Security fixes

- Fix CVE-2025-46404 (bsc#1253092) - Denial of service in Entr'ouvert Lasso
  * CVE-2025-46404.patch
- Fix CVE-2025-46705 (bsc#1253093) - Denial of service in Entr'ouvert Lasso
  * CVE-2025-46705.patch
- Fix CVE-2025-47151 (bsc#1253095) - type confusion vulnerability in the
  lasso_node_impl_init_from_xml functionality
  * CVE-2025-47151.patch

CVE-2025-46404.patch

@@ -0,0 +1,25 @@
+From c880cad13732bcb50cbd9fa376ea39edb53e7d68 Mon Sep 17 00:00:00 2001
+From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
+Date: Thu, 15 May 2025 15:51:08 +0200
+Subject: [PATCH] misc: check xmlSecGetNodeNsHref for possible NULL result
+ (#105693)
+
+---
+ lasso/id-ff/provider.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
+index 1dcd1b02..e3c9dce5 100644
+--- a/lasso/id-ff/provider.c
++++ b/lasso/id-ff/provider.c
+@@ -1364,8 +1364,8 @@ lasso_provider_verify_saml_signature(LassoProvider *provider,
+ 
+ 	/* ID-FF 1.2 Signatures case */
+ 	node_ns = xmlSecGetNodeNsHref(signed_node);
+-	if ((strcmp((char*)node_ns, LASSO_SAML2_PROTOCOL_HREF) == 0) ||
+-			(strcmp((char*)node_ns, LASSO_SAML2_ASSERTION_HREF) == 0)) {
++	if (node_ns && ((strcmp((char*)node_ns, LASSO_SAML2_PROTOCOL_HREF) == 0) ||
++			(strcmp((char*)node_ns, LASSO_SAML2_ASSERTION_HREF) == 0))) {
+ 		id_attribute_name = "ID";
+ 	} else if (xmlSecCheckNodeName(signed_node, (xmlChar*)"Request", (xmlChar*)LASSO_SAML_PROTOCOL_HREF)) {
+ 		id_attribute_name = "RequestID";

CVE-2025-46705.patch

@@ -0,0 +1,96 @@
+From b140660709c341bb44f9b7ebbd8253cde9169e8b Mon Sep 17 00:00:00 2001
+From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
+Date: Thu, 15 May 2025 15:39:42 +0200
+Subject: [PATCH] tests: test that inserted comment do not change node value
+ and still validate signature (#105693)
+
+---
+ bindings/python/tests/profiles_tests.py | 23 +++++++++++++++++++++++
+ lasso/xml/xml.c                         |  2 +-
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
+index 8679d663..9f694907 100755
+--- a/bindings/python/tests/profiles_tests.py
++++ b/bindings/python/tests/profiles_tests.py
+@@ -24,6 +24,7 @@
+ # along with this program; if not, see <http://www.gnu.org/licenses/>.
+ 
+ 
++import base64
+ import os
+ import unittest
+ import sys
+@@ -362,6 +363,28 @@ class LoginTestCase(unittest.TestCase):
+         assert 'xmlenc#rsa-1_5' not in run(key_encryption_method=lasso.KEY_ENCRYPTION_METHOD_OAEP)
+         assert 'xmlenc#rsa-oaep-mgf1p' in run(key_encryption_method=lasso.KEY_ENCRYPTION_METHOD_OAEP)
+ 
++    def test_09(self):
++        '''Login test between SP and IdP with encrypted private keys'''
++        sp_server = server('sp7-saml2', lasso.PROVIDER_ROLE_IDP, 'idp7-saml2')
++        idp_server = server('idp7-saml2', lasso.PROVIDER_ROLE_SP, 'sp7-saml2')
++
++        sp_login = lasso.Login(sp_server)
++        sp_login.initAuthnRequest()
++        sp_login.request.protocolBinding = lasso.SAML2_METADATA_BINDING_POST
++        sp_login.buildAuthnRequestMsg()
++        idp_login = lasso.Login(idp_server)
++        idp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE)
++        idp_login.processAuthnRequestMsg(sp_login.msgUrl.split('?')[1])
++        idp_login.validateRequestMsg(True, True)
++        idp_login.buildAssertion("None", "None", "None", "None", "None")
++        idp_login.buildAuthnResponseMsg()
++        sp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE)
++        # insert comment inside NameID
++        msg = base64.b64encode(base64.b64decode(idp_login.msgBody).decode().replace(idp_login.assertion.subject.nameId.content, idp_login.assertion.subject.nameId.content[:10] + '<!-- coin -->' + idp_login.assertion.subject.nameId.content[10:]).encode())
++        sp_login.processAuthnResponseMsg(msg.decode())
++        sp_login.acceptSso()
++        assert sp_login.assertion.subject.nameId.content == idp_login.assertion.subject.nameId.content
++
+ 
+ class LogoutTestCase(unittest.TestCase):
+     def test01(self):
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index adf0ba99..b713b523 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -1710,7 +1710,6 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ 				ERROR;
+ 			}
+ #undef ADVANCE
+-#undef ERROR
+ 
+ 			if (matched_snippet->offset || (matched_snippet->type & SNIPPET_PRIVATE)) {
+ 				switch (matched_snippet->type & 0xff) {
+@@ -1772,6 +1771,7 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ 			g_assert_not_reached();
+ 		}
+ 	}
++#undef ERROR
+ 	if (t) { /* t is an ELEMENT that dont match any snippet, when taken in order */
+ 		if (snippet_any && is_snippet_type(snippet_any, SNIPPET_LIST_XMLNODES)) {
+ 			value = SNIPPET_STRUCT_MEMBER_P(node, g_type_any, snippet_any);
+
+From 37836a9cf14234ce720edb5c43f6ed0491f72cf6 Mon Sep 17 00:00:00 2001
+From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
+Date: Thu, 15 May 2025 16:02:25 +0200
+Subject: [PATCH] xml: do not terminate on an unknown XML node type (#105693)
+
+---
+ lasso/xml/xml.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index ca8d72fa..10732f3b 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -1771,7 +1771,8 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ 				lasso_node_set_original_xmlnode(subnode, t);
+ 			}
+ 		} else {
+-			g_assert_not_reached();
++			/* Anything else should not be there, abort. */
++			ERROR;
+ 		}
+ 	}
+ #undef ERROR

