Bug#1069252: bookworm-pu: package libapache2-mod-auth-openidc/2.4.12.3-2+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libapache2-mod-auth-openidc@packages.debian.org, team@security.debian.org
Control: affects -1 + src:libapache2-mod-auth-openidc
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Backported the patch to fix CVE-2024-24814.
Does not require DSA as per #1064183#28.
[ Impact ]
DoS when `OIDCSessionType client-cookie` is set and
a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-
hxr6-w4gc-7vvv
[ Tests ]
Manually on own infra.
[ Risks ]
Patch has minimal complexity but is from the upstream author
who is generally very knowledgable about his code.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Added upstream commit as patch that fixes oidc_util_get_chunked_cookie
function to properly handle chunked cookies and decline malicious ones.
[ Other info ]
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/changelog libapache2-mod-auth-openidc-2.4.12.3/debian/changelog
--- libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2023-05-02 11:48:09.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2024-04-18 14:20:00.000000000 +0200
@@ -1,3 +1,16 @@
+libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium
+
+ * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
+ cookie value made the server vulnerable to a Denial of Service (DoS)
+ attack. If an attacker manipulated the value of the OpenIDC cookie to a
+ very large integer like 99999999, the server struggled with the request for
+ a long time and finally returned a 500 error. Making a few requests of this
+ kind caused servers to become unresponsive, and so attackers could thereby
+ craft requests that would make the server work very hard and/or crash with
+ minimal effort. (Closes: #1064183)
+
+ -- Moritz Schlarb <schlarbm@uni-mainz.de> Thu, 18 Apr 2024 14:20:00 +0200
+
libapache2-mod-auth-openidc (2.4.12.3-2) unstable; urgency=high
* Add patch to Fix CVE-2023-28625 (Closes: #1033916)
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf
--- libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf 2023-05-02 11:41:28.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf 2024-04-18 14:20:00.000000000 +0200
@@ -1,2 +1,3 @@
[DEFAULT]
pristine-tar = True
+debian-branch = bookworm
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch 2023-05-02 11:47:32.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch 2024-04-18 14:20:00.000000000 +0200
@@ -1,9 +1,9 @@
From: Moritz Schlarb <schlarbm@uni-mainz.de>
Date: Tue, 2 May 2023 11:44:18 +0200
Subject: Fix CVE-2023-28625: segfault DoS when OIDCStripCookies is set
+
Origin: upstream, https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
Applied-Upstream: 2.4.13.2, https://github.com/OpenIDC/mod_auth_openidc/commit/c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
-
---
src/mod_auth_openidc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch 1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch 2024-04-18 14:20:00.000000000 +0200
@@ -0,0 +1,60 @@
+From: Hans Zandbelt <hans.zandbelt@openidc.com>
+Date: Tue, 6 Feb 2024 23:45:40 +0100
+Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814
+
+fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and
+a crafted Cookie header is supplied
+https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+
+Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
+---
+ src/util.c | 35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index e1f0a3a..7a86c24 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1325,25 +1325,24 @@ static char* oidc_util_get_chunk_cookie_name(request_rec *r,
+ */
+ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
+ int chunkSize) {
+- char *cookieValue = NULL;
+- char *chunkValue = NULL;
+- int i = 0;
+- if (chunkSize == 0) {
+- cookieValue = oidc_util_get_cookie(r, cookieName);
+- } else {
+- int chunkCount = oidc_util_get_chunked_count(r, cookieName);
+- if (chunkCount > 0) {
+- cookieValue = "";
+- for (i = 0; i < chunkCount; i++) {
+- chunkValue = oidc_util_get_cookie(r,
+- oidc_util_get_chunk_cookie_name(r, cookieName, i));
+- if (chunkValue != NULL)
+- cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
+- chunkValue);
+- }
+- } else {
+- cookieValue = oidc_util_get_cookie(r, cookieName);
++ char *cookieValue = NULL, *chunkValue = NULL;
++ int chunkCount = 0, i = 0;
++ if (chunkSize == 0)
++ return oidc_util_get_cookie(r, cookieName);
++ chunkCount = oidc_util_get_chunked_count(r, cookieName);
++ if (chunkCount == 0)
++ return oidc_util_get_cookie(r, cookieName);
++ if ((chunkCount < 0) || (chunkCount > 99)) {
++ oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
++ return NULL;
++ }
++ for (i = 0; i < chunkCount; i++) {
++ chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
++ if (chunkValue == NULL) {
++ oidc_warn(r, "could not find chunk %d; aborting", i);
++ break;
+ }
++ cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
+ }
+ return cookieValue;
+ }
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2023-05-02 11:44:59.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2024-04-18 14:20:00.000000000 +0200
@@ -1 +1,2 @@
0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
+0002-fix-DoS-CVE-2024-24814.patch
Reply to: