From ae2841ae491d86bc0d6e1736fab3a170407c314e Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Tue, 18 Nov 2025 00:26:29 +0000
Subject: [PATCH] import UBI lasso-2.6.0-14.el8_10

---
 ..._attribute_value_inside_any_attribut.patch | 50 +++++++++++++++++++
 SPECS/lasso.spec                              |  8 ++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0010-prevent_assignment_of_attribute_value_inside_any_attribut.patch

diff --git a/SOURCES/0010-prevent_assignment_of_attribute_value_inside_any_attribut.patch b/SOURCES/0010-prevent_assignment_of_attribute_value_inside_any_attribut.patch
new file mode 100644
index 0000000..e196e9e
--- /dev/null
+++ b/SOURCES/0010-prevent_assignment_of_attribute_value_inside_any_attribut.patch
@@ -0,0 +1,50 @@
+based on commit 8d12e6263fd6add923469bd5704e05a1ccfa8c69
+Author: Benjamin Dauvergne <bdauvergne@entrouvert.com>
+Date:   Thu May 15 15:44:58 2025 +0200
+
+    xml: prevent assignment of attribute value inside any attribute
+
+diff -up lasso-2.6.0/lasso/xml/misc_text_node.c.orig lasso-2.6.0/lasso/xml/misc_text_node.c
+--- lasso-2.6.0/lasso/xml/misc_text_node.c.orig	2017-12-22 18:18:37.545076317 +0100
++++ lasso-2.6.0/lasso/xml/misc_text_node.c	2025-11-14 17:21:38.831364473 +0100
+@@ -41,7 +41,7 @@ typedef struct {
+ static struct XmlSnippet schema_snippets[] = {
+ 	{ "content", SNIPPET_TEXT_CHILD,
+ 		G_STRUCT_OFFSET(LassoMiscTextNode, content), NULL, NULL, NULL},
+-	{ "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++	{ "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ 		G_STRUCT_OFFSET(LassoMiscTextNodePrivate, any_attributes), NULL, NULL, NULL},
+ 	{NULL, 0, 0, NULL, NULL, NULL}
+ };
+diff -up lasso-2.6.0/lasso/xml/saml-2.0/saml2_attribute_value.c.orig lasso-2.6.0/lasso/xml/saml-2.0/saml2_attribute_value.c
+--- lasso-2.6.0/lasso/xml/saml-2.0/saml2_attribute_value.c.orig	2017-12-22 18:18:37.545076317 +0100
++++ lasso-2.6.0/lasso/xml/saml-2.0/saml2_attribute_value.c	2025-11-14 17:21:38.832083737 +0100
+@@ -53,7 +53,7 @@ struct _LassoSaml2AttributeValuePrivate
+ static struct XmlSnippet schema_snippets[] = {
+ 	{ "any", SNIPPET_LIST_NODES | SNIPPET_ANY | SNIPPET_ALLOW_TEXT,
+ 		G_STRUCT_OFFSET(LassoSaml2AttributeValue, any), NULL, NULL, NULL},
+-	{ "any_attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
++	{ "", SNIPPET_ATTRIBUTE | SNIPPET_ANY | SNIPPET_PRIVATE,
+ 		G_STRUCT_OFFSET(struct _LassoSaml2AttributeValuePrivate, any_attributes), NULL,
+ 		NULL, NULL },
+ 	{NULL, 0, 0, NULL, NULL, NULL}
+diff -up lasso-2.6.0/lasso/xml/xml.c.orig lasso-2.6.0/lasso/xml/xml.c
+--- lasso-2.6.0/lasso/xml/xml.c.orig	2018-04-06 16:42:54.289732627 +0200
++++ lasso-2.6.0/lasso/xml/xml.c	2025-11-14 17:21:38.832869755 +0100
+@@ -1593,6 +1593,7 @@ lasso_node_impl_init_from_xml(LassoNode
+ 				type = snippet->type & 0xff;
+ 				/* assign attribute content if attribute has the same name as the
+ 				 * snippet and:
++				 * - the snippet is not the any attribute snippet,
+ 				 * - the snippet and the attribute have no namespace
+ 				 * - the snippet has no namespace but the attribute has the same
+ 				 *   namespace as the node
+@@ -1600,6 +1601,8 @@ lasso_node_impl_init_from_xml(LassoNode
+ 				 */
+ 				if (type != SNIPPET_ATTRIBUTE)
+ 					continue;
++				if (snippet->type & SNIPPET_ANY)
++					continue;
+ 				if (! lasso_strisequal((char*)attr->name, (char*)snippet->name))
+ 					continue;
+ 				if (attr->ns) {
diff --git a/SPECS/lasso.spec b/SPECS/lasso.spec
index 19230d7..f3b505d 100644
--- a/SPECS/lasso.spec
+++ b/SPECS/lasso.spec
@@ -58,7 +58,7 @@
 Summary: Liberty Alliance Single Sign On
 Name: lasso
 Version: 2.6.0
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2+
 Group: System Environment/Libraries
 Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
@@ -72,6 +72,7 @@ Patch6: 0006-Fix-ECP-signature-not-found-error-when-only-assertio.patch
 Patch7: 0007-PAOS-Do-not-populate-Destination-attribute.patch
 Patch8: 0008-Fix-signature-checking-on-unsigned-response-with-mul.patch
 Patch9: 0009-lasso_saml20_login_process_response_status_and_asser.patch
+Patch10: 0010-prevent_assignment_of_attribute_value_inside_any_attribut.patch
 
 BuildRequires: libtool autoconf automake
 
@@ -209,6 +210,7 @@ library.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 # Remove any python script shebang lines (unless they refer to python3)
 sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>)|(\/usr\/bin\/python[^3]?\>)/d' \
@@ -326,6 +328,10 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name}
 %endif
 
 %changelog
+* Fri Nov 14 2025 Tomas Halman <thalman@redhat.com> - 2.6.0-14
+- Fixing CVE-2025-47151
+  Resolves: RHEL-126687 CVE-2025-47151 lasso: Type confusion in Entr'ouvert Lasso
+
 * Wed May 4 2022 Tomas Halman <thalman@redhat.com> - 2.6.0-13
 - Publishing the python3-lasso binding
 - Resolves: rhbz#1888195 - Release python lasso package