Bug#1026447: bullseye-pu: package libapache2-mod-auth-openidc/2.4.9.4-0+deb11u2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1026447: bullseye-pu: package libapache2-mod-auth-openidc/2.4.9.4-0+deb11u2
From: Moritz Schlarb <schlarbm@uni-mainz.de>
Date: Tue, 20 Dec 2022 13:34:28 +0100
Message-id: <[🔎] 167153966884.900457.9495787191034558154.reportbug@schlarb-0>
Reply-to: Moritz Schlarb <schlarbm@uni-mainz.de>, 1026447@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache2-mod-auth-openidc@packages.debian.org, Debian Security Team <team@security.debian.org>
Control: affects -1 + src:libapache2-mod-auth-openidc

[ Reason ]
Backported redirect url validations from upstream version 2.4.12.2
which include a fix for CVE-2022-23527[1]:
> Versions prior to 2.4.12.2 are vulnerable to Open Redirect.
> When providing a logout parameter to the redirect URI, the
> existing code in oidc_validate_redirect_url() does not properly
> check for URLs that start with /\t, leading to an open redirect.

[ Impact ]
> Users unable to upgrade can mitigate the issue by configuring
> mod_auth_openidc to only allow redirection when the destination
> matches a given regular expression with OIDCRedirectURLsAllowed.

[ Tests ]
Manually tested the package with the fix on our infrastructure, no problems
found.

[ Risks ]
Since I backported the whole check block, that includes more checks
than just for the tab character, the change in this p-u is not quite
minimal, but all the other checks do have a purpose of security
enhancement, so I think it's worth to have them. And the whole block
of code is already checked by more people.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Backported whole url check block in oidc_validate_redirect_url
  from the latest version 2.4.12.2 [2]
- Also backported new helper function oidc_util_strcasestr as a dependency

[ Other info ]
(Anything else the release team should know.)

[1]: https://security-tracker.debian.org/tracker/CVE-2022-23527
[2]:
https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8

diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/changelog libapache2-mod-auth-openidc-2.4.9.4/debian/changelog
--- libapache2-mod-auth-openidc-2.4.9.4/debian/changelog	2022-02-23 12:16:08.000000000 +0100
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/changelog	2022-12-20 12:20:52.000000000 +0100
@@ -1,3 +1,12 @@
+libapache2-mod-auth-openidc (2.4.9.4-0+deb11u2) bullseye; urgency=medium
+
+  * Backport fix for CVE-2022-23527: prevent open redirect in default setup
+    when OIDCRedirectURLsAllowed is not configured
+    see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
+    (Closes: #1026444)
+
+ -- Moritz Schlarb <schlarbm@uni-mainz.de>  Tue, 20 Dec 2022 12:20:52 +0100
+
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u1) bullseye; urgency=medium
 
   * New upstream version 2.4.9.4
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch
--- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch	1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch	2022-12-20 12:20:03.000000000 +0100
@@ -0,0 +1,82 @@
+From: Moritz Schlarb <schlarbm@uni-mainz.de>
+Author: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
+Date: Tue, 20 Dec 2022 12:04:24 +0100
+Subject: Fix CVE-2022-23527: prevent open redirect
+
+- CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured
+  see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
+
+Origin: backport, https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8
+Forwarded: not-needed
+---
+ src/mod_auth_openidc.c | 14 ++++++++++++++
+ src/mod_auth_openidc.h |  1 +
+ src/util.c             | 18 ++++++++++++++++++
+ 3 files changed, 33 insertions(+)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index b36f6c1..099c716 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
+ 		oidc_error(r, "%s: %s", *err_str, *err_desc);
+ 		return FALSE;
+ 	}
++	if (       (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
++			|| (strstr(url, "/\t") != NULL)
++			|| (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
++			|| (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
++			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
++			|| (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
++			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/ｰ") != NULL)
++			|| (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
++			|| (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
++		*err_str = apr_pstrdup(r->pool, "Invalid URL");
++		*err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
++		oidc_error(r, "%s: %s", *err_str, *err_desc);
++		return FALSE;
++	}
+ 
+ 	return TRUE;
+ }
+diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
+index 2218d76..8757411 100644
+--- a/src/mod_auth_openidc.h
++++ b/src/mod_auth_openidc.h
+@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
+ char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
+ apr_byte_t oidc_enabled(request_rec *r);
+ char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
++char* oidc_util_strcasestr(const char *s1, const char *s2);
+ 
+ /* HTTP header constants */
+ #define OIDC_HTTP_HDR_COOKIE							"Cookie"
+diff --git a/src/util.c b/src/util.c
+index 4c46156..c6453d0 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
+     return output;
+ }
+ 
++char* oidc_util_strcasestr(const char *s1, const char *s2) {
++	const char *s = s1;
++	const char *p = s2;
++	do {
++		if (!*p)
++			return (char*) s1;
++		if ((*p == *s) || (tolower(*p) == tolower(*s))) {
++			++p;
++			++s;
++		} else {
++			p = s2;
++			if (!*s)
++				return NULL;
++			s = ++s1;
++		}
++	} while (1);
++	return *p ? NULL : (char*) s1;
++}
+ 
+ /*
+  * get the URL scheme that is currently being accessed
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series	2022-02-23 12:16:08.000000000 +0100
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series	2022-12-20 12:14:25.000000000 +0100
@@ -1 +1,2 @@
 fix-parallel-build.patch
+0002-Fix-CVE-2022-23527-prevent-open-redirect.patch

Reply to:

Follow-Ups:
- Processed: bullseye-pu: package libapache2-mod-auth-openidc/2.4.9.4-0+deb11u2
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: bullseye-pu: package libapache2-mod-auth-openidc/2.4.9.4-0+deb11u2
Next by Date: Bug#1023550: marked as done (transition: qcustomplot)
Previous by thread: Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials
Next by thread: Processed: bullseye-pu: package libapache2-mod-auth-openidc/2.4.9.4-0+deb11u2
Index(es):
- Date
- Thread