CVE-2025-47151.patch

@@ -0,0 +1,133 @@
+From 8d12e6263fd6add923469bd5704e05a1ccfa8c69 Mon Sep 17 00:00:00 2001
+From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
+Date: Thu, 15 May 2025 15:44:58 +0200
+Subject: [PATCH] xml: prevent assignment of attribute value inside any
+ attribute
+
+---
+ lasso/xml/misc_text_node.c                 | 2 +-
+ lasso/xml/saml-2.0/saml2_attribute_value.c | 2 +-
+ lasso/xml/xml.c                            | 3 +++
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lasso/xml/misc_text_node.c b/lasso/xml/misc_text_node.c
+index 15a0a898..4b127a4d 100644
+--- a/lasso/xml/misc_text_node.c
++++ b/lasso/xml/misc_text_node.c
+@@ -41,7 +41,7 @@ G_DEFINE_TYPE_WITH_PRIVATE(LassoMiscTextNode, lasso_misc_text_node, LASSO_TYPE_N
+ static struct XmlSnippet schema_snippets[] = {
+ 	{ "content", SNIPPET_TEXT_CHILD,
+ 		G_STRUCT_OFFSET(LassoMiscTextNode, content), NULL, NULL, NULL},
+-	{ "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++	{ "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ 		G_STRUCT_OFFSET(LassoMiscTextNodePrivate, any_attributes), NULL, NULL, NULL},
+ 	{NULL, 0, 0, NULL, NULL, NULL}
+ };
+diff --git a/lasso/xml/saml-2.0/saml2_attribute_value.c b/lasso/xml/saml-2.0/saml2_attribute_value.c
+index c41f0e05..396e0aef 100644
+--- a/lasso/xml/saml-2.0/saml2_attribute_value.c
++++ b/lasso/xml/saml-2.0/saml2_attribute_value.c
+@@ -55,7 +55,7 @@ G_DEFINE_TYPE_WITH_PRIVATE(LassoSaml2AttributeValue, lasso_saml2_attribute_value
+ static struct XmlSnippet schema_snippets[] = {
+ 	{ "any", SNIPPET_LIST_NODES | SNIPPET_ANY | SNIPPET_ALLOW_TEXT,
+ 		G_STRUCT_OFFSET(LassoSaml2AttributeValue, any), NULL, NULL, NULL},
+-	{ "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++	{ "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ 		G_STRUCT_OFFSET(struct _LassoSaml2AttributeValuePrivate, any_attributes), NULL,
+ 		NULL, NULL },
+ 	{NULL, 0, 0, NULL, NULL, NULL}
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index b713b523..ca8d72fa 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -1576,6 +1576,7 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ 				type = snippet->type & 0xff;
+ 				/* assign attribute content if attribute has the same name as the
+ 				 * snippet and:
++				 * - the snippet is not the any attribute snippet,
+ 				 * - the snippet and the attribute have no namespace
+ 				 * - the snippet has no namespace but the attribute has the same
+ 				 *   namespace as the node
+@@ -1583,6 +1584,8 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+ 				 */
+ 				if (type != SNIPPET_ATTRIBUTE)
+ 					continue;
++				if (snippet->type & SNIPPET_ANY)
++					continue;
+ 				if (! lasso_strisequal((char*)attr->name, (char*)snippet->name))
+ 					continue;
+ 				if (attr->ns) {
+
+From ebf3dd68910492ab18e9b8b319386f6495c96b01 Mon Sep 17 00:00:00 2001
+From: Yann Weber <yweber@entrouvert.com>
+Date: Thu, 15 May 2025 17:12:57 +0200
+Subject: [PATCH] tests: check assignement of any_attribute is prevented
+ (#105693)
+
+---
