
Bug#1026447: marked as done (bullseye-pu: package libapache2-mod-auth-openidc/2.4.9.4-0+deb11u2)



Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id <502b8fb37ece620c9723446611a9287974ba5a0c.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1026447,
regarding bullseye-pu: package libapache2-mod-auth-openidc/2.4.9.4-0+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1026447: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026447
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache2-mod-auth-openidc@packages.debian.org, Debian Security Team <team@security.debian.org>
Control: affects -1 + src:libapache2-mod-auth-openidc

[ Reason ]
Backported redirect url validations from upstream version 2.4.12.2
which include a fix for CVE-2022-23527[1]:
> Versions prior to 2.4.12.2 are vulnerable to Open Redirect.
> When providing a logout parameter to the redirect URI, the
> existing code in oidc_validate_redirect_url() does not properly
> check for URLs that start with /\t, leading to an open redirect.

[ Impact ]
> Users unable to upgrade can mitigate the issue by configuring
> mod_auth_openidc to only allow redirection when the destination
> matches a given regular expression with OIDCRedirectURLsAllowed.

[ Tests ]
Manually tested the package with the fix on our infrastructure; no problems
found.

[ Risks ]
Since I backported the whole check block, which includes more checks
than just the one for the tab character, the change in this p-u is not quite
minimal, but all the other checks do serve a security-enhancement purpose,
so I think it is worth having them. And the whole block
of code has already been checked by more people.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Backported the whole URL check block in oidc_validate_redirect_url
  from the latest version 2.4.12.2 [2]
- Also backported the new helper function oidc_util_strcasestr as a dependency

[ Other info ]
(Anything else the release team should know.)

[1]: https://security-tracker.debian.org/tracker/CVE-2022-23527
[2]: https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/changelog libapache2-mod-auth-openidc-2.4.9.4/debian/changelog
--- libapache2-mod-auth-openidc-2.4.9.4/debian/changelog	2022-02-23 12:16:08.000000000 +0100
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/changelog	2022-12-20 12:20:52.000000000 +0100
@@ -1,3 +1,12 @@
+libapache2-mod-auth-openidc (2.4.9.4-0+deb11u2) bullseye; urgency=medium
+
+  * Backport fix for CVE-2022-23527: prevent open redirect in default setup
+    when OIDCRedirectURLsAllowed is not configured
+    see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
+    (Closes: #1026444)
+
+ -- Moritz Schlarb <schlarbm@uni-mainz.de>  Tue, 20 Dec 2022 12:20:52 +0100
+
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u1) bullseye; urgency=medium
 
   * New upstream version 2.4.9.4
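Review bot: the changelog entry names only the CVE, while the [Risks] section of this request says the whole upstream check block and a new helper (oidc_util_strcasestr) were backported from 2.4.12.2. A second bullet in the entry, e.g. "Backport the full redirect URL check block and oidc_util_strcasestr from upstream 2.4.12.2", would let oldstable users see that the update is more than the minimal tab-character fix and that non-tab targets such as "/\\..." and "/<..." are now rejected too.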
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch
--- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch	1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch	2022-12-20 12:20:03.000000000 +0100
@@ -0,0 +1,82 @@
+From: Moritz Schlarb <schlarbm@uni-mainz.de>
+Author: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
+Date: Tue, 20 Dec 2022 12:04:24 +0100
+Subject: Fix CVE-2022-23527: prevent open redirect
+
+- CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured
+  see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
+
+Origin: backport, https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8
+Forwarded: not-needed
+---
+ src/mod_auth_openidc.c | 14 ++++++++++++++
+ src/mod_auth_openidc.h |  1 +
+ src/util.c             | 18 ++++++++++++++++++
+ 3 files changed, 33 insertions(+)
+
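Review bot: the DEP-3 header carries both a `From:` and an `Author:` line; DEP-3 defines `From` as an alias of `Author`, so two different values are ambiguous. Keep `Author: Hans Zandbelt <hans.zandbelt@zmartzone.eu>` for the upstream author and drop the `From:` line; the `Origin: backport, ...` line already records where the change comes from, and the changelog records who backported it.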
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index b36f6c1..099c716 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
+ 		oidc_error(r, "%s: %s", *err_str, *err_desc);
+ 		return FALSE;
+ 	}
++	if (       (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
++			|| (strstr(url, "/\t") != NULL)
++			|| (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
++			|| (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
++			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
++			|| (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
++			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)
++			|| (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
++			|| (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
++		*err_str = apr_pstrdup(r->pool, "Invalid URL");
++		*err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
++		oidc_error(r, "%s: %s", *err_str, *err_desc);
++		return FALSE;
++	}
+ 
+ 	return TRUE;
+ }
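Review bot: case handling in the new denylist is inconsistent: `/%2f` is matched with oidc_util_strcasestr, but `/%5c` with plain strstr, so a target such as `/%5Cevil.example` (uppercase hex, which RFC 3986 treats as equivalent to `%5c`) is not caught even though the raw `/\\` it decodes to is. Use oidc_util_strcasestr for `/%5c` as well (and, for consistency, for `/%09` and `/%68`, although those only contain digits). Also, the strings on the line `(strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)` look identical to the ones on the two lines above it; if they are the same code points the two checks are redundant, and if they are different (e.g. halfwidth) forms, a comment naming the code points would stop the next reader from deleting them as duplicates.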
+diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
+index 2218d76..8757411 100644
+--- a/src/mod_auth_openidc.h
++++ b/src/mod_auth_openidc.h
+@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
+ char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
+ apr_byte_t oidc_enabled(request_rec *r);
+ char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
++char* oidc_util_strcasestr(const char *s1, const char *s2);
+ 
+ /* HTTP header constants */
+ #define OIDC_HTTP_HDR_COOKIE							"Cookie"
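Review bot: style, the new prototype is written `char* oidc_util_strcasestr(...)` while the neighbouring declarations in this hunk (`char *oidc_util_get_full_path`, `char *oidc_util_http_form_encoded_data`) put the space before the star; match the surrounding form.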
+diff --git a/src/util.c b/src/util.c
+index 4c46156..c6453d0 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
+     return output;
+ }
+ 
++char* oidc_util_strcasestr(const char *s1, const char *s2) {
++	const char *s = s1;
++	const char *p = s2;
++	do {
++		if (!*p)
++			return (char*) s1;
++		if ((*p == *s) || (tolower(*p) == tolower(*s))) {
++			++p;
++			++s;
++		} else {
++			p = s2;
++			if (!*s)
++				return NULL;
++			s = ++s1;
++		}
++	} while (1);
++	return *p ? NULL : (char*) s1;
++}
+ 
+ /*
+  * get the URL scheme that is currently being accessed
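Review bot: tolower() is called on plain `char` values (`tolower(*p)`, `tolower(*s)`); where char is signed, any byte >= 0x80 becomes a negative argument, which is undefined behaviour for the ctype functions, and the URLs this helper is run over can contain exactly such bytes (the callers also search for multi-byte UTF-8 patterns). Cast both operands: `tolower((unsigned char) *p) == tolower((unsigned char) *s)`; the `(*p == *s) ||` shortcut then becomes redundant. The final `return *p ? NULL : (char*) s1;` after `do { ... } while (1);` is unreachable and can go (some compilers warn on it), and since the hunk does not show a `#include <ctype.h>`, please confirm util.c already includes it.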
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series	2022-02-23 12:16:08.000000000 +0100
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series	2022-12-20 12:14:25.000000000 +0100
@@ -1 +1,2 @@
 fix-parallel-build.patch
+0002-Fix-CVE-2022-23527-prevent-open-redirect.patch

--- End Message ---
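The redirect-target validation the request above describes (the tab-prefix bypass fixed upstream, and the OIDCRedirectURLsAllowed allowlist it quotes as the mitigation) as an added stand-alone model. This is example code, not mod_auth_openidc's own implementation or the backported patch: the denylist is modelled on the backported check but matches every percent-encoded entry case-insensitively, the function names (ci_strstr, has_illegal_sequence, allowed_by_regex, redirect_is_safe), the allowlist regular expression and all input URLs are the example's own constructed values.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring search (same job as the helper the patch adds),
 * with the ctype argument cast to unsigned char so bytes >= 0x80 from UTF-8
 * input are well-defined. Returns a pointer into hay, or NULL. */
const char *ci_strstr(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0)
        return hay;
    for (; *hay != '\0'; hay++) {
        size_t i = 0;
        while (i < n && hay[i] != '\0'
               && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* Sequences after which a browser stops treating a "local" path as local
 * (scheme-relative "//host" spellings, script URLs). Percent-encoded forms are
 * matched case-insensitively because RFC 3986 hex digits are case-insensitive;
 * the raw control/punctuation bytes are matched exactly. Example denylist, not
 * the module's. */
static const char *const DENY_CI[] = {
    "/%09", "/%2f", "/%5c", "/%68", "/http:", "/https:", "/javascript:",
    "%01javascript:", NULL
};
static const char *const DENY_CS[] = { "/\t", "/\\", "/<", NULL };

int has_illegal_sequence(const char *url)
{
    for (const char *const *p = DENY_CI; *p != NULL; p++)
        if (ci_strstr(url, *p) != NULL)
            return 1;
    for (const char *const *p = DENY_CS; *p != NULL; p++)
        if (strstr(url, *p) != NULL)
            return 1;
    return 0;
}

/* Allowlist mode: the target must match a POSIX ERE, the way a configured
 * OIDCRedirectURLsAllowed pattern restricts destinations. The pattern passed
 * by callers here is a hypothetical example value. */
int allowed_by_regex(const char *url, const char *pattern)
{
    regex_t re;
    int ok;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;                       /* a broken pattern fails closed */
    ok = (regexec(&re, url, 0, NULL, 0) == 0);
    regfree(&re);
    return ok;
}

/* Decide whether a logout/return target may be redirected to.
 * With an allowlist pattern, only the pattern decides. Without one (the
 * default setup the CVE is about), accept only a local path: a single leading
 * "/" and none of the denylisted sequences anywhere in the value. */
int redirect_is_safe(const char *url, const char *allow_pattern)
{
    if (allow_pattern != NULL)
        return allowed_by_regex(url, allow_pattern);
    if (url[0] != '/' || url[1] == '/')   /* absolute URLs and //host rejected */
        return 0;
    return !has_illegal_sequence(url);
}

int main(void)
{
    /* constructed sample targets, not taken from the advisory */
    const char *cases[] = { "/app/home", "/\tevil.example", "/%09evil.example",
                            "/%5Cevil.example", "//evil.example",
                            "https://evil.example/" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s -> %s\n", cases[i],
               redirect_is_safe(cases[i], NULL) ? "allowed" : "rejected");
    return 0;
}
```

In default mode only the plain local path is accepted; the tab, encoded-tab, encoded-backslash and `//host` spellings are all rejected. With an allowlist pattern supplied, the shape of the target no longer matters and only the pattern decides, which is why the quoted mitigation works even on an unpatched build.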
--- Begin Message ---
Package: release.debian.org
Version: 11.7

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.7 point release.

Regards,

Adam

--- End Message ---
