
Bug#1030598: marked as done (bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u3)



Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id <502b8fb37ece620c9723446611a9287974ba5a0c.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1030598,
regarding bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1030598: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030598
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap-ng@packages.debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
lemonldap-ng is vulnerable to URL validation bypass
(https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832).
No CVE, fixed in lemonldap-ng 2.0.16-1

[ Impact ]
Medium vulnerability: hacker may use a LemonLDAP-NG URL to redirect to their
site.

[ Tests ]
New test included in this patch

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Use URI to test base64 encoded URL instead of custom regex.

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index c276c65c0..b6f666f69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.0.11+ds-4+deb11u3) bullseye; urgency=medium
+
+  * Fix URL validation bypass
+    (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832)
+
+ -- Yadd <yadd@debian.org>  Sun, 05 Feb 2023 18:03:16 +0400
+
 lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium
 
   * Add patch to improve session destroy propagation (Closes: CVE-2022-37186)
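Review bot: the changelog entry cites the upstream issue but not that no CVE was assigned (the request above says so); adding "no CVE assigned" next to the issue URL lets the security tracker and apt-listchanges readers match this update without guessing. Version, distribution and urgency are consistent with the previous deb11u2 entry.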
diff --git a/debian/patches/fix-url-validation-bypass.patch b/debian/patches/fix-url-validation-bypass.patch
new file mode 100644
index 000000000..7eb27f79b
--- /dev/null
+++ b/debian/patches/fix-url-validation-bypass.patch
@@ -0,0 +1,66 @@
+Description: Fix URL validation bypass
+ An attacker can forge a redirection on a malicious site using a fake credentials in URL value.
+ .
+ Example:
+ .
+    Portal : https://auth.openid.club
+    Allowed application : https://test1.openid.club
+    Malicious site : https://google.fr
+    Malicious URL : https://test1.openid.club:test@google.fr
+    Malicious URL base 64 : aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=
+    Malicious redirection trigger : https://auth.openid.club/?url=aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=
+Author: Maxime Besson <maxime.besson@worteks.com>
+Origin: upstream, commit:88d3507d commit:e6156db0
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832
+Forwarded: not-needed
+Applied-Upstream: 2.0.16
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-02-05
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+@@ -8,6 +8,7 @@
+ use MIME::Base64;
+ use POSIX qw(strftime);
+ use Lemonldap::NG::Portal::Main::Constants qw(portalConsts);
++use URI;
+ 
+ # Main method
+ # -----------
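Review bot: `use URI;` introduces a runtime dependency on liburi-perl, and this debdiff does not touch debian/control; confirm that Depends already pulls it in (directly or through an existing dependency) before upload, since Process.pm is loaded unconditionally by the portal.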
+@@ -152,12 +153,19 @@
+         }
+ 
+         # Unprotected hosts
+-        my ( $proto, $vhost, $appuri ) = $tmp =~ m#^(https?://)([^/]*)(.*)#;
+-        $vhost =~ s/:\d+$//;
++        my ( $proto, $vhost, $appuri );
++        if ($tmp) {
++            my $u = URI->new($tmp);
++            if ( $u->scheme =~ /^https?$/ ) {
++                $proto  = $u->scheme;
++                $vhost  = $u->host if $u->can("host");
++                $appuri = $u->path_query;
++            }
++        }
+ 
+         # Try to resolve alias
+         my $originalVhost = $self->HANDLER->resolveAlias($vhost);
+-        $vhost = $proto . $originalVhost;
++        $vhost = $proto . '://' . $originalVhost;
+         $self->logger->debug( "Required URL (param: "
+               . ( $req->param('logout') ? 'HTTP Referer' : 'urldc' )
+               . " | value: $tmp | alias: $vhost)" );
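Review bot: in `if ( $u->scheme =~ /^https?$/ )`, `$u->scheme` is undef for a relative or scheme-less `$tmp`, so the match emits "Use of uninitialized value" warnings and `$proto`/`$vhost` stay undef, which then reach `resolveAlias` and the `$proto . '://' . $originalVhost` concatenation below; consider `( $u->scheme // '' ) =~ /^https?$/` and handling an undefined `$vhost` explicitly (scheme case is not a problem, URI returns it lowercased). The host extraction itself is the right fix: `$u->host` leaves out userinfo and port, so `test1.openid.club:test@google.fr` now yields `google.fr` instead of the whole authority that the old `[^/]*` capture returned, and the `'://'` added on the alias line is needed because `scheme` no longer carries it.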
+--- a/lemonldap-ng-portal/t/03-XSS-protection.t
++++ b/lemonldap-ng-portal/t/03-XSS-protection.t
+@@ -80,6 +80,11 @@
+       => 0,
+     'base64 encoded HTML tags',
+ 
++    # Make sure userinfo does not confuse URL parsing (#2832)
++    # https://test1.example.com:test@hacker.com
++    'aHR0cHM6Ly90ZXN0MS5leGFtcGxlLmNvbTp0ZXN0QGhhY2tlci5jb20=' => 0,
++    'userinfo trick',
++
+     # LOGOUT TESTS
+     'LOGOUT',
+ 
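Review bot: the new case only checks that the userinfo URL is rejected; a positive case with an explicit port (a base64 encoding of something like `https://test1.example.com:8443/`, if the test configuration lists that vhost) expected to pass would guard the other side of the change, since the old code stripped `:\d+` by hand and the new code relies on `$u->host` leaving the port out. The base64 value does decode to the URL in the comment, so the fixture matches its description.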
diff --git a/debian/patches/series b/debian/patches/series
index 9d8952af0..8b9338fec 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ fix-xss-on-register-form.patch
 dont-display-totp-secret.patch
 CVE-2021-40874.patch
 CVE-2022-37186.patch
+fix-url-validation-bypass.patch

--- End Message ---
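The userinfo trick from the request above, as an added example that is not code from the bug report or from LemonLDAP::NG: Python's urllib.parse stands in for Perl's URI module to show why the pre-fix regex and a real URL parser disagree on the host of the URL used in the new test case. It assumes nothing about the portal's downstream allow-list matching, which the page does not show; the point is only which host each approach reports.

```python
import base64
import re
from urllib.parse import urlsplit

# Regex from Process.pm before the fix, ported from Perl; the pre-fix code
# then stripped a trailing ":<digits>" port from the captured authority.
OLD_VHOST_RE = re.compile(r"^(https?://)([^/]*)(.*)")


def vhost_via_regex(url: str):
    """What the pre-fix code believed the virtual host was."""
    m = OLD_VHOST_RE.match(url)
    if not m:
        return None
    return re.sub(r":\d+$", "", m.group(2))


def vhost_via_parser(url: str):
    """What an RFC 3986 parser (urllib here, URI in the Perl fix) reports:
    userinfo ('user:pass@') and port are components separate from the host."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    return u.hostname


def decode_url_param(b64: str) -> str:
    """The portal carries the target URL base64-encoded in the url= parameter.
    strip() drops the trailing newline present in the issue's sample value."""
    return base64.b64decode(b64).decode("utf-8").strip()


def userinfo_smuggled(url: str) -> bool:
    """Detection signal: the two views disagree exactly when the authority
    carries userinfo that a host check built on the regex would be fooled by."""
    return vhost_via_regex(url) != vhost_via_parser(url)


# Value from the new test case in 03-XSS-protection.t (taken from the patch).
TRICK_B64 = "aHR0cHM6Ly90ZXN0MS5leGFtcGxlLmNvbTp0ZXN0QGhhY2tlci5jb20="

if __name__ == "__main__":
    url = decode_url_param(TRICK_B64)
    print(url)
    print("regex vhost :", vhost_via_regex(url))
    print("parsed host :", vhost_via_parser(url))
    print("smuggled    :", userinfo_smuggled(url))
```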
--- Begin Message ---
Package: release.debian.org
Version: 11.7

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.7 point release.

Regards,

Adam

--- End Message ---
