Bug#1076784: bookworm-pu: package libapache2-mod-auth-openidc/2.4.12.3-2+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libapache2-mod-auth-openidc@packages.debian.org
Control: affects -1 + src:libapache2-mod-auth-openidc
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
This pu adds an (upstream) patch to fix a segfault when using
the apache module.
More information provided by upstream is at:
https://github.com/OpenIDC/mod_auth_openidc/discussions/1233
[ Impact ]
Segfaulting Apache processes when requests don't have the
forwarded headers set
[ Tests ]
Testsuite (which includes a test specific for this problem) passes;
manually tested the package.
[ Risks ]
Actual code change is three lines:
https://github.com/OpenIDC/mod_auth_openidc/commit/c2f200fb246f546e07c91f04e82345793af0c7c0
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Properly check for null pointers in function arguments and
return value.
[ Other info ]
Closes: #1076429
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/changelog libapache2-mod-auth-openidc-2.4.12.3/debian/changelog
--- libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2024-04-18 14:20:00.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2024-07-23 10:47:49.000000000 +0200
@@ -1,3 +1,10 @@
+libapache2-mod-auth-openidc (2.4.12.3-2+deb12u2) bookworm; urgency=medium
+
+ * Add patch for "oidc_check_x_forwarded_hdr check segfaults"
+ (Closes: #1076429)
+
+ -- Moritz Schlarb <schlarbm@uni-mainz.de> Tue, 23 Jul 2024 10:47:49 +0200
+
libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium
* CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
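Review bot: the changelog entry names the symptom ("oidc_check_x_forwarded_hdr check segfaults") but not where the fix comes from; adding the upstream commit (c2f200fb246f546e07c91f04e82345793af0c7c0) or the upstream discussion (https://github.com/OpenIDC/mod_auth_openidc/discussions/1233) to the entry would let a later reader match the Debian patch to upstream without opening the bug report.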
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0003-avoid-crash-when-the-Forwarded-header-is-not-present.patch libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0003-avoid-crash-when-the-Forwarded-header-is-not-present.patch
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0003-avoid-crash-when-the-Forwarded-header-is-not-present.patch 1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0003-avoid-crash-when-the-Forwarded-header-is-not-present.patch 2024-07-23 10:47:23.000000000 +0200
@@ -0,0 +1,50 @@
+From: Moritz Schlarb <schlarbm@uni-mainz.de>
+Date: Mon, 22 Jul 2024 14:16:02 +0200
+Subject: avoid crash when the Forwarded header is not present
+
+but OIDCXForwardedHeaders is configured for it; see #1171; thanks
+@daviddpd
+
+Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
+---
+ src/util.c | 4 +++-
+ test/test.c | 4 ++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/util.c b/src/util.c
+index 7a86c24..8bcfb94 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -437,6 +437,8 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
+ char* oidc_util_strcasestr(const char *s1, const char *s2) {
+ const char *s = s1;
+ const char *p = s2;
++ if ((s == NULL) || (p == NULL))
++ return NULL;
+ do {
+ if (!*p)
+ return (char*) s1;
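Review bot: the new guard changes the contract of oidc_util_strcasestr (NULL is returned for a NULL haystack or needle, where libc strcasestr is undefined) but nothing in the function says so; a one-line comment above the check, e.g. `/* tolerate NULL arguments and treat them as "not found" */`, would document it. Note also the asymmetry the guard introduces: a NULL needle now yields NULL, while an empty needle still yields s1 via the existing `if (!*p) return (char*) s1;` branch, so callers that compare the result against s1 should not assume the two cases behave alike.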
+@@ -468,7 +470,7 @@ static const char* oidc_util_hdr_forwarded_get(const request_rec *r, const char
+ if (ptr)
+ *ptr = '\0';
+ }
+- return apr_pstrdup(r->pool, value);
++ return value ? apr_pstrdup(r->pool, value) : NULL;
+ }
+
+ /*
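Review bot: guarding only the return value leaves the earlier lines of oidc_util_hdr_forwarded_get responsible for never dereferencing `value` when the header is absent; the visible `if (ptr) *ptr = '\0';` is safe only because `ptr` comes from a lookup that now tolerates NULL. An explicit `if (value == NULL) return NULL;` right after the header is fetched would make the absent-header case obvious at the point it arises instead of depending on every intermediate step tolerating NULL. Separately, `*ptr = '\0'` truncates the header string in place before apr_pstrdup copies it, so the value held in the request headers table is modified as a side effect; that is pre-existing behaviour, but worth a comment since the copy below suggests the caller expects the original to be left alone.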
+diff --git a/test/test.c b/test/test.c
+index 714f523..c75a940 100755
+--- a/test/test.c
++++ b/test/test.c
+@@ -1343,6 +1343,10 @@ static char * test_current_url(request_rec *r) {
+
+ apr_table_unset(r->headers_in, "Forwarded");
+
++ // it should not crash when Forwarded is not present
++ url = oidc_get_current_url(r, OIDC_HDR_FORWARDED);
++ TST_ASSERT_STR("test_current_url (16)", url, "https://www.example.com/private/?foo=bar¶m1=value1");
++
+ apr_table_set(r->headers_in, "Host", "www.example.com");
+
+ return 0;
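Review bot: the new assertion exercises the absent-Forwarded path only indirectly through oidc_get_current_url; a direct check that `oidc_util_strcasestr(NULL, "x")` and `oidc_util_strcasestr("x", NULL)` return NULL would cover the first util.c hunk on its own and keep covering it if the URL code is later restructured. Also, the expected URL as rendered here reads `...?foo=bar¶m1=value1`, which looks like `&param1` mangled by HTML entity decoding (`&para` to `¶`) in this page; confirm that the literal in the patch file is `&param1=value1`, otherwise the test compares against a string the code cannot produce.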
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2024-04-18 14:20:00.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2024-07-23 10:47:23.000000000 +0200
@@ -1,2 +1,3 @@
0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
0002-fix-DoS-CVE-2024-24814.patch
+0003-avoid-crash-when-the-Forwarded-header-is-not-present.patch
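Review bot: the patch registered here carries only git format-patch headers (From, Date, Subject, Signed-off-by) and no DEP-3 provenance fields; adding `Origin: upstream, https://github.com/OpenIDC/mod_auth_openidc/commit/c2f200fb246f546e07c91f04e82345793af0c7c0` and `Bug-Debian: https://bugs.debian.org/1076429` to the header would record where the fix came from and which report it closes without having to consult the changelog.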