Update xmlseclibs to 3.1.4 due CVE-2025-66475

pitbulk · pitbulk · commit 7c1cbd6914f4 · 2025-12-09T23:06:24.000+01:00
diff --git a/onelogin-saml-sso/php/extlib/xmlseclibs/CHANGELOG.txt b/onelogin-saml-sso/php/extlib/xmlseclibs/CHANGELOG.txt
@@ -1,5 +1,19 @@
 xmlseclibs.php
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+08, Dec 2025, 3.1.4
+Security:
+- fix canonicalization bypass error (d0ge)
+
+20, Nov 2024, 3.1.3
+Bug Fixes:
+- remove loadKey check due to BC issues
+
+20, Nov 2024, 3.1.2
+Improvements:
+- Add tab to list of whitespace values to remove from cert. refs #252
+- loadKey should check return value for openssl_get_privatekey (sammarshallou)
+- Switch to GitHub actions (SharkMachine)
+
 05, Sep 2020, 3.1.1
 Features:
 - Support OAEP (iggyvolz)
diff --git a/onelogin-saml-sso/php/extlib/xmlseclibs/src/XMLSecurityDSig.php b/onelogin-saml-sso/php/extlib/xmlseclibs/src/XMLSecurityDSig.php
@@ -293,7 +293,11 @@ private function canonicalizeData($node, $canonicalmethod, $arXPath=null, $prefi
             }
         }
 
-        return $node->C14N($exclusive, $withComments, $arXPath, $prefixList);
+        $ret = $node->C14N($exclusive, $withComments, $arXPath, $prefixList);
+        if ($ret === false) {
+            throw new Exception("Canonicalization failed");
+        }
+        return $ret;
     }
 
     /**
@@ -1050,7 +1054,7 @@ public static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $i
                             }
                             $subjectNameValue = implode(',', $parts);
                         } else {
-                            $subjectNameValue = $certData['issuer'];
+                            $subjectNameValue = $certData['subject'];
                         }
                         $x509SubjectNode = $baseDoc->createElementNS(self::XMLDSIGNS, $dsig_pfx.'X509SubjectName', $subjectNameValue);
                         $x509DataNode->appendChild($x509SubjectNode);
diff --git a/onelogin-saml-sso/php/extlib/xmlseclibs/xmlseclibs.php b/onelogin-saml-sso/php/extlib/xmlseclibs/xmlseclibs.php
@@ -2,7 +2,7 @@
 /**
  * xmlseclibs.php
  *
- * Copyright (c) 2007-2020, Robert Richards <rrichards@cdatazone.org>.
+ * Copyright (c) 2007-2025, Robert Richards <rrichards@cdatazone.org>.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35,9 +35,9 @@
  * POSSIBILITY OF SUCH DAMAGE.
  *
  * @author    Robert Richards <rrichards@cdatazone.org>
- * @copyright 2007-2020 Robert Richards <rrichards@cdatazone.org>
+ * @copyright 2007-2025 Robert Richards <rrichards@cdatazone.org>
  * @license   http://www.opensource.org/licenses/bsd-license.php  BSD License
- * @version   3.1.1
+ * @version   3.1.4
  */
 
 $xmlseclibs_srcdir = dirname(__FILE__) . '/src/';

Original file line number	Diff line number	Diff line change
`@@ -293,7 +293,11 @@ private function canonicalizeData($node, $canonicalmethod, $arXPath=null, $prefi`
`293`	`293`	`}`
`294`	`294`	`}`
`295`	`295`
`296`		`- return $node->C14N($exclusive, $withComments, $arXPath, $prefixList);`
	`296`	`+ $ret = $node->C14N($exclusive, $withComments, $arXPath, $prefixList);`
	`297`	`+ if ($ret === false) {`
	`298`	`+ throw new Exception("Canonicalization failed");`
	`299`	`+ }`
	`300`	`+ return $ret;`
`297`	`301`	`}`
`298`	`302`
`299`	`303`	`/**`
`@@ -1050,7 +1054,7 @@ public static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $i`
`1050`	`1054`	`}`
`1051`	`1055`	`$subjectNameValue = implode(',', $parts);`
`1052`	`1056`	`} else {`
`1053`		`- $subjectNameValue = $certData['issuer'];`
	`1057`	`+ $subjectNameValue = $certData['subject'];`
`1054`	`1058`	`}`
`1055`	`1059`	`$x509SubjectNode = $baseDoc->createElementNS(self::XMLDSIGNS, $dsig_pfx.'X509SubjectName', $subjectNameValue);`
`1056`	`1060`	`$x509DataNode->appendChild($x509SubjectNode);`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`/**`
`3`	`3`	`* xmlseclibs.php`
`4`	`4`	`*`
`5`		`- * Copyright (c) 2007-2020, Robert Richards <rrichards@cdatazone.org>.`
	`5`	`+ * Copyright (c) 2007-2025, Robert Richards <rrichards@cdatazone.org>.`
`6`	`6`	`* All rights reserved.`
`7`	`7`	`*`
`8`	`8`	`* Redistribution and use in source and binary forms, with or without`
`@@ -35,9 +35,9 @@`
`35`	`35`	`* POSSIBILITY OF SUCH DAMAGE.`
`36`	`36`	`*`
`37`	`37`	`* @author Robert Richards <rrichards@cdatazone.org>`
`38`		`- * @copyright 2007-2020 Robert Richards <rrichards@cdatazone.org>`
	`38`	`+ * @copyright 2007-2025 Robert Richards <rrichards@cdatazone.org>`
`39`	`39`	`* @license http://www.opensource.org/licenses/bsd-license.php BSD License`
`40`		`- * @version 3.1.1`
	`40`	`+ * @version 3.1.4`
`41`	`41`	`*/`
`42`	`42`
`43`	`43`	`$xmlseclibs_srcdir = dirname(__FILE__) . '/src/';`