File: xml-prevent-assignment-of-attribute-value-inside-any.patch

package info (click to toggle)
lasso 2.8.1-1%2Bdeb12u1
  • links: PTS
  • area: main
  • in suites: bookworm-proposed-updates
  • size: 21,184 kB
  • sloc: ansic: 38,284; xml: 23,941; python: 5,148; sh: 4,726; makefile: 1,002; php: 495; perl: 117
file content (53 lines) | stat: -rw-r--r-- 2,389 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
 
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Thu, 15 May 2025 15:44:58 +0200
Subject: xml: prevent assignment of attribute value inside any attribute
Origin: https://git.entrouvert.org/lasso.git/commit/?id=8d12e6263fd6add923469bd5704e05a1ccfa8c69
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-47151

---
 lasso/xml/misc_text_node.c                 | 2 +-
 lasso/xml/saml-2.0/saml2_attribute_value.c | 2 +-
 lasso/xml/xml.c                            | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)

--- a/lasso/xml/misc_text_node.c
+++ b/lasso/xml/misc_text_node.c
@@ -41,7 +41,7 @@ typedef struct {
 static struct XmlSnippet schema_snippets[] = {
 	{ "content", SNIPPET_TEXT_CHILD,
 		G_STRUCT_OFFSET(LassoMiscTextNode, content), NULL, NULL, NULL},
-	{ "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+	{ "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
 		G_STRUCT_OFFSET(LassoMiscTextNodePrivate, any_attributes), NULL, NULL, NULL},
 	{NULL, 0, 0, NULL, NULL, NULL}
 };
--- a/lasso/xml/saml-2.0/saml2_attribute_value.c
+++ b/lasso/xml/saml-2.0/saml2_attribute_value.c
@@ -53,7 +53,7 @@ struct _LassoSaml2AttributeValuePrivate
 static struct XmlSnippet schema_snippets[] = {
 	{ "any", SNIPPET_LIST_NODES | SNIPPET_ANY | SNIPPET_ALLOW_TEXT,
 		G_STRUCT_OFFSET(LassoSaml2AttributeValue, any), NULL, NULL, NULL},
-	{ "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+	{ "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
 		G_STRUCT_OFFSET(struct _LassoSaml2AttributeValuePrivate, any_attributes), NULL,
 		NULL, NULL },
 	{NULL, 0, 0, NULL, NULL, NULL}
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -1569,6 +1569,7 @@ lasso_node_impl_init_from_xml(LassoNode
 				type = snippet->type & 0xff;
 				/* assign attribute content if attribute has the same name as the
 				 * snippet and:
+				 * - the snippet is not the any attribute snippet,
 				 * - the snippet and the attribute have no namespace
 				 * - the snippet has no namespace but the attribute has the same
 				 *   namespace as the node
@@ -1576,6 +1577,8 @@ lasso_node_impl_init_from_xml(LassoNode
 				 */
 				if (type != SNIPPET_ATTRIBUTE)
 					continue;
+				if (snippet->type & SNIPPET_ANY)
+					continue;
 				if (! lasso_strisequal((char*)attr->name, (char*)snippet->name))
 					continue;
 				if (attr->ns) {