
Bug#1026799: marked as done (buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1+deb10u2)



Your message dated Wed, 21 Dec 2022 19:59:59 +0000
with message-id <f768795c7e392ae80a9c7f1c6717a68e6eae38d1.camel@adam-barratt.org.uk>
and subject line Re: Bug#1026799: buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1+deb10u2
has caused the Debian Bug report #1026799,
regarding buster-pu: package libapache2-mod-auth-openidc/2.3.10.2-1+deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1026799: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026799
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache2-mod-auth-openidc@packages.debian.org, Debian Security Team <team@security.debian.org>
Control: affects -1 + src:libapache2-mod-auth-openidc

[ Reason ]
Backported redirect url validations from upstream version 2.4.12.2
which include a fix for CVE-2022-23527[1]:
> Versions prior to 2.4.12.2 are vulnerable to Open Redirect.
> When providing a logout parameter to the redirect URI, the
> existing code in oidc_validate_redirect_url() does not properly
> check for URLs that start with /\t, leading to an open redirect.

[ Impact ]
> Users unable to upgrade can mitigate the issue by configuring
> mod_auth_openidc to only allow redirection when the destination
> matches a given regular expression with OIDCRedirectURLsAllowed.

[ Tests ]
Manually tested the package with the fix on our infrastructure; no problems
found.

[ Risks ]
Since I backported the whole check block, which includes more checks
than just the one for the tab character, the change in this p-u is not quite
minimal, but all the other checks do serve the purpose of security
enhancement, so I think it's worth having them. And the whole block
of code has already been checked by more people.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Backported whole url check block in oidc_validate_redirect_url
  from the latest version 2.4.12.2 [2]
- Also backported new helper function oidc_util_strcasestr as a dependency

[ Other info ]
(Anything else the release team should know.)

[1]: https://security-tracker.debian.org/tracker/CVE-2022-23527
[2]: https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/changelog libapache2-mod-auth-openidc-2.3.10.2/debian/changelog
--- libapache2-mod-auth-openidc-2.3.10.2/debian/changelog	2019-11-27 11:09:17.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/changelog	2022-12-21 11:40:16.000000000 +0100
@@ -1,3 +1,12 @@
+libapache2-mod-auth-openidc (2.3.10.2-1+deb10u2) buster; urgency=medium
+
+  * Backport fix for CVE-2022-23527: prevent open redirect in default setup
+    when OIDCRedirectURLsAllowed is not configured
+    see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
+    (Closes: #1026444)
+
+ -- Moritz Schlarb <schlarbm@uni-mainz.de>  Wed, 21 Dec 2022 11:40:16 +0100
+
 libapache2-mod-auth-openidc (2.3.10.2-1+deb10u1) buster; urgency=medium
 
   * Add patch for CVE-2019-14857
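Review bot: the changelog entry does not mention that the backport also adds a new helper, oidc_util_strcasestr, to src/util.c and exports it from src/mod_auth_openidc.h; listing it next to the CVE line would document the new symbol, which the bug's [ Changes ] section already calls out. The entry cites only the GHSA advisory; adding the upstream commit URL given as [2] in the report would let reviewers diff the backport against its source.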
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch
--- libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch	1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch	2022-12-21 11:39:39.000000000 +0100
@@ -0,0 +1,79 @@
+From: Moritz Schlarb <schlarbm@uni-mainz.de>
+Date: Tue, 20 Dec 2022 12:04:24 +0100
+Subject: Fix CVE-2022-23527: prevent open redirect
+
+- CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured
+  see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
+---
+ src/mod_auth_openidc.c | 14 ++++++++++++++
+ src/mod_auth_openidc.h |  1 +
+ src/util.c             | 19 +++++++++++++++++++
+ 3 files changed, 34 insertions(+)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 916d60d..d1d8609 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2989,6 +2989,20 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ 		oidc_error(r, "%s: %s", *err_str, *err_desc);
+ 		return FALSE;
+ 	}
++	if (       (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
++			|| (strstr(url, "/\t") != NULL)
++			|| (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
++			|| (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
++			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
++			|| (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
++			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)
++			|| (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
++			|| (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
++		*err_str = apr_pstrdup(r->pool, "Invalid URL");
++		*err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
++		oidc_error(r, "%s: %s", *err_str, *err_desc);
++		return FALSE;
++	}
+ 
+ 	return TRUE;
+ }
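Review bot: case handling in the new condition is inconsistent: `/%2f` is matched with oidc_util_strcasestr, but `/%5c` on the line `|| (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {` uses plain strstr, although RFC 3986 treats the hex digits of a percent-encoding as case-insensitive; use oidc_util_strcasestr for every percent-encoded pattern that contains a letter. Two lines also repeat checks that render identically here (`"/〱"` and `"/ー"` each appear twice); if they are meant to be distinct code points, spell them as `\x` escapes with a comment naming the code point, otherwise drop the duplicates. Finally, the hunk header shows the check landing in oidc_validate_post_logout_url, while the bug text and the advisory name oidc_validate_redirect_url; a sentence in the patch description noting that the 2.3.10.2 function carries the older name would save the next reader a search.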
+diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
+index c69fa16..fab20cd 100644
+--- a/src/mod_auth_openidc.h
++++ b/src/mod_auth_openidc.h
+@@ -766,6 +766,7 @@ apr_hash_t * oidc_util_merge_symmetric_key(apr_pool_t *pool, apr_hash_t *private
+ const char *oidc_util_get_provided_token_binding_id(const request_rec *r);
+ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const apr_table_t *params);
+ char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
++char* oidc_util_strcasestr(const char *s1, const char *s2);
+ 
+ /* HTTP header constants */
+ #define OIDC_HTTP_HDR_COOKIE							"Cookie"
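Review bot: style nit: the new prototype `char* oidc_util_strcasestr(const char *s1, const char *s2);` attaches the asterisk to the type, while every neighbouring declaration in this header writes `char *name`; match the existing form.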
+diff --git a/src/util.c b/src/util.c
+index 21dedc7..0b8de24 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -369,6 +369,25 @@ char *oidc_util_html_escape(apr_pool_t *pool, const char *s) {
+ 	return apr_pstrdup(pool, r);
+ }
+ 
++char* oidc_util_strcasestr(const char *s1, const char *s2) {
++	const char *s = s1;
++	const char *p = s2;
++	do {
++		if (!*p)
++			return (char*) s1;
++		if ((*p == *s) || (tolower(*p) == tolower(*s))) {
++			++p;
++			++s;
++		} else {
++			p = s2;
++			if (!*s)
++				return NULL;
++			s = ++s1;
++		}
++	} while (1);
++	return *p ? NULL : (char*) s1;
++}
++
+ /*
+  * get the URL scheme that is currently being accessed
+  */
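Review bot: `tolower(*p)` and `tolower(*s)` pass a plain char, which is undefined behaviour for bytes above 0x7F where char is signed; the haystack here is the user-supplied URL, which can carry non-ASCII bytes (the same patch matches UTF-8 sequences in it), so write `tolower((unsigned char) *s)` and likewise for `*p`. The line `return *p ? NULL : (char*) s1;` after `while (1)` is unreachable and should go. Also confirm that util.c already includes <ctype.h>; this hunk does not add it.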
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series
--- libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series	2019-11-27 11:09:17.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series	2022-12-21 11:39:39.000000000 +0100
@@ -1,2 +1,3 @@
 fix-parallel-build.patch
 0002-improve-validation-of-the-post-logout-URL-parameter-.patch
+0003-Fix-CVE-2022-23527-prevent-open-redirect.patch

--- End Message ---
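A standalone illustration of the check the backported block performs, added here and not part of the Debian package or of upstream mod_auth_openidc: the case-insensitive search is rewritten with the unsigned char cast that tolower() requires, every pattern is matched case-insensitively, and the non-ASCII entries that render identically on this page are listed once. The names ci_strstr and redirect_url_has_illegal_chars are mine, there is no APR dependency, and the four code points are assumed from the glyphs shown.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* ASCII case-insensitive substring search. Bytes are cast to unsigned
 * char before tolower(), as the C standard requires; this matters because
 * a URL may carry non-ASCII (UTF-8) bytes with the high bit set. */
const char *ci_strstr(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0)
        return hay;
    for (; *hay != '\0'; hay++) {
        size_t i = 0;
        while (i < n && hay[i] != '\0' &&
               tolower((unsigned char) hay[i]) == tolower((unsigned char) needle[i]))
            i++;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* Substrings the backported block refuses in a post-logout redirect target.
 * All are matched case-insensitively so that percent-encoded hex is treated
 * as RFC 3986 requires (%5c and %5C are the same octet). The four non-ASCII
 * entries are the code points assumed from the glyphs on the page. */
static const char *const denied[] = {
    "/%09", "/%2f", "/\t", "/%68", "/http:", "/https:", "/javascript:",
    "/\xe3\x80\xb1", /* U+3031 */
    "/\xe3\x80\xb5", /* U+3035 */
    "/\xe3\x82\x9d", /* U+309D */
    "/\xe3\x83\xbc", /* U+30FC */
    "/<", "%01javascript:", "/%5c", "/\\",
};

/* Returns 1 if url contains any denied substring, 0 if it is clean. */
int redirect_url_has_illegal_chars(const char *url) {
    size_t i;
    for (i = 0; i < sizeof denied / sizeof denied[0]; i++)
        if (ci_strstr(url, denied[i]) != NULL)
            return 1;
    return 0;
}
```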
--- Begin Message ---
On Wed, 2022-12-21 at 11:44 +0100, Moritz Schlarb wrote:
> Backported redirect url validations from upstream version 2.4.12.2
> which include a fix for CVE-2022-23527[1]:
> > Versions prior to 2.4.12.2 are vulnerable to Open Redirect.
> > When providing a logout parameter to the redirect URI, the
> > existing code in oidc_validate_redirect_url() does not properly
> > check for URLs that start with /\t, leading to an open redirect.
> 

buster hasn't been supported by the Release or Security Teams since
late June, when it moved to LTS.

If you want to update the package in buster, please liaise with the LTS
Team.

Regards,

Adam

--- End Message ---
