--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I propose this upload to buster to fix a relatively minor security issue
(open redirect) in libapache2-mod-auth-mellon.
The changes are already in sid and bookworm for a longer time, and in
bullseye for the first part.
Cheers,
Thijs
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/changelog libapache2-mod-auth-mellon-0.14.2/debian/changelog
--- libapache2-mod-auth-mellon-0.14.2/debian/changelog 2019-03-22 12:10:11.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/debian/changelog 2022-12-06 15:39:13.000000000 +0000
@@ -1,3 +1,10 @@
+libapache2-mod-auth-mellon (0.14.2-1+deb10u1) buster; urgency=high
+
+ * Upload to fix security issues:
+ - Open redirect in logout endpoint (CVE-2019-13038 CVE-2021-3639)
+
+ -- Thijs Kinkhorst <thijs@debian.org> Tue, 06 Dec 2022 15:39:13 +0000
+
libapache2-mod-auth-mellon (0.14.2-1) unstable; urgency=high
* New upstream security release. (closes: #925197)
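Review bot: The changelog line "Open redirect in logout endpoint (CVE-2019-13038 CVE-2021-3639)" describes only the second CVE; the CVE-2019-13038 patch shipped in this same upload documents the reported vector against the login endpoint (/mellon/login?ReturnTo=...). List the two issues on separate lines so the entry matches the patches, e.g. "- Open redirect via ReturnTo on the login endpoint (CVE-2019-13038)" and "- Open redirect via ReturnTo starting with '///' on the logout endpoint (CVE-2021-3639)".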
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch
--- libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch 1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch 2022-12-06 15:36:36.000000000 +0000
@@ -0,0 +1,29 @@
+From a52645391d08739a6a96df21e2506d3e57b888dc Mon Sep 17 00:00:00 2001
+From: Valentin <awakenine@users.noreply.github.com>
+Date: Fri, 6 Sep 2019 13:30:36 +0300
+Subject: [PATCH] Fix open redirect CVE-2019-13038
+
+Resolves:
+ https://github.com/latchset/mod_auth_mellon/issues/2
+
+The original reported redirect attack was:
+ https://application.com/mellon/login?ReturnTo=http:www.malicious.com
+---
+ auth_mellon_util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index fd442f9..e53a98f 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url)
+
+ /* Sanity check of the scheme of the domain. We only allow http and https. */
+ if (uri.scheme) {
++ /* http and https schemes without hostname are invalid. */
++ if (!uri.hostname) {
++ return HTTP_BAD_REQUEST;
++ }
+ if (strcasecmp(uri.scheme, "http")
+ && strcasecmp(uri.scheme, "https")) {
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
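Review bot: The new `if (!uri.hostname)` rejection returns HTTP_BAD_REQUEST silently, whereas the scheme check directly below it reports the failure through AM_LOG_RERROR; add a matching AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, ...) before the return so a rejected ReturnTo such as the `http:www.malicious.com` case from the description shows up in the error log instead of surfacing only as an unexplained 400 to the client.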
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch
--- libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch 1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch 2022-12-06 15:38:26.000000000 +0000
@@ -0,0 +1,44 @@
+From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
+From: AIMOTO Norihito <aimoto@osstech.co.jp>
+Date: Tue, 6 Jul 2021 22:57:24 +0200
+Subject: [PATCH] Prevent redirect to URLs that begin with '///'
+
+Visiting a logout URL like this:
+ https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+would have redirected the user to fishing-site.example.com
+
+With the patch, this URL would be rejected.
+
+Fixes: CVE-2021-3639
+---
+ auth_mellon_util.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 2f8c9c3..6a686db 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
+ {
+ const char *i;
+
++ if (url == NULL) {
++ return HTTP_BAD_REQUEST;
++ }
++
+ for (i = url; *i; i++) {
+ if (*i >= 0 && *i < ' ') {
+ /* Deny all control-characters. */
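Review bot: The added NULL guard on `url` in am_check_url is not mentioned in the commit message, which only describes the '///' rejection; it is a separate hardening (the `for (i = url; *i; i++)` loop below would dereference a NULL url), so document it in the patch description or the debian/changelog entry so the full deb10u1 change set is recorded.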
+@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
+ }
+ }
+
++ if (strstr(url, "///") == url) {
++ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
++ "URL starts with '///'");
++ return HTTP_BAD_REQUEST;
++ }
++
+ return OK;
+ }
+
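Review bot: `strstr(url, "///") == url` is a prefix test written as a substring search; `strncmp(url, "///", 3) == 0` states the intent directly and stops after three characters instead of scanning the whole string. Consider also including the rejected value in the log message, since "URL starts with '///'" does not record which URL was refused, which is what an operator reviewing the error log for redirect attempts will want to see.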
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/series libapache2-mod-auth-mellon-0.14.2/debian/patches/series
--- libapache2-mod-auth-mellon-0.14.2/debian/patches/series 2018-01-06 12:58:18.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/debian/patches/series 2022-12-06 15:39:01.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2019-13038.patch
+CVE-2021-3639.patch
--- End Message ---
--- Begin Message ---
Hi,
On Tue, 2022-12-06 at 21:10 +0100, Thijs Kinkhorst wrote:
> I propose this upload to buster to fix a relatively minor security issue
> (open redirect) in libapache2-mod-auth-mellon.
>
> The changes are already in sid and bookworm for a longer time, and in
> bullseye for the first part.
SRM no longer handles updates to buster, as it moved to LTS support at
the end of June. Please co-ordinate any updates there with the LTS
team.
Regards,
Adam
--- End Message ---