From 1f87a4d9fe8f0eee7a563cc4e45c8b91ebb67a14 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 26 Jul 2021 23:16:19 +0200
Subject: [PATCH] Fix dead code issue

Resolves: rhbz#1966606: CVE-2021-28091 lasso: XML signature wrapping vulnerability when parsing SAML responses
---
 ...in_process_response_status_and_asser.patch | 59 +++++++++++++++++++
 lasso.spec | 8 ++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 0009-lasso_saml20_login_process_response_status_and_asser.patch

diff --git a/0009-lasso_saml20_login_process_response_status_and_asser.patch b/0009-lasso_saml20_login_process_response_status_and_asser.patch
new file mode 100644
index 0000000..05f5bea
--- /dev/null
+++ b/0009-lasso_saml20_login_process_response_status_and_asser.patch
@@ -0,0 +1,59 @@
+From 20f653f70818b85fe1b4de77a629fce352fb8cbd Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Mon, 26 Jul 2021 16:25:52 +0200
+Subject: [PATCH] lasso_saml20_login_process_response_status_and_assertion:
+ handle rc as per verify_hint
+
+In case VERIFY_HINT was set to IGNORE and the login signature was
+incorrect, lasso_saml20_login_process_response_status_and_assertion
+would have jumped straight to the cleanup label which just returns the
+return code. Let's jump to a new label handlerc instead which might set
+the return code to 0 in case verify_hint is set to IGNORE.
+
+Related: https://dev.entrouvert.org/issues/54689
+---
+ lasso/saml-2.0/login.c | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
+index cf62c1cc9..1d5668b5b 100644
+--- a/lasso/saml-2.0/login.c
++++ b/lasso/saml-2.0/login.c
+@@ -1371,7 +1371,7 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
+ char *status_value;
+ lasso_error_t rc = 0;
+ lasso_error_t assertion_signature_status = 0;
+- LassoProfileSignatureVerifyHint verify_hint;
++ LassoProfileSignatureVerifyHint verify_hint = LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST;
+ 
+ profile = &login->parent;
+ lasso_extract_node_or_fail(response, profile->response, SAMLP2_STATUS_RESPONSE,
+@@ -1492,20 +1492,12 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
+ lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion);
+ }
+ 
+- switch (verify_hint) {
+- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
+- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
+- break;
+- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
+- /* ignore signature errors */
+- if (rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
+- rc = 0;
+- }
+- break;
+- default:
+- g_assert(0);
+- }
+ cleanup:
++ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE &&
++ rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) {
++ profile->signature_status = rc;
++ rc = 0;
++ }
+ return rc;
+ }
+ 
+-- 
+2.26.3
+
diff --git a/lasso.spec b/lasso.spec
index eb9e60e..e461304 100644
--- a/lasso.spec
+++ b/lasso.spec
@@ -59,7 +59,7 @@ Summary: Liberty Alliance Single Sign On
 Name: lasso
 Version: 2.7.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 URL: http://lasso.entrouvert.org/
 Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
@@ -96,6 +96,7 @@ Patch0005: 0005-Check-if-the-signature-method-is-allowed-in-addition.patch
 Patch0006: 0006-python-Skip-the-DSA-key-test-unless-SHA-1-is-configu.patch
 Patch0007: 0007-test13_test_lasso_server_load_metadata-Don-t-verify-.patch
 Patch0008: autogen.noconfig
+Patch0009: 0009-lasso_saml20_login_process_response_status_and_asser.patch
 
 %description
 Lasso is a library that implements the Liberty Alliance Single Sign On
@@ -322,6 +323,11 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name}
 %endif
 
 %changelog
+* Mon Jun 28 2021 Jakub Hrozek - 2.7.0-7
+- Fix dead code issue
+- Resolves: rhbz#1966606: CVE-2021-28091 lasso: XML signature wrapping
+ vulnerability when parsing SAML responses
+
 * Thu Jul 29 2021 Jakub Hrozek - 2.7.0-6
 - Resolves: rhbz#1984822 - lasso: FTBFS in test suite due to short test timeout (potentially OpenSSL-related)
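Review bot: The block moved under `cleanup:` in the second hunk of the embedded login.c patch carries no comment, although it now runs on every exit path and deliberately turns a signature-verification failure into a successful return when the hint is IGNORE. A comment such as `/* Runs after the label so it also covers early exits: with the IGNORE hint a verification failure is recorded in profile->signature_status and the call still succeeds. */` would make the intent explicit, including that callers must consult signature_status rather than the return code to learn that verification failed. The block also dereferences `profile` at the label; that looks safe only because `rc` can presumably hold LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE solely after `profile = &login->parent;` has run, which is worth stating in the same comment. The embedded commit message speaks of a new `handlerc` label, but the diff reuses `cleanup:`, so the message is stale relative to the code. The enclosing function starts before the first hunk and its body between the two hunks is outside this view.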