Fixing CVE-2025-47151

Resolves: RHEL-126685 CVE-2025-47151 lasso: Type confusion in Entr'ouvert Lasso

0010-prevent_assignment_of_attribute_value_inside_any_attribut.patch

@@ -0,0 +1,50 @@
+based on commit 8d12e6263fd6add923469bd5704e05a1ccfa8c69
+Author: Benjamin Dauvergne <bdauvergne@entrouvert.com>
+Date:   Thu May 15 15:44:58 2025 +0200
+
+    xml: prevent assignment of attribute value inside any attribute
+
+diff -up lasso-2.7.0/lasso/xml/misc_text_node.c.orig lasso-2.7.0/lasso/xml/misc_text_node.c
+--- lasso-2.7.0/lasso/xml/misc_text_node.c.orig	2021-05-17 22:00:09.223308401 +0200
++++ lasso-2.7.0/lasso/xml/misc_text_node.c	2025-11-07 10:32:08.764208427 +0100
+@@ -41,7 +41,7 @@ typedef struct {
+ static struct XmlSnippet schema_snippets[] = {
+ 	{ "content", SNIPPET_TEXT_CHILD,
+ 		G_STRUCT_OFFSET(LassoMiscTextNode, content), NULL, NULL, NULL},
+-	{ "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++	{ "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ 		G_STRUCT_OFFSET(LassoMiscTextNodePrivate, any_attributes), NULL, NULL, NULL},
+ 	{NULL, 0, 0, NULL, NULL, NULL}
+ };
+diff -up lasso-2.7.0/lasso/xml/saml-2.0/saml2_attribute_value.c.orig lasso-2.7.0/lasso/xml/saml-2.0/saml2_attribute_value.c
+--- lasso-2.7.0/lasso/xml/saml-2.0/saml2_attribute_value.c.orig	2021-05-17 22:00:09.227308355 +0200
++++ lasso-2.7.0/lasso/xml/saml-2.0/saml2_attribute_value.c	2025-11-07 10:33:52.120133710 +0100
+@@ -53,7 +53,7 @@ struct _LassoSaml2AttributeValuePrivate
+ static struct XmlSnippet schema_snippets[] = {
+ 	{ "any", SNIPPET_LIST_NODES | SNIPPET_ANY | SNIPPET_ALLOW_TEXT,
+ 		G_STRUCT_OFFSET(LassoSaml2AttributeValue, any), NULL, NULL, NULL},
+-	{ "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++	{ "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ 		G_STRUCT_OFFSET(struct _LassoSaml2AttributeValuePrivate, any_attributes), NULL,
+ 		NULL, NULL },
+ 	{NULL, 0, 0, NULL, NULL, NULL}
+diff -up lasso-2.7.0/lasso/xml/xml.c.orig lasso-2.7.0/lasso/xml/xml.c
+--- lasso-2.7.0/lasso/xml/xml.c.orig	2025-11-07 09:47:52.161152310 +0100
++++ lasso-2.7.0/lasso/xml/xml.c	2025-11-07 10:32:08.765465069 +0100
+@@ -1610,6 +1610,7 @@ lasso_node_impl_init_from_xml(LassoNode
+ 				type = snippet->type & 0xff;
+ 				/* assign attribute content if attribute has the same name as the
+ 				 * snippet and:
++				 * - the snippet is not the any attribute snippet,
+ 				 * - the snippet and the attribute have no namespace
+ 				 * - the snippet has no namespace but the attribute has the same
+ 				 *   namespace as the node
+@@ -1617,6 +1618,8 @@ lasso_node_impl_init_from_xml(LassoNode
+ 				 */
+ 				if (type != SNIPPET_ATTRIBUTE)
+ 					continue;
++				if (snippet->type & SNIPPET_ANY)
++					continue;
+ 				if (! lasso_strisequal((char*)attr->name, (char*)snippet->name))
+ 					continue;
+ 				if (attr->ns) {

lasso.spec

@@ -59,7 +59,7 @@
 Summary: Liberty Alliance Single Sign On
 Name: lasso
 Version: 2.7.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 URL: http://lasso.entrouvert.org/
 Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
@@ -97,6 +97,7 @@ Patch0006: 0006-python-Skip-the-DSA-key-test-unless-SHA-1-is-configu.patch
 Patch0007: 0007-test13_test_lasso_server_load_metadata-Don-t-verify-.patch
 Patch0008: autogen.noconfig
 Patch0009: 0009-lasso_saml20_login_process_response_status_and_asser.patch
+Patch0010: 0010-prevent_assignment_of_attribute_value_inside_any_attribut.patch
 
 %description
 Lasso is a library that implements the Liberty Alliance Single Sign On
@@ -323,6 +324,10 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name}
 %endif
 
 %changelog
+* Fri Nov 7 2025 Tomas Halman <thalman@redhat.com> - 2.7.0-12
+- Fixing CVE-2025-47151
+  Resolves: RHEL-126685 CVE-2025-47151 lasso: Type confusion in Entr'ouvert Lasso
+
 * Wed Nov 9 2022 Tomas Halman <thalman@redhat.com> - 2.7.0-11
 - Fixing changelog chronological order
 - Related: rhbz#2117590 - release python3-lasso pkg