Bug#1025647: buster-pu: package libapache2-mod-auth-mellon/0.14.2-1+deb10u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1025647: buster-pu: package libapache2-mod-auth-mellon/0.14.2-1+deb10u1
From: Thijs Kinkhorst <thijs@debian.org>
Date: Tue, 06 Dec 2022 21:10:23 +0100
Message-id: <[🔎] 167035742388.25972.9310547478428709456.reportbug@tetraquark.soleus.nu>
Reply-to: Thijs Kinkhorst <thijs@debian.org>, 1025647@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I propose this upload to buster to fix a relatively minor security issue
(open redirect) in libapache2-mod-auth-mellon.

The changes are already in sid and bookworm for a longer time, and in
bullseye for the first part.


Cheers,
Thijs

diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/changelog libapache2-mod-auth-mellon-0.14.2/debian/changelog
--- libapache2-mod-auth-mellon-0.14.2/debian/changelog	2019-03-22 12:10:11.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/debian/changelog	2022-12-06 15:39:13.000000000 +0000
@@ -1,3 +1,10 @@
+libapache2-mod-auth-mellon (0.14.2-1+deb10u1) buster; urgency=high
+
+  * Upload to fix security issues:
+    - Open redirect in logout endpoint (CVE-2019-13038 CVE-2021-3639)
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Tue, 06 Dec 2022 15:39:13 +0000
+
 libapache2-mod-auth-mellon (0.14.2-1) unstable; urgency=high
 
   * New upstream security release. (closes: #925197)
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch
--- libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch	1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch	2022-12-06 15:36:36.000000000 +0000
@@ -0,0 +1,29 @@
+From a52645391d08739a6a96df21e2506d3e57b888dc Mon Sep 17 00:00:00 2001
+From: Valentin <awakenine@users.noreply.github.com>
+Date: Fri, 6 Sep 2019 13:30:36 +0300
+Subject: [PATCH] Fix open redirect CVE-2019-13038
+
+Resolves:
+    https://github.com/latchset/mod_auth_mellon/issues/2
+
+The original reported redirect attack was:
+    https://application.com/mellon/login?ReturnTo=http:www.malicious.com
+---
+ auth_mellon_util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index fd442f9..e53a98f 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url)
+ 
+     /* Sanity check of the scheme of the domain. We only allow http and https. */
+     if (uri.scheme) {
++        /* http and https schemes without hostname are invalid. */
++        if (!uri.hostname) {
++            return HTTP_BAD_REQUEST;
++        }
+         if (strcasecmp(uri.scheme, "http")
+             && strcasecmp(uri.scheme, "https")) {
+             AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch
--- libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch	1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch	2022-12-06 15:38:26.000000000 +0000
@@ -0,0 +1,44 @@
+From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
+From: AIMOTO Norihito <aimoto@osstech.co.jp>
+Date: Tue, 6 Jul 2021 22:57:24 +0200
+Subject: [PATCH] Prevent redirect to URLs that begin with '///'
+
+Visiting a logout URL like this:
+    https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+would have redirected the user to fishing-site.example.com
+
+With the patch, this URL would be rejected.
+
+Fixes: CVE-2021-3639
+---
+ auth_mellon_util.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 2f8c9c3..6a686db 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
+ {
+     const char *i;
+ 
++    if (url == NULL) {
++        return HTTP_BAD_REQUEST;
++    }
++
+     for (i = url; *i; i++) {
+         if (*i >= 0 && *i < ' ') {
+             /* Deny all control-characters. */
+@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
+         }
+     }
+ 
++    if (strstr(url, "///") == url) {
++        AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
++                          "URL starts with '///'");
++        return HTTP_BAD_REQUEST;
++    }
++
+     return OK;
+ }
+ 
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/series libapache2-mod-auth-mellon-0.14.2/debian/patches/series
--- libapache2-mod-auth-mellon-0.14.2/debian/patches/series	2018-01-06 12:58:18.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/debian/patches/series	2022-12-06 15:39:01.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2019-13038.patch
+CVE-2021-3639.patch

Reply to:

Follow-Ups:
- Bug#1025647: marked as done (buster-pu: package libapache2-mod-auth-mellon/0.14.2-1+deb10u1)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#1025646: bullseye-pu: package libapache2-mod-auth-mellon/0.17.0-1+deb11u1
Next by Date: Bug#1025646: bullseye-pu: package libapache2-mod-auth-mellon/0.17.0-1+deb11u1
Previous by thread: Bug#1025646: marked as done (bullseye-pu: package libapache2-mod-auth-mellon/0.17.0-1+deb11u1)
Next by thread: Bug#1025647: marked as done (buster-pu: package libapache2-mod-auth-mellon/0.14.2-1+deb10u1)
Index(es):
- Date
- Thread