+ tests/basic_tests.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index 65d60b90..ae8c4128 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -1104,6 +1104,34 @@ START_TEST(test17_test_get_issuer_leading_equal)
+ }
+ END_TEST
+ 
++START_TEST(test18_test_unexpected_any_attribute_assignement)
++{
++	const char *xml_str = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\
++<samlp:Response\n\
++  xmlns:xsi=\"XXX\"\n\
++  xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" \n\
++  xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\n\
++  >\n\
++  <saml:Assertion ID=\"ID_03371036-a6cb-48cd-86eb-6792f33e96cd\" IssueInstant=\"2025-03-06T15:25:53.175Z\" Version=\"2.0\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">\n\
++    <saml:AttributeStatement>\n\
++      <saml:Attribute Name=\"Magic\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\">\n\
++        <saml:AttributeValue any_attributes=\"CCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBB\" xsi:type=\"xs:string\">BBB_CCCC_DDD</saml:AttributeValue>\n\
++      </saml:Attribute>\n\
++    </saml:AttributeStatement>\n\
++  </saml:Assertion>\n\
++</samlp:Response>\n\
++";
++	xmlDoc *xmldoc;
++	LassoNode *node;
++	begin_check_do_log(NULL, G_LOG_LEVEL_WARNING, "Unexpected attribute: {(null)}any_attributes = CCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBB", TRUE);
++	xmldoc = xmlParseDoc(xml_str);
++	node = lasso_node_new_from_xmlNode(xmlDocGetRootElement(xmldoc));
++	g_object_unref(node);
++	lasso_release_doc(xmldoc);
++	end_check_do_log(NULL);
++}
++END_TEST
++
+ Suite*
+ basic_suite()
+ {
+@@ -1124,6 +1152,7 @@ basic_suite()
+ 	TCase *tc_key = tcase_create("Test loading and manipulating LassoKey objects");
+ 	TCase *tc_key_info = tcase_create("Test creating and dumping ds:KeyInfo nodes");
+ 	TCase *tc_get_issuer = tcase_create("Test get_issuer and get_request_id");
++	TCase *tc_prevent_any_attribute_assignement = tcase_create("Test any_attribute assignement is prevented");
+ 
+ 	suite_add_tcase(s, tc_server_load_dump_empty_string);
+ 	suite_add_tcase(s, tc_server_load_dump_random_string);
+@@ -1141,6 +1170,7 @@ basic_suite()
+ 	suite_add_tcase(s, tc_key);
+ 	suite_add_tcase(s, tc_key_info);
+ 	suite_add_tcase(s, tc_get_issuer);
++	suite_add_tcase(s, tc_prevent_any_attribute_assignement);
+ 
+ 	tcase_add_test(tc_server_load_dump_empty_string, test01_server_load_dump_empty_string);
+ 	tcase_add_test(tc_server_load_dump_random_string, test02_server_load_dump_random_string);
+@@ -1159,5 +1189,6 @@ basic_suite()
+ 	tcase_add_test(tc_key_info, test15_ds_key_info);
+ 	tcase_add_test(tc_get_issuer, test16_test_get_issuer);
++	tcase_add_test(tc_prevent_any_attribute_assignement, test18_test_unexpected_any_attribute_assignement);
+ 	tcase_set_timeout(tc_load_metadata, 10);
+ 	return s;
+ }
+

lasso-automake-1.17-support.patch

@@ -2,15 +2,55 @@ Index: b/autogen.sh
 ===================================================================
 --- a/autogen.sh
 +++ b/autogen.sh
-@@ -27,7 +27,10 @@ cd "$srcdir"
+@@ -27,46 +27,16 @@ cd "$srcdir"
  	DIE=1
  }
  
