Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache2-mod-auth-open...@packages.debian.org, Debian Security Team <t...@security.debian.org>
Control: affects -1 + src:libapache2-mod-auth-openidc

[ Reason ]
Backported redirect URL validations from upstream version 2.4.12.2,
which include a fix for CVE-2022-23527 [1]:
> Versions prior to 2.4.12.2 are vulnerable to Open Redirect.
> When providing a logout parameter to the redirect URI, the
> existing code in oidc_validate_redirect_url() does not properly
> check for URLs that start with /\t, leading to an open redirect.

[ Impact ]
> Users unable to upgrade can mitigate the issue by configuring
> mod_auth_openidc to only allow redirection when the destination
> matches a given regular expression with OIDCRedirectURLsAllowed.

[ Tests ]
Manually tested the package with the fix on our infrastructure; no problems
found.

[ Risks ]
Since I backported the whole check block, which includes more checks
than just the one for the tab character, the change in this p-u is not
quite minimal, but all the other checks do serve a security-hardening
purpose, so I think it is worth having them. And the whole block of
code has already been reviewed by more people.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Backported the whole URL check block in oidc_validate_redirect_url
  from the latest version, 2.4.12.2 [2]
- Also backported the new helper function oidc_util_strcasestr as a dependency

[ Other info ]
(Anything else the release team should know.)

[1]: https://security-tracker.debian.org/tracker/CVE-2022-23527
[2]: https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 
libapache2-mod-auth-openidc-2.3.10.2/debian/changelog
--- libapache2-mod-auth-openidc-2.3.10.2/debian/changelog       2019-11-27 
11:09:17.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/changelog       2022-12-21 
11:40:16.000000000 +0100
@@ -1,3 +1,12 @@
+libapache2-mod-auth-openidc (2.3.10.2-1+deb10u2) buster; urgency=medium
+
+  * Backport fix for CVE-2022-23527: prevent open redirect in default setup
+    when OIDCRedirectURLsAllowed is not configured
+    see: 
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
+    (Closes: #1026444)
+
+ -- Moritz Schlarb <schla...@uni-mainz.de>  Wed, 21 Dec 2022 11:40:16 +0100
+
 libapache2-mod-auth-openidc (2.3.10.2-1+deb10u1) buster; urgency=medium
 
   * Add patch for CVE-2019-14857
diff -Nru 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch
 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch
--- 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch
     1970-01-01 01:00:00.000000000 +0100
+++ 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0003-Fix-CVE-2022-23527-prevent-open-redirect.patch
     2022-12-21 11:39:39.000000000 +0100
@@ -0,0 +1,79 @@
+From: Moritz Schlarb <schla...@uni-mainz.de>
+Date: Tue, 20 Dec 2022 12:04:24 +0100
+Subject: Fix CVE-2022-23527: prevent open redirect
+
+- CVE-2022-23527: prevent open redirect in default setup when 
OIDCRedirectURLsAllowed is not configured
+  see: 
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
+---
+ src/mod_auth_openidc.c | 14 ++++++++++++++
+ src/mod_auth_openidc.h |  1 +
+ src/util.c             | 19 +++++++++++++++++++
+ 3 files changed, 34 insertions(+)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 916d60d..d1d8609 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2989,6 +2989,20 @@ static apr_byte_t 
oidc_validate_post_logout_url(request_rec *r, const char *url,
+               oidc_error(r, "%s: %s", *err_str, *err_desc);
+               return FALSE;
+       }
++      if (       (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, 
"/%2f") != NULL)
++                      || (strstr(url, "/\t") != NULL)
++                      || (strstr(url, "/%68") != NULL) || 
(oidc_util_strcasestr(url, "/http:") != NULL)
++                      || (oidc_util_strcasestr(url, "/https:") != NULL) || 
(oidc_util_strcasestr(url, "/javascript:") != NULL)
++                      || (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != 
NULL)
++                      || (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != 
NULL)
++                      || (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != 
NULL)
++                      || (strstr(url, "/<") != NULL) || 
(oidc_util_strcasestr(url, "%01javascript:") != NULL)
++                      || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") 
!= NULL)) {
++              *err_str = apr_pstrdup(r->pool, "Invalid URL");
++              *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains 
illegal character(s)", url);
++              oidc_error(r, "%s: %s", *err_str, *err_desc);
++              return FALSE;
++      }
+ 
+       return TRUE;
+ }
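Review bot: the `/%5c` test on the second-to-last condition line uses strstr and so never matches `/%5C`, the upper-case form most encoders emit; it should go through oidc_util_strcasestr like the `/%2f` test on the first condition line does. As rendered here, the third katakana line (`(strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)`) repeats the two entries from two lines above; if those were meant to be distinct (half-width) code points that the mail transport folded together, please confirm the bytes in the actual patch file, otherwise the pair is redundant. Finally, the hunk header shows this landing in oidc_validate_post_logout_url while the p-u text and [Changes] refer to oidc_validate_redirect_url; a line in the patch description saying that this is the buster-era name of the same function would help whoever maps the CVE text to this code.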
+diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
+index c69fa16..fab20cd 100644
+--- a/src/mod_auth_openidc.h
++++ b/src/mod_auth_openidc.h
+@@ -766,6 +766,7 @@ apr_hash_t * oidc_util_merge_symmetric_key(apr_pool_t 
*pool, apr_hash_t *private
+ const char *oidc_util_get_provided_token_binding_id(const request_rec *r);
+ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const 
apr_table_t *params);
+ char *oidc_util_get_full_path(apr_pool_t *pool, const char 
*abs_or_rel_filename);
++char* oidc_util_strcasestr(const char *s1, const char *s2);
+ 
+ /* HTTP header constants */
+ #define OIDC_HTTP_HDR_COOKIE                                                  
"Cookie"
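Review bot: style, `char* oidc_util_strcasestr(` puts the star on the type while the neighbouring declarations in this header (`char *oidc_util_http_query_encoded_url(`, `char *oidc_util_get_full_path(`) put it on the name; match the file's convention. Exporting the helper here is otherwise the right call, since its caller lives in mod_auth_openidc.c rather than util.c.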
+diff --git a/src/util.c b/src/util.c
+index 21dedc7..0b8de24 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -369,6 +369,25 @@ char *oidc_util_html_escape(apr_pool_t *pool, const char 
*s) {
+       return apr_pstrdup(pool, r);
+ }
+ 
++char* oidc_util_strcasestr(const char *s1, const char *s2) {
++      const char *s = s1;
++      const char *p = s2;
++      do {
++              if (!*p)
++                      return (char*) s1;
++              if ((*p == *s) || (tolower(*p) == tolower(*s))) {
++                      ++p;
++                      ++s;
++              } else {
++                      p = s2;
++                      if (!*s)
++                              return NULL;
++                      s = ++s1;
++              }
++      } while (1);
++      return *p ? NULL : (char*) s1;
++}
++
+ /*
+  * get the URL scheme that is currently being accessed
+  */
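Review bot: `tolower(*p)` and `tolower(*s)` are called on plain `char`; `url` is attacker-supplied and may carry bytes above 0x7f (the deny list in the same patch is full of UTF-8 sequences), which on a signed-char platform become negative values outside tolower()'s domain and therefore undefined behaviour. Cast both operands, `tolower((unsigned char) *p) == tolower((unsigned char) *s)`, and check that util.c already includes <ctype.h>, which the hunk does not show. The `return *p ? NULL : (char*) s1;` after the `do { ... } while (1);` loop is unreachable, since both exits return from inside the loop; drop it or make the loop condition carry the termination. The matching logic itself is fine: on a mismatch it rewinds `p` to `s2` and restarts one byte later (`s = ++s1`), and an empty needle returns `s1` before any comparison.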
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series 
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series
--- libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series  2019-11-27 
11:09:17.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series  2022-12-21 
11:39:39.000000000 +0100
@@ -1,2 +1,3 @@
 fix-parallel-build.patch
 0002-improve-validation-of-the-post-logout-URL-parameter-.patch
+0003-Fix-CVE-2022-23527-prevent-open-redirect.patch

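The bypass the [Reason] section quotes, and the difference between checking a redirect value as received and as a browser will interpret it, as an added example that is not part of this report or of mod_auth_openidc's code. It is written in Python rather than the module's C because the point is the browser's URL handling, not the Apache API. The host names, regex patterns and helper names are made up for the illustration, and the regex allow-list only stands in for the idea behind OIDCRedirectURLsAllowed; the directive's exact matching semantics are not reproduced.

```python
"""Added example (not from the Debian report or from mod_auth_openidc):
why a redirect value like "/\t/evil.example" is an open redirect, and how a
check behaves before and after taking browser URL normalization into
account. Host names and regexes below are made up for the demonstration."""
import re
from urllib.parse import urljoin, urlsplit

# The WHATWG URL parser drops ASCII tab, LF and CR anywhere in the input,
# and for http(s) URLs treats a backslash like a forward slash.
_STRIPPED = {"\t", "\n", "\r"}


def browser_normalize(url: str) -> str:
    """Approximate the browser's view of a Location value."""
    kept = "".join(c for c in url if c not in _STRIPPED)
    return kept.replace("\\", "/")


def naive_is_local(url: str) -> bool:
    """A 'must be a path on this site' check done on the raw string.
    This is the shape of check CVE-2022-23527 bypasses: the second
    character is a tab, not a slash, so the value looks like a plain path."""
    return url.startswith("/") and not url.startswith("//")


def hardened_is_local(url: str) -> bool:
    """Same intent, but decided on the normalized form and with control
    characters refused outright, so "/\t/evil.example" and
    "/\\evil.example" are both rejected."""
    if any(ord(c) < 0x20 for c in url):
        return False
    norm = browser_normalize(url)
    return norm.startswith("/") and not norm.startswith("//")


def final_host(site_host: str, url: str) -> str:
    """Host a browser sitting on https://<site_host>/ lands on after
    following url, using the browser-normalized form."""
    target = urljoin(f"https://{site_host}/", browser_normalize(url))
    return urlsplit(target).hostname or ""


def allowlisted(url: str, patterns, normalize: bool = True) -> bool:
    """Regex allow-list in the spirit of OIDCRedirectURLsAllowed (assumed
    semantics for this example, not the directive's actual code). With
    normalize=False the otherwise sensible pattern "^/(?!/)" is fooled by
    the tab; with normalize=True the tab is gone and "//" is visible."""
    value = browser_normalize(url) if normalize else url
    return any(re.match(p, value) for p in patterns)


if __name__ == "__main__":
    site = "app.example"  # constructed sample site
    for u in ["/account/settings", "/\t/evil.example/", "/\\evil.example/"]:
        print(repr(u), "naive:", naive_is_local(u),
              "hardened:", hardened_is_local(u),
              "lands on:", final_host(site, u))
```

Run stand-alone, it prints one line per sample showing that the naive check accepts the tab and backslash variants while the browser ends up on evil.example, and that the hardened check refuses both. The deny-list in the patch and the normalize-then-check approach here aim at the same set of inputs; the advantage of normalizing first is that new browser quirks only need a change in one place.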