Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org
Control: affects -1 + src:lemonldap-ng
[ Reason ]
lemonldap-ng is vulnerable to URL validation bypass
(https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832).
No CVE, fixed in lemonldap-ng 2.0.16-1

[ Impact ]
Medium vulnerability: hacker may use a LemonLDAP-NG URL to redirect to
their site.

[ Tests ]
New test included in this patch

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Use URI to test base64 encoded URL instead of custom regex.

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index c276c65c0..b6f666f69 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.0.11+ds-4+deb11u3) bullseye; urgency=medium + + * Fix URL validation bypass + (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832) + + -- Yadd <y...@debian.org> Sun, 05 Feb 2023 18:03:16 +0400 + lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium * Add patch to improve session destroy propagation (Closes: CVE-2022-37186) diff --git a/debian/patches/fix-url-validation-bypass.patch b/debian/patches/fix-url-validation-bypass.patch new file mode 100644 index 000000000..7eb27f79b --- /dev/null +++ b/debian/patches/fix-url-validation-bypass.patch 
@@ -0,0 +1,66 @@ +Description: Fix URL validation bypass + An attacker can forge a redirection on a malicious site using a fake credentials in URL value. + . + Example: + . + Portal : https://auth.openid.club + Allowed application : https://test1.openid.club + Malicious site : https://google.fr + Malicious URL : https://test1.openid.club:t...@google.fr + Malicious URL base 64 : aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo= + Malicious redirection trigger : https://auth.openid.club/?url=aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo= +Author: Maxime Besson <maxime.bes...@worteks.com> +Origin: upstream, commit:88d3507d commit:e6156db0 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832 +Forwarded: not-needed +Applied-Upstream: 2.0.16 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2023-02-05 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm +@@ -8,6 +8,7 @@ + use MIME::Base64; + use POSIX qw(strftime); + use Lemonldap::NG::Portal::Main::Constants qw(portalConsts); ++use URI; + + # Main method + # ----------- +@@ -152,12 +153,19 @@ + } + + # Unprotected hosts +- my ( $proto, $vhost, $appuri ) = $tmp =~ m#^(https?://)([^/]*)(.*)#; +- $vhost =~ s/:\d+$//; ++ my ( $proto, $vhost, $appuri ); ++ if ($tmp) { ++ my $u = URI->new($tmp); ++ if ( $u->scheme =~ /^https?$/ ) { ++ $proto = $u->scheme; ++ $vhost = $u->host if $u->can("host"); ++ $appuri = $u->path_query; ++ } ++ } + + # Try to resolve alias + my $originalVhost = $self->HANDLER->resolveAlias($vhost); +- $vhost = $proto . $originalVhost; ++ $vhost = $proto . '://' . $originalVhost; + $self->logger->debug( "Required URL (param: " + . ( $req->param('logout') ? 'HTTP Referer' : 'urldc' ) + . 
" | value: $tmp | alias: $vhost)" ); +--- a/lemonldap-ng-portal/t/03-XSS-protection.t ++++ b/lemonldap-ng-portal/t/03-XSS-protection.t +@@ -80,6 +80,11 @@ + => 0, + 'base64 encoded HTML tags', + ++ # Make sure userinfo does not confuse URL parsing (#2832) ++ # https://test1.example.com:t...@hacker.com ++ 'aHR0cHM6Ly90ZXN0MS5leGFtcGxlLmNvbTp0ZXN0QGhhY2tlci5jb20=' => 0, ++ 'userinfo trick', ++ + # LOGOUT TESTS + 'LOGOUT', + diff --git a/debian/patches/series b/debian/patches/series index 9d8952af0..8b9338fec 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,4 @@ fix-xss-on-register-form.patch dont-display-totp-secret.patch CVE-2021-40874.patch CVE-2022-37186.patch +fix-url-validation-bypass.patch
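Review bot: in the `@@ -152,12 +153,19 @@` hunk of Process.pm, the new branch leaves `$proto`, `$vhost` and `$appuri` undefined whenever `$tmp` is empty, the scheme is not http/https, or the URI object has no host, yet the unchanged lines that follow still call `resolveAlias($vhost)` and build `$vhost = $proto . '://' . $originalVhost`, which under `use warnings` emits uninitialized-value warnings and yields a bare `://...` string. `$u->scheme` is also undef for a value with no scheme, so `$u->scheme =~ /^https?$/` warns on that path too; suggest `if ( defined $u->scheme && $u->scheme =~ /^https?$/ )` and an explicit rejection (or a logged early return) when `$proto` stays unset, instead of relying on later code to notice the malformed value.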
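Review bot: the `03-XSS-protection.t` hunk covers only the negative case. Since the port-stripping `s/:\d+$//` in Process.pm was replaced by `$u->host` (which likewise drops the port) and `$u->host` also drops any userinfo, two positive cases would document the intended behaviour change: an allowed host with an explicit port, and userinfo in front of an allowed host (e.g. `https://user@test1.example.com/`), which the old regex would have captured as part of the vhost and rejected. The entry itself follows the existing `value => expected, 'label'` pattern, so only the coverage gap stands.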