--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache2-mod-auth-openidc@packages.debian.org, Debian Security Team <team@security.debian.org>
Control: affects -1 + src:libapache2-mod-auth-openidc
[ Reason ]
Backported redirect url validations from upstream version 2.4.12.2
which include a fix for CVE-2022-23527[1]:
> Versions prior to 2.4.12.2 are vulnerable to Open Redirect.
> When providing a logout parameter to the redirect URI, the
> existing code in oidc_validate_redirect_url() does not properly
> check for URLs that start with /\t, leading to an open redirect.
[ Impact ]
> Users unable to upgrade can mitigate the issue by configuring
> mod_auth_openidc to only allow redirection when the destination
> matches a given regular expression with OIDCRedirectURLsAllowed.
[ Tests ]
Manually tested the package with the fix on our infrastructure, no problems
found.
[ Risks ]
Since I backported the whole check block, that includes more checks
than just for the tab character, the change in this p-u is not quite
minimal, but all the other checks do have a purpose of security
enhancement, so I think it's worth to have them. And the whole block
of code is already checked by more people.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
- Backported whole url check block in oidc_validate_redirect_url
from the latest version 2.4.12.2 [2]
- Also backported new helper function oidc_util_strcasestr as a dependency
[ Other info ]
(Anything else the release team should know.)
[1]: https://security-tracker.debian.org/tracker/CVE-2022-23527
[2]:
https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/changelog libapache2-mod-auth-openidc-2.3.10.2/debian/changelog
--- libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 2019-11-27 11:09:17.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 2022-12-21 11:40:16.000000000 +0100
@@ -1,3 +1,12 @@
+libapache2-mod-auth-openidc (2.3.10.2-1+deb10u2) buster; urgency=medium
+
+ * Backport fix for CVE-2022-23527: prevent open redirect in default setup
+ when OIDCRedirectURLsAllowed is not configured
+ see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
+ (Closes: #1026444)
+
+ -- Moritz Schlarb <schlarbm@uni-mainz.de> Wed, 21 Dec 2022 11:40:16 +0100
+
libapache2-mod-auth-openidc (2.3.10.2-1+deb10u1) buster; urgency=medium
* Add patch for CVE-2019-14857
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch
--- libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch 1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch 2022-12-21 11:39:39.000000000 +0100
@@ -0,0 +1,79 @@
+From: Moritz Schlarb <schlarbm@uni-mainz.de>
+Date: Tue, 20 Dec 2022 12:04:24 +0100
+Subject: Fix CVE-2022-23527: prevent open redirect
+
+- CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured
+ see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
+---
+ src/mod_auth_openidc.c | 14 ++++++++++++++
+ src/mod_auth_openidc.h | 1 +
+ src/util.c | 19 +++++++++++++++++++
+ 3 files changed, 34 insertions(+)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 916d60d..d1d8609 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2989,6 +2989,20 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
++ if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
++ || (strstr(url, "/\t") != NULL)
++ || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
++ || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
++ || (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
++ || (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
++ || (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)
++ || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
++ || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
++ *err_str = apr_pstrdup(r->pool, "Invalid URL");
++ *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
+
+ return TRUE;
+ }
+diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
+index c69fa16..fab20cd 100644
+--- a/src/mod_auth_openidc.h
++++ b/src/mod_auth_openidc.h
+@@ -766,6 +766,7 @@ apr_hash_t * oidc_util_merge_symmetric_key(apr_pool_t *pool, apr_hash_t *private
+ const char *oidc_util_get_provided_token_binding_id(const request_rec *r);
+ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const apr_table_t *params);
+ char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
++char* oidc_util_strcasestr(const char *s1, const char *s2);
+
+ /* HTTP header constants */
+ #define OIDC_HTTP_HDR_COOKIE "Cookie"
+diff --git a/src/util.c b/src/util.c
+index 21dedc7..0b8de24 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -369,6 +369,25 @@ char *oidc_util_html_escape(apr_pool_t *pool, const char *s) {
+ return apr_pstrdup(pool, r);
+ }
+
++char* oidc_util_strcasestr(const char *s1, const char *s2) {
++ const char *s = s1;
++ const char *p = s2;
++ do {
++ if (!*p)
++ return (char*) s1;
++ if ((*p == *s) || (tolower(*p) == tolower(*s))) {
++ ++p;
++ ++s;
++ } else {
++ p = s2;
++ if (!*s)
++ return NULL;
++ s = ++s1;
++ }
++ } while (1);
++ return *p ? NULL : (char*) s1;
++}
++
+ /*
+ * get the URL scheme that is currently being accessed
+ */
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series
--- libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series 2019-11-27 11:09:17.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series 2022-12-21 11:39:39.000000000 +0100
@@ -1,2 +1,3 @@
fix-parallel-build.patch
0002-improve-validation-of-the-post-logout-URL-parameter-.patch
+0003-Fix-CVE-2022-23527-prevent-open-redirect.patch
--- End Message ---