
From b140660709c341bb44f9b7ebbd8253cde9169e8b Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Thu, 15 May 2025 15:39:42 +0200
Subject: [PATCH] tests: test that inserted comment do not change node value
 and still validate signature (#105693)

---
 bindings/python/tests/profiles_tests.py | 23 +++++++++++++++++++++++
 lasso/xml/xml.c                         |  2 +-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
index 8679d663..9f694907 100755
--- a/bindings/python/tests/profiles_tests.py
+++ b/bindings/python/tests/profiles_tests.py
@@ -24,6 +24,7 @@
 # along with this program; if not, see <http://www.gnu.org/licenses/>.
 
 
+import base64
 import os
 import unittest
 import sys
@@ -362,6 +363,28 @@ class LoginTestCase(unittest.TestCase):
         idp_login.buildAssertion("None", "None", "None", "None", "None")
         idp_login.buildAuthnResponseMsg()
 
+    def test_09(self):
+        '''Login test between SP and IdP with encrypted private keys'''
+        sp_server = server('sp7-saml2', lasso.PROVIDER_ROLE_IDP, 'idp7-saml2')
+        idp_server = server('idp7-saml2', lasso.PROVIDER_ROLE_SP, 'sp7-saml2')
+
+        sp_login = lasso.Login(sp_server)
+        sp_login.initAuthnRequest()
+        sp_login.request.protocolBinding = lasso.SAML2_METADATA_BINDING_POST
+        sp_login.buildAuthnRequestMsg()
+        idp_login = lasso.Login(idp_server)
+        idp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE)
+        idp_login.processAuthnRequestMsg(sp_login.msgUrl.split('?')[1])
+        idp_login.validateRequestMsg(True, True)
+        idp_login.buildAssertion("None", "None", "None", "None", "None")
+        idp_login.buildAuthnResponseMsg()
+        sp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE)
+        # insert comment inside NameID
+        msg = base64.b64encode(base64.b64decode(idp_login.msgBody).decode().replace(idp_login.assertion.subject.nameId.content, idp_login.assertion.subject.nameId.content[:10] + '<!-- coin -->' + idp_login.assertion.subject.nameId.content[10:]).encode())
+        sp_login.processAuthnResponseMsg(msg.decode())
+        sp_login.acceptSso()
+        assert sp_login.assertion.subject.nameId.content == idp_login.assertion.subject.nameId.content
+
 class LogoutTestCase(unittest.TestCase):
     def test01(self):
         """SP logout without session and identity; testing initRequest."""
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
index adf0ba99..b713b523 100644
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -1710,7 +1710,6 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
 				ERROR;
 			}
 #undef ADVANCE
-#undef ERROR
 
 			if (matched_snippet->offset || (matched_snippet->type & SNIPPET_PRIVATE)) {
 				switch (matched_snippet->type & 0xff) {
@@ -1772,6 +1771,7 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
 			g_assert_not_reached();
 		}
 	}
+#undef ERROR
 	if (t) { /* t is an ELEMENT that dont match any snippet, when taken in order */
 		if (snippet_any && is_snippet_type(snippet_any, SNIPPET_LIST_XMLNODES)) {
 			value = SNIPPET_STRUCT_MEMBER_P(node, g_type_any, snippet_any);
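Review bot: Moving `#undef ERROR` from beside `#undef ADVANCE` to after the closing brace of the child loop widens the macro's scope, but nothing in either hunk of this file uses ERROR in the newly covered region, so the intent is not visible from the diff; a comment at the new `#undef ERROR` such as `/* ERROR stays defined for the whole child loop, unlike ADVANCE */` would explain why the two undefs no longer pair up. The first hunk of this file shows only the removal and needs no separate note. The definition of ERROR and the rest of lasso_node_impl_init_from_xml lie outside the hunks.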

From 37836a9cf14234ce720edb5c43f6ed0491f72cf6 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Thu, 15 May 2025 16:02:25 +0200
Subject: [PATCH] xml: do not terminate on an unknown XML node type (#105693)

---
 lasso/xml/xml.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
index ca8d72fa..10732f3b 100644
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -1771,7 +1771,8 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
 				lasso_node_set_original_xmlnode(subnode, t);
 			}
 		} else {
-			g_assert_not_reached();
+			/* Anything else should not be there, abort. */
+			ERROR;
 		}
 	}
 #undef ERROR
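Review bot: The new comment `/* Anything else should not be there, abort. */` is misleading next to the change it annotates: the line it replaces, `g_assert_not_reached()`, did abort the process, whereas `ERROR` appears to route to the function's error path instead, which is the point of the change. A comment stating the actual behaviour, e.g. `/* Unexpected child node type: fail the parse instead of aborting the process. */`, would keep a reader from thinking the abort was retained. What ERROR expands to is defined outside the hunk, so the exact error path is inferred; lasso_node_impl_init_from_xml continues beyond the hunk.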