Bug#1025646: bullseye-pu: package libapache2-mod-auth-mellon/0.17.0-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I propose this upload to bullseye to fix a relatively minor security issue
(open redirect) in libapache2-mod-auth-mellon.
The changes are already in sid and bookworm for a longer time.
Cheers,
Thijs
diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/changelog libapache2-mod-auth-mellon-0.17.0/debian/changelog
--- libapache2-mod-auth-mellon-0.17.0/debian/changelog 2020-09-08 12:56:41.000000000 +0200
+++ libapache2-mod-auth-mellon-0.17.0/debian/changelog 2022-12-06 20:12:37.000000000 +0100
@@ -1,3 +1,10 @@
+libapache2-mod-auth-mellon (0.17.0-1+deb11u1) bullseye; urgency=medium
+
+ * Upload to fix security issue:
+ - Open redirect in logout endpoint (CVE-2021-3639)
+
+ -- Thijs Kinkhorst <thijs@debian.org> Tue, 06 Dec 2022 20:12:37 +0100
+
libapache2-mod-auth-mellon (0.17.0-1) unstable; urgency=medium
* New upstream release.
diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch
--- libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch 1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch 2022-12-06 20:12:37.000000000 +0100
@@ -0,0 +1,44 @@
+From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
+From: AIMOTO Norihito <aimoto@osstech.co.jp>
+Date: Tue, 6 Jul 2021 22:57:24 +0200
+Subject: [PATCH] Prevent redirect to URLs that begin with '///'
+
+Visiting a logout URL like this:
+ https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+would have redirected the user to fishing-site.example.com
+
+With the patch, this URL would be rejected.
+
+Fixes: CVE-2021-3639
+---
+ auth_mellon_util.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 2f8c9c3..6a686db 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
+ {
+ const char *i;
+
++ if (url == NULL) {
++ return HTTP_BAD_REQUEST;
++ }
++
+ for (i = url; *i; i++) {
+ if (*i >= 0 && *i < ' ') {
+ /* Deny all control-characters. */
+@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
+ }
+ }
+
++ if (strstr(url, "///") == url) {
++ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
++ "URL starts with '///'");
++ return HTTP_BAD_REQUEST;
++ }
++
+ return OK;
+ }
+
diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/patches/series libapache2-mod-auth-mellon-0.17.0/debian/patches/series
--- libapache2-mod-auth-mellon-0.17.0/debian/patches/series 2020-01-27 14:32:39.000000000 +0100
+++ libapache2-mod-auth-mellon-0.17.0/debian/patches/series 2022-12-06 20:12:37.000000000 +0100
@@ -0,0 +1 @@
+CVE-2021-3639.patch
Reply to: