
Bug#1069252: bookworm-pu: package libapache2-mod-auth-openidc/2.4.12.3-2+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libapache2-mod-auth-openidc@packages.debian.org, team@security.debian.org
Control: affects -1 + src:libapache2-mod-auth-openidc
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Backported the patch to fix CVE-2024-24814.
Does not require DSA as per #1064183#28.

[ Impact ]
DoS when `OIDCSessionType client-cookie` is set and
a crafted Cookie header is supplied:
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv

[ Tests ]
Manually on own infra.

[ Risks ]
The patch has minimal complexity and comes from the upstream author,
who is generally very knowledgeable about his code.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Added the upstream commit as a patch; it fixes the oidc_util_get_chunked_cookie
function so that it handles chunked cookies properly and rejects malicious ones.

[ Other info ]
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/changelog libapache2-mod-auth-openidc-2.4.12.3/debian/changelog
--- libapache2-mod-auth-openidc-2.4.12.3/debian/changelog	2023-05-02 11:48:09.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/changelog	2024-04-18 14:20:00.000000000 +0200
@@ -1,3 +1,16 @@
+libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium
+
+  * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
+    cookie value made the server vulnerable to a Denial of Service (DoS)
+    attack. If an attacker manipulated the value of the OpenIDC cookie to a
+    very large integer like 99999999, the server struggled with the request for
+    a long time and finally returned a 500 error. Making a few requests of this
+    kind caused servers to become unresponsive, and so attackers could thereby
+    craft requests that would make the server work very hard and/or crash with
+    minimal effort. (Closes: #1064183)
+
+ -- Moritz Schlarb <schlarbm@uni-mainz.de>  Thu, 18 Apr 2024 14:20:00 +0200
+
 libapache2-mod-auth-openidc (2.4.12.3-2) unstable; urgency=high
 
   * Add patch to Fix CVE-2023-28625 (Closes: #1033916)
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf
--- libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf	2023-05-02 11:41:28.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf	2024-04-18 14:20:00.000000000 +0200
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = bookworm
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch	2023-05-02 11:47:32.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch	2024-04-18 14:20:00.000000000 +0200
@@ -1,9 +1,9 @@
 From: Moritz Schlarb <schlarbm@uni-mainz.de>
 Date: Tue, 2 May 2023 11:44:18 +0200
 Subject: Fix CVE-2023-28625: segfault DoS when OIDCStripCookies is set
+
 Origin: upstream, https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
 Applied-Upstream: 2.4.13.2, https://github.com/OpenIDC/mod_auth_openidc/commit/c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
-
 ---
  src/mod_auth_openidc.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch	1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch	2024-04-18 14:20:00.000000000 +0200
@@ -0,0 +1,60 @@
+From: Hans Zandbelt <hans.zandbelt@openidc.com>
+Date: Tue, 6 Feb 2024 23:45:40 +0100
+Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814
+
+fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and
+a crafted Cookie header is supplied
+https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+
+Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
+---
+ src/util.c | 35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index e1f0a3a..7a86c24 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1325,25 +1325,24 @@ static char* oidc_util_get_chunk_cookie_name(request_rec *r,
+  */
+ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
+ 		int chunkSize) {
+-	char *cookieValue = NULL;
+-	char *chunkValue = NULL;
+-	int i = 0;
+-	if (chunkSize == 0) {
+-		cookieValue = oidc_util_get_cookie(r, cookieName);
+-	} else {
+-		int chunkCount = oidc_util_get_chunked_count(r, cookieName);
+-		if (chunkCount > 0) {
+-			cookieValue = "";
+-			for (i = 0; i < chunkCount; i++) {
+-				chunkValue = oidc_util_get_cookie(r,
+-						oidc_util_get_chunk_cookie_name(r, cookieName, i));
+-				if (chunkValue != NULL)
+-					cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
+-							chunkValue);
+-			}
+-		} else {
+-			cookieValue = oidc_util_get_cookie(r, cookieName);
++	char *cookieValue = NULL, *chunkValue = NULL;
++	int chunkCount = 0, i = 0;
++	if (chunkSize == 0)
++		return oidc_util_get_cookie(r, cookieName);
++	chunkCount = oidc_util_get_chunked_count(r, cookieName);
++	if (chunkCount == 0)
++		return oidc_util_get_cookie(r, cookieName);
++	if ((chunkCount < 0) || (chunkCount > 99)) {
++		oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
++		return NULL;
++	}
++	for (i = 0; i < chunkCount; i++) {
++		chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
++		if (chunkValue == NULL) {
++			oidc_warn(r, "could not find chunk %d; aborting", i);
++			break;
+ 		}
++		cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
+ 	}
+ 	return cookieValue;
+ }
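Review bot: After the `break` on a missing chunk, `cookieValue` still holds the chunks concatenated so far, so the function returns a partially reassembled cookie even though the warning text says "aborting"; a truncated session value presumably fails downstream decoding, but that leaves detection to the caller, and `cookieValue = NULL;` before the `break` (or `return NULL;` in its place) would make the failure explicit and consistent with the out-of-bounds branch just above. The upper bound in `(chunkCount > 99)` is a bare literal; a named constant shared with the code that writes the chunk cookies would document the limit and keep writer and reader in agreement (whether such a constant already exists is outside this hunk). Both ends of `oidc_util_get_chunked_cookie` are inside the hunk, but `oidc_util_get_chunked_count` is not, so how non-numeric or overflowing values of the chunk-count cookie map to the `< 0` check cannot be confirmed here.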
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series	2023-05-02 11:44:59.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series	2024-04-18 14:20:00.000000000 +0200
@@ -1 +1,2 @@
 0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
+0002-fix-DoS-CVE-2024-24814.patch