 -if automake-1.16 --version < /dev/null > /dev/null 2>&1; then
-+if automake-1.17 --version < /dev/null > /dev/null 2>&1; then
-+    AUTOMAKE=automake-1.17
-+    ACLOCAL=aclocal-1.17
-+elif automake-1.16 --version < /dev/null > /dev/null 2>&1; then
-     AUTOMAKE=automake-1.16
-     ACLOCAL=aclocal-1.16
- elif automake-1.15 --version < /dev/null > /dev/null 2>&1; then
+-    AUTOMAKE=automake-1.16
+-    ACLOCAL=aclocal-1.16
+-elif automake-1.15 --version < /dev/null > /dev/null 2>&1; then
+-    AUTOMAKE=automake-1.15
+-    ACLOCAL=aclocal-1.15
+-elif automake-1.14 --version < /dev/null > /dev/null 2>&1; then
+-    AUTOMAKE=automake-1.14
+-    ACLOCAL=aclocal-1.14
+-elif automake-1.13 --version < /dev/null > /dev/null 2>&1; then
+-    AUTOMAKE=automake-1.13
+-    ACLOCAL=aclocal-1.13
+-elif automake-1.12 --version < /dev/null > /dev/null 2>&1; then
+-    AUTOMAKE=automake-1.12
+-    ACLOCAL=aclocal-1.12
+-elif automake-1.11 --version < /dev/null > /dev/null 2>&1; then
+-    AUTOMAKE=automake-1.11
+-    ACLOCAL=aclocal-1.11
+-elif automake-1.10 --version < /dev/null > /dev/null 2>&1; then
+-    AUTOMAKE=automake-1.10
+-    ACLOCAL=aclocal-1.10
+-elif automake-1.9 --version < /dev/null > /dev/null 2>&1; then
+-    AUTOMAKE=automake-1.9
+-    ACLOCAL=aclocal-1.9
+-elif automake-1.8 --version < /dev/null > /dev/null 2>&1; then
+-    AUTOMAKE=automake-1.8
+-    ACLOCAL=aclocal-1.8
+-elif automake-1.7 --version < /dev/null > /dev/null 2>&1; then
+-    AUTOMAKE=automake-1.7
+-    ACLOCAL=aclocal-1.7
+-elif automake-1.6 --version < /dev/null > /dev/null 2>&1; then
+-    AUTOMAKE=automake-1.6
+-    ACLOCAL=aclocal-1.6
+-else
++(automake --version) < /dev/null > /dev/null 2>&1 || {
+ 	echo
+ 	echo "You must have automake installed to compile $PROJECT."
+ 	echo "Download the appropriate package for your distribution,"
+ 	echo "or get the source tarball at ftp://ftp.gnu.org/gnu/automake/"
+ 	DIE=1
+-fi
++}
++
++    AUTOMAKE=automake
++    ACLOCAL=aclocal
+ 
+ if test "$DIE" -eq 1; then
+ 	exit 1

lasso.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Fri Nov  7 14:45:01 UTC 2025 - Antonio Teixeira <antonio.teixeira@suse.com>
+
+- Fix CVE-2025-46404 (bsc#1253092) - Denial of service in Entr'ouvert Lasso
+  * CVE-2025-46404.patch
+- Fix CVE-2025-46705 (bsc#1253093) - Denial of service in Entr'ouvert Lasso
+  * CVE-2025-46705.patch
+- Fix CVE-2025-47151 (bsc#1253095) - type confusion vulnerability in the
+  lasso_node_impl_init_from_xml functionality
+  * CVE-2025-47151.patch
+
+-------------------------------------------------------------------
+Wed Jul  9 16:04:54 UTC 2025 - Antonio Teixeira <antonio.teixeira@suse.com>
+
+- Fix builds with automake >= 1.17
+  * lasso-automake-1.17-support.patch
+
 -------------------------------------------------------------------
 Wed Jun 18 19:11:23 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
 

lasso.spec

@@ -50,6 +50,12 @@ Patch5:         fix_shebangs.patch
 # from https://git.entrouvert.org/entrouvert/lasso/pulls/19
 # remove dependency on the Python six module
 Patch6:         remove-six.patch
+# PATCH-FIX-UPSTREAM CVE-2025-46404.patch bsc#1253092 antonio.teixeira@suse.com -- CVE-2025-46404: Denial of service in Entr'ouvert Lasso
+Patch7:         CVE-2025-46404.patch
+# PATCH-FIX-UPSTREAM CVE-2025-46705.patch bsc#1253093 antonio.teixeira@suse.com -- CVE-2025-46705: Denial of service in Entr'ouvert Lasso
+Patch8:         CVE-2025-46705.patch
+# PATCH-FIX-UPSTREAM CVE-2025-47151.patch bsc#1253095 antonio.teixeira@suse.com -- CVE-2025-47151: type confusion vulnerability in the lasso_node_impl_init_from_xml functionality
+Patch9:         CVE-2025-47151.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  check-devel