dump_random_string, test02_server_load_dump_random_string);
@@ -1159,5 +1189,6 @@ basic_suite()
tcase_add_test(tc_key_info, test15_ds_key_info);
tcase_add_test(tc_get_issuer, test16_test_get_issuer);
+ tcase_add_test(tc_prevent_any_attribute_assignement, test18_test_unexpected_any_attribute_assignement);
tcase_set_timeout(tc_load_metadata, 10);
return s;